{"index":{"version":"2.3.9","fields":["title","breadcrumb","description","body"],"fieldVectors":[["title/404.html",[0,0.637,1,19.944,2,4.976,3,4.605,4,4.933,5,3.263]],["breadcrumb/404.html",[1,10.985,6,0.257]],["description/404.html",[0,0.392,7,2.97,8,18.14,9,1.135,10,9.701,11,0.577,12,14.036,13,2.781,14,2.243]],["body/404.html",[0,0.121,1,3.11,6,0.083,7,0.754,8,4.602,9,0.327,10,2.461,11,0.146,12,3.561,15,4.18,16,0.659,17,0.961,18,4.602,19,0.854,20,1.329,21,2.923,22,6.027,23,1.802,24,3.32,25,2.38,26,0.484]],["title/aws/data.html",[2,4.44,3,4.108,4,6.123,5,2.912,27,2.481,28,2.265,29,0.982]],["breadcrumb/aws/data.html",[6,0.224,27,1.333,28,1.217]],["description/aws/data.html",[27,1.279,28,1.167,29,0.506,30,3.346,31,1.306,32,0.432,33,0.632,34,0.432,35,0.849,36,12.323,37,2.678,38,4.803,39,10.5,40,1.022,41,0.432,42,10.5,43,0.507,44,0.368,45,1.306,46,9.79]],["body/aws/data.html",[0,0.119,2,1.011,4,0.73,5,0.443,7,0.561,9,0.289,10,1.282,11,0.157,14,0.424,16,0.343,17,0.716,21,1.522,25,1.093,26,0.252,27,0.559,28,0.501,29,0.192,30,1.426,31,0.534,32,0.183,33,0.271,34,0.186,35,0.351,36,4.681,37,0.814,38,2.064,39,4.345,40,0.323,41,0.185,42,4.382,43,0.159,44,0.157,45,0.445,46,1.729,47,0.076,48,0.076,49,1.882,50,0.848,51,0.273,52,0.626,53,0.184,54,0.382,55,0.848,56,0.573,57,3.469,58,0.675,59,1.855,60,0.323,61,1.328,62,0.767,63,2.001,64,1.355,65,0.572,66,0.358,67,0.264,68,0.757,69,0.572,70,1.417,71,1.564,72,3.139,73,1.522,74,2.397,75,2.397,76,0.562,77,0.496,78,1.355,79,0.506,80,0.365,81,0.625,82,0.787,83,0.179,84,0.935,85,0.303,86,0.113,87,0.591,88,0.047,89,0.054,90,0.457,91,0.99,92,0.912,93,0.807,94,0.533,95,1.355,96,0.729,97,0.53,98,0.561,99,0.445,100,0.573,101,1.405,102,0.076,103,0.131,104,0.151,105,2.108,106,1.126,107,0.549,108,2.052,109,1.282,110,0.314,111,0.343,112,0.846,113,0.802,114,0.561,115,0.285,116,0.161,117,0.42,118,0.36,119,0.5,120,1.486,121,0.365,122,0.692,123,0.458,124,0.758,125,0.848,126,0.086,127,0.715,128,0.5,129,0.494,130,0.494,131,0.494,132,0.807,133,0.104,134,0
.491,135,0.911,136,0.987,137,0.526,138,0.729,139,0.692,140,0.533,141,0.692,142,1.342,143,0.743,144,0.848,145,0.612,146,0.424,147,3.139,148,0.167,149,0.561,150,0.343,151,1.02,152,0.884,153,0.343,154,0.3,155,5.043,156,0.345,157,2.862,158,1.434,159,1.094,160,0.299,161,0.311,162,0.263,163,5.872,164,2.83,165,0.457,166,6.484,167,1.042,168,1.347,169,1.342,170,1.735,171,1.486,172,1.098,173,0.251,174,2.397,175,2.878,176,0.506,177,5.242,178,0.641,179,3.139,180,0.79,181,0.767,182,0.3,183,0.582,184,0.709,185,1.833,186,2.862,187,0.698,188,0.807,189,0.343,190,1.282,191,0.636,192,0.277,193,0.67,194,0.403,195,1.938,196,2.653,197,2.336,198,0.4,199,0.933,200,0.892,201,0.987,202,2.001,203,0.807,204,2.474,205,1.093,206,0.56,207,0.319,208,2.397,209,0.437,210,3.139,211,0.94,212,0.239,213,0.767,214,0.521,215,3.139,216,0.698,217,1.522,218,0.542,219,0.561,220,0.591,221,0.523,222,0.529,223,0.99,224,2.001,225,1.097,226,1.355,227,0.157,228,3.114,229,2.571,230,0.729,231,1.729,232,0.624,233,0.472,234,0.846,235,1.355,236,2.052,237,2.692,238,1.833,239,0.343,240,2.058,241,0.621,242,0.848,243,3.139,244,0.569,245,0.614,246,1.47,247,0.657,248,2.001,249,0.21,250,0.729,251,0.53,252,0.506,253,0.472,254,0.637,255,2.692,256,0.801,257,2.177,258,1.004,259,1.564,260,2.122,261,0.624,262,0.405,263,0.385,264,0.365,265,0.491,266,5.191,267,5.191,268,5.191,269,5.191,270,0.765,271,0.394,272,1.412,273,0.385,274,0.188,275,0.933,276,0.459,277,0.523,278,0.526,279,0.317,280,0.42,281,0.463,282,0.675,283,3.139,284,0.807,285,2.028,286,1.62,287,0.912,288,0.208,289,1.355,290,1.039,291,1.282,292,0.528,293,0.392,294,0.472,295,3.139,296,1.355,297,1.282,298,0.935,299,0.424,300,0.392,301,1.647,302,1.647,303,0.248,304,0.405,305,0.654,306,1.938,307,1.729,308,0.573,309,3.139,310,1.355,311,0.407,312,0.762,313,0.53,314,0.987,315,0.892,316,0.582,317,0.53,318,0.657,319,0.56,320,2.474,321,2.177,322,1.042,323,0.549,324,2.028,325,3.139,326,0.692,327,0.636,328,0.392,329,0.38,330,0.38,331,2.028,332,0.965,333,1.098,334,2.001,335,0.624,336,1.85
5,337,1.522,338,1.62,339,0.303,340,0.445,341,0.405,342,0.98,343,0.911,344,0.245,345,3.428,346,0.13,347,4.49,348,1.729,349,1.522,350,0.807,351,0.13,352,1.335,353,0.205,354,2.221,355,3.139,356,2.692,357,2.692,358,2.692,359,2.692,360,0.892,361,2.177,362,3.139,363,0.654,364,2.177,365,0.526,366,1.938,367,2.952,368,1.47,369,1.893,370,1.903,371,4.227,372,3.139,373,1.97,374,0.956,375,3.139,376,1.335,377,2.397,378,2.397,379,3.139,380,2.935,381,3.123,382,3.123,383,2.513,384,1.155,385,1.281,386,4.49,387,3.139,388,1.505,389,3.85,390,3.123,391,2.692,392,2.317,393,3.421,394,0.636,395,0.636,396,2.952,397,0.811,398,2.397,399,2.935,400,0.716,401,3.139,402,1.62,403,1.62,404,1.388,405,2.317,406,2.317,407,1.62,408,3.139,409,2.692,410,0.205,411,0.582,412,0.582,413,0.582,414,0.172,415,0.107,416,0.139,417,0.172,418,0.317,419,0.239,420,0.239,421,3.139,422,4.906,423,5.242,424,0.716,425,0.367,426,0.418,427,1.288,428,2.177,429,2.177,430,0.66,431,0.892,432,1.417,433,0.919,434,1.626,435,1.355,436,3.428,437,3.139,438,1.154,439,1.093,440,0.987,441,1.008,442,0.418,443,1.721,444,0.343,445,3.139,446,0.301,447,2.177,448,3.139,449,2.692,450,1.342,451,0.667,452,2.952,453,2.122,454,2.266,455,3.139,456,3.85,457,3.139,458,2.952,459,0.933,460,3.152,461,3.85,462,3.139,463,3.249,464,3.139,465,3.139,466,2.615,467,1.799,468,1.02,469,2.952,470,2.213,471,3.085,472,1.737,473,0.549,474,1.729,475,0.807,476,2.177,477,2.397,478,3.85,479,2.177,480,1.417,481,1.214,482,1.405,483,1.62,484,0.846,485,0.655,486,2.474,487,0.345,488,0.762,489,3.139,490,1.034,491,1.833,492,4.003,493,3.577,494,1.729,495,3.139,496,0.526,497,1.355,498,0.433,499,2.336,500,1.267,501,0.743,502,3.139,503,2.177,504,0.598,505,2.177,506,1.154,507,0.892,508,1.522,509,1.734,510,1.282,511,0.427,512,0.042,513,0.54,514,1.34,515,3.139,516,1.041,517,1.214,518,0.938,519,1.042,520,0.935,521,0.675,522,0.495,523,0.647,524,0.965,525,2.177,526,2.653,527,0.084,528,1.077,529,0.767,530,1.647,531,0.457,532,1.405,533,3.097,534,5.154,535,4.49,536,2.177,537,1.522,538,0.987
,539,0.616,540,1.156,541,1.729,542,0.987,543,0.836,544,0.94,545,2.952,546,1.342,547,0.861,548,3.139,549,2.692,550,0.271,551,0.187,552,1.276,553,2.396,554,1.648,555,4.49,556,1.214,557,1.152,558,0.938,559,2.653,560,0.912,561,1.938,562,1.214,563,0.892,564,0.34,565,0.94,566,0.572,567,5.154,568,1.486,569,2.177,570,0.892,571,1.355,572,0.382,573,3.139,574,4.495,575,4.495,576,4.495,577,2.935,578,5.242,579,3.85,580,0.31,581,3.139,582,1.262,583,1.923,584,2.397,585,2.177,586,1.522,587,1.734,588,1.729,589,1.855,590,3.139,591,2.001,592,1.522,593,4.369,594,5.242,595,4.369,596,1.62,597,4.369,598,3.85,599,5.242,600,3.85,601,3.139,602,2.397,603,2.692,604,3.139,605,2.692,606,2.692,607,2.692,608,3.139,609,3.139,610,1.734,611,4.003,612,4.49,613,3.139,614,2.692,615,2.692,616,2.692,617,2.692,618,3.139,619,1.62,620,2.177,621,2.177,622,3.139,623,3.139,624,2.263,625,5.722,626,0.987,627,1.434,628,0.3,629,0.598,630,0.675,631,0.692,632,4.49,633,1.833,634,0.528,635,4.303,636,0.716,637,0.472,638,3.139,639,2.001,640,0.698,641,2.177,642,3.139,643,3.139,644,4.49,645,3.139,646,3.139,647,0.53,648,3.577,649,0.595,650,1.214,651,0.987,652,1.729,653,0.418,654,1.729,655,0.56,656,0.283,657,0.486,658,2.001,659,0.716,660,0.692,661,0.715,662,0.848,663,3.114,664,1.522,665,3.139,666,0.892,667,2.692,668,2.177,669,3.139,670,0.53,671,1.214,672,0.987,673,0.987,674,3.139,675,2.649,676,1.729,677,4.49,678,2.177,679,2.177,680,1.62,681,1.355,682,0.636,683,4.49,684,0.987,685,1.529,686,0.385,687,0.712,688,1.569,689,3.114,690,0.729,691,2.317,692,2.397,693,0.252,694,1.486,695,3.139,696,1.49,697,1.522,698,1.282,699,0.767,700,4.49,701,3.139,702,0.688,703,1.47,704,3.139,705,1.855,706,3.794,707,2.397,708,0.53,709,2.311,710,1.282,711,1.855,712,2.692,713,1.636,714,4.49,715,1.355,716,1.486,717,0.274,718,2.692,719,4.49,720,3.139,721,3.139,722,3.139,723,2.692,724,3.139,725,0.636,726,1.737,727,3.139,728,3.114,729,3.114,730,3.114,731,3.139,732,3.139,733,1.737,734,3.114,735,3.139,736,1.648,737,5.722,738,1.217,739,1.62,740,3.139,741,1.4
34,742,3.139,743,5.242,744,0.94,745,0.692,746,1.221,747,0.99,748,2.397,749,4.49,750,3.139,751,2.001,752,3.139,753,1.093,754,1.093,755,1.152,756,0.252,757,4.49,758,0.807,759,1.522,760,0.807,761,1.434,762,2.653,763,3.139,764,0.591,765,0.716,766,3.139,767,1.214,768,0.807,769,0.5,770,3.139,771,1.041,772,3.38,773,1.214,774,2.177,775,0.716,776,0.807,777,2.692,778,2.692,779,0.716,780,1.81,781,2.177,782,0.767,783,0.591,784,0.848,785,1.62,786,3.139,787,1.855,788,3.139,789,3.139,790,0.692,791,0.624,792,0.987,793,0.987,794,0.938,795,3.139,796,3.139,797,3.85,798,1.855,799,0.938,800,2.692,801,2.177,802,0.807,803,1.355,804,2.177,805,2.963,806,3.139,807,0.274,808,1.47,809,4.369,810,4.49,811,4.49,812,2.177,813,1.938,814,3.38,815,2.862,816,0.892,817,3.139,818,3.139,819,3.139,820,3.139,821,3.139,822,3.139,823,3.139,824,3.139,825,3.139,826,1.62,827,5.242,828,3.139,829,3.139,830,3.139,831,3.139,832,2.692,833,3.139,834,3.139,835,3.139,836,3.139,837,3.139,838,2.397,839,3.139,840,3.139,841,3.139,842,3.139,843,3.139,844,5.242,845,0.16,846,2.001,847,3.139,848,5.242,849,1.276,850,0.131,851,2.177,852,1.214,853,2.397,854,3.139,855,1.522,856,0.56,857,3.85,858,3.139,859,3.139,860,3.139,861,3.139,862,2.001,863,0.472,864,1.039,865,3.139,866,3.139,867,2.397,868,1.355,869,3.139,870,3.139,871,1.355,872,0.232,873,0.187,874,3.139,875,2.692,876,2.001,877,0.716,878,1.855,879,3.139,880,2.474,881,1.729,882,0.848,883,2.177,884,1.729,885,0.801,886,2.001,887,1.355,888,0.892,889,0.56,890,0.987,891,0.892,892,2.177,893,5.722,894,0.729,895,0.758,896,2.692,897,0.424,898,1.729,899,0.5,900,1.152,901,2.692,902,0.938,903,0.472,904,3.139,905,0.445,906,0.319,907,3.139,908,1.152,909,0.56,910,3.139,911,2.692,912,0.692,913,1.039,914,1.039,915,3.139,916,3.139,917,0.231,918,0.445,919,0.367,920,0.767,921,1.039,922,1.282,923,2.692,924,2.397,925,1.855,926,1.522,927,1.214,928,0.319,929,2.397,930,2.397,931,2.692,932,1.093,933,1.093,934,2.474,935,2.692,936,1.522,937,3.139,938,2.177,939,4.49,940,3.139,941,4.49,942,3.139,943,5.242,9
44,3.139,945,2.692,946,3.139,947,3.139,948,3.139,949,1.62,950,5.242,951,5.242,952,3.139,953,3.139,954,0.367,955,3.139,956,3.139,957,3.139,958,3.139,959,3.139,960,3.139,961,3.139,962,3.139,963,3.139,964,3.139,965,3.139,966,3.139,967,3.139,968,2.692,969,3.139,970,3.139,971,3.139,972,3.139,973,2.692,974,3.139,975,3.139,976,3.139,977,3.139,978,2.177,979,1.855,980,1.62,981,3.139]],["title/aws/genai.html",[2,4.44,3,4.108,4,6.123,5,2.912,27,2.481,982,16.723,983,8.007]],["breadcrumb/aws/genai.html",[6,0.224,27,1.333,983,4.302]],["description/aws/genai.html",[4,2.081,27,1.173,60,0.779,62,1.659,102,0.197,173,0.779,188,2.172,227,0.396,240,4.634,244,1.295,303,0.584,360,3.239,365,1.908,459,2.172,527,0.305,564,0.916,566,1.539,845,0.83,982,7.906,983,3.785,984,7.451,985,4.407,986,7.037,987,3.983,988,8.982,989,2.038,990,3.414,991,8.982]],["body/aws/genai.html",[0,0.113,2,1.011,4,0.672,7,0.565,9,0.151,11,0.174,14,0.497,16,0.494,17,0.72,19,0.449,23,0.946,24,1.744,25,1.573,26,0.254,27,0.555,28,0.451,29,0.129,30,1.082,31,0.527,32,0.128,33,0.247,34,0.077,35,0.252,37,0.346,41,0.077,43,0.119,44,0.155,47,0.077,48,0.07,49,1.815,51,0.305,53,0.142,54,0.452,56,0.346,58,0.476,60,0.338,62,0.46,65,0.299,67,0.25,68,0.718,69,0.299,70,0.856,76,0.363,77,0.446,79,0.488,80,0.318,81,0.628,82,0.759,83,0.185,84,1.126,85,0.29,86,0.128,88,0.045,89,0.051,90,0.64,94,0.322,99,0.449,102,0.073,103,0.132,104,0.152,105,1.103,107,0.46,110,0.442,113,0.778,114,0.396,115,0.364,116,0.162,117,0.233,118,0.254,121,0.381,123,0.434,126,0.07,127,0.658,128,1.007,129,0.48,130,0.48,131,0.48,132,0.813,133,0.1,135,0.679,141,0.996,145,0.542,146,0.426,148,0.111,149,0.396,150,0.69,151,0.565,153,0.346,154,0.212,156,0.191,159,0.449,160,0.271,161,0.132,162,0.259,168,0.813,171,2.009,172,0.663,173,0.216,175,2.407,176,0.423,178,0.584,180,0.856,181,1.543,182,0.212,183,0.584,184,0.371,187,0.422,188,0.934,189,0.628,190,1.293,191,0.64,192,0.305,194,0.405,198,0.392,199,0.841,200,0.629,201,0.995,203,1.623,207,0.322,209,0.273,212,0.253,213,0.773,
216,0.602,218,0.55,220,1.144,221,0.515,222,0.446,227,0.164,229,1.293,232,0.897,236,2.775,239,0.346,240,2.01,241,0.599,244,0.588,245,0.761,248,2.018,249,0.352,251,1.065,252,0.582,254,0.573,256,0.806,258,1.059,263,0.422,264,0.381,270,0.46,271,0.389,273,0.488,274,0.226,275,0.702,276,0.488,277,0.422,278,0.446,279,0.216,280,0.233,281,0.446,282,0.618,284,1.161,287,0.84,288,0.195,289,1.366,293,0.79,294,0.679,298,1.024,300,0.632,301,1.161,303,0.269,304,0.422,305,0.655,308,0.759,312,0.422,313,0.762,315,2.01,316,0.643,318,0.663,322,0.735,323,0.606,326,0.698,327,0.449,328,0.396,329,0.392,330,0.392,333,1.272,338,1.633,339,0.302,340,0.504,341,0.406,342,0.984,343,0.913,344,0.206,346,0.131,350,0.809,351,0.131,352,1.339,353,0.135,363,0.712,365,0.879,366,2.273,367,3.354,368,1.738,369,2.238,370,2.157,371,3.357,373,1.95,374,1.064,376,1.339,380,2.945,381,3.133,382,3.133,383,2.517,384,1.097,388,1.509,390,3.354,391,2.714,392,1.633,393,3.618,394,0.746,395,0.746,396,3.258,397,0.895,399,3.28,400,0.968,402,2.717,403,2.717,404,1.468,405,3.258,406,2.717,407,2.717,409,2.714,410,0.217,411,0.618,412,0.618,413,0.618,414,0.182,415,0.114,416,0.147,417,0.182,418,0.328,419,0.253,420,0.253,424,1.007,425,0.616,426,0.602,427,0.897,430,0.706,432,1.424,438,0.813,439,1.103,440,0.995,441,1.036,442,0.765,443,0.9,446,0.29,447,2.195,451,0.673,452,2.963,453,2.09,454,2.238,458,3.133,459,1.014,460,3.164,463,3.618,466,2.625,467,1.806,468,1.024,470,2.514,471,2.625,472,1.225,473,0.46,475,0.813,476,2.195,480,1.641,482,0.735,487,0.366,488,0.841,490,0.968,494,2.488,496,0.371,498,0.504,499,2.151,500,1.203,504,0.422,506,1.354,508,2.945,509,1.047,511,0.489,512,0.076,513,0.573,514,0.992,516,0.897,519,0.735,521,0.618,522,0.542,523,0.627,524,0.969,526,2.669,527,0.135,528,1.082,530,1.161,531,0.584,539,0.618,543,0.505,544,1.272,545,3.429,547,0.476,550,0.273,551,0.132,552,1.284,553,2.064,554,1.806,560,0.505,562,0.856,563,0.9,564,0.412,565,1.103,566,0.715,571,1.366,572,0.352,580,0.335,582,1.571,596,0.773,610,1.9,624,2.621,626,1.6
56,627,1.447,628,0.212,630,0.679,631,1.339,633,1.293,634,0.276,636,0.72,637,0.476,640,0.602,649,0.497,651,0.995,656,0.244,657,0.507,661,0.759,666,1.497,670,0.762,672,0.851,673,0.596,682,0.64,687,0.688,691,1.495,693,0.254,697,2.554,699,1.287,708,0.762,713,1.221,716,2.089,717,0.53,725,0.449,733,1.225,736,0.995,744,0.663,746,0.596,754,1.573,756,0.254,760,1.161,764,0.596,768,1.476,774,2.19,775,0.505,776,0.813,781,2.195,782,0.773,787,2.669,790,0.698,794,0.946,802,0.813,803,1.95,808,0.813,845,0.357,849,0.9,850,0.132,852,1.747,856,1.024,863,0.679,864,1.495,872,0.424,882,0.856,888,1.284,889,0.939,891,1.795,897,0.299,899,0.505,900,1.161,903,0.476,905,0.449,906,0.584,908,1.161,909,0.806,912,0.698,917,0.233,919,0.371,921,1.047,925,2.669,928,0.714,933,1.834,934,1.744,954,0.813,979,2.669,980,3.429,982,3.749,983,1.753,984,3.492,985,2.011,986,3.308,987,1.853,988,1.744,989,0.396,991,3.346,992,0.184,993,3.165,994,2.714,995,3.165,996,2.417,997,2.417,998,2.714,999,2.879,1000,1.293,1001,0.422,1002,0.191,1003,3.354,1004,0.939,1005,1.366,1006,0.51,1007,1.047,1008,2.195,1009,1.574,1010,1.047,1011,1.561,1012,1.633,1013,1.535,1014,2.646,1015,1.744,1016,2.018,1017,1.366,1018,0.191,1019,1.047,1020,0.396,1021,1.366,1022,6.861,1023,5.743,1024,4.517,1025,2.669,1026,4.517,1027,4.517,1028,5.267,1029,5.267,1030,5.267,1031,4.517,1032,3.165,1033,1.656,1034,1.91,1035,3.133,1036,0.806,1037,3.165,1038,2.195,1039,2.115,1040,1.495,1041,2.331,1042,3.661,1043,2.879,1044,2.331,1045,3.661,1046,1.161,1047,3.132,1048,1.535,1049,1.354,1050,2.571,1051,1.633,1052,1.986,1053,4.517,1054,0.449,1055,2.349,1056,1.223,1057,3.165,1058,4.022,1059,2.195,1060,3.165,1061,3.165,1062,3.165,1063,5.267,1064,3.165,1065,3.165,1066,3.165,1067,4.516,1068,3.165,1069,2.714,1070,3.165,1071,3.165,1072,2.417,1073,3.165,1074,5.267,1075,5.743,1076,3.165,1077,4.517,1078,3.449,1079,4.385,1080,0.762,1081,3.449,1082,3.393,1083,3.449,1084,4.517,1085,3.873,1086,4.925,1087,3.873,1088,4.517,1089,4.517,1090,4.517,1091,3.165,1092,0.946,1093,3.873,10
94,3.165,1095,3.873,1096,4.517,1097,4.517,1098,3.873,1099,3.873,1100,3.165,1101,3.449,1102,2.945,1103,1.339,1104,3.133,1105,3.588,1106,3.588,1107,1.561,1108,1.795,1109,3.588,1110,2.856,1111,1.457,1112,1.103,1113,2.331,1114,2.331,1115,2.195,1116,1.393,1117,3.588,1118,3.871,1119,1.206,1120,3.165,1121,3.165,1122,1.728,1123,0.193,1124,0.946,1125,1.366,1126,1.657,1127,4.517,1128,2.064,1129,2.488,1130,1.047,1131,2.714,1132,3.165,1133,2.417,1134,3.165,1135,3.165,1136,2.714,1137,3.165,1138,3.165,1139,4.517,1140,3.164,1141,0.735,1142,2.573,1143,1.103,1144,4.517,1145,1.747,1146,1.403,1147,0.698,1148,1.447,1149,2.417,1150,2.195,1151,2.417,1152,2.963,1153,2.331,1154,2.714,1155,1.95,1156,0.946,1157,2.195,1158,1.535,1159,1.103,1160,2.717,1161,4.517,1162,4.022,1163,1.95,1164,1.161,1165,0.449,1166,0.735,1167,0.464,1168,1.185,1169,1.633,1170,0.698,1171,2.417,1172,3.661,1173,1.41,1174,3.053,1175,2.756,1176,3.84,1177,1.044,1178,4.517,1179,2.669,1180,3.996,1181,1.628,1182,1.366,1183,3.661,1184,2.195,1185,2.19,1186,0.788,1187,3.132,1188,2.417,1189,2.018,1190,1.87,1191,1.747,1192,3.346,1193,2.669,1194,2.228,1195,4.517,1196,3.165,1197,4.963,1198,3.873,1199,2.417,1200,0.946,1201,2.714,1202,4.517,1203,1.497,1204,4.517,1205,6.764,1206,4.517,1207,4.517,1208,4.517,1209,3.165,1210,6.315,1211,6.315,1212,2.901,1213,0.394,1214,4.517,1215,4.517,1216,5.267,1217,5.267,1218,3.873,1219,5.267,1220,6.073,1221,6.5,1222,6.5,1223,3.165,1224,3.165,1225,3.165,1226,3.165,1227,3.062,1228,1.497,1229,2.669,1230,0.534,1231,3.165,1232,2.018,1233,0.995,1234,3.165,1235,0.735,1236,4.517,1237,3.165,1238,0.746,1239,2.945,1240,3.357,1241,3.165,1242,1.103,1243,3.449,1244,2.195,1245,4.517,1246,2.195,1247,3.165,1248,5.743,1249,3.165,1250,4.517,1251,1.047,1252,1.403,1253,0.9,1254,2.97,1255,1.333,1256,4.637,1257,1.447,1258,1.747,1259,1.225,1260,2.714,1261,0.946,1262,1.293,1263,2.879,1264,1.535,1265,2.018,1266,2.669,1267,3.873,1268,2.195,1269,0.618,1270,0.995,1271,0.565,1272,2.714,1273,1.87,1274,1.495,1275,1.049,1276,1.943,127
7,2.714,1278,1.574,1279,1.224,1280,3.112,1281,2.669,1282,5.301,1283,1.161,1284,2.195,1285,2.018,1286,0.946,1287,1.366,1288,0.322,1289,0.856,1290,3.165,1291,2.417,1292,3.165,1293,3.165,1294,0.322,1295,3.165,1296,3.165,1297,2.195,1298,3.165,1299,2.195,1300,3.165,1301,3.165,1302,3.165,1303,2.714,1304,3.165,1305,3.165,1306,3.165,1307,3.165,1308,3.165,1309,3.165,1310,3.165,1311,3.165,1312,3.165,1313,5.743,1314,4.517,1315,2.785,1316,4.517,1317,4.517,1318,4.517,1319,3.165,1320,5.267,1321,4.517,1322,4.517,1323,3.165,1324,4.517,1325,3.165,1326,3.165,1327,3.165,1328,3.165,1329,4.517,1330,2.714,1331,3.165,1332,3.165,1333,0.505,1334,0.529,1335,2.488,1336,2.037,1337,3.165,1338,3.165,1339,3.165,1340,3.165,1341,3.165,1342,3.165,1343,1.103,1344,2.331,1345,2.018,1346,1.225,1347,3.165,1348,0.371,1349,1.87,1350,0.762,1351,2.714,1352,1.87,1353,2.195,1354,2.714,1355,3.165,1356,2.018,1357,1.225,1358,1.744,1359,1.535,1360,1.103,1361,0.396,1362,1.744,1363,1.366,1364,4.822,1365,4.379,1366,4.822,1367,5.743,1368,6.073,1369,2.018,1370,4.517,1371,6.073,1372,2.417,1373,1.42,1374,4.517,1375,1.509,1376,2.018,1377,1.049,1378,1.633,1379,2.879,1380,1.366,1381,2.195,1382,2.714,1383,2.417,1384,1.535,1385,0.856,1386,0.946,1387,3.132,1388,2.018,1389,1.366,1390,2.195,1391,3.165,1392,0.629,1393,3.165,1394,2.195,1395,3.165,1396,5.267,1397,5.267,1398,3.165,1399,6.073,1400,3.165,1401,3.165,1402,2.714,1403,1.633,1404,2.195,1405,1.447,1406,0.698,1407,3.165,1408,1.104,1409,1.744,1410,3.165,1411,4.517,1412,2.417,1413,3.165,1414,3.165,1415,3.165,1416,2.195,1417,2.714,1418,3.165,1419,3.165,1420,2.417,1421,2.714,1422,3.165,1423,0.762,1424,1.293,1425,1.161,1426,2.417,1427,3.165,1428,1.87,1429,2.714,1430,1.633,1431,3.165,1432,2.195,1433,1.161,1434,4.517,1435,1.633,1436,2.554,1437,0.698,1438,2.488,1439,2.417,1440,2.879,1441,2.064,1442,1.447,1443,3.165,1444,1.047,1445,0.698,1446,1.047,1447,1.293,1448,1.87,1449,3.165,1450,3.165,1451,2.714,1452,3.165,1453,3.165,1454,4.517,1455,3.165,1456,3.873,1457,3.165,1458,3.652,1459,4
.516,1460,3.873,1461,4.517,1462,3.873,1463,1.95,1464,3.449,1465,3.449,1466,4.517,1467,3.873,1468,3.165,1469,2.195,1470,3.165,1471,1.633,1472,1.535,1473,0.856,1474,0.9,1475,2.417,1476,3.449,1477,2.417,1478,0.856,1479,1.293,1480,2.018,1481,3.165,1482,4.022,1483,2.417,1484,2.554,1485,2.417,1486,4.022,1487,2.417,1488,3.165,1489,2.714,1490,2.714,1491,3.165,1492,2.714,1493,2.714,1494,1.535,1495,1.447,1496,1.447,1497,2.714,1498,4.517,1499,1.535,1500,2.714,1501,2.714,1502,2.714]],["title/aws/iam.html",[2,4.693,3,4.342,4,6.362,5,3.077,27,2.623,564,2.048]],["breadcrumb/aws/iam.html",[6,0.224,27,1.333,564,1.041]],["description/aws/iam.html",[4,2.649,27,1.494,33,0.739,148,0.512,175,9.487,180,2.43,253,3.123,564,1.528,630,3.123,686,1.525,873,0.866,1503,0.591,1504,5.335,1505,12.265]],["body/aws/iam.html",[0,0.12,2,1.011,3,0.527,4,0.565,5,0.544,9,0.299,11,0.173,13,0.664,15,2.134,16,0.567,17,0.491,19,0.436,20,0.679,27,0.558,28,0.372,30,0.579,32,0.075,33,0.273,34,0.184,35,0.147,37,0.484,41,0.107,43,0.159,44,0.154,45,0.542,47,0.075,48,0.075,49,1.323,50,1.196,51,0.308,53,0.176,54,0.431,56,0.657,58,0.853,60,0.287,61,1.028,62,0.611,63,1.961,64,1.328,65,0.291,66,0.338,67,0.256,68,0.553,71,1.072,73,2.146,76,0.455,77,0.325,79,0.355,80,0.186,82,0.553,83,0.182,84,1.011,85,0.294,86,0.121,87,0.579,88,0.05,89,0.054,90,0.386,91,0.679,94,0.313,95,1.328,97,1.013,98,0.806,100,0.336,102,0.085,103,0.185,104,0.213,107,0.268,109,1.256,110,0.396,111,0.336,113,0.36,114,0.751,115,0.195,116,0.11,118,0.455,119,0.706,120,1.018,121,0.405,122,0.976,123,0.466,124,0.519,125,0.832,126,0.075,127,0.385,128,0.491,129,0.507,130,0.507,131,0.507,132,1.138,133,0.106,134,0.336,135,0.463,136,2.144,140,0.313,143,0.436,145,0.418,146,0.418,148,0.159,149,0.898,150,0.484,151,0.549,152,0.519,154,0.441,156,0.267,157,1.961,159,0.436,160,0.288,161,0.291,162,0.257,165,0.524,168,0.791,169,0.92,170,0.791,172,1.258,173,0.248,175,3.263,176,0.598,178,0.313,180,0.808,182,0.379,183,0.611,184,0.36,185,1.256,186,1.961,187,0.691,189,0.336,190
,1.256,191,0.436,192,0.311,193,0.607,194,0.405,196,1.818,198,0.417,199,0.59,202,1.961,209,0.186,212,0.128,213,1.081,214,0.355,216,0.59,217,1.492,218,0.546,219,0.385,220,0.834,221,0.507,222,0.226,223,0.908,227,0.107,233,0.78,234,0.579,235,1.328,239,0.336,240,2.042,241,0.562,244,0.57,245,0.36,250,1.028,251,0.875,252,0.547,253,1.139,254,0.623,256,0.925,258,0.826,262,0.418,263,0.441,264,0.425,265,0.336,270,0.694,271,0.386,272,2.213,273,0.46,274,0.158,276,0.617,277,0.507,278,0.517,279,0.212,280,0.226,281,0.46,282,0.656,287,0.826,288,0.182,293,0.385,294,0.463,299,0.535,300,0.614,301,1.129,303,0.254,304,0.431,305,0.659,308,0.484,311,0.313,312,0.691,313,1.218,316,0.313,317,0.519,319,1.149,323,0.546,324,1.19,326,0.976,328,0.385,329,0.389,330,0.389,333,1.085,337,1.492,339,0.308,340,0.485,341,0.408,342,0.991,343,0.941,344,0.224,346,0.097,350,0.833,351,0.134,352,1.38,353,0.18,360,1.03,361,3.069,363,0.685,364,4.338,365,0.772,366,2.593,367,3.518,368,1.774,369,2.284,370,2.193,371,4.4,373,2,374,1.032,376,1.552,378,4.776,380,3.033,381,3.227,382,3.227,383,2.559,384,1.15,385,0.752,388,1.452,390,2.925,393,3.599,394,0.735,395,0.735,396,3.227,397,0.886,399,3.258,400,0.826,402,2.675,403,2.675,404,1.428,405,3.227,406,2.675,407,2.675,410,0.224,411,0.637,412,0.637,413,0.637,414,0.188,415,0.121,416,0.157,417,0.193,418,0.333,419,0.261,420,0.261,424,0.904,426,0.59,430,0.684,431,0.875,432,1.532,433,0.913,434,1.258,435,1.328,439,1.542,441,0.886,442,0.755,446,0.333,451,0.678,452,3.099,453,2.112,454,2.223,458,1.588,459,0.929,466,2.745,467,1.63,468,1.011,470,2.42,471,2.745,473,0.452,482,0.714,485,0.385,487,0.377,488,0.879,490,0.491,496,0.732,498,0.346,500,1.381,501,0.627,504,0.755,506,1.332,507,0.611,510,1.256,511,0.407,512,0.069,513,0.567,516,0.611,519,1.204,521,0.528,522,0.489,523,0.591,527,0.083,528,1.131,529,0.752,531,0.577,532,1.395,537,2.146,538,0.968,539,0.656,540,0.679,542,0.968,545,3.227,546,1.55,547,0.853,550,0.421,551,0.128,557,1.129,561,1.328,562,0.832,564,0.435,565,0.644,566,0.707,570,1
.258,580,0.345,582,1.38,583,2.295,584,3.38,585,3.069,586,2.146,588,1.695,591,2.822,592,2.146,596,1.468,610,1.876,626,0.968,628,0.296,629,0.859,630,0.78,634,0.452,636,0.491,637,0.666,640,0.879,647,0.519,649,0.418,655,0.925,656,0.166,657,0.247,659,0.491,661,0.385,666,0.875,670,1.177,673,0.976,682,0.436,684,1.392,685,0.644,686,0.564,687,0.722,688,1.085,691,1.465,693,0.517,696,0.875,697,1.492,698,1.256,699,1.267,703,1.332,713,0.832,717,0.386,718,2.638,725,0.913,728,2.134,729,3.595,730,2.134,738,0.714,744,0.927,745,1.25,746,0.834,747,0.976,748,3.38,751,1.961,754,1.542,755,1.129,756,0.517,758,0.791,760,1.544,761,1.406,764,0.579,769,0.491,771,1.126,773,1.712,776,0.791,779,0.491,780,0.92,784,1.401,791,0.611,792,0.968,793,1.63,798,2.615,802,0.791,816,1.409,845,0.288,846,1.961,856,0.789,864,1.018,872,0.462,873,0.315,885,0.789,888,0.875,890,0.968,894,1.496,897,0.535,899,1.145,902,0.92,906,0.45,912,1.143,917,0.325,918,0.851,919,0.518,920,1.385,928,0.313,954,0.36,979,1.818,985,0.832,992,0.138,1001,0.41,1002,0.186,1006,0.226,1011,1.138,1018,0.433,1019,1.465,1034,0.968,1036,0.925,1038,2.134,1040,2.308,1046,0.791,1059,2.134,1067,2.638,1078,2.35,1079,2.35,1080,1.15,1081,2.35,1082,3.063,1083,2.35,1085,2.638,1086,3.796,1087,2.638,1093,2.638,1095,3.796,1101,2.35,1107,1.332,1108,0.875,1112,2.179,1116,1.143,1122,1.611,1123,0.41,1124,1.927,1133,3.959,1140,1.695,1141,0.714,1142,1.624,1145,1.19,1146,0.752,1147,0.679,1153,1.588,1155,1.328,1170,1.607,1186,0.336,1203,0.875,1213,0.452,1232,2.822,1233,0.968,1238,0.436,1242,0.644,1252,0.752,1258,2.006,1263,1.961,1269,0.313,1270,2.027,1271,0.789,1280,2.615,1283,0.791,1284,2.134,1285,1.961,1286,1.323,1288,0.577,1294,0.528,1297,2.134,1299,2.134,1333,0.706,1334,0.703,1336,1.19,1343,2.092,1344,2.675,1348,0.607,1349,1.818,1358,1.695,1359,1.492,1362,3.309,1373,1.392,1375,0.714,1378,1.588,1383,2.35,1384,1.492,1408,0.752,1424,1.256,1437,0.976,1448,1.818,1503,0.211,1504,1.823,1505,1.818,1506,2.856,1507,1.818,1508,1.961,1509,1.818,1510,1.695,1511,2.134,1512
,3.077,1513,1.028,1514,3.077,1515,3.077,1516,3.069,1517,3.077,1518,0.875,1519,2.134,1520,1.818,1521,4.427,1522,1.588,1523,0.577,1524,2.638,1525,0.925,1526,1.807,1527,2.023,1528,2.324,1529,1.328,1530,0.92,1531,1.328,1532,2.638,1533,3.305,1534,2.35,1535,2.514,1536,2.638,1537,3.077,1538,1.624,1539,1.409,1540,1.63,1541,2.7,1542,3.077,1543,0.968,1544,1.55,1545,2.35,1546,1.961,1547,1.256,1548,1.715,1549,1.328,1550,0.92,1551,1.695,1552,2.599,1553,1.695,1554,3.069,1555,0.92,1556,1.072,1557,0.491,1558,2.134,1559,2.615,1560,1.072,1561,2.749,1562,2.134,1563,2.134,1564,0.966,1565,2.447,1566,1.647,1567,2.134,1568,3.077,1569,2.35,1570,3.077,1571,2.284,1572,0.968,1573,2.638,1574,4.329,1575,1.588,1576,3.077,1577,1.068,1578,3.077,1579,6.007,1580,4.861,1581,5.527,1582,6.255,1583,5.67,1584,6.255,1585,3.069,1586,4.427,1587,5.67,1588,4.427,1589,4.427,1590,3.077,1591,4.427,1592,4.427,1593,4.427,1594,2.35,1595,2.822,1596,3.077,1597,3.069,1598,5.76,1599,6.976,1600,6.007,1601,4.427,1602,5.67,1603,1.91,1604,4.427,1605,4.427,1606,0.976,1607,3.614,1608,3.077,1609,2.146,1610,2.284,1611,4.427,1612,2.324,1613,2.856,1614,2.822,1615,2.514,1616,1.421,1617,3.077,1618,2.782,1619,1.325,1620,2.638,1621,1.113,1622,1.807,1623,3.305,1624,1.19,1625,1.129,1626,1.392,1627,1.91,1628,1.406,1629,2.134,1630,2.35,1631,3.077,1632,1.712,1633,1.807,1634,0.579,1635,1.807,1636,2.35,1637,3.077,1638,0.491,1639,1.138,1640,2.134,1641,2.35,1642,2.638,1643,1.695,1644,2.35,1645,2.856,1646,2.134,1647,3.077,1648,3.077,1649,3.077,1650,3.077,1651,3.077,1652,3.077,1653,3.077,1654,4.329,1655,3.077,1656,3.077,1657,4.445,1658,5.184,1659,4.427,1660,4.427,1661,3.077,1662,2.638,1663,4.427,1664,4.427,1665,1.474,1666,1.19,1667,0.666,1668,3.077,1669,1.332,1670,4.427,1671,4.427,1672,2.822,1673,2.35,1674,3.077,1675,2.134,1676,1.323,1677,0.355,1678,1.072,1679,1.818,1680,0.875,1681,1.465,1682,3.796,1683,0.714,1684,2.117,1685,1.715,1686,2.638,1687,2.134,1688,2.35,1689,1.328,1690,0.92,1691,4.165,1692,2.146,1693,1.961,1694,0.735,1695,1.588,1696,0
.579,1697,3.077,1698,3.077,1699,0.92,1700,0.679,1701,2.284,1702,2.35,1703,3.595,1704,3.305,1705,2.638,1706,2.35,1707,2.134,1708,2.134,1709,0.968,1710,1.902,1711,1.328,1712,1.256,1713,2.092,1714,1.018,1715,4.427,1716,4.427,1717,2.238,1718,4.427,1719,3.077,1720,4.427,1721,3.077,1722,2.638,1723,4.427,1724,4.445,1725,5.184,1726,2.638,1727,2.638,1728,2.638,1729,3.077,1730,3.796,1731,4.427,1732,3.077,1733,3.077,1734,1.818,1735,3.077,1736,3.077,1737,2.638,1738,3.077,1739,3.077,1740,3.077,1741,5.184,1742,3.077,1743,3.077,1744,3.077,1745,3.077,1746,3.077,1747,2.638,1748,2.35,1749,3.069,1750,3.077,1751,3.077,1752,6.255,1753,3.077,1754,3.077,1755,3.077,1756,3.077,1757,1.072,1758,3.077,1759,3.077,1760,5.67,1761,4.427,1762,4.427,1763,2.134,1764,2.146,1765,1.406,1766,2.438,1767,1.961,1768,4.427,1769,1.695,1770,2.369,1771,3.959,1772,1.588,1773,1.492,1774,2.35,1775,2.638,1776,2.438,1777,1.256,1778,2.134,1779,2.638,1780,3.077,1781,1.588,1782,1.328,1783,3.077,1784,1.392,1785,2.023,1786,0.789,1787,0.879,1788,3.069,1789,1.818,1790,1.018,1791,1.256,1792,0.579,1793,1.018,1794,0.925,1795,1.328,1796,1.018,1797,3.077,1798,3.077,1799,1.961,1800,4.427,1801,3.326,1802,3.077,1803,3.077,1804,3.077,1805,3.077,1806,3.077,1807,3.077,1808,3.077,1809,3.077,1810,3.077,1811,3.077,1812,5.184,1813,6.007,1814,6.007,1815,6.007,1816,6.007,1817,3.077,1818,6.007,1819,5.184,1820,5.184,1821,3.077,1822,3.38,1823,3.077,1824,3.077,1825,3.077,1826,3.077,1827,3.077,1828,3.077,1829,3.077,1830,1.256,1831,3.077,1832,2.008,1833,2.638,1834,3.077,1835,4.427,1836,5.67,1837,3.077,1838,4.427,1839,3.077,1840,3.077,1841,3.077,1842,3.077,1843,3.077,1844,3.077,1845,3.077,1846,2.134,1847,2.35,1848,3.077,1849,3.077,1850,3.077,1851,3.077,1852,1.258,1853,2.023,1854,1.323,1855,2.134,1856,1.474,1857,3.796,1858,3.077,1859,1.406,1860,2.134,1861,1.256,1862,3.077,1863,3.077,1864,1.91,1865,1.961,1866,0.385,1867,2.638,1868,4.427,1869,1.328,1870,1.695,1871,1.588,1872,1.961,1873,2.638,1874,1.695,1875,2.134,1876,0.875,1877,1.588,1878,3.077,187
9,3.077,1880,1.818,1881,2.146,1882,3.077,1883,1.072,1884,2.822,1885,0.832,1886,0.875,1887,3.077,1888,2.134,1889,1.695,1890,2.134,1891,1.492,1892,1.806,1893,1.818,1894,2.745,1895,3.077,1896,1.961,1897,1.492,1898,1.695,1899,3.077,1900,2.638,1901,5.67,1902,2.638,1903,2.638,1904,4.427,1905,3.077,1906,3.077,1907,3.077,1908,3.077,1909,3.077,1910,3.305,1911,3.077,1912,4.427,1913,3.077,1914,1.695,1915,0.968,1916,4.427,1917,3.077,1918,2.638,1919,4.427,1920,4.427,1921,0.92,1922,2.023,1923,3.077,1924,2.134,1925,1.818,1926,2.638,1927,2.638,1928,2.35,1929,1.961,1930,1.588,1931,1.492,1932,1.492,1933,0.968,1934,3.077,1935,1.492,1936,3.077,1937,2.638,1938,1.256,1939,2.35,1940,2.35,1941,3.077,1942,3.077,1943,2.35,1944,3.077,1945,1.695,1946,1.695,1947,2.638,1948,2.134,1949,0.59,1950,1.783,1951,1.395,1952,1.712,1953,1.256,1954,1.129,1955,3.069,1956,0.549,1957,0.752,1958,1.695,1959,1.818,1960,1.129,1961,1.695,1962,1.129,1963,2.35,1964,1.588,1965,1.695,1966,1.129,1967,0.644,1968,3.077,1969,3.077,1970,3.077,1971,3.077,1972,3.077,1973,3.077,1974,0.385,1975,2.638,1976,4.427,1977,2.638,1978,3.077,1979,2.638,1980,2.35,1981,3.077,1982,2.35,1983,3.077,1984,3.077,1985,4.427,1986,3.077,1987,3.077,1988,1.695,1989,2.638,1990,2.638,1991,3.077,1992,4.427,1993,3.077,1994,2.638,1995,2.638,1996,2.638,1997,2.638,1998,3.077,1999,2.35,2000,1.492,2001,3.077,2002,3.077,2003,3.077,2004,2.638,2005,3.077,2006,0.579,2007,1.818]],["title/aws/index.html",[2,4.976,3,4.605,4,6.619,5,3.263,27,2.781]],["breadcrumb/aws/index.html",[6,0.257,27,1.532]],["description/aws/index.html",[2,2.73,4,2.706,27,1.526,28,1.393,29,0.604,89,0.167,115,1.345,244,1.684,288,0.681,511,1.438,564,1.191,845,1.079,872,1.567,1123,1.296]],["body/aws/index.html",[0,0.11,2,0.985,4,0.898,17,0.924,20,1.553,27,0.481,28,0.462,29,0.19,30,1.092,31,0.426,32,0.141,33,0.25,35,0.277,36,4.021,37,0.769,40,0.279,43,0.12,44,0.138,46,3.194,47,0.141,48,0.088,49,1.733,50,1.567,51,0.302,53,0.174,60,0.277,62,0.59,67,0.206,88,0.043,102,0.081,103,0.242,104,0.279,110,
0.405,111,0.634,115,0.446,116,0.208,117,0.426,126,0.077,153,0.634,154,0.387,173,0.277,175,2.65,180,0.679,188,0.964,212,0.242,227,0.162,240,2.001,241,0.506,244,0.574,247,1.214,249,0.387,253,0.872,274,0.208,288,0.215,300,0.506,303,0.208,346,0.108,360,1.152,365,0.824,459,0.773,468,1.034,470,2.585,471,2.65,511,0.453,512,0.088,527,0.125,564,0.406,566,0.547,629,0.773,630,0.872,652,3.194,686,0.426,691,1.918,717,0.506,725,0.822,736,1.823,745,1.279,779,1.065,845,0.34,850,0.242,872,0.544,885,1.034,894,1.346,905,1.025,906,0.59,917,0.426,982,2.812,983,1.346,984,2.65,985,1.567,986,2.503,987,1.417,988,3.194,989,0.725,990,1.214,991,3.194,1010,1.918,1123,0.408,1142,2.127,1167,0.426,1288,0.59,1356,3.696,1503,0.19,1504,1.49,1505,3.426,1538,2.127,1566,1.346,1624,2.243,1859,2.65,1889,3.194,1949,0.773,1950,2.274,1951,1.551,1974,0.725,2008,0.824,2009,1.918,2010,3.426,2011,4.427,2012,2.243,2013,2.127,2014,4.972,2015,3.194,2016,5.798,2017,1.346,2018,3.24,2019,2.65,2020,1.918,2021,3.696,2022,2.503,2023,3.426,2024,5.798,2025,2.368]],["title/aws/ir.html",[2,4.44,3,4.108,4,6.123,5,2.912,27,2.481,288,1.107,511,2.339]],["breadcrumb/aws/ir.html",[6,0.198,27,1.18,288,0.527,511,1.113]],["description/aws/ir.html",[27,1.302,30,3.408,45,1.33,219,2.263,240,5.144,275,2.411,288,0.581,511,1.228,512,0.239,564,1.017,629,2.411,691,5.988,745,3.991,873,0.755,894,4.202,917,1.33,2020,5.988,2021,11.536,2026,4.891,2027,10.692,2028,2.722,2029,6.303]],["body/aws/ir.html",[0,0.121,2,1.011,4,0.572,5,0.378,9,0.301,11,0.157,13,0.88,14,0.594,17,0.714,26,0.459,27,0.557,28,0.435,29,0.089,30,1.304,31,0.23,32,0.127,33,0.26,34,0.181,35,0.15,37,0.572,38,0.846,39,2.646,40,0.218,41,0.127,43,0.125,44,0.139,45,0.384,46,1.723,47,0.109,48,0.076,49,1.564,50,0.846,51,0.141,52,0.423,53,0.163,55,0.846,56,0.49,60,0.289,61,1.04,62,0.581,63,1.994,64,1.35,65,0.295,66,0.374,67,0.266,69,0.295,71,2.106,73,1.517,76,0.485,77,0.384,78,1.35,79,0.42,80,0.27,81,0.661,82,0.756,83,0.173,84,0.799,85,0.295,86,0.113,88,0.047,89,0.048,90,0.273,92,0.499,94
,0.532,96,0.726,97,0.964,98,0.391,100,0.342,101,0.726,102,0.081,103,0.131,104,0.252,107,0.528,108,1.43,109,1.277,110,0.366,111,0.342,112,0.589,113,0.669,114,0.654,115,0.198,116,0.16,117,0.23,118,0.556,119,0.499,120,1.035,121,0.442,122,0.69,123,0.443,124,0.528,125,0.846,126,0.08,127,0.654,128,0.834,129,0.479,130,0.479,131,0.479,132,0.804,133,0.121,134,0.624,135,0.471,136,1.645,137,0.366,138,1.215,139,1.154,140,0.674,141,0.69,143,0.741,145,0.295,146,0.494,148,0.111,149,0.391,152,0.528,154,0.299,155,2.169,156,0.27,159,1.079,160,0.292,161,0.218,162,0.256,163,5.393,164,2.754,165,0.457,167,0.726,168,0.804,170,1.151,171,1.035,172,1.317,176,0.459,178,0.615,180,0.819,181,1.094,182,0.382,183,0.712,187,0.761,188,0.697,191,0.891,192,0.311,193,0.612,194,0.398,195,1.35,198,0.38,199,0.417,206,1.019,207,0.728,209,0.27,212,0.262,213,1.094,214,0.52,216,0.597,218,0.519,219,0.935,221,0.444,222,0.526,223,0.932,226,1.933,227,0.147,232,0.89,233,0.674,234,0.843,238,1.829,239,0.342,240,2.139,241,0.621,242,0.846,244,0.602,245,0.612,246,1.345,249,0.209,250,0.726,251,0.528,252,0.541,253,1.029,254,0.68,258,0.499,259,1.56,261,1.376,262,0.5,263,0.476,264,0.27,265,0.49,266,2.682,267,2.682,268,2.682,269,2.682,270,0.733,271,0.326,273,0.23,274,0.232,275,1,276,0.581,277,0.514,278,0.514,279,0.317,280,0.329,281,0.444,282,0.532,284,1.468,287,0.834,288,0.241,289,1.35,290,1.035,294,0.674,296,1.933,297,2.469,299,0.494,300,0.457,303,0.258,304,0.382,305,0.594,308,0.572,310,1.35,311,0.4,312,0.761,313,1.061,315,1.273,316,0.64,317,0.964,318,0.938,319,0.558,322,0.726,323,0.589,326,0.69,327,0.857,328,0.391,329,0.345,330,0.345,332,0.756,333,1.196,335,1.135,339,0.289,340,0.462,341,0.394,342,0.947,343,0.787,344,0.216,346,0.132,350,0.697,351,0.131,352,1.154,353,0.205,356,2.682,357,2.682,358,2.682,359,2.682,360,1.201,363,0.666,366,1.35,367,1.614,368,0.804,369,1.035,370,1.408,373,0.889,374,0.981,376,0.69,380,2.537,381,2.7,382,2.7,383,2.308,384,1.061,388,1.215,390,2.947,392,1.614,393,3.418,394,0.635,395,0.635,396,2.947,3
97,0.809,398,2.389,399,3.05,400,0.964,402,2.311,403,2.311,404,1.412,405,2.947,406,2.311,407,2.311,410,0.187,411,0.532,412,0.532,413,0.532,414,0.181,415,0.113,416,0.139,417,0.171,418,0.31,419,0.238,420,0.218,424,0.714,425,0.366,426,0.417,430,0.659,433,0.443,438,0.804,439,1.09,441,0.635,442,0.697,443,0.889,444,0.687,446,0.322,450,1.564,451,0.654,452,2.7,453,1.978,454,2.264,456,4.487,458,2.947,459,0.923,460,2.468,461,2.682,466,2.391,467,1.645,468,0.933,469,2.311,470,2.609,471,2.391,473,0.528,475,0.804,478,2.682,480,1.414,482,1.215,484,0.843,485,0.654,487,0.316,488,0.838,490,0.964,493,1.848,496,0.758,498,0.404,499,1.277,500,1.196,501,0.741,504,0.417,507,1.039,511,0.502,512,0.097,513,0.539,514,0.985,516,1.039,517,1.21,518,0.935,519,1.04,521,0.64,522,0.494,523,0.625,526,3.091,527,0.058,528,0.985,529,0.764,531,0.456,532,0.726,534,2.389,538,0.984,539,0.581,540,0.988,543,0.714,545,3.531,547,0.787,550,0.422,554,0.984,556,1.21,558,0.935,560,1.056,564,0.408,566,0.68,570,1.487,572,0.382,574,2.682,575,2.682,577,3.212,579,3.841,580,0.214,587,1.035,602,2.389,610,1.731,611,3.42,614,2.682,615,2.682,616,2.682,617,2.682,628,0.35,629,1.014,630,0.674,631,1.154,634,0.457,636,0.714,640,0.597,648,1.848,649,0.423,650,1.21,651,0.984,652,2.882,653,0.899,655,0.933,656,0.394,659,0.499,660,1.387,661,0.843,662,1.414,666,1.487,668,2.169,670,1.118,672,0.589,682,0.635,684,0.984,685,0.655,686,0.384,687,0.686,688,0.938,690,1.04,691,1.89,693,0.42,696,1.624,697,2.172,702,0.342,710,1.829,713,0.846,716,2,717,0.625,725,0.741,726,1.21,736,1.408,738,0.726,741,1.43,745,1.678,746,0.843,753,1.09,756,0.42,760,0.804,765,0.834,769,0.499,771,0.89,775,0.714,780,1.708,783,0.843,784,1.414,791,1.316,793,1.796,799,1.339,802,1.468,807,0.273,808,1.468,816,0.621,845,0.33,849,0.889,852,1.21,856,0.799,863,0.471,864,1.035,868,1.35,871,1.35,872,0.529,873,0.238,885,1.078,889,0.558,890,1.408,894,1.768,895,0.883,897,0.539,898,1.723,899,0.964,900,1.148,903,0.674,905,0.443,906,0.581,909,1.078,912,0.988,913,1.482,914,1.035,917,0.542,
920,1.618,921,1.482,926,3.212,927,2.024,932,1.09,949,2.311,968,2.682,978,2.169,979,1.848,980,2.311,989,0.391,992,0.139,1001,0.697,1002,0.189,1006,0.476,1009,0.935,1017,1.35,1018,0.38,1020,0.56,1034,1.408,1036,0.799,1039,1.09,1040,1.731,1050,2.339,1056,0.726,1078,2.389,1079,3.42,1081,2.389,1082,2.646,1083,2.389,1092,0.655,1098,2.682,1099,2.682,1101,2.389,1110,1.733,1111,1.135,1116,0.69,1119,0.621,1122,0.764,1123,0.369,1124,1.98,1125,1.35,1126,1.643,1130,1.035,1133,2.389,1140,1.723,1141,1.04,1142,2.642,1145,1.21,1146,1.094,1147,0.988,1148,1.43,1151,2.389,1155,1.933,1156,0.935,1165,1.008,1170,1.428,1173,0.726,1174,1.35,1175,1.733,1185,1.517,1186,0.49,1228,1.273,1230,0.528,1233,1.408,1235,0.726,1238,0.443,1239,1.517,1242,0.938,1246,3.106,1252,0.764,1253,0.889,1254,1.43,1255,1.04,1257,2.391,1261,1.339,1262,2.137,1269,0.318,1271,0.558,1274,1.035,1275,1.04,1278,1.807,1279,1.329,1280,1.848,1283,1.345,1285,1.994,1286,1.339,1294,0.64,1303,3.841,1333,1.056,1334,0.775,1336,1.21,1344,2.311,1346,1.21,1348,0.801,1352,1.848,1362,2.882,1373,1.408,1375,1.215,1380,1.35,1385,0.846,1386,1.564,1389,1.35,1392,0.89,1409,3.33,1423,1.02,1425,1.92,1428,1.848,1437,0.69,1445,0.69,1447,1.277,1458,2.169,1469,2.169,1471,2.947,1474,0.889,1478,0.846,1503,0.207,1504,1.733,1508,1.994,1513,0.726,1525,0.799,1530,0.935,1531,1.35,1535,2.172,1540,0.984,1541,1.35,1548,2.192,1549,1.35,1552,2.21,1556,1.56,1557,0.499,1560,1.09,1564,0.857,1566,1.46,1567,2.169,1572,0.984,1573,2.21,1574,2.389,1577,0.589,1580,3.841,1581,3.841,1585,2.169,1598,2.682,1606,0.985,1607,2.855,1610,2.311,1618,1.933,1619,1.26,1621,1.02,1624,2.903,1625,1.643,1626,2.037,1627,1.35,1628,2.047,1638,0.499,1639,0.804,1654,3.42,1657,3.841,1665,1.788,1667,0.471,1669,1.345,1672,1.994,1676,0.935,1677,0.52,1678,1.822,1680,1.788,1688,3.995,1689,2.258,1691,3.106,1694,0.939,1695,2.311,1696,0.843,1710,1.148,1711,1.35,1714,1.482,1717,1.933,1722,2.682,1724,3.841,1726,2.682,1727,2.682,1728,2.682,1730,2.682,1737,2.682,1747,3.841,1757,1.09,1765,1.43,1766,1.723
,1787,0.89,1790,1.035,1794,0.933,1795,1.35,1832,0.935,1852,1.624,1859,3.082,1866,0.756,1869,1.933,1874,1.723,1875,2.169,1876,0.889,1883,1.56,1885,1.211,1886,0.889,1891,1.517,1915,1.645,1925,1.848,1932,2.77,1935,2.172,1952,2.024,1956,0.799,1957,0.764,1963,2.389,1966,1.148,1974,0.56,1989,3.841,1990,2.682,2000,1.517,2008,0.524,2017,1.326,2020,2,2021,4.67,2026,1.791,2027,4.202,2028,0.674,2029,2.384,2030,2.64,2031,1.277,2032,4.009,2033,2.682,2034,3.128,2035,2.682,2036,2.77,2037,1.848,2038,3.106,2039,1.643,2040,1.994,2041,1.848,2042,1.848,2043,1.614,2044,1.148,2045,2.172,2046,1.614,2047,1.796,2048,1.723,2049,2.172,2050,2.468,2051,3.106,2052,1.517,2053,3.128,2054,3.734,2055,3.841,2056,2.682,2057,1.634,2058,2.682,2059,2.389,2060,1.43,2061,1.733,2062,1.614,2063,3.961,2064,2.339,2065,1.708,2066,2.678,2067,2.389,2068,1.994,2069,2.169,2070,2.682,2071,2.682,2072,2.389,2073,1.517,2074,1.933,2075,2.047,2076,1.517,2077,2.682,2078,1.339,2079,1.848,2080,2.682,2081,0.589,2082,1.408,2083,1.487,2084,1.43,2085,2.646,2086,2.169,2087,2.389,2088,2.682,2089,3.147,2090,1.487,2091,2.682,2092,1.723,2093,1.517,2094,2.169,2095,0.655,2096,1.21,2097,2.389,2098,1.994,2099,1.21,2100,3.046,2101,3.841,2102,1.277,2103,2.024,2104,0.69,2105,4.479,2106,2.855,2107,2.389,2108,1.482,2109,0.764,2110,0.697,2111,1.09,2112,1.21,2113,1.994,2114,2.682,2115,0.985,2116,2.169,2117,2.882,2118,1.723,2119,1.723,2120,2.389,2121,2.389,2122,1.21,2123,2.169,2124,1.614,2125,2.389,2126,1.148,2127,1.09,2128,1.994,2129,2.682,2130,1.43,2131,3.42,2132,2.389,2133,2.137,2134,2.682,2135,4.479,2136,4.898,2137,3.128,2138,4.479,2139,3.128,2140,3.128,2141,1.09,2142,3.128,2143,3.128,2144,3.128,2145,2.646,2146,4.479,2147,4.479,2148,4.898,2149,3.128,2150,3.128,2151,3.42,2152,4.479,2153,2.682,2154,3.128,2155,3.128,2156,1.723,2157,2.682,2158,2.682,2159,3.128,2160,3.128,2161,3.128,2162,2.855,2163,0.935,2164,3.128,2165,3.128,2166,1.723,2167,3.128,2168,3.128,2169,4.479,2170,3.128,2171,3.128,2172,3.841,2173,3.128,2174,3.128,2175,3.128,2176,3.128,
2177,3.128,2178,3.128,2179,2.389,2180,2.682,2181,3.128,2182,3.128,2183,3.128,2184,3.128,2185,5.232,2186,4.479,2187,4.479,2188,4.479,2189,4.479,2190,3.128,2191,4.479,2192,3.128,2193,3.128,2194,3.128,2195,3.128,2196,4.487,2197,2.169,2198,2.169,2199,2.169,2200,1.277,2201,1.517,2202,3.42,2203,1.273,2204,3.128,2205,3.128,2206,3.42,2207,3.128,2208,1.848,2209,1.277,2210,2.169,2211,2.682,2212,0.984,2213,1.09,2214,1.848,2215,1.148,2216,0.621,2217,2.389,2218,2.682,2219,3.128,2220,1.92,2221,3.128,2222,2.389,2223,0.984,2224,1.21,2225,1.517,2226,3.841,2227,3.128,2228,2.169,2229,1.517,2230,3.335,2231,3.147,2232,2.169,2233,1.35,2234,2.682,2235,1.723,2236,3.128,2237,1.614,2238,2.169,2239,2.389,2240,1.994,2241,2.169,2242,2.389,2243,2.468,2244,1.35,2245,3.128,2246,3.128,2247,1.43,2248,3.128,2249,1.277,2250,3.335,2251,2.389,2252,1.723,2253,4.479,2254,5.232,2255,2.433,2256,4.487,2257,3.128,2258,3.128,2259,3.841,2260,4.479,2261,3.128,2262,3.128,2263,3.128,2264,2.682,2265,1.643,2266,3.128,2267,4.479,2268,4.479,2269,3.128,2270,2.389,2271,3.128,2272,3.128,2273,3.128,2274,3.128,2275,3.128,2276,3.128,2277,3.128,2278,3.128,2279,3.128,2280,3.128,2281,3.128,2282,3.128,2283,3.128,2284,3.128,2285,3.128,2286,3.128,2287,3.128,2288,3.128,2289,3.128,2290,3.128,2291,3.128,2292,3.128,2293,3.128,2294,2.389,2295,3.128,2296,3.128,2297,3.128,2298,3.128,2299,3.128,2300,1.994,2301,3.106,2302,2.169,2303,3.128,2304,2.311,2305,3.128,2306,4.479,2307,1.994,2308,1.994,2309,1.994,2310,3.128,2311,4.479,2312,3.128,2313,3.128,2314,3.128,2315,3.128,2316,3.42,2317,2.169,2318,3.128,2319,1.994,2320,2.169,2321,1.723,2322,2.389,2323,1.848,2324,2.682,2325,2.169,2326,2.169,2327,1.994,2328,1.731,2329,1.723,2330,3.128,2331,1.517,2332,0.589,2333,2.682,2334,2.682,2335,2.169,2336,2.389,2337,1.277,2338,1.277,2339,2.311,2340,2.169,2341,2.169,2342,2.389,2343,3.128,2344,2.682,2345,3.128,2346,1.723,2347,3.128,2348,3.128,2349,5.713,2350,4.479,2351,3.128,2352,3.128,2353,2.682,2354,3.128,2355,5.232,2356,3.128,2357,2.21,2358,2.682,2359,2.6
82,2360,3.128,2361,3.128,2362,3.128,2363,3.128,2364,3.128,2365,3.128,2366,2.682,2367,3.128,2368,2.682,2369,3.128,2370,3.128,2371,3.128,2372,3.128,2373,3.128,2374,5.232,2375,5.232,2376,4.479,2377,3.128,2378,3.128,2379,3.128,2380,4.479,2381,3.128,2382,2.389,2383,3.128,2384,3.128,2385,3.128,2386,3.128,2387,3.128,2388,3.128,2389,3.128,2390,2.682,2391,3.128,2392,3.128,2393,2.389,2394,2.389,2395,3.128,2396,2.682,2397,1.848,2398,2.389,2399,1.43,2400,1.723,2401,3.128,2402,3.128,2403,3.128,2404,3.128,2405,2.389,2406,2.169,2407,3.128,2408,3.128,2409,3.128,2410,3.128,2411,2.169,2412,1.148,2413,1.21,2414,3.128,2415,3.128,2416,1.517,2417,1.43,2418,0.935,2419,3.128,2420,3.128,2421,2.537,2422,1.994,2423,1.994,2424,2.682,2425,2.682,2426,3.128,2427,3.128,2428,3.128,2429,1.277,2430,3.128,2431,3.128,2432,1.09,2433,1.35,2434,0.984,2435,2.855,2436,1.21,2437,3.128,2438,3.128,2439,2.646,2440,2.682,2441,4.479,2442,1.21,2443,3.128,2444,0.471,2445,3.128,2446,3.128,2447,3.128]],["title/aws/kubernetes.html",[2,4.693,3,4.342,4,6.362,5,3.077,27,2.623,1950,11.462]],["breadcrumb/aws/kubernetes.html",[6,0.224,27,1.333,1949,2.469]],["description/aws/kubernetes.html",[2,1.728,4,1.713,27,0.966,33,0.478,37,1.467,40,0.56,41,0.326,44,0.278,51,0.606,53,0.494,67,0.478,115,0.851,176,1.078,212,0.56,244,1.066,274,0.48,468,2.394,470,5.193,527,0.251,551,0.56,717,1.171,779,2.14,850,0.56,872,0.992,1167,0.986,1503,0.382,1949,1.788,1950,7.532,1951,4.65,1974,1.678,2018,6.509,2022,5.793,2023,7.931,2448,9.308,2449,10.25,2450,10.25,2451,4.221]],["body/aws/kubernetes.html",[0,0.113,2,1.01,3,0.62,4,0.955,5,0.577,7,0.711,9,0.213,11,0.175,13,0.521,14,0.293,19,0.439,23,0.927,25,1.55,26,0.418,27,0.556,28,0.342,30,0.584,31,0.418,32,0.152,33,0.269,34,0.163,35,0.3,37,0.764,38,1.943,40,0.306,41,0.146,43,0.149,44,0.147,45,0.461,47,0.075,48,0.041,49,1.875,51,0.325,53,0.184,54,0.297,58,0.669,60,0.309,65,0.492,66,0.373,67,0.268,69,0.293,70,0.838,73,1.504,76,0.531,77,0.461,79,0.457,80,0.314,81,0.339,82,0.388,83,0.178,85,0.291,86,0.13
4,88,0.05,89,0.051,90,0.634,92,0.494,93,1.338,94,0.316,99,0.631,102,0.084,103,0.129,104,0.149,106,0.494,107,0.271,113,0.609,114,0.651,115,0.398,116,0.159,117,0.228,118,0.503,121,0.187,123,0.462,124,0.878,126,0.041,127,0.388,128,0.907,129,0.421,130,0.421,131,0.452,133,0.099,135,0.669,140,0.453,143,0.439,145,0.293,146,0.42,148,0.184,149,0.388,150,0.486,154,0.207,156,0.187,159,0.439,160,0.281,161,0.289,162,0.252,164,1.817,168,0.797,173,0.3,175,1.417,176,0.457,178,0.53,180,0.705,182,0.297,183,0.316,184,0.363,188,0.921,189,0.339,191,0.631,192,0.309,193,0.666,194,0.407,198,0.428,199,0.897,200,1.13,203,1.462,207,0.704,209,0.364,211,0.932,212,0.237,214,0.574,216,0.593,220,0.838,221,0.443,222,0.536,223,0.946,225,0.758,227,0.157,229,1.266,230,0.72,233,0.783,238,1.266,240,2.003,241,0.454,242,1.407,244,0.607,245,0.521,249,0.419,250,1.321,252,0.519,254,0.569,256,0.553,258,1,261,0.884,262,0.297,263,0.418,264,0.412,270,0.638,271,0.369,272,0.975,274,0.264,275,0.593,277,0.443,278,0.475,279,0.148,280,0.327,281,0.461,284,0.797,287,0.494,288,0.207,291,2.561,293,0.651,294,0.669,298,1.074,299,0.61,300,0.641,301,1.138,303,0.254,304,0.442,305,0.675,307,1.708,308,0.722,311,0.378,312,0.413,313,1.058,315,0.881,316,0.579,317,0.96,318,0.649,319,0.553,323,0.596,324,1.722,326,0.684,327,0.738,328,0.711,329,0.406,330,0.406,333,0.932,338,1.6,339,0.304,341,0.407,342,0.987,343,0.466,344,0.247,346,0.128,350,0.836,351,0.14,352,1.425,353,0.194,360,0.884,363,0.715,366,1.338,367,1.6,368,1.462,369,1.473,370,0.975,373,1.265,374,0.631,380,3.041,381,3.236,382,3.236,383,2.563,384,1.115,385,0.758,388,1.5,390,3.567,393,2.936,394,0.439,395,0.439,396,2.296,397,0.631,399,2.525,400,0.71,402,1.6,403,1.6,404,1.463,405,2.296,406,1.6,407,1.6,414,0.214,415,0.134,416,0.146,417,0.181,418,0.326,419,0.251,420,0.251,424,0.907,425,0.609,426,0.758,427,1.13,430,0.685,433,0.936,438,0.797,441,0.915,442,0.593,443,1.265,446,0.272,451,0.635,452,3.109,453,2.174,454,2.26,458,3.109,459,0.952,460,3.319,466,2.753,467,1.972,468,1.246,469,2.
686,470,2.747,471,2.952,473,0.596,476,2.15,484,0.838,485,0.556,487,0.39,488,0.861,490,1.054,491,1.266,496,0.521,498,0.471,499,2.126,500,1.191,501,0.631,504,0.694,506,0.797,507,0.884,511,0.457,512,0.087,513,0.569,514,0.98,519,0.72,521,0.613,522,0.293,523,0.624,524,0.96,527,0.128,528,1.135,531,0.316,532,1.033,537,1.504,539,0.579,540,0.684,543,0.71,544,0.649,545,3.472,546,1.801,547,0.856,550,0.39,551,0.289,558,1.33,563,0.881,564,0.418,565,0.649,566,0.714,567,3.976,570,1.265,571,1.338,572,0.297,577,2.158,580,0.309,582,0.982,586,1.504,587,1.473,593,2.368,595,2.368,596,1.472,597,2.368,598,2.659,600,2.659,610,1.882,626,0.975,628,0.297,629,0.413,634,0.526,635,3.627,636,0.494,637,0.669,640,0.758,641,2.158,647,0.751,649,0.537,650,1.2,651,1.4,653,0.413,655,0.794,656,0.281,657,0.484,659,0.494,661,0.651,664,1.504,666,1.617,670,0.96,672,0.838,675,1.2,682,0.631,687,0.723,688,0.932,691,2.137,693,0.418,694,1.993,699,0.758,703,1.144,706,1.6,708,0.523,709,2.088,711,1.832,713,1.538,717,0.615,723,3.816,725,1.013,726,1.722,728,2.15,729,2.15,730,2.15,733,1.2,736,0.975,746,0.98,747,0.982,751,1.976,753,1.08,754,1.08,756,0.418,758,0.797,759,1.504,760,0.797,762,1.832,764,0.584,769,0.494,773,1.2,775,0.71,779,1.23,782,0.758,783,0.584,791,0.884,792,0.975,793,1.637,799,0.927,807,0.271,816,0.616,826,1.6,838,2.368,845,0.265,850,0.27,872,0.488,873,0.281,877,0.494,885,1.152,886,2.837,887,1.921,888,1.265,889,0.929,890,2.031,892,2.15,894,0.72,895,0.751,897,0.592,899,0.96,902,0.927,903,0.669,906,0.579,908,1.138,909,0.553,912,1.148,913,1.026,917,0.443,919,0.609,920,0.758,922,1.266,927,1.722,928,0.53,932,1.08,954,0.363,973,2.659,978,2.15,979,1.832,980,1.6,987,1.578,990,1.353,992,0.126,1001,0.593,1002,0.187,1005,1.338,1006,0.418,1009,1.556,1011,0.797,1018,0.187,1020,0.651,1021,1.338,1025,2.63,1033,0.975,1036,1.015,1039,1.08,1054,0.439,1055,1.2,1058,3.398,1059,4.178,1072,2.368,1080,1.058,1082,3.56,1103,0.684,1110,2.604,1111,0.616,1112,1.813,1113,2.296,1114,1.6,1116,1.255,1123,0.437,1128,2.034,1129,1.708,114
0,2.452,1141,1.563,1145,1.2,1147,0.684,1156,0.927,1164,1.138,1165,0.631,1167,0.513,1170,0.684,1173,1.033,1177,0.466,1186,0.486,1201,2.659,1213,0.526,1228,0.881,1233,0.975,1235,0.72,1238,0.99,1242,0.932,1246,3.086,1255,1.033,1268,2.15,1269,0.579,1270,0.975,1271,0.553,1274,1.026,1280,3.076,1287,1.338,1288,0.613,1289,1.628,1294,0.316,1297,2.15,1299,2.15,1315,2.525,1330,3.816,1333,0.71,1334,0.609,1335,1.708,1344,1.6,1346,1.2,1348,0.521,1350,0.523,1358,1.708,1360,1.08,1392,0.616,1406,0.684,1409,2.452,1416,2.15,1423,1.017,1437,1.148,1442,1.417,1444,1.026,1446,1.026,1458,2.15,1459,2.659,1463,1.921,1464,3.398,1465,2.368,1469,2.15,1471,2.936,1472,2.922,1473,1.203,1474,1.48,1475,2.368,1476,2.368,1477,2.368,1478,0.838,1479,1.817,1482,2.368,1483,2.368,1484,2.525,1485,2.368,1486,3.976,1487,2.368,1494,2.158,1495,1.417,1496,1.417,1499,1.504,1503,0.215,1513,0.72,1516,3.086,1523,0.752,1525,0.794,1540,0.975,1556,1.55,1566,0.72,1567,2.15,1569,2.368,1571,1.6,1577,0.98,1606,1.135,1607,3.319,1619,0.684,1621,0.523,1624,1.2,1633,2.126,1634,1.245,1635,1.266,1638,0.71,1639,0.797,1667,0.669,1672,2.837,1673,2.368,1677,0.249,1680,0.881,1681,1.723,1683,0.72,1684,2.126,1685,1.026,1694,0.439,1700,0.684,1713,1.08,1769,1.708,1773,1.504,1786,1.152,1787,0.616,1792,0.584,1794,0.794,1796,1.026,1830,1.817,1852,0.881,1853,1.417,1854,1.701,1855,2.15,1859,2.379,1864,1.338,1866,0.556,1870,1.708,1873,2.659,1880,1.832,1889,1.708,1891,1.504,1910,1.976,1946,1.708,1949,1.005,1950,2.441,1951,1.777,1952,1.2,1953,1.817,1954,1.138,1955,4.349,1956,1.015,1957,0.758,1964,1.6,1966,1.138,1974,0.711,1975,2.659,1979,3.816,1980,4.6,1982,2.368,2006,0.98,2017,0.72,2018,3.133,2020,1.026,2022,3.085,2023,3.905,2026,1.888,2060,1.417,2061,1.2,2065,0.927,2067,2.368,2073,1.504,2074,1.338,2081,0.584,2082,0.975,2083,1.265,2090,1.48,2099,1.2,2108,1.026,2110,0.413,2115,1.315,2117,1.708,2148,3.816,2179,2.368,2180,2.659,2202,3.398,2203,1.48,2212,0.975,2220,1.633,2229,2.158,2304,1.6,2332,0.584,2357,1.2,2382,2.368,2398,2.368,2399,1.417,2411,
2.15,2434,1.4,2444,0.466,2448,4.349,2449,2.368,2451,2.391,2452,1.266,2453,3.101,2454,1.976,2455,1.417,2456,3.101,2457,2.15,2458,1.708,2459,3.101,2460,2.368,2461,1.473,2462,2.659,2463,3.604,2464,4.451,2465,4.451,2466,5.207,2467,1.033,2468,3.998,2469,3.84,2470,1.976,2471,2.368,2472,3.086,2473,1.708,2474,3.627,2475,1.832,2476,1.09,2477,0.975,2478,1.6,2479,3.705,2480,4.844,2481,5.69,2482,3.101,2483,3.101,2484,5.69,2485,2.659,2486,2.368,2487,3.816,2488,5.207,2489,4.451,2490,4.451,2491,6.271,2492,4.451,2493,4.451,2494,6.025,2495,5.207,2496,3.101,2497,4.451,2498,3.101,2499,3.101,2500,3.101,2501,5.539,2502,4.451,2503,5.207,2504,3.101,2505,3.101,2506,3.101,2507,3.101,2508,3.101,2509,3.101,2510,3.101,2511,3.101,2512,3.101,2513,4.451,2514,3.101,2515,3.101,2516,3.101,2517,2.368,2518,4.451,2519,2.659,2520,3.101,2521,3.101,2522,3.101,2523,3.101,2524,3.101,2525,2.659,2526,3.101,2527,3.101,2528,3.101,2529,3.101,2530,3.101,2531,3.101,2532,3.101,2533,3.101,2534,3.101,2535,3.101,2536,3.101,2537,3.101,2538,3.101,2539,2.098,2540,4.736,2541,3.524,2542,3.56,2543,3.319,2544,4.035,2545,4.035,2546,2.922,2547,2.15,2548,4.451,2549,5.207,2550,4.451,2551,1.921,2552,5.207,2553,2.659,2554,3.101,2555,2.659,2556,3.101,2557,5.69,2558,5.207,2559,1.832,2560,3.398,2561,3.101,2562,3.101,2563,1.6,2564,1.976,2565,3.101,2566,1.976,2567,3.101,2568,3.101,2569,3.101,2570,2.659,2571,3.56,2572,3.101,2573,1.417,2574,2.837,2575,2.098,2576,1.993,2577,1.982,2578,1.708,2579,2.368,2580,2.247,2581,3.976,2582,4.046,2583,1.026,2584,2.659,2585,2.158,2586,2.659,2587,3.101,2588,1.976,2589,2.452,2590,1.538,2591,3.101,2592,1.832,2593,2.15,2594,3.101,2595,3.101,2596,6.025,2597,3.101,2598,3.101,2599,3.101,2600,2.659,2601,3.398,2602,3.101,2603,3.101,2604,3.101,2605,3.101,2606,2.15,2607,2.659,2608,3.101,2609,2.368,2610,3.101,2611,3.101,2612,3.101,2613,3.101,2614,3.101,2615,3.101,2616,3.101,2617,3.101,2618,2.659,2619,1.6,2620,2.368,2621,1.504,2622,3.101,2623,1.708,2624,2.368,2625,3.101,2626,2.15,2627,2.15,2628,1.417,2629,1.417,263
0,3.708,2631,3.61,2632,1.504,2633,0.975,2634,4.451,2635,4.451,2636,3.101,2637,3.101,2638,3.101,2639,3.101,2640,3.101,2641,3.101,2642,3.101,2643,3.101,2644,4.464,2645,1.266,2646,1.6,2647,1.976,2648,2.15,2649,3.101,2650,3.101,2651,3.101,2652,3.101,2653,3.101,2654,3.101,2655,3.816,2656,0.649,2657,2.296,2658,2.659,2659,1.976,2660,4.451,2661,3.101,2662,3.101,2663,3.101,2664,3.101,2665,1.504,2666,1.504,2667,3.101,2668,2.15,2669,2.15,2670,2.659,2671,3.101,2672,2.659,2673,2.15,2674,3.101,2675,1.832,2676,3.398,2677,1.338,2678,1.338,2679,1.6,2680,3.101,2681,5.377,2682,1.976,2683,1.832,2684,2.247,2685,2.659,2686,0.523,2687,1.993,2688,3.076,2689,1.338,2690,1.6,2691,2.452,2692,1.504,2693,1.637,2694,0.684,2695,1.832,2696,2.15,2697,3.101,2698,3.101,2699,3.101,2700,2.368,2701,1.6,2702,3.101,2703,3.101,2704,2.63,2705,4.451,2706,3.101,2707,3.101,2708,3.101,2709,3.101,2710,3.101,2711,3.101,2712,3.101,2713,3.101,2714,4.451,2715,4.451,2716,3.101,2717,4.451,2718,3.101,2719,3.101,2720,3.101,2721,3.101,2722,2.368,2723,3.101,2724,2.659,2725,3.101,2726,3.101,2727,3.101,2728,3.101,2729,2.659,2730,1.138,2731,1.708,2732,1.708,2733,1.708,2734,2.659,2735,4.451,2736,3.101,2737,2.15,2738,3.101,2739,1.417,2740,3.101,2741,3.101,2742,3.101,2743,3.101,2744,1.976,2745,1.708,2746,3.101,2747,2.659,2748,3.101,2749,2.659,2750,3.398,2751,3.101,2752,3.333,2753,3.816,2754,3.816,2755,3.101,2756,2.659,2757,3.101,2758,3.101,2759,3.101,2760,3.086,2761,3.101,2762,3.101,2763,3.101,2764,1.6,2765,2.368,2766,2.368,2767,3.101,2768,2.659,2769,3.101,2770,3.101,2771,2.659,2772,3.101,2773,2.368,2774,2.659,2775,2.659,2776,2.659,2777,2.659,2778,3.101,2779,1.338,2780,3.101,2781,3.101,2782,3.101,2783,3.101,2784,3.101,2785,3.101,2786,3.101,2787,3.101,2788,3.101,2789,3.101,2790,3.101,2791,3.101,2792,3.101,2793,3.086,2794,3.101,2795,2.659,2796,2.659,2797,2.659,2798,2.659,2799,3.816,2800,2.659,2801,4.464,2802,2.659,2803,2.368,2804,3.101,2805,2.15,2806,2.659,2807,2.659,2808,3.101,2809,4.464,2810,3.319,2811,3.101,2812,3.101,2813,3.39
8,2814,3.101,2815,1.633,2816,3.101,2817,2.659,2818,3.816,2819,3.101,2820,3.101,2821,2.368,2822,1.338,2823,2.659,2824,2.15,2825,1.976,2826,2.659,2827,2.659,2828,1.708,2829,4.451,2830,1.708,2831,1.976,2832,2.15,2833,1.708,2834,3.101,2835,3.101,2836,3.101,2837,1.976,2838,3.101,2839,4.451,2840,4.451,2841,3.101,2842,4.451,2843,4.451,2844,3.101,2845,3.101,2846,3.101,2847,3.101,2848,3.101,2849,3.101,2850,3.101,2851,4.451,2852,3.101,2853,2.368,2854,1.138,2855,3.101,2856,3.101,2857,2.659,2858,2.368]],["title/aws/logging.html",[2,5.954,3,3.898,4,5.902,5,2.763,27,2.354,244,2.599,845,1.665]],["breadcrumb/aws/logging.html",[2,1.895,6,0.178,27,1.059,244,1.169,845,0.749]],["description/aws/logging.html",[2,2.247,27,1.741,28,1.146,30,3.287,188,2.326,219,2.183,240,6.878,241,1.523,244,1.922,275,2.326,360,3.468,470,6.753,547,2.626,725,2.474,845,0.888,872,1.29,885,3.113,1624,6.753,1859,7.978,2017,4.053,2027,10.314]],["body/aws/logging.html",[0,0.118,2,1.011,4,0.674,5,0.486,6,0.038,9,0.291,11,0.128,13,0.849,14,0.428,16,0.496,17,0.507,19,0.451,24,2.91,26,0.424,27,0.556,28,0.504,29,0.19,30,1.43,33,0.262,34,0.182,35,0.311,37,0.727,38,1.556,39,2.679,40,0.254,41,0.14,42,3.596,43,0.144,44,0.126,45,0.333,46,1.754,47,0.077,48,0.081,49,1.819,50,0.86,51,0.275,53,0.185,54,0.407,55,0.86,56,0.348,59,1.881,60,0.324,61,1.227,62,0.752,63,2.029,64,1.374,65,0.428,66,0.352,67,0.254,68,0.398,69,0.544,71,1.84,76,0.534,77,0.388,79,0.523,80,0.347,81,0.712,82,0.398,83,0.178,84,0.809,85,0.283,86,0.114,87,0.599,88,0.047,89,0.048,90,0.531,91,0.702,92,0.723,93,0.818,94,0.586,95,1.374,96,1.512,97,0.891,98,0.661,99,0.643,100,0.577,101,0.739,102,0.079,103,0.133,104,0.153,105,1.109,106,0.507,107,0.396,110,0.223,113,0.793,114,0.72,115,0.386,121,0.274,123,0.435,126,0.07,128,0.507,129,0.48,130,0.48,131,0.48,133,0.115,135,0.479,137,0.373,140,0.461,145,0.499,146,0.544,148,0.18,149,0.398,150,0.348,152,0.537,153,0.348,159,1.076,160,0.189,161,0.303,162,0.242,164,2.658,165,0.461,168,1.165,169,1.579,172,1.532,178,0.324,181,1.10
8,182,0.213,183,0.538,184,0.373,187,0.424,188,0.767,191,0.816,192,0.319,193,0.762,194,0.412,198,0.427,203,1.165,206,0.809,207,0.644,208,2.431,209,0.382,211,0.666,212,0.264,214,0.489,216,0.424,218,0.533,219,0.761,220,0.599,221,0.465,222,0.558,225,1.291,226,1.374,227,0.11,229,1.3,230,1.053,232,0.632,233,0.866,234,0.599,236,2.414,240,2.181,241,0.672,244,0.612,245,0.618,246,0.818,247,1.206,249,0.353,251,0.765,252,0.256,254,0.628,256,0.568,258,0.97,259,1.84,260,1.001,262,0.482,263,0.388,270,0.763,271,0.285,272,2.047,273,0.234,274,0.246,275,0.966,276,0.508,277,0.511,278,0.52,279,0.338,280,0.388,281,0.423,282,0.586,284,1.165,285,2.228,287,0.723,288,0.217,290,1.905,291,1.3,292,0.461,296,1.374,300,0.396,302,1.664,303,0.262,304,0.385,305,0.649,308,0.496,311,0.382,312,0.424,316,0.538,317,0.765,318,1.106,319,1.128,323,0.618,326,1.494,327,0.862,328,0.398,329,0.367,330,0.367,331,1.231,333,1.106,334,2.029,339,0.298,340,0.423,341,0.402,342,0.971,343,0.866,344,0.114,345,3.463,346,0.136,350,0.767,351,0.124,352,1.27,353,0.212,354,2.113,360,1.506,363,0.688,365,0.531,374,0.643,380,2.792,381,2.971,382,2.971,383,2.442,384,1.067,388,1.413,390,3.264,393,3.434,394,0.643,395,0.643,396,2.971,397,0.816,398,2.431,399,3.068,400,0.842,402,2.34,403,2.34,404,1.455,405,2.971,406,2.34,407,2.34,410,0.206,411,0.586,412,0.586,413,0.586,414,0.173,415,0.108,416,0.14,417,0.173,418,0.318,419,0.24,420,0.24,422,2.729,425,0.531,426,0.604,430,0.714,431,0.905,433,0.943,440,1.001,442,0.767,443,0.905,444,0.348,446,0.328,451,0.656,452,2.971,453,2.093,454,2.202,458,2.971,459,0.887,460,3.172,466,2.631,467,1.811,468,1.027,469,2.34,470,2.447,471,2.631,473,0.278,481,2.575,482,1.337,484,0.995,485,0.398,487,0.367,488,0.811,490,0.97,491,1.3,493,2.679,496,0.674,498,0.407,499,1.852,500,1.106,501,0.451,504,0.604,506,1.358,511,0.442,512,0.06,513,0.499,514,0.854,516,0.901,519,0.739,520,0.942,521,0.586,522,0.628,523,0.597,524,0.765,525,3.993,526,1.881,527,0.06,528,0.995,529,0.778,530,1.168,531,0.586,532,1.053,533,2.679,534,2.431,
538,1.426,539,0.324,543,0.507,545,2.971,546,0.952,547,1.154,550,0.367,551,0.22,552,0.905,556,1.231,557,1.664,558,1.356,559,2.679,560,0.842,562,0.86,564,0.374,565,0.666,566,0.597,570,1.289,572,0.385,576,2.729,577,3.284,580,0.291,582,1,583,1.168,586,1.544,593,2.431,595,2.431,596,0.778,597,2.431,602,2.431,603,2.729,605,2.729,606,2.729,607,2.729,610,1.748,626,1.989,627,1.455,628,0.213,629,0.424,631,1,634,0.606,636,1.061,640,0.424,649,0.575,651,1.426,653,0.767,654,1.754,655,0.809,656,0.245,657,0.364,659,0.723,661,0.661,662,1.428,668,2.207,670,0.891,672,0.599,673,0.995,682,0.643,685,1.106,686,0.423,687,0.714,688,1.106,690,0.739,691,1.053,693,0.489,698,1.3,699,0.778,702,0.348,703,1.165,707,2.431,716,1.905,717,0.568,725,1.055,736,1.001,738,1.512,741,1.455,744,0.666,745,1,746,0.599,747,1.27,754,1.109,755,1.168,756,0.523,758,0.818,760,1.165,764,1.146,765,0.507,768,1.626,769,0.723,778,3.889,780,0.952,790,0.702,791,0.901,792,1.426,793,1.426,794,0.952,803,1.374,807,0.278,808,1.165,826,2.34,845,0.371,849,1.502,852,1.231,857,2.729,862,2.029,863,0.479,864,1.053,872,0.527,873,0.254,882,1.226,883,2.207,884,1.754,885,1.161,886,2.891,888,0.905,889,0.568,890,1.001,895,1.027,897,0.628,898,1.754,899,0.918,902,0.952,903,0.479,906,0.461,909,0.568,913,1.053,914,1.053,917,0.447,919,0.762,920,0.778,922,2.485,928,0.324,932,1.109,949,1.642,978,2.207,980,1.642,985,1.226,987,0.778,989,0.398,990,0.666,992,0.11,1002,0.367,1004,0.568,1006,0.333,1010,2.154,1018,0.274,1020,0.567,1036,0.809,1040,1.053,1049,1.48,1050,1.231,1052,1.001,1059,2.207,1082,1.881,1092,0.95,1103,0.702,1108,1.289,1116,0.702,1122,0.778,1123,0.194,1124,0.952,1126,1.664,1131,2.729,1140,2.498,1142,2.598,1143,1.109,1145,1.754,1146,1.108,1147,0.702,1156,1.356,1159,1.109,1165,0.862,1166,1.469,1167,0.333,1170,0.702,1173,1.227,1175,1.754,1181,1.227,1182,1.957,1187,2.207,1213,0.502,1228,1.502,1230,0.765,1233,1.426,1235,0.739,1238,0.749,1242,0.95,1246,3.663,1252,0.778,1257,1.455,1258,1.231,1259,1.231,1261,0.952,1264,1.544,1269,0.324,1274,1.0
53,1275,1.337,1276,1.356,1278,1.356,1279,0.995,1283,1.48,1285,4.431,1286,0.952,1333,0.507,1334,0.373,1335,1.754,1348,0.531,1350,0.765,1354,2.729,1357,2.62,1360,1.109,1361,0.398,1392,1.345,1408,0.778,1423,0.537,1425,1.168,1433,1.938,1435,1.642,1445,0.702,1471,1.642,1505,1.881,1508,2.029,1510,1.754,1511,2.207,1518,0.905,1520,1.881,1523,0.461,1528,1.231,1531,1.374,1541,1.957,1543,1.661,1544,0.952,1553,1.754,1557,0.507,1564,0.451,1566,1.227,1567,2.207,1572,1.914,1573,1.231,1577,1.084,1606,0.854,1607,2.029,1610,3.434,1618,1.957,1619,0.702,1621,0.765,1624,2.849,1625,1.168,1626,1.001,1638,0.507,1643,1.754,1654,2.431,1667,0.682,1672,2.029,1673,2.431,1676,1.579,1677,0.568,1678,1.109,1680,0.905,1681,1.748,1683,1.053,1684,1.852,1709,1.001,1712,1.3,1713,1.109,1714,1.053,1717,1.374,1757,1.84,1767,2.029,1770,1.455,1787,1.209,1794,0.568,1830,1.3,1852,0.905,1859,2.631,1860,2.207,1866,0.949,1871,1.642,1876,0.905,1883,2.359,1885,1.76,1896,2.029,1910,2.029,1915,1.426,1922,2.073,1933,1.426,1949,0.424,1950,1.989,1951,0.739,1956,0.809,1974,0.567,2017,1.572,2019,1.455,2021,3.67,2026,1.226,2027,4.001,2030,2.204,2036,1.544,2045,1.544,2046,1.642,2047,1.001,2048,1.754,2057,0.86,2061,1.231,2068,2.029,2069,2.207,2074,1.374,2081,0.854,2082,1.426,2083,1.798,2084,1.455,2093,2.562,2098,2.029,2104,0.702,2109,0.778,2110,0.604,2111,1.109,2112,1.231,2124,3.434,2132,2.431,2133,1.3,2200,1.3,2201,1.544,2202,2.431,2206,3.463,2212,1.001,2215,1.168,2216,0.901,2220,1.664,2226,2.729,2259,2.729,2304,2.34,2307,2.029,2308,2.029,2328,1.053,2329,1.754,2337,1.3,2338,1.3,2341,2.207,2342,2.431,2346,1.754,2353,2.729,2357,2.84,2358,2.729,2359,2.729,2366,2.729,2382,2.431,2390,2.729,2416,1.544,2421,1.544,2422,2.029,2429,1.852,2432,1.109,2434,1.661,2461,1.053,2467,0.739,2478,1.642,2609,5.586,2669,2.207,2677,1.374,2679,1.642,2687,1.5,2688,1.881,2690,2.34,2692,2.199,2701,2.34,2739,1.455,2764,1.642,2793,2.207,2859,2.726,2860,4.22,2861,2.891,2862,2.731,2863,3.183,2864,1.642,2865,2.431,2866,2.431,2867,1.374,2868,2.233,2869,1.54
4,2870,1.642,2871,3.889,2872,2.207,2873,2.431,2874,1.455,2875,1.001,2876,1.881,2877,2.729,2878,2.029,2879,3.183,2880,2.729,2881,2.891,2882,3.183,2883,1.374,2884,2.029,2885,2.891,2886,2.679,2887,2.207,2888,2.207,2889,2.029,2890,2.207,2891,3.183,2892,2.431,2893,3.183,2894,2.199,2895,3.183,2896,6.086,2897,4.535,2898,4.535,2899,5.758,2900,4.535,2901,4.535,2902,2.3,2903,3.183,2904,3.183,2905,5.758,2906,5.283,2907,5.283,2908,5.283,2909,4.535,2910,3.183,2911,4.535,2912,3.183,2913,5.283,2914,6.086,2915,5.758,2916,5.283,2917,5.283,2918,4.535,2919,6.086,2920,4.535,2921,4.535,2922,4.535,2923,5.283,2924,4.53,2925,4.535,2926,5.758,2927,5.283,2928,3.183,2929,4.535,2930,3.183,2931,4.535,2932,3.183,2933,3.183,2934,3.183,2935,3.183,2936,3.183,2937,3.183,2938,3.183,2939,3.183,2940,2.431,2941,3.889,2942,3.183,2943,3.183,2944,3.183,2945,3.183,2946,2.431,2947,2.207,2948,3.183,2949,6.086,2950,6.086,2951,3.183,2952,4.535,2953,4.535,2954,3.183,2955,4.535,2956,3.183,2957,3.183,2958,2.029,2959,2.431,2960,3.183,2961,3.183,2962,1.231,2963,3.183,2964,3.183,2965,2.729,2966,2.431,2967,1.754,2968,1.881,2969,4.535,2970,3.183,2971,3.183,2972,2.431,2973,3.183,2974,3.183,2975,3.183,2976,1.374,2977,3.145,2978,4.535,2979,1.754,2980,2.729,2981,4.53,2982,1.374,2983,1.642,2984,3.183,2985,1.3,2986,2.073,2987,3.183,2988,3.183,2989,3.183,2990,4.535,2991,4.535,2992,4.535,2993,3.183,2994,5.283,2995,5.283,2996,3.183,2997,3.183,2998,4.535,2999,4.535,3000,4.535,3001,4.535,3002,3.183,3003,3.183,3004,3.183,3005,3.183,3006,3.183,3007,3.183,3008,3.183,3009,2.029,3010,3.183,3011,2.891,3012,3.183,3013,3.183,3014,2.207,3015,6.086,3016,3.183,3017,1.881,3018,2.729,3019,2.199,3020,2.729,3021,3.183,3022,5.283,3023,3.183,3024,3.183,3025,3.183,3026,3.183,3027,2.207,3028,3.183,3029,2.498,3030,3.183,3031,1.881,3032,6.655,3033,4.971,3034,1.544,3035,4.535,3036,1.001,3037,2.431,3038,3.145,3039,0.537,3040,3.183,3041,1.754,3042,5.425,3043,4.535,3044,3.183,3045,3.183,3046,4.535,3047,3.183,3048,3.183,3049,3.183,3050,3.183,3051,1.544,30
52,4.535,3053,4.535,3054,3.183,3055,3.183,3056,3.183,3057,3.183,3058,3.183,3059,3.183,3060,3.183,3061,4.535,3062,3.183,3063,3.183,3064,3.183,3065,3.463,3066,3.183,3067,3.183,3068,3.183,3069,2.207,3070,3.183,3071,3.183,3072,3.183,3073,3.183,3074,3.183,3075,4.535,3076,3.183,3077,3.183,3078,3.183,3079,4.535,3080,3.183,3081,3.183,3082,3.183,3083,3.183,3084,2.431,3085,1.356,3086,2.431,3087,3.183,3088,2.729,3089,1.881,3090,1.754,3091,3.183,3092,3.183,3093,3.183,3094,2.207,3095,3.183,3096,1.881,3097,3.183,3098,3.183,3099,3.183,3100,3.183,3101,3.183,3102,3.183,3103,3.183,3104,3.183,3105,3.183,3106,3.183,3107,0.952,3108,3.183,3109,3.183,3110,3.183,3111,2.431,3112,3.183,3113,2.431,3114,3.183,3115,1.881,3116,1.881,3117,2.729,3118,1.3,3119,2.34,3120,2.731,3121,2.431,3122,0.568,3123,1.754,3124,1.754,3125,2.431,3126,2.729,3127,2.729,3128,1.754,3129,2.029,3130,1.642,3131,4.058,3132,3.183,3133,3.183,3134,3.183,3135,1.642,3136,3.183,3137,3.183,3138,2.729,3139,3.183,3140,1.754,3141,0.905,3142,2.729,3143,2.029,3144,1.374,3145,1.642,3146,2.729,3147,4.535,3148,2.431,3149,1.168,3150,3.183,3151,3.183,3152,4.535,3153,2.029,3154,2.729,3155,3.183,3156,2.729,3157,5.758,3158,3.183,3159,3.183,3160,3.183,3161,3.183,3162,3.183,3163,3.183,3164,6.51,3165,3.183,3166,3.183,3167,3.183,3168,3.183,3169,3.183,3170,3.183,3171,3.183,3172,2.729,3173,3.183,3174,3.183,3175,6.086,3176,6.327,3177,5.283,3178,5.283,3179,3.183,3180,5.283,3181,5.283,3182,5.283,3183,3.183,3184,3.183,3185,3.183,3186,4.535,3187,4.535,3188,4.535,3189,4.535,3190,3.183,3191,3.183,3192,3.183,3193,3.183,3194,3.183,3195,3.183,3196,3.183,3197,3.183,3198,3.183,3199,4.535,3200,3.183,3201,3.183,3202,3.183,3203,3.183,3204,3.183,3205,2.729,3206,3.183,3207,3.183,3208,3.183]],["title/aws/network.html",[2,4.693,3,4.342,4,6.362,5,3.077,27,2.623,115,2.312]],["breadcrumb/aws/network.html",[6,0.224,27,1.333,115,1.175]],["description/aws/network.html",[4,2.352,27,1.326,31,1.354,32,0.448,33,0.656,67,0.656,115,1.169,153,2.015,188,3.807,300,1.609,527,0.345,
872,1.362,889,3.288,2011,14.076,2013,6.764,2014,15.807,2015,10.155,2894,8.939,3209,15.807]],["body/aws/network.html",[0,0.119,2,1.01,4,0.663,5,0.479,9,0.248,11,0.152,13,0.608,14,0.623,16,0.684,17,0.905,20,0.681,26,0.417,27,0.558,28,0.395,29,0.148,30,1.215,31,0.553,32,0.182,33,0.266,34,0.179,35,0.271,37,0.568,41,0.185,42,1.824,43,0.064,44,0.139,45,0.417,47,0.108,48,0.091,49,0.923,50,0.835,51,0.324,53,0.155,54,0.431,55,1.199,56,0.485,60,0.316,61,1.206,62,0.769,63,1.968,64,1.333,65,0.419,66,0.363,67,0.259,68,0.752,69,0.635,71,1.546,74,2.358,75,2.358,76,0.483,77,0.382,78,1.333,79,0.417,80,0.378,81,0.621,83,0.179,84,1.013,85,0.309,86,0.117,87,0.581,88,0.048,89,0.053,90,0.496,91,0.681,92,0.905,93,0.794,94,0.529,95,2.242,96,1.206,97,0.521,98,0.386,99,0.438,100,0.485,101,0.717,102,0.081,103,0.129,104,0.25,107,0.269,109,1.261,110,0.363,111,0.337,113,0.519,115,0.476,116,0.111,117,0.417,118,0.417,119,0.707,120,1.022,121,0.343,122,0.681,123,0.462,124,0.876,125,0.835,126,0.069,127,0.71,128,0.707,129,0.5,130,0.496,131,0.496,132,0.794,133,0.103,134,0.485,135,1.026,136,0.971,137,0.361,138,0.717,139,1.146,140,0.529,141,0.979,142,1.553,143,0.629,144,1.199,145,0.591,146,0.568,148,0.128,149,0.649,150,0.684,151,0.926,152,0.749,153,0.621,154,0.297,155,4.474,156,0.186,158,1.411,159,0.629,160,0.275,161,0.31,162,0.26,164,1.261,165,0.453,168,1.14,169,0.923,170,1.14,171,1.468,172,0.647,173,0.299,174,2.358,175,3.017,176,0.607,178,0.612,180,0.519,181,0.754,182,0.297,183,0.452,184,0.665,187,0.411,188,1.033,189,0.485,190,2.821,191,0.438,192,0.281,193,0.755,194,0.405,195,1.333,196,1.824,197,2.95,198,0.378,200,1.478,201,2.26,203,1.794,205,1.075,206,0.551,207,0.637,209,0.313,211,1.088,212,0.281,214,0.483,216,0.591,217,1.497,218,0.541,219,0.649,220,0.836,221,0.417,222,0.442,223,0.93,225,1.084,227,0.075,230,0.717,232,0.613,233,0.667,234,0.581,238,1.261,240,2.031,241,0.576,242,1.693,244,0.549,245,0.519,247,0.647,250,1.397,251,0.749,252,0.417,254,0.67,256,0.791,258,1.113,259,1.075,262,0.509,263,0.326,26
4,0.389,265,0.337,270,0.657,271,0.363,272,0.971,273,0.382,274,0.111,276,0.456,277,0.521,278,0.528,279,0.299,280,0.474,281,0.46,282,0.612,284,1.335,287,0.828,288,0.201,291,1.261,292,0.496,293,0.555,294,0.854,298,1.151,299,0.419,300,0.644,303,0.252,304,0.402,305,0.659,307,1.701,308,0.485,311,0.313,313,1.166,316,0.637,317,1.015,319,1.013,322,1.03,323,0.563,324,2.009,326,1.327,327,0.438,328,0.649,329,0.406,330,0.406,331,1.717,332,0.521,333,1.088,335,0.613,337,2.152,339,0.303,340,0.46,341,0.405,342,0.978,343,0.905,344,0.186,346,0.058,350,0.801,351,0.128,352,1.327,353,0.198,354,2.207,360,1.032,361,3.077,363,0.688,364,3.077,365,0.519,366,2.451,367,2.68,368,1.335,369,1.719,370,1.633,371,3.311,373,1.834,374,0.935,376,0.979,377,2.358,378,2.358,380,2.917,381,3.104,382,3.104,383,2.561,384,1.134,385,1.269,388,1.533,390,3.564,392,1.593,393,3.406,394,0.629,395,0.629,396,2.93,397,0.852,399,3.037,400,0.828,402,2.29,403,2.29,404,1.259,405,2.93,406,2.29,407,2.29,410,0.215,411,0.612,412,0.612,413,0.612,414,0.18,415,0.112,416,0.146,417,0.18,418,0.326,419,0.251,420,0.251,424,0.707,427,1.244,430,0.612,433,0.629,434,0.878,438,0.794,439,1.546,441,1.005,443,0.878,446,0.287,447,3.077,450,0.923,451,0.665,452,2.93,453,2.076,454,2.258,458,2.93,459,0.967,460,3.128,463,3.329,466,2.595,467,1.786,468,1.073,469,2.29,470,2.197,471,2.595,472,2.197,473,0.587,474,1.701,475,0.794,476,2.141,479,2.141,480,0.835,482,0.717,485,0.386,486,2.445,487,0.378,488,0.757,490,0.959,491,1.261,492,3.388,496,0.733,497,1.333,498,0.441,499,2.557,500,1.189,501,0.805,504,0.411,505,3.077,506,1.14,507,1.195,511,0.425,512,0.041,513,0.536,514,0.978,516,1.032,517,1.717,518,1.327,519,0.717,521,0.637,522,0.419,523,0.591,524,0.521,526,1.824,527,0.139,528,1.069,529,0.754,530,1.628,531,0.612,532,1.318,539,0.637,540,1.252,543,0.707,544,0.929,545,1.593,550,0.378,551,0.129,557,1.133,559,2.622,560,0.828,561,1.333,562,0.835,563,0.878,564,0.338,565,0.647,566,0.536,572,0.379,577,3.037,580,0.33,582,1.327,583,2.084,586,1.497,596,0.754,610,1.99,
624,2.242,626,0.971,628,0.347,630,0.464,631,0.681,634,0.387,636,0.492,637,0.464,640,0.411,647,0.521,648,2.622,649,0.609,652,2.445,655,0.791,656,0.167,657,0.548,659,0.492,660,0.681,661,0.555,662,1.199,666,1.476,670,0.521,673,0.978,675,1.195,682,0.736,684,1.395,687,0.71,691,2.45,693,0.356,694,2.072,697,1.497,708,1.178,712,3.805,713,1.535,715,1.915,716,1.719,717,0.546,725,0.935,726,1.717,728,2.141,729,2.141,730,2.141,738,1.03,741,1.411,744,1.311,746,1.133,748,3.388,751,3.62,753,1.546,754,1.075,756,0.417,760,0.794,761,1.411,765,0.492,767,1.717,769,0.828,771,1.032,780,0.923,782,1.576,783,0.581,794,0.923,799,0.923,802,1.14,807,0.614,808,0.794,809,2.358,813,2.596,816,0.613,838,2.358,849,1.476,850,0.294,852,2.009,855,2.519,856,0.791,864,1.468,871,1.333,872,0.55,873,0.251,877,0.707,878,1.824,881,1.701,882,1.404,885,1.177,886,4.449,887,2.242,888,1.261,889,1.274,890,2.315,895,0.749,897,0.674,898,1.701,902,0.923,903,0.854,908,2.084,909,1.274,914,1.468,919,0.361,920,0.754,921,1.719,922,1.261,923,2.648,928,0.452,930,2.358,933,1.546,954,0.519,980,3.469,985,0.835,990,0.929,992,0.126,1001,0.411,1002,0.268,1006,0.382,1009,0.923,1011,0.794,1017,1.333,1018,0.186,1025,1.824,1033,1.969,1036,0.926,1041,2.29,1046,0.794,1049,0.794,1080,0.749,1092,0.647,1107,1.14,1110,1.717,1116,0.979,1123,0.426,1125,1.333,1126,1.628,1136,2.648,1140,2.445,1142,1.133,1146,0.754,1153,1.593,1168,1.151,1170,0.979,1173,1.206,1186,0.485,1189,1.968,1194,1.133,1227,1.497,1230,0.749,1235,0.717,1238,0.979,1242,0.647,1251,1.022,1252,1.084,1254,1.411,1256,2.358,1259,1.717,1261,0.923,1264,1.497,1266,2.622,1270,0.971,1271,1.117,1272,2.648,1274,1.719,1278,1.327,1279,0.581,1286,1.327,1287,1.333,1288,0.314,1294,0.314,1333,0.905,1334,0.519,1344,1.593,1348,0.519,1357,1.195,1360,1.809,1361,0.386,1375,0.717,1377,1.03,1416,2.141,1423,0.876,1425,1.133,1433,1.628,1436,2.152,1439,4.593,1444,1.468,1446,1.022,1451,2.648,1456,3.805,1458,3.938,1460,3.805,1462,3.805,1463,1.915,1465,3.388,1467,2.648,1469,2.141,1471,3.861,1472,2.519,1473,2
.049,1474,1.94,1475,3.388,1476,3.388,1477,3.388,1478,1.784,1479,2.635,1480,3.311,1482,5.275,1483,3.966,1484,2.917,1485,2.358,1486,4.593,1487,2.358,1489,3.805,1490,3.805,1492,3.805,1493,3.805,1497,2.648,1499,3.26,1502,2.648,1503,0.088,1513,1.206,1516,2.141,1518,0.878,1523,0.314,1530,0.923,1531,1.333,1539,0.613,1543,0.971,1547,1.261,1550,0.923,1560,1.546,1564,0.438,1572,0.971,1607,2.829,1616,0.681,1619,0.979,1621,0.958,1624,1.717,1625,1.133,1627,1.333,1646,2.141,1665,1.261,1667,0.854,1675,2.141,1676,1.553,1677,0.548,1678,1.075,1681,1.022,1683,0.717,1703,2.141,1710,1.133,1769,1.701,1775,3.805,1777,1.812,1789,1.824,1792,0.581,1793,1.022,1830,1.812,1864,1.915,1866,0.386,1871,1.593,1874,1.701,1876,1.261,1881,2.152,1883,1.075,1885,1.199,1892,1.809,1900,2.648,1902,2.648,1903,2.648,1910,2.829,1914,2.445,1915,0.971,1924,2.141,1930,1.593,1940,2.358,1954,1.133,1960,1.133,1962,1.133,1974,0.555,1999,2.358,2009,1.022,2011,5.723,2013,1.906,2025,1.261,2026,0.835,2028,0.667,2029,1.546,2030,1.075,2035,2.648,2049,1.497,2061,1.195,2062,2.29,2093,2.152,2099,2.672,2103,1.195,2104,0.681,2107,3.966,2109,1.269,2110,0.411,2112,1.195,2122,1.717,2124,1.593,2156,1.701,2200,1.261,2201,1.497,2212,1.395,2213,1.075,2214,1.824,2216,0.613,2228,2.141,2229,2.152,2230,1.968,2231,1.701,2264,4.869,2321,1.701,2323,1.824,2328,1.468,2331,2.152,2413,1.195,2429,1.261,2433,1.333,2435,1.968,2436,1.195,2475,2.622,2476,0.929,2477,0.971,2517,3.388,2519,2.648,2525,2.648,2543,1.701,2551,2.945,2564,1.968,2570,2.648,2579,2.358,2582,3.314,2583,1.022,2589,1.701,2593,2.141,2619,2.29,2621,1.497,2633,0.971,2750,2.358,2764,1.593,2793,2.141,2815,1.628,2821,2.358,2822,2.703,2854,2.73,2857,2.648,2858,2.358,2861,1.968,2864,2.29,2874,2.028,2876,1.824,2877,3.805,2878,1.968,2888,3.077,2894,2.152,2966,3.388,2967,2.445,2977,2.141,3017,2.622,3019,2.917,3034,2.152,3036,1.395,3039,0.876,3042,2.648,3084,3.966,3085,1.327,3089,2.622,3094,3.938,3116,2.622,3120,1.333,3123,2.445,3124,1.701,3129,1.968,3130,1.593,3144,1.915,3145,2.93,3149,1.628,
3209,3.805,3210,1.968,3211,2.141,3212,3.088,3213,2.648,3214,2.374,3215,1.593,3216,3.088,3217,3.088,3218,1.872,3219,5.37,3220,2.622,3221,1.261,3222,2.648,3223,2.141,3224,2.829,3225,2.829,3226,3.077,3227,2.141,3228,3.088,3229,2.141,3230,2.358,3231,2.622,3232,1.824,3233,3.088,3234,5.851,3235,3.088,3236,3.088,3237,1.411,3238,2.141,3239,3.088,3240,2.648,3241,3.805,3242,2.648,3243,1.333,3244,1.701,3245,3.088,3246,3.088,3247,3.088,3248,2.648,3249,3.088,3250,3.088,3251,3.088,3252,3.088,3253,3.088,3254,3.088,3255,5.194,3256,2.445,3257,3.088,3258,3.088,3259,4.438,3260,3.088,3261,3.088,3262,3.088,3263,3.088,3264,3.388,3265,3.088,3266,3.088,3267,3.088,3268,3.088,3269,3.088,3270,5.194,3271,2.141,3272,4.171,3273,3.088,3274,5.194,3275,1.333,3276,3.088,3277,3.088,3278,1.593,3279,1.915,3280,2.358,3281,3.088,3282,3.088,3283,3.088,3284,3.088,3285,4.438,3286,3.088,3287,3.088,3288,1.022,3289,1.824,3290,2.648,3291,2.635,3292,3.469,3293,3.069,3294,3.554,3295,3.602,3296,3.602,3297,0.794,3298,3.388,3299,3.938,3300,2.622,3301,3.077,3302,3.077,3303,1.968,3304,1.075,3305,3.088,3306,1.497,3307,3.088,3308,2.648,3309,2.141,3310,1.497,3311,1.593,3312,1.701,3313,1.261,3314,2.009,3315,3.088,3316,3.088,3317,2.648,3318,3.088,3319,3.088,3320,1.824,3321,4.438,3322,3.088,3323,3.088,3324,3.088,3325,3.088,3326,4.869,3327,3.088,3328,3.088,3329,3.088,3330,3.088,3331,3.088,3332,3.088,3333,3.088,3334,3.088,3335,2.648,3336,0.971,3337,3.088,3338,3.088,3339,3.088,3340,3.088,3341,3.088,3342,3.088,3343,3.088,3344,2.358,3345,5.194,3346,4.438,3347,3.088,3348,3.088,3349,4.438,3350,5.194,3351,4.438,3352,4.438,3353,3.088,3354,4.438,3355,3.088,3356,3.088,3357,3.088,3358,4.438,3359,3.088,3360,3.088,3361,1.701,3362,2.358,3363,2.358,3364,2.358,3365,1.824,3366,1.824,3367,3.077,3368,2.648,3369,3.088,3370,3.088,3371,3.088,3372,2.648,3373,2.648,3374,3.088,3375,2.141,3376,3.088,3377,4.438,3378,3.088,3379,2.648,3380,2.648,3381,2.648,3382,3.088,3383,3.088,3384,3.088,3385,3.088,3386,3.088,3387,3.088,3388,3.088,3389,3.088,3390,3.088
,3391,1.824,3392,2.648,3393,1.701,3394,1.593,3395,3.088,3396,2.648,3397,2.141,3398,3.088,3399,1.333,3400,2.622,3401,1.335,3402,2.648,3403,2.68,3404,1.701,3405,3.388,3406,2.29,3407,1.701,3408,5.194,3409,1.593,3410,3.088,3411,3.088,3412,3.088,3413,5.194,3414,3.088,3415,3.088,3416,3.088,3417,3.088,3418,3.088,3419,4.438,3420,3.088,3421,4.438,3422,3.088,3423,3.088,3424,4.438,3425,4.438,3426,4.438,3427,3.088,3428,3.077,3429,4.438,3430,3.088,3431,2.358,3432,4.438,3433,3.088,3434,3.088,3435,3.088,3436,3.088,3437,3.088,3438,3.088,3439,2.648,3440,3.088,3441,3.077,3442,3.088,3443,3.088,3444,3.088,3445,3.088,3446,3.088,3447,1.968,3448,3.088,3449,3.088,3450,3.088,3451,3.088,3452,3.088,3453,3.088,3454,3.088,3455,2.648,3456,3.088,3457,3.088,3458,2.648,3459,1.824,3460,4.662,3461,3.088,3462,1.593,3463,3.088,3464,0.681,3465,0.681,3466,3.088,3467,3.088,3468,3.088,3469,3.088,3470,3.088,3471,3.088,3472,3.088,3473,3.088,3474,4.438,3475,3.088,3476,2.141,3477,3.088,3478,2.141,3479,3.088,3480,3.088,3481,5.194,3482,3.088,3483,3.088,3484,3.088,3485,3.088,3486,3.088,3487,4.438,3488,3.088,3489,4.438,3490,3.088,3491,3.088,3492,3.088,3493,3.088,3494,3.088,3495,3.088,3496,3.088,3497,3.088,3498,3.088,3499,1.968,3500,1.133,3501,2.358,3502,2.028,3503,1.333,3504,3.088,3505,2.648,3506,1.968,3507,1.824,3508,4.438,3509,3.088,3510,3.088,3511,3.088,3512,3.088,3513,3.088,3514,3.088,3515,3.088,3516,3.088,3517,3.088,3518,3.088,3519,3.088,3520,3.088,3521,3.088,3522,2.648,3523,4.438,3524,3.088,3525,3.088,3526,3.088,3527,3.088,3528,3.088,3529,3.088,3530,3.088,3531,2.358,3532,3.088,3533,3.088]],["title/aws/workloads.html",[2,4.693,3,4.342,4,6.362,5,3.077,27,2.623,1123,2.227]],["breadcrumb/aws/workloads.html",[6,0.224,27,1.333,1123,1.132]],["description/aws/workloads.html",[4,2.152,27,1.213,49,5.04,53,0.583,227,0.409,652,13.011,689,11.692,691,5.579,918,2.389,1123,1.03,1142,6.187,1503,0.48,1555,5.04,1566,3.915,1889,9.289,1950,5.302,1951,3.915,2018,8.176,2019,7.705,2126,6.187,3122,3.007,3464,3.719,3534,10.748,3535,9
.962]],["body/aws/workloads.html",[0,0.12,1,1.601,2,1.011,3,0.37,4,0.843,5,0.44,7,0.557,9,0.288,11,0.161,13,0.846,14,0.592,16,0.339,17,0.495,18,2.369,19,0.854,20,0.684,23,0.927,24,1.709,25,1.08,26,0.249,27,0.557,28,0.292,29,0.088,30,1.245,31,0.327,32,0.161,33,0.264,34,0.184,35,0.316,37,0.776,40,0.289,41,0.166,43,0.143,44,0.144,45,0.443,47,0.075,48,0.083,49,2.137,50,1.408,51,0.292,53,0.188,54,0.45,55,0.838,56,0.487,60,0.249,62,0.316,65,0.293,66,0.339,67,0.254,68,0.651,70,0.838,76,0.561,77,0.383,78,1.339,79,0.418,81,0.487,82,0.753,83,0.175,85,0.285,86,0.106,88,0.045,89,0.054,91,0.684,94,0.579,96,0.72,97,0.879,100,0.487,102,0.084,103,0.186,104,0.214,109,1.267,110,0.398,111,0.339,112,0.838,113,0.809,115,0.382,117,0.383,118,0.484,121,0.39,123,0.45,124,0.751,125,0.838,126,0.069,127,0.651,128,0.495,129,0.493,130,0.493,131,0.493,132,1.144,133,0.099,134,0.487,135,0.856,136,0.975,137,0.521,138,0.72,139,0.684,140,0.53,141,0.684,142,0.927,143,0.738,144,0.838,145,0.492,146,0.592,148,0.128,149,0.711,150,0.339,152,0.751,153,0.487,154,0.207,156,0.187,158,2.035,159,0.738,160,0.251,161,0.306,162,0.261,164,2.699,165,0.388,167,1.034,170,1.144,171,1.026,172,1.09,173,0.272,175,2.38,176,0.519,178,0.613,180,0.61,181,0.758,182,0.38,183,0.453,184,0.521,187,0.413,188,0.593,189,0.622,191,0.44,192,0.303,193,0.756,194,0.405,195,1.922,198,0.39,200,1.13,203,1.144,206,0.553,207,0.316,209,0.187,211,1.192,212,0.294,214,0.484,216,0.803,218,0.531,219,0.388,220,1.072,221,0.502,222,0.544,223,1.02,225,1.272,227,0.138,229,1.267,232,0.616,233,0.467,234,0.838,238,1.267,239,0.339,240,1.986,241,0.603,242,1.408,244,0.583,245,0.61,247,0.932,249,0.432,250,1.563,251,0.751,252,0.531,253,0.67,254,0.293,256,0.929,258,1.03,260,0.975,261,0.616,262,0.462,263,0.495,264,0.399,270,0.685,271,0.281,272,2.032,273,0.443,275,0.413,276,0.418,277,0.522,278,0.531,279,0.288,280,0.327,281,0.461,282,0.579,284,1.338,286,1.601,287,0.71,288,0.207,291,2.748,292,0.497,294,0.467,298,0.794,299,0.42,300,0.454,301,1.138,303,0.257,304,0.403,30
5,0.645,306,1.339,308,0.487,311,0.314,313,1.058,315,0.882,316,0.453,317,1.017,318,0.932,319,1.179,321,1.504,323,0.564,326,0.982,327,0.631,328,0.557,329,0.412,330,0.412,332,1.09,333,0.65,337,2.525,338,1.601,339,0.298,340,0.443,341,0.403,342,0.972,343,0.906,344,0.254,345,2.369,346,0.134,350,0.803,351,0.131,352,1.329,353,0.198,354,2.211,360,1.197,361,2.151,363,0.696,364,2.151,365,0.756,366,2.601,367,2.687,368,1.462,369,1.883,370,1.638,371,1.977,373,1.48,374,0.854,376,0.684,377,2.369,380,2.76,381,2.936,382,2.936,383,2.425,384,1.115,388,1.399,390,2.936,393,2.936,394,0.44,395,0.44,396,2.297,397,0.631,399,2.525,400,0.71,402,1.601,403,1.601,404,1.262,405,2.297,406,1.601,407,1.601,410,0.204,411,0.579,412,0.579,413,0.579,414,0.171,415,0.106,416,0.138,417,0.171,418,0.316,419,0.237,420,0.237,424,0.83,425,0.521,427,0.616,430,0.673,432,1.203,433,0.806,438,0.797,440,0.975,441,0.854,442,0.758,443,0.882,444,0.686,446,0.272,450,0.927,451,0.665,452,2.936,453,2.078,454,2.187,458,2.936,459,0.91,460,3.135,466,2.601,467,1.789,468,1.257,469,2.687,470,2.643,471,2.601,472,1.722,473,0.615,474,2.453,480,1.408,482,0.72,484,0.981,485,0.557,487,0.378,488,0.758,490,0.961,491,2.638,492,2.369,496,0.774,498,0.478,499,2.324,500,1.192,501,0.99,504,0.413,506,1.462,507,1.035,511,0.463,512,0.091,513,0.537,514,1.072,516,1.197,519,1.321,520,0.794,521,0.613,522,0.42,523,0.645,524,0.96,526,2.63,527,0.097,528,1.072,531,0.453,536,2.151,537,1.504,538,0.975,539,0.53,540,0.684,543,0.495,545,1.601,547,0.467,550,0.378,551,0.237,552,1.266,554,1.638,559,1.833,563,0.882,564,0.396,565,0.65,566,0.711,568,1.026,569,2.151,570,0.882,572,0.298,577,2.159,580,0.288,582,1.149,596,1.272,610,1.473,624,2.248,626,1.4,628,0.298,629,0.593,631,0.982,633,1.267,634,0.271,636,0.495,637,0.783,640,0.593,641,1.504,649,0.293,650,1.2,651,0.975,652,4.046,655,0.794,656,0.325,657,0.561,659,0.495,660,1.149,661,0.388,666,1.618,668,2.151,670,0.879,672,0.584,673,0.584,682,0.631,685,0.932,687,0.579,689,4.179,690,0.72,691,2.498,693,0.418,694,2.422,698
,1.818,699,0.758,702,0.339,708,0.523,709,1.138,713,1.538,717,0.61,725,0.631,738,1.399,741,1.418,747,0.982,751,3.32,756,0.519,760,0.797,765,0.83,767,1.2,769,0.83,771,1.035,772,1.833,775,0.83,779,0.71,780,0.927,794,0.927,800,2.66,801,2.151,803,1.339,808,0.797,845,0.29,846,1.977,850,0.129,856,0.553,862,2.838,863,0.856,872,0.489,873,0.292,877,0.495,884,1.709,885,1.246,886,1.977,887,2.456,888,1.618,889,0.794,890,1.4,892,3.087,895,0.96,897,0.569,899,0.907,902,1.557,905,0.631,906,0.579,909,0.794,914,1.026,917,0.228,918,1.067,919,0.521,920,0.758,928,0.53,932,1.814,954,0.363,979,3.077,985,0.838,987,1.578,989,0.711,990,1.09,992,0.108,997,2.369,1001,0.803,1002,0.187,1006,0.461,1007,1.026,1009,0.927,1017,1.339,1018,0.187,1020,0.557,1035,2.687,1036,1.075,1040,1.473,1046,1.144,1049,1.144,1050,1.2,1052,0.975,1054,0.44,1055,2.426,1069,2.66,1072,2.369,1080,0.879,1082,3.077,1103,0.684,1107,0.797,1116,0.684,1122,1.532,1123,0.437,1125,1.922,1129,1.709,1140,1.709,1141,0.72,1142,2.718,1145,1.2,1146,1.088,1147,1.594,1152,1.601,1160,1.601,1169,2.936,1170,0.684,1175,1.722,1177,0.906,1181,0.72,1182,1.339,1186,0.747,1187,2.151,1198,2.66,1200,1.875,1212,1.709,1213,0.388,1227,1.504,1228,1.266,1230,0.96,1239,1.504,1243,2.369,1244,2.151,1253,0.882,1257,1.418,1262,1.818,1263,1.977,1264,2.76,1266,1.833,1269,0.638,1270,0.975,1271,0.553,1274,1.473,1278,1.557,1279,1.404,1280,3.56,1283,1.462,1285,4.354,1286,1.701,1287,1.922,1288,0.453,1289,0.838,1294,0.53,1297,3.087,1299,3.087,1333,0.71,1335,1.709,1336,1.722,1343,1.08,1344,1.601,1348,0.521,1349,1.833,1350,0.523,1357,2.015,1358,1.709,1361,0.865,1363,1.339,1375,0.72,1377,0.72,1389,1.339,1392,1.13,1406,0.684,1409,1.709,1423,1.017,1430,2.297,1433,1.634,1445,0.684,1446,1.026,1463,1.339,1471,1.601,1472,3.264,1473,1.203,1474,1.266,1479,1.818,1503,0.179,1510,3.32,1523,0.727,1525,1.267,1530,1.331,1531,1.339,1535,1.504,1538,1.138,1543,1.895,1544,0.927,1550,0.927,1555,1.875,1559,1.833,1562,2.151,1564,0.44,1566,1.757,1572,0.975,1573,1.722,1577,0.981,1606,0.584,162
1,1.017,1625,1.138,1633,2.853,1634,1.181,1635,1.267,1638,0.83,1639,1.144,1667,0.906,1675,2.151,1676,0.927,1677,0.457,1678,1.551,1679,2.63,1680,0.882,1681,1.026,1683,1.034,1689,1.339,1693,1.977,1700,0.684,1701,2.687,1710,1.138,1712,1.267,1713,1.551,1764,1.504,1770,1.418,1772,2.297,1784,1.638,1785,2.035,1786,0.929,1790,1.026,1791,1.267,1794,0.553,1830,1.818,1854,1.331,1856,1.266,1866,0.557,1869,1.339,1876,0.882,1880,1.833,1886,0.882,1889,4.07,1892,1.08,1893,1.833,1894,2.38,1910,1.977,1915,1.638,1945,1.709,1946,1.709,1947,3.818,1949,0.413,1950,1.789,1951,1.456,1952,2.331,1953,1.267,1955,4.179,1956,0.553,1957,0.758,1974,0.388,1977,2.66,2012,1.2,2017,1.321,2018,3.521,2019,3.401,2023,4.128,2025,1.818,2026,1.408,2028,0.67,2029,1.08,2047,0.975,2049,1.504,2065,1.331,2066,1.138,2074,1.922,2083,0.882,2090,0.882,2104,1.329,2108,1.026,2109,1.272,2110,0.803,2112,1.2,2115,1.267,2124,2.297,2126,2.638,2133,2.324,2156,1.709,2196,4.466,2203,0.882,2213,1.08,2215,1.634,2216,1.035,2220,1.138,2223,1.638,2230,3.841,2234,2.66,2244,1.922,2247,1.418,2250,2.838,2252,1.709,2255,1.2,2265,1.138,2308,1.977,2329,1.709,2332,1.181,2357,2.015,2433,1.339,2434,0.975,2450,2.369,2452,1.267,2460,2.369,2467,1.5,2476,0.932,2477,1.4,2517,2.369,2566,1.977,2574,1.977,2578,1.709,2580,1.339,2582,1.709,2585,1.504,2586,2.66,2590,0.838,2656,0.65,2669,3.087,2672,2.66,2677,1.339,2739,1.418,2752,2.687,2753,2.66,2754,2.66,2765,2.369,2766,2.369,2773,2.369,2774,2.66,2775,2.66,2776,2.66,2777,2.66,2793,2.151,2795,2.66,2796,3.818,2797,3.818,2798,3.818,2799,3.818,2800,3.818,2801,4.88,2802,3.818,2807,2.66,2809,4.466,2810,4.118,2815,1.138,2817,3.818,2818,3.818,2823,3.818,2825,1.977,2854,2.506,2862,1.339,2864,1.601,2870,2.297,2875,0.975,2876,1.833,2881,1.977,2886,1.833,2888,3.087,2902,1.883,2924,3.818,2985,1.818,3017,1.833,3018,2.66,3019,2.159,3029,1.709,3084,2.369,3085,0.927,3111,2.369,3113,2.369,3117,4.88,3121,2.369,3122,1.357,3140,2.453,3144,1.922,3154,3.818,3172,2.66,3205,2.66,3221,1.48,3223,2.151,3224,1.977,3291,2.9,3292,3.
568,3306,2.159,3314,2.703,3326,3.818,3336,2.197,3368,2.66,3396,2.66,3428,2.151,3464,1.383,3465,0.684,3506,1.977,3534,2.838,3535,3.077,3536,2.159,3537,1.39,3538,2.075,3539,1.267,3540,1.08,3541,2.369,3542,2.151,3543,1.267,3544,1.994,3545,2.151,3546,2.66,3547,2.66,3548,4.452,3549,1.601,3550,3.102,3551,1.977,3552,3.102,3553,2.66,3554,2.369,3555,0.838,3556,1.709,3557,2.838,3558,2.151,3559,2.369,3560,2.369,3561,2.369,3562,2.369,3563,2.369,3564,1.833,3565,5.691,3566,4.452,3567,0.975,3568,4.345,3569,3.32,3570,2.369,3571,1.982,3572,2.151,3573,3.102,3574,2.369,3575,3.102,3576,2.66,3577,3.4,3578,3.102,3579,1.601,3580,2.66,3581,3.102,3582,3.102,3583,3.102,3584,3.102,3585,3.102,3586,3.102,3587,2.63,3588,3.102,3589,3.102,3590,3.102,3591,3.102,3592,3.102,3593,3.102,3594,3.102,3595,3.102,3596,3.102,3597,3.102,3598,3.102,3599,2.151,3600,2.151,3601,2.151,3602,3.102,3603,0.975,3604,5.208,3605,3.102,3606,1.088,3607,2.369,3608,2.66,3609,2.63,3610,3.102,3611,2.151,3612,5.208,3613,1.504,3614,2.66,3615,3.102,3616,3.102,3617,1.709,3618,2.63,3619,3.102,3620,2.838,3621,2.66,3622,3.102,3623,3.102,3624,3.102,3625,5.208,3626,3.102,3627,4.452,3628,1.267,3629,4.452,3630,3.102,3631,5.208,3632,3.102,3633,3.102,3634,3.102,3635,4.452,3636,3.102,3637,4.452,3638,3.102,3639,3.102,3640,3.102,3641,3.102,3642,3.102,3643,4.452,3644,3.818,3645,3.818,3646,4.452,3647,3.102,3648,3.102,3649,3.102,3650,4.452,3651,3.102,3652,4.452,3653,4.452,3654,4.452,3655,3.102,3656,3.102,3657,3.102,3658,3.102,3659,2.369,3660,2.151,3661,2.151,3662,2.151,3663,5.208,3664,2.66,3665,3.102,3666,5.208,3667,3.102,3668,3.102,3669,3.102,3670,1.833,3671,2.66,3672,2.369,3673,3.102,3674,1.833,3675,3.102,3676,3.087,3677,3.102,3678,3.102,3679,3.102,3680,3.568,3681,4.452,3682,2.869,3683,1.833,3684,3.102,3685,2.151,3686,3.102,3687,3.102,3688,2.66,3689,3.102,3690,3.102,3691,1.504,3692,3.102,3693,3.102,3694,2.66,3695,2.66,3696,3.102,3697,2.369,3698,2.66,3699,3.102,3700,3.102,3701,3.102,3702,3.102,3703,5.208,3704,1.709,3705,4.452,3706,3.102,3707,3.
102,3708,3.102,3709,3.102,3710,3.102,3711,3.102,3712,3.102,3713,3.102,3714,3.102,3715,3.102,3716,3.102,3717,4.452,3718,3.102,3719,3.102,3720,3.102,3721,2.66,3722,3.102,3723,3.102,3724,5.208,3725,3.102,3726,3.102,3727,4.452,3728,4.452,3729,3.102,3730,4.452,3731,3.102,3732,4.452,3733,3.102,3734,3.102,3735,4.452,3736,3.102,3737,3.102,3738,3.102,3739,3.102,3740,3.102,3741,3.102,3742,3.102,3743,3.102,3744,2.66,3745,3.102,3746,3.102,3747,2.838,3748,2.151,3749,2.151,3750,3.102,3751,5.208,3752,4.452,3753,3.102,3754,5.208,3755,3.102,3756,3.102,3757,3.102,3758,3.102,3759,3.102,3760,3.102,3761,3.102,3762,3.102,3763,3.102,3764,3.102,3765,2.66,3766,1.833,3767,3.102,3768,3.102,3769,2.151,3770,2.369,3771,3.102,3772,2.369,3773,3.102,3774,3.102,3775,2.453,3776,1.833,3777,3.102,3778,1.833,3779,3.102,3780,3.102,3781,1.709,3782,6.272,3783,3.102,3784,5.208,3785,3.102,3786,3.102,3787,3.4,3788,3.102,3789,4.452,3790,3.102,3791,3.102,3792,1.977,3793,3.102,3794,3.102,3795,3.102,3796,3.102,3797,2.369,3798,2.66,3799,3.102,3800,4.452,3801,3.102,3802,3.102,3803,3.102,3804,3.102,3805,3.102,3806,3.102,3807,3.102,3808,2.369,3809,3.102,3810,3.102,3811,2.369,3812,3.102,3813,3.102,3814,3.102,3815,2.66,3816,3.102,3817,3.102,3818,2.369,3819,2.66,3820,3.102,3821,3.102,3822,2.66,3823,1.709,3824,3.087,3825,1.833,3826,1.504,3827,2.66,3828,0.797,3829,3.102,3830,3.102,3831,3.102,3832,2.66,3833,1.977,3834,2.369,3835,5.691,3836,3.102,3837,3.102,3838,3.102,3839,3.102,3840,3.102,3841,3.102,3842,3.102,3843,3.102,3844,3.102]],["title/azure/data.html",[2,4.44,3,4.108,4,6.123,5,2.912,28,2.265,29,0.982,129,2.411]],["breadcrumb/azure/data.html",[6,0.198,28,1.077,29,0.467,129,1.147]],["description/azure/data.html",[4,1.952,28,1.004,29,0.436,32,0.371,33,0.544,34,0.371,38,4.134,40,0.638,43,0.534,45,1.124,52,2.081,129,1.069,160,0.638,162,0.547,214,1.228,265,1.672,285,5.917,410,0.547,680,7.891,2026,4.134,2057,4.134,2467,3.551,2686,3.718,2693,4.809,3845,5.06,3846,10.606,3847,10.606,3848,6.989]],["body/azure/data.html",[0,0.1
16,2,1.011,3,0.366,4,0.798,7,0.647,9,0.271,11,0.16,13,0.517,14,0.29,16,0.336,23,0.918,26,0.455,27,0.49,28,0.506,29,0.171,30,0.832,31,0.325,32,0.178,33,0.271,34,0.187,35,0.333,38,2.054,40,0.321,41,0.173,43,0.161,44,0.148,45,0.473,47,0.126,48,0.079,51,0.324,52,0.727,53,0.189,54,0.43,55,0.83,56,0.336,57,2.435,58,0.779,60,0.336,61,1.202,62,0.527,64,1.325,65,0.29,66,0.356,67,0.26,68,0.553,69,0.489,70,1.195,76,0.502,77,0.416,78,1.325,79,0.355,80,0.312,81,0.619,82,0.384,83,0.173,84,1.07,85,0.294,86,0.106,87,0.578,88,0.047,89,0.055,90,0.386,91,0.677,92,0.489,93,0.789,94,0.312,95,1.907,96,0.713,97,0.518,98,0.384,99,0.734,100,0.483,101,1.026,102,0.076,103,0.128,104,0.249,105,1.539,106,0.957,107,0.386,108,1.403,110,0.437,111,0.336,112,1.067,113,0.732,115,0.458,116,0.203,117,0.226,118,0.355,119,1.138,121,0.185,123,0.43,124,0.518,126,0.068,127,0.553,129,0.538,130,0.477,131,0.469,133,0.099,134,0.483,135,0.462,136,0.965,138,0.713,139,0.975,140,0.312,141,1.249,142,1.693,143,0.626,144,1.195,145,0.417,146,0.417,148,0.159,152,0.518,154,0.379,156,0.342,158,1.403,159,0.734,160,0.31,161,0.294,162,0.265,164,1.254,165,0.452,169,1.693,170,1.136,171,1.016,173,0.287,176,0.573,178,0.45,180,0.663,182,0.449,183,0.312,184,0.359,185,2.313,186,1.957,187,0.69,189,0.483,191,0.435,192,0.317,193,0.703,194,0.408,197,1.254,198,0.267,199,0.8,200,1.242,206,0.923,207,0.611,209,0.405,212,0.25,213,1.265,214,0.455,216,0.755,218,0.521,219,0.384,220,0.578,221,0.38,222,0.501,223,0.589,227,0.126,229,1.805,230,0.713,232,0.61,233,0.991,234,0.578,236,1.403,239,0.336,241,0.452,244,0.559,245,0.663,246,0.789,247,0.643,250,0.713,251,0.518,252,0.539,254,0.643,256,0.923,258,0.705,260,2.192,261,0.61,262,0.379,263,0.325,264,0.411,265,0.745,270,0.683,271,0.166,273,0.416,274,0.11,275,0.409,276,0.547,277,0.512,278,0.53,279,0.271,280,0.325,281,0.416,282,0.527,285,2.697,287,0.705,292,0.386,293,0.863,294,0.462,296,1.907,298,0.548,300,0.64,303,0.255,304,0.379,305,0.622,308,0.336,311,0.416,312,0.858,313,1.055,316,0.45,317,0.518,318,
1.084,319,1.01,320,1.691,327,0.913,328,0.553,329,0.362,330,0.362,331,1.188,332,0.518,333,1.084,335,0.878,339,0.294,340,0.484,341,0.397,342,0.951,343,0.852,344,0.231,346,0.106,350,0.755,351,0.123,353,0.201,363,0.634,365,0.606,373,0.873,374,0.435,384,0.518,388,1.393,394,0.435,395,0.435,397,0.734,400,0.996,404,1.473,410,0.267,411,0.527,412,0.527,413,0.527,414,0.17,415,0.097,416,0.126,417,0.155,418,0.299,419,0.216,420,0.216,424,0.705,425,0.663,426,0.409,427,1.192,428,2.129,429,2.129,430,0.527,431,0.873,432,0.83,433,0.997,438,1.136,440,0.965,441,0.913,443,1.472,444,0.683,446,0.315,450,1.548,451,0.699,453,0.965,467,1.628,468,0.548,473,0.562,482,0.713,484,0.578,485,0.75,487,0.362,488,0.69,490,0.705,498,0.449,500,0.643,501,0.734,504,0.755,506,0.789,507,1.029,508,3.381,509,1.874,511,0.351,512,0.096,513,0.567,514,0.578,518,0.918,519,0.713,520,1.299,522,0.29,523,0.489,524,0.746,527,0.112,528,0.975,530,1.127,531,0.611,538,1.39,539,0.636,540,1.249,543,0.825,544,1.38,550,0.405,551,0.28,553,2.366,556,1.71,560,0.705,566,0.674,570,0.873,571,1.325,572,0.449,580,0.33,582,1.142,592,2.143,619,1.584,620,2.129,621,2.129,628,0.43,629,0.589,630,0.462,631,1.249,634,0.268,635,1.957,636,0.489,640,0.858,649,0.417,653,0.409,655,0.548,656,0.28,657,0.502,659,0.705,661,0.384,662,1.195,670,1.055,671,1.188,673,0.578,675,1.71,680,3.323,682,0.626,685,0.925,686,0.507,687,0.721,688,1.445,690,0.713,693,0.355,696,1.61,702,0.336,705,3.059,713,0.83,733,1.188,734,2.129,738,0.713,746,1.13,747,1.379,754,1.069,756,0.482,758,0.789,764,1.067,765,0.996,767,1.188,768,1.542,769,0.825,772,1.814,774,1.489,775,0.705,779,0.489,780,1.321,782,1.64,783,0.975,790,0.677,791,0.61,792,1.887,805,2.366,807,0.494,808,1.946,816,0.61,845,0.156,850,0.269,856,1.07,871,1.325,872,0.383,873,0.128,877,0.489,882,0.83,883,2.129,888,1.472,897,0.417,900,1.622,903,0.665,905,0.435,908,1.622,909,0.788,912,1.142,913,1.016,914,1.016,917,0.325,919,0.359,922,1.254,924,4.583,927,1.188,932,1.539,954,0.517,990,0.925,992,0.107,1000,1.254,1001,0.919,1002
,0.185,1006,0.441,1018,0.185,1020,0.553,1036,0.788,1049,0.789,1054,0.734,1080,1.262,1092,0.643,1119,0.61,1123,0.346,1126,1.127,1128,3.24,1129,1.691,1143,1.069,1148,1.403,1155,1.325,1158,1.489,1159,1.069,1165,0.626,1166,1.026,1167,0.38,1168,1.07,1173,0.713,1174,1.907,1177,0.852,1181,0.713,1213,0.386,1227,1.489,1230,0.518,1233,0.965,1244,2.129,1255,1.202,1259,2.003,1269,0.671,1270,0.965,1271,0.548,1278,0.918,1294,0.312,1333,0.489,1334,0.517,1346,1.188,1348,0.359,1350,1.196,1363,1.325,1386,1.321,1390,2.129,1392,0.61,1394,2.129,1406,0.677,1424,1.254,1437,0.677,1441,1.403,1472,1.489,1473,1.195,1503,0.208,1518,0.873,1523,0.45,1528,1.71,1530,0.918,1544,0.918,1548,1.016,1557,0.705,1560,1.539,1564,0.626,1566,0.713,1606,0.578,1609,2.511,1612,1.71,1618,2.235,1621,0.518,1626,0.965,1628,1.403,1636,2.344,1638,0.489,1639,0.789,1665,0.873,1667,0.779,1669,0.789,1677,0.355,1679,1.814,1680,0.873,1690,0.918,1696,1.067,1699,1.321,1700,0.975,1712,1.254,1734,3.059,1772,1.584,1773,1.489,1786,1.01,1787,0.61,1790,1.016,1792,0.578,1794,0.548,1796,1.016,1822,2.344,1830,1.254,1869,1.325,1876,0.873,1880,1.814,1886,0.873,1896,1.957,1921,0.918,1927,3.79,1954,1.127,1956,0.788,1957,0.75,1959,1.814,1960,1.127,1966,1.127,1967,1.484,1974,0.553,2006,0.832,2022,1.907,2026,1.531,2030,1.539,2031,1.805,2032,1.957,2039,2.532,2046,2.28,2057,2.058,2062,1.584,2064,1.188,2065,0.918,2068,2.817,2073,1.489,2074,1.325,2081,0.578,2093,2.143,2096,2.322,2103,1.188,2104,0.677,2109,0.75,2110,0.409,2115,0.832,2130,2.366,2145,1.814,2203,1.706,2208,1.814,2212,1.39,2216,0.878,2223,0.965,2224,1.188,2225,2.143,2249,1.254,2252,3.12,2255,1.188,2307,1.957,2332,0.975,2337,1.254,2338,1.254,2339,1.584,2413,1.188,2417,1.403,2435,1.957,2444,0.779,2467,0.713,2473,1.691,2476,0.643,2478,1.584,2573,1.403,2590,1.689,2619,1.584,2629,2.02,2631,3.065,2633,1.628,2645,2.114,2656,1.473,2678,3.081,2683,1.814,2686,1.303,2693,2.212,2694,1.481,2815,1.127,2833,1.691,2867,1.325,2868,1.127,2894,1.489,2902,1.016,2979,1.691,2986,1.403,3039,0.746,3041,2.4
35,3051,2.91,3090,1.691,3122,0.548,3130,1.584,3149,1.127,3214,3.418,3218,2.007,3221,0.873,3231,1.814,3244,1.691,3275,1.325,3304,1.069,3312,1.691,3313,1.805,3320,1.814,3399,1.325,3462,1.584,3465,0.677,3506,1.957,3537,0.75,3538,1.462,3544,1.462,3555,0.83,3571,1.539,3599,2.129,3606,1.08,3628,1.254,3672,3.954,3691,1.489,3721,2.633,3744,2.633,3823,3.12,3828,1.331,3845,2.532,3846,4.878,3847,3.065,3848,2.944,3849,1.334,3850,2.28,3851,3.07,3852,1.814,3853,2.817,3854,1.254,3855,3.375,3856,3.806,3857,3.693,3858,2.114,3859,0.918,3860,1.814,3861,0.873,3862,0.965,3863,3.07,3864,2.852,3865,2.344,3866,2.817,3867,3.068,3868,2.611,3869,2.344,3870,1.403,3871,3.07,3872,3.79,3873,5.146,3874,5.178,3875,3.826,3876,4.42,3877,4.42,3878,4.325,3879,3.07,3880,2.344,3881,3.07,3882,2.129,3883,2.633,3884,2.344,3885,2.633,3886,3.065,3887,2.344,3888,1.403,3889,4.42,3890,1.842,3891,3.07,3892,2.633,3893,2.633,3894,3.065,3895,2.129,3896,3.79,3897,3.065,3898,2.747,3899,3.07,3900,2.633,3901,2.633,3902,1.254,3903,2.435,3904,2.344,3905,1.403,3906,2.633,3907,3.07,3908,2.129,3909,3.07,3910,3.12,3911,3.906,3912,5.156,3913,5.36,3914,4.325,3915,6.002,3916,2.129,3917,1.814,3918,2.633,3919,2.633,3920,3.375,3921,3.065,3922,3.07,3923,3.07,3924,3.07,3925,3.12,3926,3.12,3927,2.344,3928,3.12,3929,3.79,3930,3.79,3931,2.344,3932,2.344,3933,2.633,3934,2.633,3935,2.633,3936,2.633,3937,2.633,3938,3.546,3939,2.129,3940,3.07,3941,2.129,3942,2.129,3943,1.957,3944,3.07,3945,3.07,3946,3.07,3947,3.07,3948,2.511,3949,2.672,3950,2.511,3951,2.344,3952,2.633,3953,3.07,3954,3.07,3955,3.07,3956,3.56,3957,4.857,3958,3.059,3959,3.79,3960,1.628,3961,3.79,3962,3.79,3963,4.42,3964,4.44,3965,2.817,3966,3.79,3967,2.633,3968,3.375,3969,3.07,3970,3.07,3971,0.975,3972,1.016,3973,2.28,3974,3.07,3975,2.344,3976,3.07,3977,3.07,3978,1.814,3979,2.344,3980,3.07,3981,3.07,3982,3.07,3983,3.07,3984,2.633,3985,3.07,3986,3.07,3987,3.401,3988,4.857,3989,2.129,3990,4.42,3991,5.178,3992,3.375,3993,3.07,3994,1.814,3995,2.672,3996,3.225,3997,2.852,3998,3.07,
3999,3.07,4000,3.07,4001,3.225,4002,2.852,4003,2.366,4004,1.427,4005,1.9,4006,2.611,4007,2.344,4008,2.817,4009,3.07,4010,3.07,4011,3.07,4012,3.07,4013,4.726,4014,3.954,4015,4.42,4016,3.07,4017,4.42,4018,3.059,4019,2.344,4020,2.344,4021,3.059,4022,1.957,4023,3.79,4024,3.954,4025,1.489,4026,3.301,4027,2.129,4028,1.489,4029,2.129,4030,2.633,4031,1.814,4032,1.691,4033,1.403,4034,3.07,4035,2.633,4036,2.344,4037,1.957,4038,2.817,4039,1.489,4040,2.633,4041,5.033,4042,3.375,4043,1.814,4044,3.79,4045,3.79,4046,3.07,4047,4.44,4048,5.844,4049,3.954,4050,3.07,4051,5.178,4052,4.44,4053,4.857,4054,3.07,4055,2.633,4056,3.07,4057,3.79,4058,6.002,4059,2.633,4060,2.633,4061,2.633,4062,3.07,4063,3.07,4064,4.42,4065,3.07,4066,2.633,4067,3.07,4068,3.591,4069,3.07,4070,3.591,4071,3.07,4072,3.07,4073,3.07,4074,2.633,4075,2.633,4076,3.07,4077,3.07,4078,2.129,4079,2.633,4080,4.857,4081,5.178,4082,3.07,4083,5.178,4084,2.633,4085,4.42,4086,4.42,4087,3.07,4088,2.633,4089,2.633,4090,3.07,4091,3.79,4092,1.814,4093,4.42,4094,3.07,4095,4.42,4096,2.611,4097,3.79,4098,2.344,4099,2.633,4100,3.07,4101,3.07,4102,3.07,4103,3.07,4104,1.489,4105,1.527,4106,6.31,4107,3.07,4108,2.129,4109,2.435,4110,3.07,4111,3.07,4112,3.07,4113,2.344,4114,1.814,4115,2.129,4116,4.42,4117,3.07,4118,2.344,4119,5.178,4120,5.664,4121,1.957,4122,3.07,4123,3.07,4124,3.07,4125,3.07,4126,3.07,4127,4.42,4128,4.42,4129,2.633,4130,3.07,4131,3.07,4132,3.07,4133,3.07,4134,2.633,4135,2.633,4136,2.633,4137,3.07,4138,3.07,4139,3.07,4140,3.07,4141,3.07,4142,3.07,4143,4.42,4144,3.07,4145,5.178,4146,4.42,4147,3.07,4148,3.07,4149,4.42,4150,3.07,4151,4.42,4152,3.07,4153,2.633,4154,2.129,4155,4.42,4156,3.07,4157,4.42,4158,4.42,4159,2.611,4160,3.07,4161,3.07,4162,2.633,4163,3.07,4164,3.07,4165,4.42,4166,3.07,4167,3.07,4168,3.07,4169,1.254,4170,2.344,4171,1.254,4172,3.07,4173,2.633,4174,2.633,4175,3.07,4176,4.42,4177,2.344,4178,3.07,4179,3.07,4180,3.07,4181,2.129,4182,3.07,4183,3.07,4184,4.42,4185,2.344,4186,3.79,4187,3.07,4188,3.07,4189,3.07,4190
,3.07,4191,3.07,4192,3.07,4193,3.07,4194,3.07,4195,3.07,4196,3.07,4197,3.07,4198,3.07,4199,3.07,4200,3.07,4201,3.07,4202,3.07,4203,3.07]],["title/azure/genai.html",[2,4.44,3,4.108,4,6.123,5,2.912,51,1.557,129,2.411,1012,17.793]],["breadcrumb/azure/genai.html",[6,0.224,129,1.296,983,4.302]],["description/azure/genai.html",[4,2.309,38,4.891,51,0.817,85,0.755,129,1.265,244,1.437,365,2.118,459,2.411,468,3.227,527,0.338,850,0.755,872,1.337,986,7.811,990,3.789,1012,9.337,1046,4.651,1164,6.64,1696,3.408,2013,6.64,2081,3.408,2237,9.337,2693,5.69]],["body/azure/genai.html",[0,0.119,2,1.011,4,0.664,7,0.784,9,0.249,11,0.157,13,0.61,14,0.293,16,0.487,17,0.71,19,0.806,25,1.55,26,0.357,27,0.52,28,0.442,29,0.088,31,0.541,32,0.168,33,0.253,34,0.183,41,0.146,43,0.152,44,0.152,45,0.327,47,0.075,48,0.059,50,0.838,51,0.338,52,0.42,53,0.174,54,0.207,56,0.339,58,0.466,60,0.351,66,0.281,67,0.246,70,0.838,76,0.249,77,0.327,79,0.418,80,0.343,81,0.659,82,0.753,83,0.186,85,0.292,86,0.131,88,0.047,89,0.049,90,0.646,92,0.494,93,1.144,94,0.53,96,0.72,99,0.854,100,0.487,102,0.078,103,0.129,104,0.149,106,1,107,0.271,110,0.478,112,0.584,114,0.711,115,0.427,116,0.159,117,0.228,118,0.531,119,1.132,121,0.412,123,0.467,126,0.059,128,0.71,129,0.54,130,0.505,131,0.505,132,0.797,133,0.103,140,0.453,141,0.982,143,0.439,145,0.569,146,0.569,148,0.181,150,0.622,151,0.794,154,0.432,160,0.296,161,0.289,162,0.259,171,1.473,173,0.316,176,0.457,178,0.453,180,0.363,181,1.088,182,0.471,183,0.316,187,0.413,188,0.593,189,0.659,190,1.818,191,0.806,192,0.319,194,0.413,198,0.343,199,0.593,200,0.616,203,1.462,207,0.638,209,0.314,214,0.588,216,0.861,218,0.544,220,1.217,221,0.418,222,0.553,227,0.171,232,0.616,235,1.339,236,2.034,241,0.454,244,0.598,245,0.774,249,0.38,251,1.058,252,0.357,253,0.466,254,0.537,256,0.929,262,0.419,263,0.383,264,0.364,265,0.622,270,0.777,271,0.357,273,0.228,274,0.261,276,0.561,277,0.461,278,0.461,280,0.418,281,0.461,282,0.638,288,0.167,290,1.473,292,0.388,293,0.711,298,1.152,299,0.61,300,0.624,30
3,0.257,304,0.419,305,0.66,308,0.487,312,0.413,313,0.96,315,0.882,316,0.453,318,0.649,323,0.615,326,0.684,327,0.439,328,0.557,329,0.378,330,0.378,333,1.353,335,0.616,336,1.832,337,1.504,339,0.302,340,0.518,341,0.411,342,0.994,343,0.943,344,0.231,346,0.134,350,0.803,351,0.131,353,0.223,360,1.197,363,0.592,365,0.869,368,1.777,369,1.473,373,0.882,374,0.631,376,0.684,383,1.138,388,1.586,394,0.631,395,0.631,397,0.854,400,0.494,404,1.476,410,0.254,411,0.638,412,0.638,413,0.638,414,0.188,415,0.117,416,0.152,417,0.188,418,0.334,419,0.262,420,0.262,424,0.907,425,0.363,426,0.413,427,1.034,430,0.673,432,1.407,433,0.954,435,1.339,438,0.797,439,1.08,440,0.975,442,0.694,443,1.48,446,0.288,450,1.875,451,0.686,459,0.958,467,1.972,468,0.929,469,1.6,473,0.388,475,0.797,480,1.203,481,1.2,485,0.388,487,0.39,488,0.939,494,2.452,496,0.521,498,0.442,500,1.313,504,0.836,507,0.884,509,2.288,510,1.266,511,0.438,512,0.041,513,0.592,517,1.722,521,0.453,522,0.492,523,0.569,527,0.133,528,1.181,529,0.758,530,1.911,531,0.579,532,1.034,539,0.316,540,0.684,544,0.649,547,0.783,550,0.269,551,0.27,556,1.722,557,1.138,558,0.927,560,0.71,564,0.363,565,1.09,566,0.682,572,0.419,580,0.288,582,1.506,596,1.088,626,0.975,627,1.417,628,0.38,630,0.466,631,0.982,634,0.454,636,0.494,637,0.67,640,0.413,641,1.504,647,0.751,649,0.492,650,1.2,653,0.413,654,1.709,656,0.24,657,0.484,659,0.83,660,0.982,661,0.651,662,0.838,666,0.882,670,1.189,675,1.2,682,0.738,685,0.649,686,0.327,687,0.316,693,0.457,699,0.758,702,0.569,703,0.797,706,1.6,708,0.751,716,2.187,717,0.564,725,0.439,733,1.2,744,1.262,747,1.329,756,0.504,768,1.144,769,0.494,773,1.2,775,0.494,780,0.927,781,2.151,783,0.838,790,0.684,793,0.975,807,0.388,845,0.307,846,1.977,849,1.265,850,0.294,856,1.152,872,0.445,873,0.217,882,0.838,884,1.709,887,1.339,888,1.617,889,0.929,890,1.637,891,1.879,899,0.71,902,0.927,903,0.783,905,0.439,909,0.553,912,1.383,917,0.228,919,0.521,921,2.187,925,3.362,928,0.53,949,2.297,954,0.756,982,1.504,983,1.755,984,1.417,986,3.311,987,0.758,
988,1.709,989,0.557,990,1.09,991,3.809,992,0.17,1000,2.126,1001,0.593,1002,0.269,1003,3.333,1004,0.553,1005,1.921,1006,0.495,1007,1.026,1008,2.151,1009,0.927,1011,1.612,1012,3.946,1013,1.504,1014,2.731,1018,0.269,1019,1.026,1020,0.388,1036,0.553,1042,3.319,1045,2.838,1046,1.338,1052,1.637,1092,0.649,1102,3.041,1103,1.383,1104,3.236,1105,3.705,1106,3.705,1107,1.699,1108,1.913,1109,3.705,1110,2.873,1111,1.472,1112,1.814,1113,1.6,1114,1.6,1115,2.151,1116,1.329,1117,3.705,1118,3.998,1119,1.246,1122,1.272,1123,0.395,1130,1.026,1143,2.099,1147,0.982,1148,1.417,1152,2.297,1156,0.927,1160,1.6,1162,2.368,1164,2.563,1166,0.72,1167,0.228,1172,4.213,1173,0.72,1174,2.984,1175,2.014,1176,3.56,1177,0.943,1179,3.076,1180,4.196,1181,1.72,1183,3.841,1185,1.504,1189,1.977,1190,1.832,1191,1.2,1192,2.869,1193,2.63,1194,1.138,1199,2.368,1200,0.927,1203,0.882,1213,0.631,1228,1.617,1229,2.63,1230,0.751,1238,0.439,1242,0.932,1243,2.368,1253,0.882,1260,2.659,1265,1.977,1268,2.151,1269,0.53,1270,0.975,1271,0.553,1275,0.72,1283,1.144,1284,2.151,1288,0.316,1289,0.838,1294,0.316,1333,0.494,1334,0.61,1336,1.2,1350,1.179,1360,1.08,1361,0.873,1364,4.789,1365,3.946,1366,4.789,1369,1.977,1373,0.975,1375,1.724,1376,1.977,1377,0.72,1379,3.627,1380,1.339,1381,2.151,1385,0.838,1386,1.331,1388,1.977,1392,1.13,1402,2.659,1403,2.297,1404,2.151,1406,0.982,1423,0.523,1436,1.504,1438,2.869,1440,3.627,1441,2.38,1442,1.417,1445,0.684,1446,1.026,1448,2.63,1463,1.339,1473,0.838,1484,2.159,1494,1.504,1495,1.417,1496,1.417,1503,0.202,1513,0.72,1523,0.316,1539,0.884,1550,0.927,1555,0.927,1566,0.72,1572,0.975,1577,0.584,1609,2.922,1612,2.426,1622,1.266,1667,0.783,1676,1.331,1679,3.076,1680,0.882,1681,1.026,1683,0.72,1687,2.151,1696,1.217,1700,0.982,1712,1.266,1734,1.832,1773,1.504,1784,1.4,1794,0.553,1796,1.026,1854,1.701,1866,0.557,1877,1.6,1881,1.504,1886,1.265,1891,1.504,1929,2.838,1935,2.159,1938,1.266,1956,0.553,1957,0.758,1960,1.138,1962,1.138,1967,1.43,2006,1.135,2008,0.61,2013,2.695,2028,0.466,2036,1.504,2039,
2.301,2060,1.417,2064,1.722,2081,0.584,2083,1.265,2085,1.832,2096,2.014,2108,2.075,2109,0.758,2110,0.694,2115,1.135,2122,2.014,2127,2.099,2145,1.832,2212,0.975,2216,1.197,2220,1.138,2237,2.687,2309,1.977,2320,3.087,2346,1.709,2399,2.38,2417,2.034,2418,0.927,2434,1.4,2444,0.943,2563,1.6,2574,1.977,2578,1.709,2588,1.977,2590,1.203,2619,1.6,2629,1.417,2656,1.543,2677,1.339,2687,1.473,2692,1.504,2693,1.637,2694,0.982,2704,1.832,2724,2.659,2730,1.138,2731,1.709,2732,1.709,2733,1.709,2826,3.817,2873,2.368,2876,1.832,2968,1.832,3009,2.838,3039,0.523,3122,0.553,3214,3.16,3221,1.265,3397,3.611,3447,2.838,3464,0.684,3465,1.329,3567,1.789,3587,1.832,3603,1.4,3617,1.709,3828,1.338,3833,1.977,3849,0.616,3857,3.076,3875,1.977,3888,1.417,3890,1.746,3905,2.034,3910,3.455,3911,3.641,3917,3.076,3921,2.151,3925,3.319,3926,3.319,3928,2.869,3938,3.076,3948,3.041,3949,3.236,3950,3.133,3956,3.636,3958,2.63,3960,1.789,3965,3.841,3967,3.817,3968,3.399,3971,1.255,3972,1.473,3973,2.687,3975,2.368,3978,2.63,3979,2.368,3987,3.604,3989,2.151,3994,1.832,3995,3.109,3996,3.524,3997,3.319,4001,3.604,4002,3.708,4003,2.866,4004,1.513,4005,2.425,4008,3.627,4039,1.504,4068,2.151,4070,2.151,4092,1.832,4096,4.036,4114,3.817,4159,2.63,4204,4.452,4205,4.036,4206,6.026,4207,6.026,4208,3.101,4209,3.101,4210,2.659,4211,3.101,4212,3.101,4213,3.611,4214,1.832,4215,1.6,4216,6.61,4217,3.101,4218,3.101,4219,6.461,4220,3.101,4221,4.452,4222,6.914,4223,5.69,4224,4.465,4225,5.207,4226,3.399,4227,5.69,4228,3.101,4229,4.789,4230,6.461,4231,4.452,4232,4.452,4233,3.817,4234,4.452,4235,3.101,4236,3.101,4237,2.659,4238,2.151,4239,2.659,4240,5.69,4241,3.101,4242,4.452,4243,2.368,4244,3.399,4245,4.452,4246,4.452,4247,4.452,4248,4.879,4249,3.101,4250,3.101,4251,5.69,4252,3.101,4253,4.452,4254,2.368,4255,7.191,4256,1.6,4257,3.101,4258,4.452,4259,4.452,4260,3.101,4261,2.659,4262,2.659,4263,1.977,4264,3.101,4265,1.722,4266,3.101,4267,3.101,4268,3.101,4269,3.101,4270,3.101,4271,5.207,4272,5.207,4273,4.452,4274,4.452,4275,3.101,427
6,4.452,4277,6.986,4278,7.292,4279,3.101,4280,3.101,4281,1.138,4282,3.101,4283,4.452,4284,4.452,4285,1.832,4286,3.101,4287,5.207,4288,3.101,4289,5.207,4290,3.101,4291,3.101,4292,3.101,4293,3.101,4294,3.101,4295,4.452,4296,3.101,4297,2.151,4298,2.659,4299,1.977,4300,2.368,4301,5.207,4302,2.659,4303,1.709,4304,4.452,4305,3.399,4306,2.659,4307,3.101,4308,3.101,4309,3.101,4310,2.368,4311,6.61,4312,5.207,4313,3.101,4314,3.101,4315,3.101,4316,3.101,4317,5.207,4318,5.69,4319,5.69,4320,5.69,4321,5.69,4322,3.101,4323,4.452,4324,3.101,4325,4.452,4326,3.101,4327,3.101,4328,1.832,4329,3.101,4330,3.101,4331,3.101,4332,3.101,4333,3.101,4334,3.101,4335,3.101,4336,3.101,4337,3.087,4338,3.399,4339,3.101,4340,2.151,4341,3.101,4342,3.101,4343,2.659,4344,3.101,4345,3.101,4346,2.368,4347,2.659,4348,2.659,4349,3.101,4350,2.659,4351,2.659,4352,5.69,4353,2.151,4354,1.977,4355,2.659,4356,2.659,4357,2.659,4358,2.368,4359,2.659,4360,2.659,4361,1.709,4362,1.977,4363,1.977,4364,3.101,4365,4.452,4366,3.101,4367,3.101,4368,3.101,4369,3.101,4370,5.207,4371,5.207,4372,3.101,4373,3.101,4374,3.101,4375,3.101,4376,3.101,4377,2.368,4378,3.101,4379,2.368,4380,2.368,4381,3.101,4382,2.368,4383,2.659,4384,3.817,4385,2.151,4386,3.817,4387,2.63,4388,2.838,4389,2.659,4390,2.368,4391,3.817,4392,3.101,4393,3.087,4394,3.101,4395,2.659,4396,3.101,4397,1.977,4398,3.101,4399,3.817,4400,3.101,4401,4.465,4402,2.659,4403,3.101,4404,3.101,4405,4.452,4406,3.101,4407,3.101,4408,2.659,4409,1.977,4410,2.659,4411,2.659,4412,2.659,4413,2.659,4414,3.101,4415,2.659,4416,3.101]],["title/azure/iam.html",[2,4.693,3,4.342,4,6.362,5,3.077,129,2.549,564,2.048]],["breadcrumb/azure/iam.html",[6,0.224,129,1.296,564,1.041]],["description/azure/iam.html",[4,2.309,31,1.33,33,0.883,53,0.446,85,0.755,107,1.579,253,2.722,297,7.39,302,6.64,376,3.991,410,0.648,897,1.709,990,3.789,1033,5.69,1080,3.053,1503,0.515,1696,3.408,1786,3.227,4109,9.969,4387,10.692,4417,9.969]],["body/azure/iam.html",[0,0.118,2,1.011,3,0.827,4,0.671,7,0.395,9,0.274,10,1
.29,11,0.161,13,0.616,14,0.426,16,0.627,17,0.719,20,1.16,25,1.1,26,0.362,27,0.516,28,0.207,29,0.128,31,0.51,33,0.274,34,0.179,35,0.216,41,0.077,43,0.119,44,0.157,45,0.422,47,0.128,48,0.06,50,0.854,51,0.285,53,0.178,54,0.406,56,0.493,58,0.678,60,0.317,61,0.733,62,0.321,64,1.363,65,0.298,66,0.284,67,0.259,68,0.658,69,0.298,76,0.533,77,0.387,78,1.363,79,0.422,80,0.366,81,0.493,82,0.658,83,0.178,85,0.313,86,0.113,88,0.047,89,0.05,90,0.501,92,0.504,94,0.584,95,2.271,97,0.888,98,0.759,99,0.448,100,0.493,101,0.733,102,0.073,103,0.132,104,0.217,106,1.127,107,0.394,110,0.464,111,0.627,113,0.71,114,0.658,115,0.2,116,0.188,117,0.497,118,0.487,119,1.188,121,0.437,122,0.995,123,0.458,124,0.533,125,0.854,126,0.042,127,0.395,128,0.839,129,0.533,130,0.494,131,0.494,133,0.104,136,0.993,140,0.535,143,0.448,144,0.854,146,0.497,148,0.164,149,0.395,150,0.345,151,0.563,152,0.533,153,0.493,154,0.444,156,0.272,160,0.253,161,0.271,162,0.261,165,0.394,168,1.159,173,0.335,178,0.535,180,0.37,182,0.476,183,0.676,184,0.528,185,1.842,187,0.765,189,0.493,191,0.813,192,0.302,193,0.71,194,0.399,198,0.43,199,0.765,206,0.563,207,0.321,209,0.191,212,0.277,214,0.461,216,0.809,217,1.532,218,0.537,219,0.789,220,1.081,221,0.422,222,0.51,223,0.421,226,1.363,227,0.183,232,0.628,233,0.678,234,0.595,239,0.345,241,0.501,242,0.854,244,0.575,245,0.528,246,1.352,247,0.661,249,0.352,250,0.733,251,0.533,252,0.362,253,1.148,254,0.298,258,0.839,262,0.406,263,0.422,264,0.381,265,0.493,270,0.584,271,0.395,272,1.908,273,0.477,274,0.161,275,0.765,276,0.609,277,0.488,278,0.504,279,0.302,280,0.387,281,0.446,282,0.584,287,0.839,288,0.209,289,1.363,290,1.045,292,0.394,293,0.395,294,0.678,297,2.8,298,0.804,299,0.687,300,0.622,301,1.159,302,2.763,303,0.266,304,0.406,305,0.647,308,0.69,311,0.272,312,0.701,315,0.898,316,0.535,317,0.888,319,0.563,321,1.532,323,0.394,326,0.697,327,0.813,328,0.564,329,0.381,330,0.381,332,0.888,333,0.944,335,1.045,339,0.301,340,0.477,341,0.406,342,0.977,343,0.913,344,0.263,346,0.098,350,0.765,351,0.1
34,353,0.158,363,0.596,365,0.528,374,0.639,376,1.661,383,2.105,388,1.508,394,0.745,395,0.745,397,0.813,400,0.839,404,1.321,410,0.271,411,0.584,412,0.584,413,0.584,414,0.182,415,0.113,416,0.147,417,0.182,418,0.328,419,0.253,420,0.253,424,1.006,425,0.37,426,0.421,430,0.618,431,0.898,433,0.639,436,2.412,441,0.448,442,0.701,443,0.898,444,0.345,446,0.274,450,1.715,451,0.681,459,0.421,467,1.804,468,0.563,473,0.394,480,1.795,484,0.849,486,1.74,487,0.392,488,0.765,490,0.839,496,0.528,498,0.434,500,1.321,503,4.504,504,0.765,506,1.159,507,0.628,509,2.149,510,1.29,511,0.412,513,0.573,514,0.849,521,0.584,522,0.426,523,0.655,524,0.533,527,0.107,528,1.081,529,0.772,532,1.409,539,0.618,540,1.338,544,0.944,546,1.715,547,0.475,550,0.419,551,0.239,552,1.282,556,1.222,558,1.348,560,0.719,562,0.854,564,0.407,565,0.661,566,0.72,568,1.045,571,3.142,572,0.464,580,0.29,582,1.16,596,0.772,628,0.301,629,0.997,633,1.29,634,0.459,636,0.719,637,0.791,640,0.421,649,0.497,653,0.421,655,0.804,656,0.359,657,0.254,659,0.839,660,1.338,661,0.717,666,1.495,670,1.065,673,0.595,676,1.74,682,0.448,684,0.993,686,0.446,687,0.642,688,0.661,690,1.332,693,0.604,696,1.282,708,0.761,713,0.854,717,0.501,738,1.221,744,1.102,745,0.697,756,0.461,758,0.812,760,1.159,764,0.849,768,0.812,769,0.915,771,0.628,776,1.159,784,0.854,791,0.628,799,1.348,801,2.191,807,0.394,816,1.379,845,0.161,856,1.082,863,0.678,872,0.448,873,0.282,877,0.504,885,1.185,894,1.731,895,1.289,896,4.511,897,0.69,899,0.719,903,0.475,905,0.448,906,0.535,912,1.266,913,1.045,917,0.232,919,0.672,920,0.772,928,0.321,932,1.1,933,1.1,936,2.551,954,0.76,986,2.619,989,0.395,990,1.453,992,0.128,1001,0.421,1002,0.191,1006,0.488,1007,1.045,1009,1.715,1010,1.045,1018,0.317,1033,0.993,1034,2.043,1036,0.804,1044,1.63,1046,0.812,1051,1.63,1058,2.412,1080,1.141,1092,1.201,1107,0.812,1112,1.1,1119,0.628,1123,0.276,1124,0.944,1126,1.655,1128,2.622,1143,1.1,1145,1.222,1146,0.772,1152,2.327,1164,1.655,1167,0.331,1169,2.327,1173,1.047,1177,0.475,1181,1.465,1186,0.345,119
0,1.866,1213,0.612,1227,1.532,1232,2.014,1233,0.993,1235,0.733,1238,0.983,1242,0.661,1252,0.772,1255,0.733,1258,1.222,1261,0.944,1262,1.29,1264,2.187,1269,0.459,1270,1.418,1283,0.812,1286,1.886,1288,0.321,1333,0.504,1334,0.672,1336,2.035,1343,1.1,1348,0.777,1350,1.024,1358,1.74,1360,1.1,1361,0.658,1362,1.74,1373,0.993,1375,0.733,1377,0.733,1378,1.63,1385,1.219,1392,0.628,1425,1.159,1438,1.74,1445,0.697,1478,1.706,1503,0.201,1506,2.898,1513,0.733,1518,0.898,1519,2.191,1520,2.665,1523,0.535,1525,0.563,1526,1.842,1527,2.061,1528,2.569,1529,1.363,1530,1.348,1531,1.363,1534,3.444,1535,3.278,1536,2.709,1538,1.159,1539,0.628,1540,0.993,1541,1.363,1543,0.993,1544,1.348,1548,1.741,1549,2.477,1551,1.74,1552,2.348,1553,2.485,1555,0.944,1556,1.571,1557,0.719,1559,3.108,1560,1.1,1561,2.187,1564,1.027,1565,2.804,1566,1.508,1571,1.63,1572,0.993,1577,0.849,1594,2.412,1597,2.191,1603,1.947,1606,0.595,1609,2.783,1612,2.035,1613,3.161,1614,2.875,1616,0.995,1619,0.697,1623,2.875,1625,1.159,1627,1.363,1635,1.29,1638,0.504,1640,3.128,1644,2.412,1665,1.282,1666,1.222,1667,0.678,1676,0.944,1677,0.557,1678,1.1,1681,1.492,1684,2.148,1689,1.363,1690,0.944,1691,2.191,1694,0.894,1696,1.409,1699,1.942,1700,1.16,1701,1.63,1706,2.412,1709,0.993,1711,2.271,1712,1.29,1714,1.045,1717,2.477,1734,1.866,1748,2.412,1749,3.128,1763,3.979,1764,1.532,1765,1.444,1766,1.74,1773,1.532,1777,2.478,1781,2.714,1782,1.363,1786,1.286,1787,1.045,1790,1.045,1791,1.29,1792,0.849,1793,1.045,1794,0.938,1795,2.271,1796,1.899,1799,2.014,1801,1.63,1830,1.29,1832,1.573,1846,2.191,1847,2.412,1852,0.898,1864,1.363,1866,0.395,1877,1.63,1884,2.875,1886,0.898,1894,1.444,1897,1.532,1898,1.74,1915,0.993,1921,0.944,1922,1.444,1932,1.532,1952,1.222,1954,1.159,1956,0.804,1974,0.759,2006,1.081,2008,0.528,2009,1.045,2029,1.1,2031,1.29,2039,2.105,2044,1.159,2047,0.993,2064,1.745,2066,1.159,2075,1.444,2081,0.991,2092,1.74,2096,1.745,2097,2.412,2100,1.363,2113,3.353,2115,0.849,2118,1.74,2119,1.74,2133,2.148,2141,1.1,2156,3.161,2162,2.014,2
163,1.814,2166,2.898,2200,2.148,2203,0.898,2209,1.29,2212,0.993,2215,1.159,2216,1.205,2224,1.745,2255,1.222,2328,1.045,2434,0.993,2444,0.863,2452,1.842,2458,1.74,2476,0.661,2563,2.327,2566,2.014,2573,1.444,2578,2.485,2583,1.492,2592,3.108,2632,1.532,2656,1.271,2658,2.709,2665,2.187,2669,2.191,2677,1.363,2678,2.477,2686,0.533,2687,1.045,2691,2.898,2693,1.908,2695,1.866,2701,3.131,2822,2.619,2831,2.875,2867,1.363,2868,1.159,2883,1.363,2965,2.709,2968,3.838,2986,2.968,3009,2.014,3017,1.866,3038,2.191,3039,1.141,3051,3.278,3128,3.476,3141,0.898,3214,3.295,3215,2.327,3237,2.404,3279,1.363,3310,1.532,3394,1.63,3428,3.128,3462,2.961,3465,0.995,3537,0.772,3551,2.014,3553,2.709,3603,1.804,3617,1.74,3691,1.532,3776,1.866,3808,2.412,3833,2.014,3849,1.487,3850,1.63,3852,1.866,3859,1.348,3890,1.422,3903,1.74,3905,2.404,3908,2.191,3925,3.578,3926,3.161,3948,2.783,3949,2.961,3950,1.532,3956,3.256,3971,1.392,3972,1.741,3973,2.714,3987,3.427,3995,1.63,3996,2.714,4001,3.427,4003,2.773,4004,1.436,4005,2.105,4021,3.108,4025,1.532,4028,1.532,4029,2.191,4039,1.532,4066,2.709,4092,1.866,4096,2.665,4109,2.485,4114,1.866,4169,1.842,4256,3.538,4310,2.412,4337,2.191,4377,2.412,4379,5.072,4380,3.444,4382,5.072,4384,3.868,4387,4.472,4388,4.731,4417,2.898,4418,3.128,4419,1.363,4420,2.014,4421,2.412,4422,4.381,4423,5.951,4424,3.159,4425,3.159,4426,2.412,4427,3.159,4428,2.014,4429,2.014,4430,2.622,4431,3.159,4432,2.709,4433,3.159,4434,1.492,4435,2.709,4436,1.29,4437,2.404,4438,4.511,4439,5.261,4440,3.159,4441,2.709,4442,1.363,4443,2.709,4444,3.868,4445,2.412,4446,3.444,4447,3.159,4448,2.875,4449,2.191,4450,3.159,4451,1.63,4452,4.511,4453,3.159,4454,3.159,4455,3.159,4456,2.709,4457,4.511,4458,5.411,4459,5.411,4460,5.411,4461,6.311,4462,3.159,4463,3.159,4464,2.709,4465,4.511,4466,3.159,4467,3.159,4468,3.159,4469,4.511,4470,3.979,4471,3.159,4472,3.159,4473,3.159,4474,5.203,4475,2.412,4476,2.709,4477,2.709,4478,3.159,4479,3.159,4480,3.159,4481,4.511,4482,3.159,4483,4.511,4484,3.159,4485,4.511,4486,4.5
11,4487,2.709,4488,4.511,4489,3.868,4490,5.738,4491,5.261,4492,3.159,4493,3.648,4494,4.511,4495,4.511,4496,3.159,4497,3.159,4498,3.159,4499,4.511,4500,4.511,4501,6.311,4502,3.159,4503,3.159,4504,3.159,4505,3.159,4506,4.511,4507,3.159,4508,3.159,4509,3.159,4510,3.868,4511,4.819,4512,5.203,4513,3.159,4514,1.444,4515,2.709,4516,2.191,4517,2.709,4518,2.412,4519,4.688,4520,2.412,4521,3.159,4522,3.159,4523,3.159,4524,1.29,4525,2.412,4526,2.412,4527,2.412,4528,3.159,4529,3.159,4530,3.159,4531,3.159,4532,4.511,4533,2.709,4534,3.159,4535,3.159,4536,3.159,4537,3.159,4538,3.159,4539,6.069,4540,6.069,4541,5.738,4542,3.159,4543,3.159,4544,2.709,4545,2.709,4546,3.159,4547,3.159,4548,2.709,4549,3.159,4550,3.159,4551,3.159,4552,2.709,4553,3.868,4554,3.159,4555,3.868,4556,2.709,4557,3.159,4558,3.159,4559,2.709,4560,4.511,4561,2.709,4562,2.709,4563,3.159,4564,4.511,4565,3.159,4566,3.159,4567,2.709,4568,3.159,4569,3.159,4570,2.709,4571,3.159,4572,2.709,4573,3.159,4574,3.159,4575,3.159,4576,3.159,4577,2.191,4578,3.159,4579,3.868,4580,2.709,4581,2.709,4582,3.868,4583,3.868,4584,3.159,4585,5.738,4586,2.191,4587,1.74,4588,3.868,4589,2.709,4590,3.159,4591,2.014,4592,3.159,4593,3.159,4594,2.412,4595,3.159,4596,2.709,4597,3.159,4598,3.159,4599,3.159,4600,2.709,4601,4.511,4602,3.159,4603,5.261,4604,2.191,4605,3.159,4606,2.191,4607,5.261,4608,3.159,4609,2.191,4610,5.261,4611,2.191,4612,3.159,4613,3.159,4614,4.511,4615,3.159,4616,3.159,4617,4.511,4618,3.159,4619,3.159,4620,2.191,4621,3.159,4622,3.159,4623,3.159,4624,3.159,4625,4.511,4626,3.159,4627,3.159,4628,2.709,4629,3.159,4630,3.159,4631,4.511,4632,5.738,4633,3.159,4634,4.511,4635,3.159,4636,3.159,4637,3.159,4638,3.159,4639,4.511,4640,2.709,4641,3.159,4642,3.159,4643,2.709,4644,3.159,4645,2.014,4646,2.709,4647,1.866,4648,2.191,4649,3.159,4650,3.159,4651,3.868,4652,4.511,4653,2.709,4654,3.658,4655,3.159,4656,2.412,4657,4.511,4658,2.404,4659,4.511,4660,4.511,4661,5.738,4662,5.261,4663,5.738,4664,5.738,4665,4.511,4666,3.159,4667,3.159,4668,3.1
59,4669,3.159,4670,3.159,4671,3.159,4672,3.159,4673,3.159,4674,3.159,4675,3.159,4676,3.159,4677,3.159,4678,4.511,4679,3.159,4680,3.159,4681,3.159,4682,4.511,4683,3.159,4684,2.709,4685,3.159,4686,2.191,4687,3.159,4688,3.159,4689,4.511,4690,3.159,4691,1.63,4692,2.709,4693,3.159,4694,2.412,4695,3.159,4696,3.159,4697,4.92,4698,4.511,4699,3.159,4700,5.261,4701,1.63,4702,3.159,4703,2.412,4704,3.159,4705,3.159,4706,2.709,4707,3.159,4708,3.159,4709,2.709,4710,3.868,4711,3.159,4712,2.412,4713,2.412,4714,3.159,4715,3.159,4716,4.511,4717,2.709,4718,3.159,4719,3.159,4720,4.511,4721,3.159,4722,3.159,4723,3.159]],["title/azure/index.html",[2,4.976,3,4.605,4,6.619,5,3.263,129,2.703]],["breadcrumb/azure/index.html",[6,0.257,129,1.489]],["description/azure/index.html",[2,2.673,4,2.649,28,1.363,29,0.591,85,0.866,89,0.163,115,1.317,129,1.452,244,1.649,288,0.667,511,1.408,845,1.056,872,1.534,1123,1.268,1696,3.909]],["body/azure/index.html",[0,0.11,2,0.985,3,0.795,4,0.898,17,0.923,20,1.552,28,0.438,29,0.2,32,0.141,33,0.25,37,0.633,38,1.805,40,0.294,43,0.138,44,0.146,47,0.141,48,0.088,51,0.301,52,0.547,53,0.165,67,0.206,85,0.302,88,0.043,102,0.07,103,0.242,104,0.278,107,0.505,110,0.405,111,0.633,115,0.446,116,0.207,117,0.491,119,0.923,126,0.077,129,0.527,144,1.565,154,0.387,160,0.279,244,0.59,247,1.212,249,0.387,276,0.465,288,0.214,302,2.125,346,0.108,365,0.824,376,1.277,410,0.252,459,0.772,468,1.033,511,0.453,512,0.077,527,0.125,551,0.242,564,0.375,688,1.212,693,0.465,694,1.916,736,1.821,779,0.923,791,1.15,804,4.015,845,0.34,850,0.294,872,0.52,897,0.547,905,1.024,906,0.589,917,0.425,983,1.344,986,2.499,990,1.212,1010,1.916,1046,1.488,1055,2.24,1080,0.977,1123,0.43,1164,2.582,1167,0.425,1288,0.589,1294,0.589,1356,3.691,1503,0.206,1538,2.125,1696,1.384,1949,0.772,1951,1.344,2008,0.824,2009,1.916,2010,3.421,2012,2.24,2013,2.125,2025,2.365,2029,2.017,2057,1.565,2081,1.09,2237,2.988,2463,2.988,2576,2.209,2630,3.19,2686,1.127,2693,2.212,2694,1.595,3141,1.646,3218,1.731,3401,1.488,3691,2.808,3
845,1.916,3846,4.015,3847,4.015,4004,1.398,4005,2.582,4105,1.631,4387,3.421,4429,3.691,4724,2.988,4725,4.015,4726,3.421]],["title/azure/ir.html",[2,4.44,3,4.108,4,6.123,5,2.912,129,2.411,288,1.107,511,2.339]],["breadcrumb/azure/ir.html",[6,0.198,129,1.147,288,0.527,511,1.113]],["description/azure/ir.html",[33,0.621,52,1.648,129,1.221,288,0.561,297,7.128,410,0.625,511,1.184,629,2.326,710,7.128,791,3.468,894,4.053,917,1.283,1130,5.776,2028,2.626,2029,6.08,2076,8.465,2115,3.287,2467,4.053,2628,7.978,3848,7.978,4003,7.978,4005,6.405,4105,4.265,4727,13.33]],["body/azure/ir.html",[0,0.12,2,1.011,3,0.839,4,0.567,9,0.272,11,0.163,13,0.362,14,0.623,16,0.338,17,0.708,19,0.736,20,0.682,26,0.417,27,0.524,28,0.472,29,0.126,30,0.582,31,0.382,32,0.126,33,0.272,34,0.184,35,0.212,40,0.129,43,0.143,44,0.151,45,0.417,47,0.108,48,0.083,51,0.272,52,0.697,53,0.172,54,0.207,55,0.836,56,0.485,58,0.465,60,0.337,61,1.207,62,0.452,64,1.334,65,0.292,66,0.373,67,0.268,69,0.536,71,1.077,76,0.483,77,0.227,78,1.334,79,0.483,80,0.378,81,0.568,82,0.555,83,0.173,85,0.31,86,0.113,88,0.047,89,0.045,90,0.388,92,0.493,94,0.578,95,1.334,97,0.522,98,0.386,102,0.083,103,0.185,104,0.273,106,0.708,107,0.496,108,2.75,110,0.397,111,0.485,113,0.704,114,0.65,115,0.397,116,0.186,117,0.442,118,0.56,119,1.139,120,1.023,121,0.389,122,0.682,123,0.431,124,0.522,125,0.836,126,0.075,127,0.555,128,0.906,129,0.535,130,0.477,131,0.477,132,0.794,133,0.103,136,1.396,137,0.362,138,0.718,139,0.682,140,0.638,141,0.682,143,0.629,145,0.536,146,0.609,148,0.076,149,0.555,150,0.568,152,0.522,153,0.338,154,0.431,156,0.187,160,0.185,161,0.261,162,0.257,165,0.454,167,1.031,168,1.141,170,1.141,173,0.148,176,0.456,178,0.578,180,0.362,182,0.441,183,0.578,185,1.262,187,0.693,191,0.888,192,0.315,193,0.362,194,0.407,195,1.334,198,0.378,199,0.693,201,0.972,203,0.794,206,1.013,207,0.71,209,0.187,212,0.217,213,1.085,214,0.503,216,0.86,218,0.521,219,0.928,220,0.582,221,0.417,222,0.494,226,1.917,227,0.152,228,2.144,231,1.703,232,0.614,233,0.465,23
4,0.836,239,0.568,241,0.525,242,0.836,244,0.595,245,0.755,246,1.659,249,0.38,251,1.089,252,0.503,253,0.782,254,0.675,256,0.551,259,1.077,261,1.195,262,0.497,263,0.501,264,0.268,265,0.621,270,0.727,271,0.369,272,1.396,273,0.227,274,0.186,275,0.802,276,0.54,277,0.508,278,0.513,279,0.316,280,0.417,281,0.417,282,0.529,287,0.708,288,0.245,290,1.023,294,0.905,297,2.976,298,0.551,299,0.419,300,0.651,302,1.907,303,0.247,304,0.347,305,0.609,308,0.485,310,1.334,311,0.378,312,0.693,313,0.749,316,0.315,317,0.877,319,0.551,322,0.718,323,0.525,327,0.736,329,0.314,330,0.314,332,0.522,333,0.647,335,1.129,339,0.288,340,0.485,341,0.398,342,0.946,343,0.782,344,0.186,346,0.097,350,0.693,351,0.129,353,0.18,363,0.568,365,0.362,366,1.917,374,0.953,376,1.524,383,1.134,384,0.749,388,1.319,394,0.629,395,0.629,397,0.438,400,0.829,404,1.312,410,0.273,411,0.529,412,0.529,413,0.529,414,0.188,415,0.113,416,0.138,417,0.17,418,0.308,419,0.237,420,0.217,424,0.708,425,0.665,426,0.802,430,0.612,431,1.477,433,0.967,435,1.334,438,0.794,441,0.736,444,0.722,446,0.334,450,1.799,451,0.675,453,0.972,467,1.634,473,0.576,484,0.582,485,0.71,487,0.378,488,0.693,490,0.708,496,0.665,498,0.462,499,1.813,500,0.93,501,0.915,504,0.693,506,1.141,507,0.882,509,1.72,511,0.507,512,0.098,513,0.491,514,0.836,521,0.612,522,0.292,523,0.623,524,0.522,527,0.083,528,0.979,531,0.452,532,1.455,533,1.826,539,0.315,540,1.146,542,1.396,544,0.93,550,0.421,551,0.251,553,1.413,554,1.396,560,0.906,561,1.334,563,0.879,566,0.675,570,1.262,571,2.704,572,0.347,587,1.023,596,0.755,628,0.297,629,0.995,630,0.782,631,0.979,633,1.262,634,0.496,636,0.708,637,0.465,640,0.412,649,0.292,650,1.196,653,0.592,655,0.551,656,0.386,659,0.493,660,1.456,661,0.555,670,1.015,675,1.196,682,0.888,684,0.972,686,0.326,687,0.745,688,1.496,693,0.548,696,1.477,699,0.755,702,0.338,703,1.141,710,1.262,713,0.836,717,0.587,736,0.972,741,1.413,744,0.93,745,1.653,746,0.979,753,1.077,756,0.548,758,0.794,760,0.794,765,0.999,769,0.906,775,0.493,776,0.794,780,1.328,783,0.836,7
84,1.2,791,1.475,792,0.972,799,0.924,802,1.336,807,0.388,808,1.697,813,1.917,816,1.244,845,0.328,849,0.879,850,0.129,856,0.792,863,0.465,872,0.497,873,0.217,877,0.493,885,0.792,887,1.334,891,1.615,894,1.734,895,1.015,899,0.829,900,1.134,902,0.924,903,0.465,905,0.936,906,0.578,909,0.792,912,1.327,913,1.469,914,1.023,917,0.559,919,0.608,920,1.27,926,1.499,927,2.198,954,0.362,989,0.65,990,0.647,992,0.108,1002,0.314,1005,1.334,1006,0.382,1018,0.378,1020,0.71,1036,0.551,1040,1.023,1050,2.011,1052,0.972,1054,0.805,1056,0.718,1080,1.206,1092,1.088,1107,0.794,1108,0.879,1110,1.196,1111,1.244,1116,0.682,1119,0.882,1123,0.394,1124,1.698,1126,1.134,1128,2.596,1130,1.023,1141,0.718,1143,1.547,1146,0.755,1148,1.413,1153,1.595,1155,1.334,1156,1.554,1165,0.967,1167,0.227,1168,0.551,1173,0.718,1175,1.196,1177,0.465,1181,0.718,1186,0.568,1213,0.27,1228,1.262,1230,0.522,1233,0.972,1235,0.718,1238,0.438,1251,1.023,1253,0.879,1255,0.718,1257,2.375,1261,1.328,1262,2.32,1269,0.452,1271,0.927,1274,1.023,1278,1.873,1279,0.582,1283,1.547,1286,1.554,1288,0.315,1294,0.578,1333,0.959,1334,0.755,1336,2.198,1343,1.547,1348,0.817,1349,1.826,1350,1.015,1352,1.826,1357,1.196,1372,2.36,1375,0.718,1386,1.698,1389,1.917,1392,0.614,1425,1.63,1446,1.469,1447,2.964,1478,1.2,1503,0.208,1523,0.529,1525,0.792,1530,1.328,1531,1.334,1535,1.499,1548,2.073,1549,2.786,1552,1.718,1554,2.144,1556,1.81,1557,0.708,1560,1.077,1564,1.012,1571,1.595,1573,2.011,1577,1.07,1606,0.979,1609,2.52,1612,2.011,1618,1.334,1619,1.146,1625,1.63,1626,1.787,1628,1.413,1634,0.836,1644,2.36,1645,1.703,1665,0.879,1669,1.141,1677,0.483,1678,1.077,1679,1.826,1680,1.615,1684,1.813,1690,0.924,1694,0.853,1696,1.398,1699,1.929,1700,0.682,1710,1.134,1734,1.826,1763,2.144,1764,1.499,1765,1.413,1777,1.262,1781,2.682,1787,1.033,1794,0.927,1801,1.595,1832,0.924,1852,0.879,1853,1.413,1859,1.413,1864,1.334,1866,0.807,1869,1.917,1872,1.971,1874,1.703,1876,0.879,1877,1.595,1883,1.547,1885,1.2,1891,1.499,1892,1.077,1915,1.396,1921,0.924,1922,1.413,193
2,2.154,1952,1.718,1953,2.32,1960,1.134,1967,1.462,1974,0.555,2006,1.07,2007,1.826,2008,0.362,2020,1.72,2026,1.627,2027,3.071,2028,1.075,2029,2.597,2030,2.662,2031,2.32,2032,1.971,2033,2.651,2036,2.918,2037,2.624,2038,3.604,2039,2.562,2040,1.971,2041,1.826,2042,1.826,2043,1.595,2044,1.134,2045,1.499,2046,1.595,2047,1.787,2048,1.703,2049,2.154,2050,1.703,2051,2.144,2052,1.499,2054,2.931,2055,2.651,2056,2.651,2058,2.651,2059,2.36,2060,1.413,2061,1.718,2062,1.595,2063,3.94,2064,1.196,2065,1.873,2066,2.562,2067,2.36,2068,1.971,2069,2.144,2070,2.651,2071,2.651,2072,2.36,2075,2.596,2076,1.499,2077,2.651,2078,1.328,2079,1.826,2080,2.651,2081,0.836,2082,0.972,2083,1.477,2084,1.413,2085,2.624,2086,2.144,2087,2.36,2088,2.651,2089,1.703,2090,0.879,2092,1.703,2096,2.424,2100,2.452,2102,1.262,2103,2.198,2104,0.682,2106,3.313,2108,1.469,2109,0.755,2110,0.412,2111,1.077,2112,1.196,2113,1.971,2115,1.133,2116,2.144,2118,1.703,2119,1.703,2120,2.36,2121,2.36,2122,1.196,2123,2.144,2124,2.291,2125,2.36,2126,1.134,2131,3.391,2133,1.262,2141,1.81,2151,3.391,2156,2.863,2157,3.808,2158,3.808,2162,2.831,2163,1.698,2166,1.703,2197,2.144,2198,2.144,2199,2.144,2200,2.122,2203,0.879,2209,1.813,2212,0.972,2216,0.882,2220,1.134,2223,1.396,2225,1.499,2228,3.08,2231,2.863,2235,2.447,2238,2.144,2240,1.971,2241,2.144,2242,2.36,2243,1.703,2244,2.243,2247,1.413,2249,1.262,2251,2.36,2252,1.703,2300,1.971,2301,3.08,2302,2.144,2316,2.36,2320,2.144,2322,2.36,2327,2.831,2328,1.72,2335,2.144,2336,2.36,2337,1.262,2338,1.262,2339,1.595,2340,2.144,2344,2.651,2357,1.196,2393,2.36,2394,2.36,2412,1.134,2421,2.52,2423,1.971,2434,0.972,2439,1.826,2442,1.718,2444,0.855,2467,1.685,2563,2.291,2628,2.03,2632,2.154,2656,1.19,2657,1.595,2665,1.499,2678,2.452,2686,1.015,2691,1.703,2693,1.634,2694,1.423,2701,2.682,2704,1.826,2750,2.36,2822,2.903,2859,1.595,2868,1.63,2875,2.029,2979,1.703,2986,2.596,3009,1.971,3017,1.826,3039,1.114,3051,1.499,3096,1.826,3120,1.334,3128,1.703,3141,0.879,3145,1.595,3149,1.63,3214,3.331,3215,2.6
82,3401,1.61,3403,1.595,3406,1.595,3460,3.08,3464,0.682,3465,0.979,3555,1.2,3569,1.971,3603,0.972,3606,1.388,3608,4.457,3670,2.624,3674,1.826,3766,1.826,3776,1.826,3826,1.499,3828,0.794,3845,2.073,3848,3.331,3849,1.458,3852,1.826,3853,1.971,3854,1.262,3857,3.071,3859,0.924,3860,1.826,3875,1.971,3878,2.36,3890,1.978,3905,2.03,3910,2.863,3911,3.556,3925,2.863,3926,2.863,3927,2.36,3928,2.863,3931,2.36,3932,2.36,3938,2.624,3948,2.52,3949,2.682,3950,2.154,3956,3.33,3958,2.624,3960,0.972,3961,2.651,3962,2.651,3965,2.831,3971,1.327,3972,1.469,3973,1.595,3978,1.826,3987,3.33,3994,1.826,3995,2.291,3996,3.105,3997,1.703,4001,3.33,4002,3.13,4003,3.119,4004,1.486,4005,2.79,4033,1.413,4047,2.651,4049,2.36,4068,2.144,4070,2.144,4092,2.624,4105,1.773,4114,3.071,4115,3.604,4121,3.836,4134,2.651,4159,2.624,4256,2.682,4310,2.36,4337,2.144,4354,1.971,4393,3.08,4423,5.767,4458,2.651,4459,2.651,4460,2.651,4470,2.144,4474,3.808,4475,2.36,4476,2.651,4477,2.651,4487,2.651,4493,2.144,4511,4.595,4512,4.872,4516,2.144,4519,3.08,4520,2.36,4533,2.651,4545,2.651,4548,2.651,4552,2.651,4553,2.651,4555,2.651,4556,2.651,4559,2.651,4561,2.651,4562,2.651,4567,3.808,4570,2.651,4572,4.872,4577,3.08,4579,2.651,4580,3.808,4581,2.651,4582,3.808,4583,3.808,4586,2.144,4587,1.703,4588,2.651,4589,2.651,4600,2.651,4606,2.144,4611,3.08,4620,2.144,4647,1.826,4697,2.651,4709,2.651,4727,4.338,4728,2.182,4729,1.595,4730,2.447,4731,2.36,4732,4.441,4733,4.173,4734,1.595,4735,3.091,4736,2.144,4737,1.595,4738,1.262,4739,2.36,4740,2.144,4741,3.091,4742,2.651,4743,3.091,4744,3.091,4745,3.091,4746,4.441,4747,4.441,4748,3.091,4749,3.091,4750,3.091,4751,3.091,4752,3.091,4753,3.091,4754,3.091,4755,3.091,4756,4.441,4757,3.091,4758,3.091,4759,3.091,4760,3.091,4761,3.091,4762,2.144,4763,2.36,4764,3.091,4765,3.091,4766,3.091,4767,3.091,4768,2.651,4769,2.144,4770,4.441,4771,3.091,4772,3.091,4773,3.091,4774,4.441,4775,3.091,4776,3.091,4777,3.091,4778,3.091,4779,2.651,4780,4.441,4781,3.091,4782,1.826,4783,3.091,4784,4.457,4785,4.457
,4786,1.595,4787,2.651,4788,3.091,4789,3.391,4790,1.703,4791,3.091,4792,1.595,4793,2.651,4794,1.499,4795,2.36,4796,2.36,4797,2.651,4798,2.651,4799,0.836,4800,2.36,4801,1.971,4802,3.091,4803,2.36,4804,4.441,4805,4.441,4806,3.091,4807,3.091,4808,3.091,4809,4.441,4810,5.198,4811,3.091,4812,3.091,4813,3.091,4814,3.091,4815,3.091,4816,5.198,4817,3.091,4818,3.091,4819,3.091,4820,3.091,4821,2.651,4822,4.441,4823,4.441,4824,3.091,4825,3.808,4826,3.08,4827,3.808,4828,3.808,4829,3.091,4830,3.091,4831,3.091,4832,5.198,4833,3.091,4834,4.441,4835,4.441,4836,3.091,4837,3.091,4838,2.651,4839,3.091,4840,3.091,4841,3.091,4842,3.091,4843,3.091,4844,3.091,4845,2.36,4846,4.441,4847,3.091,4848,3.091,4849,3.091,4850,3.091,4851,3.091,4852,3.091,4853,3.091,4854,4.441,4855,3.091,4856,5.198,4857,2.651,4858,3.091,4859,3.091,4860,0.972,4861,2.651,4862,3.091,4863,3.091,4864,3.808,4865,2.651,4866,3.091,4867,3.091,4868,1.262,4869,4.441,4870,2.144,4871,2.36,4872,3.091,4873,3.091,4874,6.265,4875,2.651,4876,3.091,4877,2.651,4878,3.091,4879,3.091,4880,4.441,4881,3.091,4882,3.091,4883,3.091,4884,3.091,4885,3.091,4886,3.091,4887,3.091,4888,3.091,4889,3.091,4890,3.091,4891,3.091,4892,3.091,4893,4.441,4894,3.091,4895,3.091,4896,3.091,4897,3.091,4898,3.091,4899,3.091,4900,3.091,4901,3.091,4902,3.091,4903,3.091,4904,3.091,4905,3.091,4906,3.091,4907,4.441,4908,3.091,4909,5.198,4910,3.091,4911,3.091,4912,4.441,4913,3.808,4914,4.441,4915,4.441,4916,3.091,4917,3.091,4918,2.651,4919,3.091,4920,2.36,4921,3.091,4922,3.091,4923,3.091,4924,3.091,4925,3.091,4926,3.091,4927,3.091,4928,3.091,4929,3.091,4930,1.971,4931,2.651]],["title/azure/kubernetes.html",[2,4.693,3,4.342,4,6.362,5,3.077,129,2.549,2576,12.06]],["breadcrumb/azure/kubernetes.html",[6,0.224,129,1.296,1949,2.469]],["description/azure/kubernetes.html",[4,1.604,37,1.374,38,3.397,40,0.524,43,0.26,44,0.394,51,0.567,53,0.31,85,0.524,115,0.797,119,2.004,129,1.797,160,0.524,162,0.45,244,0.998,276,1.009,410,0.682,512,0.166,779,2.004,850,0.524,872,0.929,1055,4.86
2,1123,0.768,1164,4.612,1167,0.923,1503,0.543,1696,3.589,1949,1.675,1951,2.918,1974,1.571,2576,4.159,2630,6.924,2686,2.121,2693,3.952,2694,2.772,4004,2.632,4725,8.716,4726,7.426,4932,10.777]],["body/azure/kubernetes.html",[0,0.111,2,1.011,3,0.767,4,0.966,5,0.582,7,0.75,9,0.211,11,0.16,19,0.625,26,0.246,27,0.432,28,0.34,29,0.087,31,0.324,32,0.137,33,0.258,34,0.171,35,0.211,37,0.813,38,1.688,40,0.298,41,0.152,43,0.156,44,0.156,45,0.459,47,0.126,48,0.075,50,0.828,51,0.336,52,0.289,53,0.18,54,0.346,58,0.851,60,0.348,66,0.279,67,0.266,69,0.289,70,1.193,73,1.486,76,0.454,77,0.473,79,0.246,80,0.341,81,0.565,82,0.75,83,0.177,85,0.31,86,0.135,88,0.049,89,0.047,90,0.633,92,0.489,93,1.329,94,0.312,99,0.625,100,0.565,102,0.075,103,0.128,104,0.147,106,0.489,107,0.267,109,1.252,110,0.214,113,0.359,114,0.708,115,0.418,117,0.493,118,0.539,119,1.15,121,0.266,123,0.449,124,0.873,126,0.058,128,0.704,129,0.543,130,0.419,131,0.437,133,0.109,134,0.335,137,0.359,145,0.534,146,0.488,148,0.159,149,0.383,154,0.401,156,0.185,158,1.401,160,0.275,161,0.275,162,0.265,165,0.451,167,1.201,168,0.788,173,0.308,176,0.547,178,0.576,182,0.461,183,0.576,184,0.359,185,1.802,189,0.335,191,0.802,192,0.316,194,0.411,198,0.411,199,0.689,200,1.241,206,0.547,207,0.683,209,0.341,212,0.184,213,0.749,214,0.591,216,0.832,220,0.831,221,0.324,222,0.562,227,0.16,230,1.601,239,0.482,241,0.545,244,0.58,245,0.517,249,0.295,250,0.712,253,0.461,254,0.534,256,0.787,258,0.489,261,0.609,262,0.378,263,0.416,264,0.405,270,0.751,271,0.306,273,0.225,274,0.249,275,0.754,276,0.454,277,0.441,278,0.473,279,0.211,280,0.38,281,0.459,284,0.788,287,0.489,288,0.142,289,1.323,297,1.252,298,0.787,299,0.566,300,0.63,301,1.125,303,0.249,304,0.43,305,0.664,308,0.565,311,0.341,312,0.408,316,0.526,317,0.517,323,0.385,324,1.186,327,0.625,328,0.552,329,0.377,330,0.377,332,0.517,333,1.256,339,0.304,340,0.459,341,0.409,342,0.986,344,0.203,346,0.057,350,0.832,351,0.139,353,0.132,363,0.634,365,0.359,366,1.323,369,1.014,373,0.871,374,0.434,376,1.141,3
83,2.201,385,0.749,388,1.495,394,0.434,395,0.434,397,0.625,400,0.489,404,1.444,410,0.265,414,0.216,415,0.135,416,0.152,417,0.187,418,0.333,419,0.261,420,0.261,424,0.825,425,0.731,426,0.754,427,1.028,430,0.655,432,1.53,433,0.934,441,0.625,442,0.588,443,1.255,444,0.656,446,0.308,450,1.867,451,0.685,467,1.886,469,2.669,473,0.494,474,2.432,484,0.974,485,0.708,487,0.388,488,0.799,490,1.026,491,1.252,498,0.47,506,1.134,507,1.028,509,2.067,511,0.424,512,0.097,513,0.681,514,0.577,519,0.712,520,1.07,521,0.449,522,0.289,523,0.622,524,0.517,527,0.106,528,1.129,529,0.749,531,0.312,538,0.964,544,0.924,550,0.377,551,0.269,553,2.017,557,1.125,560,0.489,562,0.828,563,0.871,566,0.608,570,0.871,572,0.378,580,0.287,586,1.486,610,1.014,626,0.964,628,0.401,636,0.489,637,0.778,640,0.754,641,1.486,647,0.517,649,0.634,650,1.186,653,0.689,655,0.547,656,0.279,657,0.517,658,1.954,661,0.647,666,1.47,667,2.628,670,0.955,672,0.577,680,1.581,682,0.625,684,1.627,687,0.734,688,0.924,690,1.45,693,0.246,696,0.871,702,0.335,703,1.134,725,0.434,733,1.186,739,1.581,746,0.831,747,1.323,753,1.537,754,1.068,756,0.539,764,0.577,765,0.902,769,0.704,771,0.609,779,1.231,782,0.749,784,1.398,790,1.141,792,0.964,802,1.329,805,1.401,807,0.385,845,0.341,849,1.255,850,0.31,856,1.009,863,0.461,871,2.233,872,0.527,873,0.301,877,0.489,882,1.53,884,1.688,890,1.388,895,0.873,897,0.634,898,1.688,902,1.319,903,0.461,906,0.526,908,1.125,912,1.42,917,0.225,919,0.359,927,2.001,933,1.537,954,0.605,987,1.264,989,0.781,992,0.107,1001,0.799,1002,0.388,1005,1.323,1006,0.38,1009,1.319,1011,0.788,1018,0.362,1020,0.552,1021,1.323,1033,2.244,1036,1.009,1040,1.014,1050,1.186,1055,2.189,1056,0.712,1080,1.112,1092,0.642,1103,0.676,1110,2.636,1112,1.802,1113,1.581,1114,1.581,1116,0.676,1119,0.609,1122,1.526,1123,0.455,1128,2.741,1141,1.45,1145,1.186,1153,1.581,1160,1.581,1164,1.125,1166,0.712,1167,0.537,1168,0.923,1173,1.201,1177,1.025,1181,1.201,1186,0.565,1191,1.186,1213,0.523,1228,1.47,1229,1.811,1230,0.955,1235,0.712,1238,0.951,1239,1
.486,1255,1.025,1264,1.486,1269,0.67,1271,0.787,1273,1.811,1288,0.526,1289,1.398,1315,1.486,1335,1.688,1343,1.068,1346,1.708,1348,0.359,1350,1.149,1352,1.811,1361,0.383,1363,1.323,1392,0.877,1403,1.581,1406,0.676,1423,0.517,1424,1.802,1425,1.125,1473,0.828,1474,0.871,1478,0.828,1484,2.14,1494,1.486,1495,1.401,1496,1.401,1503,0.215,1513,0.712,1523,0.763,1530,0.916,1540,0.964,1543,0.964,1556,1.802,1557,0.996,1559,1.811,1564,0.733,1577,0.974,1606,0.577,1609,2.14,1612,2.001,1613,2.432,1616,0.973,1621,0.745,1633,1.252,1635,1.802,1638,0.704,1639,0.788,1665,0.871,1667,0.94,1676,0.916,1677,0.246,1681,1.014,1685,1.46,1689,1.323,1694,1.011,1696,1.359,1700,1.141,1710,1.125,1711,2.233,1714,1.014,1734,1.811,1757,1.068,1764,1.486,1773,1.486,1784,0.964,1786,1.07,1791,1.252,1794,0.547,1832,0.916,1833,2.628,1854,1.546,1856,0.871,1861,1.802,1864,1.323,1883,1.068,1929,1.954,1931,1.486,1933,0.964,1935,1.486,1938,1.802,1940,2.34,1949,1.024,1950,1.78,1951,1.733,1953,2.112,1956,0.547,1957,0.749,1960,1.125,1965,3.118,1967,1.426,1974,0.805,2006,0.577,2022,2.844,2039,2.201,2060,1.401,2065,1.319,2081,0.577,2082,0.964,2083,0.871,2092,1.688,2096,2.32,2110,0.588,2115,1.241,2163,0.916,2200,1.802,2203,0.871,2212,0.964,2215,1.125,2216,0.877,2223,0.964,2304,1.581,2326,2.125,2332,0.974,2412,1.125,2421,1.486,2444,0.94,2451,2.072,2452,1.252,2454,1.954,2455,1.401,2457,2.125,2458,1.688,2461,1.014,2463,3.657,2468,3.982,2469,3.823,2474,3.982,2475,1.811,2476,0.924,2477,0.964,2479,3.893,2501,5.915,2539,2.525,2541,3.559,2542,3.691,2543,3.441,2544,4.075,2545,4.075,2546,2.908,2547,2.125,2551,2.233,2553,2.628,2555,2.628,2563,1.581,2571,3.344,2573,2.017,2575,1.971,2576,2.567,2577,1.971,2580,1.323,2581,3.691,2585,3.122,2589,1.688,2590,1.53,2592,1.811,2601,5.267,2606,2.125,2623,1.688,2627,2.125,2628,2.017,2630,3.697,2632,1.486,2633,0.964,2645,1.252,2646,1.581,2647,1.954,2648,2.125,2655,2.628,2656,1.549,2659,3.982,2675,1.811,2678,2.589,2679,1.581,2684,1.323,2686,1.223,2687,1.014,2688,2.608,2691,2.432,2693,2.28,2694,
1.623,2700,2.34,2730,1.125,2732,1.688,2733,1.688,2739,1.401,2764,3.095,2803,2.34,2806,2.628,2815,1.898,2828,2.432,2868,1.125,2874,1.401,2962,1.186,2982,1.323,3036,1.78,3039,0.517,3051,1.486,3085,0.916,3113,2.34,3122,0.787,3141,1.609,3143,2.814,3149,1.125,3214,3.405,3218,0.916,3231,2.608,3237,1.401,3336,0.964,3361,1.688,3394,1.581,3407,1.688,3500,1.125,3502,2.364,3537,1.078,3538,1.014,3544,1.014,3567,2.11,3571,1.068,3603,1.886,3609,2.608,3613,2.508,3617,1.688,3670,1.811,3775,2.432,3792,1.954,3815,2.628,3825,1.811,3828,1.134,3833,1.954,3845,1.014,3849,1.279,3850,2.277,3857,1.811,3858,1.252,3859,0.916,3865,2.34,3886,3.061,3887,2.34,3890,1.74,3897,2.125,3898,2.744,3905,1.401,3911,3.905,3914,2.34,3928,3.304,3938,1.811,3943,1.954,3948,3.029,3949,3.223,3950,2.908,3956,3.559,3958,3.344,3971,0.973,3972,1.014,3973,2.277,3975,2.34,3978,1.811,3979,2.34,3987,3.463,3995,3.095,3996,3.223,3997,3.304,4001,3.515,4002,3.118,4003,2.741,4004,1.459,4005,2.077,4008,1.954,4013,4.724,4014,2.34,4018,1.811,4021,1.811,4030,5.52,4032,1.688,4037,1.954,4039,2.14,4041,3.95,4044,2.628,4045,2.628,4049,2.34,4052,2.628,4053,2.628,4055,2.628,4057,2.628,4059,2.628,4060,2.628,4061,2.628,4068,2.125,4070,2.125,4080,2.628,4084,2.628,4092,3.056,4096,3.344,4098,3.37,4099,2.628,4129,2.628,4162,2.628,4169,1.252,4177,2.34,4224,4.853,4226,2.34,4233,2.628,4237,2.628,4244,3.95,4353,2.125,4377,2.34,4379,2.34,4380,2.34,4382,2.34,4383,2.628,4393,2.125,4409,1.954,4428,1.954,4430,1.401,4489,2.628,4493,3.587,4515,2.628,4516,2.125,4519,2.125,4587,1.688,4658,1.401,4694,4.321,4725,4.834,4734,2.277,4739,2.34,4796,2.34,4933,3.065,4934,2.628,4935,3.065,4936,2.34,4937,6.898,4938,2.628,4939,5.173,4940,3.065,4941,2.628,4942,2.277,4943,6.247,4944,5.998,4945,3.065,4946,3.065,4947,2.628,4948,3.065,4949,3.065,4950,3.065,4951,4.414,4952,3.065,4953,3.065,4954,2.628,4955,3.065,4956,3.065,4957,3.065,4958,5.659,4959,2.125,4960,5.659,4961,3.065,4962,3.065,4963,5.173,4964,5.998,4965,4.414,4966,5.173,4967,4.414,4968,4.414,4969,3.785,4970,4.4
14,4971,2.608,4972,4.414,4973,4.414,4974,4.414,4975,4.414,4976,4.414,4977,3.785,4978,3.785,4979,4.414,4980,3.065,4981,3.065,4982,3.065,4983,3.065,4984,3.065,4985,3.065,4986,6.589,4987,3.065,4988,4.414,4989,3.065,4990,3.065,4991,3.065,4992,3.065,4993,3.065,4994,3.065,4995,4.77,4996,4.414,4997,3.95,4998,2.628,4999,1.954,5000,2.34,5001,3.785,5002,2.125,5003,3.065,5004,3.065,5005,3.065,5006,3.065,5007,4.414,5008,4.414,5009,3.065,5010,4.414,5011,5.998,5012,3.065,5013,3.065,5014,3.065,5015,3.065,5016,3.065,5017,3.065,5018,4.414,5019,3.065,5020,3.785,5021,3.065,5022,3.065,5023,3.065,5024,6.247,5025,3.065,5026,3.065,5027,3.065,5028,3.065,5029,2.125,5030,3.065,5031,3.065,5032,2.628,5033,2.628,5034,3.065,5035,3.785,5036,3.785,5037,2.628,5038,2.628,5039,3.065,5040,3.065,5041,3.065,5042,3.065,5043,3.065,5044,3.065,5045,3.065,5046,3.065,5047,3.065,5048,3.065,5049,3.065,5050,4.414,5051,3.065,5052,5.173,5053,3.065,5054,5.173,5055,3.065,5056,3.065,5057,3.785,5058,2.628,5059,3.065,5060,3.065,5061,2.125,5062,3.065,5063,3.785,5064,2.897,5065,4.436,5066,3.065,5067,3.065,5068,2.628,5069,2.628,5070,3.065,5071,3.065,5072,2.34,5073,3.065,5074,2.628,5075,3.065,5076,3.065,5077,3.065,5078,4.414,5079,2.34,5080,3.065,5081,3.065,5082,4.414,5083,3.065,5084,3.065,5085,4.436,5086,2.628,5087,2.628,5088,2.34,5089,1.954,5090,2.34,5091,3.065,5092,2.628,5093,3.37,5094,1.954,5095,3.065,5096,4.436,5097,3.785,5098,2.125,5099,2.628,5100,1.252,5101,3.065,5102,3.065,5103,3.065,5104,3.065,5105,3.065,5106,3.065,5107,3.065,5108,3.065,5109,3.065,5110,3.065,5111,3.065,5112,3.065,5113,5.173,5114,5.173,5115,3.065,5116,2.628,5117,2.628,5118,3.065,5119,3.065,5120,3.065,5121,3.065,5122,3.065,5123,3.065,5124,2.125,5125,3.065,5126,3.065,5127,3.065,5128,3.065,5129,2.34,5130,1.323,5131,4.853,5132,1.954,5133,3.065,5134,2.628,5135,3.065,5136,3.065,5137,3.065,5138,3.065,5139,3.065,5140,3.065,5141,3.065,5142,3.065,5143,3.065,5144,3.065,5145,3.065,5146,5.173,5147,5.173,5148,3.065,5149,3.065,5150,3.065,5151,3.065,5152,3.065,5153
,3.065,5154,3.065]],["title/azure/logging.html",[2,5.954,3,3.898,4,5.902,5,2.763,129,2.288,244,2.599,845,1.665]],["breadcrumb/azure/logging.html",[2,1.895,6,0.178,129,1.029,244,1.169,845,0.749]],["description/azure/logging.html",[2,2.288,3,2.117,129,1.243,160,0.742,162,0.636,244,2.4,410,0.636,487,1.072,693,1.967,845,0.904,885,3.169,1055,6.875,1164,6.521,2694,3.919,2868,6.521,3401,4.567,4005,6.521,4731,13.57,5155,15.238]],["body/azure/logging.html",[0,0.116,2,1.011,3,0.885,4,0.572,5,0.442,7,0.655,9,0.273,10,1.28,11,0.139,13,0.367,16,0.343,26,0.42,27,0.485,28,0.488,29,0.189,32,0.076,33,0.251,34,0.181,35,0.25,40,0.131,41,0.139,43,0.145,44,0.156,45,0.23,47,0.076,48,0.083,51,0.316,52,0.713,53,0.182,54,0.433,55,0.847,56,0.343,58,0.91,60,0.349,61,1.216,62,0.456,64,1.353,65,0.423,66,0.35,67,0.262,68,0.561,69,0.494,76,0.252,77,0.23,78,1.353,79,0.36,80,0.345,81,0.572,82,0.561,83,0.182,84,1.269,85,0.305,86,0.113,87,0.845,88,0.043,89,0.048,90,0.597,91,0.691,92,0.5,93,0.805,94,0.533,95,2.912,96,0.728,97,0.529,98,0.392,99,1.045,100,0.49,101,1.041,102,0.078,103,0.131,104,0.216,106,0.715,107,0.549,109,1.28,110,0.366,112,0.59,113,0.669,114,0.561,115,0.332,116,0.112,119,1.182,121,0.189,123,0.421,124,0.529,126,0.089,129,0.539,130,0.472,131,0.472,133,0.121,134,0.572,135,0.675,136,0.985,138,0.728,139,0.691,140,0.533,141,0.989,142,1.566,143,0.444,144,0.847,145,0.594,146,0.296,148,0.177,149,0.392,150,0.708,151,0.934,152,0.757,153,0.343,154,0.404,156,0.271,157,1.998,160,0.318,161,0.306,162,0.265,165,0.273,169,1.566,170,0.805,173,0.327,182,0.475,183,0.616,184,0.367,187,0.418,191,0.742,192,0.31,193,0.613,194,0.411,197,1.28,198,0.426,199,0.418,200,0.623,201,0.985,203,1.153,204,1.726,206,0.934,207,0.456,209,0.271,212,0.297,213,1.096,214,0.459,216,0.762,218,0.545,219,0.561,221,0.462,222,0.551,227,0.076,230,1.041,232,0.623,233,0.675,234,0.59,235,1.353,236,1.432,241,0.621,244,0.616,245,0.367,246,1.346,247,0.939,249,0.433,251,1.021,254,0.612,256,0.559,259,1.991,260,1.902,262,0.443,263,0.487,265,0.
572,270,0.751,271,0.283,273,0.23,274,0.161,275,0.806,276,0.252,277,0.476,278,0.509,279,0.214,280,0.42,281,0.42,282,0.533,288,0.213,290,1.037,292,0.457,293,0.866,294,0.947,296,1.353,298,0.559,300,0.637,303,0.237,304,0.382,305,0.626,306,1.936,311,0.271,312,0.598,313,0.529,316,0.319,317,0.965,318,1.097,319,0.559,323,0.499,326,0.691,329,0.345,330,0.345,333,0.939,335,0.891,339,0.306,340,0.487,341,0.398,342,0.954,343,0.86,344,0.187,346,0.124,348,1.726,350,0.762,351,0.121,353,0.194,360,0.623,363,0.626,366,1.936,373,1.489,374,0.635,384,0.757,388,1.405,394,0.444,395,0.444,397,0.635,400,0.964,404,1.197,410,0.273,411,0.616,412,0.533,413,0.533,414,0.171,415,0.107,416,0.139,417,0.157,418,0.301,419,0.219,420,0.219,425,0.367,426,0.418,430,0.582,431,0.891,432,0.847,446,0.34,450,1.566,451,0.689,467,1.647,471,1.432,472,1.212,475,0.805,482,1.405,484,0.986,485,0.392,487,0.445,488,0.698,491,1.28,496,0.708,498,0.421,499,2.139,500,1.097,501,0.444,504,0.598,506,0.805,508,1.52,509,2.002,511,0.41,512,0.094,513,0.683,516,0.623,519,0.728,520,1.221,521,0.319,522,0.612,523,0.612,524,1.021,527,0.059,528,0.986,531,0.582,532,1.041,539,0.533,542,0.985,547,0.675,550,0.365,551,0.307,552,1.489,553,3.199,556,1.212,557,1.15,558,1.881,563,0.891,564,0.176,565,0.656,566,0.594,570,0.891,571,1.936,572,0.451,580,0.327,588,2.471,591,3.644,596,1.397,610,1.484,626,1.798,628,0.209,630,0.788,631,0.989,634,0.565,636,0.5,637,0.675,639,1.998,649,0.296,655,1.079,656,0.242,657,0.42,659,0.5,660,1.488,661,0.561,662,1.701,666,1.275,670,0.884,671,1.212,673,0.845,678,2.173,682,0.742,684,0.985,685,0.939,686,0.532,687,0.697,688,0.939,690,1.461,692,2.393,693,0.605,702,0.343,713,1.416,715,2.468,744,0.656,745,0.691,746,0.59,747,1.155,756,0.532,759,2.934,760,0.805,765,1.003,767,1.212,768,1.346,771,0.623,774,1.52,779,0.5,781,3.11,784,1.416,790,0.989,791,1.34,793,1.979,799,1.341,802,0.805,807,0.565,808,1.469,813,1.353,845,0.343,849,1.275,850,0.131,856,0.559,872,0.553,873,0.239,877,0.5,880,1.726,882,1.701,885,1.02,891,0.891,895,1.062
,899,1.091,909,1.182,912,1.155,913,1.037,917,0.385,919,0.669,920,0.766,928,0.456,932,1.092,933,1.092,954,0.669,987,1.096,989,0.392,1000,2.139,1001,0.418,1002,0.189,1006,0.23,1009,0.937,1036,0.934,1041,1.617,1049,0.805,1055,2.026,1080,1.093,1103,0.989,1116,0.691,1119,0.623,1123,0.428,1124,0.937,1125,1.353,1126,1.15,1128,3.083,1143,1.562,1146,0.766,1148,1.432,1155,1.353,1156,1.881,1159,1.562,1164,2.794,1165,0.892,1166,1.041,1167,0.546,1168,1.156,1173,1.216,1177,0.675,1181,1.767,1182,1.936,1186,0.572,1200,0.937,1203,0.891,1213,0.549,1230,0.884,1240,1.998,1252,0.766,1253,0.891,1255,0.728,1257,1.432,1261,0.937,1271,0.559,1274,1.037,1281,1.851,1283,0.805,1334,0.367,1336,1.735,1343,1.991,1346,1.212,1348,0.525,1349,2.65,1350,1.021,1361,0.787,1363,1.353,1373,0.985,1375,0.728,1378,1.617,1386,2.071,1389,1.936,1392,0.623,1425,2.098,1437,0.989,1445,0.691,1447,2.335,1503,0.179,1509,1.851,1518,0.891,1523,0.319,1543,0.985,1557,1.176,1560,1.092,1564,0.81,1577,0.59,1609,2.54,1612,2.026,1616,0.989,1619,0.989,1622,1.28,1626,0.985,1639,1.153,1666,1.212,1676,0.937,1677,0.459,1678,1.562,1680,1.275,1681,2.082,1683,0.728,1696,1.139,1699,1.341,1701,1.617,1709,0.985,1714,1.037,1765,1.432,1769,3.15,1773,2.175,1781,1.617,1787,0.891,1792,0.845,1793,1.484,1794,1.079,1796,1.037,1832,1.981,1853,1.432,1854,2.111,1856,1.842,1864,2.261,1866,0.561,1869,1.936,1870,1.726,1881,1.52,1883,2.35,1885,1.212,1886,0.891,1922,1.432,1925,1.851,1929,1.998,1930,2.314,1938,1.28,1943,3.999,1962,1.15,1965,1.726,1966,1.15,1967,1.318,2017,1.041,2026,1.635,2028,0.471,2029,2.192,2039,2.542,2048,1.726,2057,1.635,2060,1.432,2066,1.15,2079,2.65,2081,1.305,2082,1.41,2083,1.789,2092,1.726,2096,2.853,2104,1.155,2109,1.096,2110,0.839,2111,2.107,2115,0.986,2122,1.735,2127,1.092,2128,1.998,2141,1.092,2156,2.471,2162,2.859,2163,0.937,2200,2.139,2201,2.175,2212,0.985,2220,1.15,2225,1.52,2233,1.353,2249,1.28,2252,2.471,2326,2.173,2332,0.845,2337,1.831,2338,1.28,2341,2.173,2400,2.885,2418,0.937,2423,2.859,2434,1.979,2444,0.788,2461,2.0
02,2467,0.728,2476,1.197,2560,2.393,2563,2.702,2576,1.733,2583,1.037,2590,1.416,2626,2.173,2633,0.985,2645,1.28,2656,1.388,2677,1.353,2678,3.021,2686,1.093,2688,1.851,2693,0.985,2694,1.698,2700,2.393,2701,2.314,2704,1.851,2730,1.15,2739,1.432,2745,2.471,2749,2.687,2860,3.632,2868,2.668,2869,2.175,2870,1.617,2874,1.432,2875,1.41,2885,1.998,2889,1.998,2946,2.393,2947,2.173,2958,3.339,2976,1.353,2983,1.617,2986,1.432,3009,1.998,3014,2.173,3034,1.52,3051,1.52,3085,1.341,3086,2.393,3116,1.851,3119,2.314,3122,0.934,3141,1.275,3149,1.15,3214,3.227,3218,0.937,3231,3.378,3243,2.468,3244,1.726,3303,1.998,3304,1.092,3310,1.52,3314,1.212,3394,1.617,3401,1.346,3428,3.632,3538,1.733,3539,1.28,3555,0.847,3567,1.41,3620,3.339,3674,1.851,3765,2.687,3792,1.998,3818,4.365,3823,1.726,3845,1.037,3848,3.166,3849,1.444,3852,1.851,3854,1.28,3857,1.851,3860,1.851,3861,0.891,3862,0.985,3886,4.364,3890,2.07,3892,2.687,3894,2.173,3902,1.831,3903,1.726,3910,3.15,3911,3.15,3912,3.632,3925,3.15,3926,3.15,3928,1.726,3938,3.094,3939,3.632,3941,3.632,3942,4.494,3943,3.339,3948,2.772,3949,2.702,3950,2.175,3956,2.95,3957,3.846,3959,2.687,3964,2.687,3966,2.687,3971,0.989,3972,1.037,3973,1.617,3987,3.575,3988,2.687,3992,3.999,3995,2.702,3996,3.42,3997,2.471,4001,3.247,4002,3.333,4003,2.876,4004,1.534,4005,2.668,4008,3.339,4013,3.11,4043,1.851,4079,2.687,4092,1.851,4105,1.478,4114,3.094,4121,4.012,4154,2.173,4159,1.851,4171,1.831,4181,3.11,4185,3.424,4256,1.617,4303,1.726,4361,2.885,4362,1.998,4391,4.902,4393,3.11,4395,3.846,4397,2.859,4399,5.941,4401,5.557,4402,3.846,4408,4.491,4409,1.998,4410,2.687,4411,2.687,4412,2.687,4413,2.687,4415,5.187,4417,1.726,4448,1.998,4456,2.687,4464,2.687,4514,2.05,4516,2.173,4517,2.687,4587,1.726,4594,3.424,4640,3.846,4686,2.173,4691,1.617,4694,2.393,4728,1.824,4729,1.617,4733,4.364,4734,1.617,4782,2.65,4792,1.617,4794,2.175,4803,2.393,4857,2.687,4868,1.28,4871,2.393,4930,1.998,5001,2.687,5002,3.11,5058,2.687,5068,2.687,5069,2.687,5072,2.393,5074,3.846,5079,3.999,5087,3.8
46,5088,3.424,5089,2.859,5092,2.687,5134,2.687,5156,3.134,5157,4.485,5158,3.134,5159,3.134,5160,3.999,5161,5.238,5162,3.771,5163,1.851,5164,4.485,5165,3.134,5166,2.859,5167,2.687,5168,3.644,5169,3.134,5170,2.393,5171,4.485,5172,2.687,5173,2.173,5174,3.134,5175,5.717,5176,6.05,5177,5.717,5178,3.134,5179,3.134,5180,3.134,5181,2.859,5182,1.432,5183,4.485,5184,4.485,5185,3.134,5186,3.134,5187,3.134,5188,4.485,5189,3.134,5190,3.134,5191,3.134,5192,3.134,5193,3.134,5194,3.134,5195,3.134,5196,3.134,5197,3.134,5198,1.851,5199,2.393,5200,3.134,5201,3.134,5202,3.134,5203,2.687,5204,2.687,5205,4.485,5206,3.134,5207,4.485,5208,3.134,5209,3.134,5210,3.134,5211,3.134,5212,3.134,5213,3.134,5214,2.687,5215,3.134,5216,3.134,5217,3.134,5218,4.485,5219,3.134,5220,2.393,5221,3.134,5222,3.134,5223,3.134,5224,3.134,5225,2.687,5226,3.134,5227,3.134,5228,2.393,5229,3.134,5230,5.238,5231,5.238,5232,5.238,5233,4.485,5234,3.134,5235,3.134,5236,3.846,5237,2.393,5238,2.393,5239,4.485,5240,3.134,5241,5.238,5242,3.134,5243,3.134,5244,3.134,5245,4.485,5246,3.134,5247,3.134,5248,3.134,5249,3.134,5250,3.134,5251,3.134,5252,3.134,5253,3.134,5254,3.134,5255,3.134,5256,3.134,5257,3.134,5258,3.134,5259,3.134,5260,3.134,5261,3.134,5262,2.687,5263,4.485,5264,5.238,5265,3.134,5266,3.644,5267,3.134,5268,3.134,5269,3.134,5270,3.134,5271,3.134,5272,3.134,5273,4.485,5274,3.134,5275,3.134,5276,3.134,5277,3.134,5278,2.859,5279,3.134,5280,3.134,5281,3.134,5282,4.485,5283,3.134,5284,3.846,5285,3.134,5286,2.393,5287,2.687,5288,2.687,5289,3.134,5290,3.134,5291,3.134,5292,3.134,5293,5.238,5294,3.134,5295,3.134,5296,3.134,5297,3.134,5298,3.134,5299,3.134,5300,3.134,5301,3.134,5302,3.134,5303,3.11,5304,3.134,5305,3.134,5306,3.134,5307,3.134,5308,3.134,5309,3.134,5310,3.134,5311,3.134,5312,5.238,5313,3.134,5314,3.134,5315,3.134,5316,3.134,5317,3.134,5318,3.134,5319,3.134,5320,3.134,5321,4.485,5322,4.485,5323,4.485,5324,4.485,5325,3.134,5326,2.95,5327,3.134,5328,3.134,5329,3.134,5330,3.134,5331,5.238,5332,2.314,5333,3.13
4,5334,5.238,5335,3.134,5336,2.687,5337,2.687,5338,3.134,5339,3.134,5340,3.134,5341,3.134,5342,2.687,5343,3.134,5344,3.134,5345,4.902,5346,5.238,5347,4.485,5348,4.485,5349,3.424,5350,4.485,5351,3.134,5352,3.134,5353,3.134]],["title/azure/network.html",[2,4.693,3,4.342,4,6.362,5,3.077,115,2.312,129,2.549]],["breadcrumb/azure/network.html",[6,0.224,115,1.175,129,1.296]],["description/azure/network.html",[4,2.352,29,0.525,67,0.656,115,1.169,129,1.757,144,4.983,153,2.015,527,0.345,850,0.769,882,4.983,889,3.288,1167,1.354,2012,7.132,2015,10.155,3218,5.511,3401,4.738,3691,8.939,3858,7.528,3898,8.939,4724,9.512]],["body/azure/network.html",[0,0.118,2,1.011,3,0.533,4,0.571,7,0.755,9,0.25,11,0.153,16,0.571,19,1.007,26,0.42,27,0.512,28,0.473,29,0.163,32,0.185,33,0.272,34,0.176,35,0.214,40,0.187,41,0.178,43,0.141,44,0.153,47,0.161,48,0.093,50,1.209,51,0.337,52,0.676,53,0.181,54,0.463,55,0.844,56,0.341,60,0.334,61,1.214,62,0.674,64,1.348,65,0.295,66,0.326,67,0.255,68,0.755,69,0.594,73,1.515,76,0.251,77,0.229,78,1.348,79,0.251,80,0.391,81,0.624,82,0.828,83,0.176,84,1.202,85,0.306,86,0.113,87,0.588,88,0.047,89,0.049,90,0.456,91,0.689,92,0.498,93,0.803,94,0.318,95,2.256,96,0.725,97,0.527,98,0.391,99,0.443,100,0.341,101,0.725,102,0.083,103,0.13,104,0.274,107,0.39,110,0.422,111,0.489,112,0.588,113,0.668,114,0.391,115,0.488,116,0.112,117,0.329,118,0.505,119,1.115,120,1.033,121,0.365,122,0.689,123,0.463,124,0.755,125,0.844,126,0.083,127,0.559,128,0.833,129,0.54,130,0.493,131,0.493,132,0.803,133,0.107,134,0.489,135,0.47,137,0.366,138,0.725,139,0.689,141,1.259,142,1.707,143,0.634,144,1.956,146,0.494,148,0.141,149,0.391,150,0.571,151,0.557,152,0.755,153,0.624,154,0.404,156,0.315,158,1.427,160,0.289,161,0.299,162,0.254,165,0.498,169,0.934,170,1.344,171,1.48,173,0.334,176,0.608,178,0.581,182,0.404,183,0.318,184,0.366,185,1.827,187,0.416,188,0.416,190,3.034,191,0.856,192,0.317,193,0.612,194,0.414,197,1.827,198,0.344,200,1.499,201,1.795,203,1.78,205,1.088,206,0.798,207,0.581,209,0.315,211,0.
937,212,0.252,213,0.763,214,0.556,216,0.805,217,1.515,218,0.536,219,0.391,220,0.984,221,0.419,222,0.444,225,1.277,232,0.62,233,0.673,234,0.588,241,0.549,242,1.209,244,0.526,245,0.524,246,1.344,251,0.882,254,0.494,256,0.798,258,0.963,259,1.088,260,1.407,262,0.493,263,0.444,264,0.379,265,0.341,270,0.581,273,0.384,274,0.112,276,0.251,277,0.518,278,0.529,279,0.273,280,0.419,281,0.444,282,0.581,285,1.731,289,1.348,291,1.275,292,0.39,293,0.391,294,0.859,298,1.121,299,0.422,300,0.656,301,2.095,302,2.095,303,0.258,304,0.382,305,0.625,306,1.348,308,0.341,311,0.27,312,0.697,313,0.963,316,0.455,317,0.527,318,0.937,319,0.932,323,0.498,326,0.987,327,0.809,328,0.391,329,0.365,330,0.365,331,1.731,332,0.527,333,1.195,335,0.62,336,1.845,339,0.297,340,0.487,341,0.406,342,0.968,343,0.859,344,0.216,346,0.098,350,0.761,351,0.128,353,0.181,363,0.295,373,0.888,374,0.741,384,0.755,388,1.503,394,0.634,395,0.634,397,0.741,404,1.432,410,0.266,411,0.581,412,0.581,413,0.581,414,0.171,415,0.107,416,0.139,417,0.171,418,0.317,419,0.238,420,0.238,424,0.713,426,0.416,427,1.2,430,0.64,432,1.209,433,0.955,435,1.931,438,1.15,439,1.088,441,0.981,443,1.486,444,0.341,446,0.214,450,1.707,451,0.68,459,0.882,467,1.795,472,1.208,473,0.456,482,1.039,485,0.828,487,0.344,488,0.761,490,0.498,496,0.524,497,1.348,498,0.404,499,2.753,501,0.955,504,0.805,507,1.249,508,1.515,509,2.191,511,0.387,512,0.059,513,0.637,519,0.725,520,0.557,521,0.318,523,0.539,524,0.755,527,0.142,528,1.075,531,0.532,532,1.214,539,0.532,542,0.982,543,0.713,544,0.937,550,0.344,551,0.281,552,1.623,557,1.146,560,0.498,563,0.888,566,0.295,571,2.256,572,0.299,577,1.515,580,0.327,592,1.515,628,0.209,630,0.786,631,0.689,634,0.39,636,0.713,640,0.805,641,1.515,647,1.18,649,0.539,653,0.416,655,0.798,656,0.169,657,0.359,660,1.259,661,0.391,662,0.844,670,1.019,673,0.588,675,1.208,682,0.938,686,0.522,687,0.736,690,1.214,693,0.251,694,1.033,708,0.963,711,1.845,715,2.256,738,1.403,744,1.432,746,1.219,747,1.333,754,1.088,756,0.52,758,1.15,764,0.588,765,0.498
,771,1.039,782,1.536,783,0.843,784,1.209,791,0.62,794,0.934,798,1.845,799,1.338,805,1.427,807,0.527,808,1.883,813,2.608,816,0.62,845,0.159,849,0.888,850,0.319,855,2.535,856,1.078,872,0.465,873,0.218,877,1.104,881,1.721,882,1.891,885,0.932,887,2.91,888,1.486,889,1.121,890,1.977,895,0.755,897,0.637,903,0.47,908,1.146,909,1.078,912,1.259,914,1.48,919,0.668,920,0.763,922,1.275,926,1.515,928,0.318,933,1.821,954,0.736,990,1.095,992,0.076,1001,0.761,1006,0.476,1011,1.344,1018,0.188,1025,1.845,1034,2.236,1036,0.798,1046,1.15,1051,1.612,1052,0.982,1080,1.214,1119,0.62,1123,0.442,1125,1.348,1128,3.026,1143,1.821,1145,1.208,1148,1.427,1159,1.088,1160,1.612,1164,1.642,1166,0.725,1167,0.419,1168,1.018,1177,0.47,1181,1.039,1182,1.348,1186,0.341,1200,0.934,1213,0.527,1230,0.527,1235,0.725,1251,1.033,1259,1.208,1269,0.455,1270,0.982,1276,1.338,1278,0.934,1294,0.455,1333,1.002,1334,0.366,1335,1.721,1348,0.366,1350,0.527,1353,2.166,1360,1.088,1361,0.654,1386,0.934,1406,0.987,1423,0.755,1424,1.275,1433,1.642,1435,2.309,1436,2.535,1444,1.48,1463,1.931,1473,2.013,1474,1.623,1478,1.75,1479,2.704,1484,2.17,1503,0.172,1507,1.845,1518,0.888,1520,1.845,1523,0.455,1528,1.208,1539,0.62,1543,0.982,1550,1.879,1557,1.075,1560,1.821,1564,0.443,1609,2.768,1612,2.208,1619,0.689,1621,0.755,1625,1.146,1638,0.498,1665,0.888,1667,1.093,1669,1.15,1677,0.485,1689,1.348,1690,0.934,1696,0.843,1699,0.934,1700,0.689,1773,2.768,1777,1.275,1778,2.166,1786,0.798,1791,1.275,1792,0.588,1796,1.033,1832,0.934,1853,2.045,1854,1.338,1866,0.559,1869,1.348,1870,2.88,1871,1.612,1872,1.991,1876,0.888,1883,1.088,1892,1.558,1924,2.166,1931,1.515,1933,0.982,1956,0.557,1957,0.763,1967,1.534,1974,0.391,2006,0.588,2012,2.706,2017,1.537,2029,1.088,2039,2.589,2057,1.699,2081,0.588,2093,1.515,2100,2.256,2109,1.093,2110,0.416,2115,0.984,2122,1.208,2200,1.827,2201,2.17,2208,1.845,2214,1.845,2215,1.146,2216,1.134,2222,2.385,2224,1.208,2225,1.515,2229,2.535,2249,1.275,2265,1.146,2321,1.721,2331,2.17,2413,1.208,2429,1.275,2435,1.991,24
44,0.859,2455,1.427,2470,1.991,2475,1.845,2476,1.095,2477,0.982,2478,1.612,2551,2.256,2582,1.721,2583,1.033,2589,1.721,2590,1.209,2621,1.515,2629,1.427,2633,1.795,2656,1.552,2657,2.309,2665,1.515,2678,2.858,2686,1.137,2693,1.644,2694,0.689,2764,1.612,2815,1.642,2832,2.166,2833,1.721,2854,2.567,2864,1.612,2874,1.427,2878,1.991,2976,1.348,3019,2.535,3034,2.17,3036,2.25,3039,0.527,3085,0.934,3089,1.845,3123,1.721,3124,1.721,3144,1.931,3149,1.146,3210,4.127,3211,2.166,3213,2.678,3214,3.322,3215,1.612,3218,2.07,3221,0.888,3223,2.166,3224,1.991,3225,3.639,3226,3.103,3227,3.103,3229,3.103,3230,2.385,3232,3.089,3243,1.931,3244,1.721,3256,2.465,3264,3.416,3271,2.166,3272,3.959,3291,2.331,3292,3.573,3293,3.089,3294,3.912,3295,3.625,3296,3.625,3299,3.103,3300,3.089,3301,3.103,3302,3.625,3303,1.991,3304,1.088,3306,1.515,3309,2.166,3310,1.515,3311,1.612,3312,1.721,3313,1.275,3314,1.208,3320,1.845,3336,0.982,3361,1.721,3362,2.385,3363,2.385,3364,2.385,3365,1.845,3366,1.845,3367,2.166,3372,3.837,3373,3.837,3375,3.625,3391,1.845,3399,2.713,3401,1.937,3431,3.416,3441,3.103,3459,1.845,3465,0.689,3503,1.348,3506,1.991,3531,2.385,3537,0.763,3538,1.033,3539,1.275,3556,1.721,3571,1.088,3574,2.385,3599,2.166,3606,0.763,3691,3.317,3833,1.991,3848,3.27,3849,1.359,3850,1.612,3852,1.845,3853,1.991,3854,2.331,3858,2.467,3859,0.934,3860,1.845,3861,0.888,3862,0.982,3865,3.416,3868,4.39,3872,2.678,3873,2.678,3875,3.332,3878,2.385,3887,2.385,3890,1.98,3894,2.166,3895,2.166,3896,2.678,3897,3.103,3898,3.708,3900,2.678,3902,1.275,3905,1.427,3906,2.678,3908,2.166,3910,3.145,3911,3.815,3912,4.991,3913,5.678,3914,3.416,3916,3.103,3917,3.912,3918,2.678,3919,2.678,3920,3.992,3921,3.103,3925,3.145,3926,3.145,3927,2.385,3928,3.714,3929,3.837,3930,3.837,3931,2.385,3932,2.385,3933,2.678,3934,2.678,3935,2.678,3936,2.678,3937,2.678,3939,3.103,3941,3.103,3942,3.625,3943,2.852,3948,2.768,3949,2.945,3950,2.768,3951,2.385,3956,3.53,3958,3.089,3965,2.852,3971,1.259,3972,1.48,3973,2.309,3978,1.845,3987,3.692,3992,2.3
85,3994,1.845,3995,2.945,3996,3.117,3997,3.145,4001,3.417,4002,3.328,4003,2.609,4004,1.387,4005,2.095,4006,3.089,4013,2.166,4041,4.614,4074,2.678,4088,2.678,4089,2.678,4091,2.678,4096,2.644,4097,2.678,4105,1.093,4121,3.332,4154,3.103,4159,1.845,4171,1.827,4185,2.385,4226,2.385,4229,2.385,4244,2.385,4248,2.678,4281,1.146,4337,2.166,4343,2.678,4346,2.385,4348,2.678,4350,2.678,4351,2.678,4353,2.166,4354,4.298,4355,2.678,4356,2.678,4357,2.678,4358,4.359,4359,2.678,4360,2.678,4385,3.103,4436,1.827,4499,2.678,4587,1.721,4658,2.045,4724,2.697,4779,2.678,4821,2.678,4825,3.837,4826,3.103,4827,2.678,4828,3.837,4947,2.678,4959,4.36,5033,2.678,5035,2.678,5036,2.678,5037,2.678,5038,2.678,5100,1.827,5116,2.678,5117,3.837,5173,3.959,5199,2.385,5214,2.678,5236,3.837,5238,2.385,5278,1.991,5286,2.385,5326,1.612,5336,2.678,5354,2.678,5355,4.36,5356,1.827,5357,3.332,5358,3.837,5359,3.124,5360,3.124,5361,2.678,5362,1.991,5363,1.991,5364,2.385,5365,2.678,5366,4.19,5367,2.678,5368,3.124,5369,3.124,5370,2.678,5371,2.678,5372,3.124,5373,5.551,5374,4.483,5375,3.124,5376,3.124,5377,3.124,5378,3.124,5379,2.385,5380,4.474,5381,3.124,5382,5.228,5383,2.678,5384,3.124,5385,3.124,5386,3.124,5387,4.474,5388,4.474,5389,3.124,5390,4.474,5391,2.678,5392,4.474,5393,3.124,5394,3.124,5395,3.124,5396,3.124,5397,2.166,5398,1.845,5399,3.124,5400,3.124,5401,2.385,5402,2.644,5403,2.678,5404,2.678,5405,2.678,5406,5.551,5407,3.124,5408,3.124,5409,4.474,5410,2.678,5411,3.124,5412,3.124,5413,4.474,5414,2.678,5415,4.474,5416,4.474,5417,3.416,5418,3.124,5419,3.124,5420,3.124,5421,3.124,5422,3.124,5423,3.124,5424,3.124,5425,2.385,5426,3.124,5427,3.124,5428,4.474,5429,3.124,5430,4.474,5431,5.709,5432,5.709,5433,5.181,5434,4.474,5435,3.124,5436,3.124,5437,4.474,5438,4.474,5439,4.474,5440,3.837,5441,3.124,5442,4.474,5443,3.124,5444,3.124,5445,3.124,5446,3.124,5447,2.166,5448,3.124,5449,2.166,5450,2.385,5451,3.124,5452,3.124,5453,3.124,5454,4.474,5455,4.474,5456,4.474,5457,4.474,5458,4.474,5459,4.474,5460,4.474,5461,3.41
6,5462,3.124,5463,3.124,5464,3.124,5465,4.474,5466,4.474,5467,4.474,5468,3.124,5469,3.124,5470,3.124,5471,3.124,5472,3.124,5473,3.124,5474,2.385,5475,2.678,5476,3.124,5477,1.991,5478,3.124,5479,3.124,5480,4.474,5481,5.709,5482,4.474,5483,2.678,5484,4.474,5485,3.124,5486,3.124,5487,3.124,5488,3.124,5489,3.124,5490,3.124,5491,3.124,5492,3.124,5493,3.124,5494,3.124,5495,3.124,5496,3.124,5497,3.124,5498,3.837,5499,3.124,5500,3.124,5501,4.474,5502,4.474,5503,3.124,5504,3.124,5505,3.124,5506,3.124,5507,3.124,5508,2.678,5509,2.166,5510,3.124]],["title/azure/workloads.html",[2,4.693,3,4.342,4,6.362,5,3.077,129,2.549,1123,2.227]],["breadcrumb/azure/workloads.html",[6,0.224,129,1.296,1123,1.132]],["description/azure/workloads.html",[2,3.355,4,1.982,53,0.55,129,1.086,249,1.038,512,0.205,520,2.77,694,5.14,702,1.698,918,2.201,1123,1.362,1269,1.581,1279,2.925,1294,1.581,1503,0.635,1557,2.476,2054,8.015,2576,5.14,2694,4.915,3336,4.885,4105,3.795,4429,9.902,4971,9.178,5002,10.772,5511,13.321]],["body/azure/workloads.html",[0,0.119,2,1.012,3,0.82,4,0.896,7,0.748,9,0.286,11,0.151,13,0.356,14,0.287,15,2.109,16,0.563,17,0.7,19,0.799,23,0.909,25,1.06,26,0.453,27,0.529,28,0.37,29,0.147,31,0.224,32,0.169,33,0.268,34,0.107,35,0.21,40,0.215,41,0.163,43,0.133,44,0.154,45,0.323,47,0.107,48,0.09,49,0.909,50,0.822,51,0.314,53,0.186,54,0.439,55,0.822,56,0.332,58,0.458,60,0.27,61,1.196,62,0.524,64,1.313,65,0.287,66,0.305,67,0.267,68,0.644,69,0.606,70,0.822,71,1.06,76,0.453,77,0.378,79,0.352,80,0.311,81,0.563,82,0.549,83,0.173,84,1.066,85,0.297,86,0.105,87,0.573,88,0.046,89,0.053,90,0.449,91,0.671,92,0.485,93,0.782,94,0.31,95,1.895,96,1.309,97,0.513,98,0.38,99,0.431,100,0.563,101,0.706,102,0.079,103,0.183,104,0.146,107,0.265,110,0.418,111,0.654,113,0.796,114,0.549,115,0.425,116,0.157,117,0.439,118,0.48,119,1.024,121,0.34,123,0.46,124,0.869,125,0.822,126,0.068,127,0.549,128,0.7,129,0.54,130,0.476,131,0.476,132,1.537,133,0.103,134,0.48,135,0.458,137,0.356,138,0.706,139,0.671,140,0.31,141,1.319,142,1
.686,143,0.431,144,1.616,145,0.414,146,0.565,148,0.154,149,0.549,150,0.332,151,0.543,152,0.513,153,0.332,154,0.377,156,0.34,158,1.39,160,0.284,161,0.297,162,0.263,165,0.383,168,0.782,170,1.324,171,1.006,173,0.286,176,0.538,178,0.574,182,0.465,183,0.574,184,0.603,187,0.405,189,0.563,190,2.103,191,0.799,192,0.314,193,0.784,194,0.4,198,0.388,200,1.188,203,1.128,207,0.524,212,0.183,214,0.516,216,0.751,218,0.52,220,1.126,221,0.472,222,0.554,223,0.751,225,0.743,227,0.074,228,2.109,230,0.706,232,1.188,233,0.937,234,0.573,238,1.242,239,0.48,241,0.492,244,0.54,245,0.66,246,1.128,249,0.448,251,0.513,252,0.453,253,0.66,254,0.565,256,1.006,258,1.024,259,1.06,262,0.484,263,0.224,264,0.265,270,0.75,271,0.305,273,0.458,274,0.202,276,0.244,277,0.511,278,0.52,279,0.286,281,0.378,282,0.524,284,0.782,287,0.485,291,1.242,292,0.383,293,0.644,298,1.066,299,0.486,300,0.613,303,0.251,304,0.377,305,0.588,306,2.581,307,1.676,308,0.48,311,0.184,312,0.751,313,0.741,316,0.574,317,0.741,319,0.783,321,2.498,322,0.706,327,0.431,329,0.311,330,0.311,332,0.869,333,1.078,335,0.872,339,0.284,340,0.458,341,0.398,342,0.936,343,0.775,344,0.251,346,0.082,350,0.686,351,0.125,353,0.154,360,0.604,363,0.606,365,0.784,369,1.006,374,0.431,376,0.671,384,0.513,388,1.491,394,0.431,395,0.431,397,0.622,404,1.442,410,0.27,411,0.524,412,0.524,413,0.524,414,0.154,415,0.096,416,0.125,417,0.154,418,0.298,419,0.215,420,0.215,424,0.821,425,0.603,426,0.405,427,0.604,430,0.609,432,1.187,433,0.949,441,0.883,443,0.865,444,0.761,446,0.246,450,1.54,451,0.65,467,1.62,468,0.543,473,0.574,475,1.128,480,0.822,481,1.698,485,0.705,487,0.311,488,0.686,490,0.485,491,2.442,496,0.7,497,1.313,498,0.429,500,0.637,501,0.932,504,0.686,509,1.704,511,0.349,512,0.099,513,0.532,514,0.573,516,0.872,519,1.388,520,1.262,521,0.31,522,0.486,523,0.642,524,0.513,527,0.12,528,0.97,530,1.116,532,0.706,537,1.475,542,0.957,550,0.34,551,0.274,554,0.957,560,0.485,564,0.171,568,1.704,570,0.865,571,1.313,572,0.4,580,0.314,596,1.378,624,1.313,626,0.957,628,0.293,
629,0.405,630,0.458,631,1.319,634,0.383,636,0.7,637,0.458,647,0.869,649,0.287,650,1.698,652,2.418,655,0.543,656,0.367,657,0.559,660,0.671,661,0.38,662,0.822,670,0.952,673,0.97,681,2.223,682,0.73,686,0.483,687,0.701,690,1.388,693,0.453,694,2.458,702,0.616,708,0.741,713,0.822,715,2.223,717,0.449,725,0.622,736,0.957,738,1.196,744,0.919,746,0.827,747,0.671,753,1.06,754,1.06,756,0.559,758,0.782,760,0.782,764,0.97,765,1.024,767,1.698,768,0.782,769,0.485,771,1.023,773,1.177,779,0.993,782,1.522,783,0.827,784,0.822,787,1.797,790,0.671,794,1.312,802,1.69,803,1.313,808,1.449,812,2.109,815,2.798,816,0.604,845,0.317,849,0.865,850,0.183,864,1.006,872,0.542,873,0.28,877,0.485,887,1.313,895,0.513,897,0.588,899,0.899,905,0.73,906,0.447,912,1.136,918,1.084,919,0.356,921,1.006,932,2.237,954,0.729,987,1.258,989,0.896,990,0.637,992,0.107,1001,0.797,1002,0.34,1005,1.895,1006,0.224,1009,0.909,1011,0.782,1018,0.265,1019,1.006,1020,0.38,1036,1.006,1040,1.006,1046,1.128,1048,1.475,1049,0.782,1052,0.957,1054,0.847,1056,1.019,1080,1.236,1103,0.671,1111,1.023,1119,0.872,1122,1.683,1123,0.444,1125,1.895,1126,1.116,1128,2.733,1130,1.006,1143,1.794,1146,0.743,1147,1.136,1158,2.129,1159,1.06,1165,0.431,1166,1.196,1167,0.527,1168,1.146,1169,2.265,1174,1.313,1177,0.775,1181,0.706,1186,0.48,1194,1.116,1200,2.175,1213,0.522,1228,0.865,1230,1.162,1238,0.431,1239,1.475,1253,1.771,1255,0.706,1264,2.735,1269,0.701,1271,0.919,1276,1.54,1278,0.909,1279,1.173,1281,1.797,1283,1.601,1288,0.447,1289,0.822,1294,0.763,1333,0.993,1334,0.66,1348,0.356,1350,1.009,1360,1.06,1361,0.838,1375,1.019,1377,1.019,1378,2.91,1390,2.109,1392,0.604,1406,0.968,1408,1.461,1423,0.741,1433,1.116,1437,0.671,1441,1.39,1445,0.671,1463,1.895,1472,1.475,1473,1.524,1474,0.865,1478,0.822,1479,2.303,1484,2.129,1503,0.21,1504,0.782,1510,2.418,1518,0.865,1523,0.609,1525,1.302,1526,1.242,1530,0.909,1533,2.798,1539,1.023,1543,1.88,1548,1.006,1550,2.116,1552,1.177,1555,0.909,1557,1.155,1564,0.622,1566,1.527,1606,0.573,1609,2.498,1612,1.698,1613,
1.676,1619,0.671,1632,1.177,1633,1.793,1634,0.97,1667,1.008,1669,0.782,1677,0.352,1684,1.242,1685,1.452,1689,2.434,1690,1.312,1692,1.475,1693,2.798,1694,0.431,1696,1.21,1699,1.312,1700,0.671,1701,1.57,1709,0.957,1711,2.223,1757,2.17,1773,1.475,1782,1.313,1785,2.006,1786,1.111,1792,0.573,1830,1.242,1832,0.909,1861,1.242,1866,0.549,1876,1.248,1877,1.57,1883,1.529,1886,0.865,1893,2.594,1896,1.939,1935,1.475,1945,1.676,1948,4.147,1949,0.83,1951,1.447,1953,1.793,1954,1.116,1956,1.111,1957,1.073,1960,1.116,1967,1.517,1974,0.644,2009,1.452,2017,1.599,2018,2.498,2019,2.006,2023,1.797,2026,1.392,2028,0.458,2039,2.554,2044,1.611,2045,1.475,2054,3.591,2064,1.177,2065,1.312,2074,1.313,2081,0.827,2083,0.865,2085,3.043,2102,1.242,2109,1.073,2110,0.751,2115,0.97,2116,2.109,2122,1.698,2126,2.554,2200,1.242,2208,1.797,2213,1.06,2215,1.116,2216,1.188,2244,1.895,2255,1.177,2328,1.006,2332,1.333,2357,2.485,2412,1.116,2421,1.475,2444,0.775,2451,0.957,2452,1.242,2455,1.39,2473,1.676,2476,0.919,2559,1.797,2563,1.57,2571,1.797,2576,2.25,2580,1.895,2585,2.129,2590,0.822,2619,1.57,2621,1.475,2623,1.676,2624,2.323,2633,1.62,2656,1.442,2673,2.109,2678,2.581,2684,1.895,2686,0.952,2690,1.57,2691,1.676,2693,1.38,2694,1.674,2704,1.797,2752,2.265,2854,2.413,2870,2.265,2883,1.313,2894,1.475,2982,1.313,3019,1.475,3034,1.475,3039,0.952,3085,0.909,3096,2.594,3115,3.533,3116,1.797,3119,2.658,3121,3.933,3122,1.311,3140,2.418,3141,1.464,3144,2.223,3149,1.116,3214,3.337,3215,1.57,3221,1.248,3231,1.797,3243,1.313,3248,2.608,3275,1.895,3288,1.006,3291,2.623,3292,3.085,3293,1.797,3294,3.043,3306,2.129,3311,1.57,3312,1.676,3313,1.242,3314,2.485,3336,2.384,3344,3.933,3391,2.594,3393,1.676,3397,2.109,3401,1.843,3409,2.265,3459,2.594,3460,2.109,3464,1.45,3534,2.798,3535,2.594,3536,2.735,3537,1.569,3538,2.216,3539,2.735,3540,1.06,3541,2.323,3542,2.109,3543,1.242,3545,2.109,3551,1.939,3554,2.323,3555,1.524,3558,2.109,3559,2.323,3560,2.323,3561,2.323,3562,2.323,3563,2.323,3564,1.797,3569,1.939,3570,2.323,3571,1.06,3
600,2.109,3601,2.109,3603,1.62,3606,1.569,3613,3.248,3614,4.836,3628,2.103,3660,2.109,3661,2.109,3662,2.109,3676,2.109,3685,2.109,3694,2.608,3747,1.939,3748,2.109,3749,2.109,3766,1.797,3772,2.323,3775,3.107,3776,1.797,3778,3.795,3792,2.798,3828,0.782,3845,1.452,3849,1.306,3852,1.797,3853,1.939,3854,1.242,3857,4.314,3858,2.544,3859,0.909,3860,1.797,3861,0.865,3862,0.957,3864,1.676,3875,1.939,3886,2.109,3888,2.006,3890,1.913,3894,2.109,3895,2.109,3897,2.109,3898,3.248,3905,1.39,3910,2.838,3911,3.538,3912,4.56,3920,3.352,3921,2.109,3925,2.838,3926,2.838,3928,3.432,3938,2.594,3939,2.109,3941,2.109,3942,3.044,3943,1.939,3948,2.498,3949,2.658,3950,2.498,3951,2.323,3956,3.509,3958,3.043,3960,0.957,3965,1.939,3968,2.323,3971,0.968,3972,1.006,3973,1.57,3978,1.797,3984,2.608,3987,3.456,3995,2.265,3996,2.91,3997,2.418,4001,3.215,4002,2.418,4003,2.354,4004,1.305,4005,1.611,4006,1.797,4008,1.939,4025,1.475,4033,1.39,4096,1.797,4098,3.352,4105,1.877,4109,3.432,4121,2.798,4135,2.608,4136,3.764,4153,3.764,4154,3.044,4159,1.797,4181,4.147,4214,1.797,4229,2.323,4256,1.57,4281,1.116,4285,3.043,4353,3.044,4354,3.812,4361,1.676,4429,4.543,4511,2.323,4524,1.793,4587,2.838,4686,2.109,4726,2.594,4730,1.676,4737,2.265,4739,2.323,4784,2.608,4785,2.608,4790,1.676,4792,2.91,4794,1.475,4799,0.822,4860,0.957,4913,3.764,4918,2.608,4920,2.323,4954,3.764,4969,3.764,4971,2.594,4977,3.764,4978,3.764,4995,2.323,5000,3.352,5002,5.113,5020,3.764,5064,1.313,5072,3.933,5079,2.323,5085,2.608,5086,2.608,5090,2.323,5100,1.793,5199,2.323,5237,2.323,5332,1.57,5345,2.608,5349,2.323,5354,2.608,5358,2.608,5367,2.608,5370,2.608,5371,2.608,5373,4.417,5374,3.764,5398,1.797,5402,2.594,5403,2.608,5404,2.608,5405,2.608,5406,3.764,5417,2.323,5440,2.608,5511,5.128,5512,3.042,5513,3.379,5514,5.98,5515,1.676,5516,2.323,5517,3.042,5518,2.608,5519,5.115,5520,3.042,5521,4.417,5522,3.352,5523,4.306,5524,3.764,5525,3.044,5526,3.042,5527,6.231,5528,3.042,5529,3.042,5530,2.608,5531,3.283,5532,5.64,5533,2.323,5534,2.109,5535,4.39,
5536,5.64,5537,3.352,5538,2.418,5539,5.744,5540,2.323,5541,5.64,5542,3.042,5543,2.323,5544,2.608,5545,3.042,5546,3.764,5547,2.323,5548,3.042,5549,1.57,5550,3.572,5551,2.323,5552,1.676,5553,3.042,5554,3.042,5555,3.042,5556,2.608,5557,2.608,5558,3.042,5559,3.042,5560,3.042,5561,4.836,5562,3.042,5563,4.836,5564,3.042,5565,5.128,5566,3.042,5567,3.042,5568,5.151,5569,5.151,5570,3.764,5571,4.39,5572,3.042,5573,3.042,5574,1.793,5575,3.042,5576,3.042,5577,3.042,5578,3.042,5579,3.042,5580,3.042,5581,3.042,5582,2.608,5583,3.042,5584,3.042,5585,3.042,5586,3.042,5587,1.993,5588,5.151,5589,5.151,5590,5.151,5591,3.042,5592,3.042,5593,5.64,5594,3.042,5595,4.39,5596,3.042,5597,3.764,5598,4.39,5599,3.042,5600,3.042,5601,4.39,5602,5.151,5603,4.39,5604,4.39,5605,5.151,5606,4.39,5607,4.39,5608,4.39,5609,4.39,5610,4.39,5611,3.042,5612,3.042,5613,3.042,5614,4.39,5615,4.39,5616,4.39,5617,3.042,5618,4.39,5619,4.39,5620,3.042,5621,3.764,5622,3.042,5623,3.042,5624,3.042,5625,3.042,5626,3.042,5627,3.042,5628,4.39,5629,3.042,5630,3.042,5631,3.042,5632,3.042,5633,3.042,5634,4.417,5635,3.352,5636,3.042,5637,3.042,5638,2.608,5639,3.042,5640,3.042,5641,3.042,5642,4.39,5643,3.042,5644,4.39,5645,4.417,5646,3.042,5647,3.042,5648,3.042,5649,3.042,5650,3.042,5651,3.042,5652,3.042,5653,3.042,5654,3.042,5655,3.042,5656,3.042,5657,3.042,5658,3.042,5659,3.042,5660,3.042,5661,3.042,5662,3.042,5663,3.042,5664,3.042,5665,3.042,5666,4.39,5667,4.39,5668,3.042,5669,4.39,5670,3.042,5671,3.042,5672,3.042,5673,3.042,5674,3.042,5675,3.042,5676,4.39,5677,4.39,5678,3.042,5679,3.764,5680,4.39,5681,3.042,5682,3.042,5683,2.109,5684,3.764,5685,2.608,5686,2.323,5687,3.042,5688,3.352,5689,3.042,5690,5.98,5691,3.042,5692,3.042,5693,4.39,5694,4.39,5695,4.39,5696,3.042,5697,3.042,5698,3.042,5699,3.042,5700,2.323,5701,3.042,5702,3.042,5703,3.042,5704,3.042,5705,3.042,5706,3.042,5707,3.042,5708,3.042,5709,3.042,5710,3.042,5711,3.042,5712,3.042,5713,3.042,5714,3.042,5715,4.39,5716,3.042,5717,3.042,5718,3.042,5719,2.323,5720,2.608
,5721,3.042,5722,3.042,5723,3.042,5724,3.042,5725,3.042,5726,4.39,5727,3.042,5728,3.042,5729,3.042,5730,3.042,5731,3.042,5732,3.042,5733,3.042,5734,3.042,5735,2.109,5736,3.042]],["title/compliance-matrix.html",[2,4.976,3,4.605,4,4.933,5,3.263,133,0.637,4860,12.154]],["breadcrumb/compliance-matrix.html",[6,0.224,133,0.306,4860,5.827]],["description/compliance-matrix.html",[0,0.329,67,0.709,83,0.484,86,0.373,87,4.984,88,0.148,102,0.241,133,0.329,351,0.373,415,0.373,416,0.484,417,0.597,419,0.831,420,0.831,2008,2.332,4860,6.264]],["body/compliance-matrix.html",[0,0.123,2,1.004,3,0.822,4,0.919,5,0.598,9,0.24,11,0.161,14,0.58,20,1.109,27,0.53,28,0.33,33,0.259,47,0.122,48,0.091,49,1.503,51,0.312,53,0.164,54,0.443,60,0.24,66,0.271,67,0.276,69,0.58,76,0.493,83,0.189,84,0.897,86,0.142,87,1.156,88,0.057,89,0.04,90,0.663,94,0.742,97,1.118,98,0.863,102,0.074,103,0.21,104,0.242,110,0.429,113,0.588,115,0.319,116,0.253,117,0.529,118,0.568,120,1.663,122,1.462,123,0.336,126,0.095,129,0.515,130,0.51,131,0.51,133,0.117,134,0.823,136,2.171,137,0.588,138,1.539,139,1.675,148,0.124,151,0.897,156,0.4,161,0.277,172,1.388,184,0.829,187,0.67,189,0.755,193,0.719,200,1.371,204,3.382,205,1.751,211,1.053,212,0.256,218,0.564,242,1.659,244,0.399,252,0.493,263,0.369,264,0.303,265,0.671,270,0.512,277,0.541,278,0.541,279,0.293,282,0.72,284,1.292,288,0.161,293,0.629,311,0.303,314,1.581,322,1.167,332,0.848,341,0.271,344,0.18,351,0.14,353,0.199,363,0.652,368,1.292,410,0.253,411,0.72,412,0.72,413,0.72,414,0.224,415,0.139,416,0.177,417,0.219,418,0.363,419,0.304,420,0.304,459,0.883,466,3.029,484,0.947,498,0.336,504,0.67,511,0.416,516,0.999,520,0.897,522,0.626,543,0.979,552,1.429,560,0.801,564,0.282,619,3.168,647,0.848,651,1.581,664,2.438,672,1.156,688,1.388,716,2.193,717,0.578,764,0.947,775,0.801,807,0.628,845,0.256,872,0.539,921,1.663,928,0.512,982,2.438,983,1.693,989,0.629,1003,3.42,1004,0.897,1011,1.292,1012,2.594,1013,2.438,1014,2.737,1015,2.769,1019,1.663,1020,0.629,1021,2.17,1054,0.712,1102,3.214,1103,
1.462,1104,3.42,1105,3.916,1106,3.916,1107,1.703,1108,1.884,1109,3.916,1110,2.821,1111,0.999,1116,1.462,1123,0.307,1143,1.751,1146,1.228,1163,2.17,1167,0.487,1177,0.923,1261,1.503,1276,1.503,1350,0.848,1383,3.839,1392,1.431,1405,2.297,1432,4.596,1437,1.109,1445,1.109,1504,1.774,1544,2.064,1547,2.941,1575,3.42,1616,1.354,1621,0.848,1623,3.205,1634,0.947,1643,2.769,1787,1.22,1792,0.947,1830,2.053,1855,3.486,1856,1.745,1866,0.768,1891,2.438,1949,0.96,1950,1.93,1957,1.228,1988,2.769,2008,0.854,2061,1.945,2095,1.053,2319,4.225,2329,2.769,2432,2.138,2442,2.375,2444,0.756,2451,2.084,2452,2.707,2454,3.205,2458,2.769,2463,3.562,2539,2.466,2540,4.787,2541,3.42,2542,3.916,2543,3.651,2544,3.916,2545,3.916,2575,2.138,2576,2.031,2577,2.138,2677,2.17,2687,1.663,2695,2.97,2747,4.311,2985,2.053,3031,2.97,3297,1.292,3465,1.109,3549,2.594,3603,1.93,3778,2.97,3825,2.97,3826,2.438,3870,2.297,4028,2.977,4032,3.9,4420,3.205,4514,2.297,4527,3.839,4729,2.594,4799,1.359,4860,2.293,5286,3.839,5397,3.486,5546,4.311,5551,3.839,5737,4.311,5738,5.027,5739,5.027,5740,3.486,5741,4.311,5742,4.688,5743,4.688,5744,6.14,5745,5.027,5746,6.14,5747,5.027,5748,3.205,5749,6.14,5750,4.311,5751,5.027,5752,5.027,5753,5.027,5754,5.027,5755,4.311,5756,5.027,5757,5.027,5758,5.027,5759,5.027,5760,4.311,5761,6.14,5762,6.14,5763,5.027,5764,5.027,5765,5.027,5766,5.027,5767,5.027,5768,4.688,5769,4.311,5770,5.264,5771,6.14,5772,3.205,5773,4.311,5774,6.14,5775,6.14,5776,5.027,5777,5.027,5778,3.839,5779,5.027,5780,5.027,5781,5.027,5782,3.205,5783,4.311,5784,3.205,5785,4.311,5786,4.311]],["title/gcp/data.html",[2,4.44,3,4.108,4,6.123,5,2.912,28,2.265,29,0.982,130,2.411]],["breadcrumb/gcp/data.html",[6,0.198,28,1.077,29,0.467,130,1.147]],["description/gcp/data.html",[2,3.187,3,3.464,28,1.371,29,0.594,32,0.345,33,0.505,37,2.281,43,0.294,45,1.043,52,1.971,130,0.993,159,2.011,162,0.508,219,1.775,227,0.345,264,0.857,444,1.552,564,0.797,768,3.648,1690,4.243,2057,3.837,2216,2.82,2467,3.296,3845,4.697,5787,5.796,5788,5.208,5789,8
.387]],["body/gcp/data.html",[0,0.119,1,2.32,2,1.011,3,0.923,4,0.862,7,0.562,9,0.301,11,0.139,13,0.614,14,0.496,16,0.574,17,0.502,21,1.526,26,0.421,27,0.515,28,0.504,29,0.189,30,0.592,31,0.231,32,0.182,33,0.27,34,0.109,35,0.358,37,0.819,40,0.315,41,0.166,43,0.159,44,0.154,45,0.496,47,0.076,48,0.069,51,0.332,52,0.712,53,0.181,54,0.472,55,0.85,56,0.344,57,2.891,58,0.911,60,0.335,61,0.73,62,0.697,65,0.572,66,0.243,67,0.259,68,0.811,69,0.425,70,1.548,76,0.567,77,0.421,79,0.361,80,0.317,81,0.492,82,0.393,83,0.178,84,0.561,85,0.188,86,0.113,87,0.592,88,0.048,89,0.055,90,0.275,91,0.694,92,0.502,93,1.156,94,0.32,96,0.73,98,0.393,100,0.492,101,0.73,102,0.082,103,0.131,104,0.252,105,1.566,106,1.005,107,0.392,110,0.4,111,0.492,112,1.079,113,0.777,114,0.393,115,0.451,116,0.161,117,0.477,119,0.966,121,0.38,123,0.443,124,0.531,126,0.076,127,0.562,129,0.501,130,0.529,131,0.485,133,0.107,134,0.492,135,0.789,137,0.526,138,0.73,139,1.463,140,0.458,141,0.992,142,1.712,143,0.446,144,0.85,145,0.496,146,0.613,148,0.171,149,0.393,150,0.344,151,0.802,152,0.759,153,0.344,154,0.21,155,2.182,156,0.408,159,1.094,160,0.301,161,0.299,162,0.258,164,1.285,165,0.5,167,0.73,169,0.94,170,1.349,172,1.479,173,0.352,176,0.253,178,0.641,180,0.614,182,0.383,184,0.738,187,0.419,188,0.864,189,0.344,191,0.637,192,0.307,193,0.614,194,0.391,197,2.649,198,0.366,199,0.9,200,1.138,203,0.808,206,0.936,207,0.583,209,0.4,212,0.253,214,0.46,216,0.419,217,1.526,218,0.535,219,0.788,220,0.988,221,0.477,222,0.463,223,0.96,229,1.836,232,0.893,233,0.789,234,0.847,238,1.285,239,0.492,241,0.392,242,0.85,244,0.58,245,0.67,249,0.443,251,0.531,252,0.486,254,0.425,256,1.157,258,0.913,260,2.253,261,0.893,262,0.434,263,0.386,264,0.445,265,0.344,270,0.751,271,0.358,272,1.65,273,0.445,274,0.205,275,0.977,276,0.253,277,0.519,278,0.537,279,0.29,280,0.421,281,0.445,282,0.583,285,2.438,287,0.502,288,0.101,291,2.143,292,0.55,293,0.788,294,0.789,298,0.561,299,0.541,302,1.65,303,0.226,304,0.383,305,0.655,308,0.492,311,0.418,312,0.599,313,0
.886,315,0.894,316,0.458,317,0.759,318,0.942,319,0.802,323,0.392,327,0.812,328,0.393,329,0.346,330,0.346,332,0.966,335,0.625,339,0.299,340,0.487,341,0.398,342,0.965,343,0.861,344,0.253,346,0.084,349,1.526,350,0.763,351,0.126,352,1.263,353,0.199,354,2.101,360,1.403,363,0.496,365,0.614,388,0.73,392,1.623,394,0.446,395,0.446,397,0.637,400,0.502,410,0.205,411,0.583,412,0.583,413,0.583,414,0.172,415,0.107,416,0.139,417,0.172,418,0.317,419,0.239,420,0.239,424,0.717,425,0.759,426,0.599,427,1.318,428,2.182,429,2.182,430,0.583,431,0.894,433,0.858,434,0.894,438,0.808,439,1.096,440,0.989,441,0.446,444,0.662,446,0.323,451,0.595,459,0.763,472,1.217,473,0.5,474,1.733,481,1.74,482,1.33,484,1.079,487,0.38,488,0.763,490,0.502,493,3.58,496,0.82,498,0.421,501,0.94,504,0.763,507,1.043,508,2.938,511,0.389,513,0.541,514,1.079,519,0.73,520,0.936,521,0.458,522,0.613,523,0.572,524,0.759,527,0.107,528,0.592,531,0.32,532,0.73,539,0.583,540,0.694,544,0.942,546,1.344,550,0.38,551,0.263,553,2.399,554,1.65,561,1.941,562,0.85,564,0.413,565,0.659,566,0.595,572,0.383,580,0.31,587,2.005,588,2.477,592,2.181,619,2.32,620,2.182,621,2.182,626,0.989,628,0.351,629,0.419,630,0.676,634,0.5,636,0.717,640,0.763,647,0.531,649,0.572,653,0.419,655,0.802,656,0.358,657,0.486,659,0.837,660,1.263,661,0.562,662,1.216,670,0.531,671,1.217,672,0.592,673,1.272,676,1.733,682,0.637,685,0.659,686,0.386,687,0.749,688,1.509,693,0.253,696,1.92,697,1.526,702,0.344,703,1.62,705,2.657,708,0.531,709,1.926,710,2.143,717,0.5,725,0.971,726,2.031,733,1.74,734,2.182,738,0.73,746,1.079,747,0.694,754,1.096,756,0.46,758,0.808,764,0.592,765,0.913,767,1.217,768,1.705,769,0.502,771,0.625,775,0.502,779,0.502,782,1.674,790,0.694,791,1.043,792,2.18,799,1.344,802,1.349,805,2.055,807,0.392,808,1.949,809,3.434,813,1.358,816,0.625,832,2.698,845,0.16,849,1.492,850,0.295,856,0.561,863,1.089,872,0.448,873,0.253,877,1.092,880,1.733,888,0.894,897,0.496,899,0.913,903,0.473,905,0.744,906,0.32,913,1.041,917,0.33,918,0.744,919,0.368,924,4.373,926,2.545,928,0
.458,930,2.402,933,1.828,936,2.545,949,1.623,954,0.526,987,1.099,990,1.099,992,0.147,1001,0.599,1005,1.358,1006,0.386,1011,0.808,1018,0.19,1019,1.041,1020,0.656,1039,1.096,1040,1.488,1054,0.971,1056,1.219,1080,1.277,1092,0.659,1119,0.625,1122,0.769,1123,0.396,1141,1.33,1148,1.438,1156,1.344,1158,1.526,1165,0.812,1166,0.73,1167,0.231,1168,0.802,1170,0.694,1173,0.73,1186,0.492,1191,2.438,1203,0.894,1213,0.392,1230,0.531,1240,2.005,1251,1.488,1252,1.399,1255,1.219,1259,1.217,1266,1.859,1269,0.617,1274,1.041,1275,0.73,1288,0.32,1294,0.32,1333,0.837,1334,0.526,1360,1.828,1361,0.562,1375,1.044,1377,1.219,1386,1.344,1392,0.625,1406,0.694,1423,0.886,1426,2.402,1437,0.992,1438,1.733,1442,2.617,1445,1.158,1472,2.777,1478,0.85,1479,1.836,1500,5.404,1503,0.163,1513,0.73,1518,0.894,1523,0.458,1527,2.055,1530,0.94,1539,0.625,1548,1.041,1555,0.94,1560,1.566,1564,0.446,1606,0.592,1616,0.992,1621,0.759,1622,1.285,1628,1.438,1634,1.141,1645,1.733,1646,2.182,1667,1.094,1669,1.156,1676,1.811,1677,0.521,1683,1.219,1685,1.041,1686,2.698,1690,1.884,1709,0.989,1711,1.358,1712,1.285,1772,2.32,1786,1.204,1787,0.893,1790,1.041,1791,2.143,1792,0.592,1794,0.802,1801,1.623,1830,1.285,1832,1.569,1864,1.358,1876,0.894,1881,2.181,1897,1.526,1898,1.733,1921,0.94,1922,1.438,1938,2.143,1954,1.926,1967,1.389,1974,0.716,2006,1.249,2007,2.657,2020,1.041,2026,0.85,2050,2.477,2057,2.038,2062,1.623,2064,1.217,2068,3.346,2078,0.94,2090,0.894,2095,1.574,2111,1.096,2127,1.566,2210,3.972,2216,1.204,2223,0.989,2229,1.526,2230,2.005,2235,2.891,2265,1.926,2335,2.182,2346,1.733,2368,2.698,2412,1.154,2413,1.217,2416,2.545,2418,0.94,2421,1.526,2425,5.563,2432,1.828,2444,1.103,2451,0.989,2467,1.044,2470,2.005,2476,0.942,2477,0.989,2551,1.358,2590,0.85,2618,2.698,2628,1.438,2629,1.438,2631,2.182,2633,1.414,2666,2.777,2675,1.859,2677,1.358,2679,3.252,2683,2.657,2684,1.358,2687,1.041,2689,2.957,2690,1.623,2730,1.65,2737,3.119,2744,2.005,2815,1.926,2892,4.008,2902,1.737,2982,1.358,2983,2.32,3019,1.526,3034,1.526,3036,0.98
9,3039,0.531,3065,2.402,3115,3.101,3122,0.936,3123,2.477,3124,2.477,3128,1.733,3140,1.733,3144,1.358,3153,2.005,3221,0.894,3288,1.041,3289,1.859,3304,1.566,3361,1.733,3393,1.733,3399,2.265,3406,2.32,3407,1.733,3459,1.859,3462,1.623,3464,0.992,3465,0.694,3503,1.941,3544,1.041,3571,1.096,3579,2.32,3603,1.982,3628,2.339,3769,2.182,3825,1.859,3828,0.808,3845,2.509,3848,1.438,3849,1.204,3854,1.285,3855,2.402,3856,3.833,3859,1.569,3861,0.894,3862,0.989,3864,2.477,3866,4.229,3867,3.032,3869,2.402,3870,2.399,3902,1.285,3903,1.733,3960,1.801,3971,0.694,4019,2.402,4020,4.008,4022,2.005,4023,2.698,4024,3.434,4025,1.526,4026,2.005,4031,2.657,4032,1.733,4033,1.438,4035,2.698,4036,2.402,4037,2.005,4048,4.501,4078,3.119,4105,1.099,4106,3.856,4254,2.402,4281,1.154,4328,1.859,4419,1.358,4434,1.041,4609,2.182,4653,5.195,4728,1.995,4729,1.623,5064,1.358,5100,2.143,5130,1.358,5181,2.005,5198,1.859,5266,3.346,5332,2.32,5355,2.182,5449,2.182,5513,2.769,5516,2.402,5570,2.698,5587,1.217,5597,2.698,5787,3.142,5788,2.381,5789,3.101,5790,1.526,5791,2.657,5792,2.182,5793,2.402,5794,3.101,5795,4.954,5796,6.059,5797,1.526,5798,3.119,5799,5.727,5800,4.497,5801,2.181,5802,4.008,5803,4.008,5804,3.972,5805,3.64,5806,3.146,5807,4.497,5808,5.249,5809,3.146,5810,3.146,5811,2.005,5812,3.146,5813,3.146,5814,2.698,5815,2.698,5816,2.402,5817,4.911,5818,3.146,5819,3.146,5820,3.146,5821,3.146,5822,5.727,5823,4.911,5824,3.146,5825,2.182,5826,1.859,5827,3.646,5828,5.727,5829,3.146,5830,3.346,5831,4.497,5832,3.146,5833,4.497,5834,5.946,5835,4.626,5836,4.626,5837,4.808,5838,3.146,5839,3.146,5840,3.434,5841,3.119,5842,3.146,5843,3.64,5844,3.146,5845,3.146,5846,3.64,5847,3.146,5848,3.146,5849,2.402,5850,3.146,5851,5.727,5852,3.972,5853,3.856,5854,4.497,5855,3.119,5856,2.777,5857,3.434,5858,3.434,5859,3.146,5860,3.434,5861,3.862,5862,4.501,5863,4.501,5864,1.623,5865,3.146,5866,3.146,5867,2.698,5868,3.146,5869,3.146,5870,3.972,5871,3.146,5872,3.146,5873,3.146,5874,3.146,5875,3.146,5876,3.146,5877,2.955,5878,3.434,58
79,2.698,5880,3.146,5881,3.856,5882,3.146,5883,2.72,5884,3.856,5885,2.402,5886,2.698,5887,2.698,5888,2.698,5889,3.146,5890,3.146,5891,5.249,5892,1.623,5893,3.146,5894,2.402,5895,4.497,5896,2.698,5897,2.657,5898,2.698,5899,3.146,5900,4.497,5901,3.146,5902,3.146,5903,4.201,5904,5.249,5905,3.856,5906,2.402,5907,3.856,5908,5.727,5909,5.249,5910,3.146,5911,3.146,5912,3.146,5913,3.856,5914,3.856,5915,4.497,5916,3.146,5917,4.497,5918,4.497,5919,5.249,5920,4.008,5921,5.249,5922,5.249,5923,2.402,5924,2.402,5925,3.146,5926,3.146,5927,4.008,5928,4.008,5929,5.249,5930,4.008,5931,4.008,5932,5.249,5933,3.101,5934,4.501,5935,5.727,5936,3.146,5937,3.146,5938,4.501,5939,3.146,5940,4.501,5941,4.626,5942,4.501,5943,3.146,5944,3.146,5945,3.146,5946,3.146,5947,3.146,5948,4.501,5949,3.146,5950,3.146,5951,3.856,5952,3.146,5953,3.64,5954,2.698,5955,4.497,5956,3.146,5957,3.146,5958,2.698,5959,2.005,5960,3.146,5961,3.146,5962,3.434,5963,2.005,5964,3.146,5965,2.698,5966,3.146,5967,3.146,5968,5.249,5969,3.146,5970,3.146,5971,3.146,5972,4.497,5973,3.146,5974,2.698,5975,2.182,5976,3.146,5977,4.497,5978,3.146,5979,3.146,5980,3.146,5981,4.497,5982,3.146,5983,3.146,5984,3.146,5985,4.497,5986,2.402,5987,3.146,5988,3.146,5989,5.249,5990,3.146,5991,3.146,5992,3.146,5993,2.698,5994,3.146,5995,3.146,5996,3.146,5997,2.402,5998,3.146,5999,3.146,6000,3.146,6001,2.698,6002,2.182,6003,3.146,6004,4.497,6005,4.497,6006,2.698,6007,3.146,6008,3.146,6009,4.497,6010,3.146,6011,3.146,6012,3.856,6013,3.146,6014,3.146,6015,3.146,6016,2.402,6017,3.146,6018,5.249,6019,3.146,6020,3.146,6021,3.146,6022,3.146,6023,3.146,6024,3.146,6025,3.146,6026,3.146,6027,3.146,6028,3.146,6029,3.146,6030,3.146,6031,3.146,6032,3.146,6033,3.146,6034,3.146,6035,3.146,6036,4.497,6037,3.146,6038,3.146,6039,3.146,6040,2.182,6041,3.146,6042,4.497,6043,3.146,6044,3.146,6045,3.146,6046,3.146,6047,3.146,6048,2.698,6049,3.146,6050,3.146,6051,2.698,6052,3.146,6053,3.146,6054,4.497,6055,3.146,6056,3.146,6057,3.146,6058,3.146,6059,3.146,6060,3.146,60
61,3.146,6062,3.146,6063,3.146,6064,3.146,6065,3.146,6066,3.146,6067,3.146,6068,3.146,6069,3.146,6070,3.146,6071,3.146,6072,3.146,6073,3.146,6074,3.146,6075,3.146,6076,3.146,6077,3.146,6078,3.146,6079,2.402,6080,3.146,6081,3.146,6082,3.146]],["title/gcp/genai.html",[2,4.213,3,3.898,4,5.902,5,2.763,130,2.288,983,7.597,1013,15.867,1014,12.006]],["breadcrumb/gcp/genai.html",[6,0.224,130,1.296,983,4.302]],["description/gcp/genai.html",[4,2.081,28,1.515,33,0.821,34,0.396,51,1.041,60,0.779,67,0.821,130,1.14,148,0.402,188,2.172,244,1.295,459,2.172,983,3.785,990,3.414,992,0.396,1013,7.906,1014,5.982,1192,8.982,1389,7.037,4205,9.633,5787,6.658,6083,11.306,6084,11.306,6085,12.449]],["body/gcp/genai.html",[0,0.118,1,2.342,2,1.01,3,0.909,4,0.735,5,0.269,7,0.897,9,0.291,11,0.169,13,0.373,14,0.301,16,0.348,17,0.724,19,0.452,21,3.069,25,1.581,26,0.463,27,0.509,28,0.491,29,0.164,31,0.447,32,0.11,33,0.27,34,0.176,35,0.324,37,0.712,40,0.24,41,0.164,43,0.154,44,0.151,45,0.334,47,0.11,48,0.081,51,0.342,52,0.629,53,0.184,54,0.445,56,0.348,58,0.683,60,0.347,62,0.644,67,0.264,69,0.301,70,0.861,76,0.424,77,0.423,79,0.424,80,0.382,82,0.814,83,0.186,86,0.132,87,0.6,88,0.048,89,0.048,90,0.648,92,0.724,100,0.348,102,0.084,103,0.133,104,0.153,106,0.918,107,0.396,110,0.426,114,0.568,115,0.202,116,0.189,117,0.234,118,0.256,119,0.508,121,0.433,123,0.453,126,0.06,129,0.491,130,0.524,131,0.491,132,0.819,133,0.11,134,0.348,135,0.479,137,0.373,140,0.324,141,1.001,145,0.301,146,0.598,148,0.188,150,0.496,153,0.348,154,0.213,156,0.274,159,0.974,160,0.295,161,0.221,162,0.262,165,0.461,167,0.74,168,1.167,169,0.953,171,1.502,173,0.275,176,0.364,178,0.663,180,0.674,182,0.303,184,0.741,188,0.943,189,0.578,191,0.452,192,0.295,193,0.373,194,0.409,198,0.348,199,0.887,201,1.002,203,0.819,204,1.756,206,0.568,207,0.324,209,0.382,211,0.667,212,0.133,214,0.489,216,0.425,218,0.547,220,1.192,221,0.447,222,0.505,227,0.077,232,0.633,239,0.348,241,0.591,244,0.611,245,0.804,247,0.667,248,2.032,249,0.385,250,0.74,251,1.123,
252,0.256,254,0.301,257,2.21,261,0.902,262,0.303,263,0.388,264,0.393,265,0.578,270,0.462,271,0.329,272,2.048,273,0.423,274,0.253,276,0.424,277,0.498,278,0.489,279,0.217,280,0.334,281,0.465,282,0.644,284,0.819,288,0.102,292,0.581,294,0.479,296,1.376,298,0.81,299,0.499,300,0.396,303,0.246,304,0.423,305,0.691,308,0.63,311,0.319,312,0.768,315,1.29,316,0.324,318,0.667,319,0.568,323,0.607,324,1.756,328,0.398,329,0.393,330,0.393,331,1.233,332,0.538,338,2.342,339,0.304,340,0.447,341,0.406,342,0.984,343,0.916,344,0.251,346,0.136,350,0.811,351,0.132,352,1.396,353,0.223,360,1.05,363,0.544,365,0.674,368,1.167,374,0.452,384,0.892,389,2.733,394,0.452,395,0.452,397,0.816,400,0.508,410,0.227,411,0.644,412,0.644,413,0.644,414,0.19,415,0.118,416,0.154,417,0.19,418,0.336,419,0.264,420,0.264,424,0.971,425,0.619,426,0.425,427,1.294,430,0.663,432,1.429,433,0.452,441,0.897,442,0.605,443,0.906,444,0.348,446,0.275,451,0.663,459,0.962,472,1.233,473,0.552,480,0.861,485,0.72,487,0.382,488,0.95,490,0.724,494,1.756,496,0.531,497,1.376,498,0.423,501,0.643,504,0.425,509,1.502,511,0.46,512,0.076,513,0.575,514,0.996,520,0.568,521,0.663,522,0.499,523,0.598,524,0.766,527,0.14,530,1.666,531,0.62,532,0.74,539,0.462,540,1.001,543,0.724,546,0.953,547,0.795,550,0.402,551,0.221,552,0.906,556,1.233,560,0.971,562,1.227,563,0.906,564,0.423,565,1.206,566,0.663,568,1.502,571,1.376,572,0.385,580,0.338,582,1.396,587,1.502,596,1.109,610,1.749,626,1.99,628,0.213,630,0.795,631,1.001,634,0.503,636,0.724,637,0.683,647,0.538,649,0.544,650,1.233,651,1.002,653,0.811,655,0.943,656,0.329,657,0.424,658,2.032,659,0.508,660,0.703,661,0.568,662,0.861,670,0.766,672,0.6,673,0.855,682,0.452,685,1.275,686,0.334,687,0.699,693,0.256,702,0.348,703,1.359,705,1.883,708,0.766,716,2.203,717,0.6,725,1.044,733,1.233,736,1.002,745,0.703,747,0.703,755,1.169,756,0.489,760,0.819,764,0.996,768,1.359,769,0.508,774,1.546,775,0.724,776,1.359,783,0.855,790,0.703,793,1.915,802,0.819,807,0.396,845,0.231,850,0.133,856,0.568,863,0.795,864,1.055,872,0.46
8,873,0.133,880,1.756,889,0.943,891,1.29,899,0.843,905,0.452,906,0.324,909,0.943,917,0.234,919,0.674,925,1.883,928,0.586,931,2.733,938,2.21,949,1.645,954,0.741,982,2.201,983,1.752,985,0.861,986,2.628,987,1.626,989,0.791,990,0.95,991,4.045,992,0.182,999,4.244,1002,0.348,1003,3.36,1004,1.225,1005,1.959,1006,0.423,1008,2.21,1009,0.953,1011,1.167,1012,1.645,1013,3.765,1014,2.854,1015,1.756,1016,2.032,1017,1.376,1018,0.319,1019,1.502,1020,0.761,1021,1.376,1033,1.812,1034,1.662,1036,0.568,1042,2.894,1043,2.032,1044,1.645,1045,2.894,1046,0.819,1049,1.359,1052,1.99,1054,0.863,1092,0.95,1102,3.069,1103,1.396,1104,3.266,1105,3.848,1106,3.739,1107,1.627,1108,1.892,1109,3.739,1110,2.897,1111,1.485,1112,1.581,1113,2.342,1114,1.645,1116,1.271,1117,3.848,1118,4.035,1119,1.257,1122,0.779,1123,0.439,1124,0.953,1128,1.457,1129,2.912,1141,1.338,1146,1.109,1149,2.434,1152,1.645,1157,2.21,1165,0.863,1166,1.227,1168,0.568,1172,2.032,1174,2.487,1175,1.233,1176,2.682,1177,0.683,1180,3.598,1181,1.414,1182,1.376,1183,3.673,1184,2.21,1191,1.233,1192,4.082,1193,1.883,1194,1.666,1200,0.953,1203,1.29,1212,2.501,1213,0.591,1228,1.503,1229,2.682,1230,0.538,1233,1.812,1238,0.863,1239,1.546,1242,1.206,1252,1.488,1258,2.229,1266,1.883,1269,0.62,1273,3.404,1275,0.74,1276,1.357,1279,0.6,1283,0.819,1288,0.462,1289,1.227,1294,0.324,1334,0.674,1344,1.645,1352,1.883,1359,2.201,1361,0.661,1363,1.376,1365,2.21,1375,1.054,1376,4.035,1377,1.227,1379,2.894,1380,1.376,1381,3.148,1385,2.017,1386,0.953,1388,2.032,1389,1.376,1392,0.633,1403,1.645,1404,2.21,1405,1.457,1406,0.703,1423,0.538,1424,1.301,1428,1.883,1430,1.645,1437,0.703,1440,3.673,1445,1.001,1448,3.124,1494,1.546,1495,1.457,1496,1.457,1503,0.198,1506,1.756,1523,0.324,1530,0.953,1539,1.05,1556,2.121,1557,0.508,1561,1.546,1571,1.645,1603,1.376,1616,0.703,1619,0.703,1621,0.766,1626,1.002,1633,1.301,1634,1.226,1638,0.508,1665,0.906,1666,1.233,1667,0.479,1669,0.819,1676,1.357,1677,0.463,1678,1.11,1694,0.643,1700,0.703,1714,1.502,1766,1.756,1767,3.37,1777,1.3
01,1778,2.21,1782,1.376,1787,0.633,1830,1.854,1832,1.357,1852,0.906,1854,1.58,1865,2.032,1876,0.906,1886,0.906,1933,1.002,1935,2.201,1938,2.159,1954,1.666,1956,0.81,1957,0.779,1964,1.645,1967,0.667,1974,0.72,2006,1.343,2007,3.124,2042,1.883,2044,1.169,2054,1.645,2057,0.861,2060,1.457,2079,2.682,2081,0.6,2083,1.29,2090,0.906,2095,1.532,2104,0.703,2108,2.094,2110,0.768,2115,1.147,2127,1.581,2130,1.457,2141,1.11,2145,2.682,2163,1.82,2210,2.21,2212,1.002,2213,1.581,2216,0.633,2265,1.94,2317,2.21,2357,1.756,2411,2.21,2417,1.457,2418,0.953,2432,2.121,2433,1.376,2434,1.662,2436,1.756,2444,1.143,2461,1.055,2477,1.427,2575,1.581,2580,1.959,2588,2.032,2590,1.961,2621,1.546,2628,1.457,2629,1.457,2646,1.645,2647,2.032,2656,0.667,2657,1.645,2689,2.628,2692,1.546,2730,1.666,2731,2.501,2732,1.756,2733,1.756,2822,1.376,2825,2.894,2875,1.662,2883,1.376,2892,2.434,2976,1.376,2982,1.376,2983,1.645,2986,1.457,3039,0.538,3065,2.434,3115,1.883,3125,2.434,3393,1.756,3394,1.645,3407,1.756,3447,2.032,3464,1.166,3465,1.166,3503,3.206,3505,2.733,3534,3.37,3537,0.779,3544,1.502,3567,1.662,3603,1.002,3670,1.883,3787,3.466,3828,0.819,3862,1.002,3882,3.148,3960,1.915,3971,0.703,4031,1.883,4039,1.546,4078,2.21,4104,2.201,4205,4.305,4263,3.673,4265,1.756,4300,3.466,4305,2.434,4306,2.733,4361,1.756,4409,2.032,4420,3.37,4434,1.055,4451,2.342,4658,2.633,4701,1.645,4712,2.434,4728,2.205,4868,1.301,4942,2.973,5064,1.376,5088,2.434,5100,1.854,5163,1.883,5326,1.645,5356,1.301,5447,2.21,5645,2.733,5735,2.21,5787,2.987,5788,2.114,5804,4.222,5805,3.995,5825,3.666,5826,3.404,5827,3.618,5846,2.21,5855,2.21,5856,2.794,5857,2.434,5858,2.434,5860,4.65,5864,1.645,5877,2.973,5878,2.434,5879,2.733,5883,1.959,5906,2.434,5907,2.733,5924,2.434,5927,2.434,5928,2.434,5930,2.434,5931,3.466,5933,1.883,5934,2.733,5938,2.733,5940,2.733,5941,2.434,5942,2.733,5959,2.894,5962,2.434,6083,4.222,6084,4.978,6085,4.037,6086,7.316,6087,3.187,6088,3.187,6089,3.187,6090,2.733,6091,4.65,6092,6.775,6093,3.187,6094,3.892,6095,3.187,6096,3
.187,6097,3.187,6098,3.187,6099,4.539,6100,3.187,6101,4.539,6102,3.148,6103,3.187,6104,3.892,6105,3.187,6106,5.247,6107,4.539,6108,3.892,6109,3.187,6110,3.187,6111,3.187,6112,3.466,6113,3.187,6114,3.187,6115,3.187,6116,3.187,6117,3.187,6118,3.187,6119,3.187,6120,3.187,6121,3.187,6122,3.124,6123,3.187,6124,3.187,6125,4.539,6126,5.287,6127,2.733,6128,3.187,6129,3.187,6130,3.187,6131,7.179,6132,2.733,6133,1.457,6134,3.187,6135,3.187,6136,3.187,6137,4.539,6138,3.187,6139,3.187,6140,3.187,6141,3.187,6142,3.187,6143,3.187,6144,3.187,6145,3.187,6146,3.187,6147,3.187,6148,3.187,6149,3.187,6150,3.187,6151,5.287,6152,3.187,6153,3.187,6154,3.187,6155,3.187,6156,3.187,6157,3.187,6158,2.21,6159,3.187,6160,3.187,6161,3.187,6162,3.187,6163,3.148,6164,3.187,6165,3.187,6166,3.187,6167,2.434,6168,3.187,6169,4.539,6170,3.187,6171,3.187,6172,3.892,6173,3.187,6174,3.187,6175,3.187,6176,3.187,6177,4.539,6178,4.539,6179,3.187,6180,2.733,6181,3.187,6182,3.187,6183,2.032,6184,1.645,6185,4.539,6186,3.187,6187,3.187,6188,3.187,6189,4.533,6190,3.187,6191,3.187,6192,3.187,6193,3.187,6194,6.329,6195,3.187,6196,3.187,6197,3.187,6198,3.187,6199,3.187,6200,5.761,6201,3.187,6202,3.187,6203,3.187,6204,3.187,6205,3.187,6206,3.187,6207,3.187,6208,3.187,6209,3.187,6210,3.148,6211,4.539,6212,3.148,6213,2.894,6214,3.187,6215,3.187,6216,3.187,6217,3.187,6218,3.187,6219,3.187,6220,3.187,6221,3.187,6222,3.187,6223,3.187,6224,3.187,6225,3.187,6226,3.187,6227,5.247,6228,3.892,6229,2.21,6230,2.21,6231,3.187,6232,2.733,6233,2.733,6234,4.65,6235,1.546,6236,2.733,6237,2.434,6238,4.539,6239,3.892,6240,2.434,6241,3.466,6242,3.187,6243,4.539,6244,4.539,6245,3.187,6246,3.187,6247,3.187,6248,3.187,6249,3.466,6250,3.187,6251,3.466,6252,3.148,6253,3.187,6254,3.187,6255,3.187,6256,3.187,6257,3.187,6258,3.187,6259,3.187,6260,2.434,6261,4.539,6262,3.187,6263,3.187,6264,2.733,6265,2.21,6266,2.733,6267,2.733,6268,3.892,6269,3.187,6270,2.21,6271,2.434,6272,5.287,6273,3.187,6274,3.187,6275,3.187,6276,3.187,6277,3.187,6278,3.187
,6279,3.187,6280,3.187,6281,3.187,6282,3.187,6283,3.187,6284,3.187,6285,4.539,6286,2.434,6287,3.187,6288,3.187,6289,3.187,6290,3.187,6291,4.399,6292,3.187,6293,3.187,6294,2.733,6295,3.187,6296,3.187,6297,2.733,6298,3.187,6299,3.187,6300,3.187,6301,2.733,6302,1.883,6303,1.883,6304,3.187,6305,3.187,6306,3.187,6307,3.187,6308,3.187,6309,3.187,6310,3.187,6311,3.187,6312,3.187,6313,2.733,6314,5.287,6315,2.733,6316,3.187,6317,3.187,6318,4.539,6319,3.187,6320,3.187,6321,3.187,6322,3.187,6323,3.187,6324,3.187,6325,4.539,6326,3.187,6327,3.187,6328,3.187,6329,3.187,6330,2.434,6331,3.187,6332,3.187,6333,3.187,6334,3.187,6335,3.187,6336,3.187,6337,3.187,6338,3.187,6339,3.187,6340,3.187,6341,3.187,6342,4.539,6343,3.187,6344,3.187]],["title/gcp/iam.html",[2,4.693,3,4.342,4,6.362,5,3.077,130,2.549,564,2.048]],["breadcrumb/gcp/iam.html",[6,0.224,130,1.296,564,1.041]],["description/gcp/iam.html",[4,3.247,34,0.456,41,0.456,43,0.388,51,1.149,67,0.668,107,1.639,130,1.314,188,2.503,253,2.826,360,3.732,564,1.055,897,1.774,1123,1.148,1503,0.535,1555,5.616,1694,2.662,2590,5.077]],["body/gcp/iam.html",[0,0.117,2,1.009,3,0.915,4,0.684,7,0.578,9,0.256,11,0.159,14,0.603,16,0.637,17,0.522,26,0.431,27,0.521,28,0.431,31,0.24,32,0.149,33,0.266,34,0.186,35,0.32,41,0.178,43,0.158,44,0.157,45,0.394,47,0.079,48,0.043,51,0.347,52,0.437,53,0.18,54,0.427,56,0.358,58,0.807,60,0.279,61,0.76,62,0.471,65,0.55,66,0.25,67,0.264,68,0.409,69,0.309,70,0.884,76,0.566,77,0.501,79,0.371,80,0.396,82,0.769,83,0.183,84,1.04,85,0.302,86,0.119,87,0.616,88,0.05,89,0.055,92,0.855,94,0.471,97,1.038,98,0.798,99,0.93,100,0.586,101,1.353,102,0.077,103,0.193,104,0.157,107,0.509,109,1.336,110,0.408,111,0.672,112,0.616,113,0.628,114,0.798,115,0.37,116,0.166,117,0.34,118,0.371,119,0.522,120,1.082,121,0.385,122,1.02,123,0.475,126,0.061,127,0.409,128,0.522,129,0.507,130,0.533,131,0.504,133,0.105,134,0.358,135,0.492,136,1.029,137,0.383,143,0.655,146,0.581,148,0.186,149,0.409,150,0.358,152,0.552,154,0.309,156,0.197,159,0.464,160,0.257
,161,0.274,162,0.264,165,0.468,170,0.841,171,1.53,172,1.524,173,0.358,176,0.263,178,0.593,180,0.682,182,0.358,183,0.593,184,0.628,185,1.888,186,2.085,187,0.715,188,0.715,189,0.358,191,0.826,192,0.304,193,0.768,194,0.391,198,0.404,199,0.97,206,0.583,207,0.471,209,0.411,213,0.799,214,0.579,216,0.616,218,0.548,219,0.409,220,0.616,221,0.501,222,0.24,225,0.799,227,0.171,230,1.556,238,1.336,239,0.358,241,0.595,244,0.602,245,0.628,246,0.841,247,0.685,249,0.39,251,0.552,253,1.061,254,0.309,256,0.583,258,0.522,260,1.454,262,0.439,263,0.469,264,0.422,265,0.358,270,0.694,271,0.362,272,2.173,273,0.452,274,0.235,276,0.566,277,0.526,278,0.526,279,0.314,281,0.469,282,0.626,285,1.266,288,0.105,290,1.53,292,0.573,293,0.409,294,0.492,296,1.412,298,0.583,299,0.55,300,0.621,303,0.259,304,0.456,305,0.672,307,1.802,308,0.717,311,0.324,312,0.908,313,1.15,316,0.546,317,0.78,319,1.339,322,0.76,323,0.595,327,0.655,329,0.396,330,0.396,333,0.685,339,0.306,340,0.469,341,0.408,342,0.99,343,0.96,344,0.228,346,0.119,350,0.819,351,0.139,352,1.356,353,0.139,360,1.486,373,0.93,374,0.93,376,1.02,384,0.552,385,0.799,394,0.76,395,0.76,397,0.464,400,0.737,410,0.22,411,0.626,412,0.694,413,0.626,414,0.184,415,0.119,416,0.155,417,0.191,418,0.33,419,0.257,420,0.257,424,0.98,430,0.626,433,0.464,438,1.188,441,0.871,442,0.777,446,0.156,451,0.633,459,0.819,468,0.825,473,0.285,480,1.774,481,1.266,483,3.294,487,0.385,488,0.819,490,0.522,496,0.383,498,0.411,500,0.968,504,0.616,510,1.336,511,0.433,512,0.071,513,0.603,516,0.919,519,1.245,520,0.583,521,0.471,522,0.437,523,0.633,524,0.552,527,0.086,528,0.871,529,0.799,530,1.697,531,0.682,532,1.353,538,1.029,539,0.546,540,1.356,543,0.855,546,0.978,547,0.696,550,0.437,551,0.243,560,0.737,561,1.412,563,0.93,564,0.429,566,0.716,568,1.082,580,0.34,582,0.722,592,1.586,596,0.799,628,0.219,629,0.874,630,0.696,631,1.02,633,1.336,634,0.537,637,0.696,640,0.777,641,1.586,647,0.552,649,0.309,650,1.789,653,0.616,655,1.138,656,0.362,657,0.263,659,0.855,660,1.478,661,0.578,666,0.93,67
0,0.984,672,1.098,673,1.262,682,0.76,686,0.394,687,0.711,688,0.685,690,1.074,693,0.371,698,1.336,699,1.424,703,1.723,708,0.552,709,1.2,711,2.732,725,0.966,726,1.789,736,1.454,738,0.76,744,0.685,746,1.098,747,0.722,754,1.14,756,0.527,758,0.841,764,1.098,769,0.522,771,1.304,773,1.266,775,0.737,776,0.841,780,1.382,791,1.065,792,1.029,793,1.029,798,1.933,802,1.378,816,1.065,846,2.085,849,0.93,852,1.789,863,0.877,871,2.516,872,0.495,873,0.299,885,0.583,888,0.93,894,1.524,895,1.179,897,0.711,899,1.046,902,1.603,905,0.464,906,0.333,912,1.356,917,0.34,918,0.655,919,0.541,922,2.511,928,0.626,934,1.802,936,2.242,989,0.578,990,0.685,992,0.149,1001,0.436,1002,0.197,1004,0.957,1006,0.24,1018,0.396,1033,1.454,1034,1.686,1035,2.386,1036,1.097,1041,1.688,1054,0.95,1080,0.984,1092,1.123,1107,1.58,1112,2.142,1119,0.919,1122,0.799,1123,0.453,1124,1.603,1129,2.547,1141,1.353,1145,1.789,1146,0.799,1147,1.286,1156,0.978,1165,0.464,1166,1.245,1170,1.478,1191,2.816,1203,0.93,1213,0.404,1235,1.353,1238,0.871,1242,0.685,1251,1.082,1252,1.31,1258,1.266,1259,1.266,1261,0.978,1269,0.471,1270,1.029,1271,0.583,1273,3.877,1275,0.76,1276,1.382,1278,0.978,1279,0.616,1283,1.188,1288,0.471,1289,0.884,1333,0.522,1334,0.798,1336,1.266,1348,0.383,1350,0.78,1357,1.266,1358,1.802,1361,0.729,1362,1.802,1373,1.029,1375,1.074,1377,0.76,1384,1.586,1406,1.183,1408,0.799,1433,1.2,1435,1.688,1437,1.02,1503,0.215,1506,1.802,1509,1.933,1511,2.269,1513,0.76,1519,2.269,1522,1.688,1523,0.65,1524,2.805,1525,0.583,1526,1.888,1527,1.495,1528,2.255,1529,1.996,1533,2.085,1535,3.096,1538,1.2,1539,1.222,1540,1.833,1543,1.029,1544,0.978,1545,2.498,1546,2.085,1547,1.336,1549,1.412,1551,1.802,1554,4.264,1555,2.004,1556,1.14,1561,2.242,1564,0.826,1565,1.412,1566,1.074,1573,2.47,1577,1.158,1585,3.719,1595,2.085,1597,2.269,1603,1.996,1612,1.789,1613,1.802,1614,2.948,1616,1.02,1618,1.412,1621,0.905,1622,1.888,1627,1.412,1632,1.266,1633,1.336,1634,1.158,1635,1.336,1638,0.855,1639,1.188,1643,2.547,1665,0.93,1676,1.382,1677,0.494,1680
,0.93,1681,1.775,1683,1.074,1684,1.888,1685,1.082,1692,1.586,1694,1.015,1699,1.743,1700,1.478,1710,1.968,1711,1.412,1712,1.336,1713,1.611,1749,2.269,1764,1.586,1766,1.802,1781,3.173,1782,1.412,1786,0.583,1791,1.336,1792,0.616,1793,1.082,1794,1.04,1795,1.412,1796,1.53,1830,1.336,1846,2.269,1852,0.93,1854,1.382,1856,0.93,1865,2.085,1866,0.409,1876,0.93,1877,2.386,1884,2.085,1892,1.14,1893,1.933,1921,0.978,1938,2.511,1946,1.802,1949,0.436,1952,1.789,1957,0.799,1958,1.802,1960,1.2,1961,2.547,1962,1.968,1963,3.531,1964,2.386,1966,1.697,1967,0.968,1974,0.769,1994,2.805,1995,2.805,1996,2.805,1997,2.805,2000,1.586,2004,2.805,2006,1.402,2008,0.541,2060,1.495,2073,3.449,2074,1.412,2078,1.382,2081,0.616,2084,1.495,2090,0.93,2095,1.569,2096,2.828,2100,2.315,2110,0.436,2115,1.316,2117,1.802,2127,2.224,2133,1.888,2141,1.611,2163,1.603,2166,3.517,2216,0.65,2220,1.2,2233,1.996,2249,1.336,2265,1.697,2325,2.269,2328,1.53,2332,0.616,2357,2.47,2413,1.266,2424,2.805,2429,1.336,2432,1.14,2436,1.266,2444,1.137,2451,2.197,2461,2.035,2471,2.498,2472,2.269,2478,1.688,2485,2.805,2546,2.827,2560,2.498,2564,2.085,2578,3.211,2583,1.082,2585,3.389,2590,2.013,2592,1.933,2645,1.336,2656,0.685,2665,2.242,2666,1.586,2673,2.269,2682,2.085,2685,4.998,2687,1.082,2689,3.016,2695,1.933,2862,2.315,2875,2.063,2883,1.996,2902,1.082,2968,2.732,2979,1.802,2982,1.996,2983,3.008,3039,0.78,3051,1.586,3116,1.933,3120,1.412,3148,2.498,3156,2.805,3221,0.93,3225,2.085,3256,1.802,3278,1.688,3288,1.082,3304,1.611,3311,1.688,3400,2.732,3402,3.965,3465,0.722,3478,3.207,3503,1.996,3567,1.029,3574,2.498,3577,3.531,3659,2.498,3828,0.841,3849,0.919,3859,0.978,3862,1.029,3866,2.085,3902,1.336,3960,2.063,3971,1.356,4105,1.13,4169,2.881,4173,2.805,4215,3.008,4243,2.498,4256,1.688,4265,1.266,4281,1.697,4338,2.498,4419,1.412,4430,1.495,4448,2.948,4470,2.269,4628,2.805,4658,1.495,4713,2.498,4728,2.224,4738,1.336,4800,2.498,4868,1.336,4941,2.805,4995,4.451,5130,1.996,5181,2.085,5398,1.933,5534,2.269,5587,1.266,5686,2.498,5788,2.256
,5794,3.444,5801,3.096,5827,3.611,5841,3.719,5843,3.207,5856,2.827,5864,2.767,5877,2.767,5883,2.755,5885,2.498,5896,3.965,5897,3.444,5898,2.805,5913,2.805,5914,2.805,5959,2.948,5975,3.207,6001,2.805,6090,3.965,6091,5.336,6102,4.791,6106,3.531,6112,3.531,6122,3.633,6127,2.805,6133,2.113,6158,2.269,6167,2.498,6210,2.269,6212,2.269,6213,2.085,6229,2.269,6230,3.207,6265,2.269,6302,3.169,6303,3.169,6345,2.315,6346,2.085,6347,2.805,6348,2.805,6349,2.805,6350,2.664,6351,3.272,6352,4.264,6353,3.272,6354,4.624,6355,5.627,6356,3.272,6357,5.364,6358,4.451,6359,4.624,6360,3.272,6361,3.272,6362,3.272,6363,2.805,6364,3.272,6365,4.998,6366,3.272,6367,4.624,6368,3.272,6369,3.272,6370,5.364,6371,4.624,6372,3.272,6373,3.419,6374,3.419,6375,3.272,6376,3.272,6377,3.272,6378,3.272,6379,3.272,6380,2.805,6381,3.272,6382,4.624,6383,2.805,6384,3.272,6385,2.805,6386,3.272,6387,3.272,6388,3.272,6389,3.272,6390,3.272,6391,3.531,6392,2.269,6393,2.805,6394,3.272,6395,5.829,6396,3.272,6397,3.272,6398,3.272,6399,3.272,6400,3.272,6401,5.364,6402,3.272,6403,2.805,6404,3.272,6405,5.829,6406,3.272,6407,3.272,6408,3.272,6409,3.272,6410,3.272,6411,3.272,6412,4.624,6413,3.531,6414,3.531,6415,3.272,6416,3.272,6417,3.272,6418,3.272,6419,3.272,6420,3.272,6421,3.272,6422,3.272,6423,3.272,6424,3.272,6425,4.624,6426,2.805,6427,3.272,6428,2.805,6429,4.624,6430,3.272,6431,3.272,6432,3.272,6433,3.272,6434,3.272,6435,5.992,6436,3.272,6437,2.805,6438,4.624,6439,3.272,6440,3.272,6441,3.272,6442,3.272,6443,3.272,6444,3.272,6445,4.624,6446,3.272,6447,3.272,6448,3.272,6449,4.624,6450,3.272,6451,3.272,6452,3.272,6453,3.272,6454,3.272,6455,3.272,6456,3.272,6457,3.272,6458,3.272,6459,3.272,6460,3.272,6461,3.272,6462,3.272,6463,3.965,6464,3.272,6465,3.272,6466,3.272,6467,3.272,6468,3.272,6469,3.272,6470,3.272,6471,4.095,6472,3.272,6473,3.272,6474,4.998,6475,2.805,6476,3.272,6477,3.272,6478,3.272,6479,3.272,6480,3.272,6481,4.624,6482,4.624,6483,3.272,6484,3.272,6485,3.272,6486,3.272,6487,3.272,6488,3.272,6489,3.272,6490,3.2
72,6491,4.624,6492,3.272,6493,3.272,6494,4.624,6495,3.272,6496,3.272,6497,3.272,6498,3.272,6499,3.272,6500,3.272,6501,3.272,6502,3.272,6503,3.272,6504,3.272,6505,3.272,6506,3.272,6507,3.272,6508,3.272,6509,2.805,6510,3.272,6511,2.805,6512,3.272,6513,2.805,6514,3.272,6515,3.272,6516,2.805,6517,3.272,6518,3.272,6519,2.085,6520,4.624,6521,3.272,6522,3.272,6523,3.272,6524,3.272,6525,3.272,6526,3.272,6527,3.272,6528,3.272,6529,3.272,6530,3.272,6531,3.272,6532,3.272,6533,2.805,6534,3.272,6535,3.272,6536,2.498,6537,3.272,6538,3.272,6539,2.085,6540,5.364,6541,2.805,6542,3.272,6543,3.272,6544,4.624,6545,3.272,6546,3.272,6547,3.272,6548,3.272,6549,3.272,6550,3.272,6551,3.272,6552,3.272,6553,3.272,6554,2.805,6555,3.272,6556,3.272,6557,3.272,6558,3.272,6559,3.272,6560,3.272,6561,3.272,6562,3.272,6563,2.805,6564,3.272,6565,2.498,6566,3.272,6567,3.272,6568,3.272,6569,3.272]],["title/gcp/index.html",[2,4.976,3,4.605,4,6.619,5,3.263,130,2.703]],["breadcrumb/gcp/index.html",[6,0.257,130,1.489]],["description/gcp/index.html",[4,2.827,28,1.455,29,0.631,89,0.174,115,1.405,130,1.549,244,1.76,288,0.712,511,1.503,564,1.245,872,1.638,1123,1.354]],["body/gcp/index.html",[0,0.11,2,0.983,3,0.899,4,0.898,13,0.678,17,0.923,20,1.552,28,0.475,29,0.19,32,0.141,33,0.25,34,0.162,35,0.277,37,0.633,41,0.141,43,0.12,44,0.152,47,0.141,48,0.088,51,0.336,53,0.143,60,0.277,67,0.257,88,0.043,102,0.07,103,0.242,104,0.278,110,0.405,111,0.633,115,0.446,116,0.207,117,0.517,126,0.077,130,0.467,148,0.174,153,0.633,154,0.387,159,0.821,167,1.55,172,1.213,176,0.465,188,0.963,244,0.584,247,1.213,249,0.387,264,0.349,288,0.214,293,0.724,346,0.108,353,0.174,360,1.327,365,0.782,459,0.772,511,0.453,551,0.242,564,0.406,688,1.213,736,1.821,779,0.923,791,1.151,804,4.016,845,0.34,850,0.279,872,0.543,882,1.565,905,1.025,906,0.589,917,0.426,983,1.345,990,1.213,992,0.141,1010,1.916,1013,2.809,1014,2.125,1123,0.442,1167,0.426,1192,3.191,1200,1.731,1288,0.589,1356,3.692,1389,2.5,1503,0.19,1504,1.716,1523,0.589,1538,2.125,1618,2.5,
1694,0.821,1713,2.017,1861,2.727,1949,0.772,1951,1.345,2008,0.824,2009,1.916,2010,3.422,2013,2.45,2015,3.191,2025,2.365,2030,2.017,2095,1.398,2451,1.821,2461,1.916,2575,2.451,2862,2.5,3122,1.033,3141,1.646,3218,1.731,3403,2.988,3606,1.415,3858,2.365,4105,1.415,4205,3.422,4942,2.988,5787,2.727,5789,3.422,5892,2.988,6083,4.016,6084,4.016,6085,4.423,6183,3.692,6570,3.422,6571,4.966]],["title/gcp/ir.html",[2,4.44,3,4.108,4,6.123,5,2.912,130,2.411,288,1.107,511,2.339]],["breadcrumb/gcp/ir.html",[6,0.198,130,1.147,288,0.527,511,1.113]],["description/gcp/ir.html",[2,2.745,3,2.54,13,1.711,34,0.518,43,0.302,51,0.66,130,1.022,148,0.361,159,2.071,219,1.827,244,1.161,288,0.469,292,1.275,451,1.38,511,0.991,629,1.947,710,5.968,745,3.223,791,2.903,894,3.393,917,1.567,1054,2.071,1279,2.752,1503,0.416,2028,2.198,2075,6.679,2076,7.087,2628,6.679,5788,5.363,5892,7.541,6570,8.635]],["body/gcp/ir.html",[0,0.118,2,1.01,3,0.92,4,0.673,9,0.275,11,0.169,13,0.873,14,0.428,16,0.495,17,0.507,19,0.642,23,2.053,25,1.107,26,0.364,27,0.513,28,0.347,29,0.129,30,0.853,31,0.233,32,0.11,33,0.265,34,0.181,35,0.252,37,0.577,38,0.859,40,0.24,41,0.11,43,0.14,44,0.155,45,0.233,47,0.077,48,0.08,51,0.31,52,0.701,53,0.169,54,0.452,55,0.859,56,0.347,58,0.478,60,0.311,61,0.738,62,0.585,65,0.3,66,0.351,67,0.266,68,0.397,69,0.3,71,1.838,76,0.522,77,0.447,79,0.534,80,0.367,81,0.347,82,0.719,83,0.17,84,0.941,85,0.189,86,0.108,88,0.043,89,0.041,94,0.585,97,0.89,98,0.719,100,0.495,101,0.738,102,0.076,106,0.507,107,0.395,108,1.452,110,0.369,111,0.495,112,0.598,113,0.74,114,0.397,115,0.202,116,0.114,117,0.423,118,0.424,119,0.722,120,1.499,121,0.367,122,0.999,123,0.445,124,0.764,125,0.859,126,0.076,127,0.719,128,0.507,129,0.502,130,0.518,131,0.48,132,1.164,133,0.104,137,0.372,140,0.537,141,0.999,142,1.354,143,0.748,144,0.859,145,0.3,146,0.597,148,0.18,149,0.397,150,0.577,151,0.567,152,0.536,153,0.347,154,0.303,156,0.318,157,2.025,159,1.076,160,0.189,161,0.133,162,0.261,165,0.395,167,1.468,168,0.817,169,1.354,172,1.438,1
73,0.302,174,2.426,176,0.424,178,0.662,180,0.372,181,0.776,182,0.406,183,0.461,184,0.372,187,0.867,191,0.815,192,0.29,194,0.385,198,0.347,199,0.767,205,1.107,206,0.941,207,0.662,209,0.192,211,0.665,212,0.264,213,1.107,214,0.488,216,0.767,218,0.516,219,0.949,221,0.333,222,0.423,223,0.603,224,2.025,227,0.14,232,1.143,234,0.598,235,1.371,239,0.347,241,0.633,244,0.607,245,0.618,246,1.356,247,0.665,249,0.473,251,0.89,252,0.543,253,0.681,254,0.656,259,1.107,260,0.999,261,1.345,262,0.212,263,0.423,264,0.401,265,0.347,270,0.72,271,0.379,272,1.988,273,0.233,274,0.206,275,0.943,276,0.508,277,0.516,278,0.511,279,0.252,280,0.388,281,0.465,282,0.537,284,1.164,288,0.24,290,1.051,292,0.395,293,0.397,294,0.794,296,1.371,297,2.155,299,0.3,300,0.461,303,0.261,304,0.406,305,0.656,310,2.278,311,0.192,313,0.764,314,0.999,316,0.619,317,0.764,318,0.665,319,1.085,323,0.606,327,0.45,328,0.397,329,0.347,330,0.347,331,1.229,335,1.208,339,0.295,340,0.489,341,0.398,342,0.95,343,0.865,344,0.114,346,0.085,349,2.559,350,0.703,351,0.13,352,1.164,353,0.19,354,1.937,360,0.9,363,0.498,368,0.817,374,0.642,376,1.341,384,0.764,394,0.642,395,0.642,400,0.722,404,0.665,410,0.206,411,0.537,412,0.537,413,0.537,414,0.172,415,0.108,416,0.128,417,0.158,418,0.302,419,0.22,420,0.22,424,0.722,425,0.74,426,0.767,430,0.619,431,1.729,433,0.45,435,1.955,438,0.817,440,0.999,444,0.495,446,0.341,450,1.354,451,0.69,453,1.988,459,0.902,463,2.337,467,1.424,468,0.808,473,0.531,482,0.738,484,0.598,485,0.566,487,0.401,488,0.842,490,0.507,493,3.118,496,0.673,498,0.384,500,0.665,501,0.642,504,0.423,507,0.9,511,0.492,512,0.098,513,0.574,514,0.994,516,0.631,520,0.567,521,0.689,522,0.428,523,0.543,524,0.89,530,1.166,531,0.619,532,1.225,538,0.999,540,1.164,542,0.999,543,0.507,547,0.478,550,0.438,551,0.22,553,1.452,556,1.229,560,1.008,562,0.859,564,0.416,565,0.948,566,0.677,570,0.903,572,0.384,580,0.152,583,1.166,587,1.051,589,1.877,596,1.486,629,1.005,630,0.794,634,0.277,636,0.722,637,0.478,639,2.887,640,0.603,648,1.877,649,0.3,651,0
.999,653,0.423,655,0.567,656,0.359,657,0.424,659,0.917,661,0.76,664,1.541,666,0.903,670,0.536,671,1.752,672,0.994,673,0.853,676,2.495,682,0.922,684,0.999,686,0.233,687,0.756,688,1.105,693,0.551,694,1.051,696,1.5,702,0.495,703,1.356,710,2.804,715,1.955,717,0.591,725,0.922,736,0.999,738,1.225,744,0.665,745,1.659,746,1.083,756,0.488,758,1.625,762,1.877,765,0.722,771,0.631,773,1.229,775,0.507,779,0.507,783,0.853,784,1.427,791,1.143,793,1.988,794,1.354,803,1.371,807,0.395,808,1.893,816,1.048,845,0.372,856,1.026,863,1.114,872,0.542,873,0.254,889,0.567,894,1.76,895,0.764,897,0.706,899,1.128,900,1.662,903,0.478,905,0.943,906,0.537,909,0.808,912,1.164,914,1.051,917,0.552,918,0.45,919,0.372,922,1.297,927,2.226,928,0.323,989,0.791,1002,0.414,1004,0.941,1006,0.233,1007,1.746,1017,1.371,1018,0.318,1019,1.051,1020,0.791,1021,1.955,1034,0.999,1036,0.941,1039,1.107,1040,1.499,1050,1.752,1052,1.66,1054,0.642,1056,0.738,1080,0.536,1092,0.948,1107,0.817,1111,1.143,1119,0.631,1122,0.776,1123,0.352,1124,1.72,1125,1.371,1129,2.495,1130,1.746,1141,1.052,1147,0.999,1148,2.07,1150,2.203,1165,1.069,1168,0.808,1170,1.341,1173,1.412,1177,0.478,1181,1.412,1186,0.629,1203,0.903,1213,0.277,1228,1.287,1230,0.536,1233,1.424,1235,1.225,1238,0.748,1242,1.105,1252,1.545,1253,1.287,1255,1.052,1261,0.95,1262,2.483,1263,2.025,1265,2.025,1267,2.725,1269,0.619,1274,1.051,1275,1.052,1276,1.354,1278,1.578,1279,1.343,1283,1.356,1333,0.97,1334,0.762,1348,0.712,1350,0.764,1357,1.752,1359,1.541,1361,0.76,1373,0.999,1377,0.738,1378,1.639,1385,1.224,1392,0.631,1406,0.701,1408,1.107,1420,2.426,1423,0.89,1425,2.232,1437,0.999,1446,1.051,1474,0.903,1503,0.215,1504,1.563,1507,2.676,1510,2.495,1525,0.808,1528,1.229,1529,1.371,1530,0.95,1539,0.631,1544,0.95,1548,1.746,1549,2.278,1551,1.75,1553,1.75,1555,0.95,1557,0.507,1561,1.541,1564,1.017,1565,1.371,1566,0.738,1572,1.66,1573,1.752,1577,1.225,1585,2.203,1603,1.955,1606,0.994,1610,1.639,1619,1.269,1621,0.764,1623,2.025,1626,1.988,1630,2.426,1634,0.994,1642,2.725,1666,1.
229,1667,0.478,1669,1.164,1672,2.025,1675,2.203,1677,0.488,1680,1.5,1683,1.225,1684,1.297,1690,0.95,1694,0.984,1695,1.639,1696,0.598,1699,1.945,1700,0.701,1712,1.297,1717,1.955,1757,1.107,1763,3.141,1765,2.07,1766,1.75,1781,1.639,1786,0.808,1787,0.631,1790,1.051,1792,0.598,1794,0.567,1796,1.051,1832,1.354,1852,1.729,1856,1.287,1864,1.371,1865,2.025,1874,1.75,1876,0.903,1883,1.107,1885,1.555,1915,1.809,1918,2.725,1921,0.95,1931,1.541,1935,1.541,1956,0.941,1957,0.776,1964,1.639,1967,1.273,1974,0.76,2006,1.382,2020,2.012,2022,1.371,2026,1.83,2029,2.444,2030,2.64,2036,2.79,2040,2.025,2041,1.877,2042,1.877,2043,1.639,2044,1.166,2051,2.203,2054,2.337,2057,1.644,2064,2.226,2065,0.95,2066,2.683,2073,1.541,2074,1.955,2075,2.412,2076,2.79,2078,1.354,2081,1.145,2082,0.999,2083,0.903,2085,1.877,2089,1.75,2091,2.725,2095,1.547,2096,2.738,2098,2.025,2100,2.808,2102,1.849,2103,2.042,2106,2.887,2108,1.051,2109,1.107,2110,0.603,2112,1.229,2113,2.025,2115,0.853,2133,1.849,2141,1.107,2163,1.354,2166,3.35,2197,2.203,2198,2.203,2199,2.203,2209,2.349,2216,0.631,2224,1.229,2235,1.75,2237,1.639,2239,3.458,2244,1.371,2247,1.452,2249,1.297,2250,2.887,2300,2.025,2301,3.141,2302,2.203,2304,1.639,2319,2.025,2322,4.03,2327,2.887,2328,1.499,2333,3.884,2341,2.203,2342,2.426,2393,2.426,2394,2.426,2397,2.676,2412,1.662,2413,1.229,2418,2.116,2421,2.79,2429,1.297,2432,2.004,2434,0.999,2436,2.353,2440,2.725,2444,1.114,2461,2.24,2467,1.412,2559,1.877,2583,1.051,2590,1.644,2628,1.452,2632,2.559,2666,2.79,2675,1.877,2689,1.955,2695,1.877,2696,3.141,2768,2.725,2859,1.639,2860,2.203,2861,2.025,2862,1.955,2874,2.07,2875,1.912,2881,2.887,2889,2.025,2890,2.203,2894,1.541,2985,1.849,2986,2.629,3039,0.971,3094,2.203,3120,1.371,3122,0.567,3128,3.35,3140,1.75,3143,4.24,3218,0.95,3221,1.287,3243,2.278,3244,2.495,3288,1.051,3391,1.877,3406,2.337,3478,3.141,3502,2.07,3503,1.955,3507,1.877,3538,1.499,3549,1.639,3567,0.999,3571,1.107,3607,2.426,3628,2.349,3766,2.676,3787,2.426,3797,2.426,3826,1.541,3828,0.817,3845,1.49
9,3848,2.07,3849,1.143,3858,2.155,3859,1.354,3864,1.75,3888,2.07,3890,1.798,3895,2.203,3902,1.297,3960,1.66,3971,0.999,3994,2.676,4004,0.665,4026,2.025,4031,1.877,4033,1.452,4039,1.541,4040,2.725,4043,4,4105,1.545,4115,2.203,4169,2.349,4256,1.639,4265,1.229,4281,1.166,4361,2.495,4390,3.458,4430,2.07,4436,1.297,4470,3.66,4520,2.426,4526,2.426,4647,2.676,4727,4.393,4728,1.838,4730,2.495,4734,1.639,4769,3.66,4789,2.426,4790,2.908,4803,2.426,4870,4.384,4930,2.025,4942,1.639,5166,2.025,5182,1.452,5220,2.426,5225,2.725,5326,1.639,5477,3.667,5515,1.75,5539,2.725,5587,1.229,5679,2.725,5700,4.03,5720,3.884,5787,2.349,5788,2.441,5790,1.541,5791,2.676,5795,3.458,5801,2.559,5802,2.426,5803,2.426,5825,2.203,5827,3.654,5830,2.025,5836,2.426,5837,4.217,5849,2.426,5852,3.66,5853,2.725,5855,2.203,5856,2.196,5857,2.426,5858,2.426,5861,2.887,5862,3.884,5863,3.884,5864,2.337,5867,2.725,5870,2.203,5877,2.337,5878,2.426,5881,2.725,5883,1.955,5892,3.702,5897,1.877,5920,2.426,5954,2.725,5959,2.025,5962,3.458,6016,2.426,6102,2.203,6104,2.725,6112,2.426,6122,3.593,6158,2.203,6163,2.203,6167,2.426,6210,2.203,6212,2.203,6213,2.025,6230,3.66,6260,2.426,6286,3.458,6301,2.725,6302,1.877,6303,1.877,6350,2.07,6355,4.933,6358,4.393,6363,2.725,6365,2.725,6373,2.025,6374,2.025,6383,4.933,6385,2.725,6435,3.884,6437,2.725,6463,2.725,6471,4.393,6554,2.725,6570,4.416,6572,2.426,6573,2.725,6574,2.203,6575,3.177,6576,5.753,6577,3.169,6578,4.933,6579,4.933,6580,3.884,6581,5.278,6582,4.526,6583,3.177,6584,2.495,6585,3.177,6586,3.884,6587,2.725,6588,4.384,6589,3.884,6590,2.426,6591,3.177,6592,2.725,6593,2.725,6594,3.177,6595,3.177,6596,3.177,6597,1.452,6598,3.177,6599,3.177,6600,5.753,6601,3.177,6602,3.177,6603,4.529,6604,5.278,6605,3.177,6606,3.177,6607,3.177,6608,3.177,6609,3.177,6610,3.177,6611,3.177,6612,3.177,6613,4.529,6614,3.177,6615,4.526,6616,5.753,6617,3.177,6618,3.177,6619,3.177,6620,4.529,6621,3.177,6622,3.177,6623,3.177,6624,3.177,6625,4.529,6626,3.177,6627,3.177,6628,3.177,6629,3.177,6630,3.177,6
631,3.177,6632,3.177,6633,3.177,6634,3.177,6635,3.177,6636,3.177,6637,3.177,6638,3.177,6639,3.177,6640,5.278,6641,3.177,6642,3.177,6643,3.177,6644,2.426,6645,3.177,6646,2.725,6647,2.025,6648,3.177,6649,5.278,6650,2.725,6651,3.177,6652,3.458,6653,2.725,6654,2.725,6655,5.278,6656,5.753,6657,5.278,6658,4.529,6659,4.529,6660,3.177,6661,3.177,6662,3.177,6663,3.177,6664,3.177,6665,3.177,6666,3.177,6667,3.177,6668,3.177,6669,5.753,6670,4.933,6671,3.177,6672,3.177,6673,3.177,6674,3.177,6675,3.177,6676,3.177,6677,3.177,6678,5.753,6679,3.884,6680,2.725,6681,3.884,6682,4.526,6683,2.725,6684,3.177,6685,3.177,6686,3.177,6687,3.177,6688,3.177,6689,5.278,6690,3.177,6691,3.177,6692,3.177,6693,3.177,6694,3.177,6695,3.177,6696,3.177,6697,3.177,6698,3.177,6699,3.177,6700,3.177,6701,3.177,6702,3.177,6703,3.177,6704,3.177,6705,3.177,6706,3.177,6707,3.177,6708,3.177,6709,3.177,6710,3.177,6711,3.177,6712,3.177,6713,3.177,6714,3.177,6715,3.177,6716,3.177,6717,3.177,6718,3.177,6719,3.177,6720,4.529,6721,3.177,6722,3.177,6723,3.177,6724,2.025,6725,2.725,6726,2.426,6727,3.177,6728,2.725,6729,2.426,6730,2.203,6731,1.877,6732,3.177,6733,3.177,6734,3.177,6735,6.082,6736,3.177,6737,3.177,6738,3.177,6739,3.177,6740,3.177,6741,3.177,6742,3.177,6743,2.725,6744,3.177,6745,4.529,6746,3.177,6747,3.177,6748,3.177,6749,2.725,6750,3.177,6751,4.529,6752,3.177,6753,3.177,6754,3.177,6755,3.177,6756,4.529,6757,4.529,6758,4.529,6759,3.177,6760,3.177,6761,3.177,6762,3.177,6763,3.177,6764,3.177,6765,3.177,6766,3.177,6767,3.177,6768,3.177,6769,3.177,6770,3.177,6771,3.177,6772,3.177,6773,3.177,6774,3.177,6775,2.725,6776,3.177,6777,3.177,6778,3.177,6779,2.203,6780,3.177,6781,4.933,6782,3.177,6783,5.278,6784,3.177,6785,4.529,6786,3.177,6787,4.529,6788,4.529,6789,4.529,6790,5.753,6791,4.529,6792,4.529,6793,3.177,6794,3.177,6795,4.529,6796,3.177,6797,3.177,6798,3.177]],["title/gcp/kubernetes.html",[2,4.693,3,4.342,4,6.362,5,3.077,130,2.549,2575,12.696]],["breadcrumb/gcp/kubernetes.html",[6,0.224,130,1.296,1949,2.469]]
,["description/gcp/kubernetes.html",[3,2.117,4,2.268,44,0.368,115,1.127,117,1.306,148,0.438,244,1.411,292,1.551,779,2.833,850,0.742,872,1.313,1123,1.086,1167,1.306,1503,0.506,1861,7.257,1949,2.368,1951,4.126,2013,6.521,2095,3.721,2451,5.588,2575,6.19,3818,13.57,6571,15.238]],["body/gcp/kubernetes.html",[0,0.118,2,1.009,3,0.904,4,0.956,5,0.594,7,0.401,9,0.254,11,0.158,13,0.376,14,0.303,20,1.006,26,0.426,27,0.457,28,0.462,29,0.13,31,0.449,32,0.154,33,0.266,34,0.173,35,0.333,37,0.775,40,0.309,41,0.182,43,0.153,44,0.153,45,0.48,47,0.111,48,0.07,51,0.334,52,0.303,53,0.167,54,0.305,56,0.351,58,0.686,62,0.646,66,0.312,67,0.271,68,0.793,69,0.303,73,1.557,76,0.535,77,0.521,79,0.258,80,0.194,82,0.401,83,0.183,86,0.136,88,0.05,89,0.051,90,0.655,92,0.922,93,1.486,94,0.327,100,0.351,102,0.079,103,0.134,104,0.154,106,0.512,107,0.28,109,1.311,110,0.319,112,1.089,114,0.571,115,0.471,116,0.246,117,0.542,118,0.524,121,0.415,123,0.465,124,0.896,126,0.042,127,0.401,128,0.512,129,0.444,130,0.529,131,0.456,133,0.105,137,0.376,140,0.327,145,0.599,146,0.501,148,0.186,150,0.351,154,0.305,159,0.647,160,0.255,161,0.255,162,0.266,165,0.28,167,0.746,168,1.173,169,0.96,173,0.329,176,0.366,178,0.664,180,0.621,182,0.305,184,0.677,188,0.889,189,0.351,190,1.311,191,0.647,192,0.308,193,0.534,194,0.386,198,0.424,200,1.148,207,0.621,209,0.349,212,0.134,214,0.524,216,0.608,219,0.571,221,0.39,222,0.558,223,0.428,227,0.129,229,1.863,230,1.06,232,0.638,241,0.533,242,0.868,244,0.609,245,0.534,247,0.672,249,0.355,252,0.426,254,0.63,256,0.814,261,0.638,262,0.386,263,0.39,264,0.434,270,0.715,271,0.312,272,1.669,274,0.254,275,0.608,277,0.466,278,0.49,279,0.153,280,0.236,281,0.48,288,0.147,290,1.51,292,0.608,293,0.401,298,0.947,303,0.259,304,0.446,305,0.678,306,2.495,308,0.58,310,1.386,311,0.402,312,0.428,323,0.533,324,1.242,326,1.006,327,0.647,328,0.723,329,0.402,330,0.402,331,1.242,332,0.542,339,0.308,341,0.41,342,0.997,343,0.798,344,0.239,346,0.135,350,0.87,351,0.14,352,0.708,353,0.137,363,0.599,365,0.376,368
,0.825,369,1.062,373,0.913,374,0.455,385,0.784,394,0.455,395,0.455,397,0.865,404,0.672,414,0.219,415,0.136,416,0.154,417,0.19,418,0.336,419,0.265,420,0.265,424,0.727,425,0.376,426,0.707,427,1.148,430,0.7,431,0.913,433,0.455,438,0.825,439,1.118,441,0.647,442,0.707,443,0.913,444,0.58,446,0.333,451,0.641,459,0.917,472,1.765,475,0.825,477,2.452,480,0.868,481,1.765,484,0.605,485,0.401,487,0.409,488,0.845,490,0.846,494,1.769,496,0.376,498,0.47,500,0.955,501,0.899,506,0.825,507,0.907,511,0.43,512,0.097,513,0.599,514,1.089,519,1.233,520,0.947,521,0.646,522,0.546,523,0.641,527,0.135,529,0.784,530,1.674,531,0.54,539,0.54,540,0.708,543,0.727,544,0.672,547,0.483,550,0.409,551,0.303,552,0.913,554,1.435,556,1.242,558,0.96,560,0.512,562,0.868,564,0.404,565,0.672,566,0.501,572,0.386,580,0.276,586,1.557,596,1.297,624,1.386,626,1.669,627,1.467,628,0.355,629,0.428,631,0.708,634,0.601,635,3.685,636,0.846,640,0.608,647,0.77,649,0.577,650,1.242,651,1.435,653,0.608,655,0.947,656,0.246,657,0.426,659,0.512,660,0.708,661,0.401,662,1.233,663,2.227,666,1.297,672,1.089,673,1.256,676,1.769,681,2.817,682,0.647,685,0.672,686,0.236,687,0.679,688,0.955,693,0.426,694,1.51,699,0.784,703,1.486,706,2.355,708,0.975,709,1.178,713,1.233,717,0.504,725,1.024,733,1.765,739,2.355,744,0.672,746,1.195,747,1.275,753,1.118,754,1.118,756,0.535,765,0.727,768,0.825,769,0.727,776,1.173,779,1.227,782,1.297,783,0.605,790,0.708,793,1.435,814,3.941,816,0.638,845,0.311,849,1.643,850,0.304,851,2.227,856,0.573,868,1.386,872,0.493,873,0.272,888,1.297,889,0.573,890,2.097,894,0.746,895,0.542,897,0.431,899,0.727,903,0.483,906,0.54,909,0.947,917,0.39,918,1.018,919,0.781,928,0.54,933,1.118,934,2.514,938,2.227,945,2.753,954,0.534,989,0.834,992,0.078,1001,0.428,1002,0.194,1005,1.97,1006,0.335,1007,1.062,1011,0.825,1018,0.275,1019,1.062,1020,0.664,1021,1.386,1033,1.669,1039,1.118,1054,0.899,1055,2.236,1056,1.06,1092,0.672,1103,0.708,1108,0.913,1110,2.72,1112,1.849,1113,1.657,1114,1.657,1122,1.412,1123,0.447,1141,1.598,1145,1.242,1153
,1.657,1166,1.06,1167,0.517,1168,0.573,1170,0.708,1173,0.746,1177,0.483,1185,1.557,1186,0.499,1191,1.242,1194,2.121,1200,1.364,1203,0.913,1213,0.582,1228,1.509,1230,1.125,1235,0.746,1238,0.925,1242,1.21,1252,1.115,1255,0.746,1269,0.742,1270,1.01,1271,0.814,1273,1.897,1274,1.062,1278,0.96,1283,0.825,1287,1.386,1288,0.621,1289,1.65,1294,0.588,1315,2.574,1333,0.512,1346,1.242,1348,0.621,1350,0.77,1359,1.557,1360,1.118,1361,0.723,1377,0.746,1406,1.006,1423,0.896,1424,1.311,1425,1.178,1437,0.708,1445,1.347,1473,0.868,1480,2.909,1494,1.557,1495,1.467,1496,1.467,1503,0.2,1513,0.746,1523,0.752,1527,1.467,1531,1.386,1539,0.638,1548,1.062,1550,0.96,1555,0.96,1556,1.589,1557,0.512,1564,0.752,1577,0.605,1616,0.708,1621,0.542,1622,1.863,1633,1.311,1634,1.311,1638,0.512,1639,0.825,1666,1.765,1667,1.003,1676,1.364,1677,0.524,1680,0.913,1681,1.51,1683,1.342,1684,1.311,1685,1.062,1694,0.455,1700,1.275,1713,1.118,1714,1.062,1757,1.849,1770,1.467,1778,3.164,1782,1.386,1786,0.947,1790,1.062,1794,0.573,1796,1.062,1832,0.96,1852,0.913,1854,1.587,1857,2.753,1861,2.81,1886,0.913,1892,1.118,1925,1.897,1949,1.013,1950,1.92,1951,1.748,1954,1.178,1956,1.031,1957,1.115,1965,2.514,1967,1.472,1974,0.664,1980,4.414,2006,1.296,2013,2.555,2022,2.495,2028,0.483,2054,2.739,2057,0.868,2060,1.467,2081,1.324,2082,1.01,2083,1.297,2095,1.56,2099,1.765,2104,1.171,2110,0.428,2111,1.118,2115,1.195,2126,1.948,2127,1.589,2163,0.96,2203,1.297,2212,1.01,2213,1.118,2216,1.148,2220,1.674,2252,1.769,2332,0.605,2346,1.769,2418,0.96,2432,1.118,2434,1.818,2436,1.765,2444,1.035,2451,2.406,2452,1.311,2454,2.047,2458,1.769,2461,2.346,2463,3.685,2468,3.685,2469,3.384,2473,2.514,2474,2.047,2475,1.897,2476,1.112,2477,1.01,2479,4.066,2480,3.164,2486,2.452,2539,2.21,2541,3.628,2542,3.749,2543,3.495,2544,4.154,2545,4.154,2546,3.235,2547,2.227,2551,1.386,2571,3.136,2573,1.467,2575,2.691,2576,2.02,2577,2.013,2580,1.386,2581,4.01,2589,1.769,2590,1.9,2606,2.227,2607,2.753,2621,2.213,2623,2.514,2628,1.467,2629,1.467,2630,3.739,2631,
2.227,2632,1.557,2633,1.01,2644,4.957,2645,1.311,2646,1.657,2647,2.047,2648,2.227,2656,0.672,2665,1.557,2678,1.386,2679,2.355,2684,1.386,2686,0.542,2689,2.817,2692,1.557,2693,1.435,2704,1.897,2729,2.753,2730,1.178,2731,1.769,2732,1.769,2733,1.769,2734,2.753,2752,1.657,2760,2.227,2764,2.739,2805,3.164,2815,2.395,2825,2.047,2828,3.596,2837,2.909,2853,2.452,2859,1.657,2881,2.047,2886,1.897,2889,2.047,3029,2.514,3039,0.542,3041,1.769,3085,1.364,3115,3.136,3120,1.386,3122,0.573,3130,1.657,3135,1.657,3141,1.855,3153,2.047,3275,1.386,3288,1.756,3380,3.913,3400,2.696,3409,1.657,3439,5.44,3464,0.708,3465,1.399,3537,1.297,3567,1.01,3603,1.01,3606,0.784,3621,2.753,3628,1.311,3670,1.897,3672,2.452,3674,1.897,3704,1.769,3775,3.495,3778,2.696,3828,1.364,3845,1.062,3867,2.426,3902,1.311,3960,1.995,3971,0.708,4075,3.913,4078,2.227,4104,1.557,4108,2.227,4113,2.452,4169,2.951,4177,3.484,4338,2.452,4524,2.168,4586,3.164,4604,3.164,4656,2.452,4658,2.085,4726,2.696,4728,2.21,4734,1.657,4794,1.557,4868,1.863,4934,2.753,4971,3.136,5064,2.495,5124,3.164,5132,2.047,5278,3.685,5326,1.657,5461,4.054,5513,3.24,5519,4.414,5522,3.484,5523,2.452,5537,2.452,5538,2.924,5556,3.913,5768,5.369,5787,2.36,5788,1.178,5816,2.452,5826,1.897,5827,3.551,5856,3.077,5860,3.484,5861,3.892,5864,1.657,5877,3.151,5883,2.738,5892,1.657,5897,1.897,5903,2.227,5906,2.452,5924,2.452,5927,2.452,5928,2.452,5930,2.452,5931,2.452,5941,2.452,5948,2.753,5951,2.753,5958,2.753,6002,2.227,6079,2.452,6106,2.452,6122,1.897,6180,3.913,6184,1.657,6213,2.047,6227,3.484,6228,2.753,6230,2.227,6234,3.484,6237,2.452,6240,3.484,6249,2.452,6251,4.054,6252,3.681,6270,2.227,6291,4.984,6352,3.164,6391,2.452,6474,4.552,6509,2.753,6511,2.753,6513,4.552,6519,2.047,6539,2.047,6743,2.753,6799,5.75,6800,3.211,6801,3.235,6802,3.211,6803,2.753,6804,2.753,6805,5.597,6806,6.107,6807,3.211,6808,3.211,6809,3.211,6810,3.211,6811,5.781,6812,3.211,6813,3.211,6814,3.211,6815,3.211,6816,5.309,6817,3.211,6818,5.781,6819,5.781,6820,5.309,6821,5.781,6822,4.563,
6823,4.563,6824,4.563,6825,4.563,6826,5.309,6827,3.913,6828,3.913,6829,2.452,6830,3.211,6831,3.211,6832,3.211,6833,3.211,6834,3.211,6835,3.211,6836,2.452,6837,3.211,6838,6.107,6839,5.781,6840,3.211,6841,3.211,6842,5.309,6843,3.211,6844,3.211,6845,3.211,6846,4.563,6847,2.227,6848,2.753,6849,3.211,6850,3.211,6851,6.345,6852,4.563,6853,4.563,6854,3.211,6855,3.211,6856,3.211,6857,3.211,6858,3.211,6859,2.753,6860,3.211,6861,3.211,6862,3.211,6863,4.563,6864,3.211,6865,4.552,6866,4.563,6867,3.211,6868,3.211,6869,4.563,6870,3.211,6871,5.309,6872,3.211,6873,3.211,6874,3.211,6875,4.563,6876,3.211,6877,3.211,6878,3.211,6879,3.211,6880,4.563,6881,3.211,6882,3.211,6883,3.211,6884,3.211,6885,3.211,6886,3.211,6887,3.211,6888,3.211,6889,3.211,6890,3.211,6891,4.563,6892,3.211,6893,3.211,6894,3.211,6895,3.211,6896,3.211,6897,3.211,6898,3.211,6899,3.211,6900,3.211,6901,3.211,6902,3.211,6903,4.563,6904,3.211,6905,2.227,6906,5.255,6907,2.452,6908,2.753,6909,4.957,6910,5.309,6911,4.957,6912,4.957,6913,1.897,6914,4.552,6915,5.236,6916,3.211,6917,3.913,6918,4.552,6919,4.563,6920,3.913,6921,3.211,6922,3.211,6923,2.753,6924,3.211,6925,2.753,6926,3.211,6927,2.753,6928,2.753,6929,3.211,6930,3.211,6931,2.753,6932,2.753,6933,3.211,6934,3.211,6935,3.211,6936,3.211,6937,3.913,6938,3.913,6939,3.211,6940,2.753,6941,3.211,6942,2.753,6943,2.452,6944,2.753,6945,2.227,6946,3.211,6947,2.753,6948,2.753,6949,4.563,6950,3.211,6951,3.211,6952,3.211,6953,3.211,6954,3.211,6955,3.211,6956,5.309,6957,3.211,6958,3.211,6959,3.211,6960,3.211,6961,3.211,6962,2.753,6963,2.753,6964,2.753,6965,2.753,6966,3.211,6967,3.211,6968,3.211,6969,3.211,6970,3.211,6971,3.211,6972,3.211,6973,3.211,6974,3.211,6975,4.552,6976,2.753,6977,3.913,6978,3.211,6979,3.211,6980,3.211,6981,2.753,6982,3.211,6983,3.211,6984,4.563,6985,3.211,6986,3.211,6987,3.211,6988,3.211,6989,2.753,6990,2.753,6991,3.913,6992,2.047,6993,3.211,6994,2.753,6995,2.753,6996,2.753,6997,3.211,6998,3.211,6999,3.211,7000,2.753,7001,2.753,7002,2.753,7003,3.211,7004,2.75
3,7005,2.753,7006,2.753,7007,3.211,7008,3.211,7009,2.227,7010,2.452,7011,2.753,7012,3.211,7013,2.227]],["title/gcp/logging.html",[2,5.954,3,3.898,4,5.902,5,2.763,130,2.288,244,2.599,845,1.665]],["breadcrumb/gcp/logging.html",[2,1.895,6,0.178,130,1.029,244,1.169,845,0.749]],["description/gcp/logging.html",[2,1.91,3,1.767,28,0.974,33,0.528,54,0.991,130,1.037,133,0.245,148,0.532,156,0.895,167,3.444,188,1.976,244,2.213,261,2.947,360,2.947,693,1.191,793,4.665,845,1.097,872,1.096,885,2.646,897,1.401,989,1.855,1002,0.895,1504,3.812,2461,7.132,2862,6.403,3555,4.01,5788,5.443,6729,11.327]],["body/gcp/logging.html",[0,0.115,2,1.011,3,0.919,4,0.397,9,0.249,11,0.127,13,0.881,14,0.538,16,0.488,19,0.441,23,1.704,26,0.419,27,0.492,28,0.488,31,0.419,32,0.138,33,0.27,34,0.164,35,0.327,37,0.57,41,0.168,43,0.137,44,0.145,45,0.229,47,0.138,48,0.086,50,0.842,51,0.342,52,0.701,53,0.183,54,0.471,55,0.842,56,0.34,58,0.671,59,1.84,60,0.352,61,0.723,62,0.454,65,0.294,66,0.369,67,0.259,68,0.652,69,0.538,71,1.085,76,0.484,77,0.443,78,2.252,79,0.504,80,0.39,81,0.34,83,0.182,84,0.555,85,0.238,86,0.107,87,1.073,88,0.049,89,0.049,90,0.548,91,0.687,92,0.962,93,0.8,94,0.317,96,0.723,97,0.525,98,0.389,99,0.855,100,0.623,101,1.036,102,0.08,103,0.13,104,0.15,107,0.455,110,0.218,111,0.57,113,0.757,114,0.389,115,0.197,117,0.461,118,0.541,121,0.364,123,0.42,126,0.075,128,0.496,129,0.484,130,0.53,131,0.471,133,0.12,134,0.57,135,0.945,136,0.979,138,0.723,139,0.687,140,0.614,141,1.257,142,1.804,143,0.808,146,0.538,148,0.189,150,0.623,151,0.931,152,0.525,153,0.34,156,0.412,159,1.069,160,0.306,161,0.297,162,0.258,164,1.271,165,0.39,167,1.623,168,1.147,169,0.931,172,1.568,173,0.288,176,0.358,178,0.639,180,0.523,181,0.761,182,0.298,183,0.317,184,0.757,187,0.595,188,0.595,189,0.57,191,0.739,192,0.27,193,0.364,194,0.388,198,0.379,199,0.804,203,0.8,206,0.931,207,0.454,209,0.399,212,0.276,214,0.458,216,0.595,218,0.518,219,0.842,220,0.841,221,0.486,222,0.542,223,0.415,227,0.127,229,1.271,230,0.723,232,0.619,233,0.785
,234,0.586,239,0.488,241,0.597,244,0.618,245,0.523,246,0.8,247,0.935,249,0.45,251,0.525,252,0.419,254,0.611,256,0.555,259,1.085,260,1.641,261,1.037,262,0.208,263,0.475,264,0.188,265,0.57,270,0.711,271,0.241,272,1.404,273,0.419,274,0.111,275,0.882,277,0.529,278,0.534,279,0.149,280,0.383,281,0.419,282,0.531,284,0.8,285,1.205,286,1.607,288,0.194,290,1.477,292,0.604,293,0.652,294,0.857,299,0.294,300,0.272,303,0.265,304,0.42,305,0.671,306,2.792,308,0.34,311,0.418,313,0.525,315,1.269,316,0.531,319,1.201,323,0.588,324,1.205,327,0.633,328,0.389,329,0.344,330,0.344,331,2.205,332,0.753,334,1.985,337,1.51,339,0.302,340,0.486,341,0.394,342,0.947,343,0.908,344,0.187,346,0.113,349,1.51,350,0.759,351,0.128,352,1.257,353,0.211,354,2.092,360,1.485,363,0.493,368,0.8,374,0.633,384,0.962,385,1.091,388,0.723,392,1.607,394,0.633,395,0.633,397,0.739,410,0.204,411,0.531,412,0.531,413,0.531,414,0.156,415,0.098,416,0.127,417,0.156,418,0.3,419,0.218,420,0.218,425,0.757,426,0.415,427,0.619,430,0.658,431,1.483,432,0.842,433,0.441,435,1.344,436,2.378,439,1.555,440,1.404,442,0.415,443,0.885,444,0.57,446,0.334,451,0.625,453,0.979,459,0.931,472,1.205,473,0.272,474,1.715,475,0.8,480,1.411,482,1.323,484,0.586,485,0.558,487,0.418,488,0.759,490,0.496,498,0.45,500,0.935,501,0.633,504,0.695,506,1.147,511,0.409,512,0.083,513,0.538,514,0.983,516,0.887,519,1.212,521,0.614,522,0.645,523,0.538,524,0.753,530,1.142,531,0.317,532,1.036,533,1.84,539,0.454,543,0.496,544,1.093,546,0.931,547,0.908,550,0.39,551,0.252,552,1.269,557,1.142,560,0.832,562,1.207,564,0.41,566,0.593,571,1.344,572,0.381,580,0.288,585,2.159,587,1.03,596,1.275,626,1.898,628,0.208,629,0.595,631,0.687,634,0.497,636,1.001,637,0.671,640,0.595,649,0.493,653,0.415,655,0.555,656,0.339,657,0.358,659,0.712,660,1.331,661,0.558,662,1.933,666,0.885,670,0.753,673,1.073,676,1.715,681,1.344,682,0.739,684,0.979,685,1.264,686,0.383,687,0.736,690,1.323,693,0.556,698,2.328,699,0.761,703,1.551,708,0.88,709,1.142,710,1.823,713,0.842,715,1.927,716,1.477,717,0.548,72
5,1.038,738,1.036,739,2.303,745,0.985,746,0.983,747,0.985,756,0.458,759,1.51,760,0.8,765,0.832,768,1.341,769,0.496,773,1.205,775,0.832,776,0.8,780,1.56,783,0.586,791,0.887,793,1.975,794,1.334,798,1.84,802,0.8,807,0.455,808,1.731,845,0.388,855,1.51,863,1.082,872,0.55,873,0.238,880,1.715,885,0.555,897,0.57,899,0.909,906,0.317,908,1.142,909,1.076,912,1.151,913,1.477,917,0.495,919,0.8,922,1.271,928,0.58,929,2.378,936,1.51,938,3.096,949,1.607,954,0.364,987,0.761,989,0.785,990,0.652,994,3.828,1002,0.45,1004,1.201,1006,0.486,1018,0.344,1019,1.03,1020,0.652,1034,1.792,1036,0.555,1040,1.727,1046,1.341,1049,1.551,1051,1.607,1054,0.89,1056,0.723,1092,0.935,1111,1.037,1119,0.619,1122,1.474,1123,0.348,1124,0.931,1126,1.142,1141,0.723,1143,1.085,1146,0.761,1151,2.378,1159,1.085,1165,0.999,1167,0.229,1168,1.247,1170,0.985,1173,0.723,1175,1.205,1177,0.468,1181,1.323,1184,2.159,1185,1.51,1213,0.597,1230,0.525,1238,0.808,1239,2.531,1242,1.264,1252,1.58,1255,1.036,1259,1.205,1261,0.931,1266,1.84,1269,0.658,1271,0.555,1275,1.401,1278,0.931,1279,1.073,1288,0.531,1294,0.317,1315,1.51,1334,0.364,1343,1.085,1348,0.667,1350,0.88,1359,1.51,1361,0.713,1385,1.207,1386,1.877,1392,1.285,1412,2.378,1425,2.092,1432,2.159,1437,0.687,1445,1.151,1446,1.477,1503,0.162,1504,1.797,1518,0.885,1523,0.658,1538,1.142,1550,1.334,1556,1.818,1557,0.496,1572,1.792,1577,0.841,1603,1.344,1606,0.586,1613,1.715,1616,0.687,1619,0.985,1626,1.975,1632,1.205,1634,0.983,1638,0.496,1641,2.378,1643,2.459,1665,1.269,1667,0.468,1669,1.341,1677,0.458,1678,1.085,1679,1.84,1680,1.483,1682,4.475,1683,1.036,1684,1.271,1690,1.334,1700,0.687,1709,0.979,1711,1.344,1757,1.085,1765,2.04,1769,1.715,1782,1.344,1786,0.931,1787,1.199,1790,1.727,1792,0.841,1793,1.477,1794,0.555,1796,1.477,1854,1.56,1861,2.328,1866,0.827,1869,1.344,1872,1.985,1877,2.693,1881,1.51,1883,1.986,1885,0.842,1886,0.885,1890,2.159,1898,2.459,1915,1.404,1921,0.931,1922,1.423,1925,1.84,1929,1.985,1931,2.926,1932,1.51,1933,0.979,1943,2.378,1951,0.723,1956,1.017,1967,
0.935,1974,0.652,1988,1.715,2000,2.165,2006,1.183,2007,1.84,2008,0.364,2022,1.927,2026,1.207,2029,1.818,2030,1.085,2045,1.51,2047,0.979,2049,2.165,2050,1.715,2057,1.748,2061,1.205,2063,2.159,2081,1.136,2082,0.979,2083,1.785,2090,0.885,2095,1.568,2104,0.687,2110,0.595,2111,2.381,2122,1.205,2134,2.67,2163,1.56,2212,0.979,2216,0.619,2220,1.638,2233,2.605,2241,2.159,2244,1.344,2247,1.423,2256,2.67,2265,1.142,2270,2.378,2308,1.985,2316,2.378,2320,3.096,2329,1.715,2331,1.51,2337,2.328,2338,1.823,2339,2.693,2357,1.205,2400,2.459,2418,1.56,2423,1.985,2432,2.347,2434,1.792,2436,1.727,2444,1.142,2461,2.536,2467,1.212,2476,0.652,2539,1.986,2551,1.344,2566,1.985,2573,2.04,2575,1.818,2590,0.842,2656,0.652,2666,2.764,2684,1.344,2689,1.344,2692,2.165,2694,0.687,2696,2.159,2739,1.423,2764,1.607,2859,1.607,2861,1.985,2862,3.161,2866,2.378,2867,1.927,2868,1.142,2869,1.51,2870,1.607,2871,3.828,2872,2.159,2873,2.378,2874,2.04,2875,1.975,2880,3.828,2883,1.344,2884,1.985,2885,2.846,2886,1.84,2894,1.51,2946,2.378,2947,2.159,2976,2.252,2986,2.385,3014,2.159,3031,1.84,3033,2.378,3037,2.378,3039,0.88,3085,1.334,3086,2.378,3090,1.715,3094,2.159,3107,0.931,3119,2.693,3122,1.12,3131,4.198,3135,1.607,3140,1.715,3141,0.885,3143,3.634,3144,1.927,3153,2.846,3218,0.931,3279,1.344,3291,2.328,3304,1.085,3365,2.638,3391,1.84,3459,3.083,3462,1.607,3464,0.687,3465,1.151,3478,3.619,3499,1.985,3502,2.04,3537,0.761,3538,1.03,3539,2.131,3543,1.271,3547,2.67,3551,2.846,3555,0.842,3567,1.641,3571,1.555,3579,1.607,3609,3.083,3613,1.51,3628,2.328,3769,3.096,3792,2.846,3811,2.378,3819,2.67,3823,2.875,3824,2.159,3826,1.51,3828,1.147,3858,2.953,3859,1.334,3861,0.885,3862,0.979,3864,2.459,3902,1.271,3960,1.792,3971,0.985,4004,1.354,4033,1.423,4039,2.764,4105,1.393,4109,2.875,4186,5.777,4214,1.84,4265,2.019,4297,3.096,4363,2.846,4409,1.985,4419,1.344,4428,1.985,4434,1.477,4437,1.423,4443,2.67,4445,2.378,4586,2.159,4656,3.409,4658,1.423,4728,1.986,4733,2.159,4740,2.159,4782,1.84,4860,0.979,4875,2.67,5061,3.096,5089,3.
847,5132,3.634,5155,3.828,5160,3.409,5163,2.638,5170,2.378,5172,2.67,5182,2.605,5262,3.828,5266,3.327,5288,2.67,5326,2.941,5332,1.607,5477,1.985,5509,2.159,5587,1.205,5700,3.409,5735,2.159,5740,3.096,5788,2.607,5790,1.51,5791,2.638,5794,4.13,5795,2.378,5801,2.926,5802,2.378,5803,2.378,5804,2.159,5805,2.159,5811,1.985,5817,2.67,5825,2.159,5827,3.667,5830,4.411,5849,2.378,5856,1.51,5864,2.303,5870,3.096,5877,1.607,5883,2.46,5884,2.67,5885,3.409,5886,3.828,5888,2.67,5892,3.414,5897,2.638,5905,2.67,5953,2.159,5959,1.985,6102,3.096,6122,3.083,6133,1.423,6158,3.096,6184,1.607,6210,3.619,6212,3.619,6213,3.327,6227,5.284,6234,5.144,6237,2.378,6239,3.828,6240,3.985,6241,4.795,6249,3.409,6251,5.144,6252,4.672,6260,2.378,6265,2.159,6266,2.67,6286,2.378,6302,1.84,6303,1.84,6330,2.378,6358,5.144,6373,1.985,6374,1.985,6391,3.409,6393,2.67,6428,3.828,6516,4.475,6519,2.846,6536,2.378,6563,4.475,6570,4.49,6573,3.828,6574,3.096,6579,3.828,6580,2.67,6582,3.828,6615,5.777,6650,2.67,6653,2.67,6679,2.67,6680,2.67,6681,2.67,6682,2.67,6683,2.67,6726,2.378,6729,4.795,6731,1.84,6749,2.67,6781,4.475,6991,5.673,6994,2.67,6995,2.67,6996,2.67,7000,2.67,7001,2.67,7002,2.67,7004,2.67,7005,2.67,7006,2.67,7011,3.828,7014,2.378,7015,3.114,7016,6.468,7017,2.67,7018,3.114,7019,6.617,7020,3.083,7021,3.828,7022,2.378,7023,3.828,7024,3.828,7025,4.464,7026,6.468,7027,2.67,7028,4.464,7029,4.464,7030,4.464,7031,4.464,7032,2.378,7033,3.114,7034,3.114,7035,3.114,7036,3.114,7037,5.701,7038,4.464,7039,2.67,7040,3.114,7041,3.114,7042,3.114,7043,3.114,7044,3.114,7045,4.464,7046,2.67,7047,3.114,7048,3.114,7049,3.114,7050,3.114,7051,3.114,7052,3.114,7053,3.114,7054,5.219,7055,3.114,7056,4.464,7057,4.464,7058,3.114,7059,3.114,7060,3.114,7061,3.114,7062,4.464,7063,3.114,7064,3.114,7065,3.114,7066,3.114,7067,3.114,7068,3.114,7069,3.114,7070,3.114,7071,4.464,7072,3.114,7073,3.114,7074,3.114,7075,3.114,7076,4.464,7077,3.114,7078,3.114,7079,4.464,7080,4.464,7081,3.114,7082,3.114,7083,3.114,7084,3.114,7085,3.114,7086,3.114
,7087,3.828,7088,3.114,7089,3.114,7090,3.114,7091,3.114,7092,3.114,7093,3.114,7094,3.114,7095,3.114,7096,3.114,7097,3.114,7098,3.114,7099,4.464,7100,4.464,7101,3.114,7102,3.114,7103,5.219,7104,3.114,7105,3.114,7106,3.114,7107,3.114,7108,3.114,7109,3.114,7110,3.114,7111,3.114,7112,3.114,7113,3.114,7114,3.114,7115,3.114,7116,3.114,7117,3.114,7118,3.114,7119,3.114,7120,3.114,7121,3.114,7122,2.67,7123,3.114,7124,3.114,7125,5.219,7126,3.114,7127,4.464,7128,2.67,7129,1.985,7130,3.114,7131,3.114,7132,3.114,7133,3.114,7134,3.114,7135,5.701,7136,3.114,7137,4.464,7138,4.464,7139,3.114,7140,3.114,7141,4.464,7142,3.114,7143,4.464,7144,2.67,7145,2.67,7146,3.114,7147,3.114,7148,3.114,7149,3.828,7150,3.114,7151,3.114,7152,3.114,7153,3.114,7154,3.114,7155,3.114,7156,4.464,7157,3.114,7158,3.114,7159,3.114,7160,4.464,7161,4.464,7162,4.464,7163,3.114,7164,3.114,7165,3.114,7166,3.114,7167,3.114,7168,3.114,7169,2.159,7170,3.114,7171,3.114,7172,3.114,7173,3.114,7174,3.114,7175,3.114,7176,3.114,7177,3.114,7178,3.114,7179,3.114,7180,3.114,7181,3.114,7182,3.114,7183,3.114]],["title/gcp/network.html",[2,4.693,3,4.342,4,6.362,5,3.077,115,2.312,130,2.549]],["breadcrumb/gcp/network.html",[6,0.224,115,1.175,130,1.296]],["description/gcp/network.html",[2,2.171,3,3.247,4,2.152,29,0.48,33,0.6,44,0.349,51,0.761,115,1.069,130,1.179,153,1.843,188,2.246,850,0.986,877,2.688,882,4.557,889,3.007,1499,8.176,2012,6.523,2015,9.289,2095,3.53,3218,5.04,3403,8.7,4792,8.7,6183,10.748]],["body/gcp/network.html",[0,0.119,2,1.01,3,0.917,4,0.728,7,0.653,8,2.38,9,0.316,10,1.273,11,0.127,14,0.57,16,0.623,19,0.442,26,0.25,27,0.508,28,0.343,29,0.188,31,0.229,32,0.179,33,0.269,35,0.3,40,0.13,41,0.183,43,0.092,44,0.158,45,0.229,47,0.127,48,0.059,50,1.207,51,0.347,52,0.493,53,0.179,54,0.42,55,0.842,56,0.341,60,0.351,61,0.724,62,0.742,65,0.493,66,0.364,67,0.261,68,0.755,69,0.57,76,0.519,77,0.229,79,0.504,80,0.27,81,0.341,82,0.559,83,0.178,84,0.556,85,0.13,86,0.113,87,0.587,88,0.047,89,0.051,90,0.39,91,0.687,92,0.712,93,0.80
1,94,0.455,96,1.037,97,0.526,98,0.39,99,0.442,100,0.341,101,1.037,102,0.084,103,0.13,104,0.274,110,0.422,111,0.488,112,1.218,113,0.523,114,0.559,115,0.482,116,0.187,117,0.384,118,0.359,119,0.712,120,1.031,121,0.39,122,0.687,123,0.45,124,0.754,125,0.842,126,0.075,127,0.39,128,0.712,129,0.493,130,0.523,131,0.493,132,0.801,133,0.1,134,0.488,135,0.469,137,0.523,138,0.724,139,0.687,141,1.385,142,1.878,143,0.442,144,1.632,146,0.593,148,0.163,149,0.39,150,0.488,151,0.556,152,0.754,153,0.66,154,0.208,156,0.188,158,1.424,160,0.285,161,0.3,162,0.258,165,0.456,167,0.724,170,1.614,171,1.887,172,1.539,173,0.334,176,0.595,178,0.614,180,0.707,181,1.091,182,0.208,183,0.673,184,0.668,187,0.415,188,1.03,190,2.921,191,0.74,192,0.31,193,0.757,194,0.395,197,1.273,198,0.364,199,0.415,200,1.472,201,1.405,203,1.757,207,0.723,209,0.379,211,0.935,212,0.252,213,0.761,214,0.359,216,0.415,217,1.511,218,0.534,219,0.39,220,0.983,221,0.509,222,0.509,223,0.76,224,1.987,225,0.761,232,0.619,233,0.469,234,0.587,239,0.488,241,0.456,242,1.411,244,0.584,245,0.611,247,1.093,249,0.349,251,0.526,254,0.493,256,0.797,258,0.962,259,1.086,262,0.513,263,0.328,264,0.399,265,0.341,270,0.686,271,0.168,273,0.444,274,0.266,277,0.522,278,0.534,279,0.214,280,0.229,281,0.475,282,0.58,291,1.824,292,0.39,293,0.713,294,0.672,298,1.12,299,0.294,300,0.272,301,2.092,302,2.305,303,0.248,304,0.403,305,0.653,307,2.461,313,1.244,316,0.455,317,0.526,319,1.154,323,0.272,324,1.206,326,1.385,328,0.855,329,0.379,330,0.39,331,1.206,332,0.962,334,1.987,335,0.887,339,0.294,340,0.486,341,0.401,342,0.964,343,0.858,344,0.225,346,0.084,350,0.76,351,0.124,352,1.258,353,0.194,354,2.092,360,1.468,363,0.294,374,0.442,384,0.881,392,1.608,394,0.442,395,0.442,404,0.653,410,0.204,411,0.58,412,0.58,413,0.58,414,0.171,415,0.107,416,0.138,417,0.171,418,0.316,419,0.238,420,0.238,424,0.712,425,0.611,426,0.415,427,1.285,430,0.58,432,1.411,433,0.74,441,1.014,446,0.273,451,0.625,459,0.804,473,0.527,480,0.842,482,0.724,483,1.608,484,0.983,485,0.713,486,3.142
,487,0.364,488,0.76,490,0.712,491,1.273,496,0.365,497,1.345,498,0.42,499,2.465,501,0.74,507,1.037,511,0.409,512,0.041,513,0.538,514,0.587,517,1.728,518,1.335,520,0.556,521,0.58,522,0.538,523,0.57,524,0.526,527,0.139,529,0.761,530,1.916,531,0.317,538,0.98,539,0.531,540,0.687,541,1.717,542,1.405,543,0.909,544,0.653,550,0.315,551,0.262,552,0.886,560,0.497,562,0.842,564,0.384,572,0.299,580,0.322,587,1.478,588,2.461,592,1.511,628,0.208,630,0.672,634,0.577,636,0.497,637,0.469,640,0.76,641,2.166,647,0.962,649,0.57,650,1.206,654,3.326,655,0.556,656,0.168,657,0.359,659,0.497,661,0.39,664,1.511,673,0.841,682,0.74,686,0.384,687,0.752,694,1.478,699,0.761,702,0.623,703,1.888,708,1.18,715,1.345,717,0.456,725,0.938,726,1.206,744,1.264,746,1.218,747,0.985,756,0.25,758,1.342,761,2.041,769,0.497,771,0.619,782,1.535,783,1.074,784,1.207,790,0.687,793,0.98,794,0.932,797,2.672,799,0.932,805,2.041,807,0.39,808,1.909,813,2.461,816,0.619,845,0.266,849,0.886,850,0.32,855,2.532,856,0.556,863,1.028,864,1.031,872,0.489,873,0.238,875,2.672,876,1.987,877,1.153,878,1.841,881,1.717,882,1.945,885,1.077,888,0.886,889,1.219,890,1.898,895,0.754,897,0.686,905,0.442,906,0.317,908,1.639,909,1.12,914,1.031,919,0.523,921,1.031,926,1.511,928,0.455,932,1.086,933,2.188,936,2.166,954,0.365,989,0.559,990,0.935,992,0.138,1001,0.898,1006,0.509,1011,0.801,1018,0.188,1020,0.39,1034,0.98,1036,0.931,1039,1.086,1046,0.801,1051,1.608,1054,1.014,1056,1.037,1080,1.236,1092,0.653,1119,0.619,1123,0.455,1141,1.324,1149,2.38,1154,2.672,1155,1.345,1159,1.086,1160,1.608,1166,1.037,1167,0.229,1168,0.556,1169,1.608,1171,2.38,1173,1.037,1174,1.928,1186,0.488,1191,2.645,1213,0.39,1230,0.526,1238,0.442,1251,1.478,1252,1.276,1259,1.206,1269,0.58,1271,0.797,1275,1.324,1276,2.139,1277,2.672,1294,0.455,1333,0.962,1334,0.365,1348,0.365,1357,1.206,1359,1.511,1360,1.556,1361,0.559,1377,1.212,1406,0.687,1408,1.393,1423,0.754,1424,1.824,1433,1.639,1436,3.046,1437,0.985,1444,1.478,1445,1.258,1446,1.031,1447,1.273,1472,3.356,1473,2.027,1474,1.
881,1478,1.632,1479,2.702,1499,2.532,1503,0.127,1510,1.717,1518,0.886,1525,0.556,1539,0.619,1540,0.98,1557,0.712,1560,1.819,1564,0.442,1566,0.724,1616,0.687,1619,0.687,1621,0.881,1625,1.639,1634,1.183,1638,0.497,1643,1.717,1665,0.886,1667,1.13,1669,1.551,1676,1.561,1677,0.504,1678,1.086,1683,1.037,1689,1.345,1690,0.932,1713,1.086,1784,2.119,1786,1.077,1787,0.887,1790,1.031,1791,1.273,1792,1.218,1793,2.079,1795,1.345,1853,2.041,1854,0.932,1855,2.161,1856,0.886,1866,0.653,1871,1.608,1874,1.717,1875,2.161,1914,1.717,1924,2.161,1931,2.532,1933,1.405,1938,2.132,1946,1.717,1952,1.206,1954,2.092,1956,0.556,1957,1.091,1964,1.608,1967,0.653,1974,0.559,2006,1.074,2009,1.031,2012,2.503,2017,0.724,2020,1.031,2023,1.841,2026,1.698,2057,1.749,2078,0.932,2081,0.841,2093,1.511,2095,1.612,2099,1.206,2122,1.728,2223,0.98,2229,2.166,2235,2.876,2237,1.608,2249,1.273,2265,1.639,2321,1.717,2331,1.511,2346,1.717,2413,1.206,2429,1.824,2435,1.987,2444,1.143,2452,1.824,2455,1.424,2475,1.841,2476,0.935,2477,0.98,2551,3.088,2564,1.987,2582,2.876,2589,2.876,2621,2.166,2633,0.98,2656,0.935,2666,3.268,2677,1.345,2679,2.942,2689,2.908,2722,2.38,2745,1.717,2815,2.305,2825,1.987,2854,2.687,2864,1.608,2865,2.38,2867,1.345,2874,1.424,2878,1.987,2883,1.928,2885,1.987,2976,1.928,3011,2.848,3034,2.532,3036,2.15,3039,0.754,3051,2.166,3085,0.932,3107,0.932,3123,1.717,3124,1.717,3144,1.928,3145,1.608,3149,1.916,3210,4.359,3211,2.161,3215,1.608,3218,2.282,3221,0.886,3223,2.161,3224,1.987,3225,4.219,3226,2.161,3227,2.161,3229,2.161,3230,2.38,3241,3.83,3243,1.928,3244,1.717,3256,1.717,3271,2.161,3272,3.955,3288,1.887,3289,3.369,3291,2.752,3292,3.338,3293,3.823,3294,3.712,3295,3.621,3296,3.621,3299,3.621,3300,3.085,3301,3.621,3302,3.621,3303,1.987,3304,1.819,3306,1.511,3309,2.161,3310,1.511,3311,1.608,3312,1.717,3313,1.273,3314,1.728,3320,3.085,3335,2.672,3336,0.98,3361,1.717,3362,2.38,3363,2.38,3364,2.38,3365,1.841,3366,1.841,3367,2.161,3375,3.621,3399,2.951,3403,3.608,3441,3.098,3464,1.152,3465,1.258,3500,1.1
44,3502,2.041,3503,2.606,3506,1.987,3507,1.841,3531,2.38,3536,2.166,3564,1.841,3567,0.98,3571,1.086,3572,2.161,3611,3.955,3628,2.329,3695,2.672,3781,1.717,3849,1.037,3854,1.824,3859,1.561,3861,0.886,3862,0.98,3870,2.041,3890,0.842,3902,1.273,3904,3.411,3916,3.955,3960,1.898,3971,0.687,4104,1.511,4105,1.783,4171,1.273,4215,1.608,4281,1.144,4346,2.38,4347,6.32,4363,1.987,4419,1.345,4446,3.411,4514,2.041,4686,3.098,4717,2.672,4724,2.305,4728,1.986,4730,1.717,4737,2.305,4792,3.115,4794,2.166,4845,4.61,4870,2.161,5173,4.486,5182,2.041,5238,3.411,5356,1.273,5357,1.987,5364,2.38,5366,2.161,5398,1.841,5401,2.38,5414,2.672,5417,3.411,5449,4.186,5474,2.38,5475,2.672,5561,4.477,5587,1.206,5688,2.38,5788,1.144,5790,1.511,5791,2.639,5792,2.161,5793,2.38,5794,3.369,5801,3.209,5827,3.631,5830,3.848,5834,5.176,5835,5.053,5837,4.356,5840,3.411,5841,3.098,5843,3.621,5846,3.955,5852,3.621,5856,2.765,5861,2.848,5864,1.608,5870,2.161,5877,2.942,5883,1.928,5897,1.841,5903,4.186,5953,3.098,5986,3.987,5997,4.355,6012,4.89,6016,3.987,6048,5.387,6132,2.672,6133,1.424,6183,4.56,6267,2.672,6302,1.841,6303,1.841,6313,2.672,6373,1.987,6374,1.987,6403,3.83,6413,2.38,6414,2.38,6426,2.672,6829,3.987,6836,2.38,6945,2.161,7032,2.38,7046,2.672,7184,3.117,7185,5.222,7186,6.47,7187,6.037,7188,2.672,7189,3.117,7190,6.037,7191,4.467,7192,5.222,7193,7.154,7194,2.848,7195,5.222,7196,3.83,7197,5.222,7198,5.703,7199,4.477,7200,4.467,7201,4.467,7202,6.037,7203,3.117,7204,3.117,7205,4.467,7206,4.467,7207,4.467,7208,3.117,7209,3.117,7210,3.117,7211,4.467,7212,2.672,7213,3.117,7214,3.117,7215,3.117,7216,3.117,7217,3.117,7218,3.117,7219,3.117,7220,6.739,7221,3.117,7222,3.117,7223,4.467,7224,3.117,7225,4.467,7226,4.467,7227,4.467,7228,4.467,7229,3.117,7230,3.117,7231,3.117,7232,3.117,7233,4.467,7234,3.117,7235,3.117,7236,3.117,7237,3.117,7238,3.117,7239,4.467,7240,3.117,7241,3.117,7242,3.117,7243,3.117,7244,3.117,7245,3.117,7246,2.672,7247,3.117,7248,5.222,7249,3.83,7250,4.467,7251,4.467,7252,4.467,7253,3.117,7254,
3.117,7255,3.117,7256,3.117,7257,3.117,7258,3.117,7259,3.117,7260,3.117,7261,3.117,7262,3.117,7263,3.117,7264,3.117,7265,3.117,7266,3.117,7267,4.467,7268,4.467,7269,3.117,7270,3.117,7271,3.117,7272,3.117,7273,3.117,7274,3.117,7275,3.117,7276,3.117,7277,3.117,7278,3.117,7279,3.117,7280,4.467,7281,5.222,7282,3.117,7283,2.848,7284,2.672,7285,3.117,7286,3.117,7287,2.672,7288,3.117,7289,3.117,7290,3.117,7291,3.117,7292,3.117,7293,3.117,7294,3.117,7295,3.117,7296,2.38,7297,3.117,7298,3.117,7299,2.38,7300,6.739,7301,4.467,7302,3.117,7303,3.117,7304,6.037,7305,3.117,7306,3.117,7307,3.117,7308,3.117,7309,3.117,7310,3.117,7311,3.117,7312,3.117,7313,3.117,7314,3.117,7315,3.117,7316,3.117,7317,3.117,7318,3.117,7319,3.117,7320,3.117,7321,3.117,7322,3.117,7323,3.117,7324,3.117,7325,3.117,7326,3.117,7327,3.117,7328,3.117,7329,3.117,7330,3.117,7331,4.467,7332,4.467,7333,3.117,7334,5.222,7335,4.467,7336,3.117,7337,3.117,7338,3.117,7339,3.117,7340,3.117,7341,3.117,7342,3.117,7343,3.117,7344,3.117,7345,3.117,7346,2.161,7347,3.117,7348,3.117,7349,3.117,7350,3.117,7351,3.117,7352,3.117,7353,3.117,7354,3.117,7355,3.117,7356,3.117,7357,3.117,7358,3.117,7359,3.117,7360,3.117,7361,3.117,7362,3.117,7363,4.467,7364,3.117,7365,3.117,7366,3.117,7367,3.117,7368,3.117,7369,4.467,7370,3.117,7371,3.117,7372,3.117,7373,3.117,7374,3.117,7375,3.117,7376,3.117,7377,3.117,7378,3.117,7379,3.117,7380,3.117,7381,3.117,7382,6.037,7383,4.467,7384,3.117,7385,3.117,7386,3.117,7387,3.117]],["title/gcp/workloads.html",[2,4.693,3,4.342,4,6.362,5,3.077,130,2.549,1123,2.227]],["breadcrumb/gcp/workloads.html",[6,0.224,130,1.296,1123,1.132]],["description/gcp/workloads.html",[2,3.161,3,1.667,4,2.636,34,0.34,51,0.632,53,0.51,117,1.028,130,0.979,756,1.123,918,1.983,1123,1.262,1200,4.183,1361,1.75,1441,6.395,1503,0.399,1618,6.04,1694,1.983,1861,5.714,1962,5.135,2013,5.135,2110,1.864,2332,2.635,2575,4.874,3119,7.22,3122,2.496,3464,3.086,3535,8.268,3606,3.419,4105,5.998,4942,7.22,7283,8.92]],["body/gcp/workloads.html",[0,
0.118,2,1.01,3,0.909,4,0.892,9,0.249,11,0.126,13,0.8,14,0.42,16,0.622,18,2.369,19,0.631,21,2.16,23,0.928,26,0.249,27,0.498,31,0.486,32,0.152,33,0.263,34,0.166,35,0.309,37,0.723,40,0.238,41,0.126,43,0.153,44,0.156,47,0.126,48,0.069,51,0.334,53,0.181,54,0.481,56,0.487,57,1.709,60,0.316,61,0.72,62,0.453,65,0.293,66,0.349,67,0.264,68,0.808,69,0.492,76,0.54,77,0.327,79,0.484,80,0.314,81,0.339,82,0.651,83,0.183,84,0.553,85,0.281,86,0.106,88,0.045,89,0.053,90,0.389,91,0.982,92,0.495,93,1.144,94,0.453,96,1.034,97,0.524,98,0.388,99,0.738,100,0.622,101,1.034,102,0.08,103,0.186,104,0.214,110,0.421,111,0.339,112,0.839,113,0.61,114,0.388,115,0.361,116,0.186,117,0.518,118,0.358,119,0.907,120,1.027,121,0.39,123,0.442,124,0.751,125,0.839,126,0.069,127,0.388,128,0.907,129,0.484,130,0.519,131,0.484,132,1.144,133,0.115,135,0.67,137,0.363,140,0.658,141,1.149,142,1.701,143,0.44,144,1.204,145,0.492,146,0.592,148,0.171,149,0.808,150,0.659,151,1.015,152,0.751,153,0.339,154,0.298,156,0.314,160,0.262,161,0.292,162,0.26,165,0.389,167,1.321,168,1.463,170,0.797,172,0.65,173,0.347,176,0.358,178,0.579,182,0.45,183,0.316,184,0.61,187,0.413,188,0.758,191,0.738,192,0.305,193,0.734,194,0.395,195,2.248,198,0.422,199,0.758,200,0.885,203,1.339,207,0.658,209,0.343,212,0.251,213,0.758,214,0.504,216,0.413,218,0.534,219,0.388,220,1.072,221,0.383,222,0.547,223,0.994,224,1.978,227,0.126,230,1.209,233,0.906,234,1.135,239,0.339,241,0.389,242,1.204,244,0.571,245,0.363,246,0.797,247,0.65,249,0.419,251,0.96,252,0.418,254,0.537,256,0.553,260,1.4,262,0.419,263,0.327,264,0.314,265,0.569,270,0.754,271,0.281,272,1.638,273,0.443,274,0.225,276,0.358,277,0.525,278,0.531,279,0.272,281,0.418,282,0.579,285,1.723,290,1.027,291,1.267,292,0.603,293,0.784,294,0.467,296,1.922,298,0.553,303,0.231,304,0.38,305,0.653,306,2.601,308,0.339,316,0.53,317,0.524,318,1.192,319,1.218,321,1.505,322,1.034,323,0.455,326,1.255,327,0.631,328,0.557,329,0.343,330,0.343,331,1.2,332,1.058,339,0.298,340,0.486,341,0.397,342,0.958,343,0.856,344,0.259,34
6,0.121,349,1.505,350,0.758,351,0.124,352,1.255,353,0.194,354,2.088,360,1.357,363,0.293,368,0.797,369,1.027,384,0.751,392,1.601,394,0.44,395,0.44,397,0.631,410,0.216,411,0.579,412,0.579,413,0.579,414,0.171,415,0.106,416,0.138,417,0.171,418,0.316,419,0.238,420,0.238,424,0.83,425,0.788,426,0.694,427,0.616,430,0.579,431,0.882,432,1.538,433,0.44,441,0.631,442,0.593,444,0.723,446,0.331,451,0.636,459,0.694,473,0.497,475,0.797,482,1.209,484,0.839,485,0.388,487,0.343,488,0.694,491,1.818,496,0.521,497,2.248,498,0.348,501,0.889,507,0.616,508,1.505,511,0.353,512,0.095,513,0.492,517,1.2,518,0.928,519,0.72,520,0.794,521,0.453,522,0.592,523,0.569,524,0.751,527,0.083,531,0.453,539,0.638,543,1,544,0.65,546,1.802,550,0.269,551,0.186,560,0.907,561,1.339,562,0.839,564,0.384,565,0.932,566,0.624,572,0.419,580,0.327,587,2.227,588,2.453,592,1.505,628,0.403,634,0.271,636,0.71,637,0.467,640,0.593,647,0.524,649,0.592,655,1.119,656,0.24,657,0.574,661,0.557,666,0.882,672,0.584,673,1.302,681,2.985,682,0.631,684,0.976,686,0.228,687,0.658,688,0.65,690,1.456,693,0.418,694,1.027,702,0.487,703,1.796,708,0.751,715,1.339,717,0.497,725,1.061,726,1.2,744,0.932,745,0.684,746,0.839,753,1.081,756,0.593,758,1.463,760,0.797,762,2.631,764,0.584,765,0.71,771,0.885,772,2.631,779,1,780,0.928,784,0.839,794,0.928,803,2.248,807,0.271,808,1.927,813,1.339,814,1.833,816,0.616,845,0.342,850,0.186,856,1.075,863,1.108,872,0.531,873,0.129,877,0.961,885,0.929,887,1.922,897,0.293,905,0.806,906,0.613,917,0.228,918,1.078,919,0.363,928,0.453,933,1.081,936,2.76,954,0.61,987,1.788,989,0.784,992,0.075,1000,1.267,1001,0.593,1011,1.144,1018,0.314,1020,0.808,1033,1.4,1034,0.976,1041,1.601,1047,2.152,1048,2.16,1050,1.2,1054,1.05,1055,1.2,1056,0.72,1080,1.274,1092,0.65,1103,0.684,1111,0.616,1119,0.616,1122,1.273,1123,0.453,1141,1.399,1146,1.273,1147,1.458,1155,1.339,1165,0.44,1166,0.72,1167,0.461,1170,0.684,1173,1.321,1177,0.783,1182,1.922,1186,0.569,1190,2.631,1191,2.015,1194,2.088,1200,2.067,1213,0.526,1228,1.266,1230,1.225,1238,0.8
54,1242,0.65,1251,1.027,1252,1.391,1255,1.209,1269,0.613,1270,1.4,1271,0.929,1275,1.321,1276,1.331,1279,0.839,1286,0.928,1288,0.453,1289,0.839,1294,0.613,1315,1.505,1333,0.83,1334,0.61,1348,0.61,1350,0.751,1357,1.723,1361,0.904,1373,0.976,1377,1.034,1406,1.149,1423,0.879,1424,1.267,1441,2.38,1442,1.418,1445,0.684,1473,0.839,1474,1.481,1478,0.839,1479,2.561,1503,0.188,1504,1.463,1518,0.882,1523,0.685,1525,1.267,1539,1.035,1543,0.976,1550,1.557,1553,1.709,1556,1.551,1560,1.081,1564,0.806,1610,1.601,1612,2.015,1616,0.684,1618,3.12,1619,0.684,1621,0.524,1628,1.418,1634,1.407,1636,2.369,1638,0.495,1639,0.797,1643,1.709,1646,3.088,1666,1.2,1667,1.04,1669,0.797,1676,1.331,1677,0.484,1680,0.882,1681,1.027,1683,0.72,1690,0.928,1694,0.631,1701,1.601,1703,2.152,1704,1.978,1706,2.369,1708,3.088,1709,0.976,1710,1.139,1713,1.081,1757,2.099,1770,2.38,1784,1.79,1786,1.075,1787,1.035,1790,1.027,1792,0.584,1854,1.331,1860,2.152,1861,2.699,1864,1.922,1866,0.388,1876,0.882,1885,0.839,1888,4.179,1894,1.418,1921,0.928,1925,1.833,1933,0.976,1938,1.818,1945,2.453,1949,0.803,1950,0.976,1951,1.321,1954,1.139,1956,0.553,1962,1.634,1967,1.192,1974,0.784,1982,2.369,1988,1.709,2006,1.268,2013,2.756,2019,1.418,2025,1.818,2028,0.67,2045,2.76,2050,1.709,2054,2.298,2064,1.2,2074,1.922,2081,1.327,2082,0.976,2083,0.882,2095,1.575,2104,1.255,2110,0.694,2111,1.081,2115,0.584,2126,1.634,2213,1.081,2216,1.035,2223,1.4,2231,2.453,2243,1.709,2244,1.339,2294,3.4,2317,2.152,2325,2.152,2332,1.286,2397,1.833,2406,2.152,2412,1.634,2413,1.2,2433,1.339,2436,1.2,2444,1.147,2451,2.032,2455,1.418,2458,1.709,2471,2.369,2487,2.661,2573,1.418,2575,2.379,2576,1.027,2580,2.905,2584,3.819,2585,1.505,2590,1.204,2623,1.709,2656,0.932,2665,1.505,2666,2.76,2679,3.411,2683,1.833,2684,1.339,2689,2.905,2694,0.684,2722,3.4,2730,1.634,2779,1.339,2815,1.634,2822,1.339,2828,1.709,2830,2.453,2833,2.453,2854,1.634,2867,1.922,2870,1.601,2875,1.638,2902,1.883,2959,2.369,2982,2.248,3029,1.709,3036,1.79,3039,0.751,3051,2.16,3085,0.928,3090
,1.709,3119,2.298,3120,2.985,3122,1.282,3135,2.298,3144,2.248,3148,2.369,3149,1.139,3218,1.331,3220,1.833,3221,1.266,3256,1.709,3278,1.601,3288,1.723,3289,1.833,3291,3.051,3292,2.688,3304,1.814,3306,1.505,3313,1.267,3314,2.727,3336,0.976,3393,1.709,3409,2.298,3464,1.566,3465,0.684,3499,1.978,3507,1.833,3534,2.839,3535,1.833,3537,1.579,3539,2.127,3543,1.818,3555,0.839,3556,2.453,3558,2.152,3567,1.79,3571,1.551,3600,2.152,3601,2.152,3606,1.874,3609,1.833,3628,2.324,3660,2.152,3661,2.152,3662,2.152,3676,3.947,3682,3.642,3683,2.631,3685,2.152,3688,2.661,3697,2.369,3747,2.839,3748,2.152,3749,2.152,3775,3.642,3776,1.833,3778,1.833,3798,2.661,3828,1.144,3832,2.661,3845,1.883,3850,2.298,3854,1.267,3859,1.557,3864,1.709,3867,1.418,3870,1.418,3902,1.818,3903,1.709,3950,2.16,3960,1.895,3971,0.684,4025,1.505,4043,4.164,4105,1.871,4109,2.869,4115,3.088,4169,2.324,4285,3.078,4299,1.978,4328,2.631,4361,1.709,4419,1.922,4434,1.027,4438,3.819,4524,2.561,4706,2.661,4728,1.982,4782,1.833,4860,0.976,4868,1.267,4942,3.71,4971,1.833,5063,2.661,5064,2.601,5099,2.661,5100,1.267,5130,1.339,5132,2.839,5170,2.369,5266,2.839,5278,1.978,5356,1.267,5363,1.978,5461,3.4,5513,3.357,5515,2.869,5519,5.216,5521,3.819,5522,3.977,5523,3.4,5524,3.819,5525,3.088,5531,1.978,5537,2.369,5538,3.32,5547,3.977,5563,3.819,5582,2.661,5587,1.2,5621,3.819,5635,4.79,5787,2.324,5790,1.505,5791,2.631,5793,2.369,5794,3.078,5797,1.505,5804,2.152,5805,2.152,5827,3.662,5830,2.839,5835,5.459,5836,4.346,5837,4.987,5840,3.4,5841,3.088,5843,3.088,5846,3.088,5852,4.584,5856,2.76,5861,3.628,5864,1.601,5877,2.688,5892,1.601,5903,3.947,5920,2.369,5923,3.4,5953,3.088,5963,1.978,5965,5.168,5974,3.819,5975,3.088,5986,2.369,5993,3.819,5997,3.4,6091,2.369,6108,3.819,6122,1.833,6163,2.152,6189,4.466,6302,1.833,6303,1.833,6330,3.4,6350,2.38,6352,3.612,6373,1.978,6374,1.978,6413,2.369,6414,2.369,6570,1.833,6586,2.661,6652,3.4,6670,2.661,6724,3.842,6779,2.152,6799,4.346,6829,2.369,6836,2.369,6859,2.661,6906,4.934,6909,3.819,6911,4.466,691
2,4.466,6914,4.88,6915,5.379,6917,2.661,6918,3.819,6920,2.661,6923,2.661,6925,2.661,6927,2.661,6928,2.661,6931,2.661,6932,3.819,6937,2.661,6938,2.661,6940,2.661,6944,2.661,6947,4.466,6948,2.661,6962,2.661,6963,2.661,6964,2.661,6975,3.819,6976,4.466,6977,4.466,7010,2.369,7017,2.661,7020,2.631,7022,2.369,7032,2.369,7129,1.978,7144,3.819,7145,3.819,7283,4.682,7284,2.661,7287,2.661,7388,6.027,7389,4.453,7390,3.103,7391,3.103,7392,2.661,7393,2.661,7394,4.453,7395,4.453,7396,3.819,7397,4.453,7398,3.4,7399,5.168,7400,3.819,7401,4.466,7402,4.453,7403,4.453,7404,2.661,7405,3.103,7406,2.152,7407,2.661,7408,1.978,7409,3.103,7410,3.103,7411,3.103,7412,3.103,7413,3.103,7414,3.103,7415,3.103,7416,4.453,7417,3.103,7418,3.103,7419,3.103,7420,4.453,7421,3.103,7422,3.103,7423,3.103,7424,3.103,7425,3.103,7426,3.103,7427,3.103,7428,3.103,7429,4.453,7430,3.103,7431,3.103,7432,3.103,7433,2.661,7434,6.987,7435,3.103,7436,3.103,7437,3.103,7438,3.103,7439,3.103,7440,3.103,7441,3.103,7442,3.103,7443,3.103,7444,3.103,7445,6.462,7446,3.103,7447,4.453,7448,4.453,7449,4.453,7450,4.453,7451,3.103,7452,4.453,7453,4.453,7454,5.209,7455,2.661,7456,3.103,7457,3.103,7458,3.103,7459,4.453,7460,3.103,7461,3.103,7462,3.103,7463,3.103,7464,3.103,7465,3.103,7466,4.453,7467,4.453,7468,3.103,7469,4.453,7470,4.453,7471,3.103,7472,3.103,7473,5.209,7474,2.661,7475,2.152,7476,4.453,7477,3.103,7478,3.977,7479,4.453,7480,3.103,7481,3.103,7482,3.103,7483,4.453,7484,3.103,7485,3.103,7486,3.103,7487,3.103,7488,3.103,7489,3.103,7490,3.103,7491,3.103,7492,3.103,7493,5.209,7494,3.103,7495,3.103,7496,3.103,7497,3.103,7498,3.103,7499,3.103,7500,3.103,7501,2.369,7502,3.103,7503,3.103,7504,3.103,7505,3.103,7506,3.103,7507,3.103,7508,3.103,7509,3.103,7510,1.978,7511,3.103,7512,3.103,7513,3.103,7514,3.103,7515,3.103,7516,3.103,7517,4.453,7518,5.209,7519,5.209,7520,3.103,7521,3.103,7522,4.453,7523,4.453,7524,3.103,7525,3.103,7526,3.103,7527,3.103,7528,3.103,7529,3.103,7530,3.103,7531,3.103,7532,2.661,7533,3.103,7534,3.103,7535
,3.103,7536,3.103,7537,3.103,7538,3.103,7539,3.103,7540,3.103,7541,3.103,7542,3.103,7543,3.103,7544,3.103,7545,3.103,7546,3.103,7547,3.103,7548,3.103,7549,3.103,7550,3.103,7551,3.103,7552,3.103,7553,3.103,7554,3.103,7555,3.103,7556,3.103,7557,3.103,7558,3.103,7559,3.103,7560,3.103,7561,3.103,7562,3.103,7563,3.103,7564,2.661,7565,4.466,7566,2.661,7567,3.103,7568,3.103,7569,3.103,7570,2.661,7571,2.661,7572,3.103,7573,3.103,7574,5.209,7575,3.103,7576,3.103,7577,4.453,7578,4.466,7579,3.103,7580,3.103,7581,3.103,7582,3.103,7583,3.103,7584,3.103,7585,3.103,7586,5.692,7587,3.103,7588,4.453,7589,4.453,7590,5.209,7591,4.453,7592,3.103,7593,3.103,7594,6.027,7595,3.103,7596,3.103,7597,3.103,7598,3.103,7599,3.103,7600,3.103,7601,2.661,7602,3.103,7603,3.103,7604,3.103,7605,3.103,7606,3.103,7607,3.103,7608,3.103,7609,3.819,7610,3.103,7611,3.103,7612,3.103,7613,3.103]],["title/general/compliance-frameworks.html",[2,4.976,3,4.605,4,4.933,5,3.263,133,0.637,134,4.225]],["breadcrumb/general/compliance-frameworks.html",[6,0.198,110,1.147,133,0.27,134,1.793]],["description/general/compliance-frameworks.html",[2,2.465,5,1.617,67,0.681,83,0.465,86,0.482,88,0.143,90,1.671,126,0.253,414,0.574,415,0.358,416,0.465,417,0.574,418,1.232,419,0.799,420,0.799,2043,9.88,2044,7.026]],["body/general/compliance-frameworks.html",[0,0.122,2,0.948,3,0.907,4,0.856,5,0.539,9,0.279,11,0.171,12,2.738,16,0.506,17,0.739,19,0.657,20,1.022,21,2.247,26,0.513,27,0.516,28,0.304,29,0.182,32,0.142,33,0.258,34,0.155,35,0.354,40,0.193,41,0.142,43,0.121,44,0.121,47,0.142,48,0.077,49,1.385,50,1.252,51,0.312,53,0.179,57,2.553,65,0.437,66,0.315,67,0.275,77,0.34,80,0.28,83,0.187,85,0.193,86,0.142,87,1.203,88,0.055,89,0.055,90,0.659,98,0.579,99,0.98,100,0.506,102,0.056,104,0.223,106,0.739,109,1.892,110,0.324,112,0.873,115,0.37,116,0.253,117,0.519,121,0.432,122,1.557,126,0.097,128,0.93,129,0.483,130,0.469,131,0.408,133,0.124,134,0.832,135,0.697,136,2.109,137,0.683,138,1.557,139,1.479,140,0.594,143,0.827,145,0.437,148,0.165,149
,0.799,150,0.506,152,0.782,156,0.386,160,0.193,161,0.244,165,0.404,172,1.404,173,0.221,176,0.372,178,0.472,182,0.31,184,0.867,189,0.756,195,3.046,198,0.405,200,1.159,205,1.614,209,0.405,212,0.288,218,0.553,221,0.429,222,0.34,227,0.142,239,0.506,242,1.252,244,0.507,245,0.683,247,0.97,249,0.39,250,1.076,252,0.608,253,0.697,262,0.31,265,0.771,274,0.166,276,0.372,277,0.519,278,0.508,279,0.305,282,0.683,284,1.191,285,1.793,287,0.739,288,0.187,292,0.404,293,0.799,294,0.697,299,0.603,300,0.404,310,2,311,0.28,314,1.457,315,1.659,316,0.472,326,1.022,335,1.269,340,0.34,341,0.25,344,0.209,346,0.125,351,0.119,353,0.201,360,0.92,365,0.542,368,1.642,404,0.97,410,0.24,411,0.65,412,0.65,413,0.594,414,0.219,415,0.141,416,0.182,417,0.221,418,0.368,419,0.305,420,0.295,424,0.739,425,0.542,426,0.778,427,1.373,430,0.472,438,1.191,442,0.778,444,0.506,446,0.221,484,1.099,498,0.31,504,0.851,511,0.455,512,0.077,518,1.385,521,0.594,522,0.551,524,0.985,529,1.132,536,3.213,549,3.973,551,0.193,552,1.659,565,0.97,566,0.437,572,0.427,580,0.279,587,2.114,589,3.448,610,1.533,619,2.391,629,0.778,634,0.509,636,0.93,647,0.782,656,0.25,672,1.263,686,0.34,702,0.698,717,0.509,733,1.793,741,2.118,745,1.022,764,1.099,776,1.5,780,1.385,785,2.391,790,1.022,802,1.191,807,0.653,845,0.236,864,1.533,872,0.55,873,0.193,878,3.448,901,3.973,903,0.697,905,0.905,906,0.65,918,0.657,919,0.542,927,1.793,936,2.247,985,1.252,989,0.73,996,4.457,1004,1.041,1009,1.385,1010,1.931,1018,0.386,1020,0.73,1048,2.247,1052,1.835,1054,0.827,1107,1.5,1111,0.92,1112,2.336,1115,3.213,1116,1.557,1119,0.92,1167,0.469,1170,1.022,1177,1.009,1181,1.076,1182,2,1186,0.638,1213,0.509,1235,1.355,1238,0.827,1255,1.355,1269,0.594,1274,1.533,1275,1.076,1276,1.385,1279,1.263,1286,1.385,1333,0.739,1375,1.355,1385,2.046,1403,3.011,1405,2.92,1406,1.022,1408,1.751,1423,0.985,1444,1.533,1446,1.533,1474,1.317,1494,2.247,1495,2.118,1496,2.667,1503,0.166,1504,1.5,1513,1.605,1540,1.457,1544,1.745,1547,2.609,1550,1.91,1557,0.739,1558,3.213,1565,2,1572,1.457,15
75,3.011,1577,0.873,1595,3.721,1606,1.263,1610,2.391,1622,1.892,1625,1.7,1638,0.93,1677,0.469,1678,1.614,1689,2,1692,3.572,1694,0.905,1767,2.954,1787,1.159,1788,3.213,1789,3.775,1790,2.287,1856,1.317,1867,3.973,1876,1.659,1883,1.614,1894,2.118,1933,1.457,1949,0.778,1956,0.826,1960,2.142,1974,0.73,2008,0.748,2025,1.892,2028,0.697,2030,2.033,2031,1.892,2043,3.801,2044,2.733,2052,2.247,2066,1.7,2081,0.873,2082,1.457,2083,1.907,2086,3.213,2087,3.538,2090,1.907,2095,1.222,2099,2.595,2102,2.383,2103,1.793,2104,1.287,2112,2.472,2224,2.258,2265,1.7,2332,0.873,2406,3.213,2433,2,2444,0.697,2452,2.383,2539,1.614,2546,2.247,2588,2.954,2645,1.892,2646,2.391,2666,2.247,2677,2,2687,1.931,2730,1.7,2731,2.553,2732,2.553,2733,3.215,2739,2.118,2803,3.538,2805,3.213,2822,2,2824,4.047,2868,1.7,2874,2.118,2875,1.457,2883,2,2940,5.122,2941,5.479,2962,1.793,2967,2.553,2983,2.391,2985,1.892,3019,2.83,3029,2.553,3039,0.782,3085,1.745,3089,3.775,3237,3.065,3280,3.538,3297,1.5,3300,3.448,3320,3.448,3361,2.553,3365,3.448,3366,2.738,3399,2,3460,3.213,3465,1.022,3502,2.118,3537,1.426,3538,1.931,3539,2.383,3544,1.931,3549,2.391,3564,3.775,3568,3.538,3664,3.973,3680,2.391,3747,2.954,3808,3.538,3825,2.738,3826,2.247,3853,2.954,3860,2.738,3861,1.965,3866,4.073,3905,2.118,4022,2.954,4213,3.213,4238,3.213,4239,5.005,4434,2.398,4435,3.973,4436,2.383,4441,3.973,4514,2.118,4648,3.213,4730,2.553,4763,4.457,4799,1.252,4860,1.835,5124,3.213,5162,2.553,5163,3.963,5198,2.738,5284,3.973,5379,4.457,5410,3.973,5509,4.047,5534,3.213,5740,3.213,5741,3.973,5742,3.538,5743,3.538,5784,2.954,5786,6.052,5798,3.213,5811,2.954,5883,2,6133,2.118,6235,2.247,6294,3.973,6347,3.973,6350,2.118,6541,3.973,6584,2.553,6590,4.457,6593,5.005,6724,2.954,6847,3.213,6943,4.457,7169,3.213,7194,2.954,7249,3.973,7406,5.072,7408,2.954,7455,3.973,7614,4.634,7615,3.973,7616,3.973,7617,4.457,7618,6.052,7619,5.837,7620,3.538,7621,4.634,7622,5.005,7623,6.39,7624,5.479,7625,3.721,7626,4.634,7627,5.005,7628,3.973,7629,4.634,7630,5.005,7631,5.479,
7632,4.457,7633,3.973,7634,3.973,7635,5.837,7636,4.634,7637,4.634,7638,3.973,7639,4.634,7640,4.634,7641,4.634,7642,4.634,7643,5.837,7644,4.634,7645,3.538,7646,4.431,7647,4.634,7648,3.973,7649,4.634,7650,4.047,7651,4.634,7652,3.775,7653,4.634,7654,2.954,7655,2.118,7656,4.634,7657,4.634,7658,5.837,7659,4.634,7660,3.973,7661,3.973,7662,4.634,7663,4.634,7664,4.634,7665,4.634,7666,4.634,7667,4.634,7668,4.634,7669,4.634,7670,5.837,7671,4.634,7672,4.634,7673,4.634,7674,4.634,7675,3.973,7676,3.213,7677,4.634,7678,5.837,7679,3.011,7680,5.005,7681,4.634,7682,4.634,7683,4.634,7684,4.634,7685,4.634,7686,4.634,7687,4.634,7688,5.005,7689,4.634,7690,3.213,7691,3.538,7692,5.837,7693,4.634,7694,4.634,7695,4.634,7696,5.837,7697,4.634,7698,4.634,7699,4.634,7700,4.634,7701,4.634,7702,4.634,7703,4.634,7704,4.634,7705,4.047,7706,4.457,7707,4.457,7708,6.39,7709,4.634,7710,4.634,7711,4.634,7712,4.634,7713,4.634,7714,4.634,7715,4.634,7716,4.634,7717,4.634,7718,4.634,7719,4.634,7720,4.634,7721,4.634]],["title/general/data.html",[2,4.44,3,4.108,4,4.401,5,2.912,28,2.265,29,0.982,104,1.658,110,2.411]],["breadcrumb/general/data.html",[6,0.198,28,1.077,29,0.467,110,1.147]],["description/general/data.html",[28,1.423,29,0.617,40,0.904,43,0.448,53,0.535,104,1.042,105,7.548,106,3.455,110,1.515,112,4.081,765,3.455,792,6.814,1165,3.071]],["body/general/data.html",[0,0.115,2,0.962,3,0.89,7,0.752,9,0.287,11,0.169,13,0.704,14,0.385,16,0.657,17,0.65,19,0.941,20,0.899,23,1.218,26,0.513,27,0.519,28,0.511,29,0.211,30,1.31,31,0.47,32,0.146,33,0.26,34,0.146,35,0.287,36,4.73,37,0.794,38,1.625,39,3.175,40,0.321,41,0.181,42,2.408,43,0.161,44,0.156,45,0.553,46,3.312,47,0.099,49,1.606,51,0.338,52,0.706,53,0.189,56,0.587,57,2.96,62,0.612,65,0.507,66,0.325,67,0.271,69,0.507,70,1.795,76,0.483,79,0.513,80,0.426,81,0.445,82,0.51,83,0.173,85,0.17,86,0.128,88,0.048,89,0.047,99,0.761,102,0.087,103,0.17,104,0.339,105,2.585,106,1.158,107,0.525,108,3.035,110,0.477,111,0.657,112,1.203,113,0.704,114,0.799,115,0.433,116,0.229,118
,0.431,121,0.412,123,0.359,126,0.071,127,0.51,128,0.65,129,0.514,130,0.494,131,0.514,133,0.11,135,0.613,137,0.798,140,0.547,145,0.385,146,0.385,148,0.168,149,0.51,151,0.727,152,0.688,153,0.445,156,0.386,159,0.941,161,0.277,162,0.192,165,0.356,172,1.125,173,0.305,176,0.327,180,0.477,181,0.996,182,0.359,183,0.547,185,2.194,189,0.587,192,0.285,194,0.325,198,0.42,199,0.851,202,2.598,203,1.047,205,1.419,206,0.727,207,0.65,209,0.461,211,0.853,212,0.251,213,0.996,214,0.483,218,0.519,219,0.893,221,0.299,222,0.299,223,0.543,225,1.313,226,1.759,227,0.099,229,2.944,231,3.659,233,0.613,234,1.012,235,2.319,236,2.455,238,1.664,239,0.445,240,1.158,241,0.525,242,1.88,244,0.552,249,0.427,252,0.533,253,0.613,254,0.644,258,0.65,259,1.419,260,2.187,261,1.067,262,0.456,263,0.395,264,0.431,265,0.699,271,0.368,275,0.974,276,0.431,279,0.287,280,0.395,281,0.299,282,0.547,284,1.381,287,1.087,288,0.205,292,0.356,298,0.958,299,0.507,302,1.972,303,0.215,304,0.272,306,2.594,308,0.587,311,0.386,313,0.688,318,1.125,322,0.946,323,0.525,327,0.761,329,0.363,330,0.363,332,0.688,335,1.194,339,0.17,340,0.299,341,0.29,344,0.268,346,0.1,351,0.142,353,0.18,363,0.568,365,0.777,373,1.158,374,0.852,376,1.326,385,1.313,410,0.249,411,0.547,412,0.547,413,0.547,414,0.204,415,0.128,416,0.099,417,0.122,418,0.257,419,0.17,420,0.17,425,0.777,426,0.543,427,1.194,439,1.872,440,1.281,442,0.801,446,0.305,468,0.727,473,0.356,485,0.853,487,0.386,490,0.857,496,0.629,497,1.759,498,0.272,501,1.047,506,1.047,511,0.408,514,1.132,516,0.81,521,0.415,522,0.385,527,0.076,529,1.623,531,0.415,538,1.281,539,0.415,540,1.185,543,1.087,546,1.797,547,0.613,550,0.401,551,0.277,553,2.747,554,2.009,558,1.218,560,1.149,561,1.759,562,1.727,564,0.373,565,0.853,566,0.507,567,3.112,568,1.348,570,1.158,572,0.482,580,0.195,619,2.103,628,0.456,629,0.716,630,0.808,633,2.194,634,0.356,636,0.65,640,0.543,647,0.688,649,0.385,651,1.281,653,0.716,655,0.727,656,0.345,657,0.513,660,0.899,672,1.251,675,2.472,678,4.168,679,4.168,680,2.772,681,2.594,684,1.281,
685,1.456,686,0.442,688,1.125,693,0.513,696,2.006,702,0.445,703,1.787,708,0.907,710,2.194,717,0.58,733,1.577,745,1.185,746,0.767,755,1.495,759,1.976,764,0.767,765,0.857,767,2.079,768,1.907,769,0.857,771,0.81,774,2.606,782,1.469,783,1.132,785,2.103,790,1.185,792,2.342,794,1.218,802,1.047,807,0.356,845,0.338,850,0.17,863,0.613,867,3.112,871,2.758,872,0.444,873,0.224,891,1.527,894,0.946,895,1.151,899,0.65,900,1.495,902,1.218,906,0.415,909,0.727,911,3.495,913,2.363,914,1.348,917,0.299,920,1.313,921,1.989,927,2.079,928,0.547,932,1.419,933,2.094,989,0.672,992,0.173,1001,0.543,1002,0.412,1006,0.47,1007,1.348,1017,2.319,1018,0.246,1020,0.51,1033,2.246,1035,2.103,1036,0.727,1041,3.102,1047,2.826,1048,2.606,1049,1.642,1052,1.281,1054,0.577,1056,0.946,1108,1.158,1111,0.81,1116,1.603,1117,3.175,1123,0.328,1126,1.495,1130,1.778,1156,1.218,1158,1.976,1159,1.419,1163,2.594,1165,1.062,1167,0.299,1168,1.072,1177,0.808,1180,2.408,1187,3.726,1197,3.112,1203,1.817,1213,0.356,1230,0.907,1235,1.248,1238,0.577,1251,1.348,1255,0.946,1262,1.664,1279,0.767,1283,1.047,1294,0.415,1333,0.65,1334,0.629,1343,2.094,1346,1.577,1357,1.577,1361,0.51,1375,0.946,1377,1.248,1380,2.594,1384,2.915,1385,1.844,1386,1.986,1387,3.726,1390,2.826,1392,0.81,1408,0.996,1421,3.495,1423,0.688,1428,3.552,1430,2.103,1437,0.899,1441,2.747,1445,0.899,1503,0.201,1513,1.248,1522,2.103,1526,2.194,1527,1.862,1529,2.319,1540,1.281,1548,1.778,1550,1.218,1552,1.577,1555,1.218,1557,0.65,1559,2.408,1561,1.976,1564,0.577,1575,2.103,1577,0.767,1606,1.203,1614,3.425,1619,0.899,1626,1.89,1629,4.432,1634,1.012,1677,0.327,1683,1.248,1693,2.598,1694,0.852,1701,2.772,1704,3.425,1707,2.826,1709,1.281,1711,1.759,1757,2.094,1767,2.598,1784,1.69,1785,2.455,1787,0.81,1794,1.072,1822,3.112,1832,1.218,1852,1.817,1854,1.218,1866,0.853,1877,2.103,1880,2.408,1884,2.598,1935,1.976,1952,1.577,1959,2.408,1960,1.495,1961,2.245,1967,0.853,1988,2.245,2008,0.477,2028,0.961,2032,2.598,2041,2.408,2057,1.102,2061,1.577,2064,1.577,2065,1.606,2075,1.862,207
8,1.218,2090,1.817,2095,1.338,2102,2.194,2103,2.326,2109,1.561,2110,0.543,2130,2.92,2132,4.103,2203,1.158,2215,1.495,2216,1.194,2224,1.577,2255,1.577,2300,2.598,2332,0.767,2337,2.785,2338,2.194,2339,3.297,2340,3.726,2398,3.112,2399,2.747,2412,2.552,2416,1.976,2418,1.218,2429,1.664,2432,1.872,2434,1.281,2439,2.408,2467,1.584,2477,1.281,2582,2.245,2583,1.348,2619,2.772,2628,1.862,2629,2.455,2633,1.69,2645,1.664,2646,2.103,2682,2.598,2686,1.264,2690,2.103,2694,1.409,2730,1.495,2737,2.826,2744,2.598,2821,3.112,2822,1.759,2869,1.976,2875,1.69,2876,2.408,2889,2.598,2890,2.826,2902,1.778,2962,2.326,2967,2.245,2979,2.245,3027,2.826,3029,2.245,3096,2.408,3122,1.14,3130,2.103,3141,1.158,3231,2.408,3290,3.495,3297,1.381,3304,1.872,3310,3.099,3500,1.495,3537,0.996,3540,1.419,3543,2.194,3546,4.607,3556,2.245,3557,2.598,3618,2.408,3828,1.381,3834,3.112,3845,2.114,3847,4.168,3849,0.81,3855,4.59,3856,4.22,3859,1.218,3866,2.598,3867,3.117,3870,2.455,3888,1.862,4019,4.59,4026,3.832,4027,3.726,4038,2.598,4214,2.408,4215,2.103,4297,2.826,4386,3.495,4418,2.826,4436,2.455,4524,1.664,4544,3.495,4591,3.425,4729,2.772,4734,2.103,4738,1.664,4792,2.103,4793,4.607,4799,1.102,4801,2.598,4932,3.495,5032,3.495,5089,4.074,5130,3.047,5198,3.175,5228,3.112,5303,2.826,5326,2.103,5332,3.427,5356,2.712,5362,3.425,5447,3.726,5518,4.607,5587,1.577,5784,2.598,5787,2.61,5788,1.495,5789,4.03,5790,1.976,5826,3.552,5933,2.408,6235,1.976,6297,3.495,6565,3.112,6577,2.96,6730,3.726,6731,2.408,6779,2.826,6847,4.823,6992,2.598,7023,3.495,7296,3.112,7299,3.112,7679,3.102,7722,3.495,7723,2.826,7724,6.642,7725,4.103,7726,4.075,7727,3.495,7728,4.075,7729,5.48,7730,5.373,7731,5.373,7732,4.075,7733,4.075,7734,4.075,7735,4.075,7736,4.075,7737,4.075,7738,5.373,7739,4.075,7740,4.075,7741,4.075,7742,3.112,7743,3.495,7744,4.075,7745,3.495,7746,3.495,7747,5.373,7748,5.373,7749,4.075,7750,3.495,7751,3.495,7752,4.075,7753,1.976,7754,4.103,7755,4.075,7756,4.075,7757,5.373,7758,4.075,7759,3.495,7760,5.373,7761,5.373,7762,4.075,77
63,4.075,7764,3.495,7765,6.011,7766,4.075,7767,5.373,7768,6.011,7769,4.075,7770,3.425,7771,3.495,7772,3.495,7773,4.075,7774,4.075,7775,3.495,7776,5.373,7777,4.075,7778,3.495,7779,3.495,7780,3.495,7781,3.495,7782,3.495,7783,3.495,7784,3.495,7785,4.075,7786,3.495,7787,3.495,7788,4.607,7789,4.075,7790,2.826,7791,4.075,7792,4.075,7793,4.075,7794,4.075,7795,2.826,7796,4.075,7797,3.112,7798,3.726,7799,4.075,7800,3.112,7801,2.245,7802,4.075,7803,4.075,7804,4.075]],["title/general/genai.html",[2,4.693,3,4.342,4,4.651,5,3.077,104,1.752,872,2.694,983,8.463]],["breadcrumb/general/genai.html",[6,0.224,110,1.296,983,4.302]],["description/general/genai.html",[102,0.227,103,0.784,104,0.903,280,1.38,716,6.215,872,1.388,903,2.826,983,4.361,986,8.108,992,0.456,1002,1.134,1003,13.128,1014,6.893,1102,9.109,1103,4.143,1104,9.693,1108,5.34,1174,8.108,2417,8.585]],["body/general/genai.html",[0,0.124,2,0.812,3,0.861,4,0.922,5,0.532,7,0.821,9,0.301,11,0.179,13,0.461,16,0.646,17,0.942,19,0.744,21,1.91,25,1.83,27,0.454,28,0.493,29,0.15,30,0.742,33,0.252,34,0.144,35,0.301,40,0.164,41,0.153,43,0.14,44,0.122,47,0.096,48,0.052,50,1.064,51,0.32,52,0.62,53,0.183,54,0.474,58,0.592,60,0.314,62,0.534,66,0.319,67,0.27,68,0.657,69,0.595,76,0.316,77,0.386,79,0.596,80,0.428,81,0.646,83,0.144,85,0.282,86,0.098,88,0.05,89,0.041,90,0.516,92,0.628,94,0.534,99,0.744,100,0.646,102,0.076,103,0.219,104,0.344,105,1.372,107,0.458,110,0.501,114,0.845,115,0.333,116,0.247,117,0.386,118,0.422,121,0.416,123,0.421,124,0.886,126,0.094,127,0.492,129,0.482,130,0.441,131,0.441,132,1.012,133,0.114,137,0.692,139,1.39,140,0.534,145,0.496,148,0.178,149,0.492,150,0.718,151,1.124,153,0.689,156,0.238,160,0.274,161,0.299,162,0.242,165,0.344,167,1.464,168,1.012,169,1.767,171,1.738,173,0.323,178,0.534,180,0.857,181,0.962,182,0.263,183,0.534,189,0.43,192,0.164,194,0.34,198,0.238,199,0.875,201,1.238,205,1.372,206,1.054,207,0.534,209,0.238,211,0.825,212,0.164,214,0.527,218,0.434,219,0.492,220,1.37,221,0.463,222,0.496,225,0.962,226,1.7,22
7,0.153,233,0.592,234,0.742,236,3.402,239,0.43,244,0.6,245,0.861,246,1.35,248,2.51,249,0.351,251,1.241,260,1.652,263,0.289,264,0.317,265,0.646,271,0.213,273,0.386,274,0.266,276,0.6,277,0.531,278,0.434,279,0.282,280,0.531,281,0.289,288,0.19,292,0.344,293,0.492,297,1.608,299,0.372,303,0.268,304,0.468,308,0.574,311,0.317,312,0.84,315,2.116,318,0.825,322,1.372,323,0.589,327,0.558,328,0.492,329,0.357,330,0.357,331,1.524,332,0.886,333,0.825,335,0.782,336,2.327,338,3.049,339,0.282,340,0.434,341,0.319,344,0.251,346,0.136,351,0.144,353,0.189,363,0.372,365,0.865,368,1.62,373,1.119,374,0.957,383,1.445,384,0.886,385,1.54,397,0.558,404,0.825,414,0.118,415,0.074,416,0.128,417,0.118,418,0.251,419,0.164,420,0.164,425,0.615,426,0.7,431,1.68,432,1.064,433,0.744,438,1.35,441,0.558,442,0.525,444,0.718,446,0.342,451,0.558,453,1.238,459,0.975,463,2.71,468,1.23,470,1.524,472,2.032,473,0.516,475,1.519,481,2.032,482,1.22,487,0.317,488,0.787,498,0.439,504,0.525,506,1.012,509,2.235,511,0.428,512,0.083,513,0.372,516,0.782,517,2.286,520,1.054,521,0.687,522,0.496,527,0.118,531,0.687,537,3.057,539,0.401,543,0.837,544,0.825,547,0.79,550,0.238,552,1.68,554,2.124,560,0.628,562,1.597,563,1.119,564,0.295,565,1.444,566,0.638,568,1.955,572,0.263,580,0.188,582,1.63,583,1.445,619,3.253,628,0.263,629,0.525,630,0.592,631,1.39,634,0.344,640,0.525,647,1.064,649,0.677,651,1.238,653,0.9,656,0.365,657,0.554,660,1.303,662,1.42,670,0.664,671,2.032,672,1.113,687,0.642,692,3.007,693,0.316,699,1.283,702,0.718,716,2.235,717,0.516,725,0.558,744,1.32,753,1.83,756,0.316,764,1.272,765,0.628,768,1.801,771,1.043,774,2.547,776,1.857,780,1.57,782,0.962,783,0.742,785,2.032,791,1.174,794,1.177,807,0.573,845,0.321,850,0.247,852,1.524,855,1.91,856,0.937,863,0.889,864,1.303,872,0.51,873,0.274,877,0.628,889,0.702,891,1.991,902,2.142,903,0.592,905,1.005,906,0.534,909,0.702,917,0.289,920,0.962,925,3.492,927,1.524,928,0.687,932,1.372,949,2.032,954,0.852,982,3.057,983,1.647,984,2.4,985,1.917,986,3.315,987,1.778,988,2.894,989,0.788,991,
3.98,992,0.188,998,3.377,999,4.522,1000,1.608,1001,0.7,1002,0.416,1003,3.853,1004,0.702,1006,0.515,1007,1.303,1009,1.767,1012,3.253,1013,3.185,1014,2.789,1015,2.17,1016,2.51,1018,0.357,1019,2.173,1020,0.657,1021,1.7,1033,1.238,1035,3.049,1039,1.372,1041,2.71,1042,4.019,1043,4.306,1044,3.253,1045,4.187,1046,1.736,1049,1.35,1051,2.71,1052,2.231,1054,0.744,1102,3.44,1103,1.565,1104,3.558,1105,2.327,1106,2.327,1107,1.35,1108,1.867,1109,3.103,1110,1.524,1111,0.782,1116,1.39,1117,4.383,1118,4.306,1119,1.461,1123,0.413,1124,1.963,1142,1.445,1146,0.962,1159,1.372,1160,3.253,1162,4.011,1163,1.7,1164,1.445,1165,0.744,1167,0.289,1171,3.007,1172,3.767,1174,3.213,1175,2.846,1176,4.325,1177,1.142,1179,2.327,1180,3.88,1181,1.22,1183,4.187,1184,2.731,1185,2.547,1186,0.79,1192,3.722,1194,1.445,1203,1.68,1213,0.344,1232,2.51,1238,0.931,1240,2.51,1242,1.237,1251,1.738,1253,1.119,1256,3.007,1258,2.286,1259,1.524,1262,2.413,1269,0.401,1270,1.238,1275,1.22,1276,1.177,1282,4.011,1283,1.519,1284,2.731,1286,1.177,1288,0.601,1294,0.668,1333,0.628,1336,2.032,1348,0.615,1359,2.547,1361,0.931,1363,1.7,1369,4.306,1373,1.238,1375,1.699,1376,4.019,1377,1.22,1378,3.253,1379,3.767,1380,2.267,1385,1.064,1386,1.177,1387,3.642,1389,2.267,1405,1.8,1406,1.158,1408,0.962,1420,3.007,1423,0.886,1440,3.767,1441,2.701,1446,1.303,1447,2.145,1448,4.325,1503,0.187,1518,1.119,1523,0.401,1538,1.445,1539,0.782,1544,1.963,1547,2.145,1575,2.032,1577,1.187,1606,0.989,1610,2.032,1619,0.869,1630,3.007,1633,1.608,1634,0.742,1638,1.117,1641,3.007,1665,1.119,1666,1.524,1677,0.316,1696,0.742,1700,0.869,1709,1.238,1713,1.83,1764,1.91,1765,1.8,1784,1.238,1792,0.742,1793,1.303,1866,0.657,1885,1.064,1891,3.057,1930,2.71,1931,2.547,1933,1.238,1948,2.731,1957,0.962,1962,1.445,1966,1.445,1974,0.492,2008,0.461,2010,3.492,2013,1.445,2025,1.608,2028,0.79,2052,1.91,2065,1.177,2079,3.103,2081,1.272,2082,1.238,2084,1.8,2090,1.792,2103,1.524,2104,0.869,2108,2.391,2109,0.962,2110,0.933,2115,1.336,2124,2.71,2209,2.145,2213,1.372,2223,1.238
,2237,3.486,2243,2.17,2265,1.445,2332,0.742,2397,2.327,2405,4.011,2411,2.731,2416,2.866,2417,3.325,2432,1.83,2434,1.858,2442,2.032,2455,1.8,2476,1.1,2559,2.327,2564,2.51,2626,2.731,2659,3.348,2665,3.185,2666,2.547,2687,1.303,2693,1.238,2694,0.869,2744,2.51,2745,3.473,2830,2.17,2859,2.71,2869,1.91,2874,1.8,2884,3.348,2958,2.51,3039,0.664,3090,2.17,3118,2.145,3131,3.492,3135,2.032,3221,1.119,3243,1.7,3313,2.413,3394,2.032,3397,2.731,3406,2.032,3465,1.521,3499,2.51,3537,1.54,3538,1.738,3543,1.608,3549,3.049,3555,1.064,3617,2.17,3683,3.103,3770,4.513,3781,2.17,3827,5.068,3828,1.62,3850,2.032,3882,3.642,3989,2.731,4004,0.825,4021,2.327,4028,2.866,4039,1.91,4114,2.327,4170,4.011,4205,4.191,4213,3.642,4261,3.377,4263,4.396,4281,1.445,4299,3.767,4305,5.266,4328,2.327,4361,2.17,4389,5.068,4421,3.007,4434,1.955,4436,1.608,4514,1.8,4524,1.608,4643,4.504,4729,3.049,4738,1.608,4794,1.91,4845,4.814,4920,5.266,5094,3.767,5130,1.7,5182,2.881,5326,2.032,5356,1.608,5363,2.51,5543,3.007,5549,2.032,5574,1.608,5587,1.524,5748,2.51,5760,3.377,5823,3.377,6083,2.731,6172,3.377,6235,2.547,6236,3.377,6268,3.377,6392,2.731,6539,2.51,6588,3.642,6907,3.007,6913,3.725,7169,2.731,7194,2.51,7199,3.377,7510,2.51,7618,3.377,7652,2.327,7705,3.642,7723,2.731,7725,3.007,7753,1.91,7779,3.377,7788,4.504,7805,1.91,7806,3.377,7807,3.007,7808,3.377,7809,5.253,7810,3.377,7811,3.938,7812,5.068,7813,5.253,7814,5.91,7815,3.938,7816,3.377,7817,3.938,7818,3.938,7819,5.91,7820,3.938,7821,4.504,7822,4.504,7823,3.938,7824,3.377,7825,5.253,7826,5.253,7827,3.938,7828,3.938,7829,3.007,7830,5.91,7831,3.938,7832,3.938,7833,3.377,7834,3.377,7835,3.938,7836,5.253,7837,2.731,7838,3.377,7839,5.253,7840,3.938,7841,3.938,7842,3.377,7843,3.938,7844,3.377,7845,3.938,7846,3.938,7847,3.938,7848,3.938,7849,3.938,7850,3.938,7851,3.938,7852,3.938,7853,3.938,7854,3.377,7855,3.938,7856,3.938,7857,3.938,7858,3.938,7859,3.938,7860,3.938,7861,2.51,7862,5.253,7863,3.938,7864,3.938,7865,3.377]],["title/general/iam.html",[2,4.693,3,4.342,4,4
.651,5,3.077,104,1.752,110,2.549,564,2.048]],["breadcrumb/general/iam.html",[6,0.224,110,1.296,564,1.041]],["description/general/iam.html",[33,0.771,53,0.535,104,1.042,107,1.891,110,1.515,227,0.679,253,3.26,564,1.218,1503,0.617,1522,11.181,1523,2.205,1694,3.071]],["body/general/iam.html",[0,0.122,2,0.992,3,0.907,4,0.868,5,0.341,9,0.193,11,0.161,14,0.601,16,0.583,19,0.572,26,0.48,27,0.54,28,0.435,30,1.005,32,0.145,33,0.271,34,0.182,35,0.316,37,0.583,40,0.223,41,0.145,43,0.156,44,0.157,45,0.468,47,0.098,48,0.079,51,0.327,53,0.187,54,0.442,58,0.803,60,0.316,62,0.41,65,0.565,66,0.367,67,0.271,68,0.828,69,0.381,70,1.617,77,0.439,79,0.324,81,0.583,83,0.177,85,0.266,86,0.119,88,0.045,89,0.032,91,0.89,92,0.643,96,0.936,98,0.667,99,0.756,101,0.936,102,0.072,104,0.364,106,0.643,107,0.628,110,0.373,111,0.758,113,0.625,114,0.504,115,0.256,116,0.237,117,0.486,118,0.324,119,1.055,123,0.4,126,0.092,129,0.518,130,0.503,131,0.518,133,0.099,135,0.607,136,1.268,137,0.472,140,0.609,141,0.89,144,1.09,145,0.504,148,0.1,149,0.504,150,0.696,151,1.067,152,0.9,153,0.583,154,0.27,156,0.361,157,2.571,159,0.756,160,0.266,161,0.294,162,0.237,165,0.466,168,1.037,172,0.845,173,0.341,175,2.439,180,0.868,181,0.985,182,0.27,187,0.848,188,0.711,189,0.654,192,0.276,193,0.7,194,0.397,198,0.322,199,0.938,200,0.801,204,2.222,205,2.306,206,0.719,207,0.41,209,0.322,211,1.117,212,0.303,214,0.324,218,0.468,221,0.296,222,0.486,223,0.797,225,1.461,226,1.741,227,0.185,230,0.936,233,0.9,234,0.76,239,0.696,240,1.147,241,0.352,244,0.576,246,1.537,249,0.4,250,1.239,252,0.428,253,1.145,258,0.643,262,0.27,263,0.296,264,0.243,265,0.787,271,0.367,272,1.678,273,0.545,274,0.237,276,0.59,279,0.337,280,0.296,281,0.296,282,0.41,284,1.037,287,1.015,288,0.13,289,2.303,292,0.352,293,0.667,297,2.179,299,0.717,300,0.605,302,1.958,303,0.252,304,0.357,305,0.504,308,0.724,311,0.384,312,0.906,313,1.009,316,0.41,319,1.256,320,2.222,321,2.588,322,0.936,323,0.352,328,0.667,329,0.361,330,0.361,332,0.9,333,1.333,338,2.081,339,0.25,340,0.4
39,341,0.357,344,0.248,346,0.127,351,0.144,353,0.204,363,0.381,370,1.881,374,0.964,376,1.587,388,1.389,404,0.845,410,0.243,411,0.41,412,0.41,413,0.41,414,0.191,415,0.119,416,0.13,417,0.16,418,0.255,419,0.168,420,0.168,424,0.643,425,0.7,426,0.711,427,0.801,432,1.09,434,1.147,438,1.037,440,1.268,442,0.537,444,0.583,446,0.304,468,0.719,473,0.555,480,1.442,484,1.247,487,0.361,496,0.7,498,0.27,499,1.647,500,0.845,504,0.537,509,1.335,511,0.274,512,0.071,513,0.504,516,1.06,517,1.56,518,1.595,522,0.381,523,0.381,527,0.112,528,0.76,529,1.304,531,0.609,538,1.268,539,0.41,540,1.319,541,2.222,543,0.851,550,0.399,551,0.276,559,2.383,561,2.303,562,1.617,563,1.147,564,0.433,565,0.845,566,0.693,568,1.979,572,0.442,580,0.286,583,1.48,610,1.766,628,0.27,629,0.797,630,0.803,634,0.605,637,0.803,640,0.537,649,0.625,653,0.938,656,0.4,657,0.428,662,1.442,664,2.588,671,1.56,686,0.439,690,0.936,693,0.428,698,1.647,699,0.985,702,0.696,703,1.537,709,1.48,717,0.352,726,2.065,753,1.405,756,0.428,759,1.956,764,1.005,768,1.371,773,1.56,775,0.851,780,1.206,782,1.304,783,1.005,791,1.06,807,0.466,815,3.402,816,1.399,845,0.205,850,0.168,852,1.56,855,1.956,863,0.803,872,0.489,873,0.317,876,2.571,877,0.851,891,1.517,894,1.389,895,1.224,897,0.601,899,1.084,902,1.206,903,0.803,905,0.902,906,0.648,917,0.296,918,0.756,919,0.625,920,1.461,928,0.543,932,1.405,954,0.7,985,1.09,988,2.222,989,0.891,992,0.155,996,3.08,1001,0.711,1002,0.384,1004,1.067,1006,0.517,1007,1.766,1010,1.335,1018,0.419,1020,0.667,1034,2.139,1035,2.081,1046,1.037,1052,1.678,1056,0.936,1107,1.371,1112,1.859,1116,0.89,1119,1.06,1122,1.555,1123,0.44,1124,2.105,1125,2.581,1130,1.335,1142,1.958,1147,1.404,1163,1.741,1168,0.952,1170,1.404,1173,0.936,1177,0.803,1186,0.696,1193,2.383,1213,0.352,1230,0.681,1235,0.936,1238,0.847,1242,0.845,1253,1.517,1270,1.268,1273,3.153,1274,1.335,1275,1.239,1278,1.206,1279,1.281,1280,2.383,1286,1.788,1288,0.609,1289,1.442,1294,0.41,1334,0.824,1348,0.625,1350,0.681,1361,0.881,1369,2.571,1373,1.678,1375,0.936,1403
,2.081,1406,1.177,1409,2.222,1425,1.48,1437,1.319,1442,3.219,1445,0.89,1478,1.09,1503,0.221,1504,1.701,1505,2.383,1506,2.94,1511,2.797,1513,1.478,1522,3.416,1523,0.77,1526,1.647,1528,2.888,1529,3.17,1535,2.588,1539,1.264,1540,1.268,1541,1.741,1543,1.268,1547,2.179,1548,1.979,1549,3.106,1551,3.295,1552,2.314,1553,2.222,1554,3.701,1555,1.788,1562,2.797,1563,4.147,1564,0.983,1565,3.17,1566,1.579,1572,2.181,1573,2.065,1575,2.081,1595,2.571,1606,0.76,1621,0.681,1626,1.268,1627,1.741,1635,1.647,1638,1.015,1639,1.748,1665,1.147,1669,1.037,1685,1.979,1689,1.741,1690,1.206,1694,1.05,1695,2.081,1696,1.342,1700,0.89,1712,2.179,1713,1.405,1717,2.581,1774,3.08,1777,1.647,1785,1.843,1788,2.797,1790,1.766,1791,2.777,1792,1.005,1793,1.335,1794,1.067,1796,1.335,1799,2.571,1856,1.147,1866,0.504,1885,1.09,1886,1.809,1892,1.405,1894,1.843,1915,1.268,1921,1.206,1948,3.701,1949,0.537,1950,1.678,1951,1.478,1952,1.56,1953,1.647,1955,3.701,1956,1.181,1957,1.304,1960,1.48,1961,2.222,1967,0.845,1974,0.667,2000,1.956,2006,1.281,2008,0.824,2009,1.335,2028,0.9,2044,1.48,2045,3.086,2052,2.9,2073,1.956,2074,1.741,2078,1.206,2090,1.517,2094,2.797,2095,1.386,2096,1.56,2098,2.571,2099,1.56,2100,2.857,2108,2.106,2109,0.985,2110,0.848,2115,1.005,2117,2.222,2126,1.48,2127,1.859,2203,1.147,2216,0.801,2217,3.08,2233,2.581,2238,2.797,2250,2.571,2317,2.797,2397,2.383,2433,2.857,2444,0.607,2457,2.797,2573,2.439,2576,1.335,2577,1.405,2581,2.383,2583,1.335,2585,2.9,2592,2.383,2624,3.08,2645,1.647,2686,1.074,2690,2.081,2693,1.268,2827,3.459,2831,2.571,2833,2.222,2875,1.678,2884,3.402,2902,1.766,2968,3.534,2976,1.741,3019,1.956,3096,2.383,3107,1.788,3122,0.952,3141,1.147,3229,2.797,3244,2.222,3278,2.081,3288,1.335,3297,1.371,3381,3.459,3394,2.081,3403,2.081,3462,2.081,3464,0.89,3465,0.89,3500,1.48,3503,2.303,3507,2.383,3555,1.09,3567,1.678,3569,2.571,3603,1.268,3618,2.383,3628,1.647,3683,2.383,3828,1.037,3849,1.416,3850,2.081,3862,1.678,3867,1.843,3880,3.08,3890,1.442,3901,3.459,3905,1.843,4020,3.08,4032,2.222,4
171,1.647,4238,2.797,4281,1.48,4340,3.701,4362,2.571,4387,2.383,4388,2.571,4417,2.94,4419,1.741,4428,3.812,4430,2.439,4436,2.599,4442,1.741,4444,3.459,4445,3.08,4448,2.571,4449,2.797,4514,1.843,4525,3.08,4596,3.459,4646,3.459,4647,3.153,4648,2.797,4654,2.571,4742,3.459,4786,2.081,4790,2.222,4799,1.09,5094,2.571,5168,3.402,5198,2.383,5220,3.08,5237,3.08,5356,1.647,5515,2.222,5525,2.797,5531,2.571,5534,2.797,5574,1.647,5790,2.588,5797,1.956,5801,1.956,5811,2.571,5815,3.459,6232,3.459,6345,2.303,6350,2.439,6352,2.797,6471,3.08,6475,3.459,6533,3.459,6577,2.222,6597,1.843,6644,4.075,6724,2.571,6905,2.797,7169,2.797,7408,3.402,7510,2.571,7620,4.075,7645,3.08,7679,3.416,7690,2.797,7691,3.08,7753,2.9,7764,3.459,7770,3.812,7801,2.94,7805,1.956,7812,3.459,7866,3.08,7867,3.08,7868,5.055,7869,3.459,7870,4.075,7871,3.402,7872,4.034,7873,5.337,7874,4.576,7875,4.034,7876,3.459,7877,4.034,7878,4.034,7879,5.337,7880,2.082,7881,3.459,7882,4.034,7883,4.034,7884,4.034,7885,4.034,7886,5.337,7887,5.981,7888,4.576,7889,4.034,7890,6.365,7891,5.458,7892,4.86,7893,4.86,7894,4.576,7895,4.034,7896,5.337,7897,4.034,7898,3.459,7899,4.576,7900,3.459,7901,4.034,7902,3.08,7903,5.128,7904,4.034,7905,4.034,7906,4.034,7907,5.337,7908,4.034,7909,4.034,7910,2.797,7911,3.459,7912,3.08,7913,3.459,7914,3.459,7915,4.034,7916,3.459]],["title/general/index.html",[2,4.693,3,5.939,4,4.651,5,3.077,110,2.549,872,2.694]],["breadcrumb/general/index.html",[6,0.257,110,1.489]],["description/general/index.html",[3,2.238,23,5.616,28,1.234,102,0.227,103,0.784,104,0.903,115,1.191,122,4.143,133,0.31,134,2.053,244,1.492,511,1.274,564,1.055,702,2.053,872,1.388,992,0.456,1002,1.134,1123,1.148,2008,2.199,2030,6.543]],["body/general/index.html",[0,0.124,2,0.95,3,0.905,4,0.834,5,0.552,11,0.136,20,1.442,23,1.669,27,0.47,28,0.455,29,0.197,32,0.136,33,0.233,34,0.136,40,0.233,41,0.159,43,0.135,48,0.086,51,0.252,53,0.171,58,0.84,66,0.301,67,0.263,68,0.698,80,0.418,83,0.179,86,0.13,87,1.231,88,0.052,90,0.57,95,2.821,100,0.61,102,0.08
4,103,0.273,104,0.333,105,1.945,106,1.042,107,0.487,110,0.39,111,0.61,112,1.051,115,0.44,116,0.2,118,0.525,120,1.847,121,0.337,122,1.576,126,0.086,129,0.457,130,0.457,131,0.457,133,0.118,134,0.814,143,0.791,148,0.176,149,0.698,154,0.373,159,0.791,160,0.233,161,0.233,173,0.267,176,0.448,184,0.654,192,0.233,198,0.337,209,0.394,211,1.369,227,0.159,239,0.61,244,0.55,252,0.525,253,0.84,262,0.373,273,0.41,274,0.2,279,0.267,280,0.48,287,0.89,288,0.23,292,0.57,294,0.84,303,0.2,308,0.61,311,0.431,312,0.744,319,0.996,344,0.2,346,0.122,348,3.076,351,0.134,353,0.167,414,0.167,415,0.122,416,0.159,417,0.196,418,0.267,419,0.273,420,0.233,442,0.952,444,0.758,473,0.487,485,0.698,511,0.5,512,0.074,518,1.669,547,0.983,550,0.337,551,0.273,554,1.756,563,1.587,564,0.367,580,0.267,624,2.41,628,0.373,630,0.84,649,0.527,656,0.301,696,1.587,702,0.781,711,3.862,716,1.847,764,1.051,765,1.042,785,2.881,792,1.756,845,0.353,850,0.233,864,1.847,872,0.554,873,0.233,877,0.89,882,1.509,889,0.996,891,1.587,903,0.84,918,0.791,983,1.296,992,0.181,1001,0.744,1002,0.439,1003,2.881,1014,2.049,1018,0.337,1102,2.708,1103,1.231,1104,2.881,1108,1.587,1122,1.364,1123,0.424,1143,1.945,1165,0.791,1213,0.487,1242,1.369,1353,3.872,1385,1.767,1444,1.847,1503,0.197,1522,2.881,1523,0.568,1525,0.996,1530,1.669,1606,1.051,1669,1.435,1677,0.448,1694,0.926,1785,2.552,1795,2.41,1960,2.049,2008,0.765,2009,1.847,2025,2.28,2036,2.708,2037,3.299,2038,3.872,2039,2.049,2043,2.881,2044,2.049,2045,2.708,2102,2.28,2104,1.442,2110,0.744,2112,2.16,2213,1.945,2417,2.987,2539,1.945,2546,2.708,2687,1.847,2902,1.847,2985,2.669,3304,1.945,3464,1.231,3502,2.552,3537,1.597,3861,1.858,3868,3.299,3888,2.552,4108,3.872,4171,2.28,4303,3.076,4388,3.559,4451,2.881,4737,2.881,4738,2.28,5782,3.559,5794,3.299,5883,2.41,6346,3.559,6590,4.263,7615,4.788,7616,4.788,7617,4.992,7620,4.263,7650,3.872,7805,2.708,7917,4.788,7918,3.872,7919,4.788,7920,4.263,7921,4.263,7922,4.788,7923,4.788,7924,3.872,7925,4.788]],["title/general/ir.html",[2,4.44,3,4.108,4,4.
401,5,2.912,104,1.658,110,2.411,288,1.107,511,2.339]],["breadcrumb/general/ir.html",[6,0.198,110,1.147,288,0.527,511,1.113]],["description/general/ir.html",[3,2.64,104,1.065,110,1.549,261,4.401,288,0.712,310,9.563,511,1.503,512,0.293,696,6.298,917,1.628,2036,10.745,2076,10.745]],["body/general/ir.html",[0,0.121,2,0.984,3,0.911,4,0.494,5,0.495,9,0.248,11,0.163,12,2.289,13,0.453,14,0.49,16,0.568,17,0.934,19,0.549,20,1.483,26,0.524,27,0.502,28,0.469,29,0.196,30,0.729,31,0.494,32,0.163,33,0.266,34,0.185,37,0.423,39,3.069,40,0.162,41,0.126,43,0.08,44,0.149,45,0.46,47,0.094,48,0.083,51,0.295,52,0.68,53,0.172,54,0.347,56,0.423,60,0.299,62,0.394,65,0.366,66,0.316,67,0.268,68,0.484,69,0.366,70,1.047,76,0.503,77,0.48,79,0.56,80,0.313,81,0.568,82,0.783,83,0.152,84,0.691,85,0.162,86,0.131,88,0.039,89,0.041,91,0.854,94,0.665,97,0.654,98,0.484,99,0.973,100,0.568,102,0.071,104,0.343,105,1.349,107,0.587,108,3.073,110,0.488,111,0.641,112,0.729,113,0.804,114,0.484,115,0.414,116,0.246,117,0.431,118,0.417,119,0.618,121,0.406,123,0.392,124,0.654,126,0.095,127,0.733,128,0.618,129,0.5,130,0.47,131,0.516,133,0.086,134,0.714,135,0.583,140,0.665,143,0.736,145,0.49,146,0.366,148,0.18,149,0.817,152,0.876,154,0.436,156,0.313,159,0.83,161,0.261,162,0.139,165,0.511,167,1.561,168,0.996,169,1.158,172,1.088,173,0.248,175,1.77,176,0.578,178,0.596,182,0.259,183,0.394,184,0.453,187,0.692,188,0.87,192,0.245,194,0.281,198,0.406,199,0.692,205,2.042,206,1.045,207,0.529,209,0.354,211,0.811,212,0.245,218,0.494,219,0.841,220,0.978,221,0.285,223,0.516,225,0.946,226,2.242,227,0.126,229,1.582,231,2.134,233,1.033,234,0.978,235,2.53,238,1.582,239,0.423,240,1.78,242,1.047,244,0.594,246,1.506,249,0.419,252,0.311,253,1.05,254,0.659,259,1.349,260,2.114,261,1.364,262,0.459,263,0.513,264,0.378,265,0.641,271,0.392,273,0.505,274,0.139,275,0.87,276,0.551,277,0.513,278,0.519,279,0.28,280,0.48,281,0.382,282,0.394,287,0.618,288,0.248,290,1.282,291,1.582,292,0.338,293,0.484,294,0.982,296,1.672,297,2.121,298,0.691,299,0.591,300
,0.546,301,1.421,302,2.151,303,0.258,304,0.259,308,0.423,310,3.083,311,0.406,312,0.516,313,0.989,315,1.78,316,0.394,317,1.178,318,1.088,319,1.294,322,1.361,323,0.511,326,0.854,328,0.817,329,0.354,330,0.354,332,0.654,335,0.77,337,2.519,339,0.287,340,0.382,341,0.209,344,0.139,346,0.117,349,2.519,351,0.137,353,0.156,367,1.999,370,2.054,374,0.887,376,1.515,385,0.946,388,0.899,399,2.519,400,0.828,410,0.246,411,0.394,412,0.394,413,0.394,414,0.206,415,0.128,416,0.126,417,0.156,418,0.248,419,0.162,420,0.162,425,0.765,430,0.394,434,1.477,435,1.672,438,1.335,440,1.218,441,0.736,444,0.751,446,0.299,450,1.158,468,0.691,473,0.587,484,0.729,487,0.414,490,0.618,491,1.582,494,2.134,496,0.453,500,1.088,510,1.582,511,0.507,512,0.099,514,1.104,518,1.158,520,0.926,521,0.699,522,0.617,523,0.648,532,0.899,539,0.699,540,1.44,542,1.218,547,0.583,550,0.441,551,0.291,553,2.374,554,1.969,560,0.828,564,0.41,566,0.685,570,1.477,572,0.419,580,0.334,582,1.146,624,1.672,627,1.77,628,0.419,629,0.99,633,1.582,637,0.583,640,0.516,641,2.519,651,1.969,653,0.692,656,0.353,657,0.471,659,0.828,660,1.293,661,0.484,671,2.01,672,0.729,675,2.267,676,2.134,685,1.227,686,0.494,687,0.529,688,1.55,690,0.899,691,1.719,693,0.574,696,2.063,702,0.423,703,1.335,708,0.654,710,3.011,715,1.672,716,1.282,717,0.338,738,0.899,741,1.77,745,1.626,753,1.349,756,0.54,758,0.996,761,2.374,764,0.978,765,1.041,767,2.423,769,0.618,775,0.618,776,1.335,780,1.158,783,1.104,784,1.404,785,1.999,792,2.266,793,1.843,794,1.158,802,0.996,807,0.338,845,0.377,856,0.691,863,0.882,868,1.672,871,2.242,872,0.558,873,0.295,877,0.618,881,2.134,889,0.926,891,1.477,894,1.719,895,1.216,897,0.49,898,2.862,899,1.095,903,0.583,905,0.83,908,1.421,909,0.926,912,1.381,914,1.719,917,0.556,918,0.736,919,0.733,927,1.499,928,0.529,987,0.946,989,0.649,992,0.152,1001,0.516,1002,0.378,1004,1.165,1006,0.494,1009,1.158,1018,0.421,1020,0.484,1021,2.242,1034,1.218,1038,2.686,1039,1.809,1040,1.719,1044,1.999,1048,2.519,1049,1.335,1051,1.999,1052,1.218,1054,0.83,1056,0.8
99,1103,0.854,1108,1.666,1111,1.336,1116,1.381,1119,1.032,1123,0.411,1124,1.553,1126,1.421,1130,2.339,1142,1.421,1143,1.809,1147,0.854,1156,1.752,1159,2.042,1163,1.672,1165,1.012,1166,0.899,1169,1.999,1177,0.781,1185,2.842,1186,0.423,1189,2.469,1203,1.101,1213,0.453,1227,1.878,1230,1.057,1232,2.469,1233,1.969,1238,0.549,1253,1.477,1254,1.77,1257,1.77,1261,1.158,1262,2.121,1269,0.394,1271,0.691,1275,1.361,1287,1.672,1288,0.394,1291,4.782,1294,0.394,1333,1.095,1334,0.608,1348,0.787,1372,3.967,1384,2.842,1385,1.404,1386,1.872,1403,1.999,1405,1.77,1409,2.134,1425,2.298,1436,1.878,1437,1.146,1446,1.282,1503,0.211,1504,1.679,1507,2.289,1508,3.311,1523,0.394,1525,1.261,1526,1.582,1528,1.499,1529,1.672,1538,1.421,1539,1.032,1540,1.218,1543,1.218,1544,1.158,1548,2.272,1549,1.672,1557,1.041,1562,2.686,1564,0.736,1565,1.672,1566,1.454,1572,1.218,1573,2.423,1577,0.978,1616,0.854,1621,0.654,1624,1.499,1628,1.77,1629,4.064,1632,1.499,1634,0.729,1638,0.998,1665,1.101,1666,2.01,1677,0.503,1678,1.349,1680,1.666,1683,1.454,1685,1.939,1687,2.686,1692,2.519,1694,1.002,1695,1.999,1696,1.104,1711,1.672,1714,1.282,1717,1.672,1757,2.042,1766,2.134,1784,1.218,1787,1.032,1789,2.289,1793,1.282,1794,1.165,1799,2.469,1853,1.77,1866,0.649,1876,1.101,1880,2.289,1881,1.878,1885,1.693,1932,2.519,1933,2.114,1937,5.6,1952,1.499,1956,0.691,1958,2.134,1962,1.421,2008,0.608,2017,1.206,2020,2.072,2022,2.242,2027,2.289,2028,1.063,2030,2.543,2032,4.45,2036,3.464,2037,3.859,2039,1.421,2040,3.736,2041,4.058,2042,3.069,2043,2.68,2044,2.151,2047,1.218,2050,2.134,2061,1.499,2062,1.999,2063,3.602,2064,2.601,2065,1.752,2066,2.52,2075,2.679,2076,2.842,2078,1.158,2086,2.686,2089,2.134,2095,1.368,2096,2.01,2099,2.423,2100,1.672,2102,2.393,2103,2.01,2109,0.946,2110,0.781,2112,1.499,2115,0.978,2117,2.134,2133,2.557,2206,3.967,2209,2.393,2213,1.349,2214,2.289,2216,1.032,2217,2.958,2220,1.421,2222,2.958,2223,1.633,2232,2.686,2240,2.469,2247,1.77,2265,1.421,2307,3.311,2323,2.289,2326,4.662,2327,2.469,2331,1.878,2337,1.58
2,2338,1.582,2339,1.999,2357,1.499,2399,1.77,2406,2.686,2412,1.906,2413,1.499,2416,1.878,2417,1.77,2418,2.01,2432,1.349,2439,2.289,2444,0.882,2467,1.516,2470,3.311,2472,2.686,2476,0.811,2573,2.679,2574,2.469,2632,1.878,2657,1.999,2668,2.686,2675,3.069,2686,0.654,2692,1.878,2694,1.293,2695,2.289,2739,1.77,2822,1.672,2859,3.231,2862,1.672,2869,2.519,2872,2.686,2883,1.672,2894,1.878,2902,1.939,2981,4.454,2986,2.862,3027,2.686,3036,1.218,3039,0.654,3041,2.134,3089,2.289,3107,1.952,3120,3.013,3126,3.322,3127,3.322,3142,3.322,3218,1.553,3222,3.322,3232,2.289,3237,1.77,3275,1.672,3297,0.996,3310,2.519,3401,1.335,3409,1.999,3447,3.311,3465,0.854,3538,1.282,3543,1.582,3567,1.633,3613,1.878,3620,3.736,3671,3.322,3682,2.134,3691,1.878,3766,3.069,3811,2.958,3826,1.878,3828,0.996,3845,2.161,3849,1.164,3850,1.999,3858,2.121,3861,1.101,3862,1.218,3890,1.693,3898,2.519,4004,0.811,4005,1.421,4022,2.469,4027,3.602,4028,3.037,4104,2.519,4105,1.596,4214,3.069,4256,1.999,4303,2.134,4417,2.862,4426,2.958,4430,2.679,4434,1.719,4436,2.121,4437,2.985,4518,2.958,4524,1.582,4526,3.967,4691,1.999,4692,3.322,4734,1.999,4736,4.662,4738,2.121,4769,2.686,4786,2.68,4792,1.999,4799,1.404,4860,1.843,4868,2.121,5162,2.862,5182,1.77,5303,2.686,5349,2.958,5533,2.958,5552,2.862,5557,3.322,5772,2.469,5788,1.421,5798,2.686,5963,4.286,6229,2.686,6264,3.322,6315,3.322,6346,2.469,6392,2.686,6539,3.311,6572,2.958,6577,2.134,6584,3.704,6588,3.602,7020,4.124,7129,2.469,7622,3.322,7632,2.958,7638,4.454,7646,2.686,7648,5.026,7652,3.463,7679,3.231,7790,2.686,7795,2.686,7797,2.958,7801,2.862,7805,1.878,7829,2.958,7837,3.602,7854,3.322,7871,2.469,7880,1.843,7892,2.958,7926,3.874,7927,3.874,7928,4.454,7929,3.874,7930,2.686,7931,2.686,7932,3.322,7933,2.958,7934,5.195,7935,3.874,7936,3.322,7937,3.874,7938,3.874,7939,6.532,7940,5.195,7941,3.602,7942,3.874,7943,3.322,7944,3.874,7945,3.874,7946,3.874,7947,3.322,7948,3.874,7949,3.874,7950,5.195,7951,3.874,7952,4.454,7953,5.195,7954,2.958,7955,3.874,7956,3.322,7957,3.874,795
8,5.6,7959,3.874,7960,3.874,7961,3.874,7962,3.874,7963,5.861,7964,6.868,7965,5.195,7966,5.861,7967,5.37,7968,5.861,7969,3.874,7970,5.195,7971,5.195,7972,5.861,7973,3.874,7974,3.874,7975,3.874,7976,3.874,7977,3.874,7978,3.874,7979,3.874,7980,3.874,7981,2.01,7982,5.861,7983,3.874,7984,4.782,7985,5.195,7986,3.967,7987,5.195,7988,2.958,7989,3.322,7990,4.454,7991,3.874,7992,3.874,7993,3.874,7994,3.874,7995,3.874,7996,3.874,7997,3.874,7998,3.874,7999,3.322,8000,3.874,8001,3.874,8002,3.874,8003,3.874,8004,5.195,8005,3.874,8006,3.874,8007,3.874,8008,3.874,8009,3.322,8010,3.874,8011,3.322,8012,3.874,8013,3.874,8014,3.322,8015,3.874,8016,3.874,8017,3.874,8018,3.874,8019,3.874,8020,3.874,8021,3.874,8022,3.874,8023,2.958,8024,3.322,8025,3.874,8026,3.874,8027,3.874,8028,3.322,8029,3.874,8030,3.874,8031,2.686,8032,2.686]],["title/general/kubernetes.html",[2,4.693,3,4.342,4,4.651,5,3.077,104,1.752,872,2.694,1949,4.857]],["breadcrumb/general/kubernetes.html",[6,0.224,110,1.296,1949,2.469]],["description/general/kubernetes.html",[89,0.14,102,0.215,103,0.742,104,1.178,133,0.293,134,1.942,280,1.306,779,2.833,872,1.313,903,2.673,928,1.808,992,0.432,1002,1.072,1119,3.53,1213,1.551,1949,2.368,2684,7.67,3314,6.875,5784,11.328,8033,15.238,8034,15.238,8035,13.57]],["body/general/kubernetes.html",[0,0.119,2,0.967,3,0.828,4,0.943,5,0.608,7,0.508,9,0.194,11,0.175,14,0.567,16,0.586,17,0.957,20,1.408,26,0.482,27,0.508,28,0.267,31,0.518,32,0.161,33,0.271,34,0.175,35,0.305,37,0.586,38,1.622,40,0.303,41,0.178,43,0.137,44,0.15,45,0.441,47,0.146,48,0.054,49,1.908,51,0.338,53,0.186,58,0.807,60,0.326,65,0.384,67,0.274,68,0.83,69,0.384,76,0.326,77,0.394,79,0.533,80,0.362,81,0.586,83,0.181,85,0.17,86,0.119,87,0.765,88,0.048,89,0.047,90,0.652,91,0.896,92,0.957,97,0.686,98,0.508,99,0.76,100,0.586,102,0.065,103,0.17,104,0.328,106,1.086,109,1.659,113,0.476,115,0.474,116,0.26,117,0.441,118,0.43,121,0.411,123,0.401,124,0.686,126,0.094,127,0.508,129,0.499,130,0.477,131,0.464,133,0.112,134,0.76,137,0.476,139,1.3
24,143,0.76,148,0.187,150,0.444,153,0.586,156,0.324,160,0.294,161,0.17,162,0.244,165,0.355,167,1.541,169,1.215,173,0.341,176,0.533,178,0.675,180,0.798,182,0.272,183,0.413,184,0.476,188,0.541,189,0.586,192,0.17,193,0.476,194,0.385,199,0.926,200,1.065,206,0.725,207,0.675,208,3.102,209,0.324,211,0.851,212,0.266,213,1.559,214,0.43,218,0.299,221,0.441,222,0.518,225,1.31,227,0.179,230,1.245,239,0.444,244,0.603,249,0.443,252,0.43,254,0.384,262,0.272,263,0.394,264,0.245,265,0.444,270,0.718,271,0.324,273,0.299,274,0.262,275,0.85,277,0.529,278,0.524,279,0.305,280,0.441,288,0.213,292,0.524,293,0.508,298,0.725,299,0.643,303,0.249,304,0.272,305,0.506,306,1.754,308,0.656,310,1.754,311,0.411,315,1.706,318,0.851,322,1.394,323,0.524,328,0.83,329,0.324,330,0.324,332,0.905,333,1.389,339,0.298,340,0.488,341,0.29,344,0.252,346,0.124,351,0.142,353,0.161,363,0.506,369,1.344,384,0.686,388,0.943,410,0.145,414,0.191,415,0.119,416,0.099,417,0.122,418,0.256,419,0.17,420,0.17,425,0.628,426,0.714,433,0.85,438,1.044,441,1.021,442,0.714,444,0.444,446,0.347,468,1.07,473,0.557,475,1.044,480,1.449,482,0.943,490,0.957,498,0.272,501,0.576,503,3.718,507,1.192,508,3.305,510,2.19,511,0.364,512,0.099,518,1.215,519,0.943,520,0.956,521,0.546,522,0.384,523,0.384,524,1.013,527,0.13,529,0.993,537,1.97,538,1.278,546,1.215,547,0.611,550,0.431,551,0.305,552,1.524,564,0.301,566,0.603,572,0.427,580,0.287,596,0.993,630,0.611,634,0.355,636,0.855,640,0.85,647,0.686,649,0.506,653,0.714,657,0.482,660,0.896,664,1.97,681,2.314,685,0.851,686,0.299,687,0.65,690,1.394,693,0.43,699,0.993,702,0.444,706,2.767,708,0.686,709,2.342,713,1.098,717,0.468,739,2.096,744,1.336,756,0.566,761,2.451,764,0.765,768,1.64,771,1.381,775,0.648,776,1.705,779,1.226,784,1.794,790,0.896,791,1.065,792,1.278,793,1.686,799,1.215,807,0.355,845,0.207,850,0.25,856,1.07,864,1.344,868,1.754,872,0.562,873,0.305,877,0.648,889,0.956,890,1.278,897,0.603,900,1.491,903,0.611,905,0.76,906,0.611,912,1.408,917,0.394,918,1.021,922,1.659,928,0.675,934,2.238,954,0.777,9
87,0.993,990,1.336,992,0.155,1000,1.659,1001,0.884,1002,0.419,1004,0.956,1006,0.469,1011,1.044,1017,1.754,1018,0.362,1020,0.75,1033,2.349,1035,3.64,1036,0.956,1039,2.223,1040,2.255,1044,2.096,1046,1.044,1052,1.278,1055,2.074,1119,1.431,1122,0.993,1123,0.465,1141,1.673,1159,1.415,1163,1.754,1165,0.76,1166,0.943,1167,0.524,1177,0.611,1181,1.394,1186,0.586,1194,1.491,1200,1.603,1203,1.524,1212,2.954,1213,0.595,1235,0.943,1238,0.904,1242,0.851,1255,1.394,1269,0.413,1270,1.278,1271,0.725,1281,2.401,1283,1.044,1288,0.611,1289,1.449,1294,0.413,1315,2.6,1334,0.476,1346,1.572,1348,0.628,1361,0.67,1377,0.943,1392,0.807,1423,1.077,1424,1.659,1445,0.896,1446,1.344,1474,1.706,1503,0.213,1504,1.044,1513,0.943,1520,2.401,1523,0.733,1525,0.725,1539,0.807,1540,1.278,1541,1.754,1543,1.278,1544,1.794,1557,0.648,1558,2.817,1559,2.401,1564,0.576,1606,0.765,1625,1.968,1634,1.01,1638,0.855,1639,1.044,1666,1.572,1667,0.807,1677,0.326,1685,1.774,1690,1.215,1692,2.911,1694,0.76,1696,0.765,1700,0.896,1702,3.102,1709,1.278,1714,1.774,1770,1.857,1772,2.767,1784,1.278,1786,0.956,1794,0.956,1861,1.659,1866,0.508,1886,1.524,1888,2.817,1894,1.857,1930,2.096,1949,1.031,1950,2.323,1951,1.792,1952,2.322,1953,2.19,1965,3.932,1966,2.202,2006,1.01,2008,0.476,2010,2.401,2022,2.314,2025,2.19,2026,1.098,2028,0.903,2031,1.659,2049,2.6,2081,1.01,2082,1.887,2085,3.168,2089,3.307,2090,1.814,2095,1.123,2097,3.102,2108,1.344,2109,0.993,2115,1.283,2213,1.415,2216,1.065,2224,1.572,2265,1.491,2323,2.401,2331,1.97,2332,0.765,2337,1.659,2338,1.659,2399,1.857,2400,2.238,2444,0.611,2448,2.817,2449,4.583,2450,4.095,2451,2.341,2452,1.659,2461,1.986,2463,2.096,2467,1.638,2468,4.43,2469,4.069,2474,2.59,2476,0.851,2477,2.007,2479,3.546,2480,3.718,2539,2.53,2540,3.718,2541,3.097,2542,3.771,2543,3.307,2544,3.546,2545,3.546,2546,1.97,2575,2.584,2576,2.362,2577,2.421,2579,3.102,2580,2.591,2581,3.546,2583,1.986,2590,1.098,2609,3.102,2626,2.817,2630,4.07,2633,2.007,2678,1.754,2681,5.69,2682,2.59,2684,2.755,2689,2.314,2691,3.755,26
93,2.218,2730,1.491,2752,2.767,2756,3.484,2760,2.817,2764,3.293,2779,1.754,2815,1.491,2822,1.754,2828,3.307,2831,2.59,2832,2.817,2833,2.238,2837,3.418,2853,5.067,2854,2.501,2887,2.817,2982,2.314,3039,0.686,3041,2.238,3122,0.725,3135,2.096,3141,1.155,3237,1.857,3238,2.817,3297,1.378,3306,1.97,3314,2.469,3464,1.324,3499,2.59,3503,1.754,3536,1.97,3537,0.993,3538,1.986,3606,1.559,3613,3.218,3628,1.659,3680,2.096,3682,3.307,3704,2.238,3781,2.954,3960,1.278,4028,1.97,4031,2.401,4038,3.418,4262,4.598,4263,2.59,4299,4.069,4363,2.59,4419,1.754,4437,1.857,4725,4.726,4726,3.168,4738,1.659,4799,1.098,4936,4.874,4971,3.168,4997,5.546,4998,3.484,4999,4.069,5000,4.095,5064,3.155,5094,2.59,5096,5.69,5097,5.147,5098,3.718,5129,4.095,5130,2.591,5131,5.473,5163,2.401,5278,3.418,5513,1.857,5538,2.238,5543,4.095,5587,2.322,5719,3.102,5768,3.102,5772,2.59,5782,3.418,5783,3.484,5784,3.826,6133,2.451,6270,2.817,6584,2.238,6799,5.204,6805,5.147,6913,2.401,6965,3.484,7013,2.817,7188,3.484,7194,2.59,7398,3.102,7478,3.102,7628,3.484,7805,1.97,7806,3.484,7807,3.102,7810,3.484,7822,3.484,7893,3.102,8023,3.102,8033,5.147,8034,4.598,8035,3.102,8036,4.063,8037,4.063,8038,4.063,8039,4.063,8040,4.063,8041,5.362,8042,6.002,8043,5.362,8044,5.362,8045,4.063,8046,5.362,8047,4.598,8048,6.636,8049,6.383,8050,5.362,8051,6.002,8052,6.002,8053,3.102,8054,5.362,8055,5.362,8056,4.063,8057,6.002,8058,4.063,8059,4.063,8060,4.063,8061,4.063,8062,3.102,8063,4.063,8064,4.063,8065,4.063,8066,4.063,8067,5.362,8068,5.362,8069,3.102,8070,4.063,8071,3.484,8072,6.002,8073,4.063,8074,4.063,8075,4.063,8076,6.636,8077,4.063,8078,4.598,8079,4.063,8080,5.362,8081,5.69,8082,6.002,8083,4.063,8084,4.063,8085,4.063,8086,4.063,8087,4.063,8088,5.362,8089,4.063,8090,4.063,8091,4.063,8092,4.063,8093,4.063,8094,4.063,8095,4.063,8096,5.362,8097,4.063,8098,4.063,8099,4.063,8100,4.063,8101,4.063]],["title/general/logging.html",[2,5.954,3,3.898,4,4.176,5,2.763,104,1.573,110,2.288,244,2.599,845,1.665]],["breadcrumb/general/logging.html",[2,
1.895,6,0.178,110,1.029,244,1.169,845,0.749]],["description/general/logging.html",[104,1.042,110,1.515,148,0.535,244,2.221,292,1.891,487,1.308,547,3.26,845,1.423,1165,3.071,4171,8.849,4303,11.938]],["body/general/logging.html",[0,0.12,2,0.963,3,0.898,5,0.347,7,0.754,9,0.196,11,0.166,13,0.852,14,0.388,17,0.655,20,0.906,23,1.228,26,0.484,27,0.519,28,0.478,29,0.183,30,1.332,32,0.147,33,0.261,34,0.185,35,0.288,40,0.171,41,0.1,43,0.112,44,0.146,46,2.263,47,0.1,48,0.08,51,0.319,52,0.704,53,0.164,54,0.428,55,1.11,56,0.701,60,0.258,62,0.614,65,0.388,66,0.386,67,0.272,69,0.629,70,1.46,76,0.33,77,0.397,79,0.484,80,0.248,81,0.449,82,0.514,83,0.169,84,0.733,85,0.225,86,0.113,88,0.048,89,0.042,94,0.614,98,0.514,102,0.084,104,0.32,105,1.431,106,1.022,107,0.471,110,0.422,111,0.66,112,1.136,114,0.514,115,0.407,116,0.147,118,0.515,121,0.387,122,1.191,123,0.361,126,0.094,127,0.514,129,0.512,130,0.478,131,0.519,133,0.1,135,0.812,137,0.8,138,0.954,140,0.418,145,0.57,146,0.605,148,0.189,149,0.754,150,0.782,151,0.963,153,0.59,154,0.361,156,0.412,159,1.031,160,0.298,161,0.285,162,0.238,165,0.358,167,1.254,172,1.512,173,0.196,176,0.434,180,0.706,181,1.003,182,0.361,183,0.652,187,0.72,188,0.887,189,0.59,192,0.252,193,0.481,194,0.376,198,0.412,199,0.72,205,1.881,206,0.963,207,0.55,211,0.86,212,0.306,214,0.515,216,0.547,218,0.489,219,0.91,221,0.302,222,0.512,225,1.566,227,0.131,231,2.263,240,2.01,241,0.597,244,0.621,246,1.551,249,0.361,250,0.954,252,0.33,254,0.629,258,0.655,261,1.073,262,0.51,263,0.489,264,0.402,265,0.701,270,0.652,271,0.292,273,0.443,274,0.193,275,0.981,279,0.318,280,0.302,281,0.397,282,0.418,284,1.056,286,2.119,287,1.062,288,0.22,289,1.773,292,0.608,294,0.908,296,2.604,302,1.507,303,0.264,304,0.361,311,0.427,312,0.854,314,1.292,315,1.167,316,0.55,317,0.693,319,0.733,321,1.992,322,0.954,323,0.597,327,0.765,328,0.754,329,0.326,330,0.326,335,0.816,339,0.171,340,0.302,341,0.222,344,0.229,346,0.135,351,0.139,353,0.218,365,0.779,373,1.535,374,0.987,385,1.003,388,0.954,397,0.582,4
00,0.861,410,0.249,411,0.418,412,0.418,413,0.418,414,0.181,415,0.12,416,0.1,417,0.123,418,0.258,419,0.171,420,0.171,430,0.418,433,0.765,434,1.535,439,1.431,444,0.701,446,0.288,449,3.522,450,1.228,451,0.388,470,1.589,475,1.551,481,1.589,486,2.263,487,0.427,490,0.655,498,0.457,500,1.131,501,0.582,504,0.547,511,0.485,512,0.071,513,0.388,516,1.199,519,0.954,520,0.733,522,0.51,527,0.101,531,0.418,532,0.954,539,0.652,543,0.655,547,1.028,550,0.436,551,0.309,552,1.167,557,1.507,558,1.228,560,0.861,564,0.374,565,1.263,566,0.51,568,1.359,570,1.167,572,0.466,582,0.906,586,1.992,596,1.003,610,1.359,624,1.773,627,1.877,628,0.274,629,0.547,633,2.205,634,0.471,636,0.655,637,0.812,640,0.547,651,2.15,653,0.804,656,0.326,657,0.33,659,0.962,660,1.469,661,0.675,662,1.883,671,1.589,672,0.773,679,2.848,685,1.131,686,0.302,690,0.954,693,0.559,696,1.167,708,0.693,710,2.887,713,1.46,725,0.582,738,0.954,745,1.578,746,1.136,753,1.431,754,1.431,755,1.982,756,0.484,758,1.388,764,1.332,765,0.861,771,1.073,775,0.655,782,1.474,783,0.773,787,2.427,790,0.906,791,1.073,794,1.228,801,2.848,803,1.773,807,0.358,845,0.389,863,0.812,871,1.773,872,0.562,873,0.278,877,0.655,885,1.33,891,1.535,895,1.176,897,0.51,899,0.861,900,1.982,903,0.618,905,0.765,908,1.982,909,1.219,917,0.512,919,0.481,920,1.003,921,1.787,928,0.55,954,0.481,989,0.754,992,0.162,997,3.136,1002,0.326,1004,0.733,1006,0.443,1007,1.787,1010,1.359,1011,1.056,1017,1.773,1018,0.248,1033,1.698,1044,2.119,1046,1.056,1048,1.992,1049,1.388,1054,0.582,1056,1.488,1080,0.693,1107,1.388,1108,1.167,1111,1.384,1116,0.906,1123,0.445,1130,1.787,1142,1.507,1150,2.848,1153,2.119,1156,2.158,1163,2.331,1164,2.508,1165,1.07,1166,1.618,1167,0.443,1168,1.219,1177,0.812,1186,0.449,1190,2.427,1203,1.167,1230,1.218,1235,1.401,1238,0.908,1242,1.131,1255,0.954,1258,2.089,1262,2.205,1274,1.787,1275,0.954,1279,0.773,1283,1.388,1287,2.331,1288,0.418,1289,1.11,1294,0.55,1334,0.481,1348,0.481,1350,0.693,1357,2.089,1385,1.46,1386,1.615,1389,2.331,1392,1.273,1406,0.906,1430,2
.119,1433,1.507,1444,1.359,1446,1.359,1447,2.205,1473,1.46,1478,1.11,1503,0.198,1504,1.388,1505,2.427,1513,1.254,1526,2.205,1539,1.073,1541,1.773,1543,1.698,1544,1.615,1550,1.228,1555,1.228,1561,1.992,1564,0.908,1577,0.773,1610,2.119,1616,1.191,1619,1.414,1624,2.089,1625,1.507,1626,2.016,1627,1.773,1634,0.773,1638,0.861,1665,1.535,1667,0.618,1677,0.33,1681,1.359,1696,1.017,1709,1.897,1712,2.205,1714,1.787,1757,2.427,1770,2.468,1771,3.136,1784,1.292,1786,0.963,1787,1.199,1792,1.017,1793,1.359,1795,1.773,1832,1.228,1852,1.535,1854,1.615,1856,1.167,1866,0.884,1869,1.773,1881,2.619,1885,1.631,1890,2.848,1914,2.263,1915,1.292,1930,2.119,1954,1.507,1956,0.963,1957,1.319,1961,2.263,1967,0.86,2006,0.773,2017,1.661,2019,1.877,2028,0.618,2037,2.427,2048,2.263,2066,2.594,2075,1.877,2078,1.916,2081,1.136,2082,1.292,2083,1.715,2084,1.877,2089,2.263,2090,1.167,2095,1.342,2096,2.696,2104,0.906,2106,2.618,2108,1.359,2110,0.911,2111,1.881,2118,2.263,2119,2.263,2201,1.992,2209,2.791,2212,1.292,2223,1.292,2224,1.589,2232,2.848,2244,1.773,2255,2.089,2321,2.263,2332,0.773,2337,1.677,2338,1.677,2340,2.848,2396,3.522,2399,3.124,2400,2.263,2412,1.507,2421,1.992,2432,1.431,2433,1.773,2434,2.094,2436,1.589,2439,3.191,2444,1.064,2448,2.848,2461,2.203,2462,4.631,2467,1.618,2476,0.86,2559,3.191,2583,1.359,2633,1.292,2657,2.119,2665,1.992,2675,3.191,2683,2.427,2687,1.359,2690,3.113,2701,2.119,2730,1.507,2731,2.263,2813,3.136,2854,1.507,2862,2.951,2867,1.773,2868,2.508,2869,3.469,2875,1.292,2886,3.565,2959,3.136,2962,1.589,2972,3.136,2985,2.205,3020,3.522,3036,1.292,3038,3.745,3039,0.911,3088,3.522,3090,2.263,3107,1.916,3120,2.331,3141,1.822,3221,1.535,3237,1.877,3275,1.773,3391,2.427,3401,1.388,3431,4.124,3447,2.618,3465,0.906,3535,2.427,3549,2.119,3551,2.618,3556,2.975,3557,2.618,3567,1.292,3579,2.119,3618,2.427,3620,2.618,3781,2.263,3849,0.816,3867,1.877,3868,2.427,3870,1.877,3888,1.877,3890,1.883,3893,5.174,3898,2.619,4003,2.468,4004,1.498,4005,2.352,4171,3.007,4174,3.522,4215,2.119,4354,2.61
8,4422,3.136,4436,1.677,4437,1.877,4451,2.119,4514,2.468,4524,2.205,4591,2.618,4728,2.233,4729,2.119,4731,3.136,4737,2.119,4738,1.677,4795,4.124,4796,4.124,4797,3.522,4798,3.522,4799,1.46,4801,2.618,4860,1.292,4871,3.136,5061,2.848,5132,2.618,5166,3.443,5167,3.522,5182,1.877,5204,5.174,5303,2.848,5356,1.677,5357,4.442,5398,2.427,5782,2.618,5788,2.214,5792,2.848,5801,1.992,5826,3.934,5892,2.787,6265,2.848,6577,2.975,6584,2.263,6588,3.745,6804,4.631,6992,2.618,7020,2.427,7027,3.522,7087,3.522,7122,3.522,7660,3.522,7676,2.848,7679,3.113,7742,3.136,7743,3.522,7746,3.522,7770,3.847,7780,4.631,7787,3.522,7797,3.136,7798,2.848,7800,3.136,7801,2.263,7805,2.619,7824,4.631,7837,3.745,7844,3.522,7870,3.136,7871,2.618,7880,2.223,7902,3.136,7910,2.848,7912,4.608,7913,3.522,7918,2.848,7928,3.522,7941,2.848,7981,2.089,7986,5.085,8031,4.184,8032,4.74,8102,4.107,8103,4.631,8104,4.631,8105,4.107,8106,4.631,8107,3.522,8108,3.522,8109,4.107,8110,4.107,8111,4.107,8112,4.107,8113,5.401,8114,3.522,8115,4.107,8116,3.522,8117,4.107,8118,4.107,8119,3.522,8120,4.107,8121,4.107,8122,4.107,8123,4.107,8124,4.107,8125,4.107,8126,4.107,8127,4.107,8128,4.107,8129,4.107,8130,4.107,8131,6.034,8132,6.034,8133,4.107,8134,3.522,8135,4.107,8136,4.107,8137,4.107,8138,4.107,8139,4.107,8140,4.107,8141,4.107,8142,4.107,8143,4.107,8144,3.136,8145,3.136,8146,4.107,8147,4.107,8148,4.107,8149,4.107,8150,4.107,8151,4.107,8152,4.107,8153,4.631,8154,4.107,8155,3.136,8156,4.107,8157,4.107,8158,3.522,8159,4.107]],["title/general/methodology.html",[2,5.297,3,4.901,4,5.25,5,3.473,122,9.073]],["breadcrumb/general/methodology.html",[6,0.224,110,1.296,122,4.087]],["description/general/methodology.html",[5,2.055,67,0.866,100,2.661,118,1.954,348,13.41,353,0.73,1242,5.097,2985,9.94]],["body/general/methodology.html",[0,0.125,1,2.231,2,0.975,3,0.84,5,0.471,7,0.541,9,0.324,11,0.168,12,3.299,13,0.654,14,0.408,15,2.998,16,0.61,17,1.042,19,0.982,20,0.954,26,0.448,27,0.487,28,0.406,31,0.41,32,0.168,33,0.257,34,0.171,35,0.296,37,0.
473,41,0.105,43,0.115,44,0.135,47,0.105,51,0.252,53,0.107,54,0.373,56,0.473,58,0.65,60,0.207,62,0.44,65,0.408,66,0.233,67,0.275,69,0.408,70,1.169,76,0.497,77,0.41,80,0.373,81,0.473,83,0.18,84,0.996,85,0.18,86,0.139,87,1.165,88,0.05,89,0.053,90,0.605,91,0.954,94,0.568,96,1.297,97,0.942,98,0.698,99,0.926,100,0.676,102,0.052,112,0.814,113,0.506,116,0.234,117,0.518,118,0.595,119,1.079,120,1.848,121,0.443,122,1.493,123,0.373,125,1.169,126,0.074,128,0.689,129,0.391,130,0.391,131,0.433,133,0.12,134,0.789,136,2.128,137,0.853,138,1.436,139,1.364,140,0.568,142,1.292,143,0.926,145,0.617,146,0.527,148,0.153,149,0.773,150,0.796,151,0.771,154,0.452,156,0.408,159,0.613,161,0.289,162,0.248,165,0.487,167,1.004,172,1.169,173,0.331,176,0.347,178,0.44,182,0.289,183,0.629,184,0.845,187,0.744,189,0.74,192,0.233,193,0.654,194,0.353,198,0.431,199,0.576,201,1.36,205,1.945,211,1.169,212,0.301,213,1.056,214,0.347,218,0.525,221,0.41,222,0.525,225,1.056,227,0.15,231,2.382,232,0.859,233,0.65,239,0.715,240,1.229,244,0.519,245,0.506,246,1.435,249,0.413,250,1.004,252,0.589,253,1.103,256,1.103,257,2.998,263,0.542,264,0.431,265,0.676,270,0.44,271,0.233,273,0.454,276,0.525,277,0.41,278,0.454,279,0.312,280,0.48,281,0.454,282,0.568,284,1.111,286,2.231,287,0.986,288,0.179,292,0.487,293,0.541,299,0.688,301,2.049,303,0.263,304,0.413,305,0.408,311,0.418,312,0.576,322,1.004,323,0.377,327,0.791,328,0.698,329,0.373,330,0.373,331,1.673,332,1.103,333,0.905,337,3.282,338,2.231,339,0.273,340,0.41,341,0.334,342,0.576,344,0.252,346,0.13,348,2.382,350,0.576,351,0.137,353,0.222,363,0.675,365,0.845,370,1.36,376,0.954,385,1.056,404,0.905,410,0.242,411,0.568,412,0.568,413,0.568,414,0.222,415,0.139,416,0.171,417,0.211,418,0.342,419,0.258,420,0.258,425,0.506,430,0.568,431,1.229,435,1.866,440,1.36,442,0.902,444,0.676,446,0.345,473,0.54,474,2.382,481,2.16,482,1.297,484,1.231,487,0.337,496,0.765,498,0.373,501,0.926,503,2.998,505,2.998,511,0.478,512,0.057,513,0.408,516,1.109,518,1.669,519,1.004,529,1.056,530,1.586,531,0.568,53
9,0.568,542,1.36,544,0.905,547,0.65,550,0.431,551,0.18,554,1.36,558,1.849,562,1.767,563,1.758,564,0.314,565,1.369,566,0.527,570,1.229,572,0.289,580,0.331,583,2.544,587,1.848,589,2.554,628,0.373,634,0.54,637,0.983,640,0.744,651,1.36,656,0.353,657,0.448,660,0.954,662,1.169,664,2.097,671,1.673,672,1.275,686,0.318,687,0.44,698,1.765,699,1.056,702,0.473,711,3.999,717,0.377,725,0.613,726,2.393,744,1.295,764,1.165,765,0.689,768,1.111,769,0.689,773,1.673,775,0.689,776,1.111,785,2.231,790,0.954,794,1.292,807,0.591,815,2.756,816,1.377,845,0.367,851,2.998,863,1.043,868,1.866,872,0.548,873,0.282,880,3.076,891,1.229,895,0.729,902,1.292,905,0.959,912,0.954,920,1.056,921,1.848,928,0.44,954,0.506,992,0.168,1002,0.44,1006,0.318,1007,1.431,1009,1.292,1011,1.59,1015,2.382,1016,2.756,1018,0.373,1020,0.846,1035,2.231,1036,0.996,1048,2.097,1049,1.59,1052,1.36,1080,0.729,1103,0.954,1107,1.111,1108,1.229,1112,2.457,1116,1.232,1124,1.849,1130,1.431,1143,1.945,1147,1.364,1159,1.506,1166,1.518,1167,0.318,1168,1.103,1170,1.232,1181,1.004,1186,0.676,1188,3.301,1194,1.586,1212,2.382,1233,1.36,1235,1.518,1238,0.959,1242,0.905,1254,2.827,1255,1.297,1261,1.292,1269,0.568,1274,1.431,1275,1.004,1283,1.435,1286,1.669,1288,0.44,1289,1.169,1294,0.44,1333,0.689,1343,1.945,1348,0.506,1350,0.942,1352,2.554,1353,2.998,1357,2.393,1363,1.866,1373,1.36,1375,1.004,1380,2.41,1385,1.952,1387,2.998,1392,0.859,1403,2.231,1405,1.976,1408,1.597,1430,3.492,1437,1.232,1442,1.976,1447,1.765,1503,0.204,1504,1.111,1506,3.408,1513,1.66,1525,0.996,1526,1.765,1528,2.765,1529,2.992,1530,2.109,1544,2.023,1547,2.919,1548,1.848,1549,2.41,1551,3.076,1552,1.673,1555,1.292,1557,0.89,1558,2.998,1563,3.873,1565,2.67,1566,1.004,1572,1.756,1575,2.231,1595,3.943,1624,1.673,1638,0.689,1677,0.543,1678,1.506,1692,3.17,1700,1.556,1709,1.756,1714,1.848,1771,3.301,1785,1.976,1786,0.771,1788,2.998,1789,3.299,1790,1.431,1791,2.28,1792,0.814,1793,1.431,1794,0.996,1796,1.431,1856,1.229,1866,0.698,1885,1.672,1886,1.229,1894,1.976,1897,2.097,1915,1
.945,1921,1.669,1922,1.976,1939,3.301,1959,3.299,1962,2.27,1967,0.905,2006,0.814,2008,0.654,2020,1.431,2021,2.756,2026,1.509,2029,1.506,2031,1.765,2038,3.873,2039,1.586,2046,2.231,2048,2.382,2052,2.097,2065,1.292,2073,2.708,2090,1.97,2092,2.382,2095,0.905,2099,2.529,2104,1.232,2115,0.814,2118,2.382,2119,2.382,2128,2.756,2179,3.301,2203,1.587,2209,1.765,2212,1.36,2224,1.673,2233,1.866,2240,2.756,2244,2.41,2247,2.552,2249,2.28,2294,4.992,2308,2.756,2319,3.56,2323,2.554,2332,1.231,2335,2.998,2336,3.301,2399,2.552,2405,3.301,2418,1.292,2422,3.56,2433,2.822,2452,2.831,2455,3.329,2467,1.004,2476,0.905,2477,1.756,2541,2.231,2546,3,2559,3.299,2645,1.765,2646,2.231,2656,1.169,2657,2.231,2683,2.554,2684,2.41,2694,0.954,2730,1.586,2739,1.976,2810,2.756,2824,2.998,2885,2.756,2962,2.393,2985,1.765,2986,1.976,3027,2.998,3039,1.044,3041,2.382,3089,3.299,3111,3.301,3115,2.554,3118,2.28,3141,1.229,3221,1.229,3224,2.756,3237,2.827,3275,2.41,3300,2.554,3313,1.765,3392,3.707,3399,1.866,3407,2.382,3455,3.707,3465,0.954,3476,2.998,3500,1.586,3502,1.976,3536,2.708,3540,1.945,3544,2.047,3549,2.231,3556,3.076,3557,2.756,3579,2.231,3609,3.299,3680,2.881,3698,4.789,3849,1.109,3858,1.765,3861,1.587,3890,1.169,3952,3.707,4028,2.097,4032,3.408,4104,2.097,4215,2.231,4238,2.998,4254,3.301,4303,3.408,4328,2.554,4340,2.998,4385,2.998,4388,2.756,4390,4.264,4417,2.382,4419,1.866,4420,4.167,4430,1.976,4434,1.848,4437,1.976,4647,2.554,4648,2.998,4713,4.264,4733,2.998,4737,2.881,4763,3.301,4782,2.554,4786,2.231,4799,1.672,4801,2.756,4999,2.756,5064,1.866,5100,1.765,5130,3.044,5162,2.382,5163,2.554,5332,2.231,5356,2.764,5379,4.992,5398,2.554,5447,2.998,5525,3.873,5587,1.673,5683,2.998,5740,2.998,5742,4.264,5743,4.264,5750,5.304,5769,4.789,5772,2.756,5785,3.707,5790,2.097,5798,2.998,5814,3.707,6184,2.881,6235,2.097,6574,2.998,6644,3.301,6779,2.998,6847,2.998,7024,5.606,7194,2.756,7406,2.998,7478,3.301,7609,3.707,7624,4.789,7625,2.756,7627,4.789,7631,3.707,7632,4.264,7645,3.301,7646,3.873,7650,5.051,7652,2.
554,7679,2.231,7680,3.707,7688,5.304,7690,2.998,7691,4.264,7705,2.998,7706,4.723,7707,4.723,7725,4.264,7753,2.097,7772,3.707,7798,2.998,7801,3.886,7842,3.707,7861,3.56,7866,3.301,7867,3.301,7868,4.264,7869,3.707,7871,2.756,7876,3.707,7888,4.789,7891,3.707,7892,4.264,7893,3.301,7894,3.707,7899,3.707,7910,2.998,7923,3.707,7924,3.873,7925,4.789,7930,2.998,7931,3.873,7947,3.707,7952,3.707,7954,4.264,8062,3.301,8106,3.707,8134,3.707,8145,4.264,8155,3.301,8160,4.789,8161,4.324,8162,4.324,8163,4.324,8164,5.585,8165,5.585,8166,4.324,8167,6.769,8168,4.324,8169,4.324,8170,4.324,8171,4.264,8172,3.707,8173,3.707,8174,3.301,8175,4.324,8176,4.324,8177,3.707,8178,4.324,8179,5.585,8180,4.324,8181,4.324,8182,3.707,8183,6.186,8184,4.324,8185,4.324,8186,5.585,8187,5.585,8188,4.324,8189,4.324,8190,4.324,8191,3.707,8192,4.324,8193,4.324,8194,4.324,8195,4.324,8196,4.324,8197,4.324,8198,4.324,8199,4.324,8200,4.324,8201,4.324,8202,4.324,8203,4.324,8204,3.707,8205,3.707,8206,4.324,8207,5.585,8208,4.324,8209,4.324,8210,4.324,8211,3.707,8212,3.707,8213,3.707,8214,4.324,8215,5.585,8216,5.585,8217,4.324,8218,4.324,8219,5.585,8220,4.324,8221,4.324,8222,4.324,8223,4.324,8224,4.324,8225,3.707,8226,3.707,8227,4.324,8228,5.585,8229,4.324,8230,4.324,8231,4.324,8232,4.324]],["title/general/network.html",[2,4.693,3,4.342,4,4.651,5,3.077,104,1.752,110,2.549,115,2.312]],["breadcrumb/general/network.html",[6,0.224,110,1.296,115,1.175]],["description/general/network.html",[40,0.848,67,0.724,104,0.977,110,1.422,112,3.829,115,1.29,518,6.078,850,0.848,872,1.503,877,3.241,882,5.496,889,3.626,1294,2.069,1444,6.727,1621,3.43,2031,8.303]],["body/general/network.html",[0,0.12,2,0.955,3,0.918,4,0.517,7,0.881,11,0.161,14,0.626,16,0.697,19,0.939,24,2.231,25,1.864,26,0.481,27,0.542,28,0.48,29,0.198,30,1.008,31,0.298,32,0.18,33,0.256,34,0.161,35,0.325,37,0.585,40,0.298,41,0.181,43,0.084,44,0.146,45,0.393,47,0.098,48,0.071,50,1.792,51,0.348,52,0.382,53,0.176,54,0.443,56,0.443,58,0.609,59,2.393,60,0.194,62,0.412,65,0.382
,66,0.289,67,0.271,68,0.797,69,0.505,71,1.411,77,0.468,79,0.325,80,0.244,82,0.506,83,0.155,86,0.112,88,0.04,89,0.052,91,0.893,94,0.412,100,0.443,102,0.084,103,0.169,104,0.327,105,1.411,106,0.646,107,0.523,110,0.283,111,0.78,112,1.327,113,0.474,114,0.797,115,0.491,116,0.228,118,0.325,123,0.426,125,1.095,126,0.088,127,0.669,129,0.529,130,0.493,131,0.525,133,0.088,135,0.609,137,0.474,144,1.62,145,0.382,146,0.382,148,0.148,150,0.443,151,1.182,152,0.683,153,0.725,154,0.358,156,0.362,160,0.25,161,0.284,162,0.237,165,0.523,167,1.48,173,0.325,176,0.59,178,0.412,180,0.626,182,0.271,187,0.713,188,1.012,189,0.443,190,1.654,192,0.223,193,0.474,194,0.289,197,1.654,198,0.4,199,0.54,200,1.501,201,2.332,203,1.946,205,1.864,206,1.069,207,0.412,209,0.362,211,1.12,212,0.294,213,0.989,218,0.5,222,0.44,223,0.713,230,1.242,233,0.609,235,1.748,239,0.655,242,1.62,244,0.56,247,0.848,252,0.325,253,0.609,254,0.382,258,0.646,262,0.485,264,0.244,265,0.697,271,0.219,273,0.54,274,0.249,276,0.325,279,0.256,280,0.51,281,0.298,282,0.412,284,1.041,286,2.09,287,0.646,298,0.722,299,0.685,300,0.633,301,2.432,303,0.262,304,0.271,305,0.505,308,0.697,311,0.323,312,0.798,313,1.076,316,0.649,319,0.954,321,1.964,323,0.523,327,0.574,328,0.9,329,0.385,330,0.362,333,1.12,335,0.805,339,0.25,340,0.393,341,0.289,344,0.252,346,0.124,349,3.492,351,0.143,353,0.16,368,1.041,385,0.989,410,0.192,411,0.412,412,0.412,413,0.412,414,0.18,415,0.112,416,0.161,417,0.121,418,0.256,419,0.169,420,0.169,427,1.063,431,1.703,441,1.064,442,0.54,444,0.697,446,0.325,451,0.505,459,0.95,473,0.556,482,1.242,485,0.749,487,0.244,498,0.271,501,0.574,504,0.713,507,0.805,509,1.77,511,0.363,512,0.079,513,0.382,516,0.805,517,2.564,518,2.132,520,0.954,523,0.382,527,0.142,529,1.464,531,0.733,537,1.964,543,0.646,547,0.609,550,0.411,551,0.223,558,1.211,564,0.301,568,2.109,570,1.151,572,0.358,577,1.964,580,0.349,587,1.77,624,1.748,628,0.271,630,0.901,634,0.353,640,0.849,647,1.172,649,0.714,654,2.231,656,0.219,657,0.566,658,2.582,659,0.646,662,1.975,68
4,1.683,686,0.393,699,0.989,702,0.585,708,1.011,713,1.095,741,1.851,744,1.12,756,0.325,758,1.041,764,0.763,765,1.057,769,0.646,771,0.805,775,0.955,782,1.464,783,0.763,784,1.62,791,0.805,807,0.523,845,0.206,850,0.321,852,1.567,856,0.722,863,0.609,872,0.561,873,0.25,876,2.582,877,1.22,882,2.035,883,2.808,885,0.722,889,1.342,891,1.521,895,0.903,897,0.505,902,1.211,903,0.959,905,0.758,906,0.412,908,1.963,909,1.339,918,0.758,920,0.989,928,0.545,933,2.087,954,0.877,980,2.761,989,0.749,992,0.13,1001,0.713,1002,0.323,1004,1.069,1006,0.5,1018,0.4,1020,0.506,1025,2.393,1033,2.141,1039,1.411,1049,1.375,1080,1.011,1102,1.964,1103,1.18,1111,0.805,1123,0.467,1125,1.748,1146,0.989,1163,2.861,1167,0.468,1168,0.954,1173,0.94,1176,2.393,1181,1.48,1182,2.31,1186,0.585,1194,1.486,1203,1.151,1230,0.683,1235,1.391,1238,0.758,1239,1.964,1242,0.848,1251,1.34,1253,1.521,1255,0.94,1259,1.567,1271,0.954,1275,1.242,1276,1.211,1281,2.393,1287,1.748,1288,0.545,1289,1.095,1294,0.744,1346,2.07,1348,0.474,1357,1.567,1361,0.669,1377,0.94,1406,1.18,1408,1.557,1417,3.473,1423,0.683,1435,2.761,1436,3.091,1438,2.231,1439,4.086,1442,3.375,1444,2.193,1445,1.18,1471,2.09,1473,1.986,1474,1.703,1478,1.095,1495,1.851,1496,1.851,1499,2.595,1501,3.473,1503,0.213,1504,1.041,1513,1.242,1523,0.412,1525,0.722,1526,1.654,1528,1.567,1529,1.748,1540,1.683,1541,2.31,1547,1.654,1550,2.107,1552,2.466,1565,1.748,1572,1.683,1573,1.567,1577,0.763,1606,1.008,1619,1.18,1621,1.172,1622,2.185,1627,2.587,1628,1.851,1633,1.654,1634,0.763,1635,1.654,1666,2.318,1667,0.901,1677,0.43,1694,0.758,1696,1.008,1713,1.411,1714,1.34,1764,1.964,1777,1.654,1782,2.31,1784,1.274,1786,0.722,1792,1.282,1793,2.109,1795,2.587,1885,1.62,1886,1.151,1892,1.864,1921,1.211,1951,1.242,1952,1.567,1953,2.185,1956,0.954,1961,2.231,1966,1.486,1967,1.12,2008,0.776,2012,2.634,2013,1.486,2015,2.948,2017,1.391,2028,0.959,2031,1.654,2044,1.486,2045,2.595,2047,1.274,2052,2.595,2057,1.095,2061,2.466,2072,3.093,2095,1.454,2102,1.654,2107,4.086,2109,0.989,2110,0.54,2
130,2.913,2203,1.521,2210,2.808,2214,2.393,2215,2.199,2223,1.884,2224,1.567,2233,2.31,2249,1.654,2255,1.567,2329,2.231,2332,1.008,2399,1.851,2429,1.654,2432,1.411,2433,2.752,2444,0.609,2460,3.093,2473,2.231,2476,0.848,2478,3.092,2551,1.748,2573,2.445,2583,1.34,2593,2.808,2633,2.184,2645,2.185,2686,0.683,2687,1.34,2694,0.893,2745,2.231,2752,2.09,2815,1.486,2831,2.582,2832,2.808,2833,2.948,2837,3.411,2854,2.339,2864,2.09,2868,1.963,2887,2.808,2890,2.808,2894,1.964,2976,1.748,3011,2.582,3036,2.141,3039,0.683,3096,2.393,3122,0.722,3138,3.473,3145,3.864,3146,3.473,3218,2.28,3219,3.473,3221,1.521,3237,1.851,3256,2.231,3275,1.748,3288,1.77,3289,2.393,3291,1.654,3297,1.54,3313,1.654,3317,3.473,3336,1.274,3361,2.231,3366,2.393,3379,3.473,3399,1.748,3401,1.75,3407,2.231,3476,2.808,3500,1.486,3503,1.748,3536,1.964,3540,2.087,3545,2.808,3579,2.09,3603,1.274,3606,0.989,3611,2.808,3620,2.582,3644,3.473,3691,2.595,3772,4.086,3781,2.231,3849,1.19,3854,2.447,3867,1.851,3870,1.851,3883,3.473,3885,3.473,3890,1.095,3898,2.595,3910,2.231,4004,1.255,4039,2.595,4118,3.093,4169,1.654,4171,1.654,4263,3.411,4281,1.486,4297,2.808,4362,2.582,4418,2.808,4436,2.707,4437,1.851,4442,1.748,4611,2.808,4703,3.093,4724,3.092,4736,2.808,4738,2.185,4740,2.808,4790,2.231,4861,3.473,4936,4.086,4938,3.473,4959,4.722,5094,2.582,5168,2.582,5181,2.582,5182,2.445,5355,4.156,5357,4.341,5362,4.064,5365,3.473,5391,3.473,5531,2.582,5540,3.093,5574,1.654,5587,1.567,5634,4.588,5635,4.086,5778,3.093,6133,2.445,6183,3.82,6184,2.09,6271,3.093,6346,3.411,6350,1.851,6577,2.231,6654,3.473,6803,3.473,6913,2.393,7022,3.093,7212,3.473,7283,2.582,7408,3.411,7475,4.156,7501,3.093,7654,2.582,7676,2.808,7679,3.289,7727,3.473,7753,2.906,7770,3.411,7778,4.588,7781,3.473,7782,3.473,7783,3.473,7784,4.588,7795,2.808,7801,2.231,7805,1.964,7808,3.473,7870,4.086,7871,3.411,7880,1.274,7916,3.473,7981,2.318,7990,3.473,8069,5.499,8078,4.588,8114,3.473,8144,3.093,8171,5.383,8172,4.588,8233,5.993,8234,3.473,8235,4.05,8236,4.05,8237,5.993,823
8,5.993,8239,4.05,8240,4.086,8241,4.05,8242,4.05,8243,4.05,8244,5.993,8245,3.473,8246,4.05,8247,3.473,8248,3.473,8249,4.05,8250,4.05,8251,4.05,8252,4.05,8253,4.05,8254,4.05,8255,4.05,8256,4.05,8257,4.05,8258,4.05,8259,4.05,8260,5.351,8261,4.05,8262,4.05,8263,5.351,8264,4.05,8265,3.473,8266,4.05,8267,3.473,8268,4.05,8269,4.05,8270,3.473,8271,4.05,8272,3.473,8273,4.05,8274,3.473,8275,3.473,8276,4.05,8277,4.05,8278,4.05,8279,4.05,8280,3.093,8281,3.473,8282,4.05]],["title/general/shared-responsibility.html",[2,4.693,3,4.342,4,4.651,5,3.077,511,2.473,702,3.984,992,0.885]],["breadcrumb/general/shared-responsibility.html",[6,0.178,110,1.029,511,0.998,702,1.608,992,0.357]],["description/general/shared-responsibility.html",[2,2.565,3,3.153,71,6.939,209,1.202,351,0.373,511,1.351,686,1.464,872,1.472,903,2.997,1018,1.202,1185,9.661,1606,3.752,1794,3.553,1795,8.599,3868,11.771,7918,13.815]],["body/general/shared-responsibility.html",[0,0.126,2,0.982,3,0.919,4,0.886,5,0.497,11,0.143,13,0.55,16,0.513,17,0.748,20,1.035,26,0.516,27,0.543,28,0.497,29,0.183,30,0.884,33,0.273,34,0.156,35,0.281,40,0.281,41,0.172,42,2.774,43,0.122,44,0.154,47,0.156,48,0.062,49,1.759,50,1.591,51,0.34,52,0.443,53,0.187,54,0.314,56,0.513,65,0.443,66,0.318,67,0.268,71,2.61,74,3.585,75,3.585,79,0.377,80,0.355,83,0.143,85,0.246,86,0.13,88,0.035,90,0.588,92,1.025,96,1.09,97,1.085,98,0.843,99,0.665,102,0.078,103,0.246,104,0.36,105,2.239,106,0.938,110,0.522,111,0.643,113,0.55,114,0.885,115,0.461,116,0.253,119,0.748,121,0.442,122,1.035,124,0.792,125,1.269,126,0.089,127,0.736,129,0.495,130,0.449,131,0.495,133,0.097,134,0.759,135,0.706,136,1.85,137,0.789,138,1.09,139,1.298,140,0.654,142,1.403,143,0.834,145,0.607,146,0.443,148,0.145,149,0.736,151,0.837,153,0.643,154,0.45,156,0.407,159,0.665,160,0.196,161,0.246,162,0.168,173,0.224,176,0.472,178,0.599,183,0.478,189,0.513,192,0.196,194,0.347,197,1.917,198,0.283,199,0.626,206,1.05,209,0.465,211,1.232,212,0.268,218,0.345,222,0.345,223,0.626,225,1.147,227,0.114,239,0.513,2
44,0.51,253,0.885,254,0.556,262,0.314,265,0.513,271,0.318,273,0.432,274,0.168,276,0.472,277,0.562,278,0.562,279,0.224,280,0.495,287,0.938,288,0.189,292,0.41,293,0.587,299,0.556,300,0.514,302,2.159,303,0.241,311,0.388,312,0.626,316,0.599,318,0.983,321,2.277,322,1.366,323,0.514,327,0.834,333,1.232,339,0.196,346,0.14,351,0.141,353,0.176,365,0.55,370,1.476,400,0.748,410,0.248,414,0.193,415,0.12,416,0.114,417,0.141,432,1.269,433,0.665,440,1.476,444,0.643,446,0.224,482,1.09,485,0.804,504,0.856,507,0.933,511,0.517,512,0.078,522,0.443,523,0.443,532,1.09,543,0.938,544,0.983,551,0.296,554,1.476,557,1.723,560,0.938,563,1.334,564,0.404,566,0.607,568,1.553,572,0.393,580,0.224,610,1.553,624,2.54,628,0.314,630,1.044,634,0.41,637,0.706,640,0.626,649,0.686,653,0.626,656,0.347,672,1.108,684,1.85,686,0.432,691,1.947,696,1.673,702,0.835,708,0.993,709,1.723,736,1.476,739,2.422,745,1.298,753,1.635,756,0.377,773,2.277,774,2.277,775,0.748,779,0.748,790,1.035,792,2.021,807,0.561,845,0.299,850,0.196,852,2.487,868,2.026,872,0.566,873,0.196,877,0.748,878,2.774,889,0.837,891,1.334,895,0.792,899,0.748,903,1.044,909,0.837,913,1.553,914,1.553,918,0.834,919,0.689,920,1.438,926,2.277,928,0.599,954,0.689,984,2.145,992,0.184,1001,0.856,1002,0.419,1004,1.238,1006,0.472,1007,1.553,1010,1.553,1019,1.553,1050,1.816,1054,1.003,1080,0.792,1103,1.562,1107,1.732,1116,1.298,1122,1.57,1123,0.433,1142,2.159,1165,0.911,1177,0.885,1181,1.09,1185,2.277,1186,0.513,1213,0.588,1254,2.689,1270,1.476,1279,0.884,1294,0.478,1348,0.689,1361,0.843,1406,1.035,1408,1.147,1444,2.127,1447,2.625,1474,1.334,1503,0.217,1509,2.774,1518,1.334,1525,1.146,1527,2.145,1530,1.403,1538,1.723,1541,2.026,1547,2.403,1548,2.127,1550,1.922,1552,1.816,1572,1.476,1606,1.21,1621,0.792,1669,1.925,1677,0.377,1690,1.403,1694,0.834,1696,1.108,1699,1.759,1765,2.145,1786,0.837,1792,0.884,1793,1.947,1794,0.837,1795,2.996,1860,3.256,1866,0.804,1881,2.277,1914,3.242,1933,2.021,1945,3.242,1953,2.403,1954,1.723,1960,1.723,2000,2.277,2008,0.829,2028,0.885,20
30,1.635,2039,2.159,2047,1.85,2062,3.036,2065,1.403,2066,1.723,2090,1.673,2095,1.505,2102,2.752,2127,1.635,2130,2.689,2200,2.625,2213,1.635,2215,1.723,2224,1.816,2231,3.242,2249,2.752,2323,2.774,2332,0.884,2412,1.723,2416,2.277,2417,3.41,2444,1.014,2467,1.09,2563,2.422,2682,2.993,2687,1.553,2813,3.585,2830,2.586,2867,2.026,2869,2.277,2902,1.553,2958,2.993,2967,2.586,2976,2.026,3029,2.586,3039,0.792,3107,1.922,3214,2.145,3221,1.673,3242,4.026,3280,3.585,3297,1.732,3310,2.277,3403,2.422,3404,2.586,3462,2.422,3464,1.531,3537,1.73,3539,1.917,3556,2.586,3606,1.73,3607,3.585,3775,2.586,3834,3.585,3849,0.933,3861,1.334,3868,4.184,3888,2.689,3890,1.737,3989,3.256,4021,2.774,4105,1.147,4108,4.081,4109,3.541,4340,3.256,4418,3.256,4421,3.585,4434,1.553,4437,2.145,4527,3.585,4594,4.494,4654,2.993,4738,1.917,4786,2.422,4790,2.586,4860,1.476,4930,3.751,5029,3.256,5061,3.256,5168,2.993,5363,2.993,5477,2.993,5549,2.422,5551,3.585,5748,2.993,5789,2.774,5790,2.277,5963,3.751,6348,5.046,6565,3.585,6584,2.586,6587,4.026,6592,4.026,6731,2.774,7625,2.993,7633,4.026,7650,3.256,7652,2.774,7661,4.026,7722,5.046,7723,3.256,7753,2.277,7786,4.026,7790,3.256,7821,4.026,7838,4.026,7861,2.993,7880,1.85,7902,4.494,7917,4.026,7918,4.813,7919,6.072,7920,4.908,7924,3.256,7930,3.256,7933,3.585,7936,4.026,7984,3.585,8009,4.026,8011,4.026,8028,5.046,8053,3.585,8158,4.026,8160,5.779,8171,5.146,8174,3.585,8280,3.585,8283,4.026,8284,6.428,8285,4.026,8286,4.026,8287,4.695,8288,4.695,8289,4.695,8290,4.695,8291,5.885,8292,4.695,8293,5.885,8294,4.695,8295,4.695,8296,4.695,8297,4.695,8298,4.695,8299,4.695,8300,4.695,8301,4.695,8302,4.695,8303,4.695,8304,6.739,8305,4.695,8306,4.695,8307,4.695,8308,4.695,8309,4.026,8310,6.428,8311,4.695,8312,4.695,8313,4.695,8314,4.695,8315,3.256,8316,4.695,8317,4.695,8318,3.585,8319,4.695,8320,4.695,8321,4.695,8322,4.695]],["title/general/threat-model.html",[2,4.693,3,5.939,4,4.651,5,3.077,992,0.885,1002,2.199]],["breadcrumb/general/threat-model.html",[3,1.753,6,0.178,110,1.029,
992,0.357,1002,0.888]],["description/general/threat-model.html",[2,2.673,3,2.473,67,0.739,287,3.309,303,0.743,329,1.253,330,1.253,444,2.269,891,5.901,903,3.123,1002,1.253,1638,3.309,2008,2.43,3120,8.96,8323,20.76]],["body/general/threat-model.html",[0,0.118,2,0.986,3,0.901,5,0.574,7,0.778,9,0.209,11,0.176,13,0.659,17,0.992,19,0.881,20,0.965,26,0.452,27,0.405,28,0.482,29,0.177,30,1.237,32,0.178,33,0.273,34,0.177,35,0.314,43,0.116,44,0.14,45,0.413,47,0.106,48,0.058,50,1.681,51,0.335,52,0.413,53,0.153,54,0.376,56,0.478,58,0.658,59,2.584,60,0.314,65,0.587,66,0.236,67,0.271,68,0.821,69,0.587,71,1.523,80,0.339,82,0.778,84,1.003,85,0.235,86,0.13,88,0.049,89,0.049,94,0.633,97,0.738,98,0.547,102,0.079,104,0.353,105,1.523,107,0.382,110,0.501,111,0.478,112,0.824,114,0.547,115,0.431,116,0.157,118,0.452,119,0.697,121,0.42,122,1.241,124,0.738,126,0.09,127,0.547,129,0.306,130,0.306,131,0.306,133,0.072,134,0.718,135,0.846,137,0.728,140,0.445,145,0.531,148,0.139,151,0.78,154,0.376,156,0.339,159,1.015,160,0.183,162,0.243,164,1.786,165,0.543,172,0.916,173,0.269,178,0.573,180,0.769,183,0.691,185,2.297,187,0.583,188,0.829,189,0.718,192,0.274,193,0.512,194,0.375,197,1.786,198,0.427,199,0.926,200,1.236,204,3.099,205,2.166,207,0.445,209,0.446,212,0.302,213,1.604,216,0.583,223,0.964,227,0.165,235,1.888,240,1.243,241,0.382,244,0.447,250,1.016,252,0.499,253,1.111,258,0.697,262,0.416,264,0.375,265,0.615,271,0.355,273,0.499,274,0.223,275,0.75,276,0.351,277,0.558,278,0.558,279,0.346,280,0.413,281,0.532,286,3.209,287,1.142,288,0.234,289,1.888,299,0.62,300,0.382,303,0.273,304,0.376,308,0.76,311,0.264,312,0.75,315,1.931,318,1.178,319,1.212,320,2.41,322,1.016,323,0.543,327,0.62,328,0.849,329,0.437,330,0.432,339,0.26,344,0.249,346,0.116,351,0.137,353,0.186,365,0.512,374,1.002,376,1.448,385,1.52,400,0.897,410,0.268,414,0.204,415,0.127,441,0.881,444,0.835,446,0.297,447,3.033,450,1.308,463,2.257,481,2.54,484,0.824,485,0.849,486,2.41,496,0.769,501,0.62,504,0.583,507,0.869,510,2.297,511,0.501,512,0.094,51
3,0.531,517,2.177,518,1.308,520,1.109,521,0.445,524,1.049,527,0.116,531,0.72,533,2.584,536,3.033,537,2.121,539,0.445,540,0.965,542,1.375,543,1.047,544,1.178,550,0.443,551,0.283,554,1.375,558,1.308,559,3.324,561,1.888,562,1.681,564,0.391,566,0.676,568,1.862,572,0.376,580,0.314,587,1.447,596,1.375,628,0.292,629,0.955,630,1.022,631,1.372,633,2.297,637,0.936,649,0.587,653,0.583,656,0.236,657,0.545,672,1.059,675,1.692,685,1.375,686,0.321,687,0.573,691,1.862,699,1.069,702,0.718,703,1.124,707,3.34,713,1.182,717,0.491,738,1.016,741,2.571,744,0.916,756,0.351,760,1.446,764,1.237,765,0.897,767,1.692,773,1.692,775,0.897,776,1.446,779,0.697,782,1.069,790,0.965,799,1.308,813,1.888,816,1.349,845,0.36,856,0.78,863,0.936,872,0.523,873,0.317,876,2.788,880,2.41,884,2.41,885,0.78,888,1.866,891,2.01,894,1.306,895,0.738,902,2.079,903,0.846,905,0.62,906,0.445,918,0.62,920,1.069,921,1.862,928,0.691,954,0.854,988,2.41,989,0.547,992,0.18,1002,0.453,1004,1.003,1006,0.413,1007,1.862,1010,1.447,1018,0.375,1039,2.166,1046,1.688,1080,1.049,1103,0.965,1107,1.746,1108,1.243,1116,1.241,1119,1.118,1123,0.344,1143,1.96,1147,0.965,1148,1.999,1159,1.96,1166,1.016,1168,1.109,1177,0.658,1186,0.68,1233,1.375,1235,1.016,1238,0.62,1254,1.999,1255,1.306,1261,1.308,1262,2.297,1287,1.888,1288,0.445,1291,4.296,1294,0.668,1334,0.769,1351,3.751,1359,2.121,1373,1.375,1380,1.888,1386,1.682,1388,2.788,1392,1.118,1408,1.069,1412,3.34,1424,2.297,1433,1.605,1442,2.571,1444,1.862,1446,1.447,1503,0.193,1504,1.599,1513,1.577,1522,2.257,1523,0.573,1527,1.999,1528,2.406,1529,2.428,1541,2.428,1552,1.692,1563,3.033,1566,1.016,1569,3.34,1571,2.257,1575,2.257,1577,1.059,1606,0.824,1616,0.965,1619,0.965,1624,1.692,1626,1.375,1627,1.888,1629,3.033,1633,2.774,1634,1.237,1635,2.54,1638,0.897,1640,3.033,1667,0.846,1677,0.527,1687,3.033,1694,0.797,1695,2.257,1696,0.824,1700,0.965,1704,3.586,1707,3.902,1708,3.033,1709,1.375,1710,1.605,1757,1.96,1785,1.999,1786,1.212,1791,2.681,1792,0.824,1794,0.78,1853,1.999,1866,0.884,1872,2.788,1876,
1.599,1883,1.523,1886,1.768,1888,3.033,1928,3.34,1931,2.728,1933,1.375,1945,3.617,1949,0.583,1957,1.069,1959,2.584,1960,1.605,1961,2.41,1962,2.282,1966,1.605,2007,3.324,2008,0.769,2009,1.447,2012,2.177,2018,2.121,2028,0.658,2031,1.786,2039,2.409,2046,2.257,2049,2.121,2052,2.121,2057,1.182,2064,1.692,2066,1.605,2073,2.121,2074,1.888,2084,1.999,2089,2.41,2090,1.599,2095,1.302,2098,2.788,2099,2.177,2100,3.053,2104,0.965,2108,1.447,2111,1.523,2115,1.279,2118,3.831,2119,3.831,2123,3.902,2130,2.842,2203,1.599,2223,1.769,2235,3.099,2255,1.692,2417,1.999,2442,1.692,2444,0.658,2457,3.033,2476,0.916,2477,1.375,2478,2.257,2583,1.447,2592,3.675,2619,2.257,2632,3.372,2687,1.447,2690,2.257,2694,1.241,2739,1.999,2760,3.033,2765,3.34,2766,3.34,2810,3.586,2860,3.902,2883,2.685,2968,4.014,2980,3.751,2982,2.428,2985,2.54,3037,3.34,3041,2.41,3107,2.031,3122,1.003,3125,3.34,3143,2.788,3220,2.584,3232,2.584,3240,3.751,3278,2.257,3304,1.96,3308,3.751,3313,1.786,3500,1.605,3501,3.34,3522,4.824,3536,2.121,3537,1.375,3538,1.862,3540,1.523,3544,1.447,3554,3.34,3569,2.788,3579,2.257,3580,3.751,3617,3.426,3781,2.41,3828,1.599,3849,1.45,3861,1.243,3870,1.999,3888,1.999,3890,1.182,3908,3.033,4021,2.584,4026,2.788,4028,2.121,4036,3.34,4105,1.069,4417,3.742,4426,4.296,4428,2.788,4430,3.232,4434,1.447,4437,1.999,4446,3.34,4448,3.586,4524,1.786,4611,3.033,4651,5.333,4654,3.965,4701,2.903,4710,3.751,4712,3.34,4729,3.388,4738,1.786,4740,3.902,4786,2.257,4787,4.824,4795,3.34,4799,1.182,4801,2.788,4860,1.769,5130,1.888,5182,2.571,5332,2.903,5550,3.033,5683,3.033,5737,3.751,5748,2.788,5782,4.186,5797,2.728,5801,2.121,5811,2.788,5883,2.428,6084,3.033,6133,1.999,6519,2.788,6574,4.313,6584,2.41,6589,4.824,6992,3.965,7196,3.751,7406,3.902,7578,4.824,7634,3.751,7652,2.584,7654,3.586,7723,3.902,7805,2.121,7866,4.296,7867,4.296,7868,5.014,7880,1.375,7910,4.822,7921,4.749,7922,3.751,7924,3.033,7930,3.033,7931,4.313,7958,3.751,7984,3.34,7986,4.749,8031,4.313,8032,4.711,8053,3.34,8104,3.751,8155,5.014,8173,3.751,81
74,3.34,8213,3.751,8226,3.751,8234,3.751,8265,3.751,8275,4.824,8280,3.34,8286,3.751,8309,3.751,8324,5.626,8325,4.374,8326,4.374,8327,4.313,8328,4.374,8329,4.374,8330,4.374,8331,4.374,8332,5.626,8333,5.626,8334,4.374,8335,3.751,8336,4.824,8337,4.374,8338,5.626,8339,4.374,8340,6.566,8341,4.374,8342,4.374,8343,5.626,8344,4.824,8345,4.374,8346,3.751,8347,4.374,8348,5.626,8349,4.824,8350,4.824,8351,5.626,8352,5.626,8353,4.374,8354,4.374,8355,4.374,8356,4.374,8357,4.374,8358,4.374,8359,5.626,8360,4.374,8361,4.374,8362,4.374,8363,4.374,8364,4.374,8365,4.374,8366,4.374,8367,3.751,8368,4.374,8369,4.374,8370,4.374,8371,5.626,8372,5.626,8373,4.374,8374,4.374,8375,4.374,8376,4.374,8377,4.374,8378,4.374,8379,4.374,8380,3.751,8381,4.374,8382,4.374,8383,4.374,8384,5.626,8385,4.374,8386,4.374,8387,4.374,8388,4.374,8389,4.374,8390,4.374]],["title/general/workloads.html",[2,4.693,3,4.342,4,4.651,5,3.077,104,1.752,110,2.549,1123,2.227]],["breadcrumb/general/workloads.html",[6,0.224,110,1.296,1123,1.132]],["description/general/workloads.html",[4,2.444,104,0.92,110,1.339,116,0.685,444,2.093,512,0.253,872,1.415,918,2.713,1122,6.297,1123,1.17,1213,1.671,1343,6.67,1523,1.949,3464,4.223,3537,4.678,3606,4.678,5515,10.549,5797,9.286]],["body/general/workloads.html",[0,0.123,2,0.982,3,0.884,4,0.934,5,0.499,7,0.492,9,0.251,11,0.153,13,0.82,14,0.558,16,0.646,17,0.627,19,0.744,20,1.448,24,2.167,26,0.506,27,0.536,28,0.443,29,0.112,32,0.096,33,0.264,34,0.153,35,0.33,37,0.574,41,0.096,43,0.149,44,0.136,45,0.289,47,0.096,48,0.083,49,1.569,51,0.33,52,0.371,53,0.188,54,0.439,56,0.646,58,0.592,60,0.188,65,0.371,66,0.34,67,0.27,68,0.656,69,0.496,70,1.703,71,1.37,73,1.908,76,0.316,77,0.526,79,0.542,80,0.237,81,0.43,82,0.492,83,0.179,86,0.136,88,0.039,89,0.056,90,0.573,94,0.4,98,0.492,99,0.977,100,0.43,101,1.219,102,0.076,104,0.361,110,0.512,111,0.574,113,0.791,114,0.656,115,0.444,116,0.254,117,0.496,121,0.356,123,0.451,126,0.083,127,0.492,129,0.514,130,0.459,131,0.512,133,0.116,134,0.718,138,0.913,139,0.8
68,140,0.601,143,0.557,145,0.496,148,0.167,149,0.821,150,0.43,154,0.421,156,0.396,160,0.282,161,0.288,162,0.242,165,0.458,167,1.371,172,0.824,173,0.314,178,0.641,180,0.461,182,0.263,184,0.614,185,1.606,187,0.524,188,0.699,189,0.43,192,0.219,194,0.355,198,0.423,199,0.699,200,1.252,204,2.167,209,0.432,212,0.274,213,0.961,214,0.421,218,0.463,219,0.739,221,0.386,222,0.289,223,0.9,225,0.961,226,2.266,227,0.174,233,0.888,237,3.373,239,0.43,241,0.55,242,1.063,244,0.556,247,1.237,249,0.395,252,0.527,255,3.373,258,0.627,259,1.828,262,0.351,263,0.434,264,0.356,265,0.574,270,0.4,271,0.212,273,0.289,274,0.211,276,0.316,277,0.521,278,0.526,279,0.282,280,0.289,281,0.386,282,0.4,287,0.837,288,0.19,292,0.515,293,0.739,299,0.371,301,2.167,303,0.259,304,0.263,305,0.371,308,0.43,310,1.698,311,0.396,312,0.524,313,0.886,315,1.92,317,0.664,319,0.702,320,3.254,322,0.913,323,0.343,326,0.868,328,0.656,329,0.38,330,0.38,339,0.164,340,0.386,341,0.34,344,0.226,346,0.131,349,1.908,351,0.14,353,0.177,363,0.371,365,0.614,374,0.744,376,0.868,385,1.282,410,0.247,411,0.4,412,0.4,413,0.4,414,0.218,415,0.136,416,0.153,417,0.189,418,0.251,419,0.164,420,0.164,426,0.524,430,0.601,431,1.118,434,1.791,439,1.37,440,1.651,441,0.557,442,0.524,444,0.816,446,0.282,451,0.371,453,1.237,472,2.285,473,0.515,482,0.913,484,0.988,485,0.656,487,0.317,491,1.606,496,0.614,498,0.461,501,0.893,504,0.524,505,3.64,506,1.011,507,0.782,509,1.302,510,1.606,511,0.458,512,0.101,516,0.782,517,1.522,518,1.176,519,1.219,520,0.936,521,0.534,522,0.371,523,0.595,524,0.886,527,0.11,529,1.54,531,0.4,539,0.702,542,1.237,543,0.942,546,1.766,547,0.592,550,0.408,551,0.263,554,1.237,560,0.942,564,0.394,565,0.824,566,0.638,568,1.302,572,0.421,580,0.188,582,0.868,626,1.237,628,0.351,631,1.158,636,0.627,637,0.888,647,0.886,649,0.371,651,1.237,653,0.875,655,0.936,656,0.365,657,0.554,659,0.627,660,1.448,661,0.492,672,0.741,673,0.741,681,2.55,685,0.824,686,0.482,689,2.728,690,0.913,691,1.737,693,0.316,702,0.43,708,0.664,717,0.343,738,1.219,756,0.58
4,760,1.011,761,1.798,765,0.837,769,0.627,771,1.304,772,2.324,776,1.011,779,1.152,782,1.282,783,0.988,790,0.868,793,1.237,794,1.176,799,1.176,804,2.728,807,0.343,816,1.043,845,0.384,850,0.164,852,1.522,864,1.302,868,1.698,872,0.562,873,0.282,877,0.837,882,1.063,884,2.167,889,0.936,891,1.679,899,1.005,900,1.444,902,1.884,909,0.702,912,1.158,913,1.302,918,1.092,920,0.961,921,1.302,922,2.143,928,0.534,936,1.908,954,0.769,985,1.775,987,1.282,989,0.788,992,0.153,1001,0.945,1002,0.423,1004,0.702,1006,0.434,1009,1.569,1010,1.302,1018,0.436,1019,1.737,1020,0.739,1034,1.237,1036,0.702,1039,1.828,1040,1.737,1041,2.03,1043,2.508,1046,1.011,1048,1.908,1049,1.011,1050,1.522,1054,0.893,1055,2.438,1080,0.886,1103,1.158,1108,1.118,1116,1.158,1122,1.819,1123,0.462,1126,1.444,1141,0.913,1142,1.926,1146,1.282,1147,0.868,1158,1.908,1163,2.266,1166,1.219,1167,0.289,1173,0.913,1175,1.522,1177,0.988,1181,0.913,1186,0.766,1193,2.324,1200,2.209,1203,1.791,1212,2.892,1213,0.589,1227,1.908,1228,1.679,1229,2.324,1230,1.163,1235,0.913,1257,2.399,1269,0.601,1271,0.936,1275,1.524,1276,1.884,1279,1.391,1281,2.324,1283,1.011,1286,1.884,1288,0.4,1289,1.063,1294,0.534,1315,1.908,1334,0.461,1335,2.167,1336,2.031,1343,2.287,1361,0.821,1363,1.698,1373,1.237,1377,1.219,1378,2.708,1380,1.698,1384,1.908,1385,1.597,1392,1.043,1405,1.798,1406,0.868,1408,1.282,1416,2.728,1423,0.664,1433,1.926,1435,2.03,1445,1.39,1447,1.606,1448,2.324,1474,1.118,1503,0.206,1504,1.62,1509,2.324,1513,0.913,1516,2.728,1520,2.324,1523,0.766,1525,0.936,1526,1.606,1527,1.798,1539,1.173,1540,1.651,1541,1.698,1547,1.606,1550,1.884,1557,0.627,1564,1.031,1577,0.988,1606,1.112,1621,0.664,1624,2.285,1625,1.444,1634,1.112,1638,1.047,1639,1.518,1680,1.118,1683,0.913,1685,1.954,1692,1.908,1694,0.893,1710,1.444,1713,2.057,1769,2.892,1770,2.88,1782,1.698,1786,0.936,1787,1.173,1789,2.324,1792,0.988,1793,1.302,1856,1.118,1861,2.681,1865,2.508,1883,2.195,1889,2.892,1892,2.195,1897,1.908,1914,2.167,1915,1.237,1921,1.176,1930,3.485,1949,0.9,1950,1.
857,1951,1.647,1954,2.167,1957,0.961,1959,2.324,1962,1.926,1965,3.254,1974,0.492,2006,0.741,2008,0.614,2009,1.302,2017,1.463,2019,2.699,2028,0.948,2031,1.606,2046,2.03,2057,1.063,2060,2.399,2061,1.522,2062,3.048,2073,2.864,2081,0.988,2092,2.167,2095,1.513,2099,2.54,2104,1.622,2110,0.9,2112,1.522,2115,0.988,2126,1.926,2128,2.508,2200,1.606,2203,1.118,2209,1.606,2213,2.44,2215,1.444,2223,2.064,2224,2.031,2225,1.908,2233,1.698,2244,1.698,2250,3.346,2332,1.319,2357,1.522,2399,2.399,2413,1.522,2422,2.508,2439,2.324,2444,0.592,2452,1.606,2467,0.913,2472,4.096,2476,1.375,2477,1.237,2479,2.324,2541,3.252,2566,2.508,2575,2.057,2576,1.954,2577,1.828,2580,2.55,2583,1.302,2585,2.864,2593,2.728,2679,2.03,2686,1.063,2689,1.698,2694,1.58,2828,2.167,2830,2.167,2867,1.698,2902,1.737,2958,2.508,2962,1.522,2976,2.72,2982,2.55,2985,2.143,3038,2.728,3085,1.569,3122,1.249,3135,2.03,3141,1.492,3145,2.708,3149,1.444,3153,2.508,3210,2.508,3218,1.176,3232,2.324,3275,1.698,3291,1.606,3297,1.736,3314,2.54,3336,1.237,3400,2.324,3462,2.03,3464,1.659,3536,1.908,3537,1.812,3538,1.302,3539,2.412,3540,1.37,3543,2.412,3549,2.03,3564,3.101,3571,1.37,3603,1.237,3606,1.65,3609,2.324,3611,2.728,3613,1.908,3617,2.167,3682,3.254,3685,2.728,3697,3.004,3704,2.167,3775,2.892,3797,3.004,3824,3.64,3825,2.324,3828,1.62,3861,1.118,3867,1.798,3898,1.908,3905,1.798,4025,1.908,4028,1.908,4033,1.798,4104,2.545,4105,1.604,4171,2.143,4285,4.19,4299,3.346,4300,3.004,4302,3.373,4362,2.508,4385,2.728,4422,3.004,4430,1.798,4436,1.606,4437,1.798,4514,1.798,4524,2.412,4577,2.728,4691,3.048,4703,3.004,4738,2.143,4792,2.03,4794,3.056,4799,1.063,4800,3.004,4860,1.237,4868,2.86,4930,3.765,4942,2.708,4999,3.765,5064,3.118,5065,5.63,5089,2.508,5093,4.008,5098,4.37,5100,2.86,5129,3.004,5168,2.508,5355,2.728,5356,1.606,5450,4.008,5513,2.399,5515,3.254,5516,3.004,5530,3.373,5531,4.465,5533,3.004,5538,2.167,5540,3.004,5547,4.008,5549,2.03,5550,2.728,5552,2.167,5565,3.373,5638,3.373,5719,3.004,5748,2.508,5772,2.508,5778,4.008,5792,2.72
8,5797,3.597,5801,1.908,5963,4.185,6079,4.008,6094,4.501,6163,2.728,6184,2.03,6235,1.908,6271,3.004,6350,2.399,6572,3.004,6577,2.167,6724,2.508,6731,2.324,6775,3.373,6905,2.728,6906,3.004,7010,3.004,7149,3.373,7398,3.004,7399,5.912,7400,4.501,7401,5.63,7404,3.373,7408,3.346,7475,2.728,7565,3.373,7625,3.346,7646,2.728,7654,2.508,7655,1.798,7675,3.373,7676,2.728,7679,3.252,7706,3.004,7707,3.004,7745,3.373,7753,2.545,7790,2.728,7795,2.728,7801,2.892,7805,1.908,7837,2.728,7912,3.004,7920,4.008,7941,2.728,7943,3.373,7954,3.004,7967,3.373,7981,1.522,7989,4.501,8023,4.008,8031,3.64,8032,3.64,8047,3.373,8069,3.004,8107,3.373,8153,3.373,8245,3.373,8270,3.373,8285,3.373,8346,3.373,8349,4.501,8350,5.065,8391,3.934,8392,5.249,8393,3.934,8394,3.934,8395,3.934,8396,3.934,8397,3.934,8398,3.934,8399,3.934,8400,3.373,8401,3.934,8402,3.373,8403,3.934,8404,3.934,8405,3.934,8406,3.934,8407,3.934,8408,3.934,8409,3.934,8410,3.934,8411,6.895,8412,3.934,8413,3.934,8414,3.934,8415,5.249,8416,3.934,8417,3.934,8418,5.249,8419,3.934,8420,3.934,8421,3.934,8422,3.934,8423,5.249,8424,3.934,8425,3.934,8426,3.934,8427,3.934,8428,3.934,8429,5.907,8430,3.934,8431,5.907,8432,5.065,8433,5.065,8434,3.373,8435,3.934,8436,3.934,8437,3.934,8438,3.934,8439,5.249,8440,3.934,8441,3.934,8442,3.934,8443,3.934,8444,5.249,8445,5.249,8446,5.249,8447,3.934,8448,3.934,8449,3.934,8450,3.934,8451,3.934,8452,3.934,8453,3.934,8454,3.934,8455,3.934,8456,3.934,8457,3.934,8458,3.934,8459,3.934,8460,3.934,8461,3.934]],["title/index.html",[2,4.213,3,5.509,4,4.176,5,2.763,89,0.257,299,3.089,872,2.418,1852,9.301]],["breadcrumb/index.html",[]],["description/index.html",[0,0.304,3,2.196,4,2.352,27,1.326,48,0.244,83,0.448,86,0.345,87,3.471,88,0.137,89,0.145,129,1.289,130,1.289,131,1.289,299,1.74,415,0.345,416,0.448,872,1.362,1546,11.751,1685,6.099,1852,5.24,8462,18.435]],["body/index.html",[0,0.094,2,1.001,3,0.834,4,0.846,5,0.483,12,3.382,13,0.67,20,1.463,27,0.504,28,0.436,29,0.163,31,0.421,32,0.139,33,0.249,37,0.626,40,0.239,43,
0.137,44,0.145,48,0.076,51,0.258,66,0.309,67,0.266,83,0.161,85,0.239,86,0.124,87,1.249,88,0.054,89,0.045,90,0.579,102,0.069,103,0.239,104,0.275,106,0.913,110,0.4,111,0.626,115,0.421,126,0.088,129,0.464,130,0.464,131,0.49,133,0.109,134,0.725,137,0.67,148,0.173,150,0.626,161,0.239,180,0.67,184,0.776,188,0.763,212,0.239,218,0.421,223,0.763,227,0.161,244,0.556,252,0.533,253,0.861,265,0.626,288,0.184,299,0.541,305,0.541,311,0.423,339,0.239,340,0.421,341,0.309,344,0.205,346,0.107,351,0.14,360,1.137,380,2.776,414,0.199,415,0.124,416,0.161,417,0.199,427,1.137,434,1.627,487,0.345,511,0.388,512,0.088,527,0.107,547,0.861,564,0.393,569,3.97,629,0.763,630,0.861,671,2.215,675,2.566,686,0.421,690,1.329,745,1.263,758,1.471,759,2.776,807,0.5,845,0.337,850,0.239,863,0.861,868,2.471,872,0.518,885,1.021,889,1.021,894,1.329,917,0.421,918,0.811,983,1.329,1000,2.338,1002,0.345,1004,1.021,1010,1.894,1015,3.654,1123,0.428,1213,0.5,1253,1.627,1279,1.078,1444,1.894,1503,0.163,1525,1.183,1546,4.228,1634,1.078,1685,2.195,1696,1.078,1852,1.627,1949,0.763,2008,0.776,2009,1.894,2012,2.215,2020,1.894,2030,1.994,2046,2.954,2052,2.776,2104,1.263,2319,3.649,2463,2.954,2627,3.97,2686,1.119,2694,1.263,2902,1.894,3122,1.021,3130,2.954,3288,1.894,3401,1.705,3500,2.101,3539,2.338,3542,3.97,3826,2.776,3948,2.776,4005,2.101,4724,2.954,4860,1.8,5787,2.338,5789,3.382,5827,2.776,5975,4.6,6570,3.382,7501,4.371,7753,2.776,8182,4.909,8274,4.909,8463,6.005,8464,5.725,8465,5.725,8466,5.725,8467,5.725,8468,5.725,8469,5.725,8470,5.725]],["title/oci/data.html",[2,4.44,3,4.108,4,6.123,5,2.912,28,2.265,29,0.982,131,2.411]],["breadcrumb/oci/data.html",[6,0.198,28,1.077,29,0.467,131,1.147]],["description/oci/data.html",[2,2.247,28,1.589,29,0.497,31,1.283,40,0.728,44,0.361,45,1.283,52,2.285,131,1.692,275,3.224,685,3.655,805,7.978,1165,2.474,1345,11.128,1405,7.978,2103,6.753,2686,4.083,5787,7.128,8471,17.457]],["body/oci/data.html",[0,0.117,2,1.011,3,0.826,4,0.758,7,0.799,9,0.267,10,1.77,11,0.155,14,0.482,16,0.557,19,0.723,2
6,0.24,27,0.494,28,0.507,29,0.169,30,0.563,31,0.545,32,0.171,33,0.264,35,0.305,37,0.807,38,1.855,40,0.311,41,0.168,43,0.161,44,0.15,45,0.455,47,0.105,48,0.057,51,0.33,52,0.703,53,0.19,54,0.427,55,0.808,56,0.327,57,2.81,58,0.767,59,1.766,60,0.296,61,0.694,62,0.718,65,0.528,66,0.353,67,0.256,68,0.374,69,0.561,70,1.892,71,2.39,76,0.544,77,0.481,78,1.29,79,0.348,80,0.422,81,0.698,82,0.542,83,0.177,84,0.533,85,0.318,86,0.111,87,0.563,88,0.046,89,0.049,90,0.445,91,0.659,92,0.691,93,0.768,94,0.304,96,0.694,97,0.504,98,0.374,99,0.424,101,0.694,102,0.083,103,0.125,104,0.285,105,1.776,106,0.691,107,0.445,108,2.92,110,0.503,111,0.649,112,1.053,113,0.507,115,0.275,116,0.155,117,0.375,119,0.691,121,0.374,123,0.437,124,0.504,126,0.057,127,0.638,128,0.477,129,0.48,130,0.474,131,0.544,133,0.108,134,0.474,135,0.45,137,0.597,138,1.006,139,0.659,140,0.304,141,0.659,142,1.296,143,0.614,144,0.808,145,0.561,146,0.282,148,0.18,149,0.542,150,0.327,151,0.533,152,0.86,153,0.327,154,0.29,156,0.18,158,1.366,159,1.08,160,0.248,161,0.283,162,0.265,165,0.445,169,0.894,170,1.438,173,0.207,176,0.24,178,0.441,180,0.35,181,1.367,182,0.414,183,0.569,184,0.597,187,0.398,189,0.327,191,0.793,192,0.316,193,0.35,194,0.412,195,1.871,197,2.529,198,0.308,207,0.441,209,0.449,211,0.626,212,0.125,213,1.367,214,0.24,216,0.679,217,1.45,218,0.533,219,0.542,221,0.375,222,0.436,223,0.872,226,1.29,227,0.105,230,1.549,232,1.013,233,0.45,234,0.563,239,0.611,241,0.591,242,1.172,244,0.576,245,0.766,247,0.626,249,0.437,250,1.379,251,0.731,252,0.535,254,0.618,256,1.059,258,0.477,260,2.202,261,1.23,262,0.2,263,0.318,264,0.374,265,0.557,270,0.604,271,0.234,273,0.469,274,0.155,275,1.011,276,0.409,277,0.514,278,0.531,279,0.296,281,0.411,282,0.569,287,0.477,290,0.989,294,0.652,298,0.91,299,0.561,300,0.378,303,0.213,304,0.374,305,0.697,308,0.327,311,0.422,312,0.851,313,0.86,314,1.604,316,0.519,317,0.504,323,0.378,324,1.156,326,0.659,327,0.424,328,0.374,329,0.374,330,0.374,332,0.944,333,0.626,335,0.594,336,1.766,339,0.292,340,0.49
8,341,0.4,342,0.953,343,0.984,344,0.229,346,0.116,348,1.647,350,0.872,351,0.137,352,1.234,353,0.222,354,2.179,363,0.528,365,0.725,370,0.94,384,0.504,385,1.059,394,0.424,395,0.424,397,1.028,400,0.691,410,0.2,411,0.569,412,0.569,413,0.604,414,0.168,415,0.105,416,0.136,417,0.168,418,0.313,419,0.233,420,0.233,424,0.691,425,0.695,426,0.398,427,1.23,428,2.073,429,2.073,430,0.519,434,1.232,441,0.723,442,0.679,443,0.85,444,0.715,446,0.284,451,0.679,454,2.207,473,0.445,475,1.714,484,0.563,485,0.638,487,0.308,488,0.679,496,0.35,498,0.341,501,0.793,504,0.578,506,0.768,507,0.594,508,3.173,511,0.346,513,0.482,514,0.563,516,0.594,517,1.156,521,0.304,522,0.282,523,0.603,524,0.504,525,2.073,527,0.136,528,0.96,531,0.519,532,1.006,539,0.569,540,0.956,543,0.691,544,0.908,550,0.386,551,0.181,556,1.677,558,0.894,560,0.813,564,0.381,572,0.374,580,0.324,582,1.53,583,1.097,587,0.989,611,2.282,619,1.542,620,2.073,621,2.073,627,1.366,628,0.464,630,0.45,631,0.956,633,1.77,634,0.445,635,1.905,647,0.504,653,0.903,656,0.234,657,0.525,659,0.477,663,2.073,666,0.85,670,0.86,673,1.118,675,2.472,680,3.808,681,1.29,682,0.793,685,1.604,687,0.753,688,0.626,690,0.694,693,0.409,694,1.965,696,1.232,702,0.729,703,0.768,706,1.542,708,0.86,717,0.54,725,0.841,726,1.156,733,1.156,734,2.073,738,0.694,745,0.659,746,1.166,747,1.125,755,2.708,758,0.768,759,1.45,762,1.766,765,0.477,768,1.438,769,0.477,771,0.861,775,0.947,777,4.373,782,1.773,784,1.727,790,0.659,792,2.181,799,1.296,802,0.768,803,1.29,805,3.286,807,0.445,808,1.838,813,1.871,814,3.013,816,1.013,826,3.377,845,0.152,849,0.85,850,0.311,862,4.073,863,1.069,871,1.29,872,0.458,873,0.181,877,0.947,878,1.766,895,0.504,897,0.528,899,0.813,900,1.097,912,0.659,913,0.989,914,1.434,918,0.424,919,0.35,926,2.102,985,1.512,989,0.743,990,0.908,992,0.073,1000,1.77,1004,1.059,1006,0.318,1007,0.989,1009,0.894,1011,0.768,1018,0.374,1020,0.638,1033,1.363,1039,1.041,1049,1.311,1054,0.878,1056,1.299,1080,1.17,1092,1.297,1111,1.363,1123,0.4,1130,0.989,1141,1.483,1147,1.234,1156
,0.894,1158,2.102,1165,0.793,1166,1.299,1167,0.22,1168,1.105,1170,1.409,1177,0.45,1186,0.715,1188,2.282,1203,0.85,1213,0.261,1233,1.604,1251,0.989,1252,0.73,1253,1.232,1258,1.156,1259,1.677,1261,0.894,1269,0.604,1275,1.006,1276,1.672,1286,0.894,1288,0.304,1333,0.947,1334,0.655,1343,1.51,1345,4.627,1348,0.35,1350,0.731,1360,1.041,1361,0.542,1363,1.29,1373,0.94,1375,0.694,1380,1.29,1385,0.808,1386,1.525,1389,1.29,1408,1.059,1423,0.504,1437,0.956,1463,2.201,1464,3.31,1473,1.172,1518,0.85,1523,0.304,1525,0.998,1530,0.894,1539,1.18,1550,1.994,1553,2.388,1555,1.296,1557,1.14,1560,1.948,1564,0.424,1571,1.542,1572,1.867,1603,1.29,1615,2.473,1616,1.234,1622,1.77,1626,1.363,1628,1.366,1632,2.532,1634,0.563,1639,1.526,1667,0.767,1669,1.526,1677,0.544,1680,0.85,1688,2.282,1690,0.894,1699,1.672,1700,0.956,1711,1.29,1774,2.282,1786,0.91,1787,1.269,1792,0.563,1794,0.533,1856,1.232,1859,1.366,1866,0.743,1871,1.542,1874,1.647,1876,0.85,1885,1.172,1892,1.041,1897,1.45,1932,1.45,1933,0.94,1938,2.083,1956,0.773,1957,0.73,1964,2.237,1967,0.626,2000,2.88,2006,1.292,2008,0.597,2028,0.841,2047,2.249,2069,2.073,2078,1.775,2099,1.156,2103,2.396,2104,0.659,2108,0.989,2109,0.73,2122,2.472,2127,2.225,2130,2.331,2133,1.77,2141,2.458,2163,1.956,2203,0.85,2208,1.766,2212,0.94,2225,1.45,2229,2.102,2233,1.29,2255,1.156,2307,1.905,2309,1.905,2321,1.647,2328,0.989,2337,1.221,2338,1.221,2339,1.542,2416,1.45,2418,0.894,2422,1.905,2432,1.041,2442,2.297,2455,2.556,2467,1.184,2539,1.948,2629,3.317,2633,0.94,2656,1.171,2686,1.303,2687,0.989,2744,2.763,2779,2.414,2830,1.647,2867,1.29,2875,0.94,2883,1.29,2962,1.973,2983,1.542,3107,1.956,3118,2.425,3123,2.81,3124,1.647,3128,1.647,3129,1.905,3130,1.542,3220,2.561,3221,0.85,3238,2.073,3243,1.29,3279,2.414,3288,0.989,3297,1.948,3304,1.041,3311,1.542,3401,1.114,3404,1.647,3464,0.659,3500,1.097,3502,1.981,3507,1.766,3537,1.367,3538,1.851,3540,1.948,3543,1.77,3544,2.049,3555,1.605,3571,1.041,3587,1.766,3603,1.604,3606,1.513,3674,3.509,3704,1.647,3769,2.073,3770,2.28
2,3846,4.43,3848,1.981,3849,0.861,3856,4.36,3859,0.894,3861,0.85,3862,0.94,3867,1.981,3869,2.282,3880,2.282,3884,2.282,3903,2.388,3917,3.013,3971,0.956,3972,0.989,4004,1.068,4018,1.766,4024,2.282,4025,1.45,4029,3.879,4031,3.775,4032,1.647,4033,1.366,4038,2.763,4113,2.282,4170,2.282,4265,2.164,4434,0.989,4442,2.414,4524,1.221,4525,2.282,4691,1.542,4701,1.542,4737,1.542,4762,3.879,4786,2.237,4799,1.512,4860,1.363,4868,1.221,4999,3.566,5098,2.073,5130,1.871,5162,1.647,5166,1.905,5332,2.886,5356,1.221,5362,4.422,5364,3.894,5402,1.766,5508,4.373,5513,2.991,5515,1.647,5552,1.647,5587,1.677,5787,2.529,5791,1.766,5797,3.328,5816,3.31,5826,1.766,5883,1.29,5933,3.305,6002,2.073,6006,2.563,6040,2.073,6184,1.542,6345,1.871,6597,2.714,6646,4.373,6730,2.073,6801,1.45,6905,2.073,7433,2.563,7617,2.282,7655,2.556,7729,2.563,7751,3.717,7754,4.535,7759,5.719,7771,2.563,7861,1.905,7880,2.321,7921,2.282,7932,2.563,7933,3.31,7981,2.164,7988,3.894,8024,2.563,8119,2.563,8240,2.282,8327,2.073,8336,2.563,8380,2.563,8472,3.305,8473,1.905,8474,2.989,8475,1.905,8476,2.563,8477,2.989,8478,6.166,8479,2.989,8480,3.717,8481,2.989,8482,5.1,8483,4.335,8484,5.173,8485,2.282,8486,2.237,8487,3.064,8488,3.064,8489,2.237,8490,1.542,8491,1.542,8492,4.335,8493,6.389,8494,5.939,8495,6.004,8496,5.1,8497,4.797,8498,4.335,8499,2.563,8500,2.989,8501,2.989,8502,3.566,8503,4.373,8504,2.989,8505,2.563,8506,2.989,8507,2.989,8508,2.282,8509,2.989,8510,4.335,8511,3.541,8512,1.905,8513,2.073,8514,5.24,8515,2.989,8516,2.989,8517,2.989,8518,2.073,8519,2.989,8520,2.989,8521,3.064,8522,3.377,8523,2.886,8524,2.886,8525,2.886,8526,2.886,8527,2.886,8528,2.886,8529,2.886,8530,3.377,8531,2.886,8532,2.886,8533,2.886,8534,1.542,8535,1.542,8536,1.542,8537,2.886,8538,1.905,8539,4.335,8540,2.989,8541,2.989,8542,2.989,8543,2.989,8544,2.989,8545,2.989,8546,4.335,8547,2.989,8548,2.282,8549,2.989,8550,2.989,8551,5.594,8552,4.335,8553,5.1,8554,2.631,8555,2.989,8556,2.631,8557,2.989,8558,4.335,8559,2.989,8560,2.989,8561,2.989,8562,2.989,8
563,2.989,8564,2.989,8565,3.717,8566,5.1,8567,2.563,8568,2.989,8569,2.989,8570,5.1,8571,2.989,8572,5.594,8573,2.989,8574,4.729,8575,4.335,8576,4.335,8577,2.989,8578,2.989,8579,2.989,8580,2.989,8581,2.989,8582,2.989,8583,4.271,8584,2.989,8585,4.271,8586,5.594,8587,4.271,8588,4.535,8589,2.989,8590,2.989,8591,2.563,8592,2.989,8593,2.989,8594,2.989,8595,5.1,8596,2.886,8597,2.989,8598,2.989,8599,2.989,8600,2.989,8601,3.717,8602,3.31,8603,1.766,8604,4.373,8605,2.989,8606,2.563,8607,2.989,8608,2.989,8609,2.989,8610,2.989,8611,4.373,8612,4.335,8613,2.989,8614,3.717,8615,2.989,8616,3.31,8617,2.989,8618,2.989,8619,2.989,8620,4.335,8621,2.563,8622,2.989,8623,2.989,8624,2.989,8625,2.989,8626,2.989,8627,2.563,8628,3.31,8629,4.335,8630,2.989,8631,4.335,8632,2.563,8633,2.563,8634,2.563,8635,2.563,8636,2.563,8637,2.563,8638,1.905,8639,2.563,8640,2.989,8641,4.335,8642,4.335,8643,2.989,8644,1.647,8645,2.989,8646,3.717,8647,3.717,8648,5.311,8649,4.335,8650,2.563,8651,2.563,8652,2.563,8653,2.989,8654,2.563,8655,3.717,8656,2.989,8657,2.989,8658,2.989,8659,2.989,8660,2.989,8661,2.989,8662,2.563,8663,2.563,8664,2.563,8665,2.563,8666,2.563,8667,2.563,8668,2.989,8669,2.282,8670,2.989,8671,2.989,8672,2.989]],["title/oci/genai.html",[2,4.44,3,4.108,4,6.123,5,2.912,110,2.411,131,2.411,1014,12.653]],["breadcrumb/oci/genai.html",[6,0.224,131,1.296,983,4.302]],["description/oci/genai.html",[4,2.189,38,4.636,44,0.355,110,1.2,131,1.2,148,0.423,227,0.417,244,1.362,365,2.008,527,0.321,564,0.964,779,2.735,850,0.716,872,1.268,984,7.839,1014,10.096,1111,3.408,1179,10.135,2028,3.596,2686,2.894,3036,5.394,7880,5.394]],["body/oci/genai.html",[0,0.114,2,1.011,3,0.514,4,0.55,7,0.539,9,0.295,11,0.172,13,0.347,14,0.407,16,0.471,19,0.421,25,1.034,27,0.493,28,0.455,29,0.085,31,0.518,32,0.17,33,0.249,34,0.123,35,0.318,40,0.124,41,0.123,43,0.061,44,0.154,45,0.317,47,0.072,48,0.039,51,0.343,52,0.654,53,0.189,54,0.198,58,0.446,60,0.295,62,0.302,66,0.353,67,0.241,68,0.539,69,0.28,76,0.496,77,0.468,80,0.433,81,0.675,8
2,0.817,83,0.184,84,0.529,85,0.319,86,0.126,88,0.046,89,0.047,90,0.635,99,0.421,100,0.471,102,0.077,103,0.124,104,0.143,106,0.473,107,0.259,110,0.541,111,0.324,115,0.422,116,0.154,117,0.373,118,0.238,121,0.425,123,0.437,129,0.479,130,0.479,131,0.545,132,0.763,133,0.108,137,0.347,140,0.302,141,0.655,145,0.28,146,0.28,148,0.187,150,0.324,154,0.288,156,0.336,159,0.72,160,0.233,161,0.266,162,0.265,168,0.763,170,0.763,171,1.427,173,0.206,178,0.302,180,0.595,181,0.725,182,0.396,183,0.517,189,0.555,191,0.79,192,0.317,193,0.505,194,0.415,195,3.064,196,3.294,199,0.923,200,1.227,201,2.155,203,1.588,207,0.439,209,0.307,212,0.18,214,0.448,216,0.395,218,0.537,220,1.115,221,0.41,222,0.435,227,0.135,230,1.624,232,1.266,236,2.706,239,0.675,241,0.633,242,0.802,244,0.609,245,0.779,248,1.892,249,0.396,250,1.48,251,1.042,252,0.524,254,0.602,256,1.056,258,0.473,260,1.597,261,1.227,262,0.339,263,0.317,264,0.357,270,0.302,271,0.233,273,0.489,274,0.234,275,0.923,276,0.55,277,0.435,278,0.435,279,0.283,280,0.218,281,0.454,282,0.603,288,0.163,289,1.861,290,1.427,292,0.259,293,0.772,294,0.839,298,0.994,300,0.647,303,0.234,304,0.413,305,0.71,306,2.192,308,0.609,311,0.307,313,0.728,315,0.844,316,0.603,317,0.728,322,0.689,323,0.61,324,2.291,326,0.655,327,0.421,329,0.385,330,0.385,332,0.501,335,0.857,336,1.754,339,0.303,340,0.509,341,0.407,342,0.983,343,1.042,344,0.221,346,0.135,350,0.923,351,0.141,352,1.363,353,0.223,354,1.089,363,0.602,365,0.845,368,1.305,369,1.427,370,2.054,374,0.421,384,1.102,394,0.421,395,0.421,397,0.421,400,0.81,410,0.212,411,0.603,412,0.603,413,0.603,414,0.178,415,0.111,416,0.144,417,0.178,418,0.323,419,0.247,420,0.247,424,0.985,425,0.347,426,0.575,427,0.59,430,0.603,432,1.373,433,0.79,438,0.763,441,0.79,442,0.677,446,0.318,451,0.682,454,2.238,459,0.395,468,0.529,473,0.376,475,1.761,477,2.266,479,2.058,480,1.67,483,1.531,485,0.539,487,0.357,488,0.823,496,0.505,498,0.413,500,0.621,501,0.421,509,1.427,511,0.459,512,0.074,513,0.559,514,0.559,516,0.59,521,0.567,522,0.48,523,0.5
26,524,0.728,527,0.143,528,1.115,531,0.567,538,0.933,539,0.517,541,1.635,543,0.889,547,0.649,550,0.307,551,0.124,554,0.933,556,1.148,557,1.582,560,0.944,563,0.844,564,0.407,565,1.167,572,0.339,580,0.353,582,1.642,589,1.754,628,0.339,630,0.446,631,0.951,634,0.443,637,0.649,640,0.395,647,0.501,651,0.933,653,0.932,656,0.274,657,0.408,659,0.473,661,0.635,662,0.802,670,0.501,678,2.991,679,2.058,682,0.79,686,0.317,687,0.75,693,0.346,697,2.091,699,1.054,702,0.714,706,1.531,708,0.501,713,1.373,716,2.044,717,0.581,725,0.903,738,1.001,744,1.064,745,0.951,746,1.05,747,1.23,755,2.783,758,0.763,760,0.763,768,1.305,769,0.688,774,2.091,775,1.041,776,1.433,779,1.161,783,0.559,787,1.754,790,1.12,799,0.887,807,0.598,808,1.108,812,4.107,845,0.314,850,0.286,853,2.266,856,0.529,863,0.764,871,1.281,872,0.438,873,0.18,877,0.688,885,0.529,888,0.844,890,0.933,891,1.444,897,0.559,899,0.81,900,1.089,903,0.446,906,0.302,909,1.222,917,0.373,919,0.347,925,1.754,927,1.148,928,0.649,932,1.034,933,1.769,934,3.404,954,0.746,982,1.439,983,1.795,984,3.245,985,1.828,986,3.064,987,1.054,991,4.182,992,0.174,999,1.892,1000,2.074,1001,0.677,1002,0.26,1003,3.188,1004,0.769,1005,1.281,1006,0.41,1008,2.058,1010,0.982,1011,0.763,1012,1.531,1013,1.439,1014,2.854,1015,1.635,1016,1.892,1017,1.861,1018,0.179,1020,0.539,1021,1.281,1034,0.933,1042,3.554,1043,2.749,1044,2.225,1045,2.749,1046,1.305,1047,2.058,1049,1.108,1050,1.668,1052,1.597,1054,0.421,1056,1.001,1092,1.24,1102,2.872,1103,1.306,1104,3.056,1105,3.499,1106,3.499,1107,1.522,1108,1.756,1109,3.499,1110,2.836,1111,1.508,1112,1.034,1113,2.225,1114,2.225,1115,2.058,1116,1.306,1117,3.499,1118,3.775,1119,1.176,1123,0.445,1141,1.179,1147,1.363,1150,2.058,1152,1.531,1155,1.281,1156,0.887,1159,1.034,1160,2.225,1165,0.903,1167,0.218,1168,0.906,1170,1.406,1172,1.892,1173,0.689,1174,2.556,1175,2.157,1176,1.754,1177,0.839,1179,4.048,1180,3.65,1181,0.689,1183,2.749,1186,0.764,1192,2.798,1193,1.754,1194,1.089,1199,3.879,1203,1.226,1218,2.545,1228,1.444,1229,1.754,1242,0
.621,1252,0.725,1253,1.226,1258,2.527,1269,0.517,1271,0.529,1287,1.281,1288,0.302,1289,0.802,1294,0.302,1334,0.653,1350,0.501,1360,1.502,1361,0.371,1364,3.293,1365,2.058,1366,3.293,1369,2.749,1375,1.546,1376,1.892,1379,2.749,1380,1.281,1381,2.058,1382,3.698,1384,1.439,1386,1.518,1388,1.892,1404,2.058,1405,1.356,1423,0.501,1433,1.582,1435,2.225,1436,2.463,1438,2.376,1440,3.775,1441,1.971,1478,0.802,1494,1.439,1495,1.356,1496,1.356,1499,1.439,1503,0.193,1525,1.102,1533,3.238,1535,1.439,1539,1.009,1548,2.203,1557,1.169,1572,0.933,1603,1.281,1615,2.872,1616,1.306,1621,0.728,1622,1.212,1632,2.68,1638,0.473,1639,1.638,1667,0.649,1676,0.887,1677,0.574,1680,0.844,1683,0.689,1684,1.212,1699,1.847,1717,1.281,1776,3.262,1777,1.761,1786,0.529,1794,0.529,1832,1.518,1854,0.887,1856,0.844,1866,0.797,1869,1.281,1885,1.373,1915,0.933,1933,1.862,1938,1.212,1939,2.266,1962,1.582,1967,0.621,1974,0.371,2000,1.439,2017,1.001,2020,0.982,2028,1.06,2047,2.312,2078,1.906,2079,2.548,2083,1.226,2102,1.212,2108,1.427,2109,0.725,2110,0.395,2111,1.034,2112,1.668,2127,1.502,2130,1.971,2133,1.212,2141,2.413,2163,1.847,2220,1.089,2243,1.635,2309,1.892,2328,0.982,2332,0.559,2337,2.074,2338,1.761,2339,2.225,2433,1.861,2434,1.753,2442,2.466,2473,1.635,2476,0.903,2571,2.548,2578,1.635,2590,0.802,2620,2.266,2656,1.335,2676,2.266,2691,2.798,2692,1.439,2730,1.089,2731,1.635,2732,1.635,2733,1.635,2745,1.635,2779,2.667,2822,1.861,2859,1.531,2862,1.861,2864,1.531,2865,2.266,2902,0.982,2962,1.148,3011,3.938,3036,0.933,3069,2.058,3085,0.887,3107,2.022,3116,2.548,3118,2.603,3149,1.089,3215,1.531,3279,2.667,3288,0.982,3297,1.588,3393,2.376,3394,1.531,3399,1.281,3400,1.754,3404,2.376,3409,1.531,3540,2.152,3544,2.044,3555,0.802,3567,0.933,3587,1.754,3603,0.933,3606,0.725,3618,1.754,3828,0.763,3849,1.376,3854,1.212,3882,4.529,3884,2.266,3902,1.212,3917,2.548,3960,1.356,3971,0.951,3972,0.982,4004,1.335,4014,2.266,4022,1.892,4025,2.872,4027,2.058,4043,1.754,4118,3.293,4169,1.761,4205,2.548,4265,2.466,4281,1.089,4298,2
.545,4363,2.749,4442,2.667,4451,2.621,4701,1.531,4728,1.502,4730,1.635,4734,1.531,4790,1.635,4799,1.67,5182,1.356,5198,1.754,5483,2.545,5549,1.531,5552,1.635,5574,2.277,5755,2.545,6235,1.439,6291,2.266,6345,1.861,6519,1.892,6597,2.913,6652,4.987,6801,1.439,6907,3.293,6945,2.991,7009,2.991,7020,3.001,7346,2.058,7655,2.706,7750,2.545,7753,1.439,7880,2.419,7956,2.545,7981,2.291,8062,2.266,8484,2.266,8486,2.225,8487,3.289,8488,3.289,8489,2.225,8490,1.531,8491,1.531,8508,2.266,8511,3.608,8512,2.749,8513,2.058,8518,3.522,8521,3.188,8522,3.783,8523,3.188,8524,3.188,8525,3.188,8526,3.188,8527,3.188,8528,3.188,8529,3.188,8530,3.49,8531,3.188,8532,3.056,8533,3.056,8534,1.531,8535,1.531,8536,1.531,8537,2.225,8548,2.266,8554,3.056,8556,3.056,8596,3.056,8602,2.266,8603,3.294,8644,1.635,8673,2.968,8674,4.313,8675,4.313,8676,4.313,8677,2.968,8678,2.968,8679,2.968,8680,2.968,8681,4.313,8682,4.313,8683,2.968,8684,5.08,8685,2.968,8686,2.968,8687,2.968,8688,2.968,8689,2.968,8690,2.968,8691,4.313,8692,2.968,8693,5.08,8694,2.968,8695,2.968,8696,4.313,8697,4.313,8698,5.576,8699,3.866,8700,4.313,8701,2.968,8702,2.968,8703,2.968,8704,2.968,8705,2.968,8706,2.968,8707,2.968,8708,2.968,8709,3.698,8710,2.968,8711,6.852,8712,2.968,8713,2.968,8714,2.968,8715,2.545,8716,5.576,8717,2.968,8718,2.968,8719,2.968,8720,2.968,8721,2.968,8722,2.968,8723,2.968,8724,2.968,8725,2.968,8726,2.968,8727,2.968,8728,4.313,8729,5.576,8730,4.313,8731,4.313,8732,4.313,8733,2.968,8734,4.313,8735,2.968,8736,2.968,8737,2.968,8738,3.293,8739,4.313,8740,2.968,8741,2.968,8742,2.968,8743,2.968,8744,2.968,8745,2.968,8746,2.545,8747,2.545,8748,2.968,8749,2.968,8750,5.08,8751,4.313,8752,2.968,8753,2.968,8754,2.968,8755,2.968,8756,2.968,8757,2.968,8758,4.313,8759,2.545,8760,2.266,8761,2.266,8762,2.266,8763,2.545,8764,2.968,8765,2.545,8766,2.545,8767,2.545,8768,2.968,8769,2.968,8770,4.356,8771,2.545,8772,4.313,8773,2.968,8774,2.545,8775,4.313,8776,5.08,8777,2.968,8778,2.968,8779,2.968,8780,2.968,8781,2.968,8782,2.968,8783,2.968
,8784,2.968,8785,2.968,8786,2.968,8787,2.968,8788,2.968,8789,2.968,8790,2.968,8791,4.313]],["title/oci/iam.html",[2,4.693,3,4.342,4,6.362,5,3.077,131,2.549,564,2.048]],["breadcrumb/oci/iam.html",[6,0.224,131,1.296,564,1.041]],["description/oci/iam.html",[4,2.397,43,0.388,44,0.388,45,1.38,131,1.314,192,0.784,214,1.508,223,2.503,227,0.456,253,2.826,271,1.014,274,0.672,564,1.055,897,2.402,1503,0.535,2008,2.199,3107,5.616,6345,8.108,7880,5.907]],["body/oci/iam.html",[0,0.116,1,1.557,2,1.011,3,0.809,4,0.557,6,0.053,7,0.641,9,0.314,11,0.17,14,0.285,16,0.614,20,0.666,23,0.902,27,0.518,28,0.337,31,0.505,32,0.125,33,0.256,34,0.167,35,0.245,41,0.169,43,0.156,44,0.151,45,0.505,47,0.136,48,0.074,51,0.319,52,0.605,53,0.188,54,0.376,56,0.33,58,0.964,60,0.306,61,1.014,62,0.652,65,0.484,66,0.361,67,0.263,68,0.546,69,0.285,70,0.816,73,1.464,76,0.499,77,0.222,79,0.451,80,0.415,81,0.614,82,0.641,83,0.179,84,0.538,85,0.318,86,0.111,87,0.568,88,0.044,89,0.049,90,0.263,94,0.522,97,0.509,98,0.546,100,0.561,101,1.014,102,0.075,103,0.126,104,0.21,106,0.696,107,0.542,109,1.233,110,0.459,111,0.477,114,0.546,115,0.191,116,0.108,118,0.242,121,0.387,122,0.666,123,0.464,124,0.737,125,0.816,126,0.068,127,0.546,128,0.991,129,0.498,130,0.498,131,0.545,132,1.122,133,0.098,134,0.477,136,0.949,140,0.444,145,0.412,146,0.285,148,0.185,150,0.652,151,0.915,152,0.509,153,0.33,154,0.398,156,0.309,160,0.249,161,0.295,162,0.266,165,0.52,168,0.776,170,1.444,172,0.632,173,0.306,176,0.451,178,0.522,181,0.737,182,0.398,183,0.444,187,0.749,189,0.33,191,0.881,192,0.319,193,0.353,194,0.413,195,1.884,196,2.579,198,0.415,199,0.683,205,1.051,209,0.182,211,0.632,212,0.283,214,0.527,216,0.582,218,0.536,219,0.377,220,0.822,221,0.511,222,0.457,223,0.683,224,1.924,227,0.136,230,1.552,233,0.657,238,1.233,239,0.7,241,0.559,244,0.596,245,0.658,246,0.776,249,0.343,250,1.443,251,0.509,252,0.479,253,1.134,254,0.587,258,0.818,259,1.051,261,1.184,262,0.343,263,0.377,264,0.387,265,0.33,270,0.691,271,0.322,272,1.373,273,0.482,274,0.26
5,275,0.874,276,0.621,277,0.499,278,0.505,279,0.269,281,0.438,282,0.572,285,1.168,288,0.18,292,0.49,293,0.641,294,0.657,299,0.656,300,0.666,303,0.229,304,0.398,305,0.705,308,0.561,311,0.339,312,0.749,314,1.613,316,0.444,318,0.914,320,1.663,323,0.381,329,0.375,330,0.375,335,0.6,339,0.299,340,0.457,341,0.404,342,0.972,343,1.006,344,0.249,346,0.123,350,0.905,351,0.14,352,1.315,353,0.219,363,0.412,368,0.776,370,2.063,373,0.858,374,0.727,376,0.666,384,1.16,394,0.619,395,0.619,397,0.796,400,0.818,410,0.201,411,0.572,412,0.572,413,0.572,414,0.168,415,0.111,416,0.145,417,0.179,418,0.314,419,0.234,420,0.234,424,0.696,425,0.353,426,0.402,430,0.607,433,0.908,434,1.458,440,0.949,441,0.947,442,0.683,446,0.209,451,0.699,453,0.949,454,2.321,459,0.402,463,1.557,466,1.995,472,1.168,473,0.381,475,1.803,479,2.093,480,0.816,481,1.168,482,0.701,485,0.86,487,0.36,488,0.749,490,0.481,496,0.727,497,1.303,498,0.343,500,1.177,504,0.749,510,1.233,511,0.404,512,0.04,513,0.686,514,0.568,518,0.902,522,0.285,523,0.587,527,0.116,528,1.058,529,0.737,531,0.307,532,0.701,533,2.579,539,0.307,540,0.666,541,1.663,542,0.949,544,0.914,546,1.305,547,0.454,550,0.36,551,0.126,552,0.858,557,1.602,561,1.303,562,1.386,564,0.432,566,0.484,568,0.999,572,0.415,580,0.356,582,1.596,583,1.882,584,3.333,585,3.027,586,2.725,588,1.663,591,1.924,596,1.067,628,0.428,629,0.874,633,1.783,634,0.49,637,0.771,639,2.783,647,0.737,650,1.168,653,0.935,655,0.915,656,0.322,657,0.242,658,1.924,659,0.481,661,0.546,664,1.464,666,1.458,670,0.865,671,1.168,673,0.822,675,1.168,682,0.845,684,1.613,686,0.413,687,0.752,693,0.412,696,0.858,698,1.233,699,0.737,702,0.717,705,1.783,709,2.062,715,1.884,716,1.697,717,0.49,725,0.796,726,1.689,736,0.949,738,1.191,739,2.899,744,1.074,745,0.666,746,1.058,755,2.711,756,0.35,758,0.776,760,1.122,761,1.379,762,1.783,767,1.689,769,0.818,771,0.6,773,1.168,775,0.95,776,1.444,780,0.902,783,1.058,784,1.732,791,0.867,798,1.783,799,0.902,803,1.884,807,0.381,814,1.783,816,1.414,845,0.261,850,0.182,852,1.168,853,
2.305,856,1.063,863,0.897,864,0.999,872,0.474,873,0.299,877,0.481,885,1.002,888,1.93,894,1.488,895,1.252,897,0.728,898,1.663,899,1.022,905,0.428,906,0.307,912,0.666,917,0.321,918,0.428,919,0.353,921,0.999,926,2.117,928,0.307,929,2.305,954,0.353,984,1.379,985,1.519,987,0.737,992,0.145,999,1.924,1000,1.233,1004,0.915,1006,0.377,1007,1.444,1010,0.999,1018,0.339,1034,0.949,1036,0.779,1038,2.093,1046,0.776,1049,1.122,1054,0.428,1056,1.014,1092,1.422,1107,1.318,1108,0.858,1111,0.6,1112,1.957,1123,0.267,1124,2.113,1125,1.303,1141,0.701,1145,1.168,1147,1.239,1165,0.428,1166,0.701,1167,0.222,1168,1.108,1170,1.644,1173,0.701,1186,0.717,1190,1.783,1194,1.108,1213,0.381,1233,0.949,1235,1.014,1238,0.796,1240,2.783,1244,2.093,1252,1.067,1253,1.241,1258,1.168,1261,0.902,1269,0.572,1271,0.538,1278,0.902,1279,0.568,1286,0.902,1288,0.572,1289,0.816,1294,0.444,1333,0.818,1334,0.658,1343,1.521,1348,0.727,1349,3.03,1350,0.737,1360,1.521,1361,0.377,1362,2.825,1373,2.135,1375,1.014,1377,0.701,1384,2.891,1392,0.6,1408,0.737,1437,1.131,1447,1.233,1503,0.219,1506,2.825,1507,1.783,1508,1.924,1509,2.579,1513,1.443,1519,2.093,1522,1.557,1523,0.572,1525,1.108,1526,1.783,1527,1.379,1528,1.984,1529,1.303,1530,0.902,1531,1.303,1532,2.588,1533,1.924,1534,2.305,1535,2.117,1538,1.108,1539,0.867,1540,0.949,1543,0.949,1544,0.902,1545,2.305,1546,1.924,1547,1.233,1549,2.766,1551,3.53,1552,1.984,1555,1.305,1556,1.786,1557,1.142,1560,1.521,1561,2.725,1564,1.047,1565,3.072,1566,1.523,1571,1.557,1573,2.538,1574,3.916,1577,0.568,1594,2.305,1597,2.093,1603,2.213,1612,1.689,1614,1.924,1615,2.117,1616,1.315,1618,1.884,1619,1.315,1620,2.588,1621,0.865,1626,1.373,1627,1.884,1632,2.587,1634,1.058,1635,2.434,1638,0.481,1639,1.532,1640,2.093,1645,1.663,1662,2.588,1665,0.858,1667,0.771,1669,1.318,1676,0.902,1677,0.586,1683,0.701,1684,1.783,1691,2.093,1692,1.464,1693,3.269,1694,1.034,1695,2.899,1696,0.568,1699,1.68,1700,0.666,1701,1.557,1703,3.027,1704,2.783,1705,2.588,1707,2.093,1708,4.134,1709,1.373,1710,1.882,1713,1.
957,1714,0.999,1748,2.305,1749,2.093,1769,1.663,1772,2.252,1777,1.233,1779,5.495,1781,3.306,1784,0.949,1785,1.379,1786,1.002,1791,1.233,1792,0.568,1793,0.999,1794,0.779,1795,1.303,1796,0.999,1801,1.557,1832,1.305,1846,2.093,1847,2.305,1856,0.858,1859,1.995,1864,2.682,1866,0.703,1869,1.303,1870,1.663,1884,1.924,1885,0.816,1886,0.858,1891,1.464,1892,1.051,1893,1.783,1896,2.783,1897,1.464,1898,1.663,1915,0.949,1921,0.902,1928,2.305,1932,2.117,1933,1.373,1935,1.464,1956,0.538,1966,1.602,1967,0.632,1974,0.641,1999,2.305,2008,0.901,2009,1.444,2017,0.701,2020,0.999,2025,1.233,2044,1.108,2047,2.264,2050,1.663,2057,0.816,2065,0.902,2075,1.379,2078,1.782,2081,0.568,2084,1.379,2090,0.858,2094,2.093,2100,2.682,2117,3.423,2122,1.168,2124,1.557,2126,1.602,2127,2.165,2141,2.329,2145,1.783,2163,0.902,2166,1.663,2215,1.108,2216,0.6,2231,2.405,2235,3.423,2243,1.663,2247,1.379,2255,1.168,2304,1.557,2328,1.444,2397,1.783,2400,1.663,2418,0.902,2436,1.984,2442,2.538,2444,0.454,2539,2.077,2574,1.924,2577,1.051,2583,1.697,2585,2.117,2619,1.557,2656,1.177,2668,2.093,2686,1.081,2779,2.425,2858,2.305,2875,1.613,2902,0.999,2967,1.663,2979,1.663,2985,1.233,3036,1.373,3039,0.509,3090,1.663,3107,2.287,3118,2.538,3129,2.783,3141,0.858,3220,1.783,3278,1.557,3279,2.425,3288,0.999,3297,1.647,3336,1.373,3404,2.405,3407,1.663,3409,1.557,3464,0.666,3539,1.233,3540,1.957,3544,2.056,3555,0.816,3567,2.102,3659,2.305,3691,2.487,3704,1.663,3823,1.663,3849,0.867,3858,1.783,3890,0.816,3902,1.233,3971,1.239,3972,1.444,4004,1.374,4006,1.783,4007,2.305,4018,1.783,4181,2.093,4215,2.252,4265,2.174,4281,1.108,4358,2.305,4387,1.783,4419,1.884,4432,4.397,4442,2.425,4449,3.027,4510,2.588,4514,2.568,4518,3.333,4604,3.556,4606,2.093,4620,2.093,4647,2.579,4654,1.924,4684,3.743,4728,1.051,4799,1.519,4860,0.949,4868,1.233,5361,2.588,5449,2.093,5552,1.663,5574,2.094,5855,2.093,6233,2.588,6345,1.303,6349,2.588,6380,2.588,6536,2.305,6578,2.588,6597,2.725,6801,1.464,6828,2.588,6945,3.556,7021,2.588,7396,2.588,7407,2.588,7474,2.
588,7625,1.924,7654,2.783,7655,2.568,7690,2.093,7705,2.093,7775,3.743,7829,2.305,7874,3.743,7880,2.367,7881,2.588,7898,3.743,7900,2.588,7931,2.093,7999,2.588,8144,2.305,8145,3.333,8315,3.027,8402,2.588,8434,5.495,8472,3.32,8486,2.252,8487,3.076,8488,3.076,8489,2.252,8490,1.557,8491,1.557,8499,2.588,8511,3.206,8512,3.961,8518,3.027,8521,2.899,8522,3.386,8523,2.899,8524,2.899,8525,2.899,8526,2.899,8527,2.899,8528,2.899,8529,2.899,8530,3.386,8531,2.899,8532,2.899,8533,2.899,8534,2.252,8535,2.252,8536,2.252,8537,1.557,8554,2.899,8556,2.252,8567,2.588,8591,2.588,8596,3.206,8621,2.588,8644,1.663,8699,3.556,8709,2.588,8715,4.397,8792,3.019,8793,2.305,8794,3.019,8795,3.019,8796,6.562,8797,5.129,8798,3.019,8799,3.019,8800,3.019,8801,3.019,8802,3.019,8803,3.743,8804,3.019,8805,3.019,8806,3.019,8807,3.019,8808,5.129,8809,3.019,8810,3.019,8811,3.019,8812,3.333,8813,2.305,8814,3.019,8815,3.019,8816,3.019,8817,3.019,8818,3.019,8819,3.019,8820,3.019,8821,5.129,8822,3.019,8823,5.129,8824,3.019,8825,3.019,8826,3.019,8827,3.019,8828,3.019,8829,6.214,8830,3.019,8831,5.129,8832,4.366,8833,5.62,8834,4.366,8835,3.019,8836,3.019,8837,3.019,8838,2.588,8839,3.019,8840,3.019,8841,3.019,8842,3.019,8843,3.019,8844,5.62,8845,4.366,8846,5.129,8847,6.214,8848,3.019,8849,3.019,8850,3.019,8851,4.366,8852,3.019,8853,3.019,8854,3.019,8855,5.129,8856,3.019,8857,5.62,8858,2.588,8859,4.366,8860,3.019,8861,3.019,8862,4.366,8863,3.019,8864,3.019,8865,4.366,8866,3.019,8867,3.019,8868,3.019,8869,3.019,8870,3.019,8871,3.019,8872,3.019,8873,3.019,8874,3.019,8875,3.019,8876,4.397,8877,3.019,8878,3.019,8879,3.019,8880,3.019,8881,3.019,8882,3.019,8883,3.019,8884,3.019,8885,3.019,8886,3.019,8887,3.019,8888,3.019,8889,4.366,8890,4.366,8891,3.019,8892,3.019,8893,3.019,8894,3.019,8895,3.019,8896,3.019,8897,3.019,8898,4.366,8899,3.019,8900,3.019,8901,3.743,8902,3.019,8903,5.962,8904,3.019,8905,3.019,8906,3.019,8907,3.019,8908,3.019,8909,3.019,8910,3.019,8911,3.019,8912,3.019,8913,3.019,8914,3.019,8915,3.019,8916,3.01
9,8917,3.019,8918,3.019,8919,4.366,8920,4.366,8921,4.366,8922,3.019,8923,4.366,8924,3.019,8925,3.019,8926,3.019,8927,3.019,8928,3.019,8929,3.019,8930,3.019,8931,3.019,8932,3.019,8933,3.019,8934,3.019,8935,4.397,8936,4.366,8937,3.019,8938,3.019,8939,3.019,8940,3.019,8941,3.019,8942,3.019,8943,3.019,8944,3.019,8945,3.019,8946,3.019,8947,3.019,8948,3.019,8949,3.019]],["title/oci/index.html",[2,4.976,3,4.605,4,6.619,5,3.263,131,2.703]],["breadcrumb/oci/index.html",[6,0.257,131,1.489]],["description/oci/index.html",[3,2.526,4,2.706,28,1.393,29,0.604,89,0.167,115,1.345,244,1.684,288,0.681,511,1.438,564,1.191,872,1.567,1004,3.782,1123,1.296,3297,5.45]],["body/oci/index.html",[0,0.11,2,0.985,3,0.838,4,0.949,17,0.923,20,1.552,28,0.462,29,0.19,31,0.425,38,1.805,40,0.242,41,0.141,44,0.15,47,0.141,48,0.088,51,0.326,52,0.547,53,0.165,88,0.043,102,0.07,103,0.242,104,0.278,107,0.505,110,0.405,111,0.633,115,0.446,116,0.207,117,0.425,126,0.077,131,0.506,148,0.174,153,0.633,154,0.387,176,0.465,201,1.821,223,0.772,227,0.162,244,0.59,247,1.212,249,0.387,253,0.871,261,1.15,271,0.313,275,0.772,288,0.214,300,0.505,339,0.242,346,0.108,365,0.824,434,1.898,511,0.453,527,0.125,564,0.413,580,0.277,685,1.212,688,1.212,736,1.821,779,1.064,791,1.15,805,2.646,845,0.34,850,0.279,872,0.543,897,0.547,905,1.024,906,0.589,917,0.425,918,0.946,983,1.344,984,2.646,1004,1.033,1010,1.916,1014,2.45,1054,0.82,1111,1.15,1123,0.43,1165,0.82,1179,3.421,1213,0.505,1279,1.257,1288,0.589,1345,3.691,1356,3.691,1445,1.277,1473,1.565,1503,0.19,1538,2.125,1564,0.82,1566,1.344,1949,0.772,1974,0.724,2008,0.824,2009,1.916,2010,3.421,2012,2.24,2017,1.344,2025,2.365,2028,1.004,2103,2.24,2332,1.09,2418,1.731,2451,2.1,2577,2.451,2686,1.187,3036,2.1,3107,1.731,3122,1.033,3297,1.488,3336,2.1,3401,1.716,3555,1.565,3606,1.631,3680,2.988,3849,1.15,4004,1.212,4007,4.422,5574,2.365,6345,2.499,6350,2.646,7880,2.1,7981,2.24,8950,5.791,8951,5.791]],["title/oci/ir.html",[2,4.44,3,4.108,4,6.123,5,2.912,131,2.411,288,1.107,511,2.339]],["b
readcrumb/oci/ir.html",[6,0.198,131,1.147,288,0.527,511,1.113]],["description/oci/ir.html",[2,2.134,3,1.975,31,1.218,43,0.343,52,1.565,131,1.159,148,0.409,219,2.073,223,2.209,274,0.593,275,2.209,288,0.532,314,5.213,339,0.692,434,4.712,511,1.125,540,3.656,629,2.209,685,3.471,696,4.712,894,3.849,917,1.218,1165,2.349,2028,2.494,2066,6.083,2076,8.039,3849,3.293]],["body/oci/ir.html",[0,0.12,2,1.011,3,0.908,4,0.392,5,0.26,7,0.384,9,0.299,10,1.255,11,0.16,13,0.518,14,0.535,19,0.851,23,2.085,26,0.416,27,0.483,28,0.423,29,0.126,30,0.833,31,0.539,32,0.107,33,0.25,34,0.152,35,0.147,37,0.566,38,1.196,40,0.128,41,0.138,43,0.152,44,0.136,45,0.441,47,0.075,48,0.079,51,0.291,52,0.685,53,0.183,54,0.418,55,1.196,56,0.483,60,0.308,61,0.714,62,0.577,65,0.29,66,0.356,67,0.263,68,0.384,76,0.482,77,0.226,79,0.455,80,0.421,81,0.619,82,0.709,83,0.168,84,0.548,85,0.316,86,0.106,87,1.067,88,0.047,89,0.045,90,0.452,91,0.678,92,0.705,93,0.79,94,0.577,96,0.714,97,0.519,98,0.648,99,0.436,100,0.336,101,0.714,102,0.073,103,0.128,104,0.213,106,0.903,107,0.524,108,2.858,110,0.309,111,0.483,113,0.732,116,0.11,118,0.455,119,0.826,120,1.017,121,0.405,122,0.678,123,0.418,124,0.519,125,0.831,126,0.069,127,0.384,128,0.705,129,0.483,130,0.483,131,0.542,132,0.79,133,0.103,134,0.483,135,0.462,137,0.518,138,0.714,139,0.678,140,0.577,143,0.436,145,0.29,146,0.59,148,0.178,149,0.384,152,0.519,153,0.336,154,0.346,156,0.185,159,1.032,160,0.251,161,0.275,162,0.262,165,0.268,170,0.79,171,1.017,176,0.247,178,0.45,180,0.663,181,1.528,182,0.456,183,0.671,184,0.36,187,0.858,189,0.336,191,0.436,192,0.317,193,0.606,194,0.412,198,0.313,206,0.548,207,0.671,209,0.405,211,1.085,212,0.269,213,1.081,214,0.565,216,0.41,218,0.501,219,0.945,220,0.579,221,0.473,222,0.473,223,0.92,227,0.107,230,1.496,231,1.693,232,0.611,233,0.462,234,0.833,239,0.619,241,0.614,244,0.57,245,0.772,246,1.137,247,0.644,249,0.346,250,1.316,251,0.956,252,0.482,253,0.462,254,0.658,256,0.548,258,0.705,261,1.126,262,0.505,263,0.416,264,0.342,265,0.483,270,0.6
71,271,0.239,273,0.381,274,0.252,275,0.978,276,0.597,277,0.507,278,0.493,279,0.308,280,0.226,281,0.381,282,0.45,284,0.79,287,0.49,288,0.238,294,0.779,297,2.452,299,0.418,300,0.575,303,0.254,304,0.346,305,0.682,310,1.327,311,0.267,312,0.589,314,1.782,316,0.527,317,0.874,320,1.693,322,0.714,323,0.575,326,0.678,327,0.886,328,0.384,329,0.377,330,0.377,332,0.519,334,1.959,335,0.879,339,0.307,340,0.484,341,0.395,342,0.938,343,0.941,344,0.185,346,0.112,350,0.833,351,0.136,352,1.143,353,0.211,363,0.59,366,1.909,370,0.967,374,0.997,376,1.379,384,1.177,385,0.751,394,0.627,395,0.627,397,0.627,400,0.49,410,0.158,411,0.45,412,0.45,413,0.527,414,0.155,415,0.097,416,0.107,417,0.133,418,0.271,419,0.185,420,0.185,424,0.705,425,0.703,430,0.45,431,1.777,433,0.627,434,2.148,435,2.236,441,0.436,442,0.8,444,0.734,446,0.315,450,1.322,451,0.634,453,1.391,454,1.875,459,0.755,468,0.548,473,0.575,475,1.607,484,1.067,485,0.751,487,0.313,488,0.589,490,0.957,496,0.518,498,0.205,501,0.966,504,0.41,506,0.79,507,0.879,511,0.484,512,0.094,513,0.59,514,0.579,516,1.029,521,0.671,522,0.418,523,0.59,524,0.874,527,0.12,528,0.833,529,0.751,531,0.45,538,1.629,539,0.611,540,1.503,542,1.391,546,1.549,547,0.462,550,0.405,551,0.128,552,0.874,560,1.071,564,0.377,570,0.874,572,0.346,580,0.248,582,1.379,610,1.463,628,0.205,629,1.007,630,0.462,637,0.462,647,0.519,648,3.061,649,0.418,653,0.895,655,0.548,656,0.396,657,0.247,659,0.705,660,0.975,661,0.782,670,0.519,671,1.189,672,0.976,673,0.579,680,1.586,682,0.966,684,1.391,685,1.519,686,0.416,687,0.757,688,1.406,690,0.714,693,0.554,696,2.016,708,0.746,710,2.818,713,0.831,717,0.494,725,0.803,726,1.189,745,1.538,746,0.833,747,0.678,755,2.661,756,0.455,759,2.512,764,0.579,767,1.189,771,0.879,775,0.957,776,1.332,780,1.869,783,0.976,784,0.831,790,0.678,791,1.28,792,2.213,802,1.456,807,0.268,815,1.959,816,0.879,826,1.586,845,0.335,863,1.086,872,0.504,873,0.185,894,1.756,895,0.956,897,0.7,899,1.027,903,0.462,905,0.436,906,0.527,912,0.975,913,1.463,914,1.017,917,0.56,918,0.6
27,919,0.816,920,0.751,921,1.463,927,1.711,932,1.541,985,1.4,989,0.553,992,0.107,1002,0.185,1004,0.924,1006,0.441,1018,0.362,1019,1.017,1020,0.648,1034,0.967,1036,0.548,1040,1.017,1050,2.004,1054,0.851,1056,1.027,1092,1.46,1103,0.678,1111,1.242,1119,0.879,1124,1.971,1126,1.623,1130,1.463,1141,1.496,1147,1.143,1152,1.586,1155,2.236,1156,1.694,1157,2.132,1163,1.327,1165,1.046,1167,0.325,1168,0.548,1170,1.522,1175,1.189,1186,0.683,1191,1.189,1228,0.874,1230,0.519,1233,1.629,1251,1.017,1252,0.751,1253,1.707,1257,1.405,1258,1.189,1261,0.919,1262,1.806,1269,0.527,1271,0.548,1275,0.714,1276,0.919,1278,1.694,1279,1.344,1283,1.332,1286,1.322,1288,0.313,1294,0.527,1333,1.027,1334,0.732,1336,1.189,1346,1.189,1348,0.798,1350,0.746,1361,0.384,1362,1.693,1373,1.782,1375,1.027,1384,1.491,1385,0.831,1408,1.081,1409,1.693,1423,0.519,1478,1.532,1503,0.215,1507,2.613,1518,1.257,1523,0.45,1525,1.071,1531,1.327,1538,1.128,1539,0.611,1540,0.967,1544,0.919,1548,1.987,1549,2.846,1552,1.711,1556,1.071,1557,1.112,1560,1.071,1564,0.966,1565,1.327,1566,1.634,1573,2.323,1577,1.213,1606,0.833,1612,1.189,1613,1.693,1615,2.145,1616,0.975,1619,1.143,1621,0.874,1626,0.967,1627,1.909,1628,1.405,1632,2.419,1639,1.456,1645,1.693,1667,0.779,1669,1.752,1677,0.539,1678,1.541,1680,1.874,1683,1.027,1690,0.919,1694,1.032,1695,2.282,1696,0.833,1699,1.549,1714,1.463,1717,2.446,1757,1.071,1765,1.405,1772,1.586,1776,2.437,1784,0.967,1787,1.029,1790,1.017,1796,1.017,1801,2.673,1832,0.919,1854,1.795,1859,2.368,1866,0.782,1870,1.693,1875,2.132,1876,0.874,1885,1.4,1886,0.874,1891,1.491,1915,1.391,1921,0.919,1932,2.748,1953,1.255,1956,0.548,1958,4.121,1966,1.128,1974,0.553,2006,0.976,2008,0.862,2009,1.017,2017,1.027,2020,1.875,2026,1.843,2028,0.941,2029,2.339,2030,2.652,2036,2.512,2037,1.816,2040,1.959,2041,3.348,2042,1.816,2043,1.586,2044,1.128,2047,2.193,2051,2.132,2061,1.189,2064,1.711,2065,1.549,2066,2.813,2075,2.021,2076,2.145,2078,1.694,2082,0.967,2084,1.405,2090,1.473,2093,1.491,2094,2.132,2095,0.644,2096,1.18
9,2100,3.081,2101,2.636,2102,1.255,2103,2.192,2104,0.678,2106,3.612,2108,1.017,2109,1.081,2110,0.589,2111,1.071,2112,1.189,2113,1.959,2114,2.636,2115,0.976,2116,2.132,2117,2.437,2118,1.693,2119,1.693,2120,2.347,2121,2.347,2122,1.189,2123,2.132,2124,1.586,2125,2.347,2126,1.128,2127,1.071,2128,1.959,2129,2.636,2130,1.405,2131,3.377,2133,1.255,2136,2.636,2141,2.374,2145,1.816,2151,2.347,2153,2.636,2156,2.437,2162,1.959,2163,1.869,2166,2.437,2172,2.636,2197,2.132,2198,2.132,2199,2.132,2209,2.314,2214,1.816,2216,0.611,2218,2.636,2220,1.901,2223,0.967,2225,1.491,2228,2.132,2229,1.491,2231,2.854,2232,2.132,2233,1.327,2238,3.067,2239,3.377,2240,2.819,2241,3.067,2242,2.347,2243,2.854,2244,1.327,2247,2.368,2249,1.806,2251,2.347,2252,1.693,2255,1.711,2270,2.347,2300,1.959,2301,2.132,2302,2.132,2328,1.987,2329,1.693,2331,1.491,2334,2.636,2412,1.128,2418,2.038,2429,1.255,2442,2.323,2461,1.017,2467,1.203,2539,1.974,2632,1.491,2656,1.085,2668,3.067,2686,1.087,2701,1.586,2779,2.236,2815,1.128,2854,1.128,2861,1.959,2875,1.391,2884,1.959,2962,2.004,3019,1.491,3031,2.613,3069,3.593,3107,2.256,3118,2.314,3122,0.548,3131,3.694,3237,1.405,3278,1.586,3279,2.236,3291,1.255,3297,1.656,3336,0.967,3401,1.332,3406,2.282,3500,1.128,3540,1.805,3543,1.255,3544,1.714,3555,0.831,3567,1.629,3606,1.081,3845,1.714,3848,2.021,3849,1.126,3859,0.919,3861,0.874,3862,0.967,3888,1.405,3890,1.532,3960,1.629,3971,1.25,3972,1.463,3994,1.816,4004,0.926,4025,2.145,4037,1.959,4169,1.255,4213,2.132,4214,1.816,4265,2.004,4303,1.693,4397,1.959,4434,1.017,4442,2.236,4449,2.132,4451,2.924,4577,3.593,4606,2.132,4620,2.132,4691,1.586,4728,1.805,4736,2.132,4768,2.636,4769,3.067,4799,1.4,4838,2.636,4864,5.149,4865,4.859,4868,1.255,4997,3.377,5162,2.854,5342,2.636,5356,2.314,5450,3.956,5477,3.986,5513,2.021,5574,1.806,5735,2.132,5894,2.347,6133,1.405,6346,1.959,6539,1.959,6597,2.59,6647,4.661,6730,2.132,6801,1.491,6913,1.816,6990,2.636,7014,2.347,7020,2.613,7129,1.959,7296,2.347,7510,1.959,7630,2.636,7655,2.368,7742,2.347,
7880,2.321,7903,2.636,8014,2.636,8247,3.793,8315,2.132,8327,2.132,8472,3.061,8473,1.959,8475,1.959,8484,3.377,8485,4.327,8486,2.282,8487,2.924,8488,2.924,8489,2.282,8490,1.586,8491,1.586,8502,3.303,8511,3.561,8512,4.107,8513,2.132,8521,2.673,8522,3.226,8523,2.673,8524,2.673,8525,2.673,8526,2.673,8527,2.673,8528,2.673,8529,2.673,8530,3.226,8531,2.673,8532,2.673,8533,2.673,8534,2.282,8535,2.282,8536,2.282,8537,2.673,8538,1.959,8554,2.282,8556,1.586,8596,3.324,8603,1.816,8604,3.793,8611,2.636,8644,1.693,8699,2.132,8759,2.636,8760,2.347,8761,2.347,8762,2.347,8803,2.636,8812,3.377,8813,2.347,8838,2.636,8876,2.636,8935,2.636,8952,4.423,8953,5.149,8954,5.181,8955,3.074,8956,3.074,8957,3.074,8958,4.423,8959,3.074,8960,5.149,8961,3.074,8962,3.074,8963,3.074,8964,3.074,8965,3.074,8966,3.074,8967,3.074,8968,3.074,8969,3.074,8970,3.074,8971,3.074,8972,4.423,8973,3.074,8974,3.074,8975,4.423,8976,3.074,8977,4.423,8978,3.074,8979,5.181,8980,4.423,8981,3.074,8982,3.074,8983,3.074,8984,3.074,8985,3.074,8986,3.074,8987,3.074,8988,3.074,8989,4.423,8990,3.074,8991,3.074,8992,3.074,8993,3.074,8994,3.074,8995,3.074,8996,3.074,8997,3.074,8998,3.074,8999,3.793,9000,3.074,9001,3.074,9002,3.074,9003,3.074,9004,4.423,9005,3.074,9006,3.074,9007,6.005,9008,4.423,9009,2.347,9010,2.347,9011,3.074,9012,3.074,9013,5.181,9014,3.074,9015,3.793,9016,3.074,9017,3.074,9018,3.074,9019,3.074,9020,5.181,9021,3.074,9022,4.423,9023,3.074,9024,2.636,9025,3.074,9026,2.636,9027,3.074,9028,3.074,9029,3.074,9030,3.074,9031,3.074,9032,3.074,9033,3.074,9034,3.074,9035,4.423,9036,3.074,9037,3.074,9038,3.074,9039,2.636,9040,2.636,9041,2.636,9042,2.636,9043,2.636,9044,3.074,9045,3.074,9046,6.005,9047,3.074,9048,3.074,9049,3.074,9050,3.074,9051,3.074,9052,3.074,9053,3.074,9054,3.074,9055,4.423,9056,3.074,9057,3.074,9058,3.074,9059,3.074,9060,3.074,9061,3.074,9062,3.074,9063,2.636,9064,3.074,9065,5.667,9066,4.423,9067,3.793,9068,3.074,9069,3.074,9070,4.423,9071,3.074,9072,3.074,9073,3.074,9074,3.074,9075,3.074,9076,3.07
4,9077,4.423,9078,3.074,9079,4.423,9080,3.074,9081,3.074,9082,3.074,9083,5.181,9084,5.181,9085,5.181,9086,3.074,9087,3.074,9088,3.074,9089,3.074,9090,3.074,9091,3.074,9092,2.636,9093,3.074,9094,3.074,9095,3.074,9096,3.074,9097,3.074,9098,3.074]],["title/oci/kubernetes.html",[2,4.693,3,4.342,4,6.362,5,3.077,131,2.549,2577,12.696]],["breadcrumb/oci/kubernetes.html",[6,0.224,131,1.296,1949,2.469]],["description/oci/kubernetes.html",[2,1.66,4,1.646,38,3.486,40,0.538,41,0.313,44,0.402,115,0.818,131,1.359,148,0.48,176,1.035,227,0.313,244,1.024,274,0.462,292,1.125,300,1.125,512,0.171,527,0.241,564,0.725,779,2.056,850,0.538,872,0.953,918,1.827,1123,0.788,1167,0.948,1444,4.267,1503,0.367,1523,1.312,1949,2.589,1951,2.994,2451,4.055,2577,6.769,2686,2.176,3297,3.315,3401,3.315,3680,6.654,4169,5.266,5574,5.266,6350,5.894,7013,8.943]],["body/oci/kubernetes.html",[0,0.118,2,1.012,3,0.706,4,0.941,5,0.591,7,0.54,9,0.296,11,0.164,13,0.506,14,0.408,21,1.444,23,0.89,27,0.427,28,0.367,29,0.123,31,0.514,32,0.164,33,0.247,34,0.105,35,0.207,37,0.715,38,1.725,40,0.303,41,0.144,43,0.156,44,0.149,45,0.374,47,0.072,48,0.039,51,0.321,52,0.584,53,0.189,54,0.413,58,0.765,60,0.312,65,0.408,66,0.353,67,0.268,68,0.372,76,0.525,77,0.436,79,0.239,80,0.431,81,0.648,82,0.741,83,0.175,85,0.318,86,0.133,88,0.044,89,0.051,90,0.62,91,0.657,92,0.475,93,1.64,96,0.691,98,0.372,99,0.422,102,0.075,103,0.124,104,0.143,106,0.689,107,0.26,112,0.561,114,0.372,115,0.451,116,0.2,117,0.436,118,0.476,121,0.385,123,0.445,126,0.039,127,0.54,129,0.415,130,0.415,131,0.544,133,0.098,134,0.325,137,0.506,140,0.303,141,0.657,143,0.613,145,0.408,146,0.281,148,0.18,150,0.472,154,0.199,156,0.307,159,0.422,160,0.124,161,0.294,162,0.267,165,0.26,167,0.691,171,0.985,173,0.207,176,0.239,178,0.44,180,0.654,181,1.364,182,0.396,183,0.568,184,0.506,189,0.325,191,0.904,192,0.317,193,0.349,194,0.413,198,0.402,199,0.85,200,1.229,201,1.359,202,1.898,206,0.771,207,0.303,209,0.394,211,0.624,212,0.266,214,0.497,221,0.469,222,0.514,223,0.79,225,1
.243,227,0.072,230,1.592,233,0.448,234,0.561,239,0.648,241,0.54,244,0.591,245,0.78,249,0.34,250,1.482,252,0.577,254,0.408,256,0.908,258,0.689,261,1.39,262,0.289,263,0.436,264,0.414,270,0.568,271,0.345,273,0.454,274,0.262,275,0.871,276,0.512,277,0.436,278,0.514,279,0.207,280,0.318,281,0.454,285,1.152,288,0.096,292,0.598,293,0.741,294,0.84,298,0.771,299,0.56,300,0.557,303,0.239,304,0.413,305,0.713,311,0.337,312,0.397,313,1,314,0.936,316,0.303,317,0.502,322,0.691,326,0.657,328,0.636,329,0.402,330,0.394,332,0.859,339,0.304,340,0.436,341,0.408,342,0.985,343,0.892,344,0.248,346,0.132,350,0.914,351,0.142,352,0.657,353,0.223,363,0.692,368,1.111,369,0.985,370,1.359,376,0.657,383,1.586,384,0.729,385,1.056,394,0.613,395,0.613,397,0.613,400,0.689,414,0.213,415,0.133,416,0.144,417,0.178,418,0.324,419,0.247,420,0.247,424,0.689,425,0.506,426,0.678,427,0.859,430,0.629,431,0.846,432,0.805,433,1.006,434,1.686,441,0.876,442,0.79,443,0.846,444,0.472,446,0.283,451,0.671,454,2.239,468,0.771,473,0.377,475,1.739,480,0.805,481,1.152,482,1.004,483,1.536,484,0.561,485,0.698,486,1.64,487,0.358,488,0.79,490,0.475,496,0.596,498,0.437,500,1.066,501,0.422,504,0.678,507,0.859,511,0.402,512,0.092,513,0.56,514,0.561,518,1.292,519,1.296,520,0.771,521,0.518,523,0.56,527,0.138,528,1.051,529,0.728,531,0.44,539,0.649,541,1.64,542,0.936,543,0.689,544,0.905,546,1.521,550,0.358,551,0.258,558,1.292,560,0.475,563,0.846,564,0.38,565,0.624,572,0.373,577,2.096,580,0.318,582,1.493,627,1.975,628,0.396,629,0.397,634,0.26,636,0.811,637,0.84,647,0.502,649,0.603,653,0.924,654,1.64,655,0.996,656,0.275,657,0.347,659,0.689,661,0.372,663,2.065,666,1.447,670,0.729,672,0.561,673,1.051,680,1.536,681,1.285,682,0.876,687,0.754,693,0.409,698,1.216,702,0.325,705,1.759,708,0.729,709,1.093,717,0.26,725,0.876,733,1.152,738,0.691,744,0.624,747,1.122,753,1.037,755,2.742,756,0.535,760,1.435,765,0.689,771,0.859,772,1.759,775,1.017,776,0.765,779,1.235,782,1.056,785,1.536,787,1.759,799,1.521,802,0.765,807,0.26,814,1.759,816,0.592,826,2.62
6,845,0.152,849,1.229,850,0.294,862,3.559,872,0.483,873,0.212,881,1.64,882,0.805,889,0.908,890,0.936,892,2.065,894,0.691,895,0.729,897,0.281,906,0.629,909,0.531,913,0.985,918,1.065,919,0.349,928,0.303,933,1.037,954,0.506,985,1.603,989,0.372,992,0.072,1001,0.576,1002,0.18,1005,1.866,1006,0.219,1007,0.985,1018,0.18,1019,0.985,1020,0.372,1021,1.285,1025,2.554,1033,1.359,1039,1.506,1056,1.004,1080,1.077,1092,1.477,1110,2.653,1112,1.773,1113,1.536,1114,1.536,1123,0.455,1124,0.89,1141,1.004,1146,0.728,1147,1.364,1155,1.285,1158,1.444,1167,0.318,1168,1.103,1169,3.688,1170,1.364,1173,1.004,1182,1.285,1186,0.749,1194,1.093,1200,0.89,1212,1.64,1213,0.487,1228,1.229,1230,0.502,1238,0.422,1239,2.468,1252,0.728,1255,0.691,1259,1.152,1264,1.444,1265,1.898,1269,0.603,1270,0.936,1271,0.531,1287,1.285,1288,0.44,1289,1.375,1294,0.303,1315,1.444,1334,0.724,1343,1.037,1348,0.349,1350,0.502,1361,0.698,1377,1.004,1392,0.592,1394,2.065,1406,0.953,1408,1.056,1423,0.859,1437,0.657,1442,1.975,1444,1.43,1445,0.953,1463,1.866,1473,1.906,1474,0.846,1478,0.805,1479,1.216,1480,1.898,1484,2.096,1494,1.444,1495,1.361,1496,1.361,1503,0.212,1513,0.691,1523,0.723,1525,1.058,1531,1.285,1540,0.936,1557,1.165,1564,0.982,1603,1.285,1615,2.875,1616,1.407,1619,0.657,1621,0.502,1632,2.653,1634,0.814,1638,0.475,1639,1.64,1666,1.672,1667,0.765,1677,0.566,1681,0.985,1683,1.004,1685,0.985,1694,0.791,1699,1.773,1700,1.231,1710,1.093,1757,1.037,1764,2.096,1770,1.975,1776,2.381,1777,1.216,1782,1.285,1787,0.859,1799,1.898,1852,0.846,1853,1.361,1856,0.846,1861,1.216,1866,0.741,1870,2.381,1892,1.037,1894,1.361,1946,1.64,1949,1.011,1950,1.6,1951,1.735,1956,1.058,1957,0.728,1958,1.64,1965,1.64,1966,1.093,1974,0.894,1988,2.803,2006,0.814,2022,1.866,2031,1.765,2047,2.299,2048,1.64,2065,0.89,2078,1.849,2082,0.936,2099,1.152,2104,1.122,2110,0.79,2111,1.037,2115,1.117,2126,1.586,2141,2.388,2163,1.773,2201,2.096,2203,0.846,2208,1.759,2213,1.037,2223,0.936,2304,1.536,2328,0.985,2332,0.561,2357,1.672,2416,1.444,2418,1.292,2436,
1.152,2442,2.393,2451,2.331,2454,1.898,2458,1.64,2461,0.985,2463,3.907,2468,3.943,2469,3.559,2474,3.244,2476,1.066,2477,0.936,2479,2.554,2486,2.274,2539,2.065,2540,4.694,2541,3.492,2542,3.503,2543,3.267,2544,3.999,2545,3.999,2546,2.875,2547,2.065,2571,3.654,2575,1.945,2576,1.684,2577,2.684,2580,2.196,2581,3.937,2590,1.509,2600,3.707,2601,4.528,2606,2.065,2621,1.444,2629,1.361,2630,3.729,2633,0.936,2645,1.216,2646,1.536,2647,1.898,2648,2.065,2656,1.242,2670,4.788,2676,3.301,2684,1.285,2686,1.206,2688,1.759,2752,1.536,2779,2.559,2805,2.998,2815,1.093,2828,2.381,2830,1.64,2868,1.093,3039,0.502,3085,1.292,3107,0.89,3118,2.526,3131,2.554,3141,1.686,3145,2.23,3275,1.285,3279,2.559,3297,1.879,3336,1.6,3399,1.285,3401,1.856,3405,2.274,3465,0.657,3501,2.274,3537,1.056,3540,2.065,3544,1.962,3555,0.805,3606,0.728,3613,1.444,3670,1.759,3674,3.299,3680,3.899,3822,2.553,3823,1.64,3828,1.111,3856,3.007,3862,0.936,3864,3.076,3960,0.936,3971,1.231,3972,1.43,4004,1.242,4006,3.007,4018,2.554,4029,2.065,4033,1.361,4038,1.898,4042,2.274,4104,1.444,4169,2.88,4265,2.294,4285,3.007,4430,1.361,4442,2.559,4475,4.723,4604,2.065,4645,1.898,4691,1.536,4701,2.626,4726,1.759,4762,2.998,4794,1.444,4799,1.603,4826,2.065,4870,2.065,5029,2.065,5057,2.553,5064,2.41,5093,2.274,5100,1.216,5124,2.998,5402,2.554,5425,2.274,5538,1.64,5544,2.553,5549,1.536,5574,2.421,5683,2.065,5797,1.444,5856,1.444,5933,2.554,6002,2.065,6184,1.536,6229,2.998,6345,1.285,6350,3.223,6392,2.065,6597,2.827,6647,1.898,6725,2.553,6728,2.553,6801,3.42,6848,5.804,6865,2.553,6908,2.553,6913,1.759,6942,2.553,6943,3.301,6981,2.553,6989,2.553,7013,2.998,7392,2.553,7655,2.71,7754,2.274,7834,2.553,7880,2.336,7981,2.807,8071,3.707,8081,2.553,8103,2.553,8248,2.553,8281,2.553,8318,2.274,8432,2.553,8433,2.553,8480,2.553,8486,2.23,8487,3.191,8488,3.191,8489,2.23,8490,1.536,8491,3.492,8511,3.538,8518,2.065,8521,3.06,8522,3.492,8523,3.06,8524,3.06,8525,3.06,8526,3.06,8527,3.06,8528,3.06,8529,3.06,8530,3.492,8531,3.06,8532,3.06,8533,3.06,8534,2.
23,8535,2.23,8536,2.23,8537,3.191,8538,2.756,8554,3.06,8556,3.06,8565,2.553,8583,3.301,8585,3.301,8587,3.301,8588,3.301,8596,3.758,8601,2.553,8628,2.274,8638,1.898,8644,3.076,8738,4.723,8858,2.553,9009,2.274,9099,7.054,9100,4.323,9101,2.553,9102,2.553,9103,2.978,9104,2.978,9105,2.978,9106,2.978,9107,2.978,9108,2.978,9109,4.323,9110,5.584,9111,6.857,9112,5.584,9113,6.382,9114,6.185,9115,2.978,9116,2.978,9117,2.978,9118,4.323,9119,6.185,9120,6.664,9121,2.978,9122,4.788,9123,3.707,9124,5.089,9125,2.978,9126,4.323,9127,2.978,9128,2.978,9129,3.707,9130,4.323,9131,4.323,9132,4.323,9133,5.089,9134,2.978,9135,2.978,9136,2.978,9137,2.978,9138,2.978,9139,4.323,9140,2.978,9141,6.382,9142,2.978,9143,4.323,9144,4.323,9145,2.978,9146,5.584,9147,5.089,9148,2.978,9149,2.978,9150,4.323,9151,2.978,9152,2.978,9153,2.978,9154,2.978,9155,2.978,9156,2.978,9157,2.978,9158,2.978,9159,2.978,9160,2.978,9161,2.978,9162,2.978,9163,2.978,9164,4.323,9165,2.978,9166,2.978,9167,2.978,9168,2.978,9169,4.323,9170,2.978,9171,5.93,9172,5.089,9173,2.978,9174,2.553,9175,2.978,9176,2.978,9177,2.978,9178,4.323,9179,5.089,9180,5.089,9181,4.323,9182,2.978,9183,2.978,9184,2.978,9185,4.323,9186,2.978,9187,2.978,9188,2.978,9189,2.978,9190,2.978,9191,2.978,9192,2.978,9193,2.978,9194,4.323,9195,2.978,9196,2.978,9197,2.978,9198,2.978,9199,2.978,9200,2.978,9201,2.978,9202,2.978,9203,2.978,9204,4.323,9205,4.528,9206,2.978,9207,2.553,9208,2.553,9209,2.553,9210,2.978,9211,2.553,9212,2.553,9213,2.978,9214,2.978,9215,5.089,9216,2.978,9217,2.978,9218,2.978,9219,2.978,9220,2.978,9221,3.707,9222,2.553,9223,2.978,9224,2.553,9225,2.978,9226,2.978,9227,2.553,9228,2.978,9229,2.978,9230,2.978,9231,2.978,9232,2.978]],["title/oci/logging.html",[2,5.954,3,3.898,4,5.902,5,2.763,131,2.288,244,2.599,845,1.665]],["breadcrumb/oci/logging.html",[2,1.895,6,0.178,131,1.029,244,1.169,845,0.749]],["description/oci/logging.html",[2,2.373,3,2.196,51,1.134,131,1.289,148,0.62,244,2.269,434,5.24,845,0.938,872,1.362,885,3.288,1156,5.511,1165,2.61
2,2332,3.471,2418,5.511,3036,5.797,3122,3.288,7981,7.132]],["body/oci/logging.html",[0,0.12,2,1.011,3,0.917,4,0.384,6,0.036,7,0.702,9,0.285,10,1.23,11,0.173,13,0.782,14,0.284,19,0.427,23,1.531,24,1.659,25,1.049,26,0.451,27,0.515,28,0.495,29,0.086,30,0.821,31,0.499,32,0.151,33,0.257,34,0.073,35,0.297,37,0.679,40,0.214,41,0.155,43,0.15,44,0.144,45,0.376,47,0.124,48,0.068,49,1.303,51,0.348,52,0.705,53,0.188,54,0.487,55,0.814,56,0.56,58,0.77,60,0.347,61,0.699,62,0.707,65,0.284,66,0.354,67,0.257,68,0.377,69,0.284,76,0.498,77,0.376,79,0.35,80,0.403,81,0.614,83,0.175,84,0.537,85,0.314,86,0.105,87,0.567,88,0.044,89,0.047,90,0.447,91,0.664,92,0.695,93,0.774,94,0.306,96,0.699,97,0.508,98,0.545,99,0.618,100,0.56,101,1.012,102,0.082,103,0.126,104,0.246,106,0.48,108,1.376,110,0.393,111,0.476,112,0.821,113,0.657,116,0.156,117,0.376,118,0.498,119,0.48,120,0.996,121,0.375,122,0.664,123,0.453,124,0.735,125,0.814,126,0.074,127,0.545,128,0.695,129,0.498,130,0.498,131,0.543,132,1.531,133,0.117,134,0.476,135,0.453,137,0.352,138,0.699,139,0.664,140,0.443,141,0.664,142,0.9,143,0.427,144,0.814,145,0.562,146,0.484,148,0.19,149,0.801,151,1.107,152,0.735,153,0.614,156,0.339,158,1.376,159,1.049,160,0.249,161,0.295,162,0.264,165,0.542,167,1.189,169,0.9,170,0.774,173,0.208,180,0.599,181,0.736,182,0.375,183,0.724,184,0.352,189,0.476,191,0.88,192,0.312,193,0.697,194,0.413,198,0.339,199,0.401,206,0.537,207,0.443,209,0.423,212,0.214,214,0.526,216,0.401,218,0.519,219,0.877,221,0.412,222,0.544,223,0.874,225,1.065,229,2.091,230,1.487,232,0.598,233,0.656,234,0.567,235,1.3,236,1.376,239,0.679,240,1.456,241,0.66,244,0.618,245,0.768,246,0.774,247,1.373,249,0.447,250,1.383,251,0.735,252,0.478,253,0.656,254,0.586,256,0.537,257,2.088,258,0.816,260,1.37,261,1.115,262,0.476,263,0.456,264,0.339,270,0.68,271,0.277,273,0.376,274,0.251,275,0.998,276,0.451,277,0.51,278,0.523,279,0.268,280,0.456,281,0.376,282,0.521,288,0.218,292,0.542,293,0.377,294,0.77,300,0.621,303,0.246,304,0.342,305,0.68,307,1.659,308,0.651,311,0
.438,313,0.864,314,0.947,316,0.443,317,0.864,318,0.631,319,0.913,323,0.625,326,1.369,327,0.427,329,0.309,330,0.309,332,0.508,335,0.598,339,0.3,340,0.456,341,0.395,342,0.934,343,0.934,344,0.222,346,0.138,350,0.827,351,0.137,352,1.13,353,0.224,354,1.879,360,0.598,363,0.562,365,0.51,370,0.947,384,0.508,385,1.065,394,0.427,395,0.427,397,0.427,400,0.895,410,0.201,411,0.521,412,0.521,413,0.667,414,0.154,415,0.096,416,0.124,417,0.154,418,0.297,419,0.214,420,0.214,425,0.697,426,0.827,430,0.521,431,1.456,433,0.427,434,2.174,438,1.12,439,1.518,442,0.581,444,0.329,446,0.328,451,0.641,454,2.054,473,0.263,475,1.596,483,1.554,484,0.821,485,0.545,487,0.359,488,0.682,490,0.48,493,1.779,496,0.599,498,0.415,500,0.913,510,1.23,511,0.466,512,0.092,513,0.53,514,0.567,516,0.598,520,0.777,521,0.521,522,0.484,523,0.619,525,3.022,527,0.081,528,0.964,531,0.571,538,1.61,539,0.306,541,1.659,544,0.913,546,1.678,547,0.453,550,0.375,551,0.303,556,1.686,558,1.303,564,0.36,565,1.072,569,2.088,570,0.856,572,0.398,580,0.285,582,1.369,583,1.105,589,1.779,596,1.065,626,1.37,628,0.375,629,0.401,631,0.664,634,0.52,636,0.48,637,0.453,647,0.508,649,0.284,653,0.89,656,0.322,657,0.411,660,1.516,661,0.702,673,0.567,682,0.907,684,0.947,685,0.913,686,0.526,687,0.762,688,0.631,693,0.545,694,1.442,697,1.46,698,1.23,699,1.065,706,1.554,709,1.105,717,0.52,725,0.844,739,2.249,746,1.206,747,1.13,754,1.049,755,2.654,756,0.242,765,0.95,768,0.774,769,0.48,775,0.895,783,0.964,802,1.316,803,1.3,807,0.263,808,1.316,813,1.3,826,1.554,845,0.383,851,2.088,852,1.165,856,0.777,863,1.034,872,0.547,873,0.182,885,1.062,894,0.699,897,0.562,899,1.158,905,0.929,906,0.306,908,1.105,909,0.537,914,0.996,917,0.412,918,0.726,919,0.352,921,1.442,954,0.352,985,1.806,987,0.736,992,0.106,1000,1.23,1001,0.682,1002,0.339,1004,1.062,1006,0.376,1011,1.12,1018,0.263,1019,1.695,1020,0.545,1040,0.996,1049,0.774,1054,0.844,1056,1.012,1092,1.3,1111,1.183,1123,0.424,1130,0.996,1141,1.303,1146,0.736,1147,1.13,1152,2.249,1153,1.554,1156,2.208,1164,1.105,
1165,1.044,1167,0.221,1168,1.107,1170,1.369,1177,0.656,1181,1.551,1186,0.679,1189,1.92,1191,1.165,1200,1.531,1203,1.239,1213,0.263,1227,1.46,1228,0.856,1230,1.005,1233,0.947,1242,0.631,1251,1.442,1252,0.736,1254,2.341,1258,1.165,1261,0.9,1263,3.797,1268,2.088,1269,0.652,1271,0.537,1275,0.699,1278,1.303,1279,1.331,1286,0.9,1288,0.306,1289,0.814,1334,0.51,1346,1.165,1348,0.657,1350,0.508,1361,0.377,1363,1.3,1377,0.699,1385,0.814,1386,0.9,1392,0.598,1408,0.736,1423,0.508,1425,1.879,1426,2.299,1428,1.779,1430,3.204,1445,0.961,1446,0.996,1473,0.814,1503,0.177,1504,1.316,1513,0.699,1518,1.239,1523,0.306,1525,1.001,1539,1.017,1544,0.9,1557,1.107,1577,0.821,1603,2.21,1606,0.567,1615,2.484,1616,1.13,1622,2.292,1623,1.92,1624,1.686,1626,1.765,1632,2.402,1638,0.48,1639,1.443,1645,1.659,1665,1.239,1667,0.896,1669,1.443,1676,1.303,1677,0.578,1681,0.996,1683,1.012,1685,0.996,1694,0.795,1699,1.531,1700,0.664,1709,0.947,1712,2.091,1717,1.881,1776,2.401,1777,1.23,1784,1.37,1787,1.272,1796,0.996,1801,1.554,1832,1.678,1852,1.239,1854,1.531,1856,1.239,1866,0.82,1883,1.049,1890,2.088,1894,1.376,1897,1.46,1898,2.401,1921,1.531,1922,1.992,1926,2.582,1930,1.554,1931,1.46,1933,1.37,1938,1.23,1958,3.893,1962,1.879,1988,1.659,2006,0.964,2008,0.51,2017,1.383,2019,1.992,2020,1.442,2026,1.178,2029,1.049,2030,2.075,2047,2.184,2049,1.46,2065,0.9,2066,2.593,2078,1.678,2081,0.567,2082,1.765,2083,1.82,2084,1.992,2093,1.46,2110,0.682,2111,1.784,2112,1.165,2126,1.879,2127,1.049,2141,2.442,2163,2.028,2200,1.23,2201,1.46,2203,0.856,2209,1.23,2212,0.947,2215,2.06,2216,0.598,2220,1.105,2225,2.484,2247,2.838,2304,1.554,2309,2.778,2324,2.582,2327,1.92,2328,0.996,2332,1.294,2357,2.304,2400,1.659,2412,1.105,2418,1.856,2421,1.46,2423,3.578,2434,1.61,2436,1.165,2442,2.172,2455,2.565,2461,1.442,2467,1.189,2539,2.23,2583,0.996,2623,1.659,2656,1.175,2657,1.554,2659,1.92,2673,3.022,2686,1.215,2688,1.779,2692,1.46,2694,1.314,2696,2.088,2701,3.672,2779,2.21,2854,1.879,2862,1.3,2866,2.299,2868,1.879,2869,2.722,2870,1.5
54,2872,2.088,2875,0.947,2876,1.779,2887,2.088,2940,2.299,2947,2.088,2962,1.165,2972,4.286,2977,2.088,2982,1.3,2983,1.554,3011,1.92,3014,2.088,3031,3.519,3033,3.911,3036,2.184,3069,3.551,3085,1.303,3107,2.302,3118,2.292,3120,2.21,3122,1.321,3131,4.427,3141,0.856,3220,1.779,3227,2.088,3243,1.3,3279,2.21,3288,0.996,3297,1.867,3313,1.23,3314,2.585,3401,0.774,3404,2.401,3405,2.299,3406,2.643,3459,1.779,3464,0.664,3465,0.664,3500,1.105,3540,1.784,3543,1.78,3544,1.695,3555,1.178,3571,1.518,3599,2.088,3606,1.564,3682,2.401,3683,2.575,3823,2.401,3854,1.23,3858,2.091,3859,0.9,3861,0.856,3862,0.947,3890,1.178,3960,1.37,3971,0.961,3972,0.996,4004,1.3,4006,1.779,4037,1.92,4171,1.78,4265,1.981,4281,1.105,4397,1.92,4420,3.265,4434,0.996,4442,2.21,4451,2.643,4519,2.088,4591,4.082,4609,2.088,4645,1.92,4658,1.992,4691,1.554,4728,2.163,4730,2.401,4799,1.384,4931,2.582,5090,2.299,5100,2.091,5160,3.328,5162,1.659,5166,1.92,5181,1.92,5203,3.737,5287,2.582,5366,2.088,5397,3.892,5773,2.582,5788,1.105,5887,2.582,6051,2.582,6241,3.328,6252,3.551,6270,2.088,6345,1.3,6597,2.565,6647,4.79,6726,3.328,6731,1.779,6801,1.46,6992,1.92,7009,2.088,7039,3.737,7128,3.737,7129,3.578,7246,2.582,7393,4.392,7510,1.92,7571,3.737,7655,2.341,7770,3.265,7798,2.088,7800,2.299,7816,2.582,7865,2.582,7880,2.375,7941,3.022,7981,1.686,8108,2.582,8116,3.737,8318,2.299,8335,2.582,8344,2.582,8472,3.026,8473,1.92,8475,1.92,8485,3.328,8486,2.643,8487,2.896,8488,2.896,8489,2.249,8490,1.554,8491,1.554,8495,2.582,8502,3.265,8503,3.737,8511,3.501,8512,4.18,8513,2.088,8521,2.643,8522,3.204,8523,2.643,8524,2.643,8525,2.643,8526,2.643,8527,2.643,8528,2.643,8529,2.643,8530,3.204,8531,2.643,8532,2.643,8533,2.643,8534,1.554,8535,1.554,8536,1.554,8537,2.249,8548,5.102,8554,2.643,8556,2.643,8596,2.249,8603,1.779,8638,3.265,8644,1.659,8699,4.13,8760,2.299,8761,2.299,8762,2.299,8763,2.582,8765,2.582,8766,4.813,8767,3.737,8770,3.737,8771,3.737,8774,2.582,8793,2.299,8812,4.286,8813,2.299,8953,4.813,8960,4.813,9009,2.299,9010,5.353,9015,
3.737,9024,2.582,9026,2.582,9039,2.582,9040,2.582,9041,2.582,9042,2.582,9043,2.582,9063,2.582,9067,2.582,9092,2.582,9205,3.328,9233,3.011,9234,4.358,9235,3.011,9236,3.011,9237,2.582,9238,3.011,9239,3.011,9240,3.011,9241,5.122,9242,3.737,9243,3.011,9244,3.011,9245,3.011,9246,3.011,9247,3.011,9248,3.011,9249,3.011,9250,3.011,9251,5.122,9252,4.358,9253,3.011,9254,3.011,9255,3.011,9256,3.011,9257,3.011,9258,3.011,9259,3.011,9260,3.011,9261,5.122,9262,3.011,9263,3.011,9264,3.011,9265,3.011,9266,3.011,9267,3.011,9268,4.286,9269,6.404,9270,3.011,9271,3.011,9272,3.011,9273,3.011,9274,3.011,9275,3.011,9276,5.956,9277,4.358,9278,3.011,9279,3.011,9280,3.011,9281,4.358,9282,3.011,9283,3.011,9284,3.011,9285,3.011,9286,5.122,9287,4.358,9288,3.011,9289,3.011,9290,5.122,9291,3.011,9292,5.122,9293,4.358,9294,3.011,9295,3.011,9296,3.011,9297,3.011,9298,4.358,9299,3.011,9300,4.358,9301,3.011,9302,3.011,9303,3.011,9304,3.011,9305,3.011,9306,3.011,9307,4.358,9308,4.358,9309,3.011,9310,3.011,9311,3.011,9312,3.011,9313,4.358,9314,3.011,9315,4.358,9316,3.011,9317,3.011,9318,3.011,9319,3.011,9320,3.011,9321,4.358,9322,4.358,9323,3.011,9324,3.011,9325,3.011,9326,3.011,9327,3.011,9328,3.011,9329,3.011,9330,3.011,9331,3.011,9332,4.358,9333,3.011,9334,3.011,9335,2.582,9336,3.011]],["title/oci/network.html",[2,4.693,3,4.342,4,6.362,5,3.077,115,2.312,131,2.549]],["breadcrumb/oci/network.html",[6,0.224,115,1.175,131,1.296]],["description/oci/network.html",[4,2.397,51,0.848,115,1.191,131,1.314,153,2.053,201,8.001,527,0.351,580,0.898,850,0.784,872,1.388,882,5.077,889,3.35,1499,9.109,2012,7.267,2015,10.349,3401,4.828,3555,5.077,4724,9.693,7981,7.267]],["body/oci/network.html",[0,0.119,2,1.011,3,0.843,4,0.558,7,0.379,9,0.297,10,1.237,11,0.172,14,0.62,16,0.68,19,0.429,26,0.243,27,0.5,28,0.457,29,0.086,31,0.499,32,0.184,33,0.256,35,0.209,37,0.331,40,0.126,41,0.174,43,0.063,44,0.133,47,0.074,48,0.058,50,0.818,51,0.349,52,0.694,53,0.188,54,0.493,55,0.818,56,0.331,58,0.773,60,0.335,61,0.703,62,0.74,65,0.48
5,66,0.355,67,0.265,68,0.802,69,0.286,76,0.499,77,0.413,79,0.243,80,0.404,81,0.615,83,0.174,84,0.54,85,0.317,86,0.105,87,0.57,88,0.044,89,0.053,90,0.448,91,0.668,92,0.698,93,0.778,94,0.308,96,0.703,97,0.511,98,0.379,99,0.429,100,0.331,101,1.016,102,0.079,103,0.126,104,0.287,110,0.459,111,0.652,112,0.967,113,0.699,114,0.379,115,0.485,116,0.235,117,0.377,118,0.412,119,0.483,120,1.002,121,0.387,122,0.668,123,0.439,124,0.738,125,0.818,126,0.074,127,0.547,128,0.992,129,0.475,130,0.475,131,0.544,132,0.778,133,0.098,134,0.478,135,0.455,137,0.512,138,0.703,139,0.668,140,0.308,141,1.415,142,1.784,143,0.429,144,1.521,145,0.657,146,0.286,148,0.172,149,0.379,150,0.478,151,0.54,152,0.738,153,0.718,154,0.376,156,0.183,159,0.429,160,0.183,161,0.308,162,0.264,164,2.437,170,1.534,172,0.634,173,0.246,176,0.527,180,0.512,181,0.74,182,0.376,183,0.573,184,0.354,187,0.403,190,2.98,191,0.728,192,0.311,193,0.512,194,0.409,196,1.789,197,1.787,198,0.34,200,1.468,201,2.364,202,1.93,203,1.842,206,0.54,207,0.607,209,0.31,212,0.29,216,0.403,217,1.468,218,0.523,219,0.379,220,0.967,221,0.471,223,0.979,225,1.069,227,0.106,230,1.489,232,1.021,233,0.658,234,0.57,235,1.889,239,0.652,241,0.56,244,0.575,245,0.728,247,1.076,249,0.416,250,1.307,251,0.867,252,0.412,254,0.485,256,0.54,258,1.023,261,1.021,262,0.497,263,0.321,264,0.34,270,0.653,273,0.377,274,0.108,275,0.976,276,0.412,277,0.511,278,0.511,279,0.145,280,0.321,281,0.413,282,0.523,284,0.778,287,0.483,290,1.002,292,0.264,293,0.379,294,0.936,298,1.004,299,0.286,300,0.6,301,1.111,303,0.223,304,0.376,305,0.68,308,0.615,312,0.403,313,1.173,314,1.615,316,0.445,317,0.867,318,0.634,322,0.703,324,1.171,326,1.372,328,0.802,329,0.387,330,0.387,335,0.602,337,1.468,339,0.287,340,0.483,341,0.395,342,0.942,343,0.965,344,0.201,346,0.123,348,1.668,349,1.468,350,0.855,351,0.135,352,1.133,353,0.224,354,1.885,365,0.512,373,1.244,384,0.949,385,0.74,394,0.429,395,0.429,397,0.429,400,0.698,404,0.634,410,0.184,411,0.523,412,0.523,413,0.573,414,0.154,415,0.096,416,0.125,4
17,0.154,418,0.297,419,0.214,420,0.214,424,0.483,425,0.728,426,0.75,427,1.118,430,0.523,434,0.861,435,1.307,439,1.055,441,0.975,442,0.685,446,0.314,450,0.905,451,0.663,454,2.214,459,0.75,468,1.004,473,0.448,475,1.599,480,0.818,483,1.562,485,0.837,487,0.31,488,0.685,490,0.819,494,1.668,496,0.512,497,1.307,498,0.292,501,0.429,506,0.778,507,1.329,511,0.349,512,0.068,513,0.485,516,0.869,520,0.54,521,0.308,523,0.485,524,0.867,527,0.142,528,0.967,531,0.573,539,0.573,542,1.376,543,0.698,544,0.916,550,0.31,551,0.293,552,0.861,557,1.885,558,1.682,564,0.35,566,0.413,572,0.343,580,0.36,582,1.448,583,1.111,587,1.448,628,0.292,629,0.583,630,0.455,631,0.668,634,0.448,640,0.583,647,0.867,649,0.286,653,0.855,654,2.41,656,0.277,657,0.452,659,0.483,661,0.379,662,1.809,670,0.511,672,0.57,673,0.57,682,0.881,685,0.634,686,0.439,687,0.763,688,0.634,694,1.002,697,1.468,699,1.255,702,0.331,703,0.778,708,1.129,709,1.111,716,1.448,717,0.573,725,0.797,744,1.178,747,0.965,755,2.656,761,1.384,769,0.698,771,0.869,775,0.897,779,0.483,782,1.776,783,0.57,784,1.389,790,0.668,794,0.905,805,2.728,807,0.6,808,1.787,812,3.902,816,0.869,845,0.154,849,0.861,850,0.321,855,2.729,863,1.064,864,1.7,867,2.312,868,1.889,872,0.562,873,0.235,877,1.023,881,2.41,882,1.88,885,1.109,887,2.217,888,1.46,889,1.285,890,2.33,895,0.511,897,0.692,900,1.111,906,0.308,908,2.065,909,1.321,912,0.668,917,0.222,919,0.512,922,1.787,928,0.308,954,0.354,980,1.562,985,1.389,990,0.916,992,0.145,1001,0.795,1004,1.171,1006,0.471,1009,0.905,1011,0.778,1018,0.264,1020,0.547,1036,0.54,1049,1.125,1051,1.562,1054,0.429,1056,1.016,1080,1.221,1092,1.343,1111,0.869,1123,0.462,1130,1.002,1145,1.171,1147,1.133,1158,1.468,1166,1.016,1167,0.222,1168,1.27,1170,1.241,1177,0.455,1186,0.701,1191,1.171,1200,0.905,1230,0.511,1238,0.62,1242,0.634,1251,1.448,1252,1.069,1253,1.244,1254,1.384,1257,1.384,1269,0.633,1271,0.54,1276,1.536,1288,0.573,1294,0.523,1333,0.897,1334,0.512,1344,1.562,1345,4.433,1346,1.988,1348,0.354,1350,0.738,1360,1.524,1361,0.379,1377
,0.703,1385,0.818,1394,3.563,1406,0.668,1408,1.069,1423,0.738,1424,1.237,1428,1.789,1429,2.597,1433,1.111,1435,2.904,1436,2.729,1437,0.668,1438,2.41,1441,1.384,1444,1.448,1445,0.668,1447,1.787,1463,1.307,1471,2.904,1473,2.051,1474,2.082,1478,1.521,1479,2.682,1480,3.587,1499,3.295,1503,0.125,1513,1.193,1518,1.244,1525,0.916,1539,0.602,1550,1.308,1556,1.055,1557,1.128,1560,1.789,1561,1.468,1564,0.429,1566,1.554,1577,0.57,1615,2.491,1616,1.241,1621,0.738,1622,1.237,1625,2.19,1632,2.407,1635,1.237,1638,0.483,1639,1.446,1665,1.244,1667,1.114,1669,1.534,1677,0.563,1681,1.448,1689,1.307,1694,0.429,1699,1.536,1710,1.111,1714,1.002,1772,2.651,1776,2.41,1782,1.307,1784,1.77,1786,0.78,1787,0.602,1792,0.57,1852,0.861,1853,1.384,1866,0.746,1871,1.562,1885,0.818,1892,1.055,1914,1.668,1915,0.952,1921,0.905,1956,0.54,1967,0.634,1974,0.642,2006,0.967,2008,0.354,2012,1.693,2017,1.554,2026,0.818,2028,0.455,2047,2.187,2049,1.468,2057,0.818,2059,2.312,2078,1.682,2093,1.468,2109,0.74,2122,2.177,2127,1.524,2133,1.237,2141,2.481,2163,2,2203,0.861,2223,1.376,2229,2.122,2233,2.217,2237,1.562,2265,1.111,2321,1.668,2328,1.002,2331,1.468,2346,1.668,2413,1.171,2429,1.787,2436,1.171,2442,2.177,2444,0.455,2476,0.634,2477,0.952,2478,1.562,2539,2.079,2551,3.124,2577,1.96,2582,1.668,2589,1.668,2620,2.312,2621,1.468,2623,1.668,2627,3.034,2656,1.375,2677,1.307,2686,0.511,2745,1.668,2779,2.217,2837,2.789,2854,2.678,2864,2.651,2867,1.307,2868,1.111,2878,1.93,2962,1.171,2967,1.668,2977,3.034,2979,2.41,3017,2.585,3031,2.585,3034,2.122,3036,1.77,3039,0.738,3085,0.905,3107,2,3118,2.298,3123,1.668,3124,2.41,3128,2.83,3130,1.562,3144,1.889,3145,1.562,3149,1.111,3210,3.275,3211,2.1,3215,1.562,3218,1.917,3221,0.861,3225,3.587,3226,2.1,3232,3.527,3234,2.597,3243,2.217,3256,1.668,3264,3.341,3271,2.1,3272,3.563,3278,1.562,3279,2.217,3288,1.7,3289,3.035,3291,2.908,3292,3.65,3293,2.585,3294,3.527,3295,2.1,3296,2.1,3297,1.904,3298,2.312,3299,3.563,3300,1.789,3301,3.563,3302,2.1,3303,1.93,3304,1.055,3306,1.468,3309,2.1
,3310,1.468,3311,2.258,3312,1.668,3313,1.237,3314,1.171,3320,1.789,3336,2.224,3344,2.312,3365,2.585,3366,1.789,3367,2.1,3375,2.1,3393,2.41,3399,2.768,3400,2.585,3401,1.961,3403,1.562,3404,1.668,3409,1.562,3441,2.1,3465,0.668,3476,2.1,3500,1.111,3540,1.789,3544,1.7,3555,0.818,3570,2.312,3571,1.524,3572,3.034,3587,1.789,3603,0.952,3613,1.468,3618,1.789,3766,2.585,3778,1.789,3854,1.787,3859,0.905,3861,0.861,3862,0.952,3903,1.668,3904,2.312,3916,3.902,3917,4.065,3971,0.965,3972,1.002,4004,1.076,4043,2.585,4104,2.122,4105,1.069,4171,1.237,4215,2.651,4265,1.988,4281,1.111,4434,1.002,4442,2.217,4587,1.668,4591,1.93,4645,3.275,4658,1.384,4701,2.651,4724,1.562,4786,1.562,4799,1.389,4826,2.1,4959,3.902,5100,1.237,5130,2.429,5173,3.034,5228,4.558,5266,1.93,5337,3.752,5357,3.587,5362,2.789,5363,1.93,5366,2.1,5383,2.597,5397,2.1,5401,2.312,5402,1.789,5425,2.312,5433,3.752,5474,3.341,5509,2.1,5513,1.384,5549,1.562,5574,2.098,5688,4.297,5923,2.312,6040,3.034,6133,1.384,6235,1.468,6345,2.217,6597,2.572,6801,1.468,7009,2.1,7014,2.312,7346,3.034,7655,2.348,7807,2.312,7833,2.597,7880,2.37,7981,2.969,7988,4.75,8177,2.597,8191,2.597,8204,2.597,8240,2.312,8267,2.597,8272,4.405,8327,4.139,8472,3.325,8473,1.93,8475,1.93,8476,3.752,8478,5.9,8486,2.258,8487,2.904,8488,2.904,8489,2.258,8490,1.562,8491,1.562,8497,2.597,8502,3.587,8505,2.597,8511,3.388,8514,4.898,8521,2.651,8522,3.21,8523,2.651,8524,2.651,8525,2.651,8526,2.651,8527,2.651,8528,2.651,8529,2.651,8530,3.21,8531,2.651,8532,2.651,8533,2.651,8534,1.562,8535,1.562,8536,1.562,8537,2.651,8538,1.93,8554,2.651,8556,2.651,8574,4.75,8596,1.562,8602,3.341,8603,1.789,8606,4.405,8616,3.341,8627,2.597,8638,1.93,8644,1.668,8646,2.597,8647,2.597,8648,2.597,8650,2.597,8651,2.597,8652,2.597,8654,4.405,8655,2.597,8662,2.597,8663,2.597,8664,2.597,8665,2.597,8666,2.597,8667,2.597,8669,3.341,8738,4.558,8746,2.597,8747,3.752,8901,3.752,9122,3.752,9123,2.597,9129,2.597,9174,2.597,9221,3.752,9222,2.597,9224,2.597,9237,6.319,9268,3.341,9337,4.826,9338,6.881
,9339,5.138,9340,3.028,9341,3.028,9342,3.028,9343,4.376,9344,2.597,9345,3.028,9346,4.376,9347,3.028,9348,3.028,9349,5.628,9350,6.221,9351,4.376,9352,4.376,9353,4.376,9354,4.376,9355,4.376,9356,3.028,9357,3.028,9358,5.138,9359,4.376,9360,3.028,9361,5.969,9362,3.028,9363,3.028,9364,3.028,9365,3.028,9366,3.028,9367,3.028,9368,4.376,9369,5.138,9370,3.028,9371,5.138,9372,5.138,9373,4.376,9374,4.376,9375,3.028,9376,3.028,9377,3.028,9378,4.376,9379,3.028,9380,3.028,9381,5.628,9382,3.028,9383,3.028,9384,3.028,9385,4.376,9386,4.376,9387,3.028,9388,3.028,9389,3.028,9390,3.028,9391,3.028,9392,3.028,9393,3.028,9394,3.028,9395,3.028,9396,3.028,9397,3.028,9398,3.028,9399,3.028,9400,3.028,9401,4.376,9402,3.028,9403,3.028,9404,3.028,9405,3.028,9406,3.028,9407,3.028,9408,3.028,9409,4.376,9410,3.028,9411,3.028,9412,4.376,9413,4.376,9414,3.028,9415,3.028,9416,3.028,9417,3.028,9418,3.028,9419,3.028,9420,2.597,9421,3.028,9422,3.028,9423,4.376,9424,4.376,9425,3.028,9426,3.028,9427,4.376,9428,3.028,9429,5.138,9430,3.028,9431,4.376,9432,3.028,9433,3.028,9434,6.414,9435,3.028,9436,3.028,9437,3.028,9438,3.028,9439,3.028,9440,3.028,9441,3.028,9442,3.028,9443,3.028,9444,3.028]],["title/oci/workloads.html",[2,4.693,3,4.342,4,6.362,5,3.077,131,2.549,1123,2.227]],["breadcrumb/oci/workloads.html",[6,0.224,131,1.296,1123,1.132]],["description/oci/workloads.html",[2,2,51,1.006,53,0.383,131,1.086,173,0.742,194,0.839,271,0.839,512,0.205,918,3.158,1001,2.07,1054,2.201,1123,1.362,1200,4.644,1279,2.925,1503,0.442,1564,2.201,2017,3.607,2018,7.533,2104,3.426,2110,2.07,2332,2.925,2577,5.411,3119,8.015,3122,3.975,3336,4.885,3464,3.426,3606,3.795]],["body/oci/workloads.html",[0,0.12,2,1.011,3,0.829,4,0.854,7,0.379,9,0.298,10,1.239,11,0.137,13,0.355,14,0.486,16,0.562,19,0.621,23,0.907,25,1.792,26,0.244,27,0.53,28,0.199,31,0.492,32,0.173,33,0.258,34,0.074,35,0.298,37,0.479,40,0.127,41,0.145,43,0.151,44,0.141,45,0.223,47,0.106,48,0.079,51,0.341,52,0.564,53,0.188,54,0.479,55,0.82,56,0.479,60,0.314,61,0.705,62,0.5
73,65,0.532,66,0.367,67,0.263,68,0.548,69,0.287,70,1.185,76,0.452,77,0.439,79,0.352,80,0.427,81,0.616,82,0.643,83,0.177,84,0.917,85,0.316,86,0.105,87,0.572,88,0.044,89,0.05,90,0.521,91,0.669,92,0.484,93,0.78,94,0.523,96,1.194,97,0.512,98,0.643,99,0.621,100,0.562,101,0.705,102,0.078,103,0.127,104,0.271,106,0.484,110,0.435,113,0.769,114,0.379,115,0.357,116,0.184,117,0.414,118,0.413,119,0.484,121,0.387,123,0.429,124,0.739,125,0.82,126,0.079,127,0.379,128,0.699,129,0.512,130,0.512,131,0.543,132,1.448,133,0.103,134,0.479,135,0.457,137,0.729,138,0.705,139,0.669,140,0.446,141,1.242,142,1.538,143,0.43,144,0.82,145,0.62,146,0.606,148,0.179,149,0.778,150,0.332,151,0.917,152,0.739,153,0.332,154,0.293,156,0.361,160,0.235,161,0.284,162,0.27,164,1.79,165,0.265,169,0.907,170,1.448,173,0.32,176,0.452,181,1.071,182,0.439,183,0.733,184,0.602,185,1.79,186,1.935,187,0.751,189,0.479,190,1.79,191,0.847,192,0.312,193,0.602,194,0.411,195,1.31,198,0.387,200,0.871,201,0.954,203,0.78,209,0.183,211,0.635,212,0.284,213,0.741,214,0.48,216,0.404,218,0.52,219,0.548,220,1.125,221,0.492,222,0.472,223,1.029,225,1.521,228,2.105,230,1.49,232,1.022,233,0.774,234,0.969,238,1.239,239,0.702,241,0.573,244,0.569,245,0.769,249,0.416,250,1.554,251,0.868,252,0.452,254,0.287,256,1.11,258,1.023,261,1.187,262,0.429,263,0.506,264,0.361,270,0.725,271,0.389,273,0.414,274,0.202,275,0.83,276,0.48,277,0.516,278,0.532,279,0.246,280,0.378,281,0.439,282,0.523,285,1.696,286,1.566,287,0.699,289,1.31,291,1.239,292,0.265,293,0.379,294,0.774,298,0.541,299,0.62,300,0.56,303,0.249,304,0.344,305,0.689,308,0.332,311,0.264,313,0.739,314,1.378,315,0.863,316,0.523,317,1.008,318,0.635,323,0.265,324,1.696,327,0.798,328,0.548,329,0.34,330,0.34,332,0.512,333,0.918,335,0.603,339,0.301,340,0.457,341,0.396,342,0.935,343,0.936,344,0.23,346,0.125,350,0.83,351,0.135,352,1.135,353,0.217,354,1.888,363,0.564,365,0.602,368,0.78,369,1.004,384,0.739,385,0.741,388,0.705,394,0.43,395,0.43,397,0.43,400,0.484,404,0.635,410,0.184,411,0.523,412,0.523,413,0
.573,414,0.154,415,0.105,416,0.125,417,0.154,418,0.298,419,0.215,420,0.215,424,0.82,425,0.796,427,0.603,430,0.523,432,0.82,433,0.986,434,1.246,440,1.378,441,0.882,443,0.863,444,0.718,446,0.307,451,0.668,453,0.954,454,2.06,463,1.566,468,0.541,473,0.492,475,1.65,480,0.82,483,1.566,485,0.379,487,0.31,488,0.685,496,0.602,497,1.31,498,0.429,501,0.931,506,0.78,510,1.239,511,0.349,512,0.098,513,0.532,514,0.572,516,0.603,517,1.174,520,0.541,521,0.309,523,0.532,524,0.868,527,0.131,528,0.825,529,0.741,532,0.705,538,0.954,539,0.523,542,0.954,543,0.484,544,0.918,546,1.684,550,0.376,551,0.215,558,1.31,563,0.863,564,0.369,566,0.287,568,1.45,572,0.416,580,0.341,582,1.499,583,1.114,591,1.935,592,1.472,627,1.387,628,0.429,631,0.669,634,0.449,637,0.457,639,1.935,640,0.404,647,0.512,648,2.589,649,0.564,653,0.855,655,0.917,656,0.362,657,0.528,659,0.699,661,0.548,670,0.512,672,0.572,673,0.825,681,1.892,682,0.949,686,0.223,687,0.748,690,1.018,691,1.45,693,0.352,694,2.278,698,2.44,708,0.512,717,0.449,725,0.847,736,0.954,738,1.194,747,0.669,755,2.679,756,0.5,760,0.78,761,2.003,765,0.699,767,1.174,769,0.484,775,0.993,776,1.126,779,1.048,782,0.741,783,0.825,784,0.82,799,0.907,802,0.78,807,0.265,808,1.769,816,0.603,826,1.566,845,0.346,849,1.246,850,0.183,855,2.125,856,0.541,863,0.965,868,1.31,872,0.442,873,0.268,877,0.484,887,1.31,888,1.462,890,2.018,899,0.484,900,1.114,902,0.907,905,0.43,906,0.309,918,1.082,920,0.741,928,0.309,934,1.672,935,3.758,954,0.355,985,1.39,987,1.071,989,0.379,992,0.137,1001,0.855,1004,1.172,1006,0.414,1017,1.31,1018,0.361,1020,0.548,1036,0.917,1050,1.174,1054,1.05,1055,2.59,1056,1.308,1080,1.05,1092,1.344,1103,0.669,1107,0.78,1111,1.022,1122,1.521,1123,0.457,1146,1.071,1147,1.571,1156,0.907,1157,2.105,1167,0.472,1168,1.066,1169,2.907,1170,1.242,1174,1.31,1175,1.174,1182,1.31,1186,0.718,1191,1.174,1197,2.317,1200,2.001,1213,0.521,1227,1.472,1228,0.863,1235,0.705,1251,1.004,1253,1.601,1254,2.575,1255,0.705,1264,2.125,1265,1.935,1269,0.681,1271,0.541,1274,1.004,1275,0.
705,1276,0.907,1278,0.907,1279,1.209,1282,2.317,1288,0.309,1294,0.573,1333,0.82,1334,0.602,1336,1.174,1348,0.602,1350,0.512,1358,1.672,1361,0.822,1375,0.705,1377,1.018,1385,0.82,1408,1.521,1423,0.739,1430,1.566,1432,3.039,1433,1.888,1437,0.967,1463,1.31,1472,1.472,1473,1.615,1474,0.863,1478,0.82,1479,2.621,1484,1.472,1503,0.177,1510,3.104,1518,1.462,1523,0.608,1525,1.356,1530,0.907,1539,1.022,1543,0.954,1544,1.31,1550,0.907,1555,0.907,1556,1.057,1557,1.109,1564,1.041,1566,1.748,1573,1.99,1577,0.825,1606,0.572,1615,2.495,1616,1.242,1618,1.31,1619,1.135,1621,0.512,1632,2.409,1633,2.811,1634,1.322,1635,1.239,1639,1.448,1645,1.672,1666,1.174,1667,1.046,1669,0.78,1677,0.553,1683,0.705,1685,1.45,1690,0.907,1694,0.43,1699,1.538,1702,2.317,1709,0.954,1710,1.114,1713,1.057,1717,1.31,1770,2.003,1776,3.62,1781,2.261,1784,0.954,1785,2.003,1786,1.241,1787,1.187,1790,1.45,1792,0.572,1794,0.541,1801,2.261,1852,0.863,1856,1.246,1866,0.704,1871,1.566,1886,0.863,1889,1.672,1892,2.236,1893,1.793,1897,2.125,1898,2.414,1921,1.919,1922,1.387,1945,1.672,1946,1.672,1949,0.404,1950,0.954,1951,0.705,1953,1.239,1956,0.541,1958,2.834,1964,1.566,1966,1.114,1974,0.704,2000,3.187,2006,0.825,2008,0.513,2009,1.004,2013,1.608,2017,1.526,2018,3.374,2019,1.387,2020,1.004,2028,0.457,2047,2.188,2061,1.174,2065,1.31,2078,1.786,2083,0.863,2104,1.373,2108,1.004,2109,0.741,2110,0.83,2111,1.057,2115,1.209,2126,2.457,2141,2.368,2163,1.919,2201,1.472,2203,1.246,2209,1.239,2211,2.602,2213,1.057,2215,1.114,2230,3.279,2255,1.696,2265,1.114,2325,2.105,2328,1.004,2332,1.38,2412,1.608,2413,1.174,2429,1.79,2442,2.179,2451,1.378,2467,1.554,2470,1.935,2473,2.834,2476,1.077,2477,1.771,2480,2.105,2539,1.962,2551,2.77,2575,1.057,2576,1.004,2577,2.423,2578,1.672,2580,1.31,2588,1.935,2590,0.82,2633,0.954,2656,1.077,2659,1.935,2678,1.31,2686,1.083,2694,0.669,2737,4.317,2752,3.312,2771,2.602,2773,2.317,2779,2.22,2810,3.969,2824,2.105,2854,2.192,2870,2.261,2881,3.279,2886,1.793,2888,3.567,2902,1.702,2962,1.174,2966,2.317,2976,
1.31,3034,1.472,3039,0.512,3085,0.907,3107,1.786,3118,2.3,3119,2.261,3122,1.371,3129,1.935,3135,2.907,3140,1.672,3144,2.22,3149,1.114,3218,0.907,3221,1.246,3238,3.567,3243,2.22,3275,1.31,3279,2.22,3291,2.992,3292,3.552,3293,1.793,3294,1.793,3297,1.842,3298,2.317,3304,1.057,3306,2.125,3311,2.261,3312,1.672,3314,2.824,3336,2.371,3401,1.535,3406,1.566,3458,3.758,3464,1.416,3500,1.114,3502,1.387,3503,1.31,3536,2.125,3537,1.521,3538,1.004,3540,1.962,3541,2.317,3542,2.105,3543,1.79,3544,1.864,3545,2.105,3555,1.615,3557,3.279,3558,2.105,3559,2.317,3560,2.317,3561,2.317,3562,2.317,3563,2.317,3564,1.793,3568,3.347,3571,1.792,3572,4.317,3576,2.602,3577,2.317,3579,1.566,3587,2.589,3600,2.105,3601,2.105,3603,1.618,3606,1.761,3628,1.239,3645,2.602,3660,2.105,3661,2.105,3662,2.105,3676,2.105,3680,2.907,3682,3.104,3683,3.039,3704,1.672,3747,1.935,3748,2.105,3749,2.105,3776,1.793,3824,3.039,3826,1.472,3845,1.004,3856,1.793,3859,0.907,3861,0.863,3862,0.954,3870,1.387,3971,0.967,3972,1.004,4004,1.077,4018,2.589,4033,2.575,4042,2.317,4105,1.521,4210,3.758,4243,2.317,4265,1.99,4285,3.53,4328,1.793,4397,1.935,4419,1.31,4429,1.935,4434,1.004,4436,1.239,4442,2.22,4493,3.567,4524,1.239,4609,3.039,4645,2.794,4658,1.387,4701,1.566,4737,1.566,4762,2.105,4782,2.589,4789,2.317,4794,2.125,4799,1.39,4868,1.239,4877,2.602,4942,3.212,5029,3.907,5064,2.432,5100,1.239,5402,1.793,5498,2.602,5513,2.003,5538,2.414,5549,1.566,5550,3.907,5552,1.672,5574,2.621,5684,2.602,5685,2.602,5686,2.317,5797,1.472,5894,2.317,5933,2.589,6040,3.039,6235,1.472,6345,1.892,6597,2.575,6647,4.189,6801,1.472,6827,2.602,7283,1.935,7299,2.317,7346,2.105,7475,3.039,7532,2.602,7564,2.602,7566,2.602,7570,2.602,7601,3.758,7655,2.351,7861,1.935,7880,2.311,7911,2.602,7981,1.174,8211,2.602,8212,2.602,8225,2.602,8283,4.831,8315,2.105,8400,3.758,8472,3.039,8473,1.935,8475,1.935,8486,2.261,8487,2.907,8488,2.907,8489,2.261,8490,1.566,8491,1.566,8502,3.279,8508,2.317,8511,3.507,8514,4.901,8521,2.654,8522,3.212,8523,2.654,8524,2.654,8525,2
.654,8526,2.654,8527,2.654,8528,2.654,8529,2.654,8530,3.212,8531,2.654,8532,2.654,8533,2.654,8534,1.566,8535,1.566,8536,1.566,8537,2.654,8538,1.935,8554,2.654,8556,2.907,8574,4.562,8583,2.317,8585,2.317,8587,2.317,8588,2.317,8596,2.261,8603,3.039,8614,2.602,8616,3.347,8628,2.317,8632,2.602,8633,2.602,8634,4.411,8635,2.602,8636,2.602,8637,2.602,8638,1.935,8639,2.602,8669,2.317,8793,2.317,8999,3.758,9010,5.256,9205,4.901,9207,2.602,9208,2.602,9209,2.602,9211,2.602,9212,2.602,9227,4.411,9242,2.602,9268,2.317,9335,2.602,9337,2.602,9344,2.602,9420,3.758,9445,3.035,9446,3.035,9447,3.035,9448,5.634,9449,5.144,9450,3.035,9451,3.035,9452,3.035,9453,4.383,9454,5.144,9455,4.383,9456,4.383,9457,3.035,9458,3.035,9459,3.035,9460,3.035,9461,3.035,9462,3.035,9463,3.035,9464,4.383,9465,3.035,9466,3.035,9467,4.383,9468,3.035,9469,3.035,9470,3.035,9471,3.035,9472,3.035,9473,4.383,9474,3.035,9475,4.383,9476,3.035,9477,4.383,9478,3.035,9479,3.035,9480,3.035,9481,3.035,9482,3.035,9483,3.035,9484,3.035,9485,3.035,9486,3.035,9487,3.035,9488,3.035,9489,3.035,9490,3.035,9491,3.035,9492,3.035,9493,3.035,9494,3.035,9495,3.035,9496,3.035,9497,3.035,9498,3.035,9499,4.383,9500,3.035,9501,4.383,9502,4.383,9503,4.383,9504,3.035,9505,3.035,9506,3.035,9507,3.035,9508,3.035,9509,3.035,9510,3.035,9511,3.035,9512,3.035,9513,5.975,9514,3.035,9515,4.383,9516,3.035,9517,3.035,9518,3.035,9519,3.035,9520,4.383,9521,3.035,9522,3.035,9523,3.035,9524,3.035,9525,3.035,9526,3.035,9527,3.035,9528,3.035,9529,3.035,9530,3.035,9531,3.035,9532,3.035,9533,3.035,9534,3.035,9535,3.035,9536,3.035,9537,3.035,9538,4.383,9539,3.035,9540,3.035,9541,3.035,9542,3.035,9543,3.035,9544,3.035,9545,3.035,9546,3.035,9547,3.035,9548,3.035,9549,3.035,9550,3.035,9551,3.035,9552,3.035,9553,3.035,9554,3.035,9555,3.035,9556,4.383,9557,3.035,9558,5.144,9559,4.383,9560,3.035,9561,3.035,9562,4.383,9563,3.035,9564,4.383,9565,3.035,9566,3.035,9567,5.144,9568,4.383,9569,3.035,9570,3.035,9571,5.144,9572,3.035,9573,5.144,9574,4.383,9575,3.035,9576
,4.383,9577,3.035,9578,3.035,9579,3.035,9580,3.035,9581,3.035,9582,4.383,9583,3.035,9584,3.035,9585,3.035,9586,3.035,9587,3.035,9588,3.035,9589,5.144,9590,3.035,9591,3.035,9592,3.035,9593,3.035,9594,3.035,9595,3.035,9596,3.035,9597,3.035,9598,3.035,9599,3.035,9600,3.035,9601,3.035,9602,3.035,9603,3.035,9604,3.035,9605,3.035,9606,3.035,9607,3.035,9608,4.383,9609,3.035,9610,3.035,9611,3.035,9612,3.035,9613,4.383,9614,3.035,9615,3.035,9616,3.035,9617,3.035,9618,3.035,9619,3.035,9620,3.035]],["title/search.html",[2,5.297,3,4.901,4,5.25,5,3.473,314,12.936]],["breadcrumb/search.html",[6,0.257,314,6.695]],["description/search.html",[2,2.918,3,2.7,4,2.892,5,1.914,51,1.023,67,0.807,88,0.169,133,0.374,314,7.127,442,3.02,583,8.317]],["body/search.html",[0,0.098,2,0.938,3,0.846,4,0.757,5,0.501,10,2.765,11,0.144,19,0.841,21,3.284,48,0.079,51,0.268,67,0.241,133,0.098,165,0.518,189,0.649,192,0.248,214,0.476,265,0.649,311,0.358,314,2.326,318,1.243,344,0.212,351,0.127,363,0.639,442,0.791,446,0.324,451,0.688,459,0.791,686,0.436,690,1.378,756,0.544,1146,1.736,1238,0.841,1269,0.604,1333,0.946,1525,1.058,2008,0.695,2017,1.378,2444,0.893,2451,1.866,3118,2.423,3539,2.423,4451,3.062,5770,5.089,7914,5.089,8035,4.532,8205,5.807,8367,5.089,8463,5.089,9101,5.807,9102,5.089,9621,5.935,9622,5.935,9623,5.935,9624,5.935,9625,5.935,9626,5.935,9627,5.935,9628,5.935,9629,7.106,9630,5.935,9631,5.935,9632,5.935,9633,5.935,9634,5.935,9635,5.935,9636,5.935,9637,5.935,9638,5.935,9639,5.935,9640,5.935]]],"invertedIndex":[["",{"_index":2,"title":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html"
:{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"breadcrumb":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"description":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/index.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-fra
meworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["0",{"_index":1864,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"oci/iam.html":{}}}],["0.0.0.0/0",{"_index":2551,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["0.0.0.0/0\"</code",{"_index":7282,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["0.5",{"_index":7232,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["0000",{"_index":4501,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["00000000",{"_index":4500,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["000000000001",{"_index":4502,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["000000000002",{"_index":4503,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["0001",{"_index":5588,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["001",{"_index":4134,"title":{},"breadcrumb":{},"descripti
on":{},"body":{"azure/data.html":{},"azure/ir.html":{}}}],["01",{"_index":182,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["01\",\"breakglass",{"_index":8966,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["01'",{"_index":9619,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["01..10",{"_index":2456,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["01/workflowdefinition.json",{"_index":4849,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["012177145e10",{"_index":4461,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["012177145e10/members/\\$ref",{"_index":4750,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["0123456789abcdef0",{"_index":3511,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0142",{"_index":9070,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["01</code",{"_index":4309,"title":{},"breadcru
mb":{},"description":{},"body":{"azure/genai.html":{}}}],["01@contoso.onmicrosoft.com",{"_index":4746,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["01@example.com",{"_index":6600,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["01–02",{"_index":2870,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["01–03",{"_index":6349,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"oci/iam.html":{}}}],["01–04",{"_index":217,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/network.html":{}}}],["02",{"_index":245,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["02.</code",{"_index":9555,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["02:00",{"_index":6051,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"oci/logging.html":
{}}}],["02@example.com",{"_index":6604,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["02–04",{"_index":3891,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["03",{"_index":682,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["03:00",{"_index":2055,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["03–04",{"_index":3558,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["03–05",{"_index":5172,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/logging.html":{}}}],["03–08",{"_index":3563,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["04",{"_index":191,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{}
,"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["04'",{"_index":8957,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["04:00",{"_index":9282,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["04–06",{"_index":2070,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["04–07",{"_index":6353,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["05",{"_index":278,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["0558",{"_index":2121,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["05–06",{"_index":224,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},
"gcp/workloads.html":{},"oci/iam.html":{}}}],["05–08",{"_index":1536,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{}}}],["06",{"_index":256,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["06'",{"_index":8956,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["06–07",{"_index":3235,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["07",{"_index":232,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["07'",{"_index":8224,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["07–08",{"_index":7407,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/iam.html":{}}}],["08",{"_index":251,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.ht
ml":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["09",{"_index":383,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"general/genai.html":{},"oci/kubernetes.html":{}}}],["09:00",{"_index":2445,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["09–10",{"_index":1542,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["0\\.0\\.0\\.0\\/0",{"_index":3385,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0aaa",{"_index":3513,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0abc123",{"_index":2792,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["0abc123def4567890",{"_index":3326,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{}}}],["0abc123def4567890</cod",{"_index":3254,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0bbb",{"_index":3514,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0endpoint",{"_index":3515,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["0s",{"_index":6635,"title":{},"breadcrumb":{},"des
cription":{},"body":{"gcp/ir.html":{}}}],["1",{"_index":717,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["1.0",{"_index":3644,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/network.html":{}}}],["1.0.0.0",{"_index":4851,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["1.1",{"_index":7654,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["1.1.1",{"_index":7689,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["1.1.2",{"_index":4648,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["1.1.5",{"_index":4704,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["1.10",{"_index":1788,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/compliance-frameworks.html":{},"gener
al/iam.html":{},"general/methodology.html":{}}}],["1.101.1.21.21.7",{"_index":1846,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["1.11",{"_index":8077,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["1.14",{"_index":8932,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["1.141.1.61.41.14",{"_index":1909,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["1.2",{"_index":2645,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"oci/kubernetes.html":{}}}],["1.2.22",{"_index":2729,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["1.211.1.4best",{"_index":1748,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"oci/iam.html":{}}}],["1.24",{"_index":8084,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["1.25",{"_index":8082,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["1.28",{"_index":5030,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["1.3",{"_index":7778,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["1.30",{"_index":2483,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["1.30</code",{"_index":2500,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["1.31",{"_index":2507,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["1.4",{"_index":6396,"title":{},"breadcrumb":{},"description
":{},"body":{"gcp/iam.html":{}}}],["1.4.1",{"_index":3699,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["1.41.1.31.11.1",{"_index":1662,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/iam.html":{}}}],["1.41.1.31.41.14",{"_index":6421,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["1.41.1.3best",{"_index":4574,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["1.5",{"_index":6541,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/compliance-frameworks.html":{}}}],["1.5.x",{"_index":8526,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["1.51.1.11.11.1",{"_index":1594,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"oci/iam.html":{}}}],["1.51.1.1best",{"_index":6378,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["1.6",{"_index":6568,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["1.7",{"_index":7690,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["1.km",{"_index":3512,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["1.s3",{"_index":3509,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["10",{"_index":368,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},
"general/genai.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["10.0.0.0/16",{"_index":5383,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/network.html":{}}}],["10.0.0.0/8",{"_index":6827,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/workloads.html":{}}}],["10.0.0.0/8\",\"192.0.2.0/24",{"_index":9512,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["10.0.16.0/20",{"_index":7333,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["10.0.255.0/26",{"_index":5644,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["10.0.32.0/20",{"_index":7374,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["10.0.99.0/24",{"_index":9403,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["10.40.0.0/16",{"_index":3264,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"oci/network.html":{}}}],["10.40.0.0/22",{"_index":7226,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["10.40.10.0/24",{"_index":9351,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["10.40.20.0/24",{"_index":9353,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["10.40.255.10",{"_index":7352,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["10.40.255.2",{"_index":7365,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["10.x",{"_index":5474,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["100",{"_index":813,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.ht
ml":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["1000",{"_index":5340,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["10000",{"_index":4178,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["100</code",{"_index":469,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{}}}],["100m",{"_index":3581,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["101",{"_index":7610,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["1024",{"_index":4139,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["1025",{"_index":7855,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["10250",{"_index":8043,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["10800",{"_index":9513,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["10:2025",{"_index":1104,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/index.html":{},"oci/genai.html":{}}}],["10–60",{"_index":7573,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["11",{"_index":2085,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/kubernetes.html":{}}}],["110",{"_index":5434,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["111",{"_index":7762,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["111122223333",{"_inde
x":345,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/workloads.html":{}}}],["114",{"_index":7668,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["11a.8.15",{"_index":9275,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["11a.8.8",{"_index":3748,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["12",{"_index":2730,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/genai.html":{}}}],["12,000",{"_index":5235,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["12.0",{"_index":4189,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["120",{"_index":6705,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["12a.8.15cld.12.4.5",{"_index":3014,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["13",{"_index":619,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"oci/data.html":{}}}],["13a.8.24n/a",{"_index":734,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["14",{"_index":1019,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/genai.html":{},"
azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["140",{"_index":4019,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/data.html":{}}}],["1433",{"_index":3375,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["145",{"_index":8291,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["15",{"_index":1152,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["150",{"_index":6297,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/data.html":{}}}],["1500",{"_index":3541,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["1521",{"_index":3298,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["154",{"_index":8389,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["15–45",{"_index":2242,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["16",{"_index":3238,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["16.3",{"_index":810,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["160.103",{"_index":7744,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.htm
l":{}}}],["164.316(b)(2",{"_index":8122,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["165",{"_index":8343,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["169.254.169.254",{"_index":2760,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/threat-model.html":{}}}],["169.254.169.254/32",{"_index":2814,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["169.254.169.254/opc/v2",{"_index":9450,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["17",{"_index":369,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["17(3",{"_index":3660,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["171",{"_index":7749,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["172.16.0.0/28",{"_index":6811,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["172.31.0.0/16",{"_index":3239,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["175b",{"_index":7763,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["1798.140",{"_index":7741,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["18.04",{"_index":3615,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["180",{"_index":1926,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html
":{},"oci/logging.html":{}}}],["190",{"_index":2541,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["192.0.2.0/24",{"_index":9539,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["192.0.2.0/24</code",{"_index":3440,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["195",{"_index":8149,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["1974",{"_index":8033,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"general/kubernetes.html":{}}}],["198.51.100.0/24",{"_index":3416,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["199",{"_index":7752,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["199.36.153.10",{"_index":7329,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["199.36.153.11",{"_index":7330,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["199.36.153.4/30",{"_index":7191,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["199.36.153.8",{"_index":7327,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["199.36.153.8/30",{"_index":7190,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["199.36.153.9",{"_index":7328,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["19fc36ad61bd",{"_index":4376,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["1:1",{"_index":5475,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{}}}],["1:111111111111:function:gd",{"_index":2258,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}]
,["1:111111111111:rule/guardduti",{"_index":2262,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["1:111122223333:function:publ",{"_index":2995,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["1:111122223333:key/<cmk",{"_index":2893,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["1:111122223333:key/<id",{"_index":3707,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["1:111122223333:key/abcd1234",{"_index":578,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["1:111122223333:secret:db/ord",{"_index":3838,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["1::foundat",{"_index":1026,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["1</code",{"_index":718,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{}}}],["1==\"<root_account",{"_index":1649,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["1h",{"_index":4586,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["1password",{"_index":8830,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["1y",{"_index":9079,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["1–10",{"_index":2227,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["1–8",{"_index":4592,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["2",{"_index":249,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workload
s.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["2'",{"_index":8952,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["2(1",{"_index":1595,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["2(1)a.5.17",{"_index":1847,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"oci/iam.html":{}}}],["2(2",{"_index":7691,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["2(2)a.5.17",{"_index":6460,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["2(7)a.5.15n/a",{"_index":4630,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["2(8",{"_index":2197,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["2.0",{"_index":2044,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/network.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["2
.1",{"_index":5509,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"oci/network.html":{}}}],["2.1.1",{"_index":549,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/compliance-frameworks.html":{}}}],["2.1.13.x",{"_index":618,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.1.21",{"_index":7703,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["2.1.4",{"_index":283,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.1.43.x",{"_index":421,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.16",{"_index":7704,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["2.2",{"_index":3365,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"oci/network.html":{}}}],["2.2.1",{"_index":695,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.2.17.x",{"_index":732,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.23.1",{"_index":2945,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["2.24.x",{"_index":9274,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["2.3",{"_index":7033,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["2.3.1",{"_index":789,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.3.14.x",{"_index":840,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["2.3n/a",{"_index":7085,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["2.50",{"_index":4477,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],[
"2.x",{"_index":3910,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/network.html":{}}}],["20",{"_index":2724,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{}}}],["200",{"_index":3431,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"general/logging.html":{}}}],["2006",{"_index":7987,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["200</code",{"_index":1609,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["2010",{"_index":382,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["2012",{"_index":367,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/ir.html":{}}}],["2013",{"_index":7631,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["2013→2022",{"_index":8190,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["2014'",{"_index":3550,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["2015",{"_index":7678,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["2016",{"_index":3616,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["2017",{"_index":2543,"title":{},"b
readcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["2018",{"_index":3317,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/network.html":{}}}],["2019",{"_index":3579,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["2020",{"_index":4740,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/logging.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["2021",{"_index":8446,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["2022",{"_index":1692,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["2022)januari",{"_index":7715,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["2022/2023",{"_index":2114,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["2022–2023",{"_index":4702,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["2023",{"_index":537,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["2024",{"_index":1107,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/network.html":{},"aw
s/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["2024/1689",{"_index":1109,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["20241022",{"_index":1029,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["2025",{"_index":1119,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["2026",{"_index":277,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.ht
ml":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["2027",{"_index":8203,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["2028",{"_index":5529,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["203.0.113.0/24",{"_index":4951,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["2048",{"_index":5041,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["204d",{"_index":8439,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["207",{"_index":8172,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/network.html":{}}}],["218",{"_index":8349,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"general/workloads.html":{}}}],["21vianet",{"_index":3852,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["22",{"_index":3292,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["22/3389",{"_index":3344,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/workloads.html":{},"oci/network.html":{}}}],["22/3389/5985/5986",{"_index":5448,"title":{},"breadcrumb":{},"description":{},"body":{"azure/n
etwork.html":{}}}],["2204",{"_index":7420,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["222233334444",{"_index":3154,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{}}}],["22_04",{"_index":5590,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["23",{"_index":4877,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/workloads.html":{}}}],["2379",{"_index":8041,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["24",{"_index":1830,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{}}}],["24/7",{"_index":3228,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["24h",{"_index":1613,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"oci/ir.html":{}}}],["25",{"_index":4438,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/workloads.html":{}}}],["2555",{"_index":2378,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["2557",{"_index":2420,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["256",{"_index":6730,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/data.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["26",{"_index":4920,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{},"general/genai.html":{}}}],["26a93ef643f9",{"_index":5309,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["27",{"_index":7649,"title":{},"b
readcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["27001",{"_index":5163,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["27001/27017",{"_index":1546,"title":{},"breadcrumb":{},"description":{"index.html":{}},"body":{"aws/iam.html":{},"gcp/iam.html":{},"index.html":{},"oci/iam.html":{}}}],["27001:2013",{"_index":7643,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["27001:2022",{"_index":419,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["27001:2022octob",{"_index":7717,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["27002",{"_index":5786,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.h
tml":{},"general/compliance-frameworks.html":{}}}],["27017",{"_index":3300,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"oci/network.html":{}}}],["27017:2015",{"_index":420,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["27017:2015decemb",{"_index":7719,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["28",{"_index":733,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["28a.8.24",{"_index":620,"title":{},"breadcr
umb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["2>/dev/nul",{"_index":588,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/iam.html":{}}}],["2a.5.15",{"_index":4509,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["2a.5.16",{"_index":1750,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["2a.5.16n/a",{"_index":8843,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["2a.5.29",{"_index":4575,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["2a.8.20",{"_index":3271,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["2a.8.5",{"_index":3661,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["2fa",{"_index":7466,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["2fa=true,block",{"_index":7481,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["2nd",{"_index":7390,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["2sv",{"_index":6435,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["2sv_disabl",{"_index":6470,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["2y",{"_index":7039,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"oci/logging.html":{}}}],["2–4",{"_index":4469,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["3",{"_index":425,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/loggi
ng.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["3!=\"true",{"_index":7426,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["3.0",{"_index":3926,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["3.1",{"_index":2940,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/compliance-frameworks.html":{},"oci/logging.html":{}}}],["3.14",{"_index":7702,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["3.2",{"_index":2941,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/compliance-frameworks.html":{}}}],["3.25.1.x2.1",{"_index":9273,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["3.4",{"_index":2942,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["3.55.1",{"_index":2943,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["3.6",{"_index":3320,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"oci/network.html":{}}}],["3
.7",{"_index":7249,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/compliance-frameworks.html":{}}}],["3.72.1",{"_index":3364,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["3.x",{"_index":3011,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/network.html":{},"general/network.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["3.x5.x2.x4.x",{"_index":9297,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["3/4",{"_index":8279,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["30",{"_index":596,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["300",{"_index":2722,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["300s\"</code",{"_index":7611,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["31536000",{"_index":6757,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["31557600",{"_index":6581,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["31_557_600",{"_index":6739,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["32",{"_index":4029,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["33",{"_index":7966,"title":{},"b
readcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["3306",{"_index":3295,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["336h",{"_index":9254,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["3389",{"_index":3294,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["3389'))].{nsg:'$nsg_id",{"_index":5643,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["35",{"_index":5754,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["35.235.240.0/20",{"_index":7284,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"gcp/workloads.html":{}}}],["36",{"_index":8059,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["3600",{"_index":1990,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["365",{"_index":2701,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"general/logging.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["365d",{"_index":9260,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["37",{"_index":8462,"title":{},"breadcrumb":{},"description":{"index.html":{}},"body":{}}],["37page",{"_index":8464,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["3a.8.9cld.12.4.5",{"_index":3086,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{}}}],["3complianc",{"_index":8467,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["4",{"_index":1020,"title":{},"breadcrumb":{},"description":{},"body":{"a
ws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["4!=\"true",{"_index":7427,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["4(1",{"_index":2300,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"oci/ir.html":{}}}],["4(2",{"_index":3194,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["4(4)a.8.16cld.12.4.5",{"_index":3195,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["4(7",{"_index":2301,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["4(7)a.5.26cld.12.4.5",{"_index":2302,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["4.0",{"_index":4030,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["4.1",{"_index":6943,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/kubernetes.html":{}}}],["4.13",{"_index":7700,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":
{}}}],["4.2",{"_index":2803,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"general/compliance-frameworks.html":{}}}],["4.3.2",{"_index":2648,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["4.4",{"_index":6981,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["4.4.1",{"_index":2547,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["4.4.2",{"_index":2606,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["4.4.3",{"_index":2734,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["4.4.4",{"_index":2806,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}}}],["4.6",{"_index":7692,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["4.8",{"_index":7455,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/compliance-frameworks.html":{}}}],["4.9",{"_index":7699,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["4.x",{"_index":3599,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/network.html":{},"oci/logging.html":{}}}],["40",{"_index":5763,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["400",{"_index":5896,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{}}}],["403",{"_index":2712,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["409",{"_index":4034,"title":{}
,"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["4096",{"_index":4042,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["42",{"_index":6093,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["4237",{"_index":4459,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["42b8ef37",{"_index":5119,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["43",{"_index":9623,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["443",{"_index":1476,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["4457",{"_index":5307,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["45",{"_index":7742,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{},"oci/ir.html":{}}}],["48",{"_index":4747,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["48h",{"_index":6170,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["4a.8.20",{"_index":3441,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["4a.8.8cld.12.4.5",{"_index":3798,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{}}}],["4a.8.9",{"_index":9329,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["4c46",{"_index":5458,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["4cloud",{"_index":8465,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["4dc4",{"_index":5150,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["4e24",{"_index":5121,"title":{},"breadcrumb":{},"description":{},"body":{"a
zure/kubernetes.html":{}}}],["4f28",{"_index":4374,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["4o",{"_index":4330,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["4xx",{"_index":9235,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["5",{"_index":906,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["5!=\"true",{"_index":7428,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["5(1",{"_index":6422,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["5(1)(e",{"_index":7789,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["5(1)a.5.17",{"_index":1663,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["5(7",{"_index":1995,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["5(7)a.5.17",{"_index":6423,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["5.0",{"_index":352,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aw
s/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["5.1",{"_index":5819,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["5.1.1",{"_index":7694,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["5.1.2",{"_index":7695,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["5.2",{"_index":3361,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/network.html":{}}}],["5.2.0",{"_index":7647,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["5.22.1",{"_index":2944,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["5.2n/a",{"_index":5869,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["5.3",{"_index":7696,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["5.36.1",{"_index":3362,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["5.4",{"_index":8109,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["5.5",{"_index":4940,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["5.60.0",{"_index":1202,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["5.x",{"_index":3270,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.htm
l":{}}}],["5.xn/an/a",{"_index":5217,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["50",{"_index":1266,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{}}}],["500",{"_index":2655,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}}}],["50</code",{"_index":1140,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["512",{"_index":9208,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["512m",{"_index":6703,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["53",{"_index":416,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html
":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["53nist",{"_index":7714,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["5432",{"_index":3296,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["55",{"_index":1118,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["57",{"_index":7772,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/methodology.html":{}}}],["5985",{"_index":3372,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{}}}],["5986",{"_index":3373,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{}}}],["5e0bd9bd",{"_index":4372,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["5th",{"_index":4478,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["6",{"_index":426,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["6(1",{"_index
":4628,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/iam.html":{}}}],["6(2",{"_index":4629,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["6(2)a.5.15cld.6.3.1",{"_index":6553,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["6(7",{"_index":4508,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["6(7)a.5.15",{"_index":6380,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"oci/iam.html":{}}}],["6(7)a.5.17",{"_index":1596,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["6.0",{"_index":6801,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["6.1",{"_index":5410,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"general/compliance-frameworks.html":{}}}],["6.2",{"_index":7697,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["6.2.</code",{"_index":5411,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["6.23.6",{"_index":3363,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["6.x",{"_index":8281,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/kubernetes.html":{}}}],["60",{"_index":1935,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/data.html":{},"oci/iam.html":{}}}],["600",{"_index":1105,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai
.html":{}}}],["61",{"_index":2040,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["62e90394",{"_index":4491,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["63072000",{"_index":7029,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["63072000000",{"_index":7059,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["6379",{"_index":3302,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["6387",{"_index":9509,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["63b",{"_index":7888,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["6443",{"_index":8071,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["65534",{"_index":7280,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["65535",{"_index":2847,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["69f5",{"_index":4458,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["6a.5.15",{"_index":1996,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["6a.5.24",{"_index":2198,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["6secur",{"_index":8466,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["7",{"_index":1423,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workload
s.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["7(5",{"_index":3366,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/network.html":{},"oci/network.html":{}}}],["7(8",{"_index":3531,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["7.3",{"_index":8413,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["7.4",{"_index":8414,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["7.6",{"_index":7698,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["72",{"_index":4788,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["72h",{"_index":4590,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["730",{"_index":5203,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"oci/logging.html":{}}}],["731",{"_index":831,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["7494",{"_index":3315,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["7600",{"_index":3318,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["768",{"_index":6295,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["7680",{"_index":6018,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["7776000",{"_index":5931,"titl
e":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["78",{"_index":8176,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["7a.5.10",{"_index":428,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["7a.5.28",{"_index":2393,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{}}}],["7a.8.20",{"_index":3367,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["7a7708edfe00",{"_index":5123,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["7b93",{"_index":4373,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["7yr",{"_index":9264,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["8",{"_index":2082,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["8.0",{"_index":9108,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["8.5p1–9.7p1",{"_index":9511,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["8.xn/an/a",{"_index":4089,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["800",{"_index":415,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.
html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["814e",{"_index":5459,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["8446",{"_index":7783,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["86",{"_index":7985,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["8601",{"_index":9066,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["8601=seconds)\"</cod",{"_index":9081,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["8693973ce19b",{"_index":5152,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["8a.5.17n/a",{"_index":8918,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["8a.8.20",{"_index":3600,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["8a.8.24
n/a",{"_index":6069,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["8a4e",{"_index":5149,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["8eb5",{"_index":5151,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["9",{"_index":2084,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["90",{"_index":1832,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["900",{"_index":2189,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["90d",{"_index":1906,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["9190",{"_index":4460,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["92",{"_index":8106,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/methodology.html":{}}}],["93",{"_index":7661,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{}}}],["9a.8.15",{"_index":2946,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{}}}],["_2_",{"_index":1913,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["_audit",{"_index":8767,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.h
tml":{}}}],["_default",{"_index":7031,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["_requir",{"_index":7030,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["_table_suffix",{"_index":6789,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["a.5",{"_index":7663,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a.5.15",{"_index":1113,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["a.5.16cld.6.3.1",{"_index":1997,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["a.5.16n/a",{"_index":4510,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"oci/iam.html":{}}}],["a.5.17",{"_index":4238,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["a.5.18",{"_index":1114,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["a.5.18cld.6.3.1",{"_index":6381,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["a.5.18n/a",{"_index":1751,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["a.5.24",{"_index":2086,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{}}}],["a.5.26",{"_index":2087,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/compliance-frameworks.html":{}}}],["a.5.26cld.9.5.1",{"_index":2199,"title":{},"breadc
rumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["a.5.28",{"_index":2088,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["a.5.28cld.12.4.5",{"_index":2947,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["a.5.29",{"_index":8027,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["a.5.34",{"_index":1402,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{}}}],["a.5.34n/a",{"_index":621,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["a.5.37",{"_index":9198,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["a.6",{"_index":7665,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a.7",{"_index":7666,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a.7.8",{"_index":6980,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["a.8",{"_index":7667,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a.8.10",{"_index":2647,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["a.8.13cld.12.4.5",{"_index":2394,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{}}}],["a.8.15",{"_index":2731,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/logging.html":{},"oci/genai.html":{}}}],["a.8.15cld.9.5.1",{"_index":3662,"title":{},"bread
crumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["a.8.16",{"_index":2732,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/genai.html":{}}}],["a.8.16cld.12.4.5",{"_index":9330,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["a.8.20",{"_index":1494,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["a.8.22",{"_index":1495,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["a.8.22cld.9.5.1",{"_index":3272,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["a.8.23",{"_index":8282,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["a.8.24",{"_index":2646,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/methodology.html":{},"oci/kubernetes.html":{}}}],["a.8.25cld.9.5.1",{"_index":3601,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["a.8.28",{"_index":1229,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html
":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["a.8.29",{"_index":6942,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["a.8.29cld.12.4.5",{"_index":3749,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["a.8.2cld.6.3.1",{"_index":6424,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["a.8.2n/a",{"_index":1664,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["a.8.30",{"_index":8459,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["a.8.3cld.9.5.1",{"_index":429,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["a.8.5",{"_index":4239,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/compliance-frameworks.html":{}}}],["a.8.5n/a",{"_index":1597,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["a.8.7",{"_index":5081,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["a.8.8",{"_index":7701,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a.8.9",{"_index":5124,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/kubernetes.html":{}}}],["a.9.4.2",{"_index":7669,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["a854",{"_index":5306,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["a></cod",{"_index":8198,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["aaa,subnet",{"_index":24
97,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aaaac3nzac1lzdi1nte5aaaa",{"_index":9518,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["aad",{"_index":5131,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{}}}],["aad1c0e84f3c",{"_index":5460,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["aadprofil",{"_index":4974,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["aal1",{"_index":7889,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["aal2",{"_index":7890,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["aal3",{"_index":7891,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["abac",{"_index":2827,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/iam.html":{}}}],["abbrevi",{"_index":7635,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["abil",{"_index":4215,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["abnorm",{"_index":7827,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["abov",{"_index":775,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/n
etwork.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["abpa:allowblobpublicaccess",{"_index":3923,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["abruptli",{"_index":5086,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["absenc",{"_index":558,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["absent",{"_index":3275,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["absorb",{"_index":3229,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/iam.html":{}}}],["abstract",{"_index":7920,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["abus",{"_index":1046,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/network.html":{},"azure/workloads.htm
l":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["ac",{"_index":424,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["acc_id",{"_index":5264,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["acc_nam",{"_index":5263,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["accept",{"_index":1377,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["access",{"_index":33,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{}
,"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["access:\"access",{"_index":8507,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["access</cod",{"_index":7215,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["access=='allow",{"_index":5404,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["access\\\":\\\"allow",{"_index":5443,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["access_config",{"_index":2487,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/workloads.html":{}}}],["access_control_transl",{"_index":2371,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.ht
ml":{}}}],["access_key_1_act",{"_index":1670,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_key_1_active=fals",{"_index":1651,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_key_1_last_rot",{"_index":1912,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_key_1_last_used_d",{"_index":1917,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_key_2_act",{"_index":1671,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_key_2_active=fals",{"_index":1652,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_keys_rot",{"_index":1901,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["access_scop",{"_index":2844,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["access_typ",{"_index":8759,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/ir.html":{}}}],["accesscontextmanager.cnrm.cloud.google.com/v1beta1",{"_index":6147,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesscontextmanager.googleapis.com",{"_index":6153,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesscontextmanagerserviceperimet",{"_index":6148,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesscustomercustomercustom",{"_index":8301,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["accessdeni",{"_index":325,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["accessdeniedalarm",{"_index":2719,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["accessdeniedmetricfilt",{"_index":2707,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["accesskeyid",{"_index":8373,"title":{},"breadcrumb":{},"description":{},"body":{"general/th
reat-model.html":{}}}],["accesskeymetadata[?createdate<=`'\"$(d",{"_index":1895,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["accesskeyrotationrul",{"_index":1905,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["accesspolicies/${google_access_context_manager_access_policy.org_policy.nam",{"_index":6143,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesspolicies/${google_access_context_manager_access_policy.org_policy.name}/serviceperimeters/vertexaiperimet",{"_index":6144,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesspolicies/policy_id",{"_index":6149,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["accesssecretvers",{"_index":7096,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["accesstyp",{"_index":8545,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["accid",{"_index":215,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["accident",{"_index":914,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["accompani",{"_index":853,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["account",{"_index":34,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"azure/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"a
zure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["account'",{"_index":296,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{}}}],["account.json",{"_index":6397,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["account:enableregion",{"_index":3281,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["account=\"$sa",{"_index":6407,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["account=app_sa@project_id.iam.gserviceaccount.com</cod",{"_index":6864,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["account=sa",{"_index":7422,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["account=scc",{"_index":6668,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["account_en",{"_index":4552,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["account_id",{"_index":3787,"title":{},
"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{}}}],["account_replication_typ",{"_index":3932,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{}}}],["account_service_pair",{"_index":5261,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["account_ti",{"_index":3931,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{}}}],["accountbpa",{"_index":386,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["accountcontact",{"_index":1568,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["accountid",{"_index":389,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/genai.html":{}}}],["accountnam",{"_index":4230,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["accountname}/prompt",{"_index":4270,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["accounts.iam.gserviceaccount.com",{"_index":5917,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["accounts3bpastack",{"_index":401,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["accounts[].[accountid,state.status]'</cod",{"_index":3785,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["acct",{"_index":515,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["accumul",{"_index":1701,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/data.html":{},"oci/iam.html":{}}}],["accuraci",{"_index":3768,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["achiev",{"_index":174,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data
.html":{},"aws/network.html":{},"gcp/ir.html":{}}}],["ack_deadline_second",{"_index":6690,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["acknowledg",{"_index":1923,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["acl",{"_index":197,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{}}}],["acl_id",{"_index":3413,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["acl_id=$(aw",{"_index":3411,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["acquir",{"_index":1148,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/threat-model.html":{}}}],["acquisit",{"_index":7984,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["acr",{"_index":5002,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["acrnam",{"_index":5715,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["acrprodweu",{"_index":5690,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["act",{"_index":1108,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"gene
ral/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["action",{"_index":374,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["action\":\"sts:assumerol",{"_index":1972,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["action'",{"_index":9011,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["action=accept",{"_index":2816,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["action=adminassign",{"_index":4599,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["action=block",{"_index":1411,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["action=deni",{"_index":7253,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["action=non",{"_index":1410,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["action_playbook",{"_index":4843,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["action_typ",{"_index":8986,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["actiongroupexecutor.lambda",{"_
index":1332,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["actions\":[{\"actiontype\":\"ons\",\"topicid\":\"'\"$ir_notifications_topic_ocid\"'\",\"isenabled\":tru",{"_index":8967,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["actions/auth",{"_index":6476,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["actions</cod",{"_index":6103,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["actiontype\":\"runplaybook\",\"order\":1,\"actionconfiguration\":{\"logicappresourceid\":\"/subscriptions/'\"$sub_id\"'/resourcegroups/rg",{"_index":4818,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["activ",{"_index":693,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{},"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["activekey",{"_index":4149,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["activity_clon",{"_index":9317,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["activity_log_to_law",{"_index":5205,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.htm
l":{}}}],["activitydisplaynam",{"_index":4632,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["activitystatusvalu",{"_index":4516,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}}}],["actor",{"_index":2632,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["actor@example.com",{"_index":6793,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["actual",{"_index":440,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["ad",{"_index":3039,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ad_nam",{"_index":8612,"title":{},"breadcrumb":{},"description":
{},"body":{"oci/data.html":{}}}],["adapt",{"_index":4792,"title":{},"breadcrumb":{},"description":{"gcp/network.html":{}},"body":{"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/workloads.html":{}}}],["adb",{"_index":8478,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["adb_admin_pw",{"_index":8652,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["adb_cmk",{"_index":8672,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["adb_cmk_ocid",{"_index":8653,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["adb_ocid",{"_index":8655,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["add",{"_index":1974,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["added_igw",{"_index":9374,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["addit",{"_index":562,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam
.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["addition",{"_index":3096,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/ir.html":{},"azure/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/network.html":{}}}],["additionalconfigur",{"_index":3188,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["additionaleventdata.mfaus",{"_index":1600,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["addon",{"_index":2601,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"oci/kubernetes.html":{}}}],["addon_nam",{"_index":2600,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"oci/kubernetes.html":{}}}],["addonnam",{"_index":9195,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["addonprofil",{"_index":5113,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["address",{"_index":647,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":
{},"oci/network.html":{},"oci/workloads.html":{}}}],["address=psc",{"_index":7355,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["address_prefix",{"_index":5652,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["address_spac",{"_index":5375,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["address_typ",{"_index":7364,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["addresses=10.40.255.2",{"_index":7354,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["addressprefix",{"_index":5382,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["addressspac",{"_index":5385,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["addusertogroup",{"_index":8846,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["adequ",{"_index":7844,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/logging.html":{}}}],["adjac",{"_index":851,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/kubernetes.html":{},"general/methodology.html":{},"oci/logging.html":{}}}],["admin",{"_index":897,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"oci/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html
":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["admin'",{"_index":4449,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["admin/usag",{"_index":955,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["admin:deletepermissionset",{"_index":1756,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["admin_account_id",{"_index":3171,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["admin_en",{"_index":5698,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["admin_group_id",{"_index":8941,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["admin_group_id=$(oci",{"_index":8940,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["admin_group_object_id",{"_index":5137,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["admin_password",{"_index":8666,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["admin_read",{"_index":6991,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["admin_ssh_key",{"_index":5581,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["admin_us",{"_index":6450,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["admin_usernam",{"_index":5576,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["adminassign",{"_index":4603,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["admincidr",{"_index":3345,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["admincidr</cod",{"_index":3353,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["administ",{"_index":5167
,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/logging.html":{}}}],["administr",{"_index":895,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["administrator'",{"_index":3808,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/iam.html":{},"general/compliance-frameworks.html":{}}}],["administrator_login",{"_index":4190,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["administrator_login_password",{"_index":4192,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["administratoraccess",{"_index":1567,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["adminplan",{"_index":960,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["adminpublickey",{"_index":5595,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["adminrolearn",{"_index":950,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["admins@${var.workspace_domain",{"_index":6371,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["admins@example.com",{"_index":6365,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.ht
ml":{}}}],["admins@example.com</cod",{"_index":6375,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["adminsafesg",{"_index":3346,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["adminsafesgprop",{"_index":3354,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["adminsafesgstack",{"_index":3355,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["adminuseren",{"_index":5717,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["adminusernam",{"_index":5608,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["admiss",{"_index":5064,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["admissioncontrolleropt",{"_index":9137,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["admissionwhitelistpattern",{"_index":6916,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["admit",{"_index":4104,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["adopt",{"_index":1769,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["advanc",{"_index":2894,"title":{},"breadcrumb":{},"description":{"aws/network.html":{}},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/workloads.html":{},"g
cp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/network.html":{}}}],["advanced_datapath",{"_index":6815,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["advanced_event_selector",{"_index":2913,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["advancedeventselector",{"_index":3005,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["adversari",{"_index":891,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["adversary'",{"_index":7945,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["advisor",{"_index":7881,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/iam.html":{}}}],["advisori",{"_index":7931,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["ae",{"_index":7754,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["ae30",{"_index":5308,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["aes256",{"_index":625,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["af87",{"_index":4375,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["affect",{"_index":769,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws
/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["afterward",{"_index":7785,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["ag",{"_index":1925,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["ag_id",{"_index":1292,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["again",{"_index":436,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/iam.html":{},"gcp/logging.html":{}}}],["against",{"_index":198,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{}
,"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["agenc",{"_index":1044,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/genai.html":{}}}],["agent",{"_index":987,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["agent'",{"_index":1282,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/genai.html":{},"oci/workloads.html":{}}}],["agent.amazonaws.com",{"_index":1341,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent:createag",{"_index":1328,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent:updateactiongroup",{"_index":1331,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent:updateag",{"_index":1327,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent_config",{"_index":9464,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["agent_execution_role_nam",{"_index":1295,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent_id",{"_index":1290,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent_lambda_scop",{"_index
":1301,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent_nam",{"_index":1306,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agent_resource_role_arn",{"_index":1308,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentexecpolici",{"_index":1320,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentexecutionrol",{"_index":1314,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentexecutionrolestack",{"_index":1323,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentless",{"_index":3121,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/workloads.html":{}}}],["agentnam",{"_index":1313,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentpoolprofil",{"_index":4976,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["agentresourcerolearn",{"_index":1355,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["agentroleprop",{"_index":1322,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aggreg",{"_index":2862,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/logging.html":{},"aws/workloads.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["aggregation_interv",{"_index":7229,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["aggress",{"_index":8419,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["ago",{"_index":1896,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/workloads.html":{},"oci/iam.html":{}}}],["ago(30m",{"_index":5224,"title":{},"breadcrumb"
:{},"description":{},"body":{"azure/logging.html":{}}}],["agre",{"_index":901,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/compliance-frameworks.html":{}}}],["ahead",{"_index":3765,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/logging.html":{}}}],["ai",{"_index":1014,"title":{"gcp/genai.html":{},"oci/genai.html":{}},"breadcrumb":{},"description":{"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"general/index.html":{},"oci/genai.html":{},"oci/index.html":{}}}],["aicompartmentinventori",{"_index":8703,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["aid",{"_index":8022,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["aim",{"_index":8105,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["aiplatform",{"_index":8704,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["aiplatform.googleapis.com",{"_index":6086,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["aiplatform.iam.gserviceaccount.com",{"_index":6327,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["aiplatform.us",{"_index":6231,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["aiplatform.user/admin",{"_index":6130,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["aiplatform>=1.38.0",{"_index":6190,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["air",{"_index":5791,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{}}}],["aitm",{"_index":4598,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ak"
,{"_index":2576,"title":{"azure/kubernetes.html":{}},"breadcrumb":{},"description":{"azure/kubernetes.html":{},"azure/workloads.html":{}},"body":{"aws/kubernetes.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["aka.ms/mysecurityinfo",{"_index":4753,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["akia...></cod",{"_index":1653,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aks_etcd",{"_index":5039,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["aks_km",{"_index":5034,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["aks_rbac_admin",{"_index":5140,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["aksauditadmin",{"_index":5024,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["al2",{"_index":8088,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["al2023",{"_index":2450,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/workloads.html":{},"general/kubernetes.html":{}}}],["alarm",{"_index":1859,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/ir.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["alarm_act",{"_index":2183,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["alarm_nam",{"_index":2174,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["alarmact",{"_index":2727,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["alarmnam",{
"_index":2721,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["alarmtopicarn",{"_index":2706,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["alarmtopicarn</cod",{"_index":2728,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["alert",{"_index":487,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{},"general/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["alertnam",{"_index":5729,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["alertnotif",{"_index":5318,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["algorithm",{"_index":5933,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"general/data.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["algorithm\":\"aes\",\"length\":32",{"_index":8575,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["alia",{"_index":635,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"a
ws/kubernetes.html":{},"azure/data.html":{},"gcp/kubernetes.html":{},"oci/data.html":{}}}],["alias/data",{"_index":599,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["alias/eb",{"_index":714,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["alias/ek",{"_index":2635,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["alic",{"_index":8833,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["alice.exampl",{"_index":8832,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["alice@${var.workspace_domain",{"_index":6453,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["alice@contoso.com",{"_index":4601,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["alice@corp.exampl",{"_index":8834,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["alice_security_admin",{"_index":8839,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["alice_to_app_prod_01",{"_index":7496,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["align",{"_index":741,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["aligned)n/an/an/a",{"_index":3193,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["alik",{"_index":8278,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["all_memb",{"_index":3783,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["all_servic",{"_index":7104,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["all_support",{"_index":3058,"title":{},"breadcrumb":{},"description":{},"body":{
"aws/logging.html":{}}}],["allauthenticatedus",{"_index":5805,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["allianc",{"_index":8028,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{}}}],["alllog",{"_index":4406,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["allmetr",{"_index":4407,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["alloc",{"_index":812,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/workloads.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["allocated_storag",{"_index":824,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["allocation_method",{"_index":5654,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["allow",{"_index":441,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["allow/deni",{"_index":7185,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["allow_bastion_admin",{"_index":5419,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["allow_blob_public_access",{"_index":3876,"ti
tle":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["allow_blob_public_access=fals",{"_index":3946,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["allow_nested_items_to_be_publ",{"_index":3878,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{}}}],["allow_users_to_change_password",{"_index":1828,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["allowalloutbound",{"_index":3357,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["allowbastiontoadmin",{"_index":5420,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["allowblobpublicaccess",{"_index":3915,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["allowblobpublicaccess==\\`true\\`].{sub:'$sub",{"_index":3919,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["allowblobpublicaccess=fals",{"_index":4009,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["allowblobpublicaccess\\\":tru",{"_index":3998,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["allowed.port",{"_index":7290,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["allowed_audi",{"_index":6534,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["allowed_valu",{"_index":5946,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["allowedcontentlevel",{"_index":4311,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["allowedcontentlevel\\\":\\\"high",{"_index":4335,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["allowedcontentlevel\\\":\\\"medium",{"_index":4336,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["allowedmodelid",{"_index":1075,"title":{},"breadcrumb":{},"descripti
on":{},"body":{"aws/genai.html":{}}}],["allowedvalu",{"_index":5902,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["allowlist",{"_index":6006,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"oci/data.html":{}}}],["allowlist.tsv",{"_index":2610,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["allowonlyourbucket",{"_index":3520,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["allowscopedbedrockinvok",{"_index":1064,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["allowselfservicemfamanag",{"_index":1835,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["allowsharedkeyaccess",{"_index":3966,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["allowunencrypt",{"_index":5386,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["allservic",{"_index":7026,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["allsupport",{"_index":3079,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["allsupported\":tru",{"_index":3047,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["allus",{"_index":5804,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["allusers/allauthenticatedus",{"_index":5886,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{}}}],["allusers:objectview",{"_index":5820,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["alon",{"_index":1182,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/ne
twork.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["alongsid",{"_index":1954,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["alpha",{"_index":6605,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["alphanumer",{"_index":3953,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["alreadi",{"_index":1876,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["alter",{"_index":6536,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/logging.html":{},"oci/iam.html":{}}}],["altern",{"_index":855,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["alto",{"_index":9342,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["alway",{"_index":1259,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"genera
l/network.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["always_allow",{"_index":6910,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["amazon",{"_index":49,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["amazonaw",{"_index":3212,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["amazonec2containerregistryreadonli",{"_index":2762,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["amazoneks_cni_polici",{"_index":2763,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["amazoneksworkernodepolici",{"_index":2761,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["amazonssmmanagedinstancecor",{"_index":3612,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ambient",{"_index":1968,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["ambigu",{"_index":7632,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["amd",{"_index":7410,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["amd_vm",{"_index":9492,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["ami",{"_index":689,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/data.html":{},"aws/workloads.html":{},"general/workloads.html":{}}}],["ami'",{"_index":3774,"title":{},"breadcrumb":{}
,"description":{},"body":{"aws/workloads.html":{}}}],["amortis",{"_index":5689,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["amplifi",{"_index":7834,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"oci/kubernetes.html":{}}}],["amsterdam",{"_index":8902,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["analog",{"_index":3406,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["analogu",{"_index":3129,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["analys",{"_index":3127,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/ir.html":{}}}],["analysi",{"_index":3120,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["analyst",{"_index":6588,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{}}}],["analyt",{"_index":4004,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":
{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["analyz",{"_index":1505,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/logging.html":{},"general/iam.html":{},"general/logging.html":{}}}],["anchor",{"_index":2455,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["anchors.tsv",{"_index":7393,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/logging.html":{}}}],["and/or",{"_index":8117,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["annex",{"_index":7618,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/genai.html":{}}}],["annot",{"_index":93,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["announc",{"_index":1554,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"general/iam.html":{}}}],["annual",{"_index":231,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/ir.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/ir.html":{}}}],["anomal",{"_index":3823,"title":{},"breadcrumb":{},"description":{},"body":
{"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"gcp/logging.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["anomali",{"_index":1931,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/threat-model.html":{},"oci/logging.html":{}}}],["anomalous_sa_key_cr",{"_index":7170,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["anonym",{"_index":508,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/data.html":{}}}],["anoth",{"_index":6133,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["ansi",{"_index":2430,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["answer",{"_index":1883,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["anthrop",{"_index":993,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["anthropic.claud",{"_index":1076,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["anti",{"_index":141,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":
{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["anticip",{"_index":6732,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["antipattern",{"_index":904,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["antiviru",{"_index":8420,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["anycast",{"_index":7192,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["anyobjectread",{"_index":8553,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["anyon",{"_index":320,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"general/iam.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["anyth",{"_index":2749,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/logging.html":{}}}],["anywher",{"_index":2478,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/iam.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/network.html":{}}}],["aoai",{"_index":4222,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_account",{"_index":4219,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_diag",{"_index":4396,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_p",{"_index":4344,"title"
:{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_priv",{"_index":4342,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_resource_id",{"_index":4392,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoai_us",{"_index":4367,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["aoairesourceid",{"_index":4352,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["apach",{"_index":2427,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["api",{"_index":274,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["api/v1/nodes/node/proxy/configz",{"_index":8064,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["api://azureadtokenexchang",{"_index":5008,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html"
:{}}}],["api</cod",{"_index":7361,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["api_and_config_map",{"_index":2838,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["api_ingress_mgmt",{"_index":9223,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["api_server_access_profil",{"_index":4949,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["apiconnectionwebhook",{"_index":4853,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["apikey",{"_index":4247,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["apinsgocid",{"_index":9126,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["apiserv",{"_index":2469,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["apiserveraccessprofil",{"_index":4939,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["apiserveraccessprofile.enableprivateclust",{"_index":4987,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["apisubnetocid",{"_index":9185,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["apivers",{"_index":6303,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["app",{"_index":1080,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.htm
l":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["app'",{"_index":4805,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["app/api",{"_index":3703,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["app:{{.run.id",{"_index":5693,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["app_api",{"_index":3717,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["app_imag",{"_index":7531,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["app_nsg_ocid",{"_index":8654,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["app_pga",{"_index":7313,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["app_prod",{"_index":6040,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["app_prod_01",{"_index":7433,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/data.html":{}}}],["app_prod_boot",{"_index":5980,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["app_prod_data",{"_index":8627,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["app_prod_euw1",{"_index":5925,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["app_prod_priv",{"_index":9360,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["app_prod_regul",{"_index":5850,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["app_runtim",{"_index":1976,"title":{},"breadcrumb
":{},"description":{},"body":{"aws/iam.html":{}}}],["app_sa@project_id.iam.gserviceaccount.com",{"_index":6860,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["app_subnet",{"_index":5412,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["app_tier",{"_index":9394,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appcmk",{"_index":952,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["appcmkprop",{"_index":981,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["appdisplaynam",{"_index":4583,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["appear",{"_index":1009,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/network.html":{}}}],["append",{"_index":4875,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/logging.html":{}}}],["appendix",{"_index":7624,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["appli",{"_index":80,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernet
es.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["applianc",{"_index":8245,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/workloads.html":{}}}],["applic",{"_index":954,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["application'",{"_index":876,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/network.html":{},"general/iam.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["application_id",{"_index":9049,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["applicationcustomercustomercsp",{"_index":8299,"tit
le":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["applicationmanag",{"_index":5025,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["apply_server_side_encryption_by_default",{"_index":605,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["applyserversideencryptionbydefault",{"_index":573,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["appnsg",{"_index":9404,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appnsg.id",{"_index":9409,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appprincipalarn",{"_index":1074,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["appprincipalid",{"_index":4370,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["appprod",{"_index":9349,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appproddata",{"_index":9354,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appprodpriv",{"_index":9352,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["appread",{"_index":8520,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["approach",{"_index":3035,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["approleencryptdecrypt",{"_index":941,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["appropri",{"_index":8119,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"oci/data.html":{}}}],["approv",{"_index":1034,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"gene
ral/ir.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["approxim",{"_index":2457,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["approximate_neighbors_count",{"_index":6296,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["appservic",{"_index":5348,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["apr",{"_index":8250,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["april",{"_index":2042,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["apt",{"_index":7578,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/threat-model.html":{}}}],["apt29",{"_index":8359,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["aqua",{"_index":8095,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["arbitrari",{"_index":1966,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/logging.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["arc",{"_index":8418,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["architect",{"_index":8160,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["architectur",{"_index":3221,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/netwo
rk.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["archiv",{"_index":1156,"title":{},"breadcrumb":{},"description":{"oci/logging.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["archivetyp",{"_index":7579,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["are_legacy_imds_endpoints_dis",{"_index":9448,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["area",{"_index":3564,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["arelegacyimdsendpointsdis",{"_index":9454,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["arelegacyimdsendpointsdisabled\":tru",{"_index":9506,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["arg",{"_index":5011,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["argu",{"_index":8412,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["argument",{"_index":1199,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"oci/genai.html":{}}}],["aris",{"_index":6587,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/
shared-responsibility.html":{}}}],["arm",{"_index":3886,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["arm/terraform",{"_index":5692,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["armor",{"_index":6183,"title":{},"breadcrumb":{},"description":{"gcp/network.html":{}},"body":{"gcp/genai.html":{},"gcp/index.html":{},"gcp/network.html":{},"general/network.html":{}}}],["arn",{"_index":545,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["arn:aws:bedrock:${aws::region}:${aws::accountid}:ag",{"_index":1319,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:bedrock:${aws::region}::found",{"_index":1088,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:bedrock:${this.region}:${this.account}:ag",{"_index":1326,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:bedrock:${this.region}::found",{"_index":1096,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:bedrock:${var.region}::found",{"_index":1065,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:bedrock:u",{"_index":1024,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["arn:aws:ec2:*:*:inst",{"_index":3593,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["arn:aws:eks::aws:clust",{"_index":2842,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["arn:aws:events:eu",{"_index":2261,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["arn:aws:iam::${aws::accountid}:root",{"_index":959,"title":{},"breadcrumb":{},"description":{},"body":{"aws
/data.html":{}}}],["arn:aws:iam::${aws::accountid}:user/${!aws:usernam",{"_index":1837,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app",{"_index":948,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",{"_index":947,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["arn:aws:iam::${this.account}:user/\\${aws:usernam",{"_index":1844,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::${trustedaccountid}:root",{"_index":1991,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::${var.platform_account_id}:role/platformdataadmin",{"_index":379,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["arn:aws:iam::${var.platform_account_id}:role/platformnetworkadmin",{"_index":3475,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["arn:aws:iam::(?<acct>\\d+):role\\/(?<rol",{"_index":2616,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["arn:aws:iam::*:root",{"_index":1583,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::*:root'</cod",{"_index":1588,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::111122223333:role/app",{"_index":942,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["arn:aws:iam::111122223333:role/lambda",{"_index":3836,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["arn:aws:iam::111122223333:root",{"_index":940,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["arn:aws:iam::<account_id>:policy/app",{"_index":1973,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::account:role/clusteradmin",{"_index":2851,"tit
le":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["arn:aws:iam::account:role/ek",{"_index":2495,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["arn:aws:iam::aws:policy/administratoraccess",{"_index":2138,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["arn:aws:iam::aws:policy/administratoraccess</cod",{"_index":2190,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["arn:aws:iam::aws:policy/amazonssmmanagedinstancecor",{"_index":3638,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["arn:aws:iam::aws:policy/amazonssmmanagedinstancecore</cod",{"_index":3634,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["arn:aws:iam::aws:policy/awsdenyal",{"_index":2219,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["arn:aws:iam::aws:policy/readonlyaccess",{"_index":1729,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::aws:policy/readonlyaccess</cod",{"_index":1720,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:iam::aws:policy/securityaudit</cod",{"_index":1993,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:kms:eu",{"_index":576,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["arn:aws:lambda:eu",{"_index":2994,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["arn:aws:s3",{"_index":3018,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{}}}],["arn:aws:s3:::${var.workload_bucket",{"_index":3523,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["arn:aws:s3:::audit",{"_index":2992,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["arn:aws:s3:::pii",{"_index":2991,"title":{},"breadcrumb":{},"description":{},"bo
dy":{"aws/logging.html":{}}}],["arn:aws:ssm:${aws::region}:${aws::accountid}:autom",{"_index":2296,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["arn:aws:sso:::instance/<ssoins_id",{"_index":1715,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arn:aws:sso:::permissionset/<ps_id",{"_index":1719,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["arnlik",{"_index":1317,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["around",{"_index":6346,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/network.html":{},"oci/ir.html":{}}}],["array",{"_index":3017,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"oci/network.html":{}}}],["arriv",{"_index":2025,"title":{},"breadcrumb":{},"description":{},"body":{"aws/index.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/index.html":{},"gcp/index.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"oci/iam.html":{},"oci/index.html":{}}}],["art",{"_index":1117,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/data.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["artefact",{"_index":4868,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["articl",{"_index":4028,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"compliance-matrix.html":{},"general/genai.html":{},"ge
neral/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["artifact",{"_index":4942,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["artifactregistry.cnrm.cloud.google.com/v1beta1",{"_index":7552,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["artifactregistry.googleapis.com",{"_index":7517,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["artifactregistry.writ",{"_index":7562,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["artifactregistryrepositori",{"_index":7553,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["ascend",{"_index":3446,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["asg",{"_index":5418,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["ashburn",{"_index":9307,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["asid",{"_index":8226,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/threat-model.html":{}}}],["ask",{"_index":7617,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/index.html":{},"oci/data.html":{}}}],["asn",{"_index":5337,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"oci/network.html":{}}}],["aspir",{"_index":8012,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["assembl",{"_index":7119,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["assert",{"_index":726,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network
.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["assertion.ref",{"_index":6504,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["assertion.repositori",{"_index":6502,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["assertion.repository_own",{"_index":6506,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["assertion.sub",{"_index":6500,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["assess",{"_index":3538,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["assessmentmetadata/writ",{"_index":5327,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["asset",{"_index":5883,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["assign",{"_index":119,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},
"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["assign_public_ip",{"_index":9463,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["assignable_to_rol",{"_index":4615,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["assigne",{"_index":4049,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{}}}],["assigner'",{"_index":4642,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["assignment_typ",{"_index":4621,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["assignmentnam",{"_index":5454,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["assignpublicip",{"_index":9487,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["assignsr",{"_index":5153,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["associ",{"_index":2582,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"gcp/network.html":{},"general/data.html":{},"oci/network.html":{}}}],["assum",{"_index":920,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/t
hreat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["assume_role_polici",{"_index":1299,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["assumedbi",{"_index":1099,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{}}}],["assumedrol",{"_index":1753,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["assumerol",{"_index":2206,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"general/ir.html":{}}}],["assumerolepolicydocu",{"_index":1081,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["assumerolewithsaml",{"_index":2147,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["assumpt",{"_index":1541,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["assur",{"_index":5790,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["asymmetr",{"_index":6949,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["asymmetri",{"_index":8303,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["asynchron",{"_index":6575,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["athena",{"_index":2441,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["att&ck",{"_index":
8032,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["attach",{"_index":313,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["attach/detach",{"_index":4812,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["attachment=projects/vendor",{"_index":7358,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["attachment_target",{"_index":7274,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["attachuserpolicy\",\"attachrolepolicy\",\"putrolepolicy\",\"putuserpolici",{"_index":1138,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["attack",{"_index":303,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}
,"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["attacker'",{"_index":1363,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["attempt",{"_index":1173,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["attent",{"_index":7122,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/logging.html":{}}}],["attest",{"_index":681,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["attestation_author",{"_index":7536,"title":{},"breadcrum
b":{},"description":{},"body":{"gcp/workloads.html":{}}}],["attestation_authority_not",{"_index":6927,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["attestor",{"_index":6906,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["attestor</cod",{"_index":6922,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["attribut",{"_index":2127,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["attribute.ref",{"_index":6503,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["attribute.repositori",{"_index":6501,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["attribute_condit",{"_index":6505,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["attribute_map",{"_index":6498,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["attributes.categori",{"_index":6689,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["attributes=tru",{"_index":7576,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["au",{"_index":2083,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/logging.html":{},"oci/genai.
html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["audienc",{"_index":5007,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["audit",{"_index":148,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["audit</cod",{"_index":8756,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["audit_arch",{"_index":9250,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["audit_log",{"_index":8757,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["audit_log_config",{"_index":6251,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.ht
ml":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["audit_to_arch",{"_index":9255,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["audit_to_object_storag",{"_index":8764,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["auditarchivegroup",{"_index":9262,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["auditarchivegroup.id",{"_index":9267,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["auditconfig",{"_index":6240,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["auditconfigs.exemptedmemb",{"_index":7111,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["auditconfigs.servic",{"_index":7112,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["auditd",{"_index":7565,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/workloads.html":{}}}],["auditev",{"_index":4097,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["auditlog",{"_index":4519,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"oci/logging.html":{}}}],["auditlog.id",{"_index":9272,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["auditlogconfig",{"_index":6239,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/logging.html":{}}}],["auditloggroupnam",{"_index":2705,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["auditlogocid",{"_index":9271,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["auditor",{"_index":1988,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"oci/kubernetes.html
":{},"oci/logging.html":{}}}],["auditretent",{"_index":9258,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["aug",{"_index":8078,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"general/network.html":{}}}],["augment",{"_index":7169,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{}}}],["august",{"_index":7648,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/ir.html":{}}}],["aurora",{"_index":778,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["auth",{"_index":990,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{}},"body":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/network.html":{}}}],["auth0",{"_index":8895,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["auth=fals",{"_index":8044,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["auth=tru",{"_index":8042,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["authent",{"_index":299,"title":{"index.html":{}},"breadcrumb":{},"description":{"index.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"
azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["authentication.anonymous.en",{"_index":8045,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["authentication_factor_setting_id",{"_index":8864,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["authentication_mod",{"_index":2488,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["authenticationfactorset",{"_index":8857,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["authenticationfail",{"_index":5280,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["authenticationmode=api,bootstrapclustercreatoradminpermissions=fals",{"_index":2499,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["authenticationrequir",{"_index":4687,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["authenticationtyp",{"_index":3993,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["authmethod",{"_index":4246,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["authn",{"_index":6024,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["author",{"_index":117,"title":{},"breadcrumb":{},"description":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"
aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["authoris",{"_index":568,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["authorit",{"_index":3237,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/ir.html":{}}}],["authorization.enforcementmode.default",{"_index":5464,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["authorization.policyassignment(\"deni",{"_index":5462,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["authorization.roleassignment(`ga",{"_index":4505,"title":{},"breadcrumb":{},"description":{},"body":{"a
zure/iam.html":{}}}],["authorization.roleeligibilityschedulerequest(\"ga",{"_index":4626,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["authorized_ip_rang",{"_index":4950,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["authorized_key",{"_index":7472,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["authorizediprang",{"_index":4988,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["authorizesecuritygroupingress",{"_index":3384,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["authtyp",{"_index":3820,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["auto",{"_index":2026,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/data.html":{}},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["auto_create_subnetwork",{"_index":7221,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["auto_en",{"_index":3789,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["auto_enable_organization_memb",{"_index":3152,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["autoact",{"_index":9007,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["autocomplet",{"_index":5506,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["autodiscov",{"_index":4719,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["autoen",{"_index":3804,"title":{},"breadcrumb":{},"description":{},"body":{"aws/wo
rkloads.html":{}}}],["autoenable=fals",{"_index":3813,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["autoenable=tru",{"_index":3817,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["autoenrollemailfactordis",{"_index":8885,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["autom",{"_index":791,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"gcp/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{}}}],["automat",{"_index":230,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["automl",{"_index":6088,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["automount",{"_index":8065,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["automountserviceaccounttoken",{"_index":8048,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["autonom",{"_index":1345,"title":{},"breadcrumb":{},"description":{"oci/da
ta.html":{}},"body":{"aws/genai.html":{},"oci/data.html":{},"oci/index.html":{},"oci/network.html":{}}}],["autonomi",{"_index":7845,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["autopilot",{"_index":6799,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{}}}],["autopilot/standard",{"_index":6800,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["autoprov",{"_index":5310,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["autoprovis",{"_index":5312,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["autoprovision=on",{"_index":5328,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["autoprovision\\\":\\\"off",{"_index":5325,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["autopsi",{"_index":7992,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["autoscal",{"_index":5176,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["autoti",{"_index":8549,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["avail",{"_index":1056,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["availability_domain",{"_index":8628,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["availability_t
yp",{"_index":6044,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["availabilitydomain",{"_index":9481,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["available_memori",{"_index":6702,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["averag",{"_index":1934,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["avoid",{"_index":1767,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/data.html":{}}}],["aw",{"_index":27,"title":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}},"breadcrumb":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}},"description":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.
html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["awar",{"_index":349,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["away",{"_index":3902,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["awk",{"_index":1646,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"gcp/data.html":{},"gcp/workloads.html":{}}}],["aws'",{"_index":1511,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"gcp/iam.html":{},"general/iam.html":{}}}],["aws.guardduti",{"_index":2254,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws.workload",{"_index":2363,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws/credenti",{"_index":1637,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws/data.html",{"_index":3546,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/data.html":{}}}],["aws/eb",{"_index":683,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws/eks/harden",{"_index":2698,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws/eks/{cluster}/clust",{"_index":2552,"
title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws/genai.html",{"_index":5756,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["aws/iam.html",{"_index":2459,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws/kubernetes.html",{"_index":5764,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["aws/logging.html",{"_index":2462,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/logging.html":{}}}],["aws/network.html",{"_index":2460,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"general/network.html":{}}}],["aws/s3",{"_index":535,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws/workloads.html",{"_index":8393,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["aws::accountid",{"_index":391,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{}}}],["aws::bedrock::guardrail",{"_index":1215,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws::cloudtrail::trail",{"_index":2922,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::cloudwatch::alarm",{"_index":2720,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws::config::configrul",{"_index":728,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["aws::config::configurationrecord",{"_index":3078,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::config::deliverychannel",{"_index":3082,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::ec2::launchtempl",{"_index":2795,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html
":{}}}],["aws::ec2::networkacl",{"_index":3433,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws::ec2::networkaclentri",{"_index":3435,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws::ec2::securitygroup",{"_index":2857,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{}}}],["aws::ec2::securitygroup::id",{"_index":1487,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["aws::ec2::securitygroup</cod",{"_index":3269,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws::ec2::vpc::id",{"_index":1483,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["aws::ec2::vpcblockpublicaccessopt",{"_index":3480,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws::ec2::vpcendpoint",{"_index":1489,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["aws::ecr::repositori",{"_index":3738,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws::eks::clust",{"_index":2506,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws::eks::cluster</cod",{"_index":2643,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws::eks::podidentityassoci",{"_index":2604,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws::events::rul",{"_index":2293,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws::guardduty::detector",{"_index":3185,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::iam::managedpolici",{"_index":1085,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["aws::iam::rol",{"_index":1078,"title":{},"breadcrumb
":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["aws::inspectorv2::filt",{"_index":3794,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws::kms::key",{"_index":953,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws::lambda::funct",{"_index":2918,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::logs::metricfilt",{"_index":2708,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws::organizations::polici",{"_index":1586,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws::rds::dbinstance</cod",{"_index":839,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws::s3::accountpublicaccessblock",{"_index":387,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws::s3::bucket",{"_index":614,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["aws::s3::object",{"_index":2917,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws::ssm::docu",{"_index":3656,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws::sso::permissionset",{"_index":1744,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws:km",{"_index":534,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{}}}],["aws:multifactorauthag",{"_index":2188,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws:multifactorauthpres",{"_index":1581,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["aws:principalaccount",{"_index":923,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{}}}],["aws:principalarn",{"_index":378,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.ht
ml":{},"aws/network.html":{}}}],["aws:principalorgid",{"_index":449,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/logging.html":{}}}],["aws:sourceaccount",{"_index":1316,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws:sourcearn",{"_index":1318,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws:sourceip",{"_index":448,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws:sourcevpc",{"_index":447,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"general/threat-model.html":{}}}],["aws_access_key",{"_index":1374,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_account",{"_index":1740,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_bedrock",{"_index":1224,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_bedrock_guardrail",{"_index":1204,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_bedrockagent_ag",{"_index":1305,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_caller_ident",{"_index":946,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_cloudtrail",{"_index":2907,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_cloudwatch_event_rul",{"_index":2279,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_cloudwatch_event_rule.gd_critical.arn",{"_index":2290,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_cloudwatch_event_rule.gd_critical.nam",{"_index":2283,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_cloudwatch_event_target",{"_index":2282,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_cloudwatch_log_group",{"_index":2697,"title":{},"breadcrumb":{},"de
scription":{},"body":{"aws/kubernetes.html":{}}}],["aws_cloudwatch_log_group.sessions.nam",{"_index":3649,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_cloudwatch_log_metric_filt",{"_index":2168,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_cloudwatch_metric_alarm",{"_index":2173,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_config_config_rul",{"_index":1900,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{}}}],["aws_config_configuration_record",{"_index":3055,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_configuration_recorder.thi",{"_index":3066,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_configuration_recorder.this.nam",{"_index":3068,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_configuration_recorder_statu",{"_index":3067,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_delivery_channel",{"_index":3060,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_delivery_channel.thi",{"_index":3070,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_config_organization_conformance_pack",{"_index":3071,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_db_inst",{"_index":820,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_default_vpc",{"_index":3261,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_ebs_default_kms_key",{"_index":722,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_ebs_encryption_by_default",{"_index":721,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_ec2",{"_index":2517,"title":{},"breadcrumb":{},"description":{},"b
ody":{"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["aws_ecr_lifecycle_polici",{"_index":3725,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_ecr_registry_scanning_configur",{"_index":3710,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_ecr_repositori",{"_index":3716,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_ecr_repository.app_api.nam",{"_index":3726,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_ek",{"_index":2516,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_access_entri",{"_index":2829,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_access_policy_associ",{"_index":2841,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_addon",{"_index":2598,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_clust",{"_index":2481,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_cluster.hardened.nam",{"_index":2596,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_cluster.hardened.vpc_config[0].cluster_security_group_id",{"_index":2850,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_node_group",{"_index":2778,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_eks_pod_identity_associ",{"_index":1979,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{}}}],["aws_guardduti",{"_index":3190,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_guardduty_detector",{"_index":3173,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_guardduty_detector.this.id",{"_index":3176,"title":{},"breadcru
mb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_guardduty_detector_featur",{"_index":3175,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_guardduty_organization_admin_account",{"_index":3170,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_guardduty_organization_configur",{"_index":3183,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_iam",{"_index":979,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["aws_iam_account_password_polici",{"_index":1821,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_iam_group.console_users.nam",{"_index":1810,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_iam_group_polici",{"_index":1808,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_iam_instance_profil",{"_index":1977,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{}}}],["aws_iam_polici",{"_index":1061,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_policy.bedrock_invoke_scoped.arn",{"_index":1073,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_rol",{"_index":1297,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["aws_iam_role.app.arn",{"_index":2597,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_iam_role.app_role.nam",{"_index":1071,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_role.app_runtime.arn",{"_index":1983,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_iam_role.app_runtime.nam",{"_index":1978,"title":{},"breadcrumb":{},"desc
ription":{},"body":{"aws/iam.html":{}}}],["aws_iam_role.bedrock_agent_role.arn",{"_index":1309,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_role.bedrock_agent_role.id",{"_index":1302,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_role.cluster_admin.arn",{"_index":2840,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_iam_role.config.arn",{"_index":3056,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_iam_role.ec2_workload.nam",{"_index":3637,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_iam_role.eks_cluster.arn",{"_index":2482,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_iam_role.gd_quarantine.arn",{"_index":2269,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_iam_role.node.arn",{"_index":2783,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_iam_role.replication.arn",{"_index":2365,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_iam_role_polici",{"_index":1300,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["aws_iam_role_policy_attach",{"_index":1069,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{}}}],["aws_identitystore_us",{"_index":2155,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_inspector2_delegated_admin_account",{"_index":3786,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_inspector2_enabl",{"_index":3790,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_inspector2_organization_configur",{"_index":3788,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_inst",{"_index":3588,"title":{},"breadcrumb":{},"description":{},"body":{"aws/
workloads.html":{}}}],["aws_km",{"_index":978,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["aws_kms_alia",{"_index":598,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{}}}],["aws_kms_key",{"_index":593,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["aws_kms_key.data_bucket.arn",{"_index":608,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_kms_key.data_bucket.key_id",{"_index":601,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_kms_key.ebs_default.arn",{"_index":724,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_kms_key.ebs_default.key_id",{"_index":720,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_kms_key.ecr.arn",{"_index":3723,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_kms_key.eks_secrets.arn",{"_index":2493,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_kms_key.eks_secrets.key_id",{"_index":2636,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_kms_key.logs.arn",{"_index":2702,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_kms_key.rds.arn",{"_index":827,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_kms_key.sessions.arn",{"_index":3651,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_kms_key.trail.arn",{"_index":2906,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_lambda_funct",{"_index":2266,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_lambda_function.action_group_handler.arn",{"_index":1304,"title":{},"breadcrumb":{},"description":{},
"body":{"aws/genai.html":{}}}],["aws_lambda_function.gd_quarantine.arn",{"_index":2284,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_lambda_function.gd_quarantine.function_nam",{"_index":2288,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_lambda_permiss",{"_index":2285,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_launch_templ",{"_index":2769,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_launch_template.nodes.id",{"_index":2785,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_launch_template.nodes.latest_vers",{"_index":2786,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_network_acl",{"_index":3418,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_network_acl.private.id",{"_index":3425,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_network_acl_rul",{"_index":3421,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_organ",{"_index":1589,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_organizations_polici",{"_index":361,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["aws_route_table.private[*].id",{"_index":3519,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_s3",{"_index":398,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{}}}],["aws_s3_account_public_access_block",{"_index":355,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_s3_bucket",{"_index":602,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{}}}],["aws_s3_bucket.config.id",{"_index":3061,"title":{},"br
eadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_s3_bucket.evidence.arn",{"_index":2367,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_s3_bucket.evidence.id",{"_index":2355,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_s3_bucket.regulated.id",{"_index":604,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["aws_s3_bucket.session_logs.id",{"_index":3647,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_s3_bucket.trail.id",{"_index":2905,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["aws_s3_bucket.workload_cloudtrail.id",{"_index":2364,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_s3_bucket_object_lock_configur",{"_index":2358,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["aws_s3_bucket_public_access_block",{"_index":2360,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_s3_bucket_replication_configur",{"_index":2361,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_s3_bucket_server_side_encryption_configur",{"_index":603,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["aws_s3_bucket_vers",{"_index":2354,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_security_group",{"_index":1469,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["aws_security_group.app.id",{"_index":3332,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_security_group.bastion.id",{"_index":3334,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_security_group.bedrock_endpoint_sg.id",{"_index":1466,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html"
:{}}}],["aws_security_group.endpoint.id",{"_index":3526,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_security_group.nodes.id",{"_index":2848,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_security_group.quarantine.id",{"_index":2278,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_security_group_rul",{"_index":2845,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["aws_sns_topic.security_oncall.arn",{"_index":2184,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_ssm_docu",{"_index":3639,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_ssoadmin_account_assign",{"_index":1732,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_ssoadmin_inst",{"_index":1721,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_ssoadmin_managed_policy_attach",{"_index":1727,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["aws_ssoadmin_permission_set",{"_index":1722,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["aws_ssoadmin_permission_set.break_glass.arn",{"_index":2154,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["aws_ssoadmin_permission_set.read_only.arn",{"_index":1731,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["aws_subnet.private[*].id",{"_index":3419,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_subnet.private[0].id",{"_index":3590,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["aws_vpc",{"_index":3263,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_vpc.workload.id",{"_index":2264,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{}}}],["aws_vpc_bl
ock_public_access_opt",{"_index":3469,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["aws_vpc_endpoint",{"_index":1456,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["aws_vpc_security_group_ingress_rul",{"_index":3330,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["awsregion",{"_index":748,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{}}}],["ax",{"_index":3305,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["axi",{"_index":8283,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{},"oci/workloads.html":{}}}],["az",{"_index":3214,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/shared-responsibility.html":{}}}],["az.resourceid('microsoft.cognitiveservices/account",{"_index":4403,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["azopenai",{"_index":7862,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["azur",{"_index":129,"title":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}},"breadcrumb":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}},"description":{"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"index.html":
{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["azure.github.io/azur",{"_index":8086,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["azure.workload.identity/cli",{"_index":4996,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azure/data.html",{"_index":5518,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/data.html":{}}}],["azure/genai.html",{"_index":5757,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["azure/iam.html",{"_index":4739,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["azure/kubernetes.html",{"_index":5765,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["azure/logging.html",{"_index":4796,"title":{},"breadcrumb":{},"description":{},
"body":{"azure/ir.html":{},"azure/kubernetes.html":{},"general/logging.html":{}}}],["azure/network.html",{"_index":4938,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/network.html":{}}}],["azure/workloads.html",{"_index":8394,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["azure_active_directory_role_based_access_control",{"_index":5136,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azure_policy_en",{"_index":5101,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azure_rbac_en",{"_index":5139,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azureact",{"_index":3987,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["azuread",{"_index":4474,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["azuread_administr",{"_index":4194,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azuread_conditional_access_polici",{"_index":4669,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_directory_rol",{"_index":4479,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_directory_role_assign",{"_index":4481,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_group",{"_index":4553,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["azuread_group.emergency_access.object_id",{"_index":4766,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azuread_group.emergency_access_exclusions.object_id",{"_index":4560,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azu
read_group.ga_eligible.object_id",{"_index":4617,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_group.sql_admins.object_id",{"_index":4197,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azuread_group_memb",{"_index":4556,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["azuread_privileged_access_group_",{"_index":4613,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_privileged_access_group_eligibility_schedul",{"_index":4618,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azuread_us",{"_index":4545,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["azuread_user.break_glass",{"_index":4765,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azuread_user.breakglass",{"_index":4558,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["azurebastionsubnet",{"_index":5527,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurediagnost",{"_index":4096,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["azurekeyvault",{"_index":3889,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurekeyvaultkm",{"_index":5053,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurekeyvaultkms\\\":{\\\"enabled\\\":fals",{"_index":5059,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurepolici",{"_index":5114,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurepolicy\\\":{\\\"enabled\\\":fals",{"_index":5128,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm",{"_index":3925,
"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["azurerm_application_security_group.bastion.id",{"_index":5422,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_bastion_host",{"_index":5655,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_cognitive_account",{"_index":4221,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["azurerm_cognitive_account.aoai.id",{"_index":4317,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["azurerm_cognitive_account.aoai_private.id",{"_index":4349,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["azurerm_cognitive_account_rai_polici",{"_index":4301,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["azurerm_container_registri",{"_index":5697,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_container_registry.prod.id",{"_index":5704,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_container_registry_task",{"_index":5702,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_disk_encryption_set",{"_index":4126,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_disk_encryption_set.app.id",{"_index":4141,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_disk_encryption_set.app.identity[0].principal_id",{"_index":4132,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_federated_identity_credenti",{"_index":5004,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_key_vault",{"_index":5033,"title":{},"breadcrumb":{},"description":{
},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["azurerm_key_vault.aks_kms.id",{"_index":5040,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_key_vault.app.id",{"_index":4058,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_key_vault_key",{"_index":4055,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["azurerm_key_vault_key.aks_etcd.id",{"_index":5043,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_key_vault_key.cmk_disks.versionless_id",{"_index":4130,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_key_vault_key.cmk_storage.nam",{"_index":4076,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_kubernetes_clust",{"_index":4943,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_kubernetes_cluster.hardened.id",{"_index":5141,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_kubernetes_cluster.hardened.oidc_issuer_url",{"_index":5009,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_linux_virtual_machin",{"_index":5575,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_log_analytics_workspac",{"_index":5068,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["azurerm_log_analytics_workspace.aks.id",{"_index":5071,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_log_analytics_workspace.central.id",{"_index":5207,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["azurerm_log_analytics_workspace.security.id",{"_index":4770,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_logic_app_trig
ger_http_request",{"_index":4833,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_logic_app_workflow",{"_index":4831,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_logic_app_workflow.isolate_vm.id",{"_index":4835,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_managed_disk",{"_index":4133,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_management_group_policy_assign",{"_index":3939,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["azurerm_monitor_diagnostic_set",{"_index":4395,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["azurerm_mssql_serv",{"_index":4188,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_mssql_server.app.id",{"_index":4202,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_mssql_server.app.identity[0].principal_id",{"_index":4199,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_mssql_server_transparent_data_encrypt",{"_index":4200,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_network_interfac",{"_index":5567,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_network_interface.vm.id",{"_index":5578,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_network_security_group",{"_index":4821,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{}}}],["azurerm_network_security_group.app_subnet.id",{"_index":5426,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_network_security_group.app_subnet.nam",{"_index":5416,"title":{},"breadcrumb":{},"description":{
},"body":{"azure/network.html":{}}}],["azurerm_network_security_rul",{"_index":5413,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_policy_set_definit",{"_index":5102,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_private_dns_zon",{"_index":5486,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_private_dns_zone.blob.id",{"_index":5496,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_private_dns_zone.blob.nam",{"_index":5490,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_private_dns_zone_virtual_network_link",{"_index":5487,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_private_endpoint",{"_index":4343,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["azurerm_public_ip",{"_index":5653,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_public_ip.bastion.id",{"_index":5664,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_resource_group",{"_index":5371,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["azurerm_resource_group.aks.id",{"_index":5106,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_resource_group.aks.nam",{"_index":4944,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_resource_group.app.loc",{"_index":5569,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_resource_group.app.nam",{"_index":5568,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_resource_group.compute.loc",{"_index":4128,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],
["azurerm_resource_group.compute.nam",{"_index":4127,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_resource_group.data.loc",{"_index":3930,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["azurerm_resource_group.data.nam",{"_index":3929,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["azurerm_resource_group.forensic.nam",{"_index":4888,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_resource_group.net.loc",{"_index":5374,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["azurerm_resource_group.net.nam",{"_index":5373,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["azurerm_resource_group.security.nam",{"_index":4822,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_resource_group_policy_assign",{"_index":5104,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_role_assign",{"_index":4068,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{}}}],["azurerm_security_center_subscription_pr",{"_index":5072,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["azurerm_sentinel_alert_rule_schedul",{"_index":4767,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_sentinel_automation_rul",{"_index":4836,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_storage_account",{"_index":3927,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{}}}],["azurerm_storage_account.app.id",{"_index":4074,"title":{},"breadcrumb":{},"descript
ion":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["azurerm_storage_account.app.identity[0].principal_id",{"_index":4071,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_storage_account.forensic.id",{"_index":4904,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_storage_account.forensic.nam",{"_index":4895,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_storage_account_customer_managed_key",{"_index":4072,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["azurerm_storage_contain",{"_index":4892,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_storage_container.ir_evidence.resource_manager_id",{"_index":4900,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_storage_container_immutability_polici",{"_index":4898,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["azurerm_subnet",{"_index":5649,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_subnet.app.id",{"_index":5424,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_subnet.bastion.id",{"_index":5662,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_subnet.pe_data.id",{"_index":3936,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["azurerm_subnet_network_security_group_associ",{"_index":5423,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_user_assigned_ident",{"_index":5003,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_user_assigned_identity.aks_cluster.id",{"_index":4957,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_user_assigned_identity.app.id",{"_index":5006,"title":{},"bre
adcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["azurerm_virtual_network",{"_index":5372,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azurerm_virtual_network.hub.nam",{"_index":5651,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["azurerm_virtual_network.workload.id",{"_index":5492,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["azureservic",{"_index":3914,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["azureus",{"_index":5565,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/workloads.html":{}}}],["b",{"_index":587,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{}}}],["b.get('memb",{"_index":6281,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["b.get('members',[])]\"</cod",{"_index":6282,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["b.members.exists(m",{"_index":7140,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["b1ff04bb",{"_index":5148,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["b2b",{"_index":4432,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"oci/iam.html":{}}}],["b724",{"_index":5120,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["b7a1",{"_index":5457,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["back",{"_index":628,"title":{},"bread
crumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["backbon",{"_index":1435,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["backdoor",{"_index":3135,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["backdoor:ec2/c&cactivity.b!dn",{"_index":2246,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["backdrop",{"_index":8323,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}},"body":{}}],["backend",{"_index":5361,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/iam.html":{}}}],["backfil",{"_index":6726,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/log
ging.html":{},"oci/logging.html":{}}}],["background",{"_index":6645,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["backlog",{"_index":2326,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"general/ir.html":{}}}],["backstop",{"_index":492,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["backup",{"_index":792,"title":{},"breadcrumb":{},"description":{"general/data.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["backup_configur",{"_index":6049,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["backup_retention_period",{"_index":833,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["backupconfigur",{"_index":6080,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["backupconfiguration.backupretentionsettings.retainedbackup",{"_index":6072,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["backward",{"_index":2832,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/network.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["bad",{"_index":3094,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["bafin",{"_index":8562,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bak",{"_index":4175,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["bake",{"_index":1946,"title":{},"breadcrumb":{},"descript
ion":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"gcp/iam.html":{},"gcp/network.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["balanc",{"_index":3289,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"oci/network.html":{}}}],["ban",{"_index":3476,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/methodology.html":{},"general/network.html":{},"oci/network.html":{}}}],["band",{"_index":1932,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["bandwidth",{"_index":8501,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bank",{"_index":8024,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/data.html":{}}}],["bar",{"_index":5525,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["bare",{"_index":7861,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["barrier",{"_index":2475,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{}}}],["base",{"_index":989,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"gcp/logging.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloa
ds.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["base64",{"_index":1644,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/ir.html":{}}}],["base_image_trigg",{"_index":5711,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["baselin",{"_index":1213,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{},"general/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["baseline.yaml",{"_index":3073,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["baseline.yaml</cod",{"_index":3054,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["bash",{"_index
":343,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bash\">aw",{"_index":2494,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["bash\">az",{"_index":4958,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["bash\">gcloud",{"_index":6816,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["bash\">key_id=$(az",{"_index":5045,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["bash\">law_id=$(az",{"_index":5073,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["bash\">oci",{"_index":9119,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["basi",{"_index":1390,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/data.html":{},"azure/workloads.html":{},"general/data.html":{}}}],["basic",{"_index":1169,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["basic_clust",{"_index":9100,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["bastion",{"_index":3336,"title":{},"breadcrumb":{},"description"
:{"azure/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bastion'",{"_index":9558,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["bastion/jump",{"_index":3329,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["bastion/jumpbox",{"_index":9135,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["bastion_id",{"_index":9544,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["bastion_nsg_ocid",{"_index":9384,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["bastion_ocid",{"_index":9514,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["bastion_ti",{"_index":9395,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["bastion_typ",{"_index":9536,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["bastioncidr",{"_index":9401,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["bastionnam",{"_index":5666,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["bastionsubnetid",{"_index":5667,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["batch",{"_index":1679,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/logging.html":{}}}],["batch@${var.batch_project_id}.iam.gserviceaccount.com",{"_index":7106,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["batch@project.iam.gservice
account.com",{"_index":7101,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["bbb",{"_index":2498,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["bbb,endpointpublicaccess=false,endpointprivateaccess=tru",{"_index":2638,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["bbc8",{"_index":5122,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["be",{"_index":439,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["beacon",{"_index":8277,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["bear",{"_index":4281,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["bearer",{"_index":4941,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/iam.html":{}}}],["beat",{"_index":5178,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["bec",{"_index":4710,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/threat-model.html":{}}}],["becom",{"_index":385,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai
.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bedrock",{"_index":982,"title":{"aws/genai.html":{}},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["bedrock.amazonaws.com",{"_index":1248,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock.cfnguardrail(thi",{"_index":1226,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:deleteguardrail",{"_index":1231,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:deleteguardrailvers",{"_index":1407,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:inferenceprofilearn",{"_index":1032,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:invokemodel",{"_index":1022,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:invokemodelwithresponsestream",{"_index":1023,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:modelid",{"_index":1031,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock:updateguardrail",{"_index":1236,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_agent_rol",{"_index":1298,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_control",{"_index":1468,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_endpoint_sg",{"_index":1470,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_invoke_attach",{"_i
ndex":1070,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_invoke_scop",{"_index":1062,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrock_runtim",{"_index":1457,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockfullaccess",{"_index":1139,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockinvokeonemodel",{"_index":1094,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockinvokeonlypolici",{"_index":1084,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockinvokerprop",{"_index":1090,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockinvokerrol",{"_index":1077,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockinvokerstack",{"_index":1091,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["bedrockruntimeendpoint",{"_index":1488,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["befor",{"_index":79,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernete
s.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["began",{"_index":7895,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["begin",{"_index":2413,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["behalf",{"_index":4934,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["behav",{"_index":7810,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/kubernetes.html":{}}}],["behavior",{"_index":5066,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["behaviour",{"_index":1930,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/logging.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["behind",{"_index":1914,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"gcp/network.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["belief",{"_index":8011,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{}}}],["believ",{"_index":667,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/kubernetes.html":{}}}],["belong",{"_index":5778,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/network.html":{},"general/workloads.html":{}}}],["below",{"_index":26,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":
{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bench",{"_index":8076,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["benchmark",{"_index":90,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["
benchmark.git",{"_index":7131,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["beneath",{"_index":8225,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/workloads.html":{}}}],["benefit",{"_index":4861,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/network.html":{}}}],["besid",{"_index":4633,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["best",{"_index":97,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["beta",{"_index":4656,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["better",{"_index":4302,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/workloads.html":{}}}],["between",{"_index":1606,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html
":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["beyond",{"_index":563,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["bg",{"_index":4567,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["bg.id",{"_index":4573,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["bg01",{"_index":4884,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["bg01@contoso.onmicrosoft.com",{"_index":4771,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["bg02",{"_index":2158,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["bg02@contoso.onmicrosoft.com",{"_index":4772,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["bg_in_exclus",{"_index":4557,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["bg_user_id",{"_index":4537,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["bg_user_id=$(az",{"_index":4535,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["bg_user_ocid",{"_index":8962,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["bgp",{"_index":7212,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/network.html":{}}}],["bicep",{"_index":3948,"title"
:{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"index.html":{}}}],["bicep\">targetscop",{"_index":3949,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["bicep/terraform",{"_index":4414,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["bidirect",{"_index":3460,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/ir.html":{},"azure/workloads.html":{},"general/compliance-frameworks.html":{}}}],["bidirectional</cod",{"_index":3482,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["biggest",{"_index":1532,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/iam.html":{}}}],["bigqueri",{"_index":5788,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{}},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["bigquery.googleapis.com",{"_index":5905,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{}}}],["bigquery.googleapis.com/projects/${var.sec_project_id}/datasets/${google_bigquery_dataset.org_audit.dataset_id",{"_index":7066,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["bigquery.googleapis.com/projects/sec",{"_index":7047,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["bigquery/cloud",{"_index":7116,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging
.html":{}}}],["bigquery_opt",{"_index":7067,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["bigquerydatasetref",{"_index":6996,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["bill",{"_index":2976,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["billing/sla",{"_index":9446,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["billion",{"_index":2431,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["binari",{"_index":1861,"title":{},"breadcrumb":{},"description":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}},"body":{"aws/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["binary_author",{"_index":6930,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["binaryauthorization.cnrm.cloud.google.com/v1beta1",{"_index":6935,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["binaryauthorization.googleapis.com",{"_index":6944,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["binaryauthorizationpolici",{"_index":6936,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["binauthz",{"_index":6915,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["bind",{"_index":2006,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/data.html":{
},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bindings.memb",{"_index":6276,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["bindings.members:${project_numb",{"_index":6547,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["bio",{"_index":5542,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["birth",{"_index":8799,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["bit",{"_index":9209,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["bitcoin",{"_index":6655,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["bite",{"_index":5682,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["bitlocker/dm",{"_index":4110,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["blackout",{"_index":7011,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["blade",{"_index":4640,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{}}}],["blank",{"_index":5749,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["blanket",{"_index":2977,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["blast",{"_index":329,"title":{},"breadcrumb":{},"descript
ion":{"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bless",{"_index":8397,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["blind",{"_index":2886,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/workloads.html":{}}}],["blizzard",{"_index":2119,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["blob",{"_index":3848,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/ir.html":{}},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/ir.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["blob/file/queue/t",{"_index":3863,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["blob/queue/table/fil",{"_index":5271,"title":
{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["blob</cod",{"_index":5485,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["blob_app",{"_index":5488,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["blob_properti",{"_index":4890,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["blobservic",{"_index":5257,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["blobsvc",{"_index":5273,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["block",{"_index":31,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/network.html":{},"azure/iam.html":{},"oci/data.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["block_low_and_abov",{"_index":6217,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["block_medium_and_abov",{"_index":6172,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/genai.html":{}}}],["block_non",{"_index":1376,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["b
lock_only_high",{"_index":6216,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["block_public_acl",{"_index":356,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["block_public_polici",{"_index":357,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["blocked_input_messag",{"_index":1207,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["blocked_outputs_messag",{"_index":1208,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["blockedinputmessag",{"_index":1216,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["blockedoutputsmessag",{"_index":1217,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["blockedport1",{"_index":3339,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["blockedport2",{"_index":3340,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["blockedport3",{"_index":3341,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["blockedport4",{"_index":3342,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["blockedport5",{"_index":3343,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["blocking_en",{"_index":4320,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["blocklist",{"_index":2617,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["blockpublicaccess",{"_index":2391,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["blockpublicacl",{"_index":266,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["blockpublicacls\":fals",{"_index":464,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["blockpublicacls=true,ignorepublicacls=true,blockpublicpolicy=true,restrictpublicbuc
kets=tru",{"_index":347,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["blockpublicpolici",{"_index":268,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["blockvol",{"_index":8625,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["blog",{"_index":1558,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["blue",{"_index":8021,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["blueprint",{"_index":8312,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["blur",{"_index":5159,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["board",{"_index":7620,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/iam.html":{},"general/index.html":{}}}],["bodi",{"_index":2656,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bolt",{"_index":8408,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["bool",{"_index":1580,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["boolean",{"_index":483,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/iam.html":{},"gcp/network.html":{
},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["boolifexist",{"_index":1820,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["boot",{"_index":5513,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["boot_disk",{"_index":7437,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["bootdisk",{"_index":7449,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["bootkit",{"_index":5537,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["bootload",{"_index":5523,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["bootstrap",{"_index":4604,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/kubernetes.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["bootstrap_cluster_creator_admin_permiss",{"_index":2489,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["bot",{"_index":5238,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["botch",{"_index":2125,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["both",{"_index":145,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},
"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bottlerocket",{"_index":2449,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"general/kubernetes.html":{}}}],["bottlerocket/al2023",{"_index":2024,"title":{},"breadcrumb":{},"description":{},"body":{"aws/index.html":{}}}],["bottom",{"_index":125,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bound",{"_index":1334,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernet
es.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["boundari",{"_index":630,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["box",{"_index":4799,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bpa",{"_index":155,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"gcp/data.html":{}}}],["bq",{"_index":6781,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["branch",{"_index":3279,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/iam.html":{},"gcp/logging.html":{
},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["brand",{"_index":3769,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"oci/data.html":{}}}],["breach",{"_index":1794,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["breadth",{"_index":7815,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["break",{"_index":629,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"index.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["break_glass",{"_index":2151,"title":
{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["break_glass_admin",{"_index":2153,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["break_glass_in_exclus",{"_index":4764,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["break_glass_signin",{"_index":4768,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/ir.html":{}}}],["break_glass_us",{"_index":2169,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["break_glass_user_ocid",{"_index":9004,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["breakglass",{"_index":2166,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["breakglass01@${tenant_domain",{"_index":4532,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["breakglass02",{"_index":4547,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["breakglass_01_org_admin",{"_index":6614,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["breakglass_02_org_admin",{"_index":6617,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["breakglass_signin",{"_index":6619,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["breakglass_signin_alert",{"_index":6627,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["breakglassadmin",{"_index":2136,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["breakglassassumerol",{"_index":2146,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["breakglassdomainocid",{"_index":8987,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["breakglassexclusiongroupid",{"_index":4678,"title":{},"breadcrumb":{},"description
":{},"body":{"azure/iam.html":{}}}],["breakglassidcsendpoint",{"_index":8989,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["breakglassobjectid",{"_index":4572,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["breakglasspolici",{"_index":8994,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["breakglassprop",{"_index":2191,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["breakglassrol",{"_index":2186,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["breakglassrolestack",{"_index":2192,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["breakglassrost",{"_index":4783,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["breakglassupn",{"_index":4564,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["breakglassus",{"_index":2172,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["breakglassuser.id",{"_index":8998,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["breakglassuserocid",{"_index":8997,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["bridg",{"_index":2824,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"oci/workloads.html":{}}}],["brief",{"_index":5549,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["briefli",{"_index":6905,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["bring",{"_index":5816,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/d
ata.html":{},"gcp/kubernetes.html":{},"oci/data.html":{}}}],["broad",{"_index":699,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["broadcast",{"_index":8249,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["broaden",{"_index":6132,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/network.html":{}}}],["broader",{"_index":664,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["broadest",{"_index":7878,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["broadli",{"_index":2588,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"oci/workloads.html":{}}}],["broke",{"_index":9062,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["broken",{"_index":2739,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["broker",{"_index":5634,"title":{},"breadcrumb":{},"description":{},"body":{"azur
e/workloads.html":{},"general/network.html":{}}}],["bronze_policy_ocid\"</cod",{"_index":8623,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["brown",{"_index":5545,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["brows",{"_index":7914,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"search.html":{}}}],["browsabl",{"_index":3907,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["browser",{"_index":8367,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"search.html":{}}}],["brute",{"_index":3144,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["bsi",{"_index":7644,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["bu",{"_index":4803,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/ir.html":{}}}],["bucket",{"_index":159,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{},"gcp/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["bucket\
"</cod",{"_index":6760,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["bucket'",{"_index":493,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"oci/logging.html":{}}}],["bucket.nam",{"_index":8550,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bucket_cmk",{"_index":8584,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bucket_cmk_ocid",{"_index":8504,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bucket_key_en",{"_index":609,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["bucket_nam",{"_index":8768,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["bucket_ocid",{"_index":9287,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["bucket_read_onli",{"_index":8519,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bucket_sa_encrypt",{"_index":5939,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["bucketencrypt",{"_index":615,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["bucketkeyen",{"_index":579,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["bucketnam",{"_index":611,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"oci/data.html":{}}}],["buckets.lockretentionpolici",{"_index":6765,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["buckets.upd",{"_index":5872,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["buckets[].nam",{"_index":581,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["budget",{"_index":7657,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["buffer",{"_index":9064,"title":{
},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["bug",{"_index":3568,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/compliance-frameworks.html":{},"oci/workloads.html":{}}}],["buggi",{"_index":2251,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["build",{"_index":2104,"title":{},"breadcrumb":{},"description":{"oci/workloads.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["build/check",{"_index":8207,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["build/gd",{"_index":2274,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["build/mak",{"_index":5770,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"search.html":{}}}],["build_attestor",{"_index":6926,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["build_config",{"_index":6692,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["build_spec",{"_index":9599,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["builder",{"_index":3534,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/workloads.html":{}}}],["built",{"_index":690,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":
{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/workloads.html":{},"search.html":{}}}],["built_by_prod_ci",{"_index":7539,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["built_by_prod_ci_not",{"_index":7535,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["built_in_control",{"_index":4676,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["builtincontrol",{"_index":4664,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["bulk",{"_index":8327,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["bullet",{"_index":8162,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["bump",{"_index":7627,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["bundl",{"_index":307,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/network.html":{},"oci/logging.html":{}}}],["bundle=al",{"_index":7356,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["burden",{"_index":7389,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["busi",{"_index":1446,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/
logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/logging.html":{}}}],["button",{"_index":8469,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["buy",{"_index":4179,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["bv",{"_index":8611,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{}}}],["by=us",{"_index":6408,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["byok",{"_index":680,"title":{},"breadcrumb":{},"description":{"azure/data.html":{}},"body":{"aws/data.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"general/data.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["byok/hyok",{"_index":8471,"title":{},"breadcrumb":{},"description":{"oci/data.html":{}},"body":{}}],["byok_prod",{"_index":8589,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["bypass",{"_index":856,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["bypasscodeen",{"_index":8886,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["byte",{"_index":2737,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/dat
a.html":{},"general/data.html":{},"oci/workloads.html":{}}}],["c",{"_index":2007,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/threat-model.html":{}}}],["c.get('service')=='aiplatform.googleapis.com']\"</cod",{"_index":6248,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["c2",{"_index":3146,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/network.html":{}}}],["ca",{"_index":4423,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["ca001",{"_index":4659,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ca002",{"_index":4721,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["cabl",{"_index":7976,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["cach",{"_index":2624,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/workloads.html":{},"general/iam.html":{}}}],["cadenc",{"_index":1343,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["caexclud",{"_index":4569,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["caexclusiongroupid",{"_index":4566,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["caexclusiongroupid}/${bg.id",{"_index":4571,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["calendar",{"_index":6728,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"oci/kubernetes.html":{}}}],["calibr",{"_index
":1614,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/data.html":{},"oci/iam.html":{}}}],["calico",{"_index":7013,"title":{},"breadcrumb":{},"description":{"oci/kubernetes.html":{}},"body":{"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["calicoaddon",{"_index":9191,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["call",{"_index":323,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["callback",{"_index":8260,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["caller",{"_index":509,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["calleripaddress",{"_index":451
5,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{}}}],["callout",{"_index":124,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["campaign",{"_index":3617,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"general/genai.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["cancel",{"_index":2676,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["candid",{"_index":530,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/methodology.html":{}}}],["canon",{"_index":113,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/net
work.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["canonical:0001",{"_index":5560,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["cap",{"_index":2888,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"oci/workloads.html":{}}}],["capabl",{"_index":1039,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["capac",{"_index":781,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/genai.html":{},"azure/logging.html":{}}}],["capit",{"_index":286,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"gcp/logging.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["captur",{"_index":919,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html
":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["capture_timestamp",{"_index":9065,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["capture_timestamp\":\"'\"$now",{"_index":9076,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["captured_at",{"_index":4866,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["captured_at=$(d",{"_index":4885,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["captured_bi",{"_index":4865,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/ir.html":{}}}],["captured_by\":\"'\"$responder_ocid",{"_index":9075,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["captured_by=respond",{"_index":4883,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["car",{"_index":2812,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["card",{"_index":4793,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/data.html":{}}}],["cardhold",{"_index":7747,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["care",{"_index":2866,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["careless",{"_index":1850,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["carelessli",{"_index":2835,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kube
rnetes.html":{}}}],["carequiremfa",{"_index":4679,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["carri",{"_index":137,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["carrier'",{"_index":7960,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["carv",{"_index":3489,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["cascad",{"_index":8573,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["case",{"_index":516,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cat",{"
_index":936,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/workloads.html":{}}}],["catalog",{"_index":3866,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/data.html":{}}}],["catalogu",{"_index":204,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/iam.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["catastroph",{"_index":3197,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["catch",{"_index":472,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["categori",{"_index":1181,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["category\":\"administrative\",\"enabled\":tru",{"_index":5190,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],[
"category\":\"alert\",\"enabled\":tru",{"_index":5193,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"audit\",\"enabled\":true},{\"category\":\"requestresponse\",\"enabled\":true}]'</cod",{"_index":4394,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["category\":\"autoscale\",\"enabled\":tru",{"_index":5196,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"policy\",\"enabled\":tru",{"_index":5195,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"recommendation\",\"enabled\":tru",{"_index":5194,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"resourcehealth\",\"enabled\":tru",{"_index":5197,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"security\",\"enabled\":tru",{"_index":5191,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"servicehealth\",\"enabled\":tru",{"_index":5192,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"storagedelete\",\"enabled\":tru",{"_index":5249,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"storageread\",\"enabled\":tru",{"_index":5247,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"storagewrite\",\"enabled\":tru",{"_index":5248,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category\":\"transaction\",\"enabled\":true},{\"category\":\"capacity\",\"enabled\":tru",{"_index":5250,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["category=\"min",{"_index":6662,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["category=(\"cryptomin",{"_index":6648,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["category=
\\\"min",{"_index":6686,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["category=harmcategory.harm_category_dangerous_cont",{"_index":6201,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["category=harmcategory.harm_category_harass",{"_index":6202,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["category=harmcategory.harm_category_hate_speech",{"_index":6199,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["category=harmcategory.harm_category_sexually_explicit",{"_index":6203,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["categorygroup",{"_index":4405,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["caught",{"_index":879,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["caus",{"_index":1185,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/ir.html":{},"general/shared-responsibility.html":{}}}],["caveat",{"_index":78,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/logging.html":{},"oci/data.html":{}}}],["cbl",{"_index":8060,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["ccpa",{"_index":7740,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["cdk",{"_index":393,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["cdk.duration.hours(1",{"_index":2193,"title":{},"breadcrumb"
:{},"description":{},"body":{"aws/ir.html":{}}}],["cdk.stack",{"_index":402,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["cdk.stackprop",{"_index":406,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["ce",{"_index":9120,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cef",{"_index":5165,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["ceil",{"_index":3822,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"oci/kubernetes.html":{}}}],["cel",{"_index":6533,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/iam.html":{}}}],["cell",{"_index":1547,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["center",{"_index":1504,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"gcp/logging.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["center'",{"_index":1698
,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["centr",{"_index":4418,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/data.html":{},"general/network.html":{},"general/shared-responsibility.html":{}}}],["central",{"_index":2868,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{}},"body":{"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/logging.html":{},"general/network.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["central1",{"_index":5861,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["central1/keyrings/comput",{"_index":5991,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["central1/keyrings/data",{"_index":5949,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["central1/keyrings/gk",{"_index":6888,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["central1/keyrings/sql",{"_index":6062,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["centralis",{"_index":4171,"title":{},"breadcrumb":{},"description":{"general/logging.html":{}},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{},"general/iam.html":{},"general/index.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["centric",{"_index":8390,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["ceremoni",{"_index":8567,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/iam.html":{}}}],["cert",{"_index":4993,"title":{},"breadcrumb":{},"description":
{},"body":{"azure/kubernetes.html":{}}}],["certainti",{"_index":7093,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["certif",{"_index":2573,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{}}}],["certifi",{"_index":7128,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"oci/logging.html":{}}}],["certmanag",{"_index":9200,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cfg",{"_index":8535,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cfg.require(\"administratorsgroupocid",{"_index":8815,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["cfg.require(\"apinsgocid",{"_index":9127,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cfg.require(\"apisubnetocid",{"_index":9186,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cfg.require(\"availabilitydomain",{"_index":9482,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["cfg.require(\"bastioncidr",{"_index":9402,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["cfg.require(\"breakglassidcsendpoint",{"_index":8990,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["cfg.require(\"breakglassidentitydomainocid",{"_index":8988,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["cfg.require(\"compartmentocid",{"_index":8538,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.h
tml":{},"oci/workloads.html":{}}}],["cfg.require(\"forensickmskeyocid",{"_index":9096,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["cfg.require(\"idcsendpoint",{"_index":8877,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["cfg.require(\"identitydomainocid",{"_index":8879,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["cfg.require(\"imageocid",{"_index":9476,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["cfg.require(\"kmskeyocid",{"_index":8540,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["cfg.require(\"parentcompartmentocid",{"_index":8685,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["cfg.require(\"privateapisubnetocid",{"_index":9125,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cfg.require(\"sourcevolumeocid",{"_index":9094,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["cfg.require(\"sshauthorizedkey",{"_index":9478,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["cfg.require(\"subnetocid",{"_index":9474,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["cfg.require(\"tenancyocid",{"_index":8813,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["cfg.require(\"vcnocid",{"_index":9123,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["cfr",{"_index":7743,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{}}}],["cg_problem",{"_index":9045,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["cg_statu",{"_index":9332,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["cg_topic_ocid",{"_index":9021,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}
}}],["chain",{"_index":444,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{},"general/threat-model.html":{},"general/workloads.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["challeng",{"_index":1640,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["chang",{"_index":634,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html"
:{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["channel",{"_index":1885,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["channels=projects/project_id/notificationchannels/pd_channel_id",{"_index":6606,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["characteris",{"_index":8354,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["charg",{"_index":4253,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["chargeabl",{"_index":7025,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["chart",{"_index":8068,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["chat",{"_index":7956,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/genai.html":{}}}],["chatbot",{"_index":1418,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["cheap",{"_index":8128,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["cheaper",{"_index":5341,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cheapest",{"_index":7989,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/workloads.html":{}}}],["check",{"_index":565,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":
{},"azure/iam.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["checkbox",{"_index":7771,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/data.html":{}}}],["checklist",{"_index":7902,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["checkout",{"_index":3002,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cherri",{"_index":8194,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["children",{"_index":7045,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["china",{"_index":64,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["choic",{"_index":3556,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["choos",{"_index":2627,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"index.html":{},"oci/network.html":{}}}],["chose",{"_index":6313,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/network.html":{}}}],["chosen",{"_index":1353,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure
/network.html":{},"general/index.html":{},"general/methodology.html":{}}}],["chronicl",{"_index":8131,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["chunk",{"_index":7821,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/shared-responsibility.html":{}}}],["churn",{"_index":2565,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["ci",{"_index":83,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ci/cd",{"_index":2982,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["ci/di
agnost",{"_index":2791,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["ci_",{"_index":8949,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["cidr",{"_index":890,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cidr>\",\"maxrequestaccessduration\":\"pt3h\"}]}]'</cod",{"_index":5648,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["cidr_block",{"_index":1480,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["cidrblock",{"_index":3439,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/kubernetes.html":{}}}],["cidrblock=0.0.0.0/0",{"_index":3456,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["cidrip",{"_index":3352,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["cidrip=0.0.0.0/0",{"_index":3371,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["cilium",{"_index":4971,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{}}}],["cipher",{"_index":7784,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["ciphertext",{"_index":924,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{}}}],["circia",{"_index"
:7968,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["circia'",{"_index":8010,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["circleci",{"_index":8347,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["circuit",{"_index":9347,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["cis_azure_v3",{"_index":5301,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cis_azure_v3_policy_set_definition_id",{"_index":5300,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cis_set_id",{"_index":5294,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cis_set_id=\"/providers/microsoft.authorization/policysetdefinitions/<ci",{"_index":5292,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cisa",{"_index":4437,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["cisa'",{"_index":7795,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{}}}],["cisecurity.org/benchmark/kubernet",{"_index":8090,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["citat",{"_index":7650,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/index.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["citations.sh",{"_index":8208,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["cite",{"_index":4434,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ia
m.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["civilian",{"_index":4650,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["claim",{"_index":711,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/network.html":{},"gcp/iam.html":{},"general/index.html":{},"general/methodology.html":{}}}],["clarifi",{"_index":1545,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["class",{"_index":287,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["class=\"callout",{"_index":9102,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"search.html":{}}}],["class=\"compli",{"_index":8188,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["class=\"control",{"_index":5772,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.ht
ml":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["class=\"languag",{"_index":342,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["class=\"sourc",{"_index":8206,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["class=\"threat",{"_index":8385,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["class=standard",{"_index":5838,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["classic",{"_index":8213,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/threat-model.html":{}}}],["classif",{"_index":105,"title":{},"breadcrumb":{},"description":{"general/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["classifi",{"_index":774,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/data.html":{},"azure/logging.html"
:{},"gcp/genai.html":{},"general/data.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{}}}],["claus",{"_index":7659,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["cld",{"_index":7673,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["cld.10.1.1",{"_index":7693,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["cld.10.1.2",{"_index":7804,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["cld.12.1.5",{"_index":1115,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"general/compliance-frameworks.html":{},"oci/genai.html":{}}}],["cld.12.4.1",{"_index":8159,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["cld.12.4.5",{"_index":2733,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/genai.html":{}}}],["cld.13.1.4",{"_index":1496,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["cld.6.3.1",{"_index":1403,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["cld.8.1.5",{"_index":7674,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["cld.9.5.1",{"_index":7675,"title":{},"breadcrumb":{},"description":{},"body":{"general/complianc
e-frameworks.html":{},"general/workloads.html":{}}}],["cld.9.5.2",{"_index":2805,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"oci/kubernetes.html":{}}}],["cld.x.y.z",{"_index":8189,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["clean",{"_index":5735,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"oci/ir.html":{}}}],["cleanest",{"_index":9234,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["cleanli",{"_index":2046,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{}}}],["cleanup",{"_index":3498,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["clear",{"_index":3115,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/methodology.html":{}}}],["clearer",{"_index":5399,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["clearest",{"_index":8341,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["cleartext",{"_index":4020,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/iam.html":{}}}],["cli",{"_index":340,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{}
,"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["click",{"_index":2319,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"general/methodology.html":{},"index.html":{}}}],["client",{"_index":3603,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["client_app_typ",{"_index":4671,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["client_cidr_block_allow_list",{"_index":9538,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["clientapptyp",{"_index":4662,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["clientappus",{"_index":4584,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["clientcidrblockallowlist",{"_index":9559,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["clock",{"_index":1937,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/ir.html":{}}}],["clone",{"_index":7129,"title":{},"breadcrumb":{},"description":{},"body":{"g
cp/logging.html":{},"gcp/workloads.html":{},"general/ir.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["close",{"_index":233,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["closest",{"_index":3405,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["closur",{"_index":3811,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/logging.html":{},"general/ir.html":{}}}],["cloud",{"_index":3,"title":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html
":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"breadcrumb":{"general/threat-model.html":{}},"description":{"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/index.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"search.html":{}},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["cloud'",{"_index":5168,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/
iam.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["cloud.google.com",{"_index":5793,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["cloud.google.com/kubernet",{"_index":8098,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["cloud/debian",{"_index":5983,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["cloud/global/images/family/debian",{"_index":7453,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["cloud/global/images/family/ubuntu",{"_index":7440,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["cloudaudit.googleapis.com/act",{"_index":6382,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["cloudaudit_googleapis_com_",{"_index":6784,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["cloudflar",{"_index":8253,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["cloudform",{"_index":380,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"index.html":{}}}],["cloudfunctions.googleapis.com",{"_index":6714,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["cloudident",{"_index":6454,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["cloudidentity.googleapis.com/groups.discussion_forum",{"_index":6448,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["cloudidentity.googleapis.com/groups.secur",{"_index":6459,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["cloudidentity.group(\"admin",{"_index":6456,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["cloudkms
.googleapis.com",{"_index":6892,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["cloudpostur",{"_index":5334,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cloudresourcemanager.googleapis.com",{"_index":7109,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["cloudsql",{"_index":6004,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["cloudsql.iam_authent",{"_index":6055,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["cloudtrail",{"_index":240,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/logging.html":{}}}],["cloudtrail.amazonaws.com",{"_index":2955,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cloudtrail:deletetrail",{"_index":2954,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cloudtrail:stoplog",{"_index":2948,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cloudtrail:updatetrail",{"_index":2951,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cloudwatch",{"_index":470,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/genai.html":{},"general/logging.html":{}}}],["cloudwatchencryptionen",{"_index":3650,"title":{},"breadcrumb":{},"description":{},"body":{"a
ws/workloads.html":{}}}],["cloudwatchencryptionenabled=tru",{"_index":3632,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["cloudwatchloggroupnam",{"_index":3631,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["cluster",{"_index":779,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cluster'",{"_index":2571,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["cluster.id",{"_index":9140,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cluster/audit",{"_index":8101,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["cluster/clust",{"_index":2699,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["cluster</cod",{"_index":5144,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["cluster</div",{"_index":9104,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cluster=cluster_nam",{"_index":6970,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["cluster_id",{"_i
ndex":9179,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cluster_nam",{"_index":1980,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["cluster_ocid",{"_index":8781,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["cluster_pod_network_opt",{"_index":9176,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["clusteradminroleid",{"_index":5147,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["clusteradmissionrul",{"_index":6920,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["clusterautoscal",{"_index":9201,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["clusterid",{"_index":9193,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["clusterkmskey",{"_index":2532,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusterkmskeyarn",{"_index":2503,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusterlog",{"_index":2513,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusterlogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllermanager\",\"scheduler\"],\"enabled\":tru",{"_index":2748,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusterlogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllermanager\",\"scheduler\"],\"enabled\":true}]}'</cod",{"_index":2703,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusternam",{"_index":2501,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}}}],["clusterocid",{"_index":9139,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["clusterpodnetwork
opt",{"_index":9189,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["clusterref",{"_index":6973,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["clusterrol",{"_index":8049,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["clusterrolearn",{"_index":2502,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["clusterrolebind",{"_index":8050,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["clustersecuritygroupid",{"_index":2855,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["cluster→km",{"_index":6903,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["cm",{"_index":3085,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cmek",{"_index":5787,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{},"gcp/genai.html":{},"oci/data.html":{}},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"index.html":{},"oci/data.html":{}}}],["cmek_endpoint",{"_index":6328,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["cmk",{"_index":38,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/lo
gging.html":{},"azure/data.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"general/data.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["cmk_storag",{"_index":4056,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["cmmc",{"_index":7642,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["cnapp",{"_index":6573,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["cncf",{"_index":8425,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["cni",{"_index":4726,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"azure/index.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["cni_typ",{"_index":9177,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cnityp",{"_index":9190,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["cnrm.cloud.google.com/project",{"_index":5859,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["co",{"_index":3574,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/network.html":{},"gcp/iam.html":{}}}],["coarser",{"_index":3885,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/network.html":{}}}],["code",{"_index":341,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.
html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["codifi",{"_index":101,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["coerc",{"_index":7767,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["coexist",{"_index":7350,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["cognit",{"_index":4255,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["cognitive_account_id",{"_index":4316,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["cognitiveservic",{"_index":4216,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["coher",{"_index":2882,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["cold",{"_index":7912,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["coldlin",{"_index":8127,"title":{},"breadcrumb":{
},"description":{},"body":{"general/logging.html":{}}}],["collabor",{"_index":4433,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["collaps",{"_index":3278,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["collater",{"_index":7732,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["collect",{"_index":2089,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["color",{"_index":3698,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/methodology.html":{}}}],["colors.j",{"_index":3700,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["colour",{"_index":8158,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/shared-responsibility.html":{}}}],["column",{"_index":139,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["columnar",{"_index":2426,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["com",{"_index":5561,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html"
:{},"gcp/network.html":{}}}],["com.amazonaws.${aws::region}.bedrock",{"_index":1491,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["com.amazonaws.${aws::region}.km",{"_index":3528,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.amazonaws.${aws::region}.ssm",{"_index":3530,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.amazonaws.${region}.bedrock",{"_index":1454,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["com.amazonaws.${var.region}.bedrock",{"_index":1461,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["com.amazonaws.${var.region}.km",{"_index":3525,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.amazonaws.${var.region}.s3",{"_index":3517,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.amazonaws.<region>.bedrock",{"_index":1434,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["com.amazonaws.eu",{"_index":3508,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.amazonaws.{region}.bedrock",{"_index":1498,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["com.amazonaws.{region}.s3",{"_index":3532,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["com.oraclecloud.identitycontrolplane.signin",{"_index":8958,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["combin",{"_index":1957,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general
/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["come",{"_index":7925,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/methodology.html":{}}}],["command",{"_index":167,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["comment",{"_index":1016,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/genai.html":{}}}],["commerci",{"_index":61,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["commit",{"_index":773,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}]
,["commod",{"_index":8336,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"oci/data.html":{}}}],["common",{"_index":903,"title":{},"breadcrumb":{},"description":{"general/genai.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["commonli",{"_index":2323,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["commun",{"_index":310,"title":{},"breadcrumb":{},"description":{"general/ir.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["compani",{"_index":7474,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/iam.html":{}}}],["companion",{"_index":7625,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["compar",{"_index":1531,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}
,"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/kubernetes.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["comparison",{"_index":3797,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/ir.html":{},"general/workloads.html":{}}}],["comparison=comparison_gt",{"_index":6611,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["comparison_gt",{"_index":6633,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["comparison_oper",{"_index":2175,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["comparisonoper",{"_index":2725,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["compart",{"_index":7880,"title":{},"breadcrumb":{},"description":{"oci/genai.html":{},"oci/iam.html":{}},"body":{"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compartment'",{"_index":9068,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["compartment_id",{"_index":8511,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compartment_ocid",{"_index":8522,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compartment_ok",{"_index":8700,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["
compartmentid",{"_index":8537,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compartmentid\":\"'\"$workload_compartment_ocid",{"_index":9579,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["compartmentnam",{"_index":8792,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["compat",{"_index":2833,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["compel",{"_index":7802,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["compens",{"_index":1378,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/workloads.html":{}}}],["competit",{"_index":7734,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["compil",{"_index":8402,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{},"oci/iam.html":{}}}],["complement",{"_index":1853,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["complementari",{"_index":3034,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["complet",{"_index":1375,"title":{},"breadcrum
b":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["complianc",{"_index":133,"title":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}},"breadcrumb":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}},"description":{"compliance-matrix.html":{},"gcp/logging.html":{},"general/index.html":{},"general/kubernetes.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["compliancereso
urcetyp",{"_index":838,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["compliant",{"_index":1922,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/methodology.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["compon",{"_index":4299,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["compos",{"_index":5894,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["composit",{"_index":9030,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["compositeoper",{"_index":9031,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["compound",{"_index":3243,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/genai.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compress",{"_index":2067,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"azure/ir.html":{}}}],["compromis",{"_index":550,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp
/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compromised_volume_ocid",{"_index":9073,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["compuls",{"_index":555,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["comput",{"_index":1054,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{},"oci/workloads.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["compute.cnrm.cloud.google.com/v1beta1",{"_index":5986,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["compute.diskcreateoption.copi",{"_index":4922,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["compute.diskcreateoptiontypes.fromimag",{"_index":5626,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["compute.googleapi
s.com",{"_index":5903,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["compute.googleapis.com/disk",{"_index":6000,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["compute.googleapis.com/inst",{"_index":6562,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["compute.googleapis.com/integr",{"_index":6984,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["compute.googleapis.com/serviceattach",{"_index":7343,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["compute.networkaccesspolicy.denyal",{"_index":4924,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["compute.networkus",{"_index":7344,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["compute.publicnetworkaccess.dis",{"_index":4925,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["compute.resourceidentitytype.systemassign",{"_index":5624,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["compute.securitytypes.trustedlaunch",{"_index":5625,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["compute.skipdefaultnetworkcr",{"_index":7239,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["compute.snapshot(\"forens",{"_index":4919,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["compute.snapshots.usereadonli",{"_index":5964,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["compute.snapshotstorageaccounttypes.standard_zr",{"_index":4921,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["compute.storageaccounttypes.premium_lr",{"_index":5627,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["compute.virtualmachine(\"vm",{"_index":5623,"title
":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["compute@developer.gserviceaccount.com",{"_index":6090,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{}}}],["computedisk",{"_index":5987,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["computefirewal",{"_index":7279,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["computeinst",{"_index":7446,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["computernam",{"_index":5607,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["computesubnetwork",{"_index":7331,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["conced",{"_index":7728,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["concentr",{"_index":8144,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/network.html":{},"oci/iam.html":{}}}],["concept",{"_index":5363,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"oci/network.html":{}}}],["conceptu",{"_index":6348,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/shared-responsibility.html":{}}}],["concern",{"_index":2830,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["concret",{"_index":2052,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"index.html":{}}}],["concurr",{"_index":2669,"title":{},"breadcrum
b":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{}}}],["condit",{"_index":376,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["condition='assertion.repository_own",{"_index":6486,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["condition='expression=resource.name.startswith(\"projects/svc",{"_index":6673,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["condition_json",{"_index":4837,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["condition_threshold",{"_index":6630,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["conditionalaccesspolici",{"_index":4682,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["conditionalaccesspolicyevalu",{"_index":4685,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["conditionalaccessstatu",{"_index":4585,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["conditiongroup",{"_index":9016,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["conditionproperti",{"_index":4839,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["conditiontyp",{"_index":4838,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/ir.html":{}}}],["conduct",{"_index":8384,"title":{},"breadcrumb":{},"description":{},"body":{"gene
ral/threat-model.html":{}}}],["confid",{"_index":1675,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/ir.html":{}}}],["confidenti",{"_index":1441,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"aws/genai.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["config",{"_index":725,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["config)2.x",{"_index":9326,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["config.amazonaws.com",{"_index":3103,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["config:deleteconfigurationrecord",{"_index":3091,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["config:deletedeliverychannel",{"_index":3092,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["config:putconfigurationrecord",{"_index":3097,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["config:stopconfigurationrecord",{"_index":3087,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],
["config_clon",{"_index":9314,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["config_id",{"_index":6680,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["config_src_provider_ocid",{"_index":8523,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["configbucketnam",{"_index":3076,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configbucketname</cod",{"_index":3083,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configdeliverychannel",{"_index":3081,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configmap",{"_index":2681,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/kubernetes.html":{}}}],["configrecord",{"_index":3077,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configrolearn",{"_index":3075,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configrulenam",{"_index":729,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["configrulename\":\"restrict",{"_index":3327,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["configs.get('auditconfig",{"_index":6247,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["configs=json.load(sys.stdin",{"_index":6245,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["configs=tcp:22,tcp:3389,tcp:1433,tcp:3306,tcp:5432,tcp:27017,tcp:6379",{"_index":7256,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["configservic",{"_index":3042,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/
network.html":{}}}],["configservicev2.updatesink",{"_index":7001,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["configsnapshotdeliveryproperties\":{\"deliveryfrequency\":\"one_hour",{"_index":3050,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["configur",{"_index":346,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["configurationitem.resourcenam",{"_index":1919,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["confin",{"_index":9220,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["confirm",{"_index":670,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html"
:{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["conflat",{"_index":142,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["conflict",{"_index":9236,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["confluenc",{"_index":3307,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["conform",{"_index":3032,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["confus",{"_index":158,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["conjunct",{"_index":7297,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["connect",{"_index":877,"title":{},"breadcrumb":{},"description":{"gcp/network.html":{},"general/network.html":{}},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{
},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["connectionlost",{"_index":3666,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["connectionst",{"_index":5503,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["connector",{"_index":4728,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["conscious",{"_index":2878,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["consecut",{"_index":1672,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"gcp/ir.html":{}}}],["consensu",{"_index":6591,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["consent",{"_index":4417,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"azure/iam.html":{},"azure/logging.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["consequ",{"_index":7723,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"genera
l/threat-model.html":{}}}],["consequenti",{"_index":8324,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["consid",{"_index":5286,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"compliance-matrix.html":{}}}],["consider",{"_index":7934,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["consist",{"_index":3500,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["consol",{"_index":1170,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["console'",{"_index":6776,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["consolelogin",{"_index":1598,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["consolesignonpolici",{"_index":8880,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["consolesignonpolicy.id",{"_index":8888,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["consolid",{"_index":5811,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{},"general/complian
ce-frameworks.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["const",{"_index":1092,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["constant",{"_index":6223,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["constitut",{"_index":3392,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/methodology.html":{}}}],["constrain",{"_index":3507,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"oci/data.html":{}}}],["constraint",{"_index":1191,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["constraints/compute.requireoslogin",{"_index":7465,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["constraints/compute.requireshieldedvm",{"_index":7388,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["constraints/compute.skipdefaultnetworkcr",{"_index":7203,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["constraints/compute.vmexternalipaccess",{"_index":7298,"title":{},"breadcrumb":{},"description":{},"b
ody":{"gcp/network.html":{}}}],["constraints/gcp.restrictnoncmekservic",{"_index":5891,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["constraints/storage.publicaccessprevent",{"_index":5800,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["constrainttempl",{"_index":5095,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["construct",{"_index":399,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/ir.html":{}}}],["constructor(scop",{"_index":403,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["consul",{"_index":8239,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["consult",{"_index":1939,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/methodology.html":{},"oci/genai.html":{}}}],["consum",{"_index":1276,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["consumer'",{"_index":1277,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/network.html":{}}}],["consumpt",{"_index":4845,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/network.html":{},"general/genai.html":{}}}],["contact",{"_index":4736,"title":{},
"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/ir.html":{},"general/network.html":{},"oci/ir.html":{}}}],["contain",{"_index":512,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["container",{"_index":2759,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["container.cnrm.cloud.google.com/v1beta1",{"_index":6819,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["container.googleapis.com",{"_index":6838,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["container.googleapis.com/clust",{"_index":6846,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["container/blob",{"_index":3877,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":
{}}}],["container_access_typ",{"_index":4896,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["container_registry_id",{"_index":5703,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["container_scan_recipe_id",{"_index":9595,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["container_threat_detect",{"_index":7161,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["containeranalysis.googleapis.com",{"_index":6947,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["containerclust",{"_index":6820,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["containerd",{"_index":6966,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["containerengin",{"_index":9141,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["containerinsight",{"_index":2738,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["containernodepool",{"_index":6972,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["containerregistryloginev",{"_index":5726,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["containerregistryrepositoryev",{"_index":5723,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["containersensor",{"_index":5080,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["containment_sa",{"_index":6712,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["containmentrolearn",{"_index":2291,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["containmentrolearn</cod",{"_index":2299,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["contains(\"gen",{"_index":8755,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html"
:{}}}],["contains(destinationportrang",{"_index":5642,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["contains(displaynam",{"_index":5289,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["contamin",{"_index":6315,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/ir.html":{}}}],["content",{"_index":365,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"azure/genai.html":{},"oci/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["content_filt",{"_index":4318,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["content_moderation_config",{"_index":8728,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["content_policy_config",{"_index":1398,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["contentfilt",{"_index":4271,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["contentfilterguardrail",{"_index":1401,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["contentfilterpolici",{"_index":4325,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["contentfilterresult",{"_index":4333,"title":{},
"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["contentfilterresults.jailbreak",{"_index":4282,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["contentmoderationconfig.isen",{"_index":8730,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["contentpolici",{"_index":1391,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["contentpolicyconfig",{"_index":1219,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["contentpolicyconfig.filtersconfig",{"_index":1237,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["contents_delta_uri",{"_index":6292,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["contentvers",{"_index":4850,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["contest",{"_index":8230,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["context",{"_index":1052,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/genai.html":{}}}],["context_access_token",{"_index":5708,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["context_path",{"_index":5707,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["conting",{"_index":8026,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["continu",{"_index":1543,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kub
ernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["continuous_scan",{"_index":3713,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["contract",{"_index":2962,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["contractor",{"_index":1707,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/data.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["contractor'",{"_index":8899,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["contractu",{"_index":4026,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/data.html":{},"general/threat-model.html":{}}}],["contradict",{"_index":2334,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["contrari",{"_index":7811,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["contribut",{"_index":5769,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/methodology.html":{}}}],["contributor",{"_index":4114,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"general/genai.html":{}}}],["control",{"_index":67,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/network.html":{},"compliance-matrix.ht
ml":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["control'",{"_index":5683,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{}}}],["controllermanag",{"_index":2491,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["conveni",{"_index":2682,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/iam.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{}}}],["convent",{"_index":1232,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/i
am.html":{},"azure/iam.html":{},"general/genai.html":{},"general/ir.html":{}}}],["converg",{"_index":3881,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["convers",{"_index":3397,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/genai.html":{},"azure/workloads.html":{},"general/genai.html":{}}}],["convert",{"_index":4422,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["cooki",{"_index":4446,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/network.html":{},"general/threat-model.html":{}}}],["coordin",{"_index":1687,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/genai.html":{},"general/ir.html":{},"general/threat-model.html":{}}}],["copi",{"_index":675,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"general/data.html":{},"general/ir.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["copy_paste_en",{"_index":5657,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["copyright",{"_index":7853,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["copyvolumebackup",{"_index":8643,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["cordon",{"_index":6989,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["core",{"_index":7988,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/data.html":{},"oci/network.html":{}}}],["core/v1/serviceaccount",{"_index":6874,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["coredn",{"_index":9171,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kube
rnetes.html":{}}}],["corner",{"_index":8569,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["corollari",{"_index":8102,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["corp",{"_index":6828,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/iam.html":{}}}],["corp.exampl",{"_index":8925,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["corpor",{"_index":888,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["corpu",{"_index":1385,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["corpus'",{"_index":8458,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["correct",{"_index":337,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/network.html":{}}}],["correctli",{"_index":2887,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/kubernetes.html":
{},"general/network.html":{},"oci/logging.html":{}}}],["correl",{"_index":1681,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/logging.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["correspond",{"_index":1274,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/workloads.html":{}}}],["corrupt",{"_index":7788,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/genai.html":{}}}],["cos_containerd",{"_index":6968,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["cosign",{"_index":7399,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/workloads.html":{}}}],["cosmo",{"_index":3865,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["cost",{"_index":1049,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/
logging.html":{},"oci/network.html":{}}}],["costli",{"_index":931,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/genai.html":{}}}],["counsel",{"_index":7964,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["counsel'",{"_index":7953,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["count",{"_index":1616,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["count</cod",{"_index":8850,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["count=$(az",{"_index":5183,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["counter",{"_index":1857,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/kubernetes.html":{}}}],["countnumb",{"_index":3732,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["counttyp",{"_index":3730,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["countunit",{"_index":3734,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["coupl",{"_index":2618,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/data.html":{}}}],["cours",{"_index":9285,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["cover",{"_index":48,"title":{},"breadcrumb":{},"description":{"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{
},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["coverag",{"_index":1392,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["cp",{"_index":676,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/ir.html":{}}}],["cpu",{"_
index":8650,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["cpu_core_count",{"_index":8664,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["cr",{"_index":7197,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["craft",{"_index":1184,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/genai.html":{}}}],["crawler",{"_index":7909,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["crd",{"_index":6210,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["creat",{"_index":687,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["create/modify/delet",{"_index":8708,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["create_opt",{"_index":4137,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["create_vnic_detail",{"_index":8636,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html"
:{}}}],["createaccesskey",{"_index":1654,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{}}}],["createaccesskey\",\"updateaccesskey",{"_index":1674,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["createapikey",{"_index":9000,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["createbucket",{"_index":2969,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["createclust",{"_index":9143,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["createcontainerimagesignatur",{"_index":9611,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["created",{"_index":1911,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["created\"<=`'\"$(d",{"_index":8938,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["createdbclust",{"_index":865,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["createdbinst",{"_index":857,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["createdbinstance\",\"createdbcluster\",\"restoredbinstancefromdbsnapshot\",\"modifydbinst",{"_index":860,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["creatededicatedaiclust",{"_index":8696,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["createdefaultvpc",{"_index":3255,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["createdefaultvpc\",\"createvpc",{"_index":3277,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["createendpoint",{"_index":8698,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["createfunct",{"_index":2974,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["createidentityprovid",{"_index":8919,"title":{},"breadcrumb":{},"description":{},
"body":{"oci/iam.html":{}}}],["createimagepolicyconfig",{"_index":9217,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["createinternetgateway",{"_index":9371,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["createkey",{"_index":8592,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["createkey','updatekey','importkey",{"_index":8598,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["createmodel",{"_index":8697,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["createnodepool",{"_index":6983,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["createoauth2clientcredenti",{"_index":9002,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["createopt",{"_index":4913,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{}}}],["createpodidentityassoci",{"_index":2615,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["createpolici",{"_index":8715,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/iam.html":{}}}],["createpreauthenticatedrequest",{"_index":8555,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["createserviceaccountkey",{"_index":6433,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["createsess",{"_index":9556,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["createus",{"_index":8844,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["createvcn",{"_index":9369,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["createvnicdetail",{"_index":9486,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["createvolum",{"_index":737,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["createworkloadidentitypool
provid",{"_index":6520,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["creation",{"_index":746,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["creation.yaml",{"_index":6401,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["creationdata",{"_index":4912,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["creator",{"_index":1940,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/kubernetes.html":{}}}],["credenti",{"_index":873,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"aws/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared
-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["credential'",{"_index":4593,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["credentialexfiltr",{"_index":8375,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["credentials/<rol",{"_index":3580,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/threat-model.html":{}}}],["credibl",{"_index":5530,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/workloads.html":{}}}],["creep",{"_index":4386,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/data.html":{}}}],["crimin",{"_index":8338,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["criteria",{"_index":7952,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/methodology.html":{}}}],["criterion",{"_index":7024,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/methodology.html":{}}}],["critic",{"_index":263,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html"
:{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["critical/high",{"_index":7396,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/iam.html":{}}}],["crm_servic",{"_index":7108,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["cron",{"_index":6001,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{}}}],["cross",{"_index":102,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"compliance-matrix.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["crossaccountau
ditorrol",{"_index":1987,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["crosswalk",{"_index":3861,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["crypt",{"_index":4111,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["cryptanalyt",{"_index":7776,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["crypto",{"_index":4048,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{}}}],["crypto_key_id",{"_index":5940,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["cryptocurr",{"_index":3138,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/network.html":{}}}],["cryptograph",{"_index":3867,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["cryptographi",{"_index":7803,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["cryptokey.upd",{"_index":6894,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["cryptokeyencrypterdecrypt",{"_index":5808,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["cryptokeyversion.dis",{"_index":6893,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kube
rnetes.html":{}}}],["cryptomin",{"_index":3143,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/threat-model.html":{}}}],["cryptoshr",{"_index":8572,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["cryptoshred",{"_index":8570,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["cs",{"_index":4233,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{}}}],["cs.account(\"aoai",{"_index":4236,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["cs.agentpoolmode.system",{"_index":4985,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["cs.loadbalancersku.standard",{"_index":4984,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["cs.managedcluster(\"ak",{"_index":4982,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["cs.networkplugin.azur",{"_index":4983,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["cs.raipolicy(\"prompt",{"_index":4275,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["cs.resourceidentitytype.systemassign",{"_index":4237,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{}}}],["csa",{"_index":8009,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{}}}],["cse",{"_index":7758,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["csf",{"_index":2043,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["csp",{"_index":8284,"title":{},"breadcrumb":{},"des
cription":{},"body":{"general/shared-responsibility.html":{}}}],["cspm",{"_index":5160,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["cspm/cwpp",{"_index":5155,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{}},"body":{"gcp/logging.html":{}}}],["csr",{"_index":9574,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["csr_ocid",{"_index":9577,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["csrc",{"_index":5785,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/methodology.html":{}}}],["csrc.nist.gov/pubs/sp/800/190/fin",{"_index":8092,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["css",{"_index":8182,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"index.html":{}}}],["cst",{"_index":9576,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["cst_ocid",{"_index":9583,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["csv",{"_index":1686,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/data.html":{}}}],["ct",{"_index":2366,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["ct.trail(thi",{"_index":2938,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ct_to_evid",{"_index":2362,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["cui",{"_index":7748,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["cultur",{"_index":8178,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["curat",{"_index":3125,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/genai.html":{},"general/threat-model.html":{}}}],["curl",{"_index":6440,"title":{},"breadcrumb":{},"de
scription":{},"body":{"gcp/iam.html":{}}}],["currenc",{"_index":8209,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["current",{"_index":100,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["current_d",{"_index":6792,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["custodi",{"_index":108,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["custom",{"_index":209,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp
/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["custom_config",{"_index":7138,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["custom_recipe_ocid",{"_index":9014,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["customconfig",{"_index":7180,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["customer'",{"_index":2130,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"gcp/genai.html":{},"general/data.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["customers/${customerid",{"_index":6457,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["customers/${var.workspace_customer_id",{"_index":6446,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["customis",{"_index":7392,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/kubernetes.html":{}}}],["custommodul",{"_index":7177,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["customsubdomainnam",{"_index":4232,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["cut",{"_index":103,"title":{},"breadcrumb":{},"description":{"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{}
,"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cutov",{"_index":1942,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["cve",{"_index":3314,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["cvss",{"_index":8180,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["cwpp",{"_index":5161,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["cyber",{"_index":7958,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/threat-model.html":{}}}],["cybersecur",{"_index":7652,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["cycl",{"_index":4691,"tit
le":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["cyclonedx",{"_index":8442,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["d",{"_index":1645,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["daemon",{"_index":5550,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["daemon'",{"_index":9508,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["daemonset",{"_index":2584,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/workloads.html":{}}}],["daili",{"_index":754,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["danger",{"_index":6185,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["dangerous/viol",{"_index":1404,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"oci/genai.html":{}}}],["dark",{"_index":4413,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["dart",{"_index":4735,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["dash",{"_index":5743,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/complianc
e-frameworks.html":{},"general/methodology.html":{}}}],["dashboard",{"_index":2111,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["dashboard'",{"_index":5288,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/logging.html":{}}}],["data",{"_index":28,"title":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"oci/data.html":{}},"breadcrumb":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"oci/data.html":{}},"description":{"aws/data.html":{},"aws/index.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/index.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/logging.html":{},"general/data.html":{},"general/index.html":{},"oci/data.html":{},"oci/index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"gen
eral/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["data\":{\"identity\":{\"principalname\":[\"breakglass",{"_index":8965,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["data'",{"_index":665,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["data.\"inst",{"_index":9459,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.\"lifecycl",{"_index":8785,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.\"priv",{"_index":9418,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["data.\"publ",{"_index":8577,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.aws_ssm_parameter.bottlerocket_ami.valu",{"_index":2772,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["data.azuread_directory_role.global_admin.template_id",{"_index":4484,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["data.azurerm_client_config.current.tenant_id",{"_index":5036,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["data.azurerm_policy_set_definition.pss_restricted.id",{"_index":5107,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["data.contentmoderationconfig\"</cod",{"_index":8721,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.google_kms_crypto_key_version.ci_attest.id",{"_index":7541,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["data.google_kms_crypto_key_version.ci_attest.public_key[0].algorithm",{"_index":7546,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/
workloads.html":{}}}],["data.google_kms_crypto_key_version.ci_attest.public_key[0].pem",{"_index":7544,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["data.google_project.svc_app.number}@comput",{"_index":5978,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["data.google_project.svc_app.number}@g",{"_index":5943,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["data.google_project.svc_app.number}@gcp",{"_index":6037,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["data.html",{"_index":7684,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["data.id",{"_index":8531,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["data.identity.principalid",{"_index":9003,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["data.identity.principalnam",{"_index":8822,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data.item",{"_index":9457,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.oci_core_services.all.services[0].id",{"_index":8741,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.oci_identity_availability_domain.ad.nam",{"_index":9461,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.oci_identity_domain.default.url",{"_index":8863,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data.oci_kms_vault.security.management_endpoint",{"_index":9590,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.oci_objectstorage_namespace.ns.namespac",{"_index":8515,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.oci_objectstora
ge_namespace.this.namespac",{"_index":8758,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.request.payload",{"_index":9414,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["data.request.payload.accesstyp",{"_index":8559,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.request.payload.endpointconfig.ispublicipen",{"_index":9145,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["data.request.payload.feder",{"_index":8926,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data.request.payload.imagepolicyconfig.ispolicyen",{"_index":9218,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["data.request.payload.kmskeyid",{"_index":8601,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{}}}],["data.request.payload.metadataurl",{"_index":8924,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data.request.payload.networkaccesstyp",{"_index":9428,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["data.request.payload.networkconfig.networktyp",{"_index":8752,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.request.payload.protectionmod",{"_index":8599,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.request.payload.publicaccesstyp",{"_index":8557,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.request.payload.retentionperiodday",{"_index":9278,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["data.request.payload.routerul",{"_index":9376,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["data.request.payload.scanningen",{"_index":9615,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.request.payload.stat",{"_index":871
7,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.request.payload.statu",{"_index":9333,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["data.request.payload.typ",{"_index":9202,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["data.response.payload.groupnam",{"_index":8849,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data.target.bastion.id",{"_index":9566,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.target.bucket.nam",{"_index":8560,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.target.cluster.id",{"_index":9146,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["data.target.cluster.id</cod",{"_index":9166,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["data.target.endpoint.id",{"_index":8734,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.target.id",{"_index":8602,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["data.target.instance.id",{"_index":9505,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.target.log.configuration.source.categori",{"_index":9302,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["data.target.log.displaynam",{"_index":8774,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["data.target.policy.nam",{"_index":8718,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.target.repository.nam",{"_index":9616,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data.target.responderrecipe.id",{"_index":9060,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["data.target.user.id",{"_index":9005,"titl
e":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["data.typ",{"_index":8782,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.unitcount",{"_index":8784,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data.{kms:\"km",{"_index":8658,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data.{name:\"display",{"_index":8621,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/iam.html":{}}}],["data/iam/secur",{"_index":2766,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"general/threat-model.html":{}}}],["data[*].{name:nam",{"_index":8505,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["data[0].id",{"_index":8528,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["data[?\"display",{"_index":8853,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[?\"tim",{"_index":8937,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[?contains(\"ev",{"_index":9531,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["data[?email==`<provis",{"_index":8800,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[?name==`administrators`].id",{"_index":8797,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[?name==`securityadmins`].id",{"_index":8835,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[].id",{"_index":8936,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data[].stat",{"_index":8676,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["data[].{name:name,active:\"lifecycl",{
"_index":8798,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["data_bucket",{"_index":594,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["data_cmk",{"_index":8624,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data_cmk_ocid",{"_index":8613,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["data_read",{"_index":6227,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["data_read/data_writ",{"_index":7003,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["data_resourc",{"_index":3001,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["data_storage_size_in_tb",{"_index":8665,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["data_writ",{"_index":6234,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["databas",{"_index":782,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["database_encrypt",{"_index":6880,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["database_flag",{"_index":6054,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["database_vers",{"_index":6041,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["databasead
min",{"_index":8828,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["databaseencrypt",{"_index":6887,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["databaseencryption.keynam",{"_index":6891,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["databaseencryption.st",{"_index":6890,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["databasevers",{"_index":6060,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["datacustomercustomercustom",{"_index":8300,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["dataflow",{"_index":5893,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["datapath_provid",{"_index":6814,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["dataplan",{"_index":5278,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{}}}],["dataplex",{"_index":5796,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["dataresources.valu",{"_index":3016,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["dataset",{"_index":2432,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{}}}],["dataset.upd",{"_index":6339,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["dataset_id",{"_index":7057,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["datasourc",{"_index":3200,"title":{},"breadcr
umb":{},"description":{},"body":{"aws/logging.html":{}}}],["datastor",{"_index":6314,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["datastore.delet",{"_index":6307,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["date",{"_index":1544,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["date_sub(current_d",{"_index":6791,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["datetim",{"_index":8166,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["datetime=\"yyyi",{"_index":8210,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["day",{"_index":899,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["day'",{"_index":3026,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["db",{"_index":805,"title":{},"breadcrumb":{},"description":{
"oci/data.html":{}},"body":{"aws/data.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/index.html":{},"oci/network.html":{}}}],["db.r6i.larg",{"_index":811,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["db_name",{"_index":8663,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["dbinstances[?storageencrypted==`false`].[dbinstanceidentifier,engin",{"_index":806,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["dbir",{"_index":8175,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["dbname=app",{"_index":6033,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["dd",{"_index":8212,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/workloads.html":{}}}],["ddl",{"_index":2447,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["ddo",{"_index":4724,"title":{},"breadcrumb":{},"description":{"azure/network.html":{},"oci/network.html":{}},"body":{"azure/index.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"index.html":{},"oci/network.html":{}}}],["de",{"_index":4106,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{}}}],["deactiv",{"_index":1779,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/iam.html":{}}}],["deactivatemfadevic",{"_index":1602,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["dead",{"_index":8150,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["deadlin",{"_index":1924,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["deb",{"_index":7580,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.
html":{}}}],["debian",{"_index":5982,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["debt",{"_index":786,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["debug",{"_index":3311,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["debugg",{"_index":8403,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["dec",{"_index":3552,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["decad",{"_index":7877,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["decay",{"_index":6582,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["decemb",{"_index":6351,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["decentralis",{"_index":8156,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["decid",{"_index":55,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/logging.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["decis",{"_index":2412,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":
{}}}],["declar",{"_index":2328,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["decommiss",{"_index":4113,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/kubernetes.html":{},"oci/data.html":{}}}],["decompos",{"_index":6566,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["decor",{"_index":8202,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["decoupl",{"_index":2586,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["decoy",{"_index":5281,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["decreas",{"_index":6220,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["decrement",{"_index":3573,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["decrypt",{"_index":229,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"oci/logging.html":{}}}],["decrypt/generatedatakey",{"_index":548,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["dedic",{"_index":1111,"title":{},"breadcrumb":{},"description":{"oci/genai.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html
":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["dedicated_ai_cluster_id",{"_index":8723,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["dedicated_infrastructure_typ",{"_index":8791,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["deep",{"_index":7798,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/logging.html":{}}}],["deepli",{"_index":8016,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["default",{"_index":41,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/kubernetes.html":{},"gcp/iam.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":
{},"oci/network.html":{},"oci/workloads.html":{}}}],["default,values=tru",{"_index":3246,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["default:networkruleset.defaultact",{"_index":3924,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["default_act",{"_index":3897,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["default_action=deni",{"_index":3947,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["default_admission_rul",{"_index":7547,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["default_encryption_configur",{"_index":7060,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["default_kms_key_nam",{"_index":5853,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["default_node_pool",{"_index":4952,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["default_retent",{"_index":2359,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["default_sl_ocid",{"_index":9382,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["default_table_expiration=63072000",{"_index":7042,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["default_table_expiration_m",{"_index":7058,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["defaultact",{"_index":3968,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{}}}],["defaultaction\\\":\\\"allow",{"_index":5470,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["defaultadmissionrul",{"_index":6917,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["defaultad
missionrule.evaluationmod",{"_index":6946,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["defaultkmskeynam",{"_index":5961,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["defaultkmskeyref",{"_index":5947,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["defaultretent",{"_index":2350,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["defeat",{"_index":1125,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/network.html":{},"oci/iam.html":{}}}],["defenc",{"_index":517,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/genai.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["defend",{"_index":2694,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["defender)2.x",{"_index":9327,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["defender_plan",{"_index":5352,"title":{},"breadcrumb":{},"description":{},"body":{"azure/l
ogging.html":{}}}],["defendercontact",{"_index":5313,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["defendercontain",{"_index":5076,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["defenderforcontainersconfiguration/dis",{"_index":5084,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["defenderforstoragev2",{"_index":5350,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["defens",{"_index":2031,"title":{},"breadcrumb":{},"description":{"general/network.html":{}},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["defer",{"_index":255,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/workloads.html":{}}}],["defin",{"_index":5356,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/genai.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["definit",{"_index":2200,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["definition/aw",{"_index":2297,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["degrad",{"_index":2058,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["dek",{"_index":4038,"title"
:{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/data.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["delay",{"_index":3111,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"general/methodology.html":{}}}],["deleg",{"_index":1285,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{}}}],["delet",{"_index":254,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["delete_marker_repl",{"_index":2372,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["deletebucket",{"_index":2971,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["deletebucketencrypt",{"_index":644,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["deleteconfigurationrecord",{"_index":3106,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["deletedeliverychannel",{"_index":3110,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["delet
edetector",{"_index":3208,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["deletedetector\",\"updatedetector\",\"disassociatemembers\",\"deletememb",{"_index":3207,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["deleteguardrail",{"_index":1250,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["deleteguardrail\",\"updateguardrail\",\"createguardrail",{"_index":1249,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["deleteguardrailvers",{"_index":1419,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["deleteidentityprovid",{"_index":8921,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["deletelog",{"_index":8770,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["deleteloggroup",{"_index":2751,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["deletememb",{"_index":3810,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["deletenetworkaclentry\",\"createnetworkaclentry\",\"replacenetworkaclentry\",\"replacenetworkaclassoci",{"_index":3454,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["deleteobject",{"_index":8116,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"oci/logging.html":{}}}],["deleteopt",{"_index":5620,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["deletepolici",{"_index":8821,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["deleteprivateendpoint",{"_index":9423,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["deletepublicaccessblock",{"_index":495,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["deleterul",{"_index":2315,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["deleterule\",\"disabl
erule\",\"removetargets\",\"deletefunction\",\"updatefunctionconfigur",{"_index":2313,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["deletesink",{"_index":7002,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["deletetrail",{"_index":2964,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["deletevirtualmfadevic",{"_index":1848,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["deletion_protect",{"_index":832,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/data.html":{}}}],["deletion_window_in_day",{"_index":595,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["deliber",{"_index":284,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["deliv",{"_index":2690,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["deliver",{"_index":7681,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["deliveri",{"_index":1610,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.ht
ml":{},"general/logging.html":{}}}],["delivery_frequ",{"_index":3063,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["delivery_s3_bucket",{"_index":3074,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["delta",{"_index":1603,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["demand",{"_index":4025,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["demonstr",{"_index":4031,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/kubernetes.html":{},"oci/data.html":{}}}],["deni",{"_index":176,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/netw
ork.html":{},"oci/workloads.html":{}}}],["denial",{"_index":1359,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/threat-model.html":{}}}],["denied_valu",{"_index":7316,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["deniedvalu",{"_index":7303,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["densiti",{"_index":8422,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["deny.yaml",{"_index":7207,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["deny</cod",{"_index":3417,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["deny_create_default_vpc",{"_index":3257,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["deny_disable_s3_account_bpa",{"_index":362,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["deny_disable_vpc_bpa",{"_index":3471,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["deny_external_ip",{"_index":7314,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["deny_imdsv1_launch",{"_index":3591,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["deny_internet_admin_port",{"_index":5414,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{}}}],["deny_known_bad",{"_index":3422,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["deny_paas_publ",{"_index":5452,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["deny_public_bucket",{"_index":7136,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["deny_root_create_access_key",{"_index":1655,"title":{},"breadcrumb":{},"description":
{},"body":{"aws/iam.html":{}}}],["deny_root_without_mfa",{"_index":1578,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["deny_storage_publ",{"_index":3940,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["deny_unplanned_vnet",{"_index":5376,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["denyadmininternet",{"_index":7285,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["denyadminpolici",{"_index":8816,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["denyadminpolicy.id",{"_index":8820,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["denyal",{"_index":4916,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["denyallexceptlistedifnomfa",{"_index":1811,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyallexceptmfa",{"_index":1838,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyallexceptmfaselfservic",{"_index":1834,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyallinbound",{"_index":4824,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["denyalloutbound",{"_index":4829,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["denyallwithoutmfa",{"_index":1841,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyallwithoutmfastack",{"_index":1840,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denycreatedefaultvpc",{"_index":3258,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["denydisableaccountbpa",{"_index":372,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["denydisablevpcbpa",{"_index":3472,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["denyinternettosshrdpsql",{"_index":5409,"title":{},"breadcrumb":{},"des
cription":{},"body":{"azure/network.html":{}}}],["denyrootaccesskeycr",{"_index":1660,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyrootcreateaccesskey",{"_index":1656,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyrootkeycr",{"_index":1659,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyrootkeycreationstack",{"_index":1661,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyrootwithoutmfa",{"_index":1579,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyrootwithoutmfastack",{"_index":1590,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["denyruninstanceswithoutimdsv2",{"_index":3592,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["denytorexitnod",{"_index":3434,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["depart",{"_index":1706,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/workloads.html":{}}}],["departur",{"_index":1705,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/iam.html":{}}}],["depend",{"_index":2223,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["dependabot",{"_index":8450,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["depends_on",{"_index":3065,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{}}}],["depict",{"_index":8294,"title":{},"breadcrumb":{},"
description":{},"body":{"general/shared-responsibility.html":{}}}],["deploy",{"_index":1361,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["deploy@${project}.iam.gserviceaccount.com",{"_index":6488,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["deployifnotexist",{"_index":4415,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["deployment'",{"_index":8457,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["deploymentnam",{"_index":4323,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["deposit",{"_index":8025,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["deprec",{"_index":2684,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/kubernetes.html":{}}}],["depressingli",{"_index":4655,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["deprovis",{"
_index":8897,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["depth",{"_index":518,"title":{},"breadcrumb":{},"description":{"general/network.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["deputi",{"_index":3506,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["deriv",{"_index":1527,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["des.id",{"_index":4152,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["des_mi",{"_index":4123,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["des_mi=$(az",{"_index":4122,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["des_mi_kv",{"_index":4131,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["desc",{"_index":467,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{}}}],["desc</cod",{"_index":1
762,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["descend",{"_index":1008,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"oci/genai.html":{}}}],["describ",{"_index":135,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["descript",{"_index":384,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["description('address",{"_index":5381,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["description('admin",{"_index":5594,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["description('ak",
{"_index":4963,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["description('appl",{"_index":4369,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["description('azur",{"_index":4229,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["description('ca",{"_index":4677,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["description('condit",{"_index":4565,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["description('cont",{"_index":4324,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["description('contain",{"_index":5713,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["description('deploy",{"_index":4322,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["description('disk",{"_index":4142,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["description('entra",{"_index":4489,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{}}}],["description('exist",{"_index":5018,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["description('group",{"_index":4779,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{}}}],["description('harden",{"_index":3951,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["description('key",{"_index":4080,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["description('log",{"_index":4400,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["description('nsg",{"_index":5427,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["description('object",{
"_index":4487,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["description('princip",{"_index":4622,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["description('rai",{"_index":4267,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["description('resourc",{"_index":5497,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["description('sentinel",{"_index":4844,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["description('snapshot",{"_index":4908,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["description('sourc",{"_index":4906,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["description('standard",{"_index":5668,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["description('storag",{"_index":4079,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["description('subnet",{"_index":4353,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["description('subscript",{"_index":5210,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["description('upn",{"_index":4563,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["description('us",{"_index":4082,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["description('versionless",{"_index":5049,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["description('workspac",{"_index":5272,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["description=\"deni",{"_index":7259,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["description=\"org",{"_index":7046,"title":{},"breadcrumb":
{},"description":{},"body":{"gcp/logging.html":{},"gcp/network.html":{}}}],["description=\"priv",{"_index":7305,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["description='sign",{"_index":6601,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["deserialis",{"_index":3829,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["desid",{"_index":4151,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["design",{"_index":153,"title":{},"breadcrumb":{},"description":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["designated.foreach((principalid",{"_index":4504,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["desir",{"_index":1999,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"oci/iam.html":{}}}],["desired_s",{"_index":2788,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["desired_st",{"_index":7601,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/workloads.html":{}}}],["desiredprivateclusterconfig.publicendpointen",{"_index":6841,"title":{},"breadcrumb":{},"description":{},"b
ody":{"gcp/kubernetes.html":{}}}],["desiredst",{"_index":7587,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["desnam",{"_index":4143,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["destin",{"_index":662,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["destination'",{"_index":8120,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["destination_address_prefix",{"_index":4828,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{}}}],["destination_port_rang",{"_index":4826,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["destination_region",{"_index":9088,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["destination_typ",{"_index":8745,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["destinationaddressprefix",{"_index":5432,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["destinationportrang",{"_index":5433,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/network.html":{}}}],["destinationportrange\":{\"min\":22",{"_index":9416,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["destinationportrange\":{\"min\":3389",{"_index":9417,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["destinationtyp",{"_index":9441,"title":{},"
breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["destroy",{"_index":1233,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["destruct",{"_index":2416,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"gcp/data.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["detach",{"_index":697,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"gcp/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["detail",{"_index":2255,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"general/data.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["detect",{"_index":845,"title":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"breadcrumb":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"description":{"aws/genai.html":{},"aws/index.html":{},"aws/logging.html":{},"azure/index.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{
},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["detection'",{"_index":7159,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["detector",{"_index":3131,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"general/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["detector_id",{"_index":3164,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["detector_id=$(aw",{"_index":3155,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["detector_recipe_id",{"_index":9322,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["detectorid",{"_index":3163,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["determin",{"_index":510,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/ir.html":{},
"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["determinist",{"_index":2228,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["dev",{"_index":9515,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["dev_sess",{"_index":9543,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["develop",{"_index":902,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["developer'",{"_index":1636,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"gcp/workloads.html":{}}}],["deviat",{"_index":1344,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"oci/network.html":{}}}],["devic",{"_index":1552,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["devo",{"_index":8136,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["devop",{"_index":4210,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.
html":{},"oci/workloads.html":{}}}],["devsecop",{"_index":8461,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["df",{"_index":5476,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["diag",{"_index":4391,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["diag_settings=$count",{"_index":5186,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["diagblob",{"_index":5275,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["diagnost",{"_index":1164,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"general/genai.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["dialect",{"_index":7615,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/index.html":{}}}],["dif",{"_index":4011,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["diff",{"_index":1145,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["differ",{"_index":69,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/d
ata.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["differenti",{"_index":6907,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["difficult",{"_index":6271,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/network.html":{},"general/workloads.html":{}}}],["digest",{"_index":1770,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["digit",{"_index":2238,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/iam.html":{},"oci/ir.html":{}}}],["dilig",{"_index":3900,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["dimens",{"_index":6294,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/compliance-frameworks.html":{}}}],["dip",{"_index":3562,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["direct",{"_index":744,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/lo
gging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["direction=='inbound",{"_index":5403,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["direction=ingress",{"_index":7254,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["direction\\\":\\\"inbound",{"_index":5444,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["directli",{"_index":1235,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["directori",{"_index":1699,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["directoryrol",{"_index":4454,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["di
rectoryrolemanag",{"_index":4513,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["directoryscopeid",{"_index":4605,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["disabl",{"_index":214,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"oci/iam.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["disable\",\"disassociatemember\",\"updateorganizationconfiguration\",\"deletememb",{"_index":3807,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["disable_sa_key_cr",{"_index":6410,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["disable_us",{"_index":9013,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["disableaddon",{"_index":9199,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["disablecopypast",{"_index":5671,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["disabled=fals",{"_index":7261,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["disableebsencryptionbydefault",{"_index":763,"title":{},"breadcrumb":{},"description":{},"body":{"
aws/data.html":{}}}],["disableebsencryptionbydefault\",\"modifyebsdefaultkmskeyid\",\"createvolum",{"_index":752,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["disablekey",{"_index":2667,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["disablekey\",\"schedulekeydeletion\",\"putkeypolici",{"_index":2663,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["disablelocalauth",{"_index":4207,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["disablelocalauth=tru",{"_index":4252,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["disablelocalauth\\\":fals",{"_index":4249,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["disablepasswordauthent",{"_index":5610,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["disablerul",{"_index":2318,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["disablesakeycr",{"_index":6417,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["disagr",{"_index":8169,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["disagre",{"_index":8168,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["disallow",{"_index":4012,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["disappear",{"_index":658,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"general/network.html":{},"oci/iam.html":{}}}],["disarm",{"_index":4092,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}}}],["disassociatememb",{"_index":3809,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["disast",{"_index":8597,"title":
{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["disciplin",{"_index":7770,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"oci/logging.html":{}}}],["disclos",{"_index":1387,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/data.html":{},"general/genai.html":{},"general/methodology.html":{}}}],["disclosur",{"_index":1380,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/data.html":{},"general/genai.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["disconnect",{"_index":5679,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/ir.html":{}}}],["discov",{"_index":235,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["discoveri",{"_index":5332,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/data.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["discoveryengine.googleapis.com",{"_index":6306,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["discret",{"_index":8609,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["discuss",{"_index":6347,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/compliance-frameworks.html":{}}}],["disk",{"_index":3845,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"gcp/data.html":{}},"body":{"azure/data.
html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["disk'",{"_index":4116,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["disk_autores",{"_index":6045,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["disk_compute_ag",{"_index":5976,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["disk_encryption_key",{"_index":5984,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["disk_encryption_set_id",{"_index":4140,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["disk_id",{"_index":4881,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["disk_id=$(az",{"_index":4878,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["disk_size_gb",{"_index":4138,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["diskaccessid",{"_index":4917,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["diskencryptionconfiguration.kmskeynam",{"_index":6073,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["diskencryptionkey",{"_index":5989,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["diskencryptionkey.kmskeynam",{"_index":5996,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["diskencryptionsetid",{"_index":4163,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["diskencryptionsets/delet",{"_index":4160,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["disks/writ",{"_index":4161,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["display",{"_index":2141,"title":{},"bread
crumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["display_nam",{"_index":2163,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["displaynam",{"_index":4658,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["displayname:displaynam",{"_index":5291,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["displayname=='kubernet",{"_index":5109,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["disproportion",{"_index":8352,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["disput",{"_index":8227,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["disrupt",{"_index":881,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["disruption_budget",{"_index":7603,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["disruptionbudget",{"_index":7589,"title":{},"breadcrumb":{},"descrip
tion":{},"body":{"gcp/workloads.html":{}}}],["distanc",{"_index":8325,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["distinct",{"_index":151,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["distinguish",{"_index":5748,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["distribut",{"_index":497,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["distribution=tru",{"_index":502,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["div",{"_index":9101,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"search.html":{}}}],["dive",{"_index":7800,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["diverg",{"_index":3029,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}
,"general/compliance-frameworks.html":{},"general/data.html":{},"general/shared-responsibility.html":{}}}],["divert",{"_index":5219,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["divid",{"_index":8314,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["dlp",{"_index":5789,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{}},"body":{"gcp/data.html":{},"gcp/index.html":{},"general/data.html":{},"general/shared-responsibility.html":{},"index.html":{}}}],["dlp.googleapis.com",{"_index":5810,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["dn",{"_index":882,"title":{},"breadcrumb":{},"description":{"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/index.html":{},"gcp/network.html":{},"general/index.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["dns.googleapis.com",{"_index":7377,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["dns_label",{"_index":9358,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["dns_name",{"_index":7319,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["dns_prefix",{"_index":4945,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["dnsprefix",{"_index":4965,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["dnssec",{"_index":2015,"title":{},"breadcrumb":{},"description":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}},"body":{"aws/index.html":{},"gcp/index.html":{},"general/network.html":{}}}],["do",{"_index":7816,"title":{}
,"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"oci/logging.html":{}}}],["doc",{"_index":354,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["docker",{"_index":1888,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/threat-model.html":{}}}],["docker.pkg.dev/svc",{"_index":7518,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["docker.sock",{"_index":8072,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["docker_step",{"_index":5705,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["dockerfil",{"_index":5695,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["dockerfile_path",{"_index":5706,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["docs)n/a",{"_index":6640,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["docs.oracle.com",{"_index":8475,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["docs/control",{"_index":7706,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["docs/sever",{"_index":8164,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["document",{"_index":121,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}
,"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["document/rag",{"_index":4257,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["document_format",{"_index":3642,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["document_typ",{"_index":3641,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["documentformat",{"_index":3658,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["documentsanalysi",{"_index":4259,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["documenttyp",{"_index":3657,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["dod",{"_index":7640,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["doesn't",{"_index":8,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"404.html":{},"gcp/network.html":{}}}],["doj",{"_index":8173,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/threat-model.html":{}}}],["domain",{"_index":2008,"title":{},"breadcrumb":{},"description":{"com
pliance-matrix.html":{},"general/index.html":{},"general/threat-model.html":{},"oci/iam.html":{}},"body":{"aws/index.html":{},"aws/ir.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["domain'",{"_index":8851,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["domain_id",{"_index":8855,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["domain_id=$(oci",{"_index":8852,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["domainocid",{"_index":8878,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["domains/feder",{"_index":8950,"title":{},"breadcrumb":{},"description":{},"body":{"oci/index.html":{}}}],["domin",{"_index":1961,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["don't",{"_index":7032,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["done",{"_index":715,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads
.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["done</cod",{"_index":592,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["door",{"_index":3691,"title":{},"breadcrumb":{},"description":{"azure/network.html":{}},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/network.html":{},"general/ir.html":{},"general/network.html":{},"oci/iam.html":{}}}],["dormanc",{"_index":1936,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["dormant",{"_index":1918,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/ir.html":{}}}],["dotfil",{"_index":7832,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["doubl",{"_index":1927,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{}}}],["down",{"_index":505,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["downgrad",{"_index":1239,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/network.html":{},"oci/kubernetes.html":{}}}],["download",{"_index":2983,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["downsid",{"_index":3814,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["downstream",{"_index":631,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.
html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["downtim",{"_index":867,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/data.html":{},"oci/network.html":{}}}],["downward",{"_index":7879,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["dozen",{"_index":3895,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{}}}],["dr",{"_index":5508,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/data.html":{}}}],["draft",{"_index":1291,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/ir.html":{},"general/threat-model.html":{}}}],["drain",{"_index":4177,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["draw",{"_index":4426,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/ir.html":{},"general/threat-model.html":{}}}],["drg",{"_index":9338,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["drg_id",{"_index":9366,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["drg_ocid",{"_index":9356,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["dri",{"_index":6169,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["drif",{"_index":9620,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["drift",{"_index"
:655,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["drill",{"_index":4577,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["drive",{"_index":2061,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["driven",{"_index":2078,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["drop",{"_index":626,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"
gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["dropper",{"_index":8391,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["drupalgeddon",{"_index":3319,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ds",{"_index":7954,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["dsa",{"_index":6187,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["dss",{"_index":2338,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["dt%h:%m:%sz",{"_index":4609,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/data.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["dt%h:%m:%sz)\"'`].[fingerprint,\"tim",{"_index":8939,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["dt%h:%m:%sz)\"'`].[username,accesskeyid,created",{"_index":1899,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["dual",{"_index":6592,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/shared-responsibility.html":{}}}],["due",{"_index":1218,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"oci/genai.html":{}}}],["dump",{"_index":1562,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"general/iam.html":{},"general/ir.html":{}}}],["duplic",{"_index":3540,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"general/data.html":{},"general/methodology.html":{},"general/network.html":{},"general/threa
t-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["durabl",{"_index":2958,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["durat",{"_index":1717,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["duration('1h",{"_index":7174,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["duration=0s</cod",{"_index":6612,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["dure",{"_index":521,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["duti",{"_index":1522,"title":{},"breadcrumb":{},"description":{"general/iam.html":{}},"body":{"aws/iam.html":{},"gcp/iam.html":{},"ge
neral/data.html":{},"general/iam.html":{},"general/index.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["dwell",{"_index":2696,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["dynam",{"_index":5574,"title":{},"breadcrumb":{},"description":{"oci/kubernetes.html":{}},"body":{"azure/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["dynamodb",{"_index":2593,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"general/network.html":{},"general/workloads.html":{}}}],["e.g",{"_index":552,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["e2",{"_index":7448,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["ea_group_id",{"_index":4536,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ea_group_id=$(az",{"_index":4534,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["each",{"_index":126,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/
iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["each.key",{"_index":2162,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"oci/ir.html":{}}}],["each.key}@${var.tenant_onmicrosoft_domain",{"_index":4549,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["each.key}@contoso.onmicrosoft.com",{"_index":4758,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["each.valu",{"_index":3428,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/logging.html":{}}}],["each.value.acc_id}/${each.value.svc}/default",{"_index":5269,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["each.value.id",{"_index":8973,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["each.value.object_id",{"_index":4562,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["eager",{"_index":309,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.htm
l":{}}}],["earli",{"_index":5342,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"oci/ir.html":{}}}],["earlier",{"_index":3781,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/network.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["earn",{"_index":5546,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"compliance-matrix.html":{}}}],["easi",{"_index":5516,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/data.html":{},"general/workloads.html":{}}}],["easier",{"_index":1417,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/network.html":{}}}],["easili",{"_index":4293,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["east",{"_index":1025,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/network.html":{},"general/network.html":{},"oci/kubernetes.html":{}}}],["eb",{"_index":39,"title":{},"breadcrumb":{},"description":{"aws/data.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"general/data.html":{},"general/ir.html":{}}}],["ebpf",{"_index":5063,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/workloads.html":{}}}],["ebs/rd",{"_index":2016,"title":{},"breadcrumb":{},"description":{},"body":{"aws/index.html":{}}}],["ebs_default",{"_index":719,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ebs_malwar",{"_index":3179,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ebs_malware_protect",{"_index":3180,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ebsencryptionbydefaultrul",{"_index":727,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec",{"_inde
x":1947,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{}}}],["ec2",{"_index":691,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"aws/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["ec2,ecr,lambda",{"_index":3816,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2.amazonaws.com",{"_index":751,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["ec2.cfnlaunchtemplate(thi",{"_index":3597,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2.cfnvpcblockpublicaccessoptions(thi",{"_index":3484,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2.ivpc",{"_index":2519,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{}}}],["ec2.port.tcp(22",{"_index":3359,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2.port.tcp(3389",{"_index":3360,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2.securitygroup(thi",{"_index":3356,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2.subnettype.private_with_egress",{"_index":2528,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["ec2/ecr/lambda",{"_index":3767,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2:associaterout",{"_index":3283,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:associateroutet",{"_index":3497,"title":{},"bre
adcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:attachinternetgateway",{"_index":3496,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:authorizesecuritygroupingress",{"_index":3368,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{}}}],["ec2:createdefaultsubnet",{"_index":3260,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:createdefaultvpc",{"_index":3259,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:createinternetgateway",{"_index":3495,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:createnetworkaclentri",{"_index":3443,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:createsnapshot",{"_index":700,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2:createvolum",{"_index":742,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2:createvpc",{"_index":3273,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:createvpcblockpublicaccessexclus",{"_index":3488,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:deletenetworkaclentri",{"_index":3442,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:deletevpcblockpublicaccessexclus",{"_index":3490,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:deletevpcendpoint",{"_index":1497,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["ec2:describeinst",{"_index":3667,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2:disableebsencryptionbydefault",{"_index":735,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2:disablevpcblockpublicaccess",{"_index":3473,"title":{},"breadcrumb":{},"description":{},"body"
:{"aws/network.html":{}}}],["ec2:metadatahttptoken",{"_index":3566,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2:modifyebsdefaultkmskeyid",{"_index":740,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2:modifyinstancemetadataopt",{"_index":2807,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["ec2:modifysnapshotattribut",{"_index":701,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2:modifyvpcblockpublicaccessopt",{"_index":3474,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:modifyvpcendpoint",{"_index":1502,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["ec2:replacenetworkaclassoci",{"_index":3448,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ec2:runinst",{"_index":3565,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ec2_ebs_encryption_by_default</cod",{"_index":731,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ec2_workload",{"_index":3635,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["echo",{"_index":591,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/logging.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["econom",{"_index":9284,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["economi",{"_index":8115,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["ecosystem",{"_index":3684,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ecr",{"_index":1889,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{
}}}],["ecr.amazonaws.com",{"_index":3756,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ecr:putimagescanningconfigur",{"_index":3753,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ecr:putregistryscanningconfigur",{"_index":3750,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ecrkmskeyarn",{"_index":3736,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ecrkmskeyarn</cod",{"_index":3746,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ed25519",{"_index":9517,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["edg",{"_index":3210,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["edit",{"_index":3465,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["editor",{"_index":4800,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/iam.html":{},"general/workloads.html":{}}}],["editor/own",{"_index":6354,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["editori",{"_index":7924,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["edr",
{"_index":5531,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{}}}],["edr/host",{"_index":8317,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["effect",{"_index":373,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["effect\":\"allow",{"_index":1970,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["effect\":{\"value\":\"deny\"}}'</cod",{"_index":5112,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["effort",{"_index":7727,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["efi",{"_index":5548,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["egress",{"_index":889,"title":{},"breadcrumb":{},"description":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/kubernetes.html":{},"oci
/network.html":{}}}],["egress_https_onli",{"_index":3430,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["egress_security_rul",{"_index":9393,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["egresspolici",{"_index":6155,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["egressto.identitytype=any_ident",{"_index":6156,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["eight",{"_index":1509,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/logging.html":{},"gcp/iam.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["ek",{"_index":1950,"title":{"aws/kubernetes.html":{}},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/workloads.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["ekm",{"_index":7760,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["eks.amazonaws.com",{"_index":2557,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.amazonaws.com/rol",{"_index":2587,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.cluster(thi",{"_index":2521,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.clusterloggingtypes.api",{"_index":2534,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.clusterloggingtypes.audit",{"_index":2535,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.clusterloggingtypes.authent",{"_index":2536,"title":{},"breadcrumb":{},"description":{},"body":{
"aws/kubernetes.html":{}}}],["eks.clusterloggingtypes.controller_manag",{"_index":2537,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.clusterloggingtypes.schedul",{"_index":2538,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.endpointaccess.priv",{"_index":2530,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks.kubernetesversion.v1_31",{"_index":2524,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks:createpodidentityassoci",{"_index":2608,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks:describepodidentityassoci",{"_index":2005,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["eks:nodegroup",{"_index":2820,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks:updateclusterconfig",{"_index":2548,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks_addon_manag",{"_index":3189,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["eks_audit_log",{"_index":3178,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["eks_runtime_monitor",{"_index":3187,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["eks_secret",{"_index":2634,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eks_secrets_encrypt",{"_index":2642,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eksauditaccessdeni",{"_index":2715,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["ekssecretsencryptedrul",{"_index":2641,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["elabor",{"_index":7873,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["elaps",{"_index":5899,"title":{},"breadcrumb":{},"description":{},"bod
y":{"gcp/data.html":{}}}],["elast",{"_index":2448,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"general/kubernetes.html":{},"general/logging.html":{}}}],["elasticach",{"_index":3242,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/shared-responsibility.html":{}}}],["elasticsearch",{"_index":3308,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/threat-model.html":{}}}],["element",{"_index":8023,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["elev",{"_index":2968,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["elicit",{"_index":1381,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"oci/genai.html":{}}}],["elid",{"_index":8455,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["elig",{"_index":4388,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"general/iam.html":{},"general/index.html":{},"general/methodology.html":{}}}],["elimin",{"_index":1713,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["elsewher",{"_index":2746,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["em",{"_index":5742,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"
general/methodology.html":{}}}],["email",{"_index":1373,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["email='al",{"_index":6436,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["email=breakglass",{"_index":6598,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["email>`].{id:id,name:name,active:\"lifecycl",{"_index":8801,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["emailaddress",{"_index":8916,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["emb",{"_index":4261,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/genai.html":{}}}],["embed",{"_index":1448,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/workloads.html":{}}}],["emerg",{"_index":297,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{},"azure/ir.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["emergency_access",{"_index":4755,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["emergency_access_exclus",{"_index":4554,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["emergency_access_group_object_id",{"_index":4660,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["emergencyresponderarn",{"_index":2185,"title":{},"breadcrumb":{},"
description":{},"body":{"aws/ir.html":{}}}],["emiss",{"_index":2239,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["emit",{"_index":1856,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["emitt",{"_index":9299,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["emphasis",{"_index":8154,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["empir",{"_index":8330,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["employe",{"_index":1704,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["empti",{"_index":1772,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/data.html":{},"general/kubernetes.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["enabl",{"_index":222,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/loggin
g.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["enable</cod",{"_index":6941,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["enable_dns_hostnam",{"_index":3265,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["enable_dns_support",{"_index":3266,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["enable_integrity_monitor",{"_index":6964,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["enable_key_rot",{"_index":597,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["enable_log",{"_index":7269,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["enable_log_file_valid",{"_index":2911,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["enable_osconfig",{"_index":7596,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["enable_private_endpoint",{"_index":6809,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["enable_private_nod",{"_index":6808,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["enable_rbac_author",{"_index":3887,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["enable_secure_boot",{"_index":6963,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.h
tml":{}}}],["enable_vtpm",{"_index":7443,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["enableaccountroot",{"_index":958,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["enableassetdiscoveri",{"_index":7148,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["enableazurerbac",{"_index":4975,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enabled)\"</cod",{"_index":7554,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["enabled</cod",{"_index":2793,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["enabled=fals",{"_index":2736,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["enabled_cluster_log_typ",{"_index":2490,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["enabled_log",{"_index":4399,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["enabledelet",{"_index":8688,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["enabledtyp",{"_index":2514,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["enablefilevalid",{"_index":2939,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["enablehttpstrafficonli",{"_index":3982,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["enableintegritymonitor",{"_index":6977,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["enableipconnect",{"_index":5674,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["enablekeyrot",{"_index":956,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["enablelogfilevalid",{"_index":2928,"title":{},"breadcrumb":{},"description"
:{},"body":{"aws/logging.html":{}}}],["enablement_st",{"_index":7137,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["enablementst",{"_index":7179,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["enablemfadevic",{"_index":1601,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["enableprivateclust",{"_index":4966,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enableprivatecluster=fals",{"_index":4994,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enableprivatecluster\\\":fals",{"_index":4990,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enableprivateclusterpublicfqdn",{"_index":4968,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enableprivateendpoint",{"_index":6824,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["enableprivatenod",{"_index":6823,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["enablepurgeprotect",{"_index":4095,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["enablepurgeprotection\\\":fals",{"_index":4102,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["enablerbac",{"_index":4973,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["enablesecureboot",{"_index":6976,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["enableshareablelink",{"_index":5673,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["enablesoftdelet",{"_index":4094,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["enablesoftdelete\\\":fals",{"_index":4101,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["enabletunnel",{"_index":5672,"title":{},"breadcrumb":{},"des
cription":{},"body":{"azure/workloads.html":{}}}],["enablevtpm",{"_index":7454,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["encod",{"_index":1190,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/workloads.html":{},"general/logging.html":{},"oci/iam.html":{}}}],["encrypt",{"_index":40,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"general/data.html":{},"general/network.html":{},"oci/data.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["encrypt/decrypt",{"_index":5051,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["encrypt_decrypt",{"_index":2892,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{}}}],["encrypted=fals",{"_index":766,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["encryptedbucket",{"_index":613,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["encryption.d
efault_kms_key_nam",{"_index":5890,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["encryption.defaultkmskeynam",{"_index":5955,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["encryption.diskencryptionset",{"_index":4164,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryption.diskencryptionsetid",{"_index":4156,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryption.diskencryptionsetid==null].{sub:'$sub",{"_index":4124,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryption.json",{"_index":669,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["encryption.keysourc",{"_index":4090,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryption.typ",{"_index":4166,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryption_config",{"_index":2492,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["encryption_configur",{"_index":3720,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["encryption_key_nam",{"_index":6043,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["encryption_spec",{"_index":6329,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["encryption_spec.kms_key_nam",{"_index":6316,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["encryption_typ",{"_index":3721,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{}}}],["encryptionatrestwithcustomerkey",{"_index":4120,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryptionatrestwithplatformandcustomerkey",{"_index":4107,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["encryptionconfig",{"_index":2511,"title":{},"breadcrumb":{},"description":{},"
body":{"aws/kubernetes.html":{}}}],["encryptionconfig.provider.keyarn",{"_index":2650,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["encryptionconfigur",{"_index":3743,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["encryptionkey",{"_index":2390,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["encryptionkmscryptokeyref",{"_index":6061,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["encryptionspec",{"_index":6318,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["encryptionspec.kmskeynam",{"_index":6342,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["encryptiontyp",{"_index":3744,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{}}}],["encryptiontype=kms,kmskey=arn:aws:kms:eu",{"_index":3706,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["end",{"_index":213,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["end;'</cod",{"_index":6797,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["endpoint",{"_index":527,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam
.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["endpoint\"'</cod",{"_index":9419,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["endpoint'",{"_index":5483,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/genai.html":{}}}],["endpoint.upd",{"_index":6341,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["endpoint_config",{"_index":9115,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["endpoint_config.is_public_ip_en",{"_index":9109,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["endpoint_ocid",{"_index":8720,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["endpoint_private_access",{"_index":2465,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpoint_public_access",{"_index":2464,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointaccess",{"_index":2529,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointconfig",{"_index":9132,"title":{},"breadcrumb":{},
"description":{},"body":{"oci/kubernetes.html":{}}}],["endpointconfig.ispublicipen",{"_index":9142,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["endpointprivateaccess",{"_index":2510,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointpublicaccess",{"_index":2509,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointpublicaccess=fals",{"_index":2568,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointpublicaccess=false,endpointprivateaccess=true,subnetids=subnet",{"_index":2496,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointpublicaccess=tru",{"_index":2561,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["endpointtyp",{"_index":8736,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["endswith",{"_index":4159,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["enforc",{"_index":173,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodol
ogy.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["enforced_block_and_audit_log",{"_index":6912,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["enforcedglobaladmincount",{"_index":4496,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["enforcement_mod",{"_index":7548,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["enforcementmod",{"_index":5461,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["engag",{"_index":1874,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/network.html":{},"oci/data.html":{}}}],["engin",{"_index":292,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/logging.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oc
i/network.html":{},"oci/workloads.html":{}}}],["engine.upd",{"_index":6308,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["engine/docs/concepts/secur",{"_index":8099,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["engine_vers",{"_index":822,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["engineer'",{"_index":3148,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/iam.html":{},"gcp/workloads.html":{}}}],["enhanc",{"_index":3680,"title":{},"breadcrumb":{},"description":{"oci/kubernetes.html":{}},"body":{"aws/workloads.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["enhanced_clust",{"_index":9099,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["enhancedclust",{"_index":9187,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["enhancedcluster.id",{"_index":9194,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["eni",{"_index":886,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["enisa",{"_index":7866,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["enough",{"_index":4786,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{}}}],["enrich",{"_index":8928,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["enrol",{"_index":1573,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir
.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["enrolled.</cod",{"_index":5351,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["ensur",{"_index":2433,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{}}}],["enter",{"_index":3118,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["enterpris",{"_index":5182,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{}}}],["entir",{"_index":165,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general
/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["entiti",{"_index":1372,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/ir.html":{},"general/ir.html":{}}}],["entitl",{"_index":1875,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"gcp/network.html":{},"oci/ir.html":{}}}],["entra",{"_index":1696,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/kubernetes.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["entri",{"_index":1238,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"gene
ral/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"search.html":{}}}],["entropi",{"_index":7774,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["entry_point",{"_index":6694,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["entrypoint",{"_index":7511,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["enum",{"_index":3884,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["enumer",{"_index":524,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["env",{"_index":3832,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{}}}],["env=prod",{"_index":2562,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["envelop",{"_index":2022,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/index.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["environ",{"_index":1638,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}
},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["environment",{"_index":6356,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["envoy",{"_index":8262,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["eof",{"_index":2685,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/iam.html":{}}}],["eot",{"_index":6620,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["ephemer",{"_index":761,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"gcp/network.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["episod",{"_index":2221,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["eq",{"_index":4464,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{}}}],["equal",{"_index":2124,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"general/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["equip",{"_index":7913,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/logging.h
tml":{}}}],["equival",{"_index":123,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["era",{"_index":5821,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["erad",{"_index":2037,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"oci/ir.html":{}}}],["eras",{"_index":2068,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{}}}],["erasur",{"_index":4024,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["eros",{"_index":4409,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/logging.html":{}}}],["errata",{"_index":8215,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["error",{"_index":1409,"title":{},"breadcrumb":{},"
description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["errorcod",{"_index":1673,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["escal",{"_index":912,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["escap",{"_index":2764,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/kubernetes.html":{}}}],["escrow",{"_index":4544,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/data.html":{}}}],["especi",{"_index":2004,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["essenti",{"_index":3455,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/methodology.html":{}}}],["establish",{"_index":2215,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/data.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["estat"
,{"_index":59,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"gcp/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["etc",{"_index":1520,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/network.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["etc/ssh/sshd_config",{"_index":7567,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["etcd",{"_index":2630,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["etcd.*\")</cod",{"_index":6901,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["eu",{"_index":716,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["europ",{"_index":5852,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["euw1",{"_index":5834,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{}}}],["euw1/cryptokeys/k",{"_index":5922,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["evad",{"_index":1268,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"oci/logging.html":{}}}],["eval",{"_index":8556,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":
{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["evalu",{"_index":326,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["evaluation_mod",{"_index":6931,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["evaluation_period",{"_index":2177,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evaluationmod",{"_index":6909,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["evaluationperiod",{"_index":2723,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["evaluationresults[].{action:evalactionname,decision:evaldecision}'</cod",{"_index":1060,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["evas",{"_index":2950,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["even",{"_index":327,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"g
cp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["event",{"_index":241,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["event/container/virtu",{"_index":7015,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["event_pattern",{"_index":2281,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["event_selector",{"_index":2998,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["event_threat_detect",{"_index":7160,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["event_trigg",{"_index":6706,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["event_typ",{"_index":6708,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["eventarc",{"_index":6576,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html"
:{}}}],["eventbridg",{"_index":2021,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{}},"body":{"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"general/methodology.html":{}}}],["eventbridge_invok",{"_index":2286,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["eventcategori",{"_index":2915,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["eventid",{"_index":2569,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["eventnam",{"_index":454,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["eventname</cod",{"_index":8603,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["eventname=session.cr",{"_index":9530,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["eventpattern",{"_index":2295,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["events\",\"fieldselector",{"_index":2896,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["events.amazonaws.com",{"_index":2260,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["events.amazonaws.com\",\"lambda.amazonaws.com",{"_index":2312,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["events:deleterul",{"_index":2303,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["events:disablerul",{"_index":2305,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["eventsourc",{"_index":460,"title":{},"breadcrumb"
:{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["eventtime)'</cod",{"_index":7168,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["eventtyp",{"_index":8983,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["eventtype\":[\"com.oraclecloud.identitycontrolplane.signin",{"_index":8964,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["eventu",{"_index":3499,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{}}}],["everyday",{"_index":3561,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["everyth",{"_index":2062,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["evid",{"_index":745,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"gcp/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["evidencebucket",{"_index":2376,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evidencebucketnam",{"_index":2374,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evidencebucketprop",{"_inde
x":2380,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evidencebucketstack",{"_index":2381,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evidencekey",{"_index":2383,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evidencekmskeyarn",{"_index":2375,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["evilginx",{"_index":7894,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["evolv",{"_index":2996,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ew",{"_index":4718,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ews.full_access_as_app",{"_index":8377,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["ex",{"_index":1526,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["exact",{"_index":2112,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["exactli",{"_index":1678,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/ir.html":{}}}]
,["exampl",{"_index":1513,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["example.com",{"_index":8264,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["exce",{"_index":1265,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["exceed",{"_index":2309,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/genai.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["except",{"_index":1777,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/genai.html":{},"general/iam.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["excess",{"_index":1043,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["exchang",{"_index":2592,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["exchangeactivesync",{"_index":4716,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["exclud",{"_index":298
6,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["excluded_group",{"_index":4674,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["excludegroup",{"_index":4540,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["exclus",{"_index":2822,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/genai.html":{}}}],["exclusion'",{"_index":3494,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["exclusiongroupid",{"_index":4780,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["exclusiongroupid}/${oid",{"_index":4781,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["excus",{"_index":8417,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["exec",{"_index":1315,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["exec'd",{"_index":8427,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["execut",{"_index":1186,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azu
re/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["executor",{"_index":7886,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["exempt",{"_index":5326,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{}}}],["exempted_memb",{"_index":7105,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["exemptedmemb",{"_index":7099,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["exercis",{"_index":1130,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["exfil",{"_index":3505,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/genai.html":{}}}],["exfiltr",{"_index":531,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html"
:{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["exhaust",{"_index":4213,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"oci/ir.html":{}}}],["exhibit",{"_index":6232,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/iam.html":{}}}],["exist",{"_index":9,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/netwo
rk.html":{},"oci/workloads.html":{}}}],["exit",{"_index":7609,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/methodology.html":{}}}],["expand",{"_index":7790,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["expans",{"_index":4385,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["expect",{"_index":760,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["expens",{"_index":787,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/workloads.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["experi",{"_index":1260,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{}}}],["expert",{"_index":8004,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["expir",{"_index":2133,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["expire_aft",{"_index":4065,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["expires:\"tim",{"_index":8506,"title":{},"brea
dcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["expiri",{"_index":8497,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["explain",{"_index":109,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"oci/iam.html":{}}}],["explicit",{"_index":708,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["explicitli",{"_index":92,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.h
tml":{},"oci/network.html":{},"oci/workloads.html":{}}}],["exploit",{"_index":2476,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["explor",{"_index":6778,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["export",{"_index":400,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["exportpolici",{"_index":5722,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["expos",{"_index":68,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.htm
l":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["exposur",{"_index":298,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["express",{"_index":2233,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["expressrout",{"_index":8271,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["ext",{"_index":4471,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["extend",{"_index":333,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/work
loads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["extens",{"_index":5090,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{},"oci/logging.html":{}}}],["extern",{"_index":703,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{}}}],["external_ir_view",{"_index":6754,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["externalid",{"_index":1985,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["extort",{"_index":8340,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["extract",{"_index":1891,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"general/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["extrem",{"_index":7817,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["extremist",{"_index":4304,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["ey",{"_index":4337,"title":{},"breadcrumb":{},"description":{},"body":{"azur
e/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{}}}],["f",{"_index":1647,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["f'\\t",{"_index":5974,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/workloads.html":{}}}],["f1,9,11",{"_index":1650,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["faa",{"_index":9447,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["fabric",{"_index":2107,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"general/network.html":{}}}],["face",{"_index":1433,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["facet",{"_index":3132,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["facil",{"_index":7917,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/shared-responsibility.html":{}}}],["facilit",{"_index":8018,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["facilitiescspcspcsp",{"_index":8295,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["fact",{"_index":6731,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["factor",{"_index":1565,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general
/methodology.html":{},"general/network.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["factual",{"_index":7850,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["fail",{"_index":1255,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["fail2ban",{"_index":9507,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["failur",{"_index":206,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["failurepolici",{"_index":8052,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["falco",{"_index":8424,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["fall",{"_index":627,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html"
:{},"azure/genai.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["fallback",{"_index":641,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/ir.html":{}}}],["fals",{"_index":433,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["false'</cod",{"_index":1839,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["false</cod",{"_index":3659,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["famili",{"_index":195,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["familiar",{"_index":7807,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/kubernetes.html":{},"oci/network.html":{}}}],["family\"))'</cod",{"_i
ndex":8707,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["family=debian",{"_index":5969,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["family=ubuntu",{"_index":7419,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["family_nam",{"_index":2164,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["familyname=responder,givenname=breakglass",{"_index":2143,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["fan",{"_index":2304,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["fanout",{"_index":6717,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["far",{"_index":4362,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{}}}],["fargat",{"_index":8305,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["farm",{"_index":7819,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["fast",{"_index":2134,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/logging.html":{}}}],["fastconnect",{"_index":8272,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/network.html":{}}}],["faster",{"_index":1416,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"general/workloads.html":{}}}],["fastest",{"_index":5824,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["fate",{"_index":8310,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["fatigu",{"_index":8148,"title":{},"breadcrumb":{},"
description":{},"body":{"general/logging.html":{}}}],["fbi",{"_index":7962,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["feasibl",{"_index":5898,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{}}}],["featur",{"_index":96,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["feb",{"_index":3860,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/compliance-frameworks.html":{}}}],["februari",{"_index":4435,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/compliance-frameworks.html":{}}}],["fed",{"_index":8118,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["feder",{"_index":1694,"title":{},"breadcrumb":{},"description":{"gcp/iam.html":{},"gcp/workloads.html":{},"general/iam.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general
/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["federatedus",{"_index":2001,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["federation/adf",{"_index":4523,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["fedramp",{"_index":7639,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["feed",{"_index":1683,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["feedback",{"_index":9335,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{},"oci/workloads.html":{}}}],["fell",{"_index":9167,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["fenc",{"_index":196,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["fetch",{"_index":3824,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/logging.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["few",{"_index":6775,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/workloads.html":{}}}],["fewer",{"_index":8406,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["ffiec",{"_index":8563,"title":{},"breadcrumb":{},"description":{},"body
":{"oci/data.html":{}}}],["fidel",{"_index":5447,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/genai.html":{},"general/data.html":{},"general/methodology.html":{}}}],["fido2",{"_index":1549,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["fido2/webauthn",{"_index":8370,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["fido_authenticator_en",{"_index":8868,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["fidoauthenticatoren",{"_index":8883,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["field",{"_index":481,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["field\":\"eventcategory\",\"equals\":[\"data",{"_index":2899,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["field\":\"eventcategory\",\"equals\":[\"manag",{"_index":2897,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["field\":\"resources.arn\",\"startswith",{"_index":2990,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["field\":\"resources.type\",\"equals\":[\"aws::lambda::funct",{"_index":2901,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["field\":\"resources.type\",\"equals\":[\"aws::s3::object",{"_index":2900,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["field_selector",{"_index":2914,"title":{},"breadcrumb
":{},"description":{},"body":{"aws/logging.html":{}}}],["fieldselector",{"_index":3007,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["fifteen_minut",{"_index":3157,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["figur",{"_index":8360,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["file",{"_index":1166,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["file(\"${path.module}/okta",{"_index":8913,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["file.</cod",{"_index":6111,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["file:///tmp/key",{"_index":944,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["file://canon",{"_index":668,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{}}}],["file://replication.json</cod",{"_index":2352,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["file://sess",{"_index":3626,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["file://wrap",{"_index":8579,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["file=op",{"_index":7592,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["file_copy_en",{"_index":5658,"title":{},"breadcrumb":{},"descripti
on":{},"body":{"azure/workloads.html":{}}}],["filenam",{"_index":2273,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["fileservic",{"_index":5258,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["fileservices/default",{"_index":5251,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["filesystem",{"_index":5098,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["fill",{"_index":2865,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/network.html":{},"oci/genai.html":{}}}],["filter",{"_index":459,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"search.html":{}}}],["filter=\"bindings.members:${sa_email",{"_index":6100,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["filter=\"bindings.role:roles/aiplatform",{"_index":6275,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["filter=\"bindings.role=roles/editor",{"_index":6546,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["filter=\"displayname:vertex",{"_index":6095,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["filter='attribut
es.category=(\"cryptomin",{"_index":6663,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["filter='bindings.role=roles/resourcemanager.organizationadmin",{"_index":6360,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["filter='category=~\"exfil|cryptomining|malware|suspicious|backdoor",{"_index":7165,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["filter='direction=ingress",{"_index":7260,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["filter='logname=\"organizations/org_id/logs/cloudaudit.googleapis.com%2fact",{"_index":6602,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["filter='metric.type=\"logging.googleapis.com/user/breakglass",{"_index":6608,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["filter='name=default",{"_index":7209,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["filter='state=\"act",{"_index":6660,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["filter_en",{"_index":4319,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["filter_typ",{"_index":3715,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["filteract",{"_index":3795,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["filtercriteria",{"_index":3796,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["filtered=fals",{"_index":4284,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["filtered=tru",{"_index":4283,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["filteria",{"_index":4289,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["filterjb",{"_index":4287,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["filterpattern",{"_index":2710,"title":{},"breadcr
umb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["filters_config",{"_index":1210,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["filtersconfig",{"_index":1220,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["fim",{"_index":5532,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["final",{"_index":8280,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["finalis",{"_index":7969,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["financ",{"_index":7616,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/index.html":{}}}],["financi",{"_index":679,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/data.html":{},"general/logging.html":{},"oci/genai.html":{}}}],["find",{"_index":13,"title":{},"breadcrumb":{},"description":{"404.html":{},"gcp/ir.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["finder'",{"_index":8934,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["finding.</cod",{"_index":4473,"title":{},"breadcrumb":{},"description"
:{},"body":{"azure/iam.html":{}}}],["finding_publishing_frequ",{"_index":3174,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["findingpublishingfrequ",{"_index":3186,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["findings.*\"))</cod",{"_index":6723,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["findings</cod",{"_index":2263,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["fine",{"_index":3882,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["fine_tun",{"_index":8787,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["fingerprint",{"_index":8935,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{}}}],["fingerprint></cod",{"_index":8946,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["finish",{"_index":7928,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/logging.html":{}}}],["fip",{"_index":3855,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/data.html":{}}}],["fire",{"_index":1680,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["firewal",{"_index":3218,"title":{},"breadcrumb":{},"description":{"azure/network.html":{},"gcp/network.html":{}},"body":{"aws/network.html":{},"azure/data.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/ind
ex.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["firewall_polici",{"_index":7267,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["firewallpolicies.patch",{"_index":7291,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["firewalls.insert",{"_index":7240,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["firm",{"_index":7929,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["firmwar",{"_index":5547,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["first",{"_index":154,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["five",{"_index":2687,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/iam
.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["fix",{"_index":868,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["flag",{"_index":432,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["flags=cloudsql.iam_authentication=on,log_connections=on,log_disconnections=on",{"_index":6023,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["flap",{"_index":1768,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["flash",{"_index":6205,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["flat",{"_index":2837,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/network.html":{}}}],["flatten=\"bind",{"_index":6099,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["flatten='bindings[].memb",{"_index":6359,"title":{},"breadcrumb":{},"description":{},"body":{
"gcp/iam.html":{}}}],["flatter",{"_index":8195,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["flavour",{"_index":3220,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/workloads.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["flaw",{"_index":8415,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["fleet",{"_index":491,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/workloads.html":{}}}],["flexibl",{"_index":7833,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"oci/network.html":{}}}],["flight",{"_index":846,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/workloads.html":{},"azure/genai.html":{},"gcp/iam.html":{}}}],["flip",{"_index":747,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["flood",{"_index":3230,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["floor",{"_index":2399,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"azure/
genai.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{}}}],["flop",{"_index":7856,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["flow",{"_index":885,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["flow_sampl",{"_index":7231,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["flush",{"_index":7088,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["fmem",{"_index":7997,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["fn",{"_index":2987,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["focal",{"_index":7582,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["focu",{"_index":4427,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["focus",{"_index":2821,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"general/data.html":{}}}],["fold",{"_index":5814,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"general/methodology.html":{}}}],["folder",{"_index":5801,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{
},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["folder'",{"_index":8113,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["folder/project",{"_index":7955,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["folder=folder_id_secur",{"_index":6733,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["folders/project",{"_index":6416,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["follow",{"_index":17,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/index.html":{}}}],["footer",{"_index":7688,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["foothold",{"_index":7946,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["footnot",{"_index":8287,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["footprint",{"_index":5134,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["for_each",{"_index":2156,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workload
s.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"oci/ir.html":{}}}],["forbid",{"_index":798,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"oci/iam.html":{}}}],["forbidden",{"_index":3407,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"general/methodology.html":{},"general/network.html":{},"oci/iam.html":{}}}],["forc",{"_index":220,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["force</cod",{"_index":9444,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["force_password_chang",{"_index":4760,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["forcedestroy",{"_index":5867,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["foreign",{"_index":797,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/network.html":{}}}],["forens",{"_index":917,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.h
tml":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["forensic=tru",{"_index":4927,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["forensic_evid",{"_index":6747,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["forensic_sub_id",{"_index":4872,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["forensicbackup",{"_index":9097,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["forensicbucket",{"_index":6761,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["forensickmskeyocid",{"_index":9095,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["foreseen",{"_index":295,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["forfeit",{"_index":7787,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{}}}],["forg",{"_index":2116,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/workloads.html":{},"oci/ir.html":{}}}],["forgeri",{"_index":2123,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["forget",{"_index":6267,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/network.html":{}}}],["forgot",{"_index":7415,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}
}}],["forgotten",{"_index":2132,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"general/data.html":{}}}],["fork",{"_index":6477,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["form",{"_index":4419,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["formal",{"_index":7838,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/shared-responsibility.html":{}}}],["formalis",{"_index":7837,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["format",{"_index":4328,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/workloads.html":{}}}],["format=\"json(auditconfig",{"_index":6242,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"json(nam",{"_index":6317,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"json(status.restrictedservices)\"</cod",{"_index":6138,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"table(bindings.rol",{"_index":6101,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"table(nam",{"_index":6273,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"value(email",{"_index":6096,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["format=\"value(nam",{"_index":7210,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["format=\"value(name,allowed,sourcerang",{"_inde
x":7263,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["format=\"value(name,iamconfiguration.publicaccessprevention,iamconfiguration.uniformbucketlevelaccess.en",{"_index":5842,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["format=\"value(name,zone,diskencryptionkey.kmskeynam",{"_index":5973,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["format=\"value(name,zone,networkinterfaces[].accessconfigs[].natip",{"_index":7486,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["format=\"value(name,zone,shieldedinstanceconfig.enablesecureboot,shieldedinstanceconfig.enablevtpm,shieldedinstanceconfig.enableintegritymonitor",{"_index":7425,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["format='json(auditconfigs)'</cod",{"_index":7102,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["format='table(nam",{"_index":7167,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["format='value(bindings.memb",{"_index":6361,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["format='value(bindings.members,bindings.role)'</cod",{"_index":6548,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["format='value(email",{"_index":6406,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["format='value(name,validaftertim",{"_index":6409,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["format='value(preferredmemberkey.id",{"_index":6437,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["format='value(projectid",{"_index":5840,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["format='value(projectnumb",{"_index":5914,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam
.html":{}}}],["format='value(serviceenablementst",{"_index":7164,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["format='value(writerident",{"_index":7050,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["format=dock",{"_index":7513,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["format=json",{"_index":6237,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["format_date(\"%y%m%d",{"_index":6790,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["formatdate(\"yyyi",{"_index":9546,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["formerli",{"_index":1690,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{}},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["forthcom",{"_index":7863,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["forti",{"_index":8416,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["forward",{"_index":1784,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["forwardingrules.insert",{"_index":7338,"title":{},"breadcrumb":{},"description":{}
,"body":{"gcp/network.html":{}}}],["found",{"_index":1,"title":{"404.html":{}},"breadcrumb":{"404.html":{}},"description":{},"body":{"404.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["foundat",{"_index":218,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["foundation_model",{"_index":1310,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["foundationci",{"_index":7711,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["foundationsci",{"_index":7708,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["foundri",{"_index":4204,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["four",{"_index":265,"title":{},"breadcrumb":{},"description":{"azure/data.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure
/logging.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"search.html":{}}}],["fourth",{"_index":7404,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/workloads.html":{}}}],["fpe",{"_index":5809,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["fqdn",{"_index":4959,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{},"general/network.html":{},"oci/network.html":{}}}],["fraction",{"_index":6650,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["fragil",{"_index":7943,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/workloads.html":{}}}],["fragment",{"_index":8780,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["frame",{"_index":3888,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/data.html":{},"general/index.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["framework",{"_index":134,"title":{"general/compliance-frameworks.html":{}},"breadcrumb":{"general/compliance-frameworks.html":{}},"description":{"general/index.html":{},"general/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network
.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["framework'",{"_index":5284,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/compliance-frameworks.html":{}}}],["frameworks.html",{"_index":5739,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["frankfurt",{"_index":8901,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/network.html":{}}}],["fraud",{"_index":4711,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["free",{"_index":3502,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["freeform_tag",{"_index":9541,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["freeformtags.audit",{"_index":9388,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["freez",{"_index":2668,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["frequenc",{"_index":3156,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/iam.
html":{}}}],["frequent",{"_index":852,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/iam.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["fresh",{"_index":1877,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/data.html":{}}}],["freshli",{"_index":5686,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/iam.html":{},"oci/workloads.html":{}}}],["friction",{"_index":1641,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/logging.html":{},"general/genai.html":{}}}],["friendli",{"_index":4456,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{}}}],["from=1024,to=65535",{"_index":3414,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["from=443,to=443",{"_index":3415,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["from_plan_job",{"_index":8532,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["from_port",{"_index":1475,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["fromimag",{"_index":5617,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["fromport",{"_index":3350,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["fromport\":1433",{"_index":3389,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.h
tml":{}}}],["fromport\":22",{"_index":3386,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["fromport\":3389",{"_index":3387,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["fromport\":5985",{"_index":3388,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["front",{"_index":144,"title":{},"breadcrumb":{},"description":{"azure/network.html":{}},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/network.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["frontier",{"_index":1037,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["fs",{"_index":6595,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["fsbp",{"_index":2863,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["fss",{"_index":8476,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["ft%tz",{"_index":4886,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["full",{"_index":442,"title":{},"breadcrumb":{},"description":{"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html"
:{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"search.html":{}}}],["fullaccess",{"_index":1330,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{}}}],["fulli",{"_index":878,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{},"oci/data.html":{}}}],["function",{"_index":1279,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{},"gcp/ir.html":{},"oci/workloads.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["function'",{"_index":2250,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/workloads.html":{}}}],["function_nam",{"_index":2268,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["functions.delet",{"_index":6715,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["functions[?contains(role,`lambda_basic_execution`)].[functionname,rol",{"_index":3841,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["further",{"_index":1358,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/ia
m.html":{},"gcp/iam.html":{},"oci/workloads.html":{}}}],["futur",{"_index":331,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{}}}],["fw",{"_index":7247,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["g",{"_index":5014,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["g10.12",{"_index":5781,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["g10.7",{"_index":5780,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["g13",{"_index":9233,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["g16.3",{"_index":8063,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["ga",{"_index":2578,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["ga_elig",{"_index":4614,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ga_role_id=$(az",{"_index":4462,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ga_template_id",{"_index":4465,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ga_template_id=\"62e90394",{"_index":4457,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["ga_via_group",{"_index":4616,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["gaassign",{"_index":4492,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["gain",{"_index":6270,"title":{},"breadcrumb":{},"description":{},"body":{"gc
p/genai.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/logging.html":{}}}],["galleri",{"_index":5511,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"azure/workloads.html":{}}}],["game",{"_index":8017,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["gap",{"_index":522,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["garden",{"_index":6085,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"gcp/genai.html":{},"gcp/index.html":{}}}],["gate",{"_index":332,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodo
logy.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["gatekeep",{"_index":5093,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["gatekeeper'",{"_index":5125,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["gateway",{"_index":201,"title":{},"breadcrumb":{},"description":{"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/network.html":{},"general/genai.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["gb",{"_index":5166,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["gc",{"_index":5826,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/logging.html":{},"oci/data.html":{}}}],["gce",{"_index":6872,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gcloud",{"_index":5827,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"index.html":{}}}],["gcm",{"_index":7755,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["gcp",{"_index":130,"title":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}},"breadcrumb":{"gcp/data.html":{},"gcp/genai.h
tml":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}},"description":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["gcp'",{"_index":3402,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/iam.html":{}}}],["gcp.compute.firewall(\"deni",{"_index":7286,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["gcp.compute.instance(\"harden",{"_index":7457,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["gcp.container.cluster(\"harden",{"_index":6833,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gcp.logging.organizationsin
k(\"org",{"_index":7082,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gcp.organizations.iambinding(\"org",{"_index":6377,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["gcp.organizations.iammember(\"break",{"_index":6637,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["gcp.orgpolicy.policy(\"dis",{"_index":6418,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["gcp.projects.iammember(\"vertex",{"_index":6118,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["gcp.restrictnoncmekservic",{"_index":6003,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["gcp.securitycenter.organizationcustommodule(\"scc",{"_index":7178,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gcp.serviceaccount.account(\"vertex",{"_index":6116,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["gcp.storage.bucket(\"forens",{"_index":6762,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["gcp.storage.bucket(\"harden",{"_index":5866,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["gcp/data.html",{"_index":7730,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["gcp/genai.html",{"_index":5758,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["gcp/iam.html",{"_index":6802,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gcp/ir.html",{"_index":7018,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gcp/kubernetes.html",{"_index":5766,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["gcp/logging.html",{"_index":6804,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/logging.html":{}}}],["gcp/network.html",{"_index":6803,"title":{},"breadcrumb":{},"descr
iption":{},"body":{"gcp/kubernetes.html":{},"general/network.html":{}}}],["gcp/workloads.html",{"_index":8395,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["gcp_organization_id=org_id</cod",{"_index":7133,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gcp_project_id=project_id",{"_index":7132,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gcpkms://projects/svc",{"_index":7527,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["gd",{"_index":2259,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["gd.cfndetector(thi",{"_index":3192,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["gd_critic",{"_index":2280,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["gd_quarantin",{"_index":2267,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["gdpr",{"_index":4027,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/data.html":{},"general/ir.html":{},"oci/genai.html":{}}}],["gemini",{"_index":6083,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{}}}],["gen",{"_index":6577,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{}}}],["gen1",{"_index":5541,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["gen2",{"_index":5539,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/ir.html":{}}}],["gen2:latest",{"_index":5564,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["gen:storageprofile.imagereference.sku",{"_index":5558,"title":{},"breadcrumb":{},"description":{},"body"
:{"azure/workloads.html":{}}}],["genai",{"_index":983,"title":{"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{}},"breadcrumb":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}},"description":{"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"azure/index.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"general/index.html":{},"index.html":{},"oci/genai.html":{},"oci/index.html":{}}}],["genai_admin",{"_index":8712,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genai_admin_polici",{"_index":8713,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genai_infer",{"_index":8681,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genai_inference_polici",{"_index":8710,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genai_priv",{"_index":8743,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaicompart",{"_index":8686,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaicompartment.id",{"_index":8693,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaicompartmentocid",{"_index":8695,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaifencepolici",{"_index":8689,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaiop",{"_index":8694,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["genaiworkload",{"_index":8692,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["gener",{"_index":110,"title":{"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/gena
i.html":{}},"breadcrumb":{"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}},"description":{"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["general/compli",{"_index":5738,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["general/data.html",{"_index":8233,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["general/genai.html",{"_index":5755,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"
oci/genai.html":{}}}],["general/genai.html#common",{"_index":6177,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["general/iam.html",{"_index":3545,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"general/network.html":{},"oci/workloads.html":{}}}],["general/ir.html",{"_index":528,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["general/kubernetes.html",{"_index":2454,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["general/logging.html",{"_index":7799,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["general/methodology.html",{"_index":5777,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["general/network.html",{"_index":7780,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{}}}],["general/threat",{"_index":7870,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/logging.html":{},"general/network.html":{}}}],["general/workloads.html",{"_index":7906,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["generateaccesstoken",{"_index":6538,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],[
"generatecont",{"_index":6209,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["generatecontentrequest",{"_index":6179,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["generatedatakey",{"_index":9281,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["generationconfig",{"_index":6218,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["generativemodel",{"_index":6193,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["generativemodel(\"gemini",{"_index":6204,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["genuin",{"_index":2471,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/iam.html":{},"gcp/workloads.html":{}}}],["geo",{"_index":4873,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["geograph",{"_index":7829,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["geographi",{"_index":4174,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/logging.html":{}}}],["get",{"_index":3571,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["getblob",{"_index":4010,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["geteventselector",{"_index":3025,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["getiampolici",{"_index":7092,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["getobject",{"_index":525,"title":{},"breadcrumb":{},"description":{},"b
ody":{"aws/data.html":{},"aws/logging.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["gh_pat\"</cod",{"_index":5696,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["git",{"_index":1632,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["github",{"_index":2073,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["github.com/aquasecurity/kub",{"_index":8080,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["github.com/artur12555/cloud_harden",{"_index":8216,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["github/azur",{"_index":4209,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["gitlab",{"_index":6475,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/iam.html":{}}}],["gitop",{"_index":5062,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["give",{"_index":1346,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["given",{"_index":8125,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["given_nam",{"_index":2165,"title":{},"breadcrumb":{},"description":{},"bod
y":{"aws/ir.html":{}}}],["gke",{"_index":2575,"title":{"gcp/kubernetes.html":{}},"breadcrumb":{},"description":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["gke/contain",{"_index":6999,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gke_audit",{"_index":6993,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gke_metadata",{"_index":6871,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gke_metadata</cod",{"_index":6979,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gkesubnet.id",{"_index":6837,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["gkevpc.id",{"_index":6835,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["glacier",{"_index":2396,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"general/logging.html":{}}}],["glass",{"_index":894,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"index.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["glass@example.com",{"_index":8993,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["glibc",{"_index":5685,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.h
tml":{},"oci/workloads.html":{}}}],["global",{"_index":302,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["global_admin",{"_index":4480,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["global_policy_evaluation_mod",{"_index":7551,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["globaladminobjectid",{"_index":4488,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["globaladminroleid",{"_index":4490,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["globalpolicyevaluationmod",{"_index":6940,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["globalsignout",{"_index":7978,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["go",{"_index":803,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/logging.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["goal",{"_index":7977,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["goe",{"_index":4782,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"oci/workloads.html":{}}}],["golden",{"_index":3535,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{},"gcp/workloads.html":{}},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/logging.html":{}}}
],["gone",{"_index":4037,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["good",{"_index":3409,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["goodwil",{"_index":8163,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["googl",{"_index":2095,"title":{},"breadcrumb":{},"description":{"gcp/kubernetes.html":{},"gcp/network.html":{}},"body":{"aws/ir.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["google'",{"_index":5897,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{}}}],["google.cloud.pubsub.topic.v1.messagepublish",{"_index":6709,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google.iam.admin.v1.setiampolici",{"_index":6796,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google.subject",{"_index":6499,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_access_context_manager_access_polici",{"_index":6139,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_access_context_manager_service_perimet",{"_i
ndex":6141,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_artifact_registry_repositori",{"_index":7530,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_bigquery_dataset",{"_index":7055,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_bigquery_dataset.org_audit.dataset_id",{"_index":7075,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_bigquery_dataset_iam_memb",{"_index":7073,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_bigquery_routin",{"_index":6771,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_binary_authorization_attestor",{"_index":6925,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["google_binary_authorization_attestor.built_by_prod_ci.nam",{"_index":7550,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_binary_authorization_polici",{"_index":6923,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["google_cloud_identity_group",{"_index":6445,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_cloud_identity_group.admins.id",{"_index":6451,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_cloud_identity_group_membership",{"_index":6449,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_cloudfunctions2_funct",{"_index":6691,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_compute_disk",{"_index":5979,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_compute_firewal",{"_index":7275,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_firewall_polici",{"_index":7264,"title":{},"breadcrumb":{},"descri
ption":{},"body":{"gcp/network.html":{}}}],["google_compute_firewall_policy.org_no_admin_ingress.id",{"_index":7268,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_firewall_policy_associ",{"_index":7272,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_firewall_policy_rul",{"_index":7266,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_forwarding_rul",{"_index":7370,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_global_address",{"_index":7362,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_global_address.psc_google_apis.id",{"_index":7368,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_global_forwarding_rul",{"_index":7366,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_inst",{"_index":7432,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_compute_network",{"_index":7218,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_network.vpc_app_prod.id",{"_index":6048,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{}}}],["google_compute_network.vpc_app_prod.nam",{"_index":7277,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_project_metadata",{"_index":7490,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_compute_project_metadata_item",{"_index":7595,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_compute_subnetwork",{"_index":7223,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_compute_subnetwork.snet_psc_euw1.id",{"_index":7372,"title":{},"breadcrumb":{},"description":{},"body"
:{"gcp/network.html":{}}}],["google_container_analysis_not",{"_index":7534,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_container_analysis_note.built_by_prod_ci_note.nam",{"_index":7540,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_container_clust",{"_index":6806,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_container_cluster.hardened.nam",{"_index":6960,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_container_node_pool",{"_index":6958,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_container_note.build_note.nam",{"_index":6929,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_dns_managed_zon",{"_index":7317,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_dns_managed_zone.googleapis_private.nam",{"_index":7325,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_dns_record_set",{"_index":7322,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["google_iam_workload_identity_pool",{"_index":6493,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_iam_workload_identity_pool.github.workload_identity_pool_id",{"_index":6496,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_iam_workload_identity_pool_provid",{"_index":6495,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_iap_tunnel_instance_iam_memb",{"_index":7495,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_kms_crypto_key",{"_index":5927,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["google_kms_crypto_key.bucket.id",{"_index":5854,"title":{},"breadcrumb":{},"description":
{},"body":{"gcp/data.html":{}}}],["google_kms_crypto_key.disk.id",{"_index":5977,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_kms_crypto_key.k8s_secrets.id",{"_index":6885,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_kms_crypto_key.sql.id",{"_index":6036,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_kms_crypto_key.vertex_ai_key.id",{"_index":6325,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_kms_crypto_key_iam_memb",{"_index":5938,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["google_kms_crypto_key_iam_member.sql_service_ag",{"_index":6057,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_kms_crypto_key_iam_member.vertex_ai_kms_access",{"_index":6331,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_kms_key_r",{"_index":5924,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["google_kms_key_ring.app_prod_euw1.id",{"_index":5929,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_kms_key_ring.k8s_keyring.id",{"_index":6884,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_kms_key_ring.vertex_ai_keyring.id",{"_index":6323,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_logging_metr",{"_index":6618,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_logging_organization_sink",{"_index":7062,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_logging_organization_sink.org_audit_bq.writer_ident",{"_index":7077,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_logging_organization_sink.org_audit_storage.writer_ident",{"_index":7072,"ti
tle":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_logging_project_sink",{"_index":6253,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_model_armor_",{"_index":6182,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_monitoring_alert_polici",{"_index":6626,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_org_policy_polici",{"_index":5843,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["google_organization_iam_audit_config",{"_index":7103,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_organization_iam_bind",{"_index":6367,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_organization_iam_memb",{"_index":6613,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_os_config_os_policy_assign",{"_index":7597,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_project",{"_index":5936,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_project_iam_audit_config",{"_index":6249,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["google_project_iam_memb",{"_index":6108,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/workloads.html":{}}}],["google_project_servic",{"_index":7593,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["google_pubsub_subscript",{"_index":6687,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_pubsub_top",{"_index":6676,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_pubsub_topic.scc_findings.id",{"_index":6682,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp
/logging.html":{}}}],["google_scc_notification_config",{"_index":6679,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["google_scc_organization_custom_modul",{"_index":7135,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_scc_sourc",{"_index":7143,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_service_account",{"_index":6104,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/ir.html":{}}}],["google_service_account.app.nam",{"_index":6857,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["google_service_account.containment_sa.email",{"_index":6701,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_service_account.deploy.nam",{"_index":6512,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["google_service_account_iam_bind",{"_index":6509,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["google_sql_database_inst",{"_index":6039,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["google_storage_bucket",{"_index":5849,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["google_storage_bucket.forensic_evidence.nam",{"_index":6751,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["google_storage_bucket.org_audit_logs.nam",{"_index":7070,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["google_storage_bucket_iam_memb",{"_index":6286,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["google_symmetric_encrypt",{"_index":5934,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["google_vertex_ai_endpoint",{"_index":6211,"title":{},"breadcrumb":{},"description
":{},"body":{"gcp/genai.html":{}}}],["google_vertex_ai_index",{"_index":6289,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_vertex_ai_index_endpoint",{"_index":6298,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["google_vertex_ai_safety_filt",{"_index":6181,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["googleapi",{"_index":7304,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["googleapis.com",{"_index":7300,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["googleapis_priv",{"_index":7318,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["googleapis_wildcard",{"_index":7323,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["googlecloudplatform",{"_index":7118,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gov",{"_index":72,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["gov.amazonaws.com",{"_index":1515,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["gov.com",{"_index":2035,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{}}}],["govcloud",{"_index":63,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{}}}],["govern",{"_index":335,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":
{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["govern/identify/protect/detect/respond/recov",{"_index":7621,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["gpai",{"_index":4305,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{}}}],["gpgkey",{"_index":7583,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["gpt",{"_index":4329,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["gpu",{"_index":6652,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/workloads.html":{},"oci/genai.html":{}}}],["gr",{"_index":4889,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["grace",{"_index":2673,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"oci/logging.html":{}}}],["grade",{"_index":2092,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["gradient",{"_index":8293,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["grain",{"_index":3883,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/network.html":{}}}],["grant",{"_index":199,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html
":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["grant_control",{"_index":4675,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["grantcontrol",{"_index":4663,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["grants.yaml",{"_index":6544,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["granular",{"_index":541,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/network.html":{},"general/iam.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["graph",{"_index":571,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/logging.html":{}}}],["greater",{"_index":9610,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["greater_than_or_equal_to",{"_index":9034,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["greaterthan",{"_index":4777,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["greaterthanorequaltothreshold",{"_index":2176,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["greaterthanthreshold",{"_index":2726,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["green",{"_index":5544,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"oci/kubernetes.html":{}}}],["grep",{"_index":589,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/
ir.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["ground",{"_index":6084,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"gcp/genai.html":{},"gcp/index.html":{},"general/threat-model.html":{}}}],["grounding/retriev",{"_index":6087,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["group",{"_index":300,"title":{},"breadcrumb":{},"description":{"aws/network.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["group'",{"_index":2750,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/ir.html":{}}}],["group/resourc",{"_index":4425,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["group:al",{"_index":6123,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["group:extern",{"_index":6755,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["group:gcp",{"_index":6370,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["group_id",{"_index":4620,"title":{},"breadcrumb":{},"description":{},"b
ody":{"azure/iam.html":{},"azure/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["group_id=$(az",{"_index":4748,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["group_key",{"_index":6447,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["group_object_id",{"_index":4559,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["groupdescript",{"_index":3347,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["groupid",{"_index":4358,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{},"oci/iam.html":{}}}],["groupkey",{"_index":6458,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["groupnam",{"_index":2858,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"oci/iam.html":{}}}],["grow",{"_index":1702,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/kubernetes.html":{},"oci/workloads.html":{}}}],["grown",{"_index":8357,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["grub2",{"_index":5553,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["gs://${rag_source_bucket",{"_index":6277,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["gs://${var.rag_source_bucket}/embed",{"_index":6293,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["gs://app",{"_index":5833,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["gs://bucket/object#gener",{"_index":6770,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["gs://forens",{"_index":6735,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["gs://legaci",{"_index":5839,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["gs://org",{"_index":7037,"title":{},"breadcrum
b":{},"description":{},"body":{"gcp/logging.html":{}}}],["gs://sensit",{"_index":7094,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["gsutil",{"_index":5962,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{}}}],["guarante",{"_index":3041,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["guard",{"_index":434,"title":{},"breadcrumb":{},"description":{"oci/ir.html":{},"oci/logging.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"gcp/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["guard'",{"_index":8953,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["guardduti",{"_index":1624,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["guardduty'",{"_index":2226,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["guardduty.amazonaws.com",{"_index":3206,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guardduty:deletedetector",{"_index":3196,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guardduty:deletememb",{"_index":3202,"title":{},"breadcrumb":{},"description":{},"body":{"aws/log
ging.html":{}}}],["guardduty:disassociatememb",{"_index":3201,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guardduty:updatedetector",{"_index":3198,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guarddutydetector",{"_index":3184,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guarddutydetectorstack",{"_index":3191,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["guardrail",{"_index":984,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"oci/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{}}}],["guardrail_id",{"_index":1195,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["guardrails[].{id:guardrailid,name:name,version:version,status:status}'</cod",{"_index":1393,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["guess",{"_index":3908,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/network.html":{},"general/threat-model.html":{}}}],["guest",{"_index":4109,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{}}}],["guest'",{"_index":7409,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["guid",{"_index":5,"title":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.
html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{},"general/methodology.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"search.html":{}}}],["guid(aks.id",{"_index":5154,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["guid(aoairesourceid",{"_index":4378,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["guid(managementgroup().id",{"_index":4494,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["guidanc",{"_index":2224,"t
itle":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["guidance)iso/iec",{"_index":7718,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["guide'",{"_index":5737,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/threat-model.html":{}}}],["guidelin",{"_index":7764,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/iam.html":{}}}],["gvisor",{"_index":6571,"title":{},"breadcrumb":{},"description":{"gcp/kubernetes.html":{}},"body":{"gcp/index.html":{}}}],["gymnast",{"_index":2443,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["h",{"_index":6441,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["h:%p",{"_index":9527,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["habit",{"_index":3381,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/iam.html":{}}}],["hack",{"_index":8372,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["half",{"_index":2231,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["halt",{"_index":3088,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/logging.html":{}}}],["halv",{"_index":7786,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/shared-responsibility.html":{}}}],["hand",{"_index":3826,"title":{},"breadcrumb":{},"descript
ion":{},"body":{"aws/workloads.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"index.html":{},"oci/workloads.html":{}}}],["handl",{"_index":2065,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["handle_find",{"_index":6695,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["handler",{"_index":2270,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/logging.html":{},"oci/ir.html":{}}}],["handoff",{"_index":2051,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["handshak",{"_index":3570,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/network.html":{}}}],["happen",{"_index":2049,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["harass",{"_index":6186,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["hard",{"_index":1964,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["hardcod",{"_index":4211,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{
}}}],["harden",{"_index":4,"title":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.
html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["hardened_default",{"_index":9470,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["hardened_nod",{"_index":6959,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["hardenedbucket",{"_index":5865,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["hardenedclust",{"_index":6832,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["hardenedinst",{"_index":9479,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["hardenedinstance.id",{"_index":9497,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["hardenednacl",{"_index":3432,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["hardenedvm",{"_index":7456,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["hardeningcustomersharedshar",{"_index":8302,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["harder",{"_index":
2307,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"general/ir.html":{},"oci/data.html":{}}}],["hardest",{"_index":3871,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["hardwar",{"_index":1548,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["hardware/virtu",{"_index":1570,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["hardwareprofil",{"_index":5601,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["harm",{"_index":1180,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/data.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["harm_category_",{"_index":6214,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harm_category_dangerous_cont",{"_index":6174,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harm_category_harass",{"_index":6175,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harm_category_hate_speech",{"_index":6173,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harm_category_sexually_explicit",{"_index":6176,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harmblockthreshold",{"_index":6196,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harmcategori",{"_index":6195,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["harvest",{"_index":4448,"title":{},"breadcrumb":{},"description":{}
,"body":{"azure/iam.html":{},"azure/logging.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["has_ani",{"_index":5469,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["hash",{"_index":2675,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/logging.html":{}}}],["hashicorp",{"_index":9106,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["hashicorp/aw",{"_index":1201,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{}}}],["hashicorp/azuread",{"_index":4476,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["hashicorp/azurerm",{"_index":4935,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["hashicorp/googl",{"_index":6180,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["hasn't",{"_index":4597,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["hatch",{"_index":3449,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["hate",{"_index":1364,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"oci/genai.html":{}}}],["hate/insults/sexual/violence/misconduct",{"_index":1400,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["have",{"_index":228,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/ir.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["hcl",{"_index":350,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.h
tml":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["head",{"_index":2680,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["header",{"_index":2452,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["health",{"_index":5089,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/workloads.html":{}}}],["healthcar",{"_index":7750,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/genai.html":{}}}],["healthi",{"_index":3113,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{}}}],["heartbeat",{"_index":4411,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["heatmap",{"_index":8146,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["heavili",{"_index":8056,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["held",{"_index":1711,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/work
loads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{}}}],["hello",{"_index":4646,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{}}}],["helm",{"_index":8067,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["help",{"_index":7385,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["helpdesk",{"_index":1868,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["here",{"_index":239,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["hermet",{"_index":8440,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["heurist",{"_index":7021,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"oci/iam.html":{}}}],["hfp",{"_index":7248,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["hide",{"_index":5551,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"compliance-matrix.html":{},"general/shared-responsibility.html":{}}}],["hierarch",{"_index":3403,"
title":{},"breadcrumb":{},"description":{"gcp/network.html":{}},"body":{"aws/network.html":{},"azure/ir.html":{},"gcp/index.html":{},"gcp/network.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"oci/network.html":{}}}],["hierarchi",{"_index":6345,"title":{},"breadcrumb":{},"description":{"oci/iam.html":{}},"body":{"gcp/iam.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["high",{"_index":498,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["high+crit",{"_index":7176,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["high/crit",{"_index":4816,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["high/medium",{"_index":1537,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["high</cod",{"_index":1198,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"
aws/workloads.html":{}}}],["higher",{"_index":3447,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/ir.html":{},"general/logging.html":{}}}],["highest",{"_index":185,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/iam.html":{},"general/data.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["highli",{"_index":8779,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["highsevguarddutyrul",{"_index":2292,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["hijack",{"_index":1501,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/network.html":{}}}],["hint",{"_index":7537,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["hipaa",{"_index":2339,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["hipaa'",{"_index":8121,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["histor",{"_index":1712,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["histori",{"_index":290,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workload
s.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["hit",{"_index":2560,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{}}}],["hmac",{"_index":2879,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["hoc",{"_index":3391,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/logging.html":{}}}],["hold",{"_index":312,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["holder",{"_index":1688,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"oci/data.html":{}}}],["home",{"_index":6,"title":{},"breadcrumb":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":
{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"description":{},"body":{"404.html":{},"aws/logging.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["home/azureuser/.ssh/authorized_key",{"_index":5612,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["home_region",{"_index":8905,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["honour",{"_index":5517,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["hook",{"_index":2317,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/iam.html":{}}}],["hop",{"_index":2023,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/network.html":{}}}],["horizon",{"_index":5181,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/network.html":{},"oci/logging.html":{}}}],["horizont",{"_index":5762,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["host",{"_index":1001,"title":{},"breadcrumb":{},"description":{"oci/workloads.html":{}},"body":{"aws/genai.html":
{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["host=127.0.0.1",{"_index":6028,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["hostil",{"_index":7779,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/genai.html":{}}}],["hostnam",{"_index":8240,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/data.html":{},"oci/network.html":{}}}],["hostnetwork",{"_index":5129,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["hostpath",{"_index":5096,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{}}}],["hostpid",{"_index":8047,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"general/workloads.html":{}}}],["hosts/network/datacent",{"_index":8308,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["hot",{"_index":5204,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/logging.html":{}}}],["hotlin",{"_index":7961,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["hour",{"_index":317,"title":{},"breadcrumb":{},"description":{},"body":{"
aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["hourli",{"_index":6725,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"oci/kubernetes.html":{}}}],["hous",{"_index":8001,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["housekeep",{"_index":2077,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["hover",{"_index":5745,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["href",{"_index":7865,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"oci/logging.html":{}}}],["href=\"compli",{"_index":9630,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["href=\"general/index.html\">gener",{"_index":9636,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["href=\"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/fin",{"_index":8197,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["href=\"index.html\">home</a",{"_index":9639,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["hri",{"_index":1783,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["hsm",{"_index":3856,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads
.html":{}}}],["html",{"_index":1015,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/methodology.html":{},"index.html":{},"oci/genai.html":{}}}],["html\"><a",{"_index":8196,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["http",{"_index":1472,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/workloads.html":{}}}],["http://169.254.169.254/latest/meta",{"_index":2765,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"general/threat-model.html":{}}}],["http://169.254.169.254/opc/v1/inst",{"_index":9451,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["http://www.okta.com/exk1abcdefghijkl",{"_index":8912,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["http_endpoint",{"_index":2776,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["http_put_response_hop_limit",{"_index":2754,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["http_token",{"_index":2753,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["http_tokens=requir",{"_index":2758,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["httpendpoint",{"_index":2799,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["httpputresponsehoplimit",{"_index":2801,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["https://admin.googleapis.com/admin/directory/v1/users/admin@example.com?projection=ful",{"
_index":6442,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["https://events.pagerduty.com/integration/$pagerduty_key/enqueue\"</cod",{"_index":8969,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["https://events.pagerduty.com/integration/${var.pagerduty_key}/enqueu",{"_index":8981,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["https://example.com/org/harden",{"_index":8524,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["https://github.com/artur12555/cloud_hardening/issues/new",{"_index":8217,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["https://github.com/example/app.git",{"_index":5694,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["https://github.com/googlecloudplatform/inspec",{"_index":7130,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["https://graph.microsoft.com/v1.0",{"_index":4440,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://graph.microsoft.com/v1.0/directoryobjects/$user_id",{"_index":4752,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["https://graph.microsoft.com/v1.0/directoryroles/${ga_role_id}/memb",{"_index":4467,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://graph.microsoft.com/v1.0/directoryroles/${ga_role_id}/members/${user_id}/\\$ref\"</cod",{"_index":4612,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://graph.microsoft.com/v1.0/directoryroles/roletemplateid=62e90394",{"_index":4749,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["https://graph.microsoft.com/v1.0/directoryroles?\\$filter=roletemplateid",{"_index":4463,"title":
{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://graph.microsoft.com/v1.0/identity/conditionalaccess/polici",{"_index":4541,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://graph.microsoft.com/v1.0/rolemanagement/directory/roleeligibilityschedulerequest",{"_index":4602,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["https://management.azure.com/subscriptions/$(az",{"_index":5295,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["https://packages.cloud.google.com/apt",{"_index":7581,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["https://packages.cloud.google.com/apt/doc/apt",{"_index":7584,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["https://schema.management.azure.com/providers/microsoft.logic/schemas/2016",{"_index":4848,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["https://token.actions.githubusercontent.com",{"_index":6508,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["https://{endpoint}/contentsafety/text:shieldprompt?api",{"_index":4266,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["https://{endpoint}/openai/rai/policies?api",{"_index":4308,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["httptoken",{"_index":2800,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["httptokens=opt",{"_index":2823,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["httptokens=requir",{"_index":3594,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["hub",{"_index":2017,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{},"oci/workloads.html":{}},"body":{"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.
html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["hub'",{"_index":8114,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/network.html":{}}}],["hub/spok",{"_index":5389,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["human",{"_index":1124,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["human'",{"_index":1780,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["human_readable_nam",{"_index":7538,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["hundr",{"_index":3244,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/iam.html":{}}}],["hunt",{"_index":4727,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{}},"body":{"azure/ir.html":{},"gcp/ir.html":{}}}],["hurri",{"_index":4742,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/iam.html":{}}}],["hybrid",{"_index":4703,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/network.html":{},"general/workloads.html":{}}}],["hygien",{"_index":1785,"title":{},"breadcrumb":{},"description":{
},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["hyok",{"_index":7759,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/data.html":{}}}],["hyper",{"_index":5512,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["hyperlink",{"_index":5741,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}}}],["hyperscal",{"_index":8286,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["hypervisor",{"_index":4108,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/kubernetes.html":{},"general/index.html":{},"general/shared-responsibility.html":{}}}],["hypervisorcspcspcsp",{"_index":8296,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["hypothesi",{"_index":8137,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["hypothet",{"_index":8019,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["ia",{"_index":1112,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["iaa",{"_index":7918,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"general/index.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["iaas/paas/saa",{"_index":8292,"title":{},"br
eadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["iac",{"_index":81,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["iam",{"_index":564,"title":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{},"oci/iam.html":{}},"breadcrumb":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{},"oci/iam.html":{}},"description":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"general/iam.html":{},"general/index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}
,"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["iam.allowedpolicymemberdomain",{"_index":6394,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iam.amazonaw",{"_index":2034,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["iam.amazonaws.com",{"_index":1137,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam.arnprincipal(props.appprincipalarn",{"_index":1100,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam.arnprincipal(props.emergencyresponderarn).withcondit",{"_index":2194,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["iam.automaticiamgrantsfordefaultserviceaccount",{"_index":6540,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iam.cnrm.cloud.google.com/v1beta1",{"_index":6112,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{}}}],["iam.disableserviceaccountkeycr",{"_index":6395,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iam.effect.allow",{"_index":1843,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam.effect.deni",{"_index":1845,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam.gke.io/gcp",{"_index":6863,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["iam.googleapis.com",{"_index":6516,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{
},"gcp/logging.html":{}}}],["iam.googleapis.com/serviceaccountkey",{"_index":6428,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/logging.html":{}}}],["iam.html",{"_index":7682,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["iam.managedpolicy(thi",{"_index":1093,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["iam.managedpolicy.fromawsmanagedpolicyname('administratoraccess",{"_index":2195,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["iam.policydocu",{"_index":1842,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam.policystat",{"_index":1095,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["iam.role(thi",{"_index":1098,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{}}}],["iam.serviceaccounts.getaccesstoken",{"_index":6400,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iam.serviceprincipal('bedrock.amazonaws.com",{"_index":1325,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam.u",{"_index":1514,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam.workloadidentitypoolprovid",{"_index":6526,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iam/rbac",{"_index":2607,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["iam:attachrolepolici",{"_index":1121,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam:attachuserpolici",{"_index":1120,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam:changepassword",{"_index":1836,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:createaccesskey",{"_index":1657,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}
,"aws/ir.html":{}}}],["iam:createrol",{"_index":1131,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{}}}],["iam:createvirtualmfadevic",{"_index":1813,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:enablemfadevic",{"_index":1814,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:getus",{"_index":1815,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:listmfadevic",{"_index":1816,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:listus",{"_index":1758,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:listvirtualmfadevic",{"_index":1817,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:passrol",{"_index":3282,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["iam:putrolepolici",{"_index":1132,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam:resyncmfadevic",{"_index":1818,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam:simulateprincipalpolici",{"_index":1144,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["iam:updateaccesskey",{"_index":1658,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iam_servic",{"_index":7107,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["iamconfiguration.publicaccessprevent",{"_index":5873,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["iamcredenti",{"_index":6124,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["iamcredentials.googleapis.com/generateaccesstoken",{"_index":6531,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iamcredentials.tokens.revok",{"_index":6537,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iampartialpolici",{"_index":6372,"t
itle":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iampolici",{"_index":5885,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{}}}],["iampolicymemb",{"_index":6301,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/ir.html":{}}}],["iamserviceaccount",{"_index":6113,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["iamus",{"_index":1752,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["iamworkloadidentitypool",{"_index":6515,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["iap",{"_index":7283,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"oci/workloads.html":{}}}],["iap_tunnel_alic",{"_index":7494,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["ibm",{"_index":8134,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/methodology.html":{}}}],["ic",{"_index":2211,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/workloads.html":{}}}],["iceberg",{"_index":2428,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["icmp",{"_index":7206,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["icmp|internal|rdp|ssh)\"))</cod",{"_index":7245,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["icon",{"_index":8183,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["id",{"_index":85,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{}
,"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["id\":\"<vm",{"_index":5646,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["id'",{"_index":5001,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["id,values={id",{"_index":3287,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["id:id",{"_index":9436,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["id=<uami",{"_index":5016,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["id=quarantine,arn=arn:aws:lambda:eu",{"_index":2257,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["id>\",\"ports\":[{\"number\":22,\"protocol\":\"tcp\",\"allowedsourceaddressprefix\":\"<corp",{"_index":5647,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["id>\"</cod",{"_index":5370,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["id></cod",{"_index":5017,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["idc",{"_index":8315,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility
.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["idc_instance_arn",{"_index":2135,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["idcs_endpoint",{"_index":8862,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["idcsendpoint",{"_index":8876,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{}}}],["ideal",{"_index":8252,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["ident",{"_index":1503,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["identif",{"_index":5798,"title"
:{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["identifi",{"_index":672,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["identity'",{"_index":4118,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/network.html":{},"oci/genai.html":{}}}],["identity.principalid",{"_index":4047,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{}}}],["identity</cod",{"_index":5048,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["identity_claim_appid_g",{"_index":4291,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["identity_id",{"_index":4956,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["identity_store_id",{"_index":2159,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["identityinfo",{"_index":4634,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["identityprovid",{"_index":8903,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["identityresourceid",{"_index":4083,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["identitystor",{"_index":2139,"title":{},"b
readcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["idiom",{"_index":1272,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["idp",{"_index":2100,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["idp'",{"_index":8898,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["idp_metadata",{"_index":8923,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["idp_metadata</cod",{"_index":8927,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["ids/ip",{"_index":8246,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["ids_id",{"_index":2140,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["ietf",{"_index":7781,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["if(data.request.payload.clientcidrblockallowlist",{"_index":9563,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["if(data.request.payload.contentmoderationconfig.isen",{"_index":8733,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["if(data.request.payload.instanceoptions.arelegacyimdsendpointsdis",{"_index":9504,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["if(data.request.payload.isimmut",{"_index":9614,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["if(data.request.payload.responderrul",{"_index":9058,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["if(data.request.payload.sessionttlinsecond",{"_index":9565,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["if(data.request.payload.wor
kloadidentityconfig.workloadidentityen",{"_index":9165,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["if(data.response.payload.mfaenrollmenttyp",{"_index":8894,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["if(data.target.compartment.id",{"_index":8701,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["if(data.target.log.configuration.source.servic",{"_index":8773,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["if(data.target.log.logtyp",{"_index":9301,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["if(eventnam",{"_index":9375,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["ignor",{"_index":4262,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/kubernetes.html":{}}}],["ignore_chang",{"_index":8591,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/iam.html":{}}}],["ignore_public_acl",{"_index":358,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["ignorepublicacl",{"_index":267,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["igw",{"_index":3234,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"oci/network.html":{}}}],["igw/egw",{"_index":3477,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ii",{"_index":5822,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["iii",{"_index":5823,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"general/genai.html":{}}}],["illustr",{"_index":7679,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{}}}],["
im",{"_index":4595,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["imag",{"_index":918,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["image_id",{"_index":2771,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"oci/workloads.html":{}}}],["image_nam",{"_index":5710,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["image_ocid",{"_index":9456,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["image_policy_config",{"_index":9204,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["image_scanning_configur",{"_index":3718,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["image_sign",{"_index":9207,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["image_tag_mut",{"_index":3681,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["image_typ",{"_index":6967,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["imagecountmorethan",{"_index":3731,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imageocid"
,{"_index":9475,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["imageref",{"_index":7451,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["imagerefer",{"_index":5615,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["images/api",{"_index":7520,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["images/api@sha256:digest",{"_index":7521,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["images/api@sha256:digest</cod",{"_index":7529,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["imagescanfindings.findingseveritycounts'</cod",{"_index":3709,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imagescanningconfigur",{"_index":3740,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imagetag",{"_index":5733,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["imagetag=v2024.03.15",{"_index":3708,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imagetagmut",{"_index":3742,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imap",{"_index":4700,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["imap/smtp/pop",{"_index":4705,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["imap4",{"_index":4696,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["imd",{"_index":2752,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["imdsv1",{"_index":2810,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"general/methodology.htm
l":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["imdsv2",{"_index":2018,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["imdsv2/scp",{"_index":3771,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imdsv2launchtempl",{"_index":3595,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imdsv2launchtemplatestack",{"_index":3596,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["imdsv2lt",{"_index":3598,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["immedi",{"_index":490,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["immut",{"_index":2467,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{}},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":
{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["immutability_period_in_day",{"_index":4901,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["impact",{"_index":1159,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/genai.html":{}}}],["imper",{"_index":8222,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["imperson",{"_index":1273,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/iam.html":{}}}],["impersonat",{"_index":6399,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["implant",{"_index":5556,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{}}}],["implement",{"_index":4436,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/network.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["impli",{"_index":1860,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{}}}],["implic",{"_index":4790,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/iam.html":{},"genera
l/network.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{}}}],["implicit",{"_index":3611,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/network.html":{},"general/network.html":{},"general/workloads.html":{}}}],["implicitli",{"_index":3501,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{}}}],["import",{"_index":397,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["importantli",{"_index":8243,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["importkey",{"_index":8594,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["impos",{"_index":7970,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["imposs",{"_index":542,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["improp",{"_index":784
3,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["improv",{"_index":4022,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"oci/genai.html":{}}}],["improvis",{"_index":7991,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["in",{"_index":1763,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{}}}],["in_subset",{"_index":8702,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["inabl",{"_index":556,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["inadequ",{"_index":8288,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["inadvert",{"_index":2335,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/data.html":{},"general/methodology.html":{}}}],["inbound",{"_index":887,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["inbox",{"_index":8499,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/iam.html":{}}}],["inc",{"_index":9086,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["incant",{"_index":2453,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["incid",{"_index":288,"title":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":
{},"general/ir.html":{},"oci/ir.html":{}},"breadcrumb":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}},"description":{"aws/index.html":{},"aws/ir.html":{},"azure/index.html":{},"azure/ir.html":{},"gcp/index.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/index.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["incident'",{"_index":8014,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/ir.html":{}}}],["incident_id",{"_index":4864,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/ir.html":{}}}],["incident_id\":\"'\"$incident_id",{"_index":9074,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["incident_id=\"inc",{"_index":9069,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["incident_id=$incident_id",{"_index":4882,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["incident_id=ir",{"_index":4876,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.ht
ml":{}}}],["incidentsever",{"_index":4841,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["includ",{"_index":928,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["include_all_metadata",{"_index":7233,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["include_children",{"_index":7016,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["include_global_resource_typ",{"_index":3059,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["include_global_service_ev",{"_index":2912,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["include_management_ev",{"_index":3000,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["includeappl",{"_index":4661,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["includechildren",{"_index":7080,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["included_appl",{"_index":4672,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["included_us",{"_ind
ex":4673,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["includeglobalresourcetyp",{"_index":3080,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["includeglobalresourcetypes\":tru",{"_index":3048,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["includeglobalserviceev",{"_index":2929,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["includeus",{"_index":4539,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["inclus",{"_index":7383,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["inclusionlabel",{"_index":7607,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["incomingbyt",{"_index":2743,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["incompat",{"_index":8083,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["incomplet",{"_index":6265,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/logging.html":{}}}],["inconveni",{"_index":5240,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["incorrect",{"_index":7842,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/methodology.html":{}}}],["incorrectli",{"_index":8290,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["increas",{"_index":3607,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/ir.html":{},"general/shared-responsibility.html":{}}}],["increasingli",{"_index":8270,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/workloads.html":{}}}],["increment",{"_index":3608,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/ir.html":{}}}],["incur",{"_index":1149,"title":{},"breadcrumb
":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"gcp/network.html":{}}}],["indefinit",{"_index":1884,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/data.html":{},"oci/iam.html":{}}}],["independ",{"_index":169,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["index",{"_index":21,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/data.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"oci/kubernetes.html":{},"search.html":{}}}],["index(var.known_bad_cidr",{"_index":3427,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["index.handl",{"_index":2271,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["index.j",{"_index":9625,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["index.json",{"_index":9622,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["indic",{"_index":666,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["indirect",{"_index":925,"title":{},"breadcrumb":{},"description":{
},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["indirect/rag",{"_index":4260,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["indirect_attack",{"_index":4272,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["indirectli",{"_index":2811,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["individu",{"_index":1622,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["industri",{"_index":3880,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/iam.html":{},"oci/data.html":{}}}],["inert",{"_index":2306,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["infer",{"_index":991,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["inflat",{"_index":6779,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/methodology.html":{}}}],["influenc",{"_index":7809,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["info",{"_index":7478,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["inform",{"_index":1116,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/
kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["infosteal",{"_index":7868,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["infra",{"_index":6213,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["infrastructur",{"_index":1004,"title":{},"breadcrumb":{},"description":{"oci/index.html":{}},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["infrequ",{"_index":9061,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ingest",{"_index":2434,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"oci/gen
ai.html":{},"oci/logging.html":{}}}],["ingress",{"_index":1474,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ingress/egress",{"_index":7188,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/kubernetes.html":{}}}],["ingressnightmar",{"_index":8034,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"general/kubernetes.html":{}}}],["inherit",{"_index":65,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["init",{"_index":3677,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["init_id",{"_index":5111,"title":{},"breadcrumb
":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["init_id=$(az",{"_index":5108,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["initi",{"_index":513,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["initial_admin",{"_index":8804,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["initial_admin_lockdown",{"_index":8809,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["initialize_param",{"_index":7438,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["initializeparam",{"_index":7450,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["initialnodecount",{"_index":6821,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["initiatedbi",{"_index":4639,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["initiativeid",{"_index":5455,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["initramf",{"_index":7414,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["inject",{"_index":1174
,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/network.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["inlin",{"_index":1799,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"general/iam.html":{},"general/ir.html":{},"oci/kubernetes.html":{}}}],["input",{"_index":1175,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["input_act",{"_index":1396,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["input_action/output_act",{"_index":1395,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["input_paramet",{"_index":1903,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{}}}],["input_strength",{"_index":1211,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["inputparamet",{"_index":1907,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["inputstrength",{"_index":1221,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["inputtext",{"_index":1161,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["insecur",{"_index":7840,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["insensit",{"_index":8199,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["insert",{"_index":5449,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/iam.html":{}}}],["insid",{"_i
ndex":485,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/index.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["insight",{"_index":471,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/logging.html":{}}}],["insights.diagnosticsetting(\"subscript",{"_index":5212,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["insist",{"_index":3223,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["inspec",{"_index":7019,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["inspect",{"_index":933,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["inspecti",{"_index":5510,"title":
{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["inspector",{"_index":2019,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/index.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["inspector'",{"_index":3779,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspector2",{"_index":3782,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspector2.amazonaws.com",{"_index":3806,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspector2:dis",{"_index":3799,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspector2:disassociatememb",{"_index":3801,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspector2:updateorganizationconfigur",{"_index":3803,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["inspectorenabl",{"_index":3793,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["instal",{"_index":2580,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["install_ops_ag",{"_index":7598,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["instanc",{"_index":223,"title":{},"breadcrumb":{},"description":{"oci/iam.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/data.htm
l":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["instance'",{"_index":2230,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/data.html":{},"oci/workloads.html":{}}}],["instance/lb",{"_index":9383,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["instance_arn",{"_index":1724,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["instance_class",{"_index":823,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["instance_detail",{"_index":9471,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instance_filt",{"_index":7602,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["instance_metadata_tag",{"_index":2777,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["instance_ocid",{"_index":9453,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instance_opt",{"_index":9449,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instance_typ",{"_index":2773,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"oci/workloads.html":{}}}],["instancearn",{"_index":1741,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["instancefilt",{"_index":7588,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["instancemetadatatag",
{"_index":2802,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["instancemetadatav1en",{"_index":9502,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instanceocid",{"_index":9496,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instanceopt",{"_index":9489,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instanceoptions.arelegacyimdsendpointsdis",{"_index":9500,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["instances.insert",{"_index":6557,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["instances.patch",{"_index":6070,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["instanti",{"_index":8104,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/threat-model.html":{}}}],["instantli",{"_index":569,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"index.html":{},"oci/logging.html":{}}}],["instead",{"_index":1782,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["institut",{"_index":5783,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/kubernetes.html":{}}}],["instruct",{"_index":1176,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/network.html":{},"oci/genai.html":{}}}],["instrument",{"_index":1630,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/ir.html":{},"general/genai.html":{}}}],["insuffici",{"_index":2059,"title":{},"breadcrumb":{},"desc
ription":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/network.html":{}}}],["insult",{"_index":1367,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["insur",{"_index":7959,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["int",{"_index":4497,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["int64",{"_index":6625,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["intact",{"_index":1244,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/data.html":{},"oci/iam.html":{}}}],["integr",{"_index":1230,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["intel",{"_index":7022,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/workloads.html":{},"general/network.html":{}}}],["intellig",{"_index":2861,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"oci/ir.html":{}}}],["intend",{"_index":1041,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/workloads.html":{}}}],["intens",{"_index":7818,"title":{},"b
readcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["intent",{"_index":1126,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["intention",{"_index":3825,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/workloads.html":{}}}],["interact",{"_index":1336,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["intercept",{"_index":1438,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/data.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["interconnect",{"_index":5391,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"general/network.html":{}}}],["interest",{"_index":9006,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["interfac",{"_index":980,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"general/network.html":{},"oci/network.html":{}}}],["interfer",{"_index":4928,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["interim",{"_index":1427,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["intermedi",{"_index":
875,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/network.html":{}}}],["intermediari",{"_index":8268,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["intern",{"_index":242,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["internet",{"_index":200,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["internet_gateway_block_mod",{"_index":3470,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["internetgateway",{"_index":9377,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["internetgatewayblockmod",{"_index":3481,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["interpret",{"_index":3090,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"ge
neral/genai.html":{},"general/logging.html":{},"oci/iam.html":{}}}],["interrupt",{"_index":8335,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"oci/logging.html":{}}}],["intersect",{"_index":3834,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/data.html":{},"general/shared-responsibility.html":{}}}],["interv",{"_index":2397,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"oci/iam.html":{}}}],["interval_5_sec",{"_index":7230,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["intra",{"_index":8244,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["intrins",{"_index":5779,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["introduc",{"_index":864,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["introduct",{"_index":3671,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/ir.html":{}}}],["introspect",{"_index":8409,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["intrud",{"_index":2891,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["intrus",{"_index":6992,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/data.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/logging.html":{}}}],["intuit",{"_index":8179,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.h
tml":{}}}],["invalid",{"_index":2574,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["invari",{"_index":170,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["invent",{"_index":8193,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["inventori",{"_index":673,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["inventory'",{"_index":7342,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["invers",{"_index":8258,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["invest",{"_index":3554,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"general/threat-model.html":{}}}],["investig",{"_index":1425,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html
":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/ir.html":{},"oci/logging.html":{}}}],["investigation'",{"_index":2419,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["invis",{"_index":2688,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["invoc",{"_index":985,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["invok",{"_index":1050,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["invokemodel",{"_index":1063,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["invokeonemodel",{"_index":1321,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["involv",{"_index":4390,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/ir.html":{},"general/methodology.html":{}}}],["inward",{"_index":3211,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.
html":{}}}],["ip",{"_index":1667,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ip.yaml",{"_index":7301,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ip_address",{"_index":7367,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ip_allocation_polici",{"_index":6813,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["ip_cidr_rang",{"_index":7225,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ip_configur",{"_index":5570,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/data.html":{}}}],["ip_configuration.ipv4_enabled=fals",{"_index":6082,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ip_connect_en",{"_index":5660,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ip_protocol",{"_index":3335,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/network.html":{}}}],["ip_rul",{"_index":3937,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["ipaddress",{"_index":4582,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["ipam",{"_index":9373,"title":{},
"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["ipcfg",{"_index":5571,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ipcidrrang",{"_index":7332,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ipconfig",{"_index":5598,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ipconfigur",{"_index":5597,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/data.html":{}}}],["ipconfiguration.ipv4en",{"_index":6071,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ippermiss",{"_index":3390,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ipprotocol",{"_index":3349,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["iprang",{"_index":3370,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ipsec",{"_index":9339,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["iptabl",{"_index":8235,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["ipv4",{"_index":3380,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/kubernetes.html":{}}}],["ipv4_en",{"_index":6046,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ipv4en",{"_index":6064,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ipv6",{"_index":3377,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ipv6ranges.cidripv6=::/0",{"_index":3378,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ir",{"_index":2030,"title":{},"breadcrumb":{},"description":{"general/index.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/ir
.html":{},"general/shared-responsibility.html":{},"index.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["ir+${each.key}@example.com",{"_index":2167,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["ir.html",{"_index":7687,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["ir@example.com",{"_index":6638,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["ir@example.com\"</cod",{"_index":6636,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["ir_alert",{"_index":8976,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_auto_contain",{"_index":9025,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_compartment_ocid",{"_index":9020,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_evid",{"_index":4893,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["ir_function_ocid\"</cod",{"_index":9023,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_notifications_topic_ocid",{"_index":8968,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_pagerduti",{"_index":8978,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_partner_read",{"_index":4903,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["ir_playbook",{"_index":9048,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ir_team_admin",{"_index":6750,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["ir_vault_key_ocid",{"_index":9078,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["irp",{"_index":8030,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["irrecover",{"_index":4040,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/ir.html":{}}}],["irrevers",{"_index":1420,"title":{},"breadcr
umb":{},"description":{},"body":{"aws/genai.html":{},"gcp/ir.html":{},"general/genai.html":{}}}],["irsa",{"_index":1955,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"general/iam.html":{}}}],["is_act",{"_index":8807,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["is_auto_rotation_en",{"_index":8590,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["is_data_ev",{"_index":9300,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["is_en",{"_index":3069,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["is_genai",{"_index":8772,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["is_immut",{"_index":9567,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["is_lock",{"_index":6579,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["is_management_dis",{"_index":9465,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["is_manual_connect",{"_index":4351,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["is_monitoring_dis",{"_index":9466,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["is_mtls_connection_requir",{"_index":8647,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["is_multi_region_trail",{"_index":2909,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["is_organization_trail",{"_index":2910,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["is_policy_en",{"_index":9210,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["is_publ",{"_index":9586,"title":{},"breadcrumb":{},"description":{},"body":{"o
ci/workloads.html":{}}}],["is_public_ip_en",{"_index":9116,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["isdefault=tru",{"_index":3284,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["isen",{"_index":9015,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["isenabled\":fals",{"_index":9059,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["isenabled\":true,\"triggerson\":\"incidents\",\"triggerswhen\":\"created\",\"conditions\":[{\"conditiontype\":\"property\",\"conditionproperties\":{\"propertyname\":\"incidentseverity\",\"operator\":\"equals\",\"propertyvalues\":[\"high\",\"crit",{"_index":4817,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["isenforcedin2sv=fals",{"_index":6465,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["isenforcedin2sv}'</cod",{"_index":6444,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["isenrolledin2sv",{"_index":6438,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["isenrolledin2sv=fals",{"_index":6472,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["islock",{"_index":6758,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["islog",{"_index":2925,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ism",{"_index":7658,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["ismeasuredbooten",{"_index":9494,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["isms)iso/iec",{"_index":7716,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["ismultiregiontrail",{"_index":2926,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["isn't",{"_index":5639,"title":{},"breadcrumb":{},"description":{},"body":{
"azure/workloads.html":{}}}],["iso",{"_index":87,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["iso/bsi",{"_index":8192,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["iso/iec",{"_index":418,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["iso_d",{"_index":8753,"title":{},"breadcrumb":{},"
description":{},"body":{"oci/genai.html":{}}}],["isol",{"_index":2028,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"oci/genai.html":{},"oci/ir.html":{}},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["isolate_vm",{"_index":4832,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["isolateec2instance:$default",{"_index":2298,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["isorganizationtrail",{"_index":2927,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["isp",{"_index":1443,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["ispodsecuritypolicyen",{"_index":9138,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ispolicyen",{"_index":9219,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ispolicyenabled=true,keydetails=[{kmskeyid=<km",{"_index":9213,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ispresent(requestparameters.keynam",{"_index":3669,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ispublicipen",{"_index":9133,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["issecurebooten",{"_index":9493,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.h
tml":{}}}],["issu",{"_index":1700,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["issuanc",{"_index":4243,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/iam.html":{},"oci/workloads.html":{}}}],["issuer",{"_index":4995,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{}}}],["issuer_uri",{"_index":6507,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["istio",{"_index":8237,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["istrustedplatformmoduleen",{"_index":9495,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["item",{"_index":1508,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["items[].spec.volum",{"_index":8074,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["iter",{"_index":692,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/logging.html":{},"general/genai.html":{}}}],["itself",{"_index":1577,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gc
p/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["jailbreak",{"_index":1172,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["jailbreak.filtered=fals",{"_index":4294,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["jammi",{"_index":5589,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["jammy:22_04",{"_index":5562,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["jan",{"_index":1789,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["januari",{"_index":536,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"general/compliance-frameworks.html":{},"general/threat-model.html":{}}}],["java",{"_index":7394,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["javascript",{"_index":8463,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{},"search.html":{}}}],["javascript.</strong",{"_index":9627,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["javascript:</p",{"_index":9628,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["jira",{"_index":4798,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/logging.html":{}}}],["jit",{"_index":4429,"title":{},"breadcrumb":{},"description":{"azure/workloads.html
":{}},"body":{"azure/iam.html":{},"azure/index.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["jit_user_prov_en",{"_index":8917,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["jituserprovis",{"_index":8922,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["jmespath",{"_index":9009,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["jndi:ldap",{"_index":7387,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["job",{"_index":755,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"gcp/genai.html":{},"general/data.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["join",{"_index":650,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/iam.html":{}}}],["joinabl",{"_index":6777,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["joint",{"_index":8147,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["jq",{"_index":934,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["js",{"_index":9634,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["js/complianc",{"_index":5774,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["js/search",{"_index":9621,"title":{},"breadcrumb":{},"d
escription":{},"body":{"search.html":{}}}],["json",{"_index":480,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["json,si",{"_index":6244,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["json.stringifi",{"_index":1593,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["jsonencod",{"_index":366,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"oci/ir.html":{}}}],["jsonpayload.eventtype=\"integrityviol",{"_index":7460,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["jul",{"_index":1106,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["juli",{"_index":8445,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["jump",{"_index":1689,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"oci/network.html":{}}}],["jumpcloud",{"_index":1697,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["june",{"_index":3773,"title
":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["jurisdict",{"_index":7963,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["jurisdiction",{"_index":7739,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["justif",{"_index":503,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["justifi",{"_index":2980,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/threat-model.html":{}}}],["k",{"_index":2425,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/data.html":{}}}],["k0",{"_index":8038,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["k3",{"_index":8037,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["k8",{"_index":2463,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"index.html":{},"oci/kubernetes.html":{}}}],["k8s.io/api/v1/namespaces/*/pods/exec",{"_index":6850,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["k8s.io/api/v1/namespaces/*/secret",{"_index":6895,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["k8s_cluster",{"_index":6956,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["k8s_keyr",{"_index":6882,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["k8s_secret",{"_index":6883,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["kcc",{"_index":6260,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["kebab",{"_index":8221,"title":{},"breadcrumb":{},"description":{},"body":{"gen
eral/methodology.html":{}}}],["keep",{"_index":2109,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["kept",{"_index":348,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/data.html":{},"azure/logging.html":{},"general/index.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/network.html":{}}}],["kernel",{"_index":3775,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["key",{"_index":43,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"oci/iam.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{
},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["key\"</cod",{"_index":5951,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/kubernetes.html":{}}}],["key'",{"_index":663,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/kubernetes.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["key(",{"_index":8944,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["key.bin",{"_index":8580,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["key.gpg",{"_index":7585,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["key.kid",{"_index":4052,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key.pem",{"_index":8578,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["key.us",{"_index":8610,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["key='projects/secur",{"_index":6737,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["key=projects/project_id/locations/region/keyrings/keyring/cryptokeys/key_nam",{"_index":6886,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["key=projects/sec",{"_index":5919,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["key=projects/svc",{"_index":7514,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["key_arn",{"_index":723,"title":{},"breadcrumb":{},"description":{},"body":{"aws
/data.html":{},"aws/kubernetes.html":{}}}],["key_detail",{"_index":9211,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["key_id",{"_index":5046,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["key_management_servic",{"_index":5042,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["key_nam",{"_index":4075,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/kubernetes.html":{}}}],["key_opt",{"_index":4061,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key_r",{"_index":5928,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["key_shap",{"_index":8588,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["key_siz",{"_index":4060,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key_typ",{"_index":4059,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key_uri",{"_index":4119,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["key_uri\"</cod",{"_index":4054,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["key_uri=$(az",{"_index":4051,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["key_vaul",{"_index":4203,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["key_vault_id",{"_index":4057,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key_vault_key_id",{"_index":4129,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["key_vault_network_access",{"_index":5044,"title":{},"breadcrumb":{},"description":{},"body":{
"azure/kubernetes.html":{}}}],["key_vers",{"_index":4077,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["keyarn",{"_index":2512,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["keyboard",{"_index":2241,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/logging.html":{},"oci/ir.html":{}}}],["keydata",{"_index":5613,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["keydelet",{"_index":4099,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["keyid",{"_index":5054,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["keyless",{"_index":7400,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/workloads.html":{}}}],["keynam",{"_index":3672,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"gcp/kubernetes.html":{}}}],["keyname=nul",{"_index":3673,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["keypair",{"_index":8931,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["keypolici",{"_index":957,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["keyr",{"_index":5906,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["keyring=kr",{"_index":5909,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["keyringref",{"_index":6334,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["keys=fals",{"_index":7500,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["keys=tru",{"_index":7482,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["keysourc",{"_index":4086,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["key
source\\\":\\\"microsoft.storag",{"_index":4100,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["keystrok",{"_index":3622,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["keyuri",{"_index":5060,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["keyurl",{"_index":4145,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["keyvault",{"_index":4013,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{}}}],["keyvaultkeyid",{"_index":5050,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["keyvaultnetworkaccess",{"_index":5055,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["keyvaultproperti",{"_index":4087,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["keyvaultresourceid",{"_index":5052,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["keyvaulturi",{"_index":4081,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["kid",{"_index":4184,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["kill",{"_index":3557,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/workloads.html":{}}}],["kind",{"_index":3960,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["kind\":\"logging\",\"logsources\":[{\"compartmentid\":\"'\"$t
enancy_ocid\"'\",\"loggroupid\":\"_audit\",\"logid\":\"_audit",{"_index":9245,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["kind\":\"objectstorage\",\"bucketname\":\"audit",{"_index":9246,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["kind=='openai",{"_index":4217,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["kind=leftanti",{"_index":5728,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["kind\\\":\\\"composite\\\",\\\"leftoperand\\\":{\\\"kind\\\":\\\"simple\\\",\\\"parameter\\\":\\\"riskscore\\\",\\\"operator\\\":\\\"greater_than_or_equal_to\\\",\\\"value\\\":\\\"7\\\",\\\"valuetype\\\":\\\"value\\\"},\\\"compositeoperator\\\":\\\"and\\\",\\\"rightoperand\\\":{\\\"kind\\\":\\\"simple\\\",\\\"parameter\\\":\\\"problemlifecyclestate\\\",\\\"operator\\\":\\\"in\\\",\\\"value\\\":\\\"[\\\\\\\"open\\\\\\\"]\\\",\\\"valuetype\\\":\\\"multi_valu",{"_index":9017,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["kit",{"_index":1563,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["km",{"_index":37,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.htm
l":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["kms.amazonaws.com",{"_index":2662,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["kms.cnrm.cloud.google.com/v1beta1",{"_index":6332,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["kms.key.fromkeyarn(thi",{"_index":2382,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["kms/byok",{"_index":8951,"title":{},"breadcrumb":{},"description":{},"body":{"oci/index.html":{}}}],["kms:\"km",{"_index":8622,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["kms:cancelkeydelet",{"_index":974,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:creat",{"_index":961,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:decrypt",{"_index":567,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"general/data.html":{}}}],["kms:delet",{"_index":970,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:describ",{"_index":962,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:describekey",{"_index":943,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:disabl",{"_index":968,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["kms:disablekey",{"_index":2649,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["kms:enabl",{"_index":963,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:encrypt",{"_index":976,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:generatedatakey",{"_index":893,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:get",{"_index":969,"title":{},"breadcrumb":{},"de
scription":{},"body":{"aws/data.html":{}}}],["kms:list",{"_index":964,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:put",{"_index":965,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:putkeypolici",{"_index":2652,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["kms:reencrypt",{"_index":977,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:revok",{"_index":967,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:schedulekeydelet",{"_index":973,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{}}}],["kms:tagresourc",{"_index":971,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:untagresourc",{"_index":972,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:updat",{"_index":966,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms:viaservic",{"_index":907,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kms_interfac",{"_index":3524,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["kms_key",{"_index":3722,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["kms_key_id",{"_index":826,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["kms_key_nam",{"_index":6330,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["kms_key_resource_id",{"_index":6881,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["kms_key_self_link",{"_index":5985,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["kms_key_version_id",{"_index"
:9603,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["kms_master_key_id",{"_index":607,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["kmscryptokey",{"_index":6333,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["kmsendpoint",{"_index":3527,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["kmskey",{"_index":3745,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["kmskeyarn",{"_index":612,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["kmskeyid",{"_index":862,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["kmskeyid=<key",{"_index":3633,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["kmskeyocid",{"_index":8539,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["kmskeyref",{"_index":5990,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["kmsmasterkeyid",{"_index":575,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["knew",{"_index":7034,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["knob",{"_index":8392,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["know",{"_index":2050,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["knowledg",{"_index":988,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"general/genai.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["known",{"_index":1271,"title":{},"breadcrumb":{},"description":{},"body"
:{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["kpi",{"_index":5169,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["kql",{"_index":4003,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{}},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/logging.html":{}}}],["kr",{"_index":5907,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["kr/cryptokeys/comput",{"_index":5992,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["kr/cryptokeys/data",{"_index":5950,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["kr/cryptokeys/etcd",{"_index":6889,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["kr/cryptokeys/sql",{"_index":6063,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["krebsonsecur",{"_index":8371,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["ksa_nam",{"_index":6862,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["kti",{"_index":4017,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["kube",{"_index":2468,"title":{},"breadcrumb":{},"description":{},"body":{
"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["kube_proxi",{"_index":9182,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["kubeadm",{"_index":8036,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["kubeconfig",{"_index":2474,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["kubectl",{"_index":2479,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["kubelet",{"_index":2853,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{}}}],["kubelet/nod",{"_index":2804,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["kubeproxi",{"_index":9183,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["kubeproxy</cod",{"_index":9184,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["kubernet",{"_index":1949,"title":{"general/kubernetes.html":{}},"breadcrumb":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}},"description":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html
":{},"general/iam.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["kubernetes.io",{"_index":8096,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["kubernetes.io/blog/2025/03/24/ingress",{"_index":8094,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["kubernetes.io/docs/concepts/security/pod",{"_index":8097,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["kubernetes.io/docs/tasks/debug/debug",{"_index":8100,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["kubernetes_vers",{"_index":9112,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["kubernetesvers",{"_index":9130,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["kv",{"_index":4041,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["kyverno",{"_index":8432,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{},"oci/kubernetes.html":{}}}],["l",{"_index":8142,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["l3/l4",{"_index":3226,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["l4",{"_index":5173,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["l4/l7",{"_index":5358,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["l7",{"_index":3225,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/network.html":{},"oci/network.html":{}}}]
,["la",{"_index":4810,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["la_princip",{"_index":4813,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["la_principal=$(az",{"_index":4811,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["label",{"_index":5130,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{}}}],["lack",{"_index":799,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["ladder",{"_index":8285,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["lag",{"_index":1151,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"gcp/logging.html":{}}}],["lake",{"_index":2027,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"aws/logging.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"general/ir.html":{}}}],["lambda",{"_index":1142,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/
workloads.html":{}}}],["lambda'",{"_index":2314,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["lambda.amazonaws.com",{"_index":3843,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["lambda:invokefunct",{"_index":1303,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{}}}],["lambda_basic_execut",{"_index":3840,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["lambda_cod",{"_index":3784,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["lambda_network_log",{"_index":3182,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["lan",{"_index":3576,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"oci/workloads.html":{}}}],["land",{"_index":738,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["landscap",{"_index":7867,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["lang",{"_index":9572,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["languag",{"_index":3683,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["laps",{"_index":9203,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],
["laptop",{"_index":1635,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["larg",{"_index":1051,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/ir.html":{},"oci/network.html":{}}}],["large_coher",{"_index":8790,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["larger",{"_index":1038,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["largest",{"_index":4428,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["last",{"_index":1915,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["last(split(aoairesourceid",{"_index":4404,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["lastmodifi",{"_index":674,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["laststatus=success",{"_index":3114,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["late",{"_index":3142,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/ir.html":{}}}],["latenc",{"_index":2243,"t
itle":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/workloads.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["latent",{"_index":3819,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/logging.html":{}}}],["later",{"_index":1288,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["latest",{"_index":3628,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"oci/workloads.html":{}}}],["latter",{"_index":4443,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/logging.html":{}}}],["launch",{"_index":694,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/kube
rnetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["launch_detail",{"_index":9472,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["launch_templ",{"_index":2784,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["launchinst",{"_index":9499,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["launchtemplatedata",{"_index":2797,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["launchtemplatenam",{"_index":2796,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["law",{"_index":553,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{}}}],["law_id",{"_index":5074,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["law_id=$(az",{"_index":5188,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["lax",{"_index":8900,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["laxer",{"_index":6219,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["layer",{"_index":649,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.ht
ml":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["layer4",{"_index":7255,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["layer4_config",{"_index":7271,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["layout",{"_index":2091,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/ir.html":{}}}],["lb",{"_index":7202,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["lead",{"_index":2331,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["leadership",{"_index":7660,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/logging.html":{}}}],["leak",{"_index":58,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kuberne
tes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["leakag",{"_index":1160,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/network.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["leaki",{"_index":8337,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["learn",{"_index":2039,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["leav",{"_index":318,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["ledger",{"_index":1773,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["left",{"_index":1881,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/logging.html":{},"genera
l/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["left.repositori",{"_index":5731,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["leftoperand",{"_index":9032,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["leg",{"_index":6902,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["legaci",{"_index":1786,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["legacy.json",{"_index":4720,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["legacy/deprec",{"_index":2834,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["legacy=$(oci",{"_index":9458,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["legacy_en",{"_index":9503,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["legal",{"_index":2032,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"general/data.html":{},"general/ir.html":{}}}],["legalhold.status=off",{"_index":2404,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["legitim",{"_index":1286,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html"
:{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["len",{"_index":7936,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{}}}],["lend",{"_index":7184,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["length",{"_index":4762,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["length(data",{"_index":8943,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["length(globaladminobjectid",{"_index":4498,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["length(mfadevic",{"_index":1804,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["length(valu",{"_index":5184,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["length=16",{"_index":6011,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["lent",{"_index":7204,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["less",{"_index":4445,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/logging.html":{},"general/iam.html":{}}}],["lesson",{"_index":2038,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/index.html":{},"general/methodology.html":{}}}],["let",{"_index":2429,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/network.html":{},"oci/ir.html":{},"o
ci/network.html":{},"oci/workloads.html":{}}}],["level",{"_index":35,"title":{},"breadcrumb":{},"description":{"aws/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["lever",{"_index":3894,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["leverag",{"_index":186,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/data.html":{},"gcp/iam.html":{},"oci/workloads.html":{}}}],["lfi",{"_index":7200,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["li><a",{"_index":9629,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["liaison",{"_index":7951,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["lib",{"_index":396,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.h
tml":{},"aws/network.html":{},"aws/workloads.html":{}}}],["libc",{"_index":3777,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["libcrypto",{"_index":5681,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["librari",{"_index":2421,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["licens",{"_index":4181,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/workloads.html":{},"oci/iam.html":{}}}],["license_typ",{"_index":8906,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["life",{"_index":4999,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["lifecycl",{"_index":261,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{},"general/ir.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["lifecycle.json",{"_index":2414,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["lifecyclest",{"_index":8508,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["lifespan",{"_index":3286,"title":{},"breadcrumb":{},"description":{},"body":{"aws/n
etwork.html":{}}}],["lifetim",{"_index":762,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["lift",{"_index":2973,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["lightli",{"_index":2080,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["likelihood",{"_index":8157,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["likewis",{"_index":4649,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["limit",{"_index":468,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["limit=1",{"_index":3582,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["line",{"_index":6184,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["lineag",{"_index":5812,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["link",{"_index":19,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.htm
l":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["linkag",{"_index":4732,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["linkerd",{"_index":8238,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["linux",{"_index":3613,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["linuxconfigur",{"_index":5609,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["list",{"_index":580,"title":{},"breadcrumb":{},"description":{"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kube
rnetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["list<aws::ec2::securitygroup::id",{"_index":2504,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["list<aws::ec2::subnet::id",{"_index":1485,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["listen",{"_index":7475,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/network.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["liter",{"_index":5397,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"compliance-matrix.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["live",{"_index":1018,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}
,"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["llm",{"_index":1003,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/index.html":{},"oci/genai.html":{}}}],["llm'",{"_index":7826,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["llm01:2025",{"_index":1183,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["llm02:2025",{"_index":1379,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["llm03:2025",{"_index":6268,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/genai.html":{}}}],["llm04:2025",{"_index":7813,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["llm05:2025",{"_index":7825,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["llm06:2025",{"_index":1042,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["llm07:2025",{"_index":7814,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["llm08:2025",{"_index":1045,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["llm09:2025",{"_index":7847,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["llm10:2025",{"_index":1440,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["llmxx:2025",{"_index":7839,"tit
le":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["lntp",{"_index":8405,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["load",{"_index":3288,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/network.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["load_balancing_schem",{"_index":7369,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["loadbalancersku",{"_index":4972,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["loader",{"_index":5557,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/ir.html":{}}}],["local",{"_index":3567,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["local.account_service_pair",{"_index":5268,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["local.defender_plan",{"_index":5353,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["local.forensic_account_id",{"_index":2370,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["local.idc_instance_arn",{"_index":2152,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["local.identity_store_id",{"_index":2160,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["local.stor
age_servic",{"_index":5267,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["local/remot",{"_index":8490,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["local_account_dis",{"_index":5135,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["local_auth_en",{"_index":4228,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["locat",{"_index":1967,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["location=eu",{"_index":7038,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["location=europ",{"_index":5836,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/workloads.html":{}}}],["location=glob",{"_index":6481,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["location=region",{"_index":6198,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["locationconstraint=eu",{"_index":2347,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["locations/global/workloadidentitypools/.../subject",{"_index":6525,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["lock",{"_index":219,"title":{},"breadcrumb":{},"descripti
on":{"aws/ir.html":{},"aws/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["lockdown",{"_index":4007,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"oci/iam.html":{},"oci/index.html":{}}}],["lockout",{"_index":4526,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/ir.html":{},"general/ir.html":{}}}],["log",{"_index":244,"title":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"breadcrumb":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}},"description":{"aws/genai.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/index.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.ht
ml":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["log'",{"_index":9303,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["log4j",{"_index":3694,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{}}}],["log4shel",{"_index":3695,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/network.html":{}}}],["log_analytics_workspace_id",{"_index":4393,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}}}],["log_config",{"_index":7228,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["log_connect",{"_index":6056,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["log_group_id",{"_index":8766,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["log_group_nam",{"_index":2170,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["log_group_ocid",{"_index":9286,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging
.html":{}}}],["log_id",{"_index":9256,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["log_sourc",{"_index":8765,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["log_typ",{"_index":6252,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["loganalyt",{"_index":5209,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["loganalytics\\\":{\\\"value\\\":\\\"$law_id",{"_index":5201,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["logbucketref",{"_index":6759,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["logging'",{"_index":8000,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["logging.cnrm.cloud.google.com/v1beta1",{"_index":6994,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["logging.googleapis.com",{"_index":7000,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["logging.googleapis.com/sink",{"_index":7090,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["logging.html",{"_index":7685,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["logging.sinks.upd",{"_index":7012,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["logging_compartment_ocid",{"_index":9241,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["logginglogsink",{"_index":6995,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["loggroupid",{"_index":9266,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["loggroupnam",{"_index":2709,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}]
,["logic",{"_index":1447,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["logic_app_id",{"_index":4834,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["login",{"_index":1618,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/workloads.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["login_usernam",{"_index":4195,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["loginprofil",{"_index":1849,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["logname:\"cloudaudit.googleapis.com",{"_index":7079,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["logname:\"cloudaudit.googleapis.com\"'</cod",{"_index":6998,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["logname:\\\"projects/${var.project_id}/logs/cloudaudit.googleapis.com",{"_index":6256,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["logname=\"organizations/${var.org_id}/logs/cloudaudit.googleapis.com%2fact",{"_index":6621,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["logname=~\"organizations/.*/logs/cloudaudit.googleapis.com",{"_index":7086,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["logname=~\"projects/.*/logs/cloudaudit.googleapis.com%2fact",{"_index":6898,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["logrecord",{"_index":8824,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}
}],["logrecords</cod",{"_index":8825,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["logs:deleteloggroup",{"_index":2740,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["logtyp",{"_index":6241,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["logtype=data_read",{"_index":6266,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/logging.html":{}}}],["long",{"_index":1539,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["long_ttl",{"_index":9564,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["longer",{"_index":538,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["look",{"_index":24,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"general/network.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["lookback_day",{"_index":6795,"title":{},"breadcrumb":{},"descriptio
n":{},"body":{"gcp/ir.html":{}}}],["lookup",{"_index":2411,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"gcp/genai.html":{},"general/genai.html":{}}}],["loop",{"_index":234,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["loosen",{"_index":4338,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["lose",{"_index":4214,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["loss",{"_index":913,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/data.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["lost",{"_index":898,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["loud",{"_index":7904,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["low",{"_index":921,"title":{
},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/network.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["lower",{"_index":2619,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/workloads.html":{},"general/data.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["lowercas",{"_index":3952,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/methodology.html":{}}}],["lowest",{"_index":8234,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/threat-model.html":{}}}],["ls",{"_index":6782,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["lt",{"_index":5563,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{}}}],["lump",{"_index":4699,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["m",{"_index":1898,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/logging.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["m365",{"_index":4741,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["m6i.larg",{"_index":2774,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["ma",{"_index":7974,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["machin",{"_index":3539,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/loggin
g.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/iam.html":{},"search.html":{}}}],["machine_typ",{"_index":7435,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["machineri",{"_index":1512,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["machinetyp",{"_index":7447,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["maci",{"_index":46,"title":{},"breadcrumb":{},"description":{"aws/data.html":{}},"body":{"aws/data.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"general/data.html":{},"general/logging.html":{}}}],["made",{"_index":1017,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["magnitud",{"_index":7027,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/logging.html":{}}}],["mail",{"_index":4709,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["mail_nicknam",{"_index":4756,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["mailbox",{"_index":4654,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["main",{"_index":2779,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["maintain",{"_index":651,"title":{},"breadcrumb":{},"des
cription":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["mainten",{"_index":772,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["major",{"_index":7753,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{}}}],["make",{"_index":783,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["malici",{"_index":3828,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"ge
neral/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["malwar",{"_index":2860,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/ir.html":{},"general/threat-model.html":{}}}],["man",{"_index":4339,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["manag",{"_index":53,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["manage_default_resource_id",{"_index":9391,"title":{},"breadcrumb":{},"description":{},"body":{"oci/netwo
rk.html":{}}}],["manage_master_user_password",{"_index":834,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["managed_policy_arn",{"_index":1728,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["managed_ssh",{"_index":9520,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["managed_zon",{"_index":7324,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["manageddisk",{"_index":5618,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["managedpolici",{"_index":1101,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["managedpolicyarn",{"_index":1083,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["managedpolicynam",{"_index":1086,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["managedzones.upd",{"_index":7378,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["management_endpoint",{"_index":8585,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["management_group_id",{"_index":3941,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["managementgroup",{"_index":4486,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["mandat",{"_index":1559,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"general/data.html":{},"general/kubernetes.html":{}}}],["mandatori",{"_index":1555,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{},"gcp/iam.html":{}},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"
azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["mandiant",{"_index":6574,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["mandiant'",{"_index":8344,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"oci/logging.html":{}}}],["mani",{"_index":1625,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["manifest",{"_index":5099,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/workloads.html":{}}}],["manipul",{"_index":7846,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["manual",{"_index":1278,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["map",{"_index":88,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"index.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.
html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["map(str",{"_index":5255,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["mapi",{"_index":4698,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["mapping='google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref",{"_index":6485,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["mar",{"_index":8093,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["march",{"_index":8053,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["margarita",{"_index":7995,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["marin",{"_index":8061,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["mark",{"_index":3989,"title":{},"breadcrumb":{},"descr
iption":{},"body":{"azure/data.html":{},"azure/genai.html":{},"general/genai.html":{},"general/shared-responsibility.html":{}}}],["marker",{"_index":2415,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["market",{"_index":7725,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/genai.html":{},"general/methodology.html":{}}}],["marketplac",{"_index":8348,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["markup",{"_index":7801,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{}}}],["mask",{"_index":2744,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/data.html":{},"general/data.html":{},"general/genai.html":{},"oci/data.html":{}}}],["masquerad",{"_index":3112,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["mass",{"_index":5237,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/workloads.html":{},"general/iam.html":{}}}],["master",{"_index":814,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["master_authorized_networks_config",{"_index":6812,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["master_ipv4_cidr_block",{"_index":6810,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["master_user_secret_kms_key_id",{"_index":835,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["masterauthorizednetworksconfig",{"_index":6826,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["masteripv4cidrblock",{"_index":6825,"title":{},"breadcrumb":{},"description":{},"body":{"
gcp/kubernetes.html":{}}}],["match",{"_index":128,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["matchingrul",{"_index":8714,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["materi",{"_index":70,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["materialis",{"_index":4692,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/ir.html":{}}}],["matric",{"_index":5792,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["matrix",{"_index":4860,"title":{"compliance-matrix.html":{}},"breadcrumb":{"compliance-matrix.html":{}},"description":{"compliance-matrix.html":{}},"body":{"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compl
iance-frameworks.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["matrix.html",{"_index":7680,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["matrix.html\">compli",{"_index":9631,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["matrix.j",{"_index":5771,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["matrix.json",{"_index":5775,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["matrix</a",{"_index":9632,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["matter",{"_index":152,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["matur",{"_index":7408,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{}}}],["maven",{"_index":3688,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{}}}],["max",{"_index":4645,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"oci/kubernetes.html":{},"oci/lo
gging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["max_password_ag",{"_index":1831,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["max_rows=10000",{"_index":6786,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["max_session_ttl_in_second",{"_index":9540,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["max_siz",{"_index":2790,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["maxaccesskeyag",{"_index":1904,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["maxaccesskeyage\":\"90\"}'</cod",{"_index":1908,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["maximum",{"_index":4591,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/data.html":{},"general/logging.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["maxlength(24",{"_index":3955,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["maxsessiondur",{"_index":1989,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["maxtim",{"_index":5223,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["maxtime=max(timegener",{"_index":5222,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["mcsb",{"_index":4594,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{},"general/shared-responsibility.html":{}}}],["mdc",{"_index":5333,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["mde",{"_index":5331,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["mean",{"_index":211,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/genai.html":{
},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["meaning",{"_index":3280,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{}}}],["measur",{"_index":4524,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["mechan",{"_index":1953,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["media",{"_index":8058,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["media.defense.gov",{"_index":8091,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["median",{"_index":9239,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["mediat",{"_index":202,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"general/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["medium",{"_index":1011,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"
aws/network.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["meet",{"_index":7893,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["member",{"_index":272,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"oci/iam.html":{}}}],["member=\"$writ",{"_index":7051,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["member=\"principalset://iam.googleapis.com/projects/${project_number}/locations/global/workloadidentitypools/${pool_id}/attribute.repository/your",{"_index":6490,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["member='group:extern",{"_index":6744,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["member='group:gcp",{"_index":6364,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["member='serviceaccount:ir",{"_index":6741,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["member='serviceaccount:scc",{"_index":6671,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["member='user:alice@example.com",{"_index":7483,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["member='user:breakglass",{"_index":6599,"title":{
},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["member='user:departing.admin@example.com",{"_index":6362,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["member=serviceaccount:servic",{"_index":5915,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["member_object_id",{"_index":4561,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["membership",{"_index":1781,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["memori",{"_index":7020,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["memoris",{"_index":7812,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/iam.html":{}}}],["memory_in_gb",{"_index":8635,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["memory_in_mb",{"_index":9052,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["memoryingb",{"_index":9455,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["memorystor",{"_index":7348,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["mental",{"_index":1519,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["mention",{"_index":7875,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["merci",{"_index":2344,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["merg",{"_index":5262,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/logging.html":{}}}],["merit",{"_index":2567,"title":{}
,"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["mesh",{"_index":8069,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{}}}],["messag",{"_index":463,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["met",{"_index":2336,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/methodology.html":{}}}],["meta",{"_index":994,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/logging.html":{}}}],["metadata",{"_index":1634,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["metadata\")</cod",{"_index":6877,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["metadata.xml",{"_index":8914,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["metadata=en",{"_index":7479,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["metadata_opt",{"_index":2775,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["metadataopt",{"_index":2798,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kube
rnetes.html":{},"aws/workloads.html":{}}}],["metal",{"_index":9445,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["method",{"_index":4256,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/ir.html":{}}}],["methodolog",{"_index":122,"title":{"general/methodology.html":{}},"breadcrumb":{"general/methodology.html":{}},"description":{"general/index.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["metric",{"_index":793,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["metric.type=\\\"logging.googleapis.com/user/${google_logging_metric.breakglass_signin.nam",{"_index":6631,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["metric_descriptor",{"_index":6622,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["metric_kind",{"_index":6623,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["metric_nam",{"_index":2178,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["metric_
transform",{"_index":2171,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["metricnam",{"_index":2714,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["metricname=breakglassuse,metricnamespace=security,metricvalue=1</cod",{"_index":2150,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["metricnamespac",{"_index":2716,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["metrictransform",{"_index":2713,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["metricvalu",{"_index":2718,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["mfa",{"_index":253,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{},"oci/iam.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["mfa.json",{"_index":4657,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["mfa=$(aw",{"_index":1803,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["mfa_act",{"_index":1604,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["mfa_active=fals",{"_index":1863,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["mfa_enrollment_typ",{"_index":8871,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["mfadevic",{
"_index":1608,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["mfaenabl",{"_index":8884,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["mfaenrollmenttyp",{"_index":8890,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["mfasettingocid",{"_index":8887,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["mfaus",{"_index":1611,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["mgmt",{"_index":5171,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["mgmt_cidr/32",{"_index":6817,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["mgrolemanagementdirectoryroleassign",{"_index":4641,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["mgusersigninsess",{"_index":4588,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["mi",{"_index":2252,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"oci/ir.html":{}}}],["mic",{"_index":4998,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{}}}],["micro",{"_index":8251,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["microsoft",{"_index":410,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/d
ata.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["microsoft'",{"_index":4021,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["microsoft.authorization/policyassignments/delet",{"_index":5127,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.authorization/policyassignments@2024",{"_index":5116,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["microsoft.authorization/roleassignments/delet",{"_index":4578,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["microsoft.authorization/roleassignments/writ",{"_index":4384,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{}}}],["microsoft.authorization/roleassignments@2024",{"_index":4377,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{}}}],["microsoft.authorization/roleeligibilityschedulerequests@2024",{"_index":4624,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["microsoft.cognitiveservic",{"_index":4245,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/account",{"_index":4248,"title":{},"breadcrumb
":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["microsoft.cognitiveservices/accounts/deployments@2024",{"_index":4327,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/raipolici",{"_index":4334,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/raipolicies/delet",{"_index":4332,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/raipolicies/writ",{"_index":4331,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/raipolicies@2024",{"_index":4269,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/regeneratekey/act",{"_index":4242,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts/writ",{"_index":4240,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.cognitiveservices/accounts@2024",{"_index":4231,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.compute/diskencryptionsets/delet",{"_index":4157,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.compute/diskencryptionsets/writ",{"_index":4158,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.compute/diskencryptionsets@2024",{"_index":4147,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.compute/disks/writ",{"_index":4155,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.compute/snapshots/delet",{"_index":4926,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.compute/snapshots@2024",{"_index":4910,"title":{},"breadcrumb":{},"description":{},"body
":{"azure/ir.html":{}}}],["microsoft.compute/virtualmachines/writ",{"_index":5628,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.compute/virtualmachines@2024",{"_index":5600,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.compute/virtualmachinescalesets/writ",{"_index":5630,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.containerregistry/registries/writ",{"_index":5724,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.containerregistry/registries@2023",{"_index":5716,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.containerservic",{"_index":4989,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.containerservice/managedclusters/writ",{"_index":4986,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.containerservice/managedclusters@2024",{"_index":4964,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.defaultv2",{"_index":4326,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["microsoft.documentdb/databaseaccount",{"_index":5467,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.graph",{"_index":4807,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.graph/groups/members@2023",{"_index":4570,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["microsoft.graph/identity/conditionalaccess/policies@2023",{"_index":4680,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["microsoft.graph/users@2023",{"_index":4568,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["microsoft.insights/diagnosticset",{"_index":4410,"title":{},"breadcr
umb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["microsoft.insights/diagnosticsettings/delet",{"_index":4408,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["microsoft.insights/diagnosticsettings/writ",{"_index":5218,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.insights/diagnosticsettings@2024",{"_index":4402,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["microsoft.keyvault",{"_index":4053,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["microsoft.keyvault/vault",{"_index":5465,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.keyvault/vaults/writ",{"_index":4093,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.logic/workflows/dis",{"_index":4855,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.logic/workflows/disable/act",{"_index":4858,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.logic/workflows@2024",{"_index":4847,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.network",{"_index":5504,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/bastionhosts/delet",{"_index":5677,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.network/bastionhosts@2024",{"_index":5670,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.network/networkinterfaces/writ",{"_index":4806,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.network/networkinterfaces@2024",{"_index":5596,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.network/networksecur
itygroups/securityrul",{"_index":5641,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.network/networksecuritygroups/securityrules/writ",{"_index":5440,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["microsoft.network/networksecuritygroups@2024",{"_index":5429,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/privateendpoints/delet",{"_index":4359,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["microsoft.network/privateendpoints/privatelinkserviceconnections/writ",{"_index":5501,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/privateendpoints@2024",{"_index":4355,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["microsoft.network/privatelinkservices/privateendpointconnections/writ",{"_index":5502,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/virtualnetworks/subnets/writ",{"_index":5392,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/virtualnetworks/virtualnetworkpeerings/writ",{"_index":5390,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/virtualnetworks/writ",{"_index":5388,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.network/virtualnetworks@2024",{"_index":5384,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.secur",{"_index":5083,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.security/assessmentmetadata/writ",{"_index":5322,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.security/autoprovisioningsettings/writ",{"_index":5321,"title
":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.security/autoprovisioningsettings@2024",{"_index":5311,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.security/locations/jitnetworkaccesspolicies/delet",{"_index":5676,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["microsoft.security/pricings/writ",{"_index":5082,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.security/pricings@2024",{"_index":5077,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoft.security/securitycontacts@2023",{"_index":5314,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.security/securitystandards/writ",{"_index":5323,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.securityinsights/automationrules/delet",{"_index":4854,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.securityinsights/incidents/relations/delet",{"_index":4859,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["microsoft.sql/serv",{"_index":5466,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["microsoft.storag",{"_index":4091,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["microsoft.storage/storageaccount",{"_index":5236,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{}}}],["microsoft.storage/storageaccounts/blobservices/containers/writ",{"_index":3990,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["microsoft.storage/storageaccounts/blobservices@2024",{"_index":5274,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["microsoft.storage/storageaccounts/writ",{"_index":3988,"title":{},"breadcrumb":{
},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["microsoft.storage/storageaccounts@2024",{"_index":3959,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["microsoft_defend",{"_index":5070,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["microsoftazurebastionauditlog",{"_index":5678,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["mid",{"_index":1867,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/compliance-frameworks.html":{}}}],["middl",{"_index":4340,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{}}}],["middlewarecustomercspcsp",{"_index":8298,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["midnight",{"_index":2118,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["migrat",{"_index":709,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["migrati",{"_index":4723,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["million",{"_index":6589,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/threat-model.html":{}}}],["min",{"_index":1394,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["min_siz"
,{"_index":2789,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["min_tls_vers",{"_index":3872,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["min_wait_dur",{"_index":7604,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["mine",{"_index":6654,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/network.html":{}}}],["miner",{"_index":7157,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["minim",{"_index":1212,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["minimalsever",{"_index":5319,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["minimum",{"_index":1203,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["minimum_password_length",{"_index":1823,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["minimum_tls_vers",{"_index":3874,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["minimumtlsvers",{"_index":3964,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["minlength(3",{"_index":3954,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["minor",{"_index":9305,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["minu",
{"_index":5751,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["minut",{"_index":661,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["minwaitdur",{"_index":7591,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["mirror",{"_index":1921,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["misalign",{"_index":7671,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["misconduct",{"_index":1368,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["misconfigur",{"_index":280,"title":{},"breadcrumb":{},"description":{"general/genai.html":{},"general/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/wo
rkloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["misfram",{"_index":5339,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["misinform",{"_index":7848,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["mislabel",{"_index":2611,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["mislead",{"_index":7851,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["mismatch",{"_index":2959,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{}}}],["miss",{"_index":482,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["mistak",{"_index":2768,"title":{},"breadcrumb":{},"d
escription":{},"body":{"aws/kubernetes.html":{},"gcp/ir.html":{}}}],["mistral",{"_index":995,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["misunderstand",{"_index":7919,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/shared-responsibility.html":{}}}],["misus",{"_index":1193,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["mitig",{"_index":281,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["mitr",{"_index":8031,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["mix",{"_index":7670,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["mk",{"_index":7041,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["ml",{"_index":1171,"title":{},"breadcrumb":{},"description":{},"body":{"aws/
genai.html":{},"gcp/network.html":{},"general/genai.html":{}}}],["mlop",{"_index":6125,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["mm",{"_index":8211,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/workloads.html":{}}}],["mo",{"_index":4931,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"oci/logging.html":{}}}],["mobil",{"_index":7898,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/iam.html":{}}}],["modal",{"_index":6583,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["mode",{"_index":207,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["mode=custom",{"_index":7205,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["mode=project_singleton_policy_enforc",{"_index":6934,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["mode=region",{"_index":7213,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["model",{"_index":992,"title":{"general/shared-responsibility.html":{},"general/threat-model.html":{}},"breadcrumb":{"gener
al/shared-responsibility.html":{},"general/threat-model.html":{}},"description":{"gcp/genai.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["model.generate_cont",{"_index":6206,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["model.html",{"_index":7871,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{}}}],["model.upd",{"_index":6340,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["model/${allowedmodelid}'</cod",{"_index":1089,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["model/${props.allowedmodelid",{"_index":1097,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["model/${var.allowed_model_id",{"_index":1066,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["model/anthropic.claud",{"_index":1027,"title":{},"breadcrumb":{},"desc
ription":{},"body":{"aws/genai.html":{}}}],["model_id",{"_index":8725,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["modelsummaries[].{id:modelid,provider:providername,status:modellifecycle.statu",{"_index":1057,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["moder",{"_index":1179,"title":{},"breadcrumb":{},"description":{"oci/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/index.html":{}}}],["moderation_off",{"_index":8732,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["modern",{"_index":2831,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["modif",{"_index":1287,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["modifi",{"_index":713,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["modifydbinst",{"_index":869,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["modifyinstancemetadataopt",{"_index":2819,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["modifyinstancemetadataoptions\",\"runinst",{"_index":3605,"title"
:{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["modifyvpcblockpublicaccessoptions\",\"createvpcblockpublicaccessexclusion\",\"deletevpcblockpublicaccessexclusion\",\"modifyvpcblockpublicaccessexclus",{"_index":3493,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["modsecur",{"_index":7196,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/threat-model.html":{}}}],["modul",{"_index":306,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/kubernetes.html":{},"oci/genai.html":{}}}],["modules/oci",{"_index":8525,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["moment",{"_index":1257,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["monday",{"_index":2446,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["monetis",{"_index":8339,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["mongodb",{"_index":3299,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["monitor",{"_index":2081,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{}},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernete
s.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["monitoring/log",{"_index":7563,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["month",{"_index":1709,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["monthli",{"_index":1943,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/logging.html":{},"gcp/logging.html":{}}}],["more",{"_index":637,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["mortem",{"_index":1963,"title":{},"breadcrumb":
{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"gcp/iam.html":{}}}],["mostli",{"_index":8353,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["motiv",{"_index":8265,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/threat-model.html":{}}}],["mount",{"_index":1965,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["move",{"_index":1933,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["movement",{"_index":1289,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["msgraph",{"_index":4681,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["msp",{"_index":8382,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["mssql",{"_index":3376,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["mtl",{"_index":5362,"title":{},"breadcrumb":{},"des
cription":{},"body":{"azure/network.html":{},"general/data.html":{},"general/network.html":{},"oci/data.html":{},"oci/network.html":{}}}],["mtls:\"i",{"_index":8660,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["much",{"_index":6565,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/data.html":{},"general/shared-responsibility.html":{}}}],["muddl",{"_index":147,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["multi",{"_index":1572,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["multi_valu",{"_index":9038,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["multifactor",{"_index":7645,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["multipl",{"_index":1007,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["multipli",{"_index":4525,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{},"oci/data.html":{}}}],["multiten",{"_index":7677,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["mutabl",{"_i
ndex":3704,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["mutat",{"_index":1252,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["mute",{"_index":7149,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/workloads.html":{}}}],["muteconfig",{"_index":7156,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["muteconfig.cr",{"_index":7150,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["mutual",{"_index":4936,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["myrepo:latest",{"_index":3690,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["mysecurityinfo",{"_index":4757,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["mysql",{"_index":3123,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/network.html":{}}}],["n",{"_index":586,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/logging.html":{},"oci/iam.html":{}}}],["n.nam
espac",{"_index":8544,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["n/a",{"_index":1110,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["n/a(best",{"_index":4784,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{}}}],["n/a2.xn/an/a",{"_index":5320,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["n/a3.7n/an/a",{"_index":3986,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["n/a3.x",{"_index":4088,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["n/a5.1",{"_index":5216,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["n/a5.x",{"_index":5276,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["n/a6.x",{"_index":5387,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["n/a7.x",{"_index":4153,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/workloads.html":{}}}],["n/an/a(best",{"_index":7144,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/workloads.html":{}}}],["n/an/a(bucket",{"_index":6763,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["n/an/a(cloud",{"_index":6639,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["n/an/a(scc",{"_index":6713,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["n/an/a1.x",{"_index":5952,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["n/an/a2.1",{"_index":7084,"title":{},"breadcrumb":{},"description":{},"body":{"gcp
/logging.html":{}}}],["n/an/a2.x",{"_index":7110,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["n/an/a3.1n/a",{"_index":7235,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["n/an/a3.x",{"_index":7335,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["n/an/a4.x",{"_index":5993,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/workloads.html":{}}}],["n/an/a5.1",{"_index":5868,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["n/an/a6.x",{"_index":6068,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["n/an/an/a(best",{"_index":8999,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/workloads.html":{}}}],["n/an/an/a2.1",{"_index":9411,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["n/an/an/a2.x",{"_index":9368,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["n/an/an/a3.x",{"_index":8551,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["n/an/an/a5.x",{"_index":9498,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["n2",{"_index":7436,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["n=$(oci",{"_index":8942,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["nacl",{"_index":2011,"title":{},"breadcrumb":{},"description":{"aws/network.html":{}},"body":{"aws/index.html":{},"aws/network.html":{}}}],["name",{"_index":192,"title":{},"breadcrumb":{},"description":{"oci/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads
.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["name\",(\"us",{"_index":9534,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["name\",url:\"url\",state:\"lifecycl",{"_index":8856,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["name\":\"al",{"_index":2898,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\":\"default",{"_index":3043,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\":\"lambda",{"_index":2993,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\":\"manag",{"_index":2895,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\":\"management\",\"fieldselector",{"_index":2988,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\":\"s3",{"_index":2989,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name\"==`default`].id",{"_index":8854,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["name'</cod",{"_index":8644,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["name(",{"_index":2957,"title":{},"breadcrumb":{},"des
cription":{},"body":{"aws/logging.html":{}}}],["name,values=com.amazonaws.${region}.bedrock",{"_index":1450,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["name:actiongroupname,executor:actiongroupexecutor,state:actiongroupst",{"_index":1293,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["name:nam",{"_index":3920,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["name=\"cmek",{"_index":6319,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["name=\"github",{"_index":6482,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["name=\"projects/${project_id}/locations/${region}/keyrings/${key_ring}/cryptokeys/${key_name}\"</cod",{"_index":6320,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["name='break",{"_index":6607,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["name='forens",{"_index":6734,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["name=ebs_malware_protection,autoenable=new",{"_index":3167,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=ebs_malware_protection,status=en",{"_index":3160,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=eks_audit_logs,autoenable=new",{"_index":3166,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=eks_audit_logs,status=en",{"_index":3159,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=encrypted,values=fals",{"_index":757,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["name=googleapis.com",{"_index":7306,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["name=i",{"_index":3245,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["name=ip",{"_index":3321,"titl
e":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["name=lambda_network_logs,autoenable=new</cod",{"_index":3169,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=lambda_network_logs,status=en",{"_index":3162,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=metadata",{"_index":3583,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["name=org",{"_index":7251,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["name=rds_login_events,autoenable=new",{"_index":3168,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=rds_login_events,status=en",{"_index":3161,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=s3_data_events,autoenable=new",{"_index":3165,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=s3_data_events,status=en",{"_index":3158,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["name=servic",{"_index":1449,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["name=tag:env,values=prod",{"_index":770,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["name=vpc",{"_index":1451,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["name>.blob.core.windows.net",{"_index":3906,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["name_id_format",{"_index":8915,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["name_prefix",{"_index":2770,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["namespac",{"_index":1141,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.ht
ml":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["namespace'",{"_index":9206,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["namespace/pod/nod",{"_index":5067,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["namespaceselector",{"_index":8055,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["narrow",{"_index":922,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["narrowli",{"_index":7882,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["nat",{"_index":1499,"title":{},"breadcrumb":{},"description":{"gcp/network.html":{},"oci/network.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["nat/internet",{"_index":5473,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["nat/sgw",{"_index":9380,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["nation",{"_index":5782,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["nativ",{"_index":3141,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/iam.html":{},"azure/index.html":{
},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["native/author",{"_index":4499,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/network.html":{}}}],["native/cognitiveservic",{"_index":4234,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["native/comput",{"_index":4918,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{}}}],["native/containerservic",{"_index":4980,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["native/insight",{"_index":5211,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["native/network",{"_index":5435,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["native/resourc",{"_index":3975,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{}}}],["native/storag",{"_index":3974,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["natur",{"_index":7510,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["navig",{"_index":12,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"404.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"index.html":{}}}],["nc",{"_index":7158,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["near",{"_index":1620,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/iam.html":{}}}],["ne
arli",{"_index":1534,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"oci/iam.html":{}}}],["necessari",{"_index":477,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{}}}],["necessarili",{"_index":8006,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["need",{"_index":14,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["neglig",{"_index":4787,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/threat-model.html":{}}}],["negoti",{"_index":5540,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/network.html":{},"general/workloads.html":{}}}],["neighbour",{"_index":8407,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["nest",{"_index":479,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["net",{"_index":190,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/network.htm
l":{},"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["net_mod",{"_index":9427,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["net_mode</cod",{"_index":9430,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["net_typ",{"_index":8751,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["network",{"_index":115,"title":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{}},"breadcrumb":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/network.html":{}},"description":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/index.html":{},"general/network.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared
-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["network.accessruledirection.inbound",{"_index":5437,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["network.html",{"_index":7683,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["network.networksecuritygroup(\"workload",{"_index":5436,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["network.securityruleaccess.deni",{"_index":5438,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["network.securityruleprotocol.tcp",{"_index":5439,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["network=projects/svc",{"_index":6020,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["network=vpc",{"_index":6012,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{}}}],["network_acl",{"_index":5038,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["network_acl_id",{"_index":3424,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["network_compartment_ocid",{"_index":9355,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["network_entity_id",{"_index":8747,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/network.html":{}}}],["network_interfac",{"_index":7441,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["network_interface_id",{"_index":5577,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["network_rul",{"_index":3896,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html
":{}}}],["network_rule_set",{"_index":5701,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["network_rules.default_act",{"_index":3879,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["network_security_group",{"_index":9385,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["network_security_group_id",{"_index":5425,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["network_security_group_nam",{"_index":5415,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["network_url",{"_index":7321,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["networkaccesspolici",{"_index":4915,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["networkaccesstyp",{"_index":9432,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["networkacl",{"_index":3967,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{}}}],["networkacl.networkaclid",{"_index":3412,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["networkaclid",{"_index":3436,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["networkacls.defaultact",{"_index":5468,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["networkadmin",{"_index":8827,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["networkclass",{"_index":9378,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["networkconfig.networktyp",{"_index":8749,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["networkentityid",{"_index":9442,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["networkinterfac",{"_index":5621,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workl
oads.html":{},"gcp/workloads.html":{}}}],["networkplugin",{"_index":4970,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["networkpolici",{"_index":2828,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["networkprofil",{"_index":4969,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["networkref",{"_index":6829,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["networkruleset",{"_index":3984,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/workloads.html":{}}}],["networks/default",{"_index":7238,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["networks=<corp",{"_index":6849,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["networks=vpc",{"_index":7307,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["networksecuritygroup",{"_index":5393,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["networksecuritygroupflowev",{"_index":5442,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["networksecuritygroupid",{"_index":9408,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["networktyp",{"_index":8750,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["neutral",{"_index":7805,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["neutralis",{"_index":3222,"title":
{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/ir.html":{}}}],["never",{"_index":16,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["nevertheless",{"_index":4280,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["new",{"_index":221,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html
":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["new_retent",{"_index":9277,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["new_retention</cod",{"_index":9279,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["newer",{"_index":1422,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["newevaluationresult.compliancetyp",{"_index":1920,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["newli",{"_index":3116,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"oci/genai.html":{}}}],["next",{"_index":659,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["nf",{"_index":8477,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["nf==3",{"_index":7487,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["nftabl",{"_index":8236,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["nf{print",{"_index":3250,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ng",{"_index":2781,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["ngfw",{"_index
":8263,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["nginx",{"_index":8054,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["nic",{"_index":4354,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/logging.html":{}}}],["nic.id",{"_index":5622,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["nic/subnet",{"_index":5360,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["nicknam",{"_index":4745,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["night",{"_index":9283,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["nine",{"_index":7822,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/kubernetes.html":{}}}],["nist",{"_index":86,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}
,"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["nist/iso",{"_index":1517,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["nmi",{"_index":8085,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["nnnnn",{"_index":8449,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["no_default_sa_gr",{"_index":6549,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["nobodi",{"_index":1890,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["node",{"_index":2451,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{},"search.html":{}}}],["node'",{"_index":9147,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["node.j",{"_index":7395,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["node_config",{"_index":6961,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["node_config_detail",{"_index":9228,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["node_count",{"_index":4955,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["node_group_nam",{"_index":2780,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["node_pool",{"_index":6969,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/k
ubernetes.html":{}}}],["node_role_arn",{"_index":2782,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["node_shap",{"_index":9226,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["nodeconfig",{"_index":6974,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["nodeconfig.workloadmetadataconfig.mod",{"_index":6870,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["nodefaultvpcrul",{"_index":3267,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["nodelaunchtempl",{"_index":2794,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["nodes_from_clust",{"_index":2846,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["nodesg",{"_index":2856,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["noecho",{"_index":1986,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["noexpir",{"_index":4610,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["nois",{"_index":3038,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/iam.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["noisi",{"_index":5287,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"oci/logging.html":{}}}],["nomin",{"_index":3762,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["non",{"_index":496,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.ht
ml":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["non_compli",{"_index":1910,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["noncurr",{"_index":6769,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["none",{"_index":1227,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["none</cod",{"_index":1223,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["nopublicaccess",{"_index":8484,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["norm",{"_index":4863,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["normal",{"_index":3766,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/network.html":{}}}],["north",{"_index":3216,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["not(bodi",{"_index":4162,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["notabl",{"_index":7905,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["notact",{"_index":1812,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["notappli",{"_index":4683,"title":{},"breadcrumb":{},"descriptio
n":{},"body":{"azure/iam.html":{}}}],["notari",{"_index":5719,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["notat",{"_index":8429,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["notbreach",{"_index":2182,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["note",{"_index":168,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["note=projects/svc",{"_index":7525,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["note_refer",{"_index":6928,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["notes.delet",{"_index":6948,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["noth",{"_index":1628,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/network.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["notic",{"_index":6392,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"general/genai.html":{},"general/ir.html":{},"oci/kubernetes.html":{}}}],["notif",{"_index":2418,"title":{},"breadcrumb":{},"description":{"oci/logging.html":{}},"body":{"aws/ir.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{}
,"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["notifi",{"_index":533,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["notification_channel",{"_index":6628,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["notificationsbyrol",{"_index":5316,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["notify_before_expiri",{"_index":4067,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["noun",{"_index":8223,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["nov",{"_index":2579,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"general/kubernetes.html":{}}}],["novel",{"_index":7836,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["novemb",{"_index":5543,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{}}}],["now",{"_index":506,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["now=$(dat",{"_index":9071,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["npm",{"_index":3685,"title":{},"breadcrumb":{},"description":
{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["nr==1",{"_index":1648,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["ns",{"_index":8510,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["ns.then((n",{"_index":8543,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["nsa",{"_index":7930,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["nsa/cisa",{"_index":2544,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["nsg",{"_index":3401,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{},"azure/network.html":{},"oci/kubernetes.html":{},"oci/network.html":{}},"body":{"aws/network.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"index.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["nsg_id",{"_index":5402,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["nsgid",{"_index":9134,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["nsgname",{"_index":5428,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["nsgocid",{"_index":9410,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["ntia",{"_index":8444,"title":{},"breadcrumb":{},"description":{},"bod
y":{"general/workloads.html":{}}}],["nuanc",{"_index":8304,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["nuget",{"_index":3689,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["null",{"_index":3674,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["nullifi",{"_index":910,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["number",{"_index":2099,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["numer",{"_index":2256,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/logging.html":{}}}],["numericlessthan",{"_index":2187,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["numofreplica",{"_index":9197,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["nva",{"_index":5359,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["nxdomain",{"_index":8276,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["nydf",{"_index":7973,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["o",{"_index":2678,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/workloads.html":{}}}],["oaep",{"_index":8568,"title":{},"breadc
rumb":{},"description":{},"body":{"oci/data.html":{}}}],["oauth",{"_index":4430,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["object",{"_index":275,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"aws/logging.html":{},"oci/data.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["object_delet",{"_index":9238,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["object_events_en",{"_index":8517,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["object_id",{"_index":4196,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["object_lock_en",{"_index":2353,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{}}}],["objecteventsen",{"_index":8547,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["objectlockconfigur",{"_index":2377,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["objectlockdefaultretent",{"_index":2387,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["objectlocken",{"_index":2349,"title":{},"breadcrumb":{}
,"description":{},"body":{"aws/ir.html":{}}}],["objectread",{"_index":8493,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["objectreadwithoutlist",{"_index":8494,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["objectstorag",{"_index":8548,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["objectstorage_read",{"_index":9291,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["objectstorage_writ",{"_index":9294,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oblig",{"_index":2417,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["obscur",{"_index":3233,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["observ",{"_index":1962,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["obsolet",{"_index":3548,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["obtain",{"_index":698,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["oc1",{"_index":8473,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data
.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["occasion",{"_index":4596,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{}}}],["occupi",{"_index":5441,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["occur",{"_index":2657,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/logging.html":{}}}],["occurr",{"_index":1612,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["occurrences.delet",{"_index":7555,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oci",{"_index":131,"title":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}},"breadcrumb":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}},"description":{"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/n
etwork.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["oci'",{"_index":3404,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["oci.audit.configuration(\"ten",{"_index":9259,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci.containerengine.addon(\"calico",{"_index":9192,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci.containerengine.cluster(\"harden",{"_index":9128,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci.containerengine.cluster(\"ok",{"_index":9188,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci.core.instance(\"harden",{"_index":9480,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci.core.networksecuritygroup(\"app",{"_index":9405,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci.core.networksecuritygroupsecurityrule(\"ssh",{"_index":9407,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci.core.volu",{"_index":909
8,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci.identity.compartment(\"genai",{"_index":8687,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci.identity.domainsauthenticationfactorset",{"_index":8881,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci.identity.domainsuser(\"ten",{"_index":8991,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci.identity.getgroup",{"_index":8814,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci.identity.policy(\"break",{"_index":8995,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci.identity.policy(\"deni",{"_index":8817,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci.identity.policy(\"genai",{"_index":8690,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci.logging.log(\"audit",{"_index":9265,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci.logging.loggroup(\"audit",{"_index":9263,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci.objectstorage.bucket(\"harden",{"_index":8542,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci.objectstorage.getnamespac",{"_index":8541,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci.oraclecloud.com/workload",{"_index":9150,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci/config",{"_index":8933,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci/data.html",{"_index":7731,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["oci/genai.html",{"_index":5759,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["oci/iam.html",{"_index":9105,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci/kubernetes.
html",{"_index":5767,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["oci/logging.html",{"_index":8103,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"oci/kubernetes.html":{}}}],["oci/network.html",{"_index":8248,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/kubernetes.html":{}}}],["oci/workloads.html",{"_index":8396,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["oci_all_services_cidr_label",{"_index":9440,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_artifacts_container_image_signatur",{"_index":9600,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_artifacts_container_repositori",{"_index":9584,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_artifacts_container_repository.prod_images.id",{"_index":9598,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_audit_configur",{"_index":9248,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_bastion_bast",{"_index":9535,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_bastion_bastion.app_prod.id",{"_index":9545,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_bastion_sess",{"_index":9542,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_cloud_guard_cloud_guard_configur",{"_index":9311,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_cloud_guard_detector_recip",{"_index":9313,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_cloud_guard_detector_recipe.activity_clone.id",{"_index":9324,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_cloud_guard_detector_recipe.config_clone.id",{"_index":9323,"title":{},"brea
dcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_cloud_guard_responder_recip",{"_index":9024,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["oci_cloud_guard_responder_recipe.ir_auto_contain.id",{"_index":9044,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_cloud_guard_responder_recipe.responder_clone.id",{"_index":9325,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_cloud_guard_target",{"_index":9039,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["oci_containerengine_addon",{"_index":9172,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_containerengine_clust",{"_index":9110,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_containerengine_cluster.hardened.id",{"_index":9180,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_containerengine_cluster.typ",{"_index":9107,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_containerengine_node_pool",{"_index":9225,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_core_default_security_list",{"_index":9389,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_drg",{"_index":9362,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_drg.hub.id",{"_index":9367,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_drg_attach",{"_index":9364,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_inst",{"_index":8632,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["oci_core_instance.app_prod.id",{"_index":9552,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_
core_instance.source_details.kms_key_id",{"_index":8608,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_core_instance_configur",{"_index":9469,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_core_network_security_group",{"_index":9221,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["oci_core_network_security_group.api.id",{"_index":9118,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_core_network_security_group.app_tier.id",{"_index":8669,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["oci_core_network_security_group.bastion_tier.id",{"_index":9397,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_network_security_group.nodes.id",{"_index":9232,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_core_network_security_group_security_rul",{"_index":9222,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["oci_core_route_t",{"_index":8742,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_core_service_gateway",{"_index":8737,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_core_service_gateway.genai.id",{"_index":8748,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_core_subnet",{"_index":9359,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_subnet.api.id",{"_index":9117,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_core_subnet.app_prod_private.id",{"_index":9420,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{},"oci/workloads.html":{}}}],["oci_core_subnet.nodes.id",{"_index":9231,"title":{},"breadcrumb":{},"description":{}
,"body":{"oci/kubernetes.html":{}}}],["oci_core_vcn",{"_index":9357,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_vcn.app_prod.default_security_list_id",{"_index":9392,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_vcn.app_prod.id",{"_index":9361,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_core_vcn.k8s.id",{"_index":9114,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_core_volum",{"_index":8626,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_core_volume_backup_polici",{"_index":9087,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_database_autonomous_databas",{"_index":8662,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["oci_dns_view",{"_index":9421,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["oci_events_rul",{"_index":8982,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_functions_funct",{"_index":9047,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_functions_function.ir_playbook.id",{"_index":9054,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_generative_ai_dedicated_ai_clust",{"_index":8775,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_generative_ai_endpoint",{"_index":8722,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_identity_api_key",{"_index":8948,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_compart",{"_index":8679,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_identity_compartment.genai.id",{"_index":8682,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_identity_domain",{"_index":8859,"title":{}
,"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_domain.partners.url",{"_index":8908,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_domains_authentication_factor_set",{"_index":8861,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_domains_identity_provid",{"_index":8907,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_group",{"_index":8709,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/iam.html":{}}}],["oci_identity_group.security_admins.id",{"_index":8841,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_polici",{"_index":8518,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["oci_identity_tag",{"_index":9083,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_identity_tag_namespac",{"_index":9082,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_identity_tag_namespace.forensics.id",{"_index":9085,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_identity_us",{"_index":8803,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{}}}],["oci_identity_user.alice.id",{"_index":8840,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_user.break_glass",{"_index":8972,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_identity_user.initial_admin",{"_index":8802,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_user.initial_admin.id",{"_index":8811,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_identity_user_group_membership",{"_index":8838,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{}}}],["oci_
kms_key",{"_index":8583,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["oci_kms_key.adb_cmk.id",{"_index":8668,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_kms_key.bucket_cmk.id",{"_index":8516,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_kms_key.data_cmk.id",{"_index":8631,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_kms_key.image_signing.id",{"_index":9212,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["oci_kms_key.oke_secrets.id",{"_index":9170,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_kms_vault",{"_index":8480,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{}}}],["oci_kms_vault.oke.management_endpoint",{"_index":9169,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_kms_vault.prod_private.management_endpoint",{"_index":8586,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_logging_log",{"_index":9290,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_logging_log_group",{"_index":9288,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_logging_log_group.service_data_events.id",{"_index":9292,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_objectstorage_bucket",{"_index":8513,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["oci_objectstorage_bucket.audit_archive.nam",{"_index":9257,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oci_objectstorage_bucket.audit_logs.nam",{"_index":8769,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["oci_o
bjectstorage_namespac",{"_index":8509,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["oci_ons_notification_top",{"_index":8975,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_ons_notification_topic.cg_problems.id",{"_index":9053,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_ons_notification_topic.ir_alerts.id",{"_index":8980,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_ons_subscript",{"_index":8977,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oci_sch_service_connector",{"_index":8763,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["oci_tenancy_ocid",{"_index":8796,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["oci_vcn_ip_n",{"_index":9178,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["oci_vulnerability_scans_container_scan_recip",{"_index":9591,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_vulnerability_scans_container_scan_recipe.prod.id",{"_index":9596,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["oci_vulnerability_scans_container_scan_target",{"_index":9594,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["ocid",{"_index":8596,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ocid>\"]'</cod",{"_index":9121,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ocid></cod",{"_index":8858,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/kubernetes.html":{}}}],["ocid>}]'</cod",{"_index":9214,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ocik8sex
posedsecret",{"_index":9163,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ocik8sunsignedimag",{"_index":9216,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["ocir",{"_index":9205,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["ociservic",{"_index":9269,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["ocpu",{"_index":8634,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["ocpus\":2,\"memoryingbs\":16",{"_index":8615,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["octob",{"_index":5528,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["odata.id",{"_index":4751,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["offboard",{"_index":1708,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/workloads.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["offend",{"_index":2229,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["offer",{"_index":5587,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"oci/data.html":{}}}],["offic",{"_index":3620,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/logging.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{}}}],["offici",{"_index":5740,"title":{},"breadcrumb":{},"de
scription":{},"body":{"compliance-matrix.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["offlin",{"_index":1553,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/iam.html":{},"oci/data.html":{}}}],["oid",{"_index":4493,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"oci/workloads.html":{}}}],["oidc",{"_index":2585,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["oidc.allowedaudi",{"_index":6521,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["oidc_issuer_en",{"_index":5013,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["oidcissuerprofil",{"_index":5019,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["oidcissuerprofile.en",{"_index":5022,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["oidcissuerprofile.issuerurl",{"_index":5015,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["oidcissuerprofile\\\":{\\\"enabled\\\":fals",{"_index":5027,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["ok",{"_index":2577,"title":{"oci/kubernetes.html":{}},"breadcrumb":{},"description":{"oci/kubernetes.html":{},"oci/workloads.html":{}},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["
oke_secret",{"_index":9168,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["okta",{"_index":1695,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["old",{"_index":1693,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"general/data.html":{},"oci/iam.html":{}}}],["older",{"_index":1894,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["omiss",{"_index":7035,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["omit",{"_index":4078,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["on",{"_index":212,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/
shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["onboard",{"_index":1349,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"oci/iam.html":{}}}],["onc",{"_index":246,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["one_hour",{"_index":3064,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["ongo",{"_index":3559,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["onlin",{"_index":4701,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/genai.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["only'</cod",{"_index":6675,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["onmicrosoft.com",{"_index":4528,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["onpremisessyncenabled=tru",{"_index":4472,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["onto",{"_index":2009,"title":{},"breadcrumb":{},"description":{},"body":{"aws/index.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/in
dex.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/network.html":{},"general/iam.html":{},"general/index.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["op",{"_index":4043,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["opa",{"_index":8433,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{},"oci/kubernetes.html":{}}}],["opc",{"_index":8400,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{},"oci/workloads.html":{}}}],["opc@\"$instance_private_ip",{"_index":9529,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["opcadmin",{"_index":8831,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["open",{"_index":258,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["openai",{"_index":1012,"title":{"azure/genai.html":{}},"breadcrumb":{},"description":{"azure/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["openai/deployments/{deploym
entname}?api",{"_index":4314,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["openai/rai/policies/{policyname}?api",{"_index":4313,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["openaiuserroleid",{"_index":4371,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["openid",{"_index":7900,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/iam.html":{}}}],["openssh",{"_index":7566,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/workloads.html":{}}}],["openssl",{"_index":3776,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["oper",{"_index":572,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["operation",{"_index":5398,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloa
ds.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/logging.html":{},"general/methodology.html":{}}}],["operationalis",{"_index":8309,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["operationid",{"_index":4991,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["operationnam",{"_index":4098,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["operationnamevalu",{"_index":3996,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["operations.servicenam",{"_index":6157,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["operator'",{"_index":3398,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["opinion",{"_index":8311,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["opportunist",{"_index":7921,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["ops@bast",{"_index":9519,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["opsgeni",{"_index":8151,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["opt",{"_index":739,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["optim",{"_index":6965,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/kubernetes.html":{}}}],["optimis",{"_index":3109,"title":{},"breadcrumb":{},"descrip
tion":{},"body":{"aws/logging.html":{}}}],["option",{"_index":250,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["options\".\"ar",{"_index":9460,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["options.http",{"_index":3584,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["oracl",{"_index":3297,"title":{},"breadcrumb":{},"description":{"oci/index.html":{},"oci/kubernetes.html":{}},"body":{"aws/network.html":{},"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["oracle'",{"_index":8606,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["oracle/oci",{"_index":8491,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["oracle_funct",{"_index":9022,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oracle_managed_config_detector_ocid",{"_index":9309,"title":{
},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oracle_managed_responder_ocid\"</cod",{"_index":9310,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["oracle_managed_responder_recipe_ocid",{"_index":9012,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["oraclelinux:8",{"_index":9569,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["orchestr",{"_index":1281,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/logging.html":{},"azure/workloads.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{}}}],["order",{"_index":216,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["order_processor",{"_index":3842,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ordinari",{"_index":4522,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["org",{"_index":360,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/logging.html":{},"gcp/iam.html":{},"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":
{},"azure/genai.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"index.html":{},"oci/logging.html":{}}}],["org'",{"_index":526,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["org.yaml",{"_index":5828,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["org/your",{"_index":6491,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["org_admin_breakglass_onli",{"_index":6368,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["org_audit",{"_index":7056,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["org_audit_bq",{"_index":7065,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["org_audit_log",{"_index":7053,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["org_audit_storag",{"_index":7063,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["org_id",{"_index":6358,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["org_id=<your",{"_index":6357,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["org_no_admin_ingress",{"_index":7250,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["org_polici",{"_index":6140,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["org_root",{"_index":7273,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["orgadminbreakglass",{"_index":6376,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organ",{"_index":172,"title":{},"breadcrumb":{},"des
cription":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["organis",{"_index":319,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["organisation",{"_index":8111,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["organisation'",{"_index":2093,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["organiz",{"_index":6593,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/compliance-frameworks.html":{}}}],["organization\")</cod",{"_index":6432,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organization'",{"_index":5895,"title":{},"breadcrumb":{},"de
scription":{},"body":{"gcp/data.html":{}}}],["organization=org_id",{"_index":5830,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["organizationaccountaccessrol",{"_index":1569,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"general/threat-model.html":{}}}],["organizations/${org_id}/policies/iam.automaticiamgrantsfordefaultserviceaccount",{"_index":6545,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/${orgid",{"_index":6420,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/${orgid}/policies/iam.disableserviceaccountkeycr",{"_index":6419,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/${var.org_id",{"_index":5846,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["organizations/${var.org_id}/policies/compute.requireoslogin",{"_index":7489,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["organizations/${var.org_id}/policies/compute.requireshieldedvm",{"_index":7431,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["organizations/${var.org_id}/policies/compute.skipdefaultnetworkcr",{"_index":7217,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["organizations/${var.org_id}/policies/compute.vmexternalipaccess",{"_index":7315,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["organizations/${var.org_id}/policies/gcp.restrictnoncmekservic",{"_index":5945,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizations/${var.org_id}/policies/storage.publicaccessprevent",{"_index":5845,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizat
ions/${var.org_id}/policies/storage.uniformbucketlevelaccess",{"_index":5848,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizations/${var.organization_id",{"_index":6412,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/${var.organization_id}/policies/iam.automaticiamgrantsfordefaultserviceaccount",{"_index":6550,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/${var.organization_id}/policies/iam.disableserviceaccountkeycr",{"_index":6411,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/org_id",{"_index":6374,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["organizations/org_id/policies/compute.requireoslogin",{"_index":7477,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["organizations/org_id/policies/compute.requireoslogin\"</cod",{"_index":7497,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["organizations/org_id/policies/compute.requireshieldedvm",{"_index":7417,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["organizations/org_id/policies/compute.skipdefaultnetworkcr",{"_index":7208,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["organizations/org_id/policies/compute.skipdefaultnetworkcreation\"</cod",{"_index":7234,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["organizations/org_id/policies/compute.vmexternalipaccess",{"_index":7302,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["organizations/org_id/policies/gcp.restrictnoncmekservic",{"_index":5901,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizations/org_id/policies/iam.automaticiamgrantsfordefaultserviceaccounts\"</cod",{"_i
ndex":6551,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/org_id/policies/iam.disableserviceaccountkeycreation\"</cod",{"_index":6415,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["organizations/org_id/policies/storage.publicaccessprevent",{"_index":5829,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizations/org_id/policies/storage.uniformbucketlevelaccess",{"_index":5832,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["organizations/org_id_placeholder/policies/iam.disableserviceaccountkeycr",{"_index":6402,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["orgid",{"_index":3478,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["orgpolicy.cnrm.cloud.google.com/v1beta1",{"_index":6413,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["orgpolicy.googleapis.com",{"_index":6426,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/network.html":{}}}],["orgpolicypolici",{"_index":6414,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["orgrootid",{"_index":1584,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["orgs.cfnpolicy(thi",{"_index":1591,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["orgsink",{"_index":7081,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["orgtrail",{"_index":2921,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["orgtrailprop",{"_index":2931,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["orgtrailstack",{"_index":2932,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["orient",{"_index":8
319,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["origin",{"_index":1437,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["orm",{"_index":8487,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["orphan",{"_index":1703,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"gcp/workloads.html":{},"oci/iam.html":{}}}],["orthogon",{"_index":8483,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["os",{"_index":3606,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["os_disk",{"_index":5584,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["os_namespac",{"_index":8503,"title":{},"breadcrumb":{},"description":{},"bo
dy":{"oci/data.html":{},"oci/logging.html":{}}}],["os_polici",{"_index":7599,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osconfig",{"_index":7594,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osconfig.cnrm.cloud.google.com/v1beta1",{"_index":7605,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osconfig.googleapis.com",{"_index":7574,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osconfig=true,en",{"_index":7575,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osconfigospolicyassign",{"_index":7606,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oscustomercspcsp",{"_index":8297,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["osdisk",{"_index":5616,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["oslogin",{"_index":7445,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oslogin.yaml",{"_index":7476,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oslogin=tru",{"_index":7507,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oslogin=true,en",{"_index":7480,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oslogin_alic",{"_index":7492,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["oslogin_metadata",{"_index":7491,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["ospolici",{"_index":7577,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["osprofil",{"_index":5606,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["osqueri",{"_index":8410,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["oss",{"_index":8486,"titl
e":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["other",{"_index":996,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{}}}],["otherwis",{"_index":238,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"general/data.html":{},"general/ir.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["otp",{"_index":7899,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["ou",{"_index":1585,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{}}}],["out",{"_index":1348,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["outag",{"_index":2113,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},
"gcp/ir.html":{},"oci/ir.html":{}}}],["outbound",{"_index":3145,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"gcp/network.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["outcom",{"_index":3089,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/network.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["outdat",{"_index":18,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/workloads.html":{},"gcp/workloads.html":{}}}],["outliv",{"_index":5156,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["outlook.office365.com:993",{"_index":4708,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["outpac",{"_index":5753,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["output",{"_index":582,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["output)\"</cod",{"_index":8836,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["output_act",{"_index":1397,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["output_strength",{"_index":1399,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["outputstrength",{"_index":1222,"title":{},"breadcrumb":{},"descripti
on":{},"body":{"aws/genai.html":{}}}],["outright",{"_index":1234,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["outsid",{"_index":82,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["outsourc",{"_index":8460,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["over",{"_index":308,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["overal",{"_index":6222,"title":{},"
breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["overlap",{"_index":3232,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"general/ir.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["overlay",{"_index":4932,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"general/data.html":{}}}],["overlay</cod",{"_index":4962,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["overli",{"_index":4363,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"oci/genai.html":{}}}],["overlook",{"_index":3379,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/network.html":{}}}],["overrid",{"_index":171,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["overridden",{"_index":7189,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["oversight",{"_index":7857,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["overview",{"_index":47,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data
.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["overwrit",{"_index":2881,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"oci/workloads.html":{}}}],["overwritten",{"_index":9568,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["owasp",{"_index":1102,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/index.html":{},"general/network.html":{},"oci/genai.html":{}}}],["own",{"_index":1669,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["owner",{"_index":532,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.ht
ml":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["owner'",{"_index":1928,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["ownership",{"_index":4453,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["oxley",{"_index":8124,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["p",{"_index":3458,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"oci/workloads.html":{}}}],["p0",{"_index":8002,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["p0/p1/p2/p3/p4",{"_index":7944,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["p1",{"_index":8003,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["p2",{"_index":5349,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/workloads.html":{},"general/ir.html":{}}}],["p3/p4",{"_index":8005,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["p30d",{"_index":4064,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["p365d",{"_index":4066,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{}}}],["p99",{"_index":2622,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["p><strong>search",{"_index":9626,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["pa",{"_index":5199,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{},"azure/workloa
ds.html":{}}}],["paa",{"_index":3868,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"azure/data.html":{},"azure/network.html":{},"general/index.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["pack",{"_index":3033,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["pack'",{"_index":3040,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["packag",{"_index":3682,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["packet",{"_index":2864,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["packs/secur",{"_index":3053,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["page",{"_index":0,"title":{"404.html":{}},"breadcrumb":{},"description":{"404.html":{},"compliance-matrix.html":{},"index.html":{}},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html"
:{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["page'",{"_index":4668,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["pager",{"_index":2240,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/ir.html":{}}}],["pager+${each.key}@example.com",{"_index":8971,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["pager+bg01@example.com",{"_index":8961,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["pagerduti",{"_index":2106,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/logging.html":{},"oci/ir.html":{}}}],["pages</li",{"_index":9638,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["paid",{"_index":7932,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/data.html":{}}}],["pair",{"_index":146,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.h
tml":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["palo",{"_index":9341,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["pam",{"_index":6542,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["pane",{"_index":3153,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/workloads.html":{}}}],["panic",{"_index":916,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["panick",{"_index":2880,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{}}}],["pap",{"_index":5817,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{}}}],["pap_org",{"_index":5844,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["par",{"_index":8495,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/logging.html":{}}}],["par_scop",{"_index":8558,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["par_scope</cod",{"_index":8561,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["paragraph",{"_index":8138,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["parallel",{"_index":3670,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["param",{"_index":3956,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/lo
gging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["paramet",{"_index":610,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}}}],["paraphras",{"_index":8161,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["parent",{"_index":1938,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["parent_id",{"_index":5005,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["parentcompartmentid",{"_index":8684,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["pariti",{"_index":7117,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["pars",{"_index":1855,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"compliance-matrix.html":{},"gcp/network.html":{}}}],["parser",{"_index":5773,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"oci/logging.html":{}}}],["part",{"_index":1048,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["parti",{"_index":1793,"title":{},"breadcrumb":{},"description":{},"body":{"aw
s/iam.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["partial",{"_index":2320,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/logging.html":{}}}],["participatori",{"_index":7927,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["particular",{"_index":1524,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["particularli",{"_index":6519,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/threat-model.html":{},"oci/genai.html":{}}}],["partit",{"_index":71,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["partli",{"_index":9431,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["partner",{"_index":2235,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["partner'",{"_index":4869,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["partner_nam",{"_index":8910,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["partner_provider_id",{"_index":8911,"title":{},"bread
crumb":{},"description":{},"body":{"oci/iam.html":{}}}],["partners@example.com",{"_index":6745,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["party'",{"_index":8383,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["pass",{"_index":753,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/kubernetes.html":{}}}],["passcode_length",{"_index":8874,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["passiv",{"_index":1243,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/genai.html":{}}}],["password",{"_index":816,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["password_en",{"_index":1851,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["password_enabled=tru",{"_index":1862,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["password_enabled=true,mfa_active=fals",{"_index":1858,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["password_reuse_prevent",{"_inde
x":1829,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["passwordless",{"_index":8185,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["past",{"_index":759,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/iam.html":{},"index.html":{},"oci/data.html":{},"oci/ir.html":{}}}],["pat",{"_index":3909,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["patch",{"_index":3464,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["patchdeployments.delet",{"_index":7612,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["patchdeployments.patch",{"_index":7613,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["patchsignonpolici",{"_index":8893,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["path",{"_index":473,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp
/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["patienc",{"_index":8355,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["pattern",{"_index":1006,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["paus",{"_index":1354,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{}}}],["pausabl",{"_index":2351,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["pay",{"_index":3126,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/ir.html":{}}}],["payload",{"_index":181,"title"
:{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["payment",{"_index":1629,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/data.html":{},"general/ir.html":{},"general/threat-model.html":{}}}],["paywal",{"_index":7672,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["pci",{"_index":2337,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["pcr",{"_index":5524,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{}}}],["pd",{"_index":5981,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["pdf",{"_index":2546,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/kubernetes.html":{}}}],["pdz",{"_index":5482,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["pdzg",{"_index":5484,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["pe",{"_index":3917,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/gen
ai.html":{},"azure/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["pe:\"priv",{"_index":8659,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["pec",{"_index":5480,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["pedagog",{"_index":7017,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/workloads.html":{}}}],["peel",{"_index":3802,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["peer",{"_index":3399,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["pem",{"_index":8930,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["penalti",{"_index":7737,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["pend",{"_index":1870,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["pendingwindowinday",{"_index":2671,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["penetr",{"_index":7835,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["pentest",{"_index":3139,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["peopl",{"_index":7664,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["per",{"_index":161,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/d
ata.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["percent",{"_index":7590,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["perform",{"_index":780,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["performance_insights_en",{"_index":828,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["performance_insights_kms_key_id",{"_index":829,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["performance_insights_retention_period",{"_index":830,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["pergb2018",{"_index":5069,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["perhap",{"_index":3466,"title":{}
,"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["perimet",{"_index":3503,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/workloads.html":{}}}],["perimeter'",{"_index":6168,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["period",{"_index":1852,"title":{"index.html":{}},"breadcrumb":{},"description":{"index.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/logging.html":{},"index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["period=31557600",{"_index":6740,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["period=63072000",{"_index":7040,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["period=90d",{"_index":5911,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["perman",{"_index":3462,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["permiss",{"_index":180,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"g
cp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["permission.cidr,values=0.0.0.0/0",{"_index":3322,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["permission.from",{"_index":3323,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["permission_set_arn",{"_index":1730,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["permit",{"_index":908,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["permitrootlogin",{"_index":7568,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["persist",{"_index":2216,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["person",{"_index":1384,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.
html":{},"aws/iam.html":{},"gcp/iam.html":{},"general/data.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["perspect",{"_index":7347,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["petabyt",{"_index":2978,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["pga",{"_index":7193,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["phase",{"_index":905,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["phi",{"_index":678,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/logging.html":{},"general/data.html":{},"oci/genai.html":{}}}],["phish",{"_index":1528,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["phone",{"_index":2217,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"general/iam.html":{},"general/ir.html":{}}}],["phrase",{"_index":1188,"title":{},"breadcrumb":{},"
description":{},"body":{"aws/genai.html":{},"general/methodology.html":{},"oci/data.html":{}}}],["physic",{"_index":2102,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["pi",{"_index":4298,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"oci/genai.html":{}}}],["pick",{"_index":3224,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"gcp/network.html":{},"general/methodology.html":{}}}],["piec",{"_index":7990,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/network.html":{}}}],["piecem",{"_index":7721,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["pii",{"_index":236,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"general/data.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["pii_entities_config",{"_index":1371,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["pillar",{"_index":8171,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{}}}],["pilot",{"_index":2010,"title":{},"breadcrumb":{},"description":{},"body":{"aws/index.html":{},"azure/index.html":{},"gcp/index.html":{},"general/genai.html":{},"general/kubernetes.html":{},"oci/index.html":{}}}],["pim",{"_index":4387,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"general/iam.html"
:{},"oci/iam.html":{}}}],["pimelig",{"_index":4623,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["pin",{"_index":184,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ping",{"_index":2094,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"general/iam.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["pip",{"_index":5645,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/genai.html":{}}}],["pipe",{"_index":7999,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"oci/iam.html":{}}}],["pipelin",{"_index":2110,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/
index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["pitfal",{"_index":3140,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"oci/workloads.html":{}}}],["pitr",{"_index":6008,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["pivot",{"_index":1036,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["pkg",{"_index":7586,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["pkix_public_key",{"_index":7542,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["place",{"_index":322,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workl
oads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["place.)</cod",{"_index":819,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["placehold",{"_index":7864,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["placement",{"_index":9174,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["placement_config",{"_index":9229,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["plagu",{"_index":3780,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["plain",{"_index":7911,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/workloads.html":{}}}],["plaintext",{"_index":57,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"oci/data.html":{}}}],["plaintext\">(logname=~\"projects/.*/logs/cloudaudit.googleapis.com%2fact",{"_index":6896,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["plaintext\">logname=\"organizations/org_id/logs/cloudaudit.googleapis.com%2fact",{"_index":6386,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["plaintext\">logname=~\"organizations/.*/logs/cloudaudit.googleapis.com%2fact",{"_index":6158,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["plaintext\">logname=~\"projects/.*/logs/cloudaudit.googleapis.com%2fact",{"_index":5877,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["plaintext\">logname=~\"projects/.*/logs/cloudaudit.googleapis.com%2fdata_access",{"_in
dex":6224,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["plan",{"_index":1557,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["plan/appli",{"_index":8947,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["plan_job_ocid",{"_index":8533,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["plan_job_ocid=$(oci",{"_index":8529,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["plane",{"_index":551,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gc
p/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["platform",{"_index":293,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["platform'",{"_index":804,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/index.html":{},"gcp/index.html":{},"general/workloads.html":{}}}],["platformconfig",{"_index":9491,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["plausibl",{"_index":7849,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["play",{"_index":1189,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html
":{},"azure/genai.html":{},"general/ir.html":{},"oci/logging.html":{}}}],["playbook",{"_index":2029,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{},"azure/ir.html":{}},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/methodology.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["playbook'",{"_index":4804,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["playbook.json",{"_index":4830,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["playbook.zip",{"_index":6698,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["playbook_sub",{"_index":6688,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["playbooknam",{"_index":4846,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["pleas",{"_index":8229,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["plot",{"_index":6845,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["plsc",{"_index":5500,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["plu",{"_index":1787,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["plugin",{"_index":2659,"title":{},
"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"general/genai.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["plugins_config",{"_index":9467,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["pna:publicnetworkaccess",{"_index":3922,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["poc",{"_index":9570,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["pod",{"_index":1951,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["pod'",{"_index":9148,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["pod_identity_ag",{"_index":2599,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["podidentityassoci",{"_index":2603,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["podrolearn",{"_index":2602,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["podrolearn</cod",{"_index":2605,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["pods.creat",{"_index":6957,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["pods.eks.amazonaws.com",{"_index":2594,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["podsecur",{"_index":5097,"title":{},"breadcrumb":{},"description":{},"body":{"azure/
kubernetes.html":{},"general/kubernetes.html":{}}}],["point",{"_index":127,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["point=handle_find",{"_index":6666,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["point_in_time_recovery_en",{"_index":6052,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["pointer",{"_index":243,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["points</li",{"_index":9640,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["poison",{"_index":4263,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["polic",{"_index":9306,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["polici",{"_index":44,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{}
,"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["policies.quarantinepolici",{"_index":5725,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["policy'",{"_index":4538,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["policy.get('bind",{"_index":6280,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["policy.json",{"_index":938,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["policy.json.frag",{"_index":7098,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["policy.json</cod",{"_index":945,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/kubernetes.html":{}}}],["policy.upd",{"_index":6427,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["policy.yaml",{"_index":6914,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/wor
kloads.html":{}}}],["policy/amazoneksclusteradminpolici",{"_index":2843,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["policy=\"${access_policy_nam",{"_index":6137,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["policy=json.load(sys.stdin",{"_index":6278,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["policy=org_no_admin_ingress",{"_index":7252,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["policy=termin",{"_index":7413,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["policy_arn",{"_index":1072,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["policy_definition_id",{"_index":3943,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["policy_mod",{"_index":4897,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["policyassign",{"_index":5115,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["policyassignmentnam",{"_index":5463,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["policydefinitionid",{"_index":5117,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["policydocu",{"_index":1087,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["policyocid",{"_index":8819,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["polish",{"_index":7720,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["poll",{"_index":7572,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["pool",{"_index":4169,"title":{},"breadcrumb":{},"description":{"oci/kubernetes.
html":{}},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/network.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["pool'",{"_index":6990,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/ir.html":{}}}],["pool=\"$pool_id",{"_index":6484,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["pool=project.svc.id.goog",{"_index":6879,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["pool=project_id.svc.id.goog",{"_index":6859,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["pool_id",{"_index":6480,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["pool_id=github",{"_index":6478,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["poorli",{"_index":3851,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["pop",{"_index":4717,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/network.html":{}}}],["pop3",{"_index":4695,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["popul",{"_index":4514,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["port",{"_index":2854,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},
"oci/workloads.html":{}}}],["port,values=22,3389,3306,5432,1521,27017,6379",{"_index":3324,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["port=5432",{"_index":6029,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["portal",{"_index":3905,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/workloads.html":{}}}],["portion",{"_index":8326,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["ports:destinationportrang",{"_index":5408,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["posit",{"_index":2209,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["posix",{"_index":7470,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["possess",{"_index":7887,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["possibl",{"_index":435,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["post",{"_index":94,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"a
zure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["postgr",{"_index":809,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"gcp/data.html":{}}}],["postgres_15",{"_index":6042,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["postgresql",{"_index":3124,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/network.html":{}}}],["postur",{"_index":765,"title":{},"breadcrumb":{},"description":{"general/data.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["potenti",{"_index":494,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"azure/genai.html":{},"gcp/
genai.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"oci/network.html":{}}}],["power",{"_index":1893,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["powershel",{"_index":7897,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["poweruseraccess",{"_index":1797,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["pr.aa",{"_index":7656,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["practic",{"_index":98,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["practices)n/a",{"_index":7145,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"gcp/workloads.html":{}}}],["practices)n/an/a",{"_index":4785,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{}}}],["practices)n/an/an/a",{"_index":2196,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{}}}],["practices1.1",{"_index":6379,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{
}}}],["practices1.1.41.5best",{"_index":6552,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["practices1.1.6best",{"_index":1994,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{}}}],["practicesbest",{"_index":1749,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{}}}],["practition",{"_index":7937,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["pre",{"_index":1333,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["preauth",{"_index":8496,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["preced",{"_index":1872,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/logging.html":{},"general/threat-model.html":{}}}],["precis",{"_index":1765,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}}}],["preconfigur",{"_index":7195,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["precursor",{"_index":1873,"title":{},"breadcrumb":
{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{}}}],["predat",{"_index":3463,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["predefin",{"_index":6567,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["predefinedacl",{"_index":5875,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["predic",{"_index":6563,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/logging.html":{}}}],["predict",{"_index":6131,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["prediction\"</cod",{"_index":6114,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["prefer",{"_index":1952,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["preference=accept_manu",{"_index":7345,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["preferred_member_key",{"_index":6452,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["prefix",{"_index":3019,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"oci/ir.html":{}}}],["prefixes:addressspace.addressprefix",{"_index":5368,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["prefs.json",{"_index":3627,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["prem",{"_index":3128,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},
"gcp/ir.html":{},"oci/data.html":{},"oci/network.html":{}}}],["premier",{"_index":4744,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["premis",{"_index":4738,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/iam.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["premium",{"_index":3858,"title":{},"breadcrumb":{},"description":{"azure/network.html":{}},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["premium/enterpris",{"_index":7155,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["premium_lr",{"_index":4136,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/workloads.html":{}}}],["prepar",{"_index":2036,"title":{},"breadcrumb":{},"description":{"general/ir.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/index.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["prerequisit",{"_index":1005,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["prescript",{"_index":7633,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/shared-responsibility.html":{}}}],["presenc",{"_index":7246,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}
,"oci/logging.html":{}}}],["present",{"_index":1270,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/kubernetes.html":{}}}],["preserv",{"_index":2020,"title":{},"breadcrumb":{},"description":{"aws/ir.html":{}},"body":{"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/ir.html":{},"general/methodology.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["pressur",{"_index":2435,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["pretend",{"_index":5158,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["prevent",{"_index":264,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"gene
ral/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["prevent_destroy",{"_index":5855,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"oci/iam.html":{}}}],["preventive/detective/respons",{"_index":5776,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["preview",{"_index":2563,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"general/shared-responsibility.html":{}}}],["preview\"</cod",{"_index":5299,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["previou",{"_index":884,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["previous",{"_index":849,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["price",{"_index":3231,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"general/data.html":{}}}],["pricingti",{"_index":5078,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ku
bernetes.html":{}}}],["primari",{"_index":2090,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["primarili",{"_index":7134,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["primaryemail",{"_index":6443,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["primit",{"_index":111,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["princip",{"_index":271,"title":{},"breadcrumb":{},"description":{"oci/iam.html":{},"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir
.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["principal\":{\"service\":\"ec2.amazonaws.com",{"_index":1971,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["principal'",{"_index":1157,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["principal://iam.googleapis.com/project",{"_index":6524,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["principal_arn",{"_index":2839,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["principal_id",{"_index":1734,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{}}}],["principal_object_id",{"_index":4485,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["principal_typ",{"_index":1736,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["principalid",{"_index":4379,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{}}}],["principalnam",{"_index":8984,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["principalset://iam.googleapis.com/projects/${
var.project_number}/locations/global/workloadidentitypools/${google_iam_workload_identity_pool.github.workload_identity_pool_id}/attribute.repository/your",{"_index":6514,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["principaltyp",{"_index":4380,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{}}}],["principl",{"_index":104,"title":{"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{}},"breadcrumb":{},"description":{"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},
"oci/workloads.html":{}}}],["print",{"_index":5975,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"index.html":{}}}],["print('warn",{"_index":6279,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["print(c",{"_index":6246,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["printf",{"_index":1805,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["prior",{"_index":1684,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["prioriti",{"_index":499,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{},"general/iam.html":{}}}],["prioritis",{"_index":3893,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/logging.html":{}}}],["priv",{"_index":892,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"oci/kubernetes.html":{}}}],["privaci",{"_index":1405,"title":{},"breadcrumb":{},"description":{"oci/data.html":{}},"body":{"aws/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["privat",{"_index":850,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"g
eneral/network.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["private.googleapis.com",{"_index":7186,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["private/restrict",{"_index":7381,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["private</cod",{"_index":7375,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["private_cluster_config",{"_index":6807,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["private_cluster_en",{"_index":4946,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["private_cluster_public_fqdn_en",{"_index":4948,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["private_connection_resource_id",{"_index":4348,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["private_dns_en",{"_index":1467,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["private_dns_zone_group",{"_index":5495,"title":{},"breadcrumb":{},"description":{
},"body":{"azure/network.html":{}}}],["private_dns_zone_id",{"_index":4947,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["private_dns_zone_nam",{"_index":5489,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["private_endpoint_label",{"_index":8646,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["private_ip_address_alloc",{"_index":5573,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["private_ip_google_access",{"_index":7227,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["private_network",{"_index":6047,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["private_pe_view",{"_index":9422,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["private_rt_ocid",{"_index":9439,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["private_service_connect",{"_index":4346,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{},"gcp/network.html":{}}}],["private_subnet_ocid",{"_index":8616,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["private_visibility_config",{"_index":7320,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["privateapisubnetocid",{"_index":9124,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["privateclust",{"_index":2522,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["privateclusterconfig",{"_index":6822,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["privateclusterconfig.enableprivateendpoint=fals",{"_index":6840,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["privatednsen",{"_index":1493,"title":{},"breadcru
mb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["privatednszon",{"_index":4967,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["privateeksclust",{"_index":2505,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["privateeksclusterstack",{"_index":2520,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["privateeksprop",{"_index":2518,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["privateendpoint",{"_index":9429,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["privateipallocationmethod",{"_index":5599,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["privateipgoogleaccess",{"_index":7334,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["privatelink",{"_index":1439,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"general/network.html":{}}}],["privatelink.blob.core.windows.net",{"_index":5481,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["privatelinkserviceanonym",{"_index":5505,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["privatelinkserviceconnect",{"_index":4356,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["privatelinkserviceid",{"_index":4357,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["privatenetworkref",{"_index":6065,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["private|edg",{"_index":9379,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["privileg",{"_index":227,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/workloads.html":{},"gcp/data.html":{},"general/iam.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kube
rnetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["privilege_escal",{"_index":6649,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["probabl",{"_index":8015,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["probe",{"_index":3149,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["problem",{"_index":1958,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/iam.html":{},"general/ir.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["problemlifecyclest",{"_index":9037,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["proce",{"_index":8386,"title":{},"breadcrumb":{},"descri
ption":{},"body":{"general/threat-model.html":{}}}],["procedur",{"_index":6584,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["process",{"_index":554,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{}}}],["processor",{"_index":3835,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["prod",{"_index":808,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["prod\",\"alias/ek",{"_index":2664,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["prod\",\"namespacename\":\"'\"$os_namespace\"'\"}'</cod",{"_index":9247,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["prod.cloudaudit_googleapis_com_activity.cloudaudit_googleapis_com_activity_",{"_index":6788,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["prod.forensic_hunts.iam_grants_by_actor",{"_index":6794,"title":{},"breadcrumb":{},"description":{},"bod
y":{"gcp/ir.html":{}}}],["prod.iam",{"_index":6032,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["prod.iam.gserviceaccount.com",{"_index":6670,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/workloads.html":{}}}],["prod.vault.azure.net",{"_index":5472,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["prod/app",{"_index":7519,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod/attestors/built",{"_index":7523,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod/cryptokeys/artifact",{"_index":7516,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod/datasets/org_audit",{"_index":7048,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["prod/global/networks/vpc",{"_index":6021,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["prod/locations/europ",{"_index":5920,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/workloads.html":{}}}],["prod/locations/global/keyrings/attest/cryptokeys/ci/cryptokeyversions/1",{"_index":7528,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod/notes/built",{"_index":7526,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod/providers/microsoft.logic/workflows/la",{"_index":4819,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["prod/regions/europ",{"_index":7359,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["prod/topics/scc",{"_index":6659,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["prod:europ",{"_index":6025,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["prod:org_audit",{"_index":7043,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["prod</cod",{"_index":592
3,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/workloads.html":{},"oci/network.html":{}}}],["prod@svc",{"_index":7423,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["prod_imag",{"_index":9585,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["prod_ord",{"_index":821,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["prod_priv",{"_index":8582,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["prodadb",{"_index":8649,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["produc",{"_index":1275,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/genai.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["producer'",{"_index":7349,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["product",{"_index":657,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general
/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["production/app",{"_index":9156,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["prodvpc.id",{"_index":7287,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"gcp/workloads.html":{}}}],["profil",{"_index":1040,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["program",{"_index":6590,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/index.html":{}}}],["programm",{"_index":2232,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"general/ir.html":{},"general/logging.html":{},"oci/ir.html":{}}}],["programmat",{"_index":1574,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"oci/iam.html":{}}}],["progress",{"_index":1538,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/index.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{}}}],["prohibit",{"_index":2979,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/iam
.html":{},"general/data.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["prohibit_public_ip_on_vn",{"_index":9337,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{},"oci/workloads.html":{}}}],["project",{"_index":2444,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{},"search.html":{}}}],["project\"'\\t",{"_index":7429,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["project'",{"_index":7028,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["project=\"$project",{"_index":5841,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["project=<your",{"_index":6405,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["project=debian",{"_index":5970,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["project=forens",{"_index":6736,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["project=project_id",{"_index":6933,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["project=sec",{"_index":5908,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["project=secur",{"_index":6657
,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["project=svc",{"_index":5835,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["project=ubuntu",{"_index":7421,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["project_id",{"_index":5860,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["project_id.svc.id.goog",{"_index":6854,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["project_id.svc.id.goog\"</cod",{"_index":6867,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["project_id=secur",{"_index":6783,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["project_numb",{"_index":6089,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["project_number=$(gcloud",{"_index":5913,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{}}}],["project_number}@comput",{"_index":5971,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["project_number}@g",{"_index":5916,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["project_singleton_policy_enforc",{"_index":6932,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["projectid",{"_index":6119,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["projectref",{"_index":6937,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["projects/${var.project_numb",{"_index":6146,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["projects/debian",{"_index":7452,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["projects/log_project/datasets/security_audit",{"_index":7078,"title":{
},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["projects/my_project/attestors/build",{"_index":6919,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["projects/project_id",{"_index":6938,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["projects/project_id/attestors/prod",{"_index":6939,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["projects/project_id/datasets/gke_audit",{"_index":6997,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["projects/project_id/global/networks/sql",{"_index":6066,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["projects/project_id/locations/u",{"_index":5948,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/kubernetes.html":{}}}],["projects/project_numb",{"_index":6150,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["projects/svc",{"_index":7522,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["projects/ubuntu",{"_index":7439,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["promot",{"_index":1264,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["prompt",{"_index":986,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"azure/genai.html":{},"general/genai.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["prompt/respons",{"_index":4295,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["prompt_attack",{"_index":1205,"title":{},"breadcrumb"
:{},"description":{},"body":{"aws/genai.html":{}}}],["prompt_attack_policy_config",{"_index":1209,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["promptattackconfig",{"_index":1196,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["promptattackguardrail",{"_index":1214,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["promptattackguardrailstack",{"_index":1225,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["promptshieldresult.detect",{"_index":4279,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["prone",{"_index":8087,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["proof",{"_index":5220,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/ir.html":{},"general/iam.html":{}}}],["prop",{"_index":405,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["propag",{"_index":883,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/data.html":{},"general/network.html":{}}}],["properli",{"_index":930,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"gcp/data.html":{}}}],["properti",{"_index":388,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging
.html":{},"oci/workloads.html":{}}}],["properties.contentsafetyconfig\"</cod",{"_index":4264,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["properties.customsubdomainnam",{"_index":4307,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["properties.disablelocalauth",{"_index":4241,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["properties.disablelocalauth!=true].{name:nam",{"_index":4218,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["properties.publicnetworkaccess\"</cod",{"_index":4341,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["properties_",{"_index":4292,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["propertynam",{"_index":4840,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["propertyvalu",{"_index":4842,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["proport",{"_index":1865,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/workloads.html":{}}}],["propos",{"_index":7885,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["proprietari",{"_index":1162,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"general/genai.html":{}}}],["props.agentnam",{"_index":1324,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["props.clusterkmskeyarn",{"_index":2533,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["props.clusternam",{"_index":2523,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["props.evidencebucketnam",{"_index":2386,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["props.evidencekmskeyarn",{"_index":2384,"title":{},"breadcrumb":{},"description":{},"body":{"aws/i
r.html":{}}}],["props.orgrootid",{"_index":1592,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["props.trailbucketnam",{"_index":2935,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["props.trailkmskeyarn",{"_index":2937,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["props.vpc",{"_index":2525,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{}}}],["prose",{"_index":3459,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["prose).</cod",{"_index":9398,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["protect",{"_index":29,"title":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"oci/data.html":{}},"breadcrumb":{"azure/data.html":{},"gcp/data.html":{},"general/data.html":{},"oci/data.html":{}},"description":{"aws/data.html":{},"aws/index.html":{},"azure/data.html":{},"azure/index.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/index.html":{},"gcp/network.html":{},"general/data.html":{},"oci/data.html":{},"oci/index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threa
t-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["protected_append_writes_all_en",{"_index":4902,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["protected_material_cod",{"_index":4274,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["protected_material_text",{"_index":4273,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["protection_level",{"_index":5935,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protection_mod",{"_index":8587,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["protectionlevel",{"_index":6337,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protectionmod",{"_index":8595,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["protocol",{"_index":1478,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["protopayload",{"_index":6384,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.authenticationinfo.principalemail",{"_index":6230,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{}}}],["protopayload.authenticationinfo.principalemail=(\"breakglass",{"_index":6603,"title":{},"breadcrumb":{},"description
":{},"body":{"gcp/ir.html":{}}}],["protopayload.authenticationinfo.principalemail=~\"break",{"_index":6643,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.authenticationinfo.principalsubject",{"_index":6523,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.metadata.event.name=\"2sv_dis",{"_index":6466,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.metadata.event.name=\"allow_strong_authent",{"_index":6467,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodnam",{"_index":6383,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["protopayload.methodname=\"generateaccesstoken",{"_index":6522,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=\"google.cloud.orgpolicy.v2.orgpolicy.updatepolici",{"_index":6430,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=\"google.container.v1.clustermanager.createnodepool",{"_index":6986,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=\"google.container.v1.clustermanager.updateclust",{"_index":6839,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=\"google.container.v1.clustermanager.updatenodepool",{"_index":6875,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=\"google.iam.admin.v1.createserviceaccountkey",{"_index":6425,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=\"google.iam.v1.workloadidentitypools.createworkloadidentitypoolprovid",{"_index":6529,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=\"google.iam.v1.workloadidentitypools.updateworkloadidentitypoolprovider\"
)</cod",{"_index":6530,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=\"google.logging.v2.configservicev2.deletesink",{"_index":7006,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["protopayload.methodname=\"google.logging.v2.configservicev2.updatesink",{"_index":7005,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["protopayload.methodname=\"setiampolici",{"_index":5959,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["protopayload.methodname=\"storage.buckets.upd",{"_index":5881,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["protopayload.methodname=\"storage.setiampermiss",{"_index":5879,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["protopayload.methodname=\"storage.setiampermissions\")</cod",{"_index":6768,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.methodname=\"v1.compute.firewalls.insert",{"_index":7243,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.methodname=\"v1.compute.forwardingrules.insert",{"_index":7340,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.methodname=\"v1.compute.networks.insert",{"_index":7241,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.methodname=\"v1.compute.subnetworks.patch",{"_index":7379,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.methodname=~\".*(dataset|model|endpoint|trainingpipeline).(create|upd",{"_index":6343,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.methodname=~\".*createmuteconfig",{"_index":7153,"title"
:{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.methodname=~\".*cryptokey",{"_index":6899,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=~\".*datastore.(delete|setiampolici",{"_index":6310,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.methodname=~\".*deleteattestor",{"_index":6952,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=~\".*endpoint.predict",{"_index":6225,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.methodname=~\".*functions.(delete|upd",{"_index":6719,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.methodname=~\".*instances.(patch|update|cr",{"_index":6075,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.methodname=~\".*occurrences.delet",{"_index":7558,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.methodname=~\".*serviceperimet",{"_index":6160,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.methodname=~\".*setiampolici",{"_index":7560,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.methodname=~\".*subscriptions.setiampolici",{"_index":6722,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.methodname=~\".*updatemuteconfig\")</cod",{"_index":7154,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.methodname=~\".*updateorganizationset",{"_index":7152,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.methodname=~\".*updateorgunit",{"_index":6468,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.methodname=~\".*updatepolici",{"_index":6951,"title":{},"bre
adcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.methodname=~\"v1.compute.(disks|regiondisks|snapshots).insert",{"_index":5998,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.methodname=~\"v1.compute.(firewalls|firewallpolici",{"_index":7292,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.methodname=~\"v1.compute.(instances|projects).setmetadata",{"_index":7502,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.methodname=~\"v1.compute.instances.updateshieldedinstanceconfig",{"_index":7461,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.methodname=~\"v1.compute.serviceattachments.(insert|patch",{"_index":7339,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request",{"_index":6535,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.request.allowed.ports=\"22",{"_index":7294,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.allowed.ports=\"3389\")</cod",{"_index":7295,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.cryptokey.name=~\".*gk",{"_index":6900,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.diskencryptionkey.kmskeyname=~\".*\"</cod",{"_index":5999,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.request.enableintegritymonitoring=false)</cod",{"_index":7463,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.enablesecureboot=fals",{"_index":7462,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.encryption.defaultkmskeynam",{"_index":5957,"title":{},"breadcrumb":{},"description":{},"body
":{"gcp/data.html":{}}}],["protopayload.request.encryptionspec.kmskeyname=~\".*\"</cod",{"_index":6344,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.request.iamconfiguration.publicaccessprevention=\"inherited\"))</cod",{"_index":5882,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.request.items.key=\"block",{"_index":7503,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.items.key=\"en",{"_index":7504,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.items.value=\"fals",{"_index":7505,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.items.value=\"false\")</cod",{"_index":7506,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.request.name=~\"default",{"_index":7244,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.nodepool.config.shieldedinstanceconfig.enableintegritymonitoring=false)</cod",{"_index":6988,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.policy.defaultadmissionrule.evaluationmode=\"always_allow",{"_index":6953,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.privateipgoogleaccess=false</cod",{"_index":7380,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.safetysettings.threshold",{"_index":6215,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.request.safetysettings.threshold=\"block_none\"</cod",{"_index":6226,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.request.serviceperimeter.spec.egresspolicies.egressto.operations.servicename=\"aiplatform.googleapis.com\")</cod",{"_index":6162,
"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.request.serviceperimeter.spec.restrictedservices=\"aiplatform.googleapis.com",{"_index":6161,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.request.settings.backupconfiguration.enabled=false)</cod",{"_index":6077,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.request.settings.ipconfiguration.ipv4enabled=tru",{"_index":6076,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.request.sink.filter=~\".*k8s_cluster.*\"</cod",{"_index":7007,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.sourceranges=\"0.0.0.0/0",{"_index":7293,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.target=~\".*serviceattachments.*\"))</cod",{"_index":7341,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.request.update.desireddatabaseencryption.state=\"decrypt",{"_index":6897,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.update.desiredmasterauthorizednetworksconfig.cidrblocks.cidrblock=\"0.0.0.0/0\")</cod",{"_index":6844,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.update.desirednodepoolautoconfig.networktags.tags=~\"legaci",{"_index":6876,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.update.desirednodepoolautoconfig.shieldedinstanceconfig.enablesecureboot=fals",{"_index":6987,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.update.desiredprivateclusterconfig.enableprivateendpoint=fals",{"_index":6843,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.request.update.desiredwor
kloadidentityconfig.workloadpool",{"_index":6869,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.resourcenam",{"_index":7237,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.resourcename=~\".*/networks/default",{"_index":7242,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["protopayload.resourcename=~\".*buckets/forens",{"_index":6767,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.resourcename=~\".*rag",{"_index":6311,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.resourcename=~\".*scc",{"_index":6720,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.response.status.message=~\".*deni",{"_index":6955,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.servicedata.policydelta.auditconfigdeltas.action=\"remov",{"_index":7113,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.servicedata.policydelta.auditconfigdeltas.action=\"remove\"</cod",{"_index":6263,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicedata.policydelta.auditconfigdeltas.logtype=\"data_read",{"_index":7114,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.servicedata.policydelta.auditconfigdeltas.logtype=\"data_write\")</cod",{"_index":7115,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.servicedata.policydelta.auditconfigdeltas.service=\"aiplatform.googleapis.com",{"_index":6262,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicedata.policydelta.bindingdelta",{"_index":6554,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["protopayload.servicedata.policydelta.binding
deltas.action=\"add",{"_index":6127,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.member=\"allusers\"))</cod",{"_index":6312,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.member=~\"allusers|allauthenticatedus",{"_index":5880,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.member=~\"serviceaccount:[0",{"_index":6560,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.member=~\"user:break",{"_index":6642,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/aiplatform.admin\")</cod",{"_index":6129,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/aiplatform.us",{"_index":6128,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/artifactregistry.writer\"))</cod",{"_index":7561,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/editor\"</cod",{"_index":6561,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/iam.securityadmin",{"_index":6389,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/own",{"_index":6388,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.servicedata.policydelta.bindingdeltas.role=\"roles/resourcemanager.organizationadmin",{"_index":6387,"title":{},"breadcrumb"
:{},"description":{},"body":{"gcp/iam.html":{}}}],["protopayload.servicenam",{"_index":6774,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.servicename=\"accesscontextmanager.googleapis.com",{"_index":6159,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicename=\"admin.googleapis.com",{"_index":6463,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["protopayload.servicename=\"aiplatform.googleapis.com",{"_index":6126,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicename=\"artifactregistry.googleapis.com",{"_index":7559,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.servicename=\"binaryauthorization.googleapis.com",{"_index":6950,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["protopayload.servicename=\"cloudfunctions.googleapis.com",{"_index":6718,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.servicename=\"cloudkms.googleapis.com",{"_index":5958,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/kubernetes.html":{}}}],["protopayload.servicename=\"compute.googleapis.com",{"_index":5997,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["protopayload.servicename=\"containeranalysis.googleapis.com",{"_index":7557,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["protopayload.servicename=\"discoveryengine.googleapis.com",{"_index":6309,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["protopayload.servicename=\"logging.googleapis.com",{"_index":7004,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["protopayload.servicename=\"pubsub.googleapis.com",{"_index":6721,"title":{},"br
eadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["protopayload.servicename=\"securitycenter.googleapis.com",{"_index":7151,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["protopayload.servicename=\"sqladmin.googleapis.com",{"_index":6074,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["protopayload.servicename=\"storage.googleapis.com",{"_index":5878,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{}}}],["protopayload.servicename=\\\"aiplatform.googleapis.com",{"_index":6258,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["provabl",{"_index":8257,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["prove",{"_index":2069,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"oci/data.html":{}}}],["proven",{"_index":2213,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["provi",{"_index":4416,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["provid",{"_index":351,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/shared-responsibility.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"complianc
e-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["provider\":{\"keyarn\":\"arn:aws:kms:region:account:key/key",{"_index":2639,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["provider'",{"_index":1163,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"compliance-matrix.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["provider_id",{"_index":6483,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["provider_id=github",{"_index":6479,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["providers/microsoft.authorization/policydefinitions/404c3081",{"_index":5305,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["providers/microsoft.authorization/policydefinitions/<act",{"_index":5200,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["providers/microsoft.authorization/policysetdefinitions/<ip",{"_index":5369,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["providers/microsoft.authorization/policysetdefinitions/<trus
t",{"_index":5566,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["providers/microsoft.authorization/policysetdefinitions/d1cb47db",{"_index":5456,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["providers/microsoft.authorization/roledefinitions/${globaladminroleid",{"_index":4507,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["providers/microsoft.authorization/roledefinitions/62e90394",{"_index":4627,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["providers/microsoft.insights/diagnosticset",{"_index":5221,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["providers/microsoft.management/managementgroups/<ten",{"_index":4506,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["providers/microsoft.management/managementgroups/ten",{"_index":3942,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["provis",{"_index":784,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["proxi",{"_index":1442,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{}}}],["proxycommand",{"_index":9523,"title":{},"breadcrumb":{},"description":{},"body":{"
oci/workloads.html":{}}}],["proxycommand=\"ssh",{"_index":9525,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["ps_arn",{"_index":2137,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["psa",{"_index":6009,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["psc",{"_index":4347,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/network.html":{}}}],["psc_google_api",{"_index":7363,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["psc_vendor_api",{"_index":7371,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["psp",{"_index":8081,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["psql",{"_index":6027,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["pss",{"_index":4725,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"azure/index.html":{},"azure/kubernetes.html":{},"general/kubernetes.html":{}}}],["pss_restrict",{"_index":5103,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["pt1h",{"_index":1747,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["pt4h",{"_index":1718,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["pt5m",{"_index":4774,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["pub",{"_index":6646,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"oci/data.html":{}}}],["pub/sub",{"_index":5892,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{}},"body":{"gcp/data.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{}}}],["public",{"_index":32,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/network.html":{},"azure/data.html":{},"gcp/d
ata.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["public.pem",{"_index":8945,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["public_access_cidr",{"_index":2466,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["public_access_prevent",{"_index":5802,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["public_access_prevention=enforc",{"_index":7142,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["public_access_typ",{"_index":8492,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["public_api",{"_index":9144,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["public_ip_address_id",{"_index":5663,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["public_key",{"_index":5582,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workl
oads.html":{}}}],["public_key_cont",{"_index":9548,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["public_key_pem",{"_index":7543,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["public_network_access_en",{"_index":3875,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["public_network_access_enabled=fals",{"_index":3945,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["publicaccess",{"_index":3991,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["publicaccess\\\":\\\"blob",{"_index":4000,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["publicaccess\\\":\\\"contain",{"_index":3999,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["publicaccessblockconfigur",{"_index":478,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["publicaccesscidr",{"_index":2550,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["publicaccessprevent",{"_index":5863,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["publicaccessprevention=enforc",{"_index":5888,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{}}}],["publicaccesstyp",{"_index":8546,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["publication'",{"_index":7938,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["publicendpointdomainnam",{"_index":6274,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["publicipaddress",{"_index":5675,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["publicipid",{"_index":5669,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.ht
ml":{}}}],["publickey",{"_index":5611,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["publickeycontent\":\"ssh",{"_index":9516,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["publicli",{"_index":880,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["publiclyaccessible=tru",{"_index":870,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["publicnetworkaccess",{"_index":3965,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["publicnetworkaccess=='en",{"_index":3918,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["publicnetworkaccess\\\":\\\"en",{"_index":4360,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["publicread",{"_index":5876,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["publish",{"_index":1408,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["pubsub",{"_index":6656,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["pubsub.subscriptions.cr",{"_index":6773,"title":{},"breadcrumb":{},"description":{},"b
ody":{"gcp/ir.html":{}}}],["pubsub_top",{"_index":6681,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["pull",{"_index":519,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}}}],["pulumi",{"_index":3971,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["pulumi.config",{"_index":8536,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["pulumi.interpolate`allow",{"_index":8691,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["pulumi.interpolate`bigquery.googleapis.com/projects/${logproject}/datasets/security_audit",{"_index":7083,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["pulumi/azur",{"_index":3973,"title":{},"breadcrumb":{},"description":{},"body":{"az
ure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["pulumi/gcp",{"_index":5864,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["pulumi/gcp/cloudident",{"_index":6455,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["pulumi/oci",{"_index":8534,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["pulumi/pulumi",{"_index":3972,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["punch",{"_index":3899,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["pur",{"_index":3844,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["pure",{"_index":7501,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/network.html":{},"index.html":{}}}],["purg",{"_index":4015,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["purge_protection_en",{"_index":5037,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["purpl",{"_index":8020,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["purpos",{"_index":2265,"title":{},"breadcrumb":{},"description":{},"body":{
"aws/ir.html":{},"aws/workloads.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["purpose=encrypt",{"_index":5910,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["purpose=private_service_connect",{"_index":7353,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["purpose=vpc_p",{"_index":6010,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["pursu",{"_index":1941,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["purview",{"_index":3847,"title":{},"breadcrumb":{},"description":{"azure/data.html":{}},"body":{"azure/data.html":{},"azure/index.html":{},"general/data.html":{}}}],["push",{"_index":2126,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["push_en",{"_index":8867,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["put",{"_index":164,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/threat-model.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["putaccountpublicaccessblock",{"_index":489,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["putaccountpublicaccessblock\",\"deletepublicaccessblock\",\"putpublicaccessblock\",\"putbucketpolici",{"_index
":462,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["putbucketencrypt",{"_index":632,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["putbucketencryption\",\"deletebucketencrypt",{"_index":643,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["putbucketlifecycleconfiguration\",\"deleteobject\",\"deleteobjectversion\",\"putobjectlegalhold\",\"putobjectretent",{"_index":2410,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["putbucketpolici",{"_index":2970,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["putconfigurationrecord",{"_index":3108,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["putcontainerimag",{"_index":9612,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["puteventselector",{"_index":3015,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["putkeypolici",{"_index":2674,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["putlogev",{"_index":2767,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["putobject",{"_index":2972,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["putregistryscanningconfigur",{"_index":3759,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["putregistryscanningconfiguration\",\"putimagescanningconfigur",{"_index":3757,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["pw",{"_index":1807,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["pw=$(aw",{"_index":1802,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["pypi",{"_index":3686,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["python",{"_index":6189,"title":{},"breadcrumb":{},"description":
{},"body":{"gcp/genai.html":{},"gcp/workloads.html":{}}}],["python3",{"_index":6243,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["python3.12",{"_index":2272,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["python312",{"_index":6693,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["q",{"_index":590,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["q2",{"_index":6212,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["qp",{"_index":6261,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["qradar",{"_index":8135,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["qualif",{"_index":7860,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["qualifi",{"_index":3770,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/genai.html":{},"oci/data.html":{}}}],["qualiti",{"_index":4303,"title":{},"breadcrumb":{},"description":{"general/logging.html":{}},"body":{"azure/genai.html":{},"azure/logging.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/ir.html":{}}}],["quantit",{"_index":8013,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["quarantin",{"_index":2054,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["quarantine.zip",{"_index":2275,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["quarantine=tru",{"_index":5395,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["quarantine_policy_en",{"_index":5680,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],[
"quarantine_sg_id",{"_index":2277,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["quarantinepolici",{"_index":5721,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["quarter",{"_index":6586,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/workloads.html":{}}}],["quarterli",{"_index":2075,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{}},"body":{"aws/ir.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["queri",{"_index":451,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["query_frequ",{"_index":4773,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["query_period",{"_index":4775,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["queryabl",{"_index":2439,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{}}}],["question",{"_index":259,"title":{},"breadcrumb":{},"d
escription":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["questionnair",{"_index":7614,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["queue",{"_index":1869,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/logging.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["queueservic",{"_index":5259,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["queueservices/default",{"_index":5252,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["quick",{"_index":5638,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/workloads.html":{}}}],["quickli",{"_index":2128,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["quiet",{"_index":5225,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/ir.html":{}}}],["quietli",{"_index":3021,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["quota",{"_index":2237,"title":{},"breadcrumb":{},"description":{"azure/genai.html":{}},"body":{"aws/ir.html":{},"azure/genai.html":{},"azure/index.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/genai.html":{},"oci/network.html":{}}}],["r",{"_index":935,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"oci/workloads.html":{}}}],["r\"\\t\"$1",{"_index":3251,"title":{},"breadcrumb":{},"description
":{},"body":{"aws/network.html":{}}}],["r5/upd1/fin",{"_index":7651,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["r=\"$region",{"_index":3249,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ra",{"_index":3747,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"oci/workloads.html":{}}}],["raccoon",{"_index":8366,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["race",{"_index":8896,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["radiu",{"_index":330,"title":{},"breadcrumb":{},"description":{"general/threat-model.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rag",{"_index":1192,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["rag_corpus_index",{"_index":6290
,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rag_corpus_sa",{"_index":6283,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rag_corpus_vertex_us",{"_index":6284,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rag_endpoint",{"_index":6299,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rag_source_bucket_access",{"_index":6287,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rai",{"_index":4277,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["rai_policy_nam",{"_index":4315,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["raipolici",{"_index":4268,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["raipolicynam",{"_index":4276,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["rais",{"_index":2244,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["ramp",{"_index":1998,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["ran",{"_index":3621,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/kubernetes.html":{}}}],["rand",{"_index":4533,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["random",{"_index":818,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["random_password",{"_index":4761,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["random_password.bg[each.key].result",{"_index":4550,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["random_password.break_glass[each.key].result",{"_inde
x":4759,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["rang",{"_index":2815,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["range=10.40.0.0/22",{"_index":7214,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ranges=0.0.0.0/0",{"_index":7258,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["ranges=cloudsql",{"_index":6014,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ransom",{"_index":7971,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["ransomwar",{"_index":3310,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/network.html":{}}}],["rapid",{"_index":1154,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/network.html":{}}}],["rare",{"_index":1960,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["rate",{"_index":1242,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.htm
l":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["ratio",{"_index":6228,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["raw",{"_index":475,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rbac",{"_index":2693,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{}}}],["rce",{"_index":2589,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["rd",{"_index":42,"title":{},"breadcrumb":{},"description":{"aws/data.html":{}},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/network.html":{},"general/data.html":{},"general/shared
-responsibility.html":{}}}],["rdma",{"_index":8674,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["rdp",{"_index":3293,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rdp/ssh",{"_index":5665,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["rdp/sshe",{"_index":4802,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["rdp:3389",{"_index":9400,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["rds.amazonaws.com",{"_index":859,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:copydbsnapshot",{"_index":861,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:createdbclust",{"_index":843,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:createdbinst",{"_index":842,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:createdbsnapshot",{"_index":795,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:modifydbinst",{"_index":847,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:modifydbsnapshotattribut",{"_index":796,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds:restoredbinstancefromdbsnapshot",{"_index":854,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rds_login_ev",{"_index":3181,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["rds_storage_encrypt",{"_index":837,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rdsstorageencryptedrul",{"_index":836,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["re",{"_index":76,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{}
,"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reach",{"_index":328,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reachabl",{"_index":507,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azur
e/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["reactiv",{"_index":8808,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["read",{"_index":311,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["read/writ",{"_index":2626,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/logging.html":{},"general/genai.html":{},"general/kubernetes.html":{}}}],["read/write/delet",{"_index":5157,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["read_onli",{"_index":1723,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["read_only_auditor",{"_index":1
733,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["read_write_typ",{"_index":2999,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["readabl",{"_index":705,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["reader",{"_index":1530,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/index.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["readi",{"_index":2406,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{}}}],["readm",{"_index":9587,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["readonlyaccess",{"_index":1745,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["readonlyauditor",{"_index":1716,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["readonlypermissionset",{"_index":1743,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["reads/writ",{"_index":3006,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["readwrit",{"_index":5585,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["readwritetype=writeonli",{"_index":3028,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["real",{"_index":205,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/ir.html":{}
,"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["realis",{"_index":3240,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/threat-model.html":{}}}],["realiti",{"_index":7797,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/ir.html":{},"general/logging.html":{}}}],["realiz",{"_index":8184,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["realm",{"_index":8472,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reappear",{"_index":3262,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["reappli",{"_index":4008,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["reason",{"_index":794,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["reattach",{"_index":8645,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["reauthent",{"_index":5028,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["rebind",{"_index":8604,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{}}}],["reboot",{"_
index":3676,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["rebrand",{"_index":8479,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["rebuild",{"_index":3778,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"oci/network.html":{}}}],["rebuilt",{"_index":9624,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["recaptcha",{"_index":7384,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["receiv",{"_index":1714,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["recenc",{"_index":1916,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["recent",{"_index":289,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"general/iam.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["recip",{"_index":6647,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["recipi",{"_index":4518,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/ir.html":{},"oci/iam.html":{}}}],["recipientaccountid",{"_index":1761,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],
["reciproc",{"_index":8387,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["recognis",{"_index":4527,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"compliance-matrix.html":{},"general/shared-responsibility.html":{}}}],["recommend",{"_index":99,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["recon",{"_index":3133,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recon:iamuser/userpermiss",{"_index":3151,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["reconcil",{"_index":2201,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/logging.html":{},"azure/network.html":{},"general/logging.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["reconcili",{"_index":2208,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["reconfigur",{"_index":1421,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/data.html":{}}}],["reconfirm",{"_inde
x":4694,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}}}],["reconnaiss",{"_index":1682,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"gcp/logging.html":{}}}],["reconnect",{"_index":3678,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["reconstruct",{"_index":2220,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["record",{"_index":1866,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["recorder/sink",{"_index":3093,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recording_group",{"_index":3057,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recordinggroup",{"_index":3046,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recordinggroup.allsupport",{"_index":3098,"title":
{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recordinggroup.resourcetyp",{"_index":3099,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["recov",{"_index":927,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["recover",{"_index":5032,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/data.html":{}}}],["recoveri",{"_index":696,"title":{},"breadcrumb":{},"description":{"general/ir.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["recreat",{"_index":2346,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/genai.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["recur",{"_index":1945,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["recurs",{"_index":2342,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"gcp/ir.html":{}}}],["red",{"_index":6229,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"general/ir.html":{},"oci/kubernetes.html":{}}}],["redact",{"_index":1369,"title":{
},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"general/genai.html":{},"general/iam.html":{},"oci/genai.html":{}}}],["redefin",{"_index":7823,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["redeploy",{"_index":2325,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["redi",{"_index":3301,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["redirect",{"_index":1351,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/threat-model.html":{}}}],["redlin",{"_index":8364,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["reduc",{"_index":431,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["reduct",{"_index":334,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"gcp/logging.html":{},"gcp/network.html":{},"oci/ir.html":{}}}],["redund",{"_index":4611,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"general/network.html":{},"general/threat-model.html":{}}}],["ref",{"_index":390,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["refer",{"_index":89,"title":{"index.html":{}},"breadcrumb":{},
"description":{"aws/index.html":{},"azure/index.html":{},"gcp/index.html":{},"general/kubernetes.html":{},"index.html":{},"oci/index.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["referenc",{"_index":544,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reference/components.html",{"_index":8187,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["referenced_security_
group_id",{"_index":3333,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["reflect",{"_index":1510,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"oci/workloads.html":{}}}],["reflex",{"_index":3547,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/logging.html":{}}}],["refram",{"_index":7935,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["refresh",{"_index":4587,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/network.html":{}}}],["refus",{"_index":321,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{}}}],["regardless",{"_index":1666,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["regener",{"_index":4251,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["regeneratekey/act",{"_index":4250,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["regex",{"_index":476,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["regim",{"_index":7768,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["region",{"_index":62,"ti
tle":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["region'",{"_index":2877,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{}}}],["region.cluster_nam",{"_index":6921,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["region</cod",{"_index":6818,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["region=\"${region",{"_index":6272,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["region=europ",{"_index":6016,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{}}}],["regions/account",{"_index":2963,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["regions[].regionnam",{"_index":712,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{}}}],["regist",{"_index":1571,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/genai.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["registr",{"_index":2222,"title":{},"breadcrumb":{
},"description":{},"body":{"aws/ir.html":{},"azure/network.html":{},"general/ir.html":{}}}],["registration_en",{"_index":5493,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["registri",{"_index":1200,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/genai.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["registry.terraform.io/providers/hashicorp/googl",{"_index":6924,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["regress",{"_index":443,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["regresshion",{"_index":9510,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["regul",{"_index":260,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["regular",{"_index":8380,"title":{},"breadcrumb":{},"description":{},"body":{"general/
threat-model.html":{},"oci/data.html":{}}}],["regularli",{"_index":7628,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/kubernetes.html":{}}}],["regulated_storage_account_id",{"_index":5254,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["regulatori",{"_index":1386,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["rehears",{"_index":7939,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["rehydr",{"_index":8129,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["reinforc",{"_index":1560,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["reinstanti",{"_index":4167,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["reinvent",{"_index":7626,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["reissu",{"_index":4103,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["reiter",{"_index":8454,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["reject",{"_index":5100,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html
":{},"gcp/genai.html":{},"gcp/workloads.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rel",{"_index":9618,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["relat",{"_index":3862,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{},"general/ir.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["relationship",{"_index":1959,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"general/data.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{}}}],["relax",{"_index":2825,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{}}}],["releas",{"_index":1790,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["release_v123",{"_index":9601,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["relev",{"_index":1251,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{
},"general/genai.html":{},"general/network.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reli",{"_index":438,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["reliabl",{"_index":3027,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["relianc",{"_index":5364,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{},"oci/data.html":{}}}],["reload",{"_index":5554,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["reloc",{"_index":3290,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/data.html":{}}}],["remain",{"_index":504,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/
workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["remedi",{"_index":339,"title":{},"breadcrumb":{},"description":{"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["remediat",{"_index":6798,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["rememb",{"_index":9468,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["remot",{"_index":3536,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["remov",{"_index":178,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{}
,"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["remove_addon_resources_on_delet",{"_index":9181,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["removeaddonresourcesondelet",{"_index":9196,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["removedefaultnodepool",{"_index":6834,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["renam",{"_index":15,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/iam.html":{},"azure/workloads.html":{},"general/methodology.html":{}}}],["render",{"_index":4032,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/data.html":{}}}],["renew",{"_index":9344,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{},"oci/workloads.html":{}}}],["rent",{"_index":7722,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/shared-responsibility.html":{}}}],["renumb",{"_index":8191,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/network.html":{}}}],["repay",{"_index":788,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["repeat",{"_index":3394,"title":{},"brea
dcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/iam.html":{},"oci/genai.html":{}}}],["repeatedli",{"_index":8307,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["replac",{"_index":771,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["replacenetworkaclassoci",{"_index":3457,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["replay",{"_index":1796,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["repli",{"_index":4715,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["replic",{"_index":926,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["replica",{"_index":929,"title":{},"breadcrumb":{},"description":{},"body":{"aws/
data.html":{},"gcp/logging.html":{},"oci/iam.html":{}}}],["repo",{"_index":2074,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["repo\"</cod",{"_index":6492,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["reponam",{"_index":3735,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["repopul",{"_index":5330,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["report",{"_index":149,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["reporting_region",{"_index":9312,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["reportingregion",{"_index":9331,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["repositori",{"_index":1147,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/
genai.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["repository'",{"_index":3761,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["repository_filt",{"_index":3714,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["repository_id",{"_index":7532,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/workloads.html":{}}}],["repositoryid\":\"'\"$repo_ocid",{"_index":9580,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["repositorynam",{"_index":3739,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["repo}:{tag",{"_index":5734,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["repres",{"_index":2625,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["reproduc",{"_index":3549,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["repudi",{"_index":8329,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["reput",{"_index":1388,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"general/threat-model.html":{},"oci/genai.html":{}}}],["req",{"_index":9173,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request",{"_index":7,"title":{},"breadcrumb":{},"description":{"404.html":{}},"bo
dy":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["request.principal.cluster_id='${oci_containerengine_cluster.hardened.id",{"_index":9160,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.cluster_id='\\''<clust",{"_index":9153,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.namespace='\\''product",{"_index":9154,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.namespace='product",{"_index":9161,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.service_account='\\''app",{"_index":9155,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.service_account='app",{"_index":9162,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.type='\\''workload",{"_index":9152,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.principal.type='workload",{"_index":9159,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["request.serviceaccounts.email",{"_index":6558,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.ht
ml":{}}}],["request.user.identitydomain='break",{"_index":8996,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["request.user.mfatotp.is.absent='tru",{"_index":8818,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["requester'",{"_index":5507,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["requestmetadata.callerip",{"_index":6434,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["requestobject.kind=endpoint",{"_index":2554,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestor",{"_index":5889,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["requestparameters.accountid",{"_index":3205,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{}}}],["requestparameters.actiongroupexecutor",{"_index":1340,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.advancedeventselector",{"_index":3024,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.agentid",{"_index":1338,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.agentnam",{"_index":1339,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.agentresourcerolearn",{"_index":1329,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.autoen",{"_index":3805,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.bucketnam",{"_index":456,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["requestparameters.cidrblock",{"_index":3453,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.cidrblock=0.0.0.0/0",{"_index":3445,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.
html":{}}}],["requestparameters.clusternam",{"_index":2612,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.configurationrecordernam",{"_index":3100,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.contentpolicyconfig",{"_index":1247,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.contentpolicyconfig.filtersconfig",{"_index":1413,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.datasourc",{"_index":3204,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.dbinstanceidentifi",{"_index":858,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.detectorid",{"_index":3203,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.en",{"_index":3199,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.eventbusnam",{"_index":2310,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["requestparameters.eventselector",{"_index":3023,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.exclusionid",{"_index":3491,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.functionnam",{"_index":2311,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["requestparameters.groupid",{"_index":3382,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.guardrailidentifi",{"_index":1245,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.guardrailvers",{"_index":1414,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.httpendpoint",{"_index":3602,"title":{},"breadcrumb":{},"description"
:{},"body":{"aws/workloads.html":{}}}],["requestparameters.httpputresponsehoplimit",{"_index":2818,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["requestparameters.httptoken",{"_index":2809,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["requestparameters.imagescanningconfiguration.scanonpush",{"_index":3754,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.instanceid",{"_index":2817,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["requestparameters.internetgatewayblockmod",{"_index":3487,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.ippermiss",{"_index":3383,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.ippermissions.item",{"_index":3369,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.ismultiregiontrail",{"_index":2952,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.isorganizationtrail",{"_index":2953,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.key",{"_index":2407,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["requestparameters.keyid",{"_index":2660,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.keynam",{"_index":3663,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.kmskeyid",{"_index":749,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.legalhold",{"_index":2409,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["requestparameters.lifecycleconfigur",{"_index":2408,"title":{},"breadcrumb":{},"description"
:{},"body":{"aws/ir.html":{}}}],["requestparameters.logging.clusterlog",{"_index":2735,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.logging.clusterlogging.0.en",{"_index":2741,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.logging.clusterlogging.1.en",{"_index":2742,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.metadataoptions.httptoken",{"_index":3604,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.nam",{"_index":1246,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["requestparameters.namespac",{"_index":2613,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.networkaclid",{"_index":3450,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.pendingwindowinday",{"_index":2661,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.polici",{"_index":457,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.policyarn",{"_index":1135,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.policydocu",{"_index":1136,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["requestparameters.publicaccessblockconfigur",{"_index":455,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.publiclyaccess",{"_index":848,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.recordinggroup.allsupport",{"_index":3101,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.recordinggroup.resourcetyp",{"_index":31
02,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.repositorynam",{"_index":3755,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.resourcearn",{"_index":3492,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.resourcesvpcconfig.endpointpublicaccess",{"_index":2549,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.resourcesvpcconfig.publicaccesscidr",{"_index":2556,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.resourcetyp",{"_index":3800,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.rolearn",{"_index":2148,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{}}}],["requestparameters.rolenam",{"_index":1134,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["requestparameters.rul",{"_index":3752,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.ruleact",{"_index":3452,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.ruleaction=allow",{"_index":3444,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.rulenumb",{"_index":3451,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["requestparameters.scantyp",{"_index":3751,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["requestparameters.serversideencryptionconfigur",{"_index":642,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.serversideencryptionconfiguration.rules[0].applyserversideencryptionbydefault.ssealgorithm",{"_index":623,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameter
s.serviceaccount",{"_index":2614,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["requestparameters.storageencrypt",{"_index":844,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["requestparameters.trailnam",{"_index":3022,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["requestparameters.usernam",{"_index":1133,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["requestrespons",{"_index":4278,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["requesttyp",{"_index":4625,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["requir",{"_index":344,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["require_attest",{"_index":6911,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.
html":{}}}],["require_attestations_bi",{"_index":7549,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["require_lowercase_charact",{"_index":1827,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["require_mfa",{"_index":1809,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["require_mfa_all_us",{"_index":4670,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["require_numb",{"_index":1825,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["require_oslogin",{"_index":7488,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["require_shielded_vm",{"_index":7430,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["require_ssl",{"_index":5799,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["require_symbol",{"_index":1824,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["require_uppercase_charact",{"_index":1826,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["requireattestationsbi",{"_index":6918,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["required\"}'</cod",{"_index":8661,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["required.sh",{"_index":8218,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["required_provid",{"_index":4475,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"oci/kubernetes.html":{}}}],["requiremfa",{"_index":4684,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"oci/iam.html":{}}}],["requisit",{"_index":4862,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["rerun",{"_index":4296,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["rescan",{"_index":3764,"ti
tle":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["research",{"_index":257,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"gcp/genai.html":{},"general/methodology.html":{},"oci/logging.html":{}}}],["reserv",{"_index":3618,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["reservations[].instances[].[instanceid,tags[?key==`name`].value|[0",{"_index":3586,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["reservations[].instances[].metadataopt",{"_index":2757,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["reserved_concurrent_execut",{"_index":3821,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["reset",{"_index":1623,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"oci/logging.html":{}}}],["resid",{"_index":1389,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"general/logging.html":{},"oci/data.html":{}}}],["residenti",{"_index":3312,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["residu",{"_index":1533,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["resist",{"_index":1529,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"general/iam.html"
:{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["resolut",{"_index":654,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/genai.html":{},"gcp/network.html":{},"general/network.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["resolv",{"_index":301,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/network.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/network.html":{}}}],["resort",{"_index":2871,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{}}}],["resourc",{"_index":194,"title":{},"breadcrumb":{},"description":{"oci/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["resource'",
{"_index":9304,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["resource.createtim",{"_index":7172,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource.eksclusterdetail",{"_index":2572,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["resource.iampolicy.bindings.exists(b",{"_index":7139,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource.labels.project_id",{"_index":6787,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["resource.publicaccessprevent",{"_index":7181,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource.typ",{"_index":7171,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource.type=\"audited_resourc",{"_index":7508,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["resource.type=\"audited_resource\"</cod",{"_index":6469,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["resource.type=\"binaryauthorization.googleapis.com/attestor\")</cod",{"_index":6954,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["resource.type=\"cloudkms_cryptokey\"))</cod",{"_index":5960,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["resource.type=\"cloudsql_databas",{"_index":6081,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["resource.type=\"gce_inst",{"_index":7459,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["resource.type=\"gke_clust",{"_index":6842,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["resource.type=\"gke_node_pool",{"_index":6985,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["resource.type=\"glob",{"_index":6609,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["resource.type=\
"iam_workload_identity_pool_provid",{"_index":6528,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["resource.type=\"k8s_clust",{"_index":6851,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["resource.type=\"logging_sink\"</cod",{"_index":7089,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource.type=\"organ",{"_index":6393,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/logging.html":{}}}],["resource.type=\"project",{"_index":6559,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["resource.type=(\"service_account",{"_index":6431,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["resource.type=\\\"audited_resourc",{"_index":6257,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["resource.type=\\\"glob",{"_index":6632,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["resource_group",{"_index":7600,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["resource_group_id",{"_index":5105,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["resource_group_nam",{"_index":3928,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["resource_selector",{"_index":7141,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resource_typ",{"_index":3792,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/logging.html":{}}}],["resourcearn",{"_index":2808,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["resourcedisplaynam",{"_index":4689,"title":{},"breadcrumb":{},"description":{},"body":{"
azure/iam.html":{}}}],["resourcegroup",{"_index":3950,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/workloads.html":{}}}],["resourcegroup().loc",{"_index":3958,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["resourcegroupnam",{"_index":3978,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["resourcegroups/rg",{"_index":4929,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["resourcehealth",{"_index":5177,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["resourceid",{"_index":4002,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["resourcemanager.cnrm.cloud.google.com/v1beta1",{"_index":6373,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["resourceprovid",{"_index":4244,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["resourceref",{"_index":6302,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["resources.arn",{"_index":3008,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["resources.resourcegroup(\"ak",{"_index":4981,"title"
:{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["resources.resourcegroup(\"aoai",{"_index":4235,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["resources.resourcegroup(\"data",{"_index":3976,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["resources.typ",{"_index":2916,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["resources=\"projects/${project_numb",{"_index":6135,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["resourceselector",{"_index":7182,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resourcesvpcconfig",{"_index":2508,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["resourcetyp",{"_index":7183,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["resourceuri",{"_index":5213,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["respect",{"_index":3236,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["respond",{"_index":2066,"title":{},"breadcrumb":{},"description":{"oci/ir.html":{}},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["responder'",{"_index":2131,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["responder_clon",{"_index":9319,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["responder_recipe_id",{"_index":9043,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["responder_rul",{"_index":9028,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.ht
ml":{}}}],["responder_rule_id",{"_index":9029,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["responderact",{"_index":9056,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["responderrecipeid\":\"'\"$custom_recipe_ocid",{"_index":9019,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["respons",{"_index":511,"title":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}},"breadcrumb":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}},"description":{"aws/index.html":{},"aws/ir.html":{},"azure/index.html":{},"azure/ir.html":{},"gcp/index.html":{},"gcp/ir.html":{},"general/index.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"oci/index.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir
.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["responseelements.consolelogin",{"_index":2204,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["responseelements.instancesset.items.0.tagset",{"_index":3668,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["responseelements.volume.encrypt",{"_index":743,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["responseelements.volume.volumeid",{"_index":750,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["responseelements.vpc.isdefault",{"_index":3274,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["responseelements.vpc.vpcid",{"_index":3276,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["responsestatus.cod",{"_index":2711,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["responsibility.html",{"_index":7872,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["rest",{"_index":106,"title":{},"breadcrumb":{},"description":{"general/data.html":{}},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["restart",{"_index":2623,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azur
e/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["restat",{"_index":6572,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/ir.html":{},"general/workloads.html":{}}}],["restor",{"_index":514,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["restoredbinstancefromdbsnapshot",{"_index":874,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["restrict",{"_index":1033,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["restrict.yaml",{"_index":5900,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["restrict_non_cmek",{"_index":5944,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["restrict_public_bucket",{"_index":359,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["restricted.googleapis.com",{"_index":7187,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["restricted_comm
on_port",{"_index":3337,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["restricted_incoming_traff",{"_index":3338,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["restricted_servic",{"_index":6145,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["restrictedservic",{"_index":6151,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["restrictpublicbucket",{"_index":269,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["restrictpublicbuckets\":fals",{"_index":465,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["restructur",{"_index":7630,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"oci/ir.html":{}}}],["result",{"_index":1146,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/network.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["resultdescript",{"_index":4581,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["resulttyp",{"_index":4580,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["resum",{"_index":7009,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["retain",{"_index":633,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"g
cp/iam.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{}}}],["retarget",{"_index":5283,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["retent",{"_index":1165,"title":{},"breadcrumb":{},"description":{"general/data.html":{},"general/logging.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["retention_in_day",{"_index":2700,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}}}],["retention_period",{"_index":6749,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["retention_period_day",{"_index":9249,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["retention_period_second",{"_index":6580,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["retention_polici",{"_index":5700,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["retention_rul",{"_index":8760,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["retentiondur",{"_index":9270,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}
],["retentionperiod",{"_index":6756,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["retentionperiodday",{"_index":9261,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["retentionpolici",{"_index":5720,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/ir.html":{}}}],["retentionpolicy.retentionperiod",{"_index":6764,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["retir",{"_index":3551,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"general/logging.html":{}}}],["retriev",{"_index":2108,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["retroact",{"_index":8108,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"oci/logging.html":{}}}],["retrofit",{"_index":2345,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["retrospect",{"_index":2071,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["retry_polici",{"_index":6710,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["retry_policy_retri",{"_index":6711,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["return",{"_index":25,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/network.html":
{},"oci/genai.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["reus",{"_index":1561,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["rev",{"_index":2041,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["rev5",{"_index":417,"title":{},"breadcrumb":{},"description":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["revalid",{"_index":4644,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["reveal",{"_index":1383,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"compliance-matrix.html":{}}}],["revers",{"_index":4039,
"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/network.html":{}}}],["revert",{"_index":1360,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["review",{"_index":150,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["revis",{"_index":7406,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["revisit",{"_index":8313,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["revoc",{"_index":2628,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"gcp/ir.html":{}},"body":{"aws
/kubernetes.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{}}}],["revok",{"_index":540,"title":{},"breadcrumb":{},"description":{"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["rewrap",{"_index":4165,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["rewrit",{"_index":5807,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["rewritten",{"_index":8481,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["rfc",{"_index":7782,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/network.html":{}}}],["rfc1918",{"_index":3213,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{}}}],["rfi",{"_index":7201,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["rg",{"_index":3911,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["rg.name",{"_index":3979,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{}}}],["rg/providers/microsoft.containerservice/managedclusters/harden",{"_index":5143,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["rg/providers/microsoft.keyvault/vaults/ak",{
"_index":5047,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["rg/providers/microsoft.managedidentity/userassignedidentities/ak",{"_index":4961,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["rg:resourcegroup",{"_index":3921,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["rich",{"_index":7942,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["ride",{"_index":7915,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["right",{"_index":557,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/logging.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["right.repo",{"_index":5732,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["rightoperand",{"_index":9036,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["rigour",{"_index":8110,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["ring",{"_index":2210,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/data.html":{},"gcp/genai.html":{},"general/network.html":{}}}],["rise",{"_index":6429,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["risk",{"_index":776,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/
methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["riskscor",{"_index":9033,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["ritual",{"_index":5170,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["rm",{"_index":2341,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/logging.html":{},"gcp/ir.html":{}}}],["rng",{"_index":7773,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["roadmap",{"_index":7023,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/data.html":{}}}],["rogu",{"_index":8929,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["role",{"_index":566,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["role'",{"_index":1280,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.h
tml":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"general/iam.html":{}}}],["role.assumerolepolicydocument\"</cod",{"_index":1296,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["role/config.amazonaws.com/awsserviceroleforconfig",{"_index":3045,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["role</cod",{"_index":1975,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{}}}],["role='roles/compute.oslogin",{"_index":7484,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["role='roles/iam.serviceaccountadmin",{"_index":6672,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["role='roles/iam.workloadidentityus",{"_index":6489,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["role='roles/iap.tunnelresourceaccessor",{"_index":7485,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["role='roles/resourcemanager.organizationadmin",{"_index":6363,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["role='roles/resourcemanager.organizationadmin'</cod",{"_index":6366,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["role='roles/storage.objectadmin",{"_index":6742,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["role='roles/storage.objectviewer'</cod",{"_index":6746,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["role=roles/cloudkms.cryptokeyencrypterdecrypt",{"_index":5918,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["role=roles/storage.objectcreator</cod",{"_index":7052,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["role\\/breakglass",{"_index":2207,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["role_arn",{"_index":1059,"title":{},"breadcrumb":{},"description":{},"body"
:{"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["role_definition_nam",{"_index":4070,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{}}}],["role_id",{"_index":4483,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["rolearn",{"_index":2202,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{}}}],["rolearn\":\"arn:aws:iam::111122223333:role/aw",{"_index":3044,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["rolebind",{"_index":5133,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["roledefinitionid",{"_index":4382,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{}}}],["roledefinitionname=='cognit",{"_index":4365,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["rolemanag",{"_index":4631,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["rolemanagement.readwrite.directori",{"_index":4450,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["rolenam",{"_index":1079,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}}}],["roles/aiplatform.admin",{"_index":6107,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["roles/aiplatform.us",{"_index":6092,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["roles/artifactregistry.writ",{"_index":7556,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["roles/bigquery.dataeditor",{"_index":7076,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["roles/cloudkms.admin",{"_index":5806,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{
}}}],["roles/cloudkms.cryptokeyencrypterdecrypt",{"_index":5941,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["roles/compute.networkus",{"_index":7337,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["roles/compute.osadminlogin",{"_index":7468,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["roles/compute.oslogin",{"_index":7467,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["roles/editor",{"_index":6091,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/workloads.html":{}}}],["roles/iam.securityadmin",{"_index":6385,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["roles/iam.workloadidentityus",{"_index":6513,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["roles/iap.tunnelresourceaccessor",{"_index":7473,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["roles/own",{"_index":6102,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["roles/pubsub.subscrib",{"_index":6716,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["roles/resourcemanager.organizationadmin",{"_index":6355,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{}}}],["roles/storage.admin",{"_index":7036,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["roles/storage.objectadmin",{"_index":6752,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["roles/storage.objectcr",{"_index":7071,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["roles/storage.objectview",{"_index":5825,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":
{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["roletemplateid",{"_index":4455,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["roll",{"_index":1556,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rollback",{"_index":4006,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["rollout",{"_index":6352,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{}}}],["rollov",{"_index":6904,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["root",{"_index":686,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{},"general/shared-responsibility.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"
oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["root\"</cod",{"_index":5202,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["root_account",{"_index":1605,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["root_compartment_ocid",{"_index":8675,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["rootaccountbreakglass",{"_index":939,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["rootkit",{"_index":5522,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["rot",{"_index":8955,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["rotat",{"_index":45,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/ir.html":{},"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{},"oci/iam.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["rotation_period",{"_index":5930,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["rotation_polici",{"_index":4062,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["rotationperiod",
{"_index":6335,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["rotationtolatestkeyversionen",{"_index":4148,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["roughli",{"_index":7637,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["round",{"_index":5750,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/methodology.html":{}}}],["rout",{"_index":909,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["routabl",{"_index":3772,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"general/network.html":{}}}],["route53",{"_index":2014,"title":{},"breadcrumb":{},"description":{"aws/network.html":{}},"body":{"aws/index.html":{}}}],["route_rul",{"_index":8744,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["route_table_id",{"_index":3518,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["router",{"_index":6391,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{}}}],["routet",{"_index":5394,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["routin",{"_index":157,"title":{},"breadcrumb":{},"description":{},"
body":{"aws/data.html":{},"aws/iam.html":{},"azure/logging.html":{},"gcp/ir.html":{},"general/iam.html":{}}}],["routing_mod",{"_index":7222,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["row",{"_index":136,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{}}}],["rows/hour",{"_index":5226,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["rpc",{"_index":2658,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{}}}],["rpo",{"_index":7792,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["rrdata",{"_index":7326,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["rrdatas=199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11</cod",{"_index":7312,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["rsa",{"_index":4018,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["rt",{"_index":9438,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["rtb",{"_index":3510,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["rto",{"_index":7793,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["rubric",{"_index":120,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/network.html":{},"complian
ce-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/index.html":{},"general/methodology.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["rubric.md",{"_index":8165,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["rubygem",{"_index":3687,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["rule",{"_index":262,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["rule'",{"_index":7296,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/data.html":{},"oci/ir.html":{}}}],["rule_act",{"_index":3429,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["rule_numb",{"_index":3426,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ruleact",{"_index":3438,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["rulenumb",{"_index":3437,"title":{},"breadcrumb":{},"descr
iption":{},"body":{"aws/network.html":{}}}],["ruleprior",{"_index":3727,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["rules.json",{"_index":3763,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ruleset",{"_index":3410,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["run",{"_index":756,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["run.googleapis.com/secret",{"_index":7405,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["runasen",{"_index":3652,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["runaway",{"_index":3827,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/genai.html":{}}}],["runbook",{"_index":710,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"gcp/ir.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},
"oci/ir.html":{}}}],["runinst",{"_index":3117,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{}}}],["runnabl",{"_index":6780,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["runner",{"_index":2472,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/iam.html":{},"general/ir.html":{},"general/workloads.html":{}}}],["runtim",{"_index":1122,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["runtime:invokemodel",{"_index":1127,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["runtime=python312",{"_index":6664,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["runtimedefault",{"_index":8436,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["rush",{"_index":915,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s",{"_index":2424,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/iam.html":{}}}],["s/org_id_placeholder/${org_id",{"_index":6404,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["s0",{"_index":4227,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["s3",{"_index":30,"title":{},"breadcrumb":{},"description":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws
/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["s3.amazonaws.com",{"_index":461,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["s3.blockpublicaccess.block_al",{"_index":2392,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3.bucket(thi",{"_index":2385,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3.bucket.frombucketname(thi",{"_index":2933,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3.bucketencryption.km",{"_index":2389,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3.cfnaccountpublicaccessblock(thi",{"_index":408,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3.objectlockretention.compliance(cdk.duration.days(2555",{"_index":2388,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3://mi",{"_index":2343,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3://org",{"_index":3052,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3://{bucket}/{key",{"_index":677,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:bypassgovernanceretent",{"_index":2333,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/ir.html":{}}}],["s3:deleteaccountpublicaccessblock",{"_index":375,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:deletebucketencrypt",{"_index":638,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:deleteobject"
,{"_index":2401,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3:deleteobjectvers",{"_index":2402,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3:deletepublicaccessblock",{"_index":437,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:getobject",{"_index":559,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["s3:listbucket",{"_index":3522,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/threat-model.html":{}}}],["s3:putaccountpublicaccessblock",{"_index":177,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:putbucketencrypt",{"_index":622,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:putbucketlifecycleconfigur",{"_index":2395,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3:putbucketpolici",{"_index":445,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:putbucketpublicaccessblock",{"_index":179,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3:putobject",{"_index":3521,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["s3:putobjectlegalhold",{"_index":2403,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["s3_bucket_nam",{"_index":2908,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3_data_ev",{"_index":3177,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3_gateway",{"_index":3516,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["s3api",{"_index":163,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["s3bucketnam",{"_index":2924,"title":{},"breadcrumb":{},"description":{},"body"
:{"aws/logging.html":{},"aws/workloads.html":{}}}],["s3bucketname\":\"org",{"_index":3049,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3control",{"_index":166,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["s3dataeventstrail",{"_index":3004,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["s3encryptionen",{"_index":3648,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["s3encryptionenabled=tru",{"_index":3630,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["s3keyprefix",{"_index":3629,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["s\\tconsole=%s\\tmfa_devices=%s\\n",{"_index":1806,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sa",{"_index":2590,"title":{},"breadcrumb":{},"description":{"gcp/iam.html":{}},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["sa\"</cod",{"_index":9157,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["sa'",{"_index":6569,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["sa@project_id.iam.gserviceaccount.com\"</cod",{"_index":6305,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["sa@secur",{"_index":6669,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["sa@svc",{"_index":6031,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sa_email=\"vertex",{"_index":6097,"title":{},"breadcrumb":{},"description":{},"bo
dy":{"gcp/genai.html":{}}}],["sa_id",{"_index":5241,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["sa_id/blobservices/default",{"_index":5246,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["sa_id=$(az",{"_index":5242,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["saa",{"_index":1795,"title":{},"breadcrumb":{},"description":{"general/shared-responsibility.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/index.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{}}}],["sabotag",{"_index":2672,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{}}}],["safe",{"_index":2103,"title":{},"breadcrumb":{},"description":{"oci/data.html":{}},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{}}}],["safeguard",{"_index":7745,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/workloads.html":{}}}],["safer",{"_index":7883,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["safeti",{"_index":4205,"title":{},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"azure/genai.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["safety_set",{"_index":6178,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["safety_settings=safety_set",{"_index":6207,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["safetyratings[].blocked=tru",{"_index":6221,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["safetyset",{"_index
":6194,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["sagemak",{"_index":998,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/genai.html":{}}}],["sake",{"_index":8241,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["sale",{"_index":7820,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["samba",{"_index":3316,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["same",{"_index":66,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["saml",{"_index":2117,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["saml/oidc",{"_index":7903,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/ir.html":{}}}],["sampl",{"_index":1428,"title":{},"breadcrumb":{}
,"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"gcp/genai.html":{},"general/data.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["san",{"_index":7993,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["sanction",{"_index":1775,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{}}}],["sandbox",{"_index":3818,"title":{},"breadcrumb":{},"description":{"gcp/kubernetes.html":{}},"body":{"aws/workloads.html":{},"azure/logging.html":{}}}],["sane",{"_index":8399,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["saniti",{"_index":4722,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sanitis",{"_index":7824,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/logging.html":{}}}],["santand",{"_index":8362,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["sarban",{"_index":8123,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["satisfi",{"_index":6235,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["saturday",{"_index":2438,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["save",{"_index":2436,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["saw",{"_index":8571,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["sbom",{"_index":8411,"title":{},"breadcrumb":{},"descr
iption":{},"body":{"general/workloads.html":{}}}],["sc",{"_index":427,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/network.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["scale",{"_index":932,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"oci/genai.html":{},"oci/ir.html":{}}}],["scale_unit",{"_index":5661,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["scaling_config",{"_index":2787,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["scan",{"_index":3122,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{},"gcp/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/index.ht
ml":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["scan_frequ",{"_index":3712,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scan_level",{"_index":9593,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["scan_off",{"_index":9613,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["scan_on_push",{"_index":3719,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scan_set",{"_index":9592,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["scan_typ",{"_index":3711,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scanfrequency=continuous_scan,repositoryfilters=[{filter=\"*\",filtertype=\"wildcard",{"_index":3702,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scanlevel\":\"standard",{"_index":9575,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["scanner",{"_index":3304,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/index.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["scanonpush",{"_index":3741,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scanonpush=fals",{"_index":3760,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scanonpush=tru",{"_index":3705,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scanonpushrepo",{"_index":3737,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scantype=bas",{"_index":3758,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scc"
,{"_index":6570,"title":{},"breadcrumb":{},"description":{"gcp/ir.html":{}},"body":{"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"index.html":{}}}],["scc'",{"_index":6653,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["scc)(best",{"_index":9328,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["scc_find",{"_index":6677,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["scenario",{"_index":2064,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["sch",{"_index":9063,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["schedul",{"_index":546,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["scheduleinfo",{"_index":4607,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["schedulekeydelet",{"_index":2670,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"oci/kubernetes.html":{}}}],["scheduler</cod",{"_index":2515,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["schema",{"_index":2442,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"general/genai.html":{},"general/threat-model
.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["schema.yaml",{"_index":8488,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["schemavers",{"_index":3643,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["scheme",{"_index":7724,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["scienc",{"_index":8673,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["scim",{"_index":8847,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["scope",{"_index":60,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"gcp/genai.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["scopes=cloud",{"_index":7424,"title":{},"breadcrumb":{},"description":{},"body"
:{"gcp/workloads.html":{}}}],["score",{"_index":5162,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["scoreboard",{"_index":7120,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["scorecard",{"_index":210,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["scp",{"_index":175,"title":{},"breadcrumb":{},"description":{"aws/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/iam.html":{},"general/ir.html":{}}}],["scrape",{"_index":4706,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/workloads.html":{}}}],["scratch",{"_index":2437,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["screen",{"_index":8201,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["scribe",{"_index":7950,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["script",{"_index":1643,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["scriptabl",{"_index":7908,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["scroll",{"_index":5761,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["scrutini",{"_index":2033,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["scuba",{"_index":4439,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sdk",{"_index":1129,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloa
ds.html":{},"azure/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{}}}],["sdp",{"_index":5813,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["seal",{"_index":1021,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}}}],["search",{"_index":314,"title":{"search.html":{}},"breadcrumb":{"search.html":{}},"description":{"oci/ir.html":{},"search.html":{}},"body":{"aws/data.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/logging.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["searchabl",{"_index":8126,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["sec",{"_index":4186,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/logging.html":{}}}],["sec:securityprofile.securitytyp",{"_index":5559,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["seccomp",{"_index":8435,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["second",{"_index":187,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/
logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["secondari",{"_index":2884,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/iam.html":{},"oci/ir.html":{}}}],["secret",{"_index":1523,"title":{},"breadcrumb":{},"description":{"general/iam.html":{},"general/workloads.html":{},"oci/kubernetes.html":{}},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["secretaccesskey",{"_index":8374,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["secrets.cr",{"_index":2653,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["secrets.upd",{"_index":2654,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["secretsencryptionkey",{"_index":2531,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["secretsmanag",{"_index":817,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["section",{"_index":20,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":
{},"aws/iam.html":{},"aws/index.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"compliance-matrix.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/iam.html":{},"oci/index.html":{}}}],["sector",{"_index":7972,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["secur",{"_index":872,"title":{"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"index.html":{}},"breadcrumb":{},"description":{"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.ht
ml":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["secure_boot_en",{"_index":5579,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["secure_transf",{"_index":5304,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["securebooten",{"_index":5604,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["securebootenabled\\\":fals",{"_index":5632,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["securestr",{"_index":7907,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["security.kubernetes.io/enforc",{"_index":8057,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["security.md",{"_index":8232,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["security/ek",{"_index":2717,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["security</a",{"_index":9637,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["security_admin",{"_index":8837,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["security_admins_scop",{"_index":8842,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["security_compartment_ocid",{"_index":9573,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["security_credenti",{"_index":9452,"title":{},"breadcrumb":{},"description":{},"body":{"oci/wo
rkloads.html":{}}}],["security_en",{"_index":4555,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["security_group_id",{"_index":1465,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["security_health_analyt",{"_index":7127,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["security_questions_en",{"_index":8870,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["security_rul",{"_index":4823,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["securityadmin",{"_index":8829,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["securityalert",{"_index":5085,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["securitycenter.googleapis.com",{"_index":7146,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["securitycontext.privileg",{"_index":8046,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["securitygroupid",{"_index":1486,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["securitygroupingress",{"_index":3348,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["securitygroups[].[groupid,groupname,vpcid",{"_index":3325,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["securityincid",{"_index":4856,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["securitylist",{"_index":9387,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["securityprofil",{"_index":5020,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["securityprofile.azurekeyvaultkms.en",{"_index":5056,"title":{},"breadcrumb":{},"description":{},"bo
dy":{"azure/kubernetes.html":{}}}],["securityprofile.defend",{"_index":5091,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["securityprofile.securitytyp",{"_index":5535,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["securityprofile.uefisettings.securebooten",{"_index":5629,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["securityprofile.workloadidentity.en",{"_index":5023,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["securityrecommend",{"_index":5324,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["securityrul",{"_index":5430,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["securitytyp",{"_index":5602,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["securitytype\\\":\\\"standard",{"_index":5631,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["sed",{"_index":6403,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/network.html":{}}}],["see",{"_index":189,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes
.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["seem",{"_index":7980,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["seen",{"_index":208,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"general/kubernetes.html":{}}}],["segment",{"_index":1444,"title":{},"breadcrumb":{},"description":{"general/network.html":{},"oci/kubernetes.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"index.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["segreg",{"_index":7676,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{}}}],["select",{"_index":2985,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/logging.html":{},"aws/workloads.html":{},"compliance-matrix.html":{},"gcp/ir.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["select(.data.request.act",{"_index":8754,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["select(contains(\"gen",{"_index":8677,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["select(contains(\"manag",{"_index":8706,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["selector",{"_index":2609,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"general/kubernetes.html":{}}}],["selectors.json",{"_index":3030,"title":{},"breadcrumb":{},"description":{},"b
ody":{"aws/logging.html":{}}}],["self",{"_index":1000,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["selfharm",{"_index":4312,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["selinux",{"_index":8089,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["sell",{"_index":7634,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/threat-model.html":{}}}],["seller",{"_index":1631,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["semant",{"_index":7403,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["send",{"_index":2745,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["sender",{"_index":4714,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["senior",{"_index":8007,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["sens",{"_index":9348,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sensit",{"_index":768,"title":{},"breadcrumb":{},"description":{"gcp/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci
/logging.html":{}}}],["sensitive_data_ev",{"_index":2997,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["sensitive_information_policy_config",{"_index":1370,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["sensitivebucketarn",{"_index":3003,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["sensitivebucketarn]</cod",{"_index":3010,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["sensor",{"_index":5065,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/workloads.html":{}}}],["sent",{"_index":7828,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["sentenc",{"_index":7876,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["sentinel",{"_index":4005,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"azure/logging.html":{}},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"index.html":{}}}],["sentinelincid",{"_index":4852,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["sep",{"_index":2542,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["separ",{"_index":107,"title":{},"breadcrumb":{},"description":{"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.
html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["septemb",{"_index":5000,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{},"general/kubernetes.html":{}}}],["sequenc",{"_index":1153,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/logging.html":{},"oci/logging.html":{}}}],["seri",{"_index":7014,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["seriou",{"_index":7854,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/ir.html":{}}}],["serv",{"_index":3393,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/workloads.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["server",{"_index":520,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/data.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{
},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["server'",{"_index":4172,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["server_id",{"_index":4201,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["serverless",{"_index":5515,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"azure/workloads.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["serversideencryptionbydefault",{"_index":617,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["serversideencryptionconfigur",{"_index":616,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["servic",{"_index":51,"title":{"azure/genai.html":{}},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.htm
l":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["service'",{"_index":7346,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["service=\"$svc",{"_index":7163,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["service=\"oslogin.googleapis.com",{"_index":7509,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["service=security_health_analyt",{"_index":7124,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["service=servicenetworking.googleapis.com",{"_index":6013,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["service=web_security_scann",{"_index":7126,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["service_account",{"_index":1982,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"gcp/workloads.html":{}}}],["service_account_email",{"_index":6700,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["service_account_id",{"_index":6511,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["service_cidr_block",{"_index":8746,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/network.html":{}}}],["service_config",{"_index":6699,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["service_control_polici",{"_index":364,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html"
:{},"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["service_data_ev",{"_index":9289,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["service_id",{"_index":8740,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["service_id\":\"'\"$oci_all_services_ocid",{"_index":9437,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["service_nam",{"_index":1460,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["serviceaccount",{"_index":2581,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["serviceaccount'",{"_index":9149,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["serviceaccount:${",{"_index":6121,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["serviceaccount:${google_service_account.rag_corpus_sa.email",{"_index":6285,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["serviceaccount:${google_service_account.vertex_ai_workload.email",{"_index":6110,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["serviceaccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_nam",{"_index":6858,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["serviceaccount:high",{"_index":7100,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["serviceaccount:ir",{"_index":6753,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["serviceaccount:project_id.svc.id.goog[namespace/ksa_nam",{"_index":6861,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["serviceaccount:project_numb",{"_index":6555,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["se
rviceaccount:project_number@appspot.gserviceaccount.com",{"_index":6556,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["serviceaccount:servic",{"_index":5942,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{}}}],["serviceaccount:vertex",{"_index":6304,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["serviceadmin",{"_index":5317,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["servicedetails[].{name:servicename,available:servicetype[0].servicetype}'</cod",{"_index":1455,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["servicehealth",{"_index":5175,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["servicelbsubnetid",{"_index":9136,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["servicenam",{"_index":1490,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["servicename=\"aiplatform.googleapis.com",{"_index":6165,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["servicenow",{"_index":4797,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/logging.html":{}}}],["serviceperimeter.patch",{"_index":6154,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["serviceprincip",{"_index":4381,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["services=aiplatform.googleapis.com",{"_index":6136,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["session",{"_index":1566,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp
/network.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["session_dur",{"_index":1726,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["session_ocid@host.bastion.$region.oci.oraclecloud.com",{"_index":9528,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["session_pref",{"_index":3640,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["session_ttl_in_second",{"_index":9547,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["session_typ",{"_index":9551,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["session`)].[(\"ev",{"_index":9532,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["sessiondur",{"_index":1746,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sessionkmskeyarn",{"_index":3654,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sessionloggroupnam",{"_index":3653,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sessionmanagerprefer",{"_index":3655,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sessionmanagerrunshel",{"_index":3625,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sessionttlinsecond",{"_index":9560,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["sessiontyp",{"_index":3645,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"oci/workloads.html":{}}}],["set",{"_index":160,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes
.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["setcommoninstancemetadata",{"_index":7498,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["setiampolici",{"_index":6122,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{}}}],["setmetadata",{"_index":7499,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["setter",{"_index":9280,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["setup",{"_index":2145,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"gcp/genai.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["sev",{"_index":2294,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/workloads.html":{},"general/methodology.html":{}}}],["seven",{"_index":138,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azur
e/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["seventi",{"_index":7967,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/workloads.html":{}}}],["sever",{"_index":118,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["severity=\"crit",{"_index":6661,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["severity=\\\"crit",{"_index":6685,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["severity>=7",{"_index":2253,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["severity>=notice</cod",{"_index":6390,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["severity_threshol
d",{"_index":4321,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["severity≥7",{"_index":2053,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["sexual",{"_index":1365,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"gcp/genai.html":{},"oci/genai.html":{}}}],["sg",{"_index":1471,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/network.html":{},"oci/network.html":{}}}],["sg.addingressrule(ec2.peer.ipv4(props.admincidr",{"_index":3358,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["sg/nacl/rout",{"_index":3467,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["sgw",{"_index":9434,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sgw_ocid",{"_index":9443,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sha",{"_index":6729,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["sha256",{"_index":3692,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sha_512_rsa_pkcs_pss",{"_index":9582,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["shadow",{"_index":5366,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["shape",{"_index":2000,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["shape_config",{"_index":8633,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}
}],["shapeconfig",{"_index":9483,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["share",{"_index":702,"title":{"general/shared-responsibility.html":{}},"breadcrumb":{"general/shared-responsibility.html":{}},"description":{"azure/workloads.html":{},"general/index.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["shareabl",{"_index":704,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["shareable_link_en",{"_index":5659,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["shared_access_key_en",{"_index":3934,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["sharepoint",{"_index":4452,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sharpli",{"_index":8358,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["sheet",{"_index":8174,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{}}}],["shell",{"_index":3609,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.ht
ml":{},"general/methodology.html":{},"general/workloads.html":{}}}],["shield",{"_index":2013,"title":{},"breadcrumb":{},"description":{"aws/network.html":{},"azure/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}},"body":{"aws/index.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/index.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/network.html":{},"oci/workloads.html":{}}}],["shielded_instance_config",{"_index":6962,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["shieldedinstanceconfig",{"_index":6975,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["shieldedinstanceconfig.enablesecureboot",{"_index":6982,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["shift",{"_index":624,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{}}}],["ship",{"_index":247,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/index.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["shodan",{"_index":3303,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/logging.htm
l":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["short",{"_index":1540,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["short_nam",{"_index":7265,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["shorten",{"_index":2327,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/logging.html":{}}}],["shorter",{"_index":2398,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"general/data.html":{}}}],["shot",{"_index":2566,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"gcp/logging.html":{},"general/workloads.html":{}}}],["shotgun",{"_index":7996,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["show",{"_index":1350,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.ht
ml":{}}}],["shown",{"_index":1432,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"oci/workloads.html":{}}}],["shrink",{"_index":6079,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/kubernetes.html":{},"general/workloads.html":{}}}],["si",{"_index":1228,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["sibl",{"_index":132,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sid",{"_index":371,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["side",{"_index":543,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"
general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sidebar",{"_index":22,"title":{},"breadcrumb":{},"description":{},"body":{"404.html":{}}}],["sideway",{"_index":8468,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["siem",{"_index":2869,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"oci/logging.html":{}}}],["siem/soar",{"_index":4731,"title":{},"breadcrumb":{},"description":{"azure/logging.html":{}},"body":{"azure/ir.html":{},"general/logging.html":{}}}],["sift",{"_index":7994,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["sight",{"_index":8316,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["sigma",{"_index":8140,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["sign",{"_index":1564,"title":{},"breadcrumb":{},"description":{"oci/workloads.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes
.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["signal",{"_index":430,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["signatur",{"_index":4285,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["signature_algorithm",{"_index":7545,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["signer",{"_index":8431,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["signific",{"_index":8062,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{},"general/methodology.html":{},"oci/genai.html":{}}}],["significantli",{"_index":8778,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["signin",{"_index":4769,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["signing_algorithm",{"_index":9605,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["signinlog",{"_index":4511,"title":{},"
breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{}}}],["signonpolici",{"_index":8891,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["sigstor",{"_index":7398,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["sigstore'",{"_index":8428,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["silenc",{"_index":1929,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/logging.html":{}}}],["silent",{"_index":636,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["silo",{"_index":5179,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["similar",{"_index":1412,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/logging.html":{},"general/threat-model.html":{}}}],["simpl",{"_index":8247,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/ir.html":{}}}],["simpli",{"_index":2329,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"compliance-matrix.html":{},"gcp/
logging.html":{},"general/network.html":{},"oci/ir.html":{}}}],["simul",{"_index":1058,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/iam.html":{}}}],["simultan",{"_index":2876,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"general/data.html":{},"oci/logging.html":{}}}],["sinceimagepush",{"_index":3733,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["singl",{"_index":279,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["singlefactorauthent",{"_index":4688,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sink",{"_index":2461,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/
iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["sink'",{"_index":7087,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{},"general/logging.html":{}}}],["sink_writer_bq",{"_index":7074,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["sink_writer_storag",{"_index":7069,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["sir",{"_index":8152,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["sit",{"_index":684,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["site",{"_index":10,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"404.html":{},"aws/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["situat",{"_index":6596,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["six",{"_index":1010,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/index.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/index.html":{},"gcp/index.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{}}}],["sixti"
,{"_index":6398,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["size",{"_index":1158,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/data.html":{},"general/data.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["size:disksizegb",{"_index":4125,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["size=50gb",{"_index":5966,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["size_in_gb",{"_index":8630,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["sizegb",{"_index":5988,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["skim",{"_index":3560,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"oci/workloads.html":{}}}],["skip",{"_index":4686,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/network.html":{}}}],["skip_default_network",{"_index":7216,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["sku",{"_index":3857,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["sku_nam",{"_index":4226,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["sl",{"_index":9381,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sla",{"_index":4033,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["slack",{"_i
ndex":2218,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["slice",{"_index":3215,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["slide",{"_index":8306,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["slightli",{"_index":5354,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["slip",{"_index":237,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/workloads.html":{}}}],["slo",{"_index":2236,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["slot",{"_index":6564,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["slow",{"_index":3037,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"general/threat-model.html":{}}}],["slsa",{"_index":7401,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"general/workloads.html":{}}}],["slsa.dev",{"_index":8441,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["sm",{"_index":4647,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["small",{"_index":1627,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/iam.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["smaller",{"_index":8474,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["smallest",{"_index":8381,"title":{},"breadcrumb":{},"description":{},"
body":{"general/threat-model.html":{}}}],["smoke",{"_index":3679,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sms_enabl",{"_index":8869,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["sms_otp_validity_duration_in_min",{"_index":8875,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["smtp",{"_index":4697,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["smtp.office365.com:587",{"_index":4707,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sn",{"_index":2105,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["snap",{"_index":4880,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["snapshot",{"_index":688,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["snapshot_delivery_properti",{"_index":3062,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["snapshotnam",{"_index":4909,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["snat",{"_index":9340,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["snet",{"_index":3916,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["snet_app_prod_euw1",{"_index":7224,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.htm
l":{}}}],["snippet",{"_index":4442,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{},"general/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["snowflak",{"_index":7910,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["snowflake/unc5537",{"_index":8342,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["snp",{"_index":7411,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["snyk",{"_index":8451,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["soar",{"_index":4733,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/methodology.html":{}}}],["soc",{"_index":2400,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"general/kubernetes.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["soc'",{"_index":5227,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["soc@example.org",{"_index":5315,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["social",{"_index":4713,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/iam.html":{},"general/methodology.html":{}}}],["socket",{"_index":2756,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/kubernetes.html":{}}}],["soft",{"_index":4014,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{},"oci/genai.html":{}}}],["soft_delete_retention_day",{"_index":5451,"title":{},"breadcrumb":{},"description":{},"body":{"azure/n
etwork.html":{}}}],["softwar",{"_index":5797,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"gcp/data.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["software</cod",{"_index":6338,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["solarwind",{"_index":8346,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"general/workloads.html":{}}}],["sold",{"_index":8368,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["sole",{"_index":336,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/genai.html":{},"azure/network.html":{},"general/genai.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["somehow",{"_index":800,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{}}}],["someon",{"_index":6641,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["someth",{"_index":2966,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"oci/workloads.html":{}}}],["sometim",{"_index":7926,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["sonatyp",{"_index":8452,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["sonnet",{"_index":1028,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["soon",{"_index":2651,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["sooner",{"_index":7947,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/methodology.html":{}}}],["sort",{"_index":466,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/netwo
rk.html":{},"aws/workloads.html":{},"compliance-matrix.html":{},"oci/iam.html":{}}}],["sortabl",{"_index":9633,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["sourc",{"_index":353,"title":{},"breadcrumb":{},"description":{"general/methodology.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["source\":\"0.0.0.0/0",{"_index":9415,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["source\":{\"owner\":\"aws\",\"sourceidentifier\":\"restricted_incoming_traffic\"}}'</cod",{"_index":3328,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["source=./contain",{"_index":6665,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["source_address_prefix",{"_index":4827,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{}}}],["source_application_security_group_id",{"_index":5421,"title":{},"br
eadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["source_arn",{"_index":2289,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["source_detail",{"_index":8637,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["source_detector_recipe_id",{"_index":9315,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["source_id",{"_index":8639,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["source_identifi",{"_index":1902,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{}}}],["source_image_refer",{"_index":5586,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["source_port_rang",{"_index":4825,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/network.html":{}}}],["source_rang",{"_index":7278,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["source_resource_id",{"_index":4867,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["source_resource_id=$disk_id</cod",{"_index":4887,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["source_responder_recipe_id",{"_index":9026,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["source_security_group_id",{"_index":2849,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["source_typ",{"_index":8638,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sourceaddressprefix",{"_index":5406,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["sourceaddressprefix=='0.0.0.0/0')].{nsg:'$nsg_id",{"_index":5407,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network
.html":{}}}],["sourceaddressprefix=='internet",{"_index":5405,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["sourceaddressprefix\\\":\\\"0.0.0.0/0",{"_index":5445,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["sourceaddressprefix\\\":\\\"internet",{"_index":5446,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["sourcedetail",{"_index":9484,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["sourcediskresourceid",{"_index":4907,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["sourceid",{"_index":9485,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["sourceidentifi",{"_index":730,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["sourceip",{"_index":2555,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}}}],["sourceipaddress",{"_index":1607,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{}}}],["sourceportrang",{"_index":5431,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["sourcerang",{"_index":7281,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["sourceranges:0.0.0.0/0",{"_index":7262,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["sourceresourceid",{"_index":4914,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["sourcetyp",{"_index":9268,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sourcetype\":\"image\",\"imageid\":\"'\"$ol9_image_ocid\"'\",\"kmskeyid\":\"'\"$boot_cmk_ocid",{"_index":8617,"title":{},"breadcrumb":{},"d
escription":{},"body":{"oci/data.html":{}}}],["sourcevault",{"_index":4150,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sourcevolumeocid",{"_index":9093,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["south",{"_index":3217,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["sovereign",{"_index":3859,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sovereignti",{"_index":7765,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["sox",{"_index":2340,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/data.html":{},"general/logging.html":{}}}],["sp",{"_index":414,"title":{},"breadcrumb":{},"description":{"general/compliance-frameworks.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"genera
l/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["space",{"_index":5355,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/data.html":{},"general/network.html":{},"general/workloads.html":{}}}],["span",{"_index":2559,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/logging.html":{},"general/methodology.html":{}}}],["spawn",{"_index":8426,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["spdx",{"_index":8443,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["spec",{"_index":2689,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{}}}],["special",{"_index":4763,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["specif",{"_index":116,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.ht
ml":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["specifi",{"_index":5198,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/data.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"oci/genai.html":{}}}],["specul",{"_index":8776,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["speech",{"_index":1382,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"oci/genai.html":{}}}],["spend",{"_index":1150,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/ir.html":{},"general/logging.html":{},"oci/genai.html":{}}}],["spiff",{"_index":8256,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["spike",{"_index":2704,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{}}}],["spin",{"_index":6651,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["spl",{"_index":8143,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["split",{"_index":2045,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/index.html":{},"general/network.html":{}}}],
["splunk",{"_index":8132,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["spoke",{"_index":5357,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{},"general/logging.html":{},"general/network.html":{},"oci/network.html":{}}}],["spoof",{"_index":8275,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"general/threat-model.html":{}}}],["spot",{"_index":2308,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"gcp/logging.html":{},"general/methodology.html":{}}}],["sprawl",{"_index":3553,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/iam.html":{}}}],["spray",{"_index":4651,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/threat-model.html":{}}}],["spreadsheet",{"_index":7121,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["spring4shel",{"_index":3696,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sq",{"_index":2234,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{}}}],["sql",{"_index":2057,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"gcp/data.html":{}},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/index.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["sql\">'log",{"_index":8554,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sql\">a
uditlog",{"_index":4635,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["sql\">azureact",{"_index":3995,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["sql\">azurediagnost",{"_index":4286,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["sql\">containerregistryrepositoryev",{"_index":5727,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["sql\">field",{"_index":452,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["sql\">signinlog",{"_index":4579,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["sql'",{"_index":4176,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sql.cnrm.cloud.google.com/v1beta1",{"_index":6058,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sql.iam.gserviceaccount.com",{"_index":6038,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sql/mongodb/redi",{"_index":5400,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["sql_mi",{"_index":4183,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sql_mi=$(az",{"_index":4182,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sql_mi_kv",{"_index":4198,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sql_service_ag",{"_index":6035,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sqladmin",{"_index":4191,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sqladmin.googleapis
.com",{"_index":5904,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sqladmin.googleapis.com/inst",{"_index":6078,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sqli",{"_index":7198,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["sqlinstanc",{"_index":6059,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sqlsecurityauditev",{"_index":5471,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["sqlserver",{"_index":4185,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{}}}],["sqlservervirtualmachin",{"_index":5347,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["squar",{"_index":8322,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["squid",{"_index":8261,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["src",{"_index":7257,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["src_ip_rang",{"_index":7270,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["sre",{"_index":5145,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["sregroupobjectid",{"_index":5146,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["srg",{"_index":7641,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["ss",{"_index":8404,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["ssd",{"_index":5968,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ssdf",{"_index":8350,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{},"general/workloads.html":{}}}],["sse",{"_index":36,"title":{},"breadcrumb":{},"description":{"aws/data.html":{}},"body"
:{"aws/data.html":{},"aws/index.html":{},"general/data.html":{}}}],["sse_algorithm",{"_index":606,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["ssealgorithm",{"_index":574,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{}}}],["ssealgorithm\":\"aes256",{"_index":645,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ssealgorithm\":nul",{"_index":646,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["ssh",{"_index":3291,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ssh/authorized_key",{"_index":3675,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ssh/ephemeral_ed25519",{"_index":9524,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["ssh/id_ed25519.pub",{"_index":8619,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["ssh/rdp",{"_index":5417,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{}}}],["ssh/rdp/sql",{"_index":5637,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ssh:22",{"_index":9399,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["ssh_authorized_key",{"_index":9488,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["ssh_authorized_keys\":\"'\"$(cat",{"_index":8618,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["ssh_from_bast",{"_index":3331,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["ssh_from_bastion_nsg",{"_index":9396,"
title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sshauthorizedkey",{"_index":9477,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["sshd",{"_index":7564,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/workloads.html":{}}}],["sshe",{"_index":2248,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["sshfrombast",{"_index":9406,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["ssl",{"_index":1500,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/data.html":{}}}],["ssl/tl",{"_index":6005,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["sslmode=disable\"</cod",{"_index":6034,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ssm",{"_index":652,"title":{},"breadcrumb":{},"description":{"aws/workloads.html":{}},"body":{"aws/data.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/workloads.html":{}}}],["ssm:updateinstanceinform",{"_index":3665,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ssm_core",{"_index":3636,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["ssmendpoint",{"_index":3529,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["sso",{"_index":1691,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"oci/iam.html":{}}}],["sso:deleteaccountassign",{"_index":1755,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sso:describeinst",{"_index":1742,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sso:disassociatepermissionset",{"_index":1754,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["ssrf",{"_index":1633,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aw
s/kubernetes.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["ssrf/imd",{"_index":3504,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["st",{"_index":1516,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"general/workloads.html":{}}}],["stabil",{"_index":9334,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["stabilis",{"_index":6007,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["stabl",{"_index":2666,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{}}}],["stack",{"_index":2047,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stack_ocid",{"_index":8530,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stack_ocid=$(oci",{"_index":8527,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}]
,["staff",{"_index":7729,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/data.html":{}}}],["stage",{"_index":2665,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/logging.html":{}}}],["stagger",{"_index":7852,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["stale",{"_index":1880,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"general/data.html":{},"general/ir.html":{}}}],["stamp",{"_index":8167,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["stand",{"_index":1535,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"general/iam.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["standalon",{"_index":5815,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"general/iam.html":{}}}],["standard",{"_index":1167,"title":{},"breadcrumb":{},"description":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}},"body":{"aws/genai.html":{},"aws/index.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.h
tml":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["standard/automat",{"_index":4933,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["standard</cod",{"_index":5075,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["standard_d4ds_v5",{"_index":4978,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["standard_d4s_v5",{"_index":4954,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["standard_gr",{"_index":3962,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{}}}],["standard_ia",{"_index":2369,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["standard_stream",{"_index":3646,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["standard_zr",{"_index":4911,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["standpoint",{"_index":3095,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stappprodwesteu001",{"_index":3913,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["start",{"_index":2902,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["start_tim",{"_index":6050,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.ht
ml":{}}}],["startdatetim",{"_index":4608,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["startsess",{"_index":3623,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["startswith",{"_index":3009,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{}}}],["startup",{"_index":6543,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["stat",{"_index":1615,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["state",{"_index":1677,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["state\"}'</cod",{"_index":8786,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["state=\"act",{"_index":7166,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html"
:{}}}],["state=\\\"act",{"_index":6684,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["state=en",{"_index":7125,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["stateless",{"_index":3219,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"general/network.html":{}}}],["statement",{"_index":370,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["statement_id",{"_index":2287,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["static",{"_index":1685,"title":{},"breadcrumb":{},"description":{"index.html":{}},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["statist",{"_index":2179,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"general/methodology.html":{}}}],["statu",{"_index":2357,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["status=en",{"_index":2348,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["statustext",{"_index":5279,
"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["statutori",{"_index":7736,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["stay",{"_index":3256,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"oci/network.html":{}}}],["std",{"_index":5379,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{}}}],["steadi",{"_index":1676,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["steal",{"_index":3577,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/iam.html":{},"oci/workloads.html":{}}}],["stealth",{"_index":3137,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stealthi",{"_index":7008,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["steer",{"_index":1944,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["step",{"_index":863,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.h
tml":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stforensicirprodweu",{"_index":4874,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["stg",{"_index":5245,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["still",{"_index":640,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stmt",{"_index":8716,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["stock",{"_index":8954,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["stolen",{"_index":2203,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/iam.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"o
ci/workloads.html":{}}}],["stop",{"_index":1357,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{}}}],["stopconfigurationrecord",{"_index":3105,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stopconfigurationrecorder\",\"deleteconfigurationrecorder\",\"deletedeliverychannel\",\"putconfigurationrecord",{"_index":3104,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stoplog",{"_index":2960,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stoplogging\",\"updatetrail\",\"deletetrail",{"_index":2956,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["stopransomwar",{"_index":7796,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["storag",{"_index":52,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/ir.html":{},"gcp/data.html":{},"oci/data.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["storage',
'core','databas",{"_index":8600,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["storage.buckets.upd",{"_index":5954,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["storage.cnrm.cloud.google.com/v1beta1",{"_index":5857,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{}}}],["storage.defaultaction.deni",{"_index":3985,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage.googleapis.com",{"_index":5870,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{}}}],["storage.googleapis.com\"</cod",{"_index":6152,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["storage.googleapis.com/${google_storage_bucket.org_audit_logs.nam",{"_index":7064,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["storage.googleapis.com/${var.audit_log_bucket",{"_index":6255,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["storage.googleapis.com/bucket",{"_index":5884,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{}}}],["storage.googleapis.com/org",{"_index":7044,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["storage.id",{"_index":3970,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage.kind.storagev2",{"_index":3980,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage.minimumtlsversion.tls1_2",{"_index":3983,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage.objects.delet",{"_index":6766,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["storage.objects.get",{"_index":7095,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["storage.objects.list",{"_index":67
72,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["storage.objects.rewrit",{"_index":5956,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["storage.objects.setiampolici",{"_index":5818,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["storage.objects.upd",{"_index":5874,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["storage.setiampermiss",{"_index":5871,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["storage.skuname.standard_gr",{"_index":3981,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage.storageaccount(\"harden",{"_index":3977,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage_account_id",{"_index":4073,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage_account_nam",{"_index":4894,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["storage_account_typ",{"_index":4135,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/workloads.html":{}}}],["storage_blob",{"_index":5494,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["storage_class",{"_index":2368,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/data.html":{}}}],["storage_container_resource_manager_id",{"_index":4899,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["storage_encrypt",{"_index":825,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["storage_id",{"_index":5479,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["storage_id=$(az",{"_index":5478,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["storage_mi_kv",{"_index":4069,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage_mi_princip",{"_index":4050,"title":{},"br
eadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage_mi_principal=$(az",{"_index":4046,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storage_servic",{"_index":5256,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storage_sourc",{"_index":6696,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["storageaccount",{"_index":5346,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storageaccountbackfil",{"_index":5229,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storageaccounttyp",{"_index":5619,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["storagebloblog",{"_index":3992,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{}}}],["storagebucket",{"_index":5858,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{}}}],["storagedelet",{"_index":5232,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storageencrypted=fals",{"_index":866,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["storageid",{"_index":3969,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["storagenam",{"_index":3957,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["storageprofil",{"_index":5614,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["storageprofile.osdisk.manageddisk.id",{"_index":4879,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["storageread",{"_index":5230,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storageread/storagewrite/storagedelet",{"_index":5277,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storagerea
d/write/delet",{"_index":5282,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["storagev2",{"_index":3961,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{}}}],["storagewrit",{"_index":5231,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["store",{"_index":653,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stori",{"_index":3903,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/network.html":{}}}],["storm",{"_index":2120,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"oci/ir.html":{}}}],["straightforward",{"_index":7884,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["strateg",{"_index":1882,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["strategi",{"_index":7655,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html
":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stratifi",{"_index":1429,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"oci/network.html":{}}}],["stream",{"_index":1854,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["streaming_config",{"_index":6683,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["stregprod001",{"_index":5243,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["strength",{"_index":1197,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"general/data.html":{},"oci/workloads.html":{}}}],["stress",{"_index":2440,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"gcp/ir.html":{}}}],["strict",{"_index":4730,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["stricter",{"_index":4300,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/genai.html":{},"general/workloads.html":{}}}],["strictli",{"_index":5450,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["stride",{"_index":8328,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["string",{"_index":404,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"a
ws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["stringequ",{"_index":1067,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{}}}],["stringlik",{"_index":1582,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["stringnotequ",{"_index":377,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["strip",{"_index":1764,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/network.html":{},"oci/kubernetes.html":{}}}],["strong",{"_index":1822,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/data.html":{},"general/data.html":{}}}],["strongest",{"_index":8242,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["strongli",{"_index":2965,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/iam.html":{}}}],["structur",{"_index":1253,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sts:assumerol
",{"_index":1082,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{}}}],["sts:externalid",{"_index":1992,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sts:getcallerident",{"_index":3578,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["sts:getsessiontoken",{"_index":1819,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sts:tagsess",{"_index":2595,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["stsrevokeoldsess",{"_index":7979,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["stub",{"_index":1356,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/index.html":{},"azure/index.html":{},"gcp/index.html":{},"oci/index.html":{}}}],["stuf",{"_index":1791,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["style",{"_index":2122,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["sub",{"_index":84,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":
{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["sub:'$sub",{"_index":5367,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"azure/workloads.html":{}}}],["sub=$sub",{"_index":5185,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["sub_id",{"_index":5189,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["sub_id=$(az",{"_index":5187,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["subcategori",{"_index":7623,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["subclass",{"_index":8351,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["subdivid",{"_index":7653,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["subject",{"_index":871,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{}}}],["submiss",{"_index":8705,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["submit",{"_index":4265,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["subnet",{"_index":1473,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ku
bernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["subnet'",{"_index":3408,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["subnet</cod",{"_index":6831,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["subnet=snet",{"_index":7357,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["subnet_id",{"_index":1463,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["subnetid",{"_index":1484,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["subnetids=subnet",{"_index":2637,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["subnetocid",{"_index":9473,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["subnets/rout",{"_index":3252,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["subnettyp",{"_index":2527,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["subnetwork",{"_index":6836,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["subnetwor
kref",{"_index":6830,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["subplan",{"_index":5079,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["subpoena",{"_index":7766,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["subresource_nam",{"_index":4350,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/network.html":{}}}],["subscrib",{"_index":5477,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}}}],["subscript",{"_index":3890,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["subscription'",{"_index":4871,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"general/logging.html":{}}}],["subscription/resourc",{"_index":4424,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["subscriptionid",{"_index":5087,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["subscriptionresourceid('microsoft.authorization/roledefinit",{"_index":4383,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{}}}],["subscriptions/$sub_id/resourcegroups/rg",{"_index":4814,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["subscriptions/${
subscription_id",{"_index":4364,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["subscriptions/${subscription_id}/resourcegroups/${rg}/providers/microsoft.cognitiveservices/accounts/${aoai_account",{"_index":4366,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["subscriptions/${var.subscription_id",{"_index":5206,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["subscriptions/.../disks/<sourc",{"_index":4923,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["subscriptions/.../workspaces/centr",{"_index":5215,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["subscriptions/<sub",{"_index":5214,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{}}}],["subscriptions/sub/resourcegroups/harden",{"_index":4960,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["subsequ",{"_index":736,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/workloads.html":{}}}],["subset",{"_index":3020,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/logging.html":{}}}],["substant",{"_index":8219,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["substanti",{"_index":7629,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["substitut",{"_index":4794,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gener
al/genai.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["substr",{"_index":8204,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/network.html":{}}}],["substrat",{"_index":5963,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["subsum",{"_index":7841,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["subtre",{"_index":8699,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["succe",{"_index":561,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/network.html":{},"azure/ir.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/threat-model.html":{},"oci/iam.html":{}}}],["succeed",{"_index":801,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/workloads.html":{},"azure/iam.html":{},"general/logging.html":{}}}],["success",{"_index":1665,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["successfulli",{"_index":1267,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/ir.html":{}}}],["successor",{"_index":5533,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"general/ir.html":{},"general/workloads.html":{}}}],["such",{"_index":529,"title":{},"breadcrumb":{}
,"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["sudden",{"_index":5088,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{}}}],["sudo",{"_index":7469,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["suffic",{"_index":4444,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/iam.html":{}}}],["suffici",{"_index":900,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["suffix",{"_index":3853,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/compliance-frameworks.html":{}}}],["suggest",{"_index":2564,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/genai.html":{}}}],["suit",{"_index":4297,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/logging.html":{},"general/data.html":{},"general/network.html":{}}}],["sum",{"_index":2180,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{}}}],["summ
ar",{"_index":4517,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/logging.html":{}}}],["summari",{"_index":1575,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["summaris",{"_index":7916,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/network.html":{}}}],["summarymap.accountmfaen",{"_index":1576,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["sumo",{"_index":8133,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["super",{"_index":6471,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{}}}],["super(scop",{"_index":407,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["supersed",{"_index":7194,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["supervis",{"_index":8564,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["supervisori",{"_index":8029,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["supplement",{"_index":2405,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"general/genai.html":{},"general/methodology.html":{}}}],["suppli",{"_index":3537,"title":{},"breadcrumb":{},"description":{"general/workloads.html":{}},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html
":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["supplier",{"_index":8447,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["support",{"_index":1956,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["support'",{"_index":4743,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["supported.</cod",{"_index":4754,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["supportshttpstrafficonli",{"_index":3963,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["suppos",{"_index":3285,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["suppress",{"_index":1766,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/ir.html":{}}}],["surcharg",{"_index":9435,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["sure",{"_index":3831,"title":{},"bread
crumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["surfac",{"_index":54,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["surg",{"_index":9617,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["surrog",{"_index":9490,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["surround",{"_index":8200,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["survey",{"_index":8289,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["surviv",{"_index":758,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"index.html":{}
,"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["suscept",{"_index":4208,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["suspect",{"_index":4734,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/ir.html":{},"oci/genai.html":{}}}],["suspend",{"_index":6167,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{}}}],["suspens",{"_index":4306,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/genai.html":{}}}],["suspici",{"_index":2423,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/logging.html":{},"oci/logging.html":{}}}],["sustain",{"_index":2621,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["svc",{"_index":5266,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/network.html":{}}}],["svc_app",{"_index":5937,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["swap",{"_index":648,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"gcp/ir.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["sweep",{"_index":474,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/logging.html":{},"general/methodology.html":{}}}],["switch",{"_index":3130,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},
"azure/data.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"index.html":{},"oci/data.html":{},"oci/network.html":{}}}],["symbol",{"_index":9433,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["symmetr",{"_index":7775,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/iam.html":{}}}],["symptom",{"_index":5058,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["syn",{"_index":7386,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["synaps",{"_index":4168,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["sync",{"_index":4470,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"gcp/iam.html":{},"gcp/ir.html":{}}}],["synchron",{"_index":4551,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["synchronis",{"_index":4520,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{}}}],["syntax",{"_index":7874,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"oci/iam.html":{}}}],["synthesis",{"_index":8334,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["synthet",{"_index":2322,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{}}}],["syscal",{"_index":8423,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["sysctl",{"_index":8398,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["syslog",{"_index":5164,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["system",{"_index":1177,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azur
e/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["system.iam.gserviceaccount.com",{"_index":5972,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["system:mast",{"_index":2836,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["system:serviceaccount:namespace:nam",{"_index":8070,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["system:serviceaccount:production:app",{"_index":5010,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["systemassign",{"_index":3938,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{}}}],["systemat",{"_index":4643,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/genai.html":{}}}],["systemctl",{"_index":7608,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["s|^|$project",{"_index":7211,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["t",{"_index":585,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"gcp/logging.html":{},"oci/iam.html":{}}}],["t1078",{"_index":8331,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["t1078.004",{"_index":8139,"title":{},"breadcrumb":{},"descrip
tion":{},"body":{"general/logging.html":{}}}],["t1098.003",{"_index":8378,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["t1110.003",{"_index":8376,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["t1114.002",{"_index":8379,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["t1526",{"_index":8332,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["t1567",{"_index":8333,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["tabl",{"_index":807,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["table</cod",{"_index":3587,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/genai.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["tables/igw/vpc",{"_index":3253,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["tableservic",{"_index":5260,"title":{},"breadcrumb":{},"description":{},"body":{"a
zure/logging.html":{}}}],["tableservices/default.</cod",{"_index":5253,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["tabletop",{"_index":2076,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["tactic",{"_index":4795,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["tag",{"_index":501,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["tag_namespace_id",{"_index":9084,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["tagpatternlist",{"_index":3729,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["tagstatu",{"_index":3728,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["tail",{"_index":7010,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["tailscal",{"_index":8254,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["take",{"_index":450,"title":{},"breadcrumb":{},"desc
ription":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["takedown",{"_index":4530,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["taken",{"_index":6539,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/genai.html":{},"general/ir.html":{},"oci/ir.html":{}}}],["takeov",{"_index":1506,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["talk",{"_index":5688,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["tamper",{"_index":1757,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["tape",{"_index":4035,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{}}}],["target",{"_index":183,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"az
ure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["target.bucket.nam",{"_index":8498,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["target.user.id",{"_index":8810,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["target_detector_recip",{"_index":9321,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["target_id",{"_index":1737,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{}}}],["target_key_id",{"_index":600,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{}}}],["target_ocid",{"_index":9308,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["target_registri",{"_index":9597,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["target_resource_detail",{"_index":9550,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["target_resource_id",{"_index":4397,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["target_resource_operating_system_user_nam",{"_index":9553,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["target_resource_port",{"_index":9554,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["target_resource_typ",{"_index":9041,"title":{},"breadcrumb":{},"description
":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["target_responder_recip",{"_index":9042,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["target_subnet_id",{"_index":9537,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["target_typ",{"_index":1739,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["targetid",{"_index":1587,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["targetresourc",{"_index":4636,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["targetresourceid",{"_index":5498,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"oci/workloads.html":{}}}],["targetresourceoperatingsystemusernam",{"_index":9521,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["targetresourceport",{"_index":9522,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["targetresourceprivateipaddress",{"_index":9557,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["task",{"_index":1948,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/workloads.html":{},"general/genai.html":{},"general/iam.html":{}}}],["taxonomi",{"_index":4729,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["tb",{"_index":8651,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["tcp",{"_index":1479,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/kubernetes.html":{},"oci/
network.html":{},"oci/workloads.html":{}}}],["tcp_option",{"_index":9224,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["tcpoption",{"_index":9386,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["tde",{"_index":3846,"title":{},"breadcrumb":{},"description":{"azure/data.html":{}},"body":{"azure/data.html":{},"azure/index.html":{},"oci/data.html":{}}}],["tdx",{"_index":7412,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["teach",{"_index":8231,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["team",{"_index":294,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["team'",{"_index":1155,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["technic",{"_index":785,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/kubernetes.html":{}}}],["techniq
u",{"_index":7986,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/logging.html":{},"general/threat-model.html":{}}}],["technolog",{"_index":5784,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"compliance-matrix.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{}}}],["telemetri",{"_index":2060,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/workloads.html":{}}}],["tell",{"_index":2048,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"azure/ir.html":{},"azure/logging.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/kubernetes.html":{}}}],["templat",{"_index":291,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"oci/workloads.html":{}}}],["template.md",{"_index":7707,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["template_s3_uri",{"_index":3072,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["tempor",{"_index":7859,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["temporari",{"_index":3569,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/ir.html":{},"azure/workloads.html":{},"general/iam.html":{},"general/threat-model.html":{}}}],["temporarili",{"_index":1871,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.h
tml":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["tempt",{"_index":5338,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["temptat",{"_index":8388,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["ten",{"_index":1507,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/network.html":{},"gcp/ir.html":{},"general/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["tenanc",{"_index":3107,"title":{},"breadcrumb":{},"description":{"oci/iam.html":{}},"body":{"aws/logging.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["tenancy\"))'</cod",{"_index":8678,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["tenancy'",{"_index":8793,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["tenancy_admin_group_ocid",{"_index":8963,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["tenancy_namespac",{"_index":9077,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["tenancy_ocid",{"_index":8960,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["tenancy_root",{"_index":9040,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["tenancy_root_target_ocid",{"_index":9018,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["tenancyocid",{"_index":8812,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{},"oci/ir.html":{
},"oci/logging.html":{}}}],["tenant",{"_index":3849,"title":{},"breadcrumb":{},"description":{"oci/ir.html":{}},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{}}}],["tenant'",{"_index":5239,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["tenant.onmicrosoft.com",{"_index":4576,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["tenant_domain=\"contoso.onmicrosoft.com",{"_index":4531,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["tenant_id",{"_index":5035,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/network.html":{}}}],["tenantresourceid('microsoft.authorization/policysetdefinit",{"_index":5118,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["tenantresourceid('microsoft.authorization/roledefinit",{"_index":4495,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["tend",{"_index":1798,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["terabyt",{"_index":8500,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["term",{"_index":4451,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/genai.html":{},"general/index.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{},"search.html":{}}}],["termin",{"_index":767,"title":{},"breadcrumb":{},"description":{},"bo
dy":{"aws/data.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"general/data.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["terminolog",{"_index":7933,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/shared-responsibility.html":{},"oci/data.html":{}}}],["terraform",{"_index":305,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["terraform.tfvar",{"_index":8489,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["territori",{"_index":8321,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["test",{"_index":1262,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/ir.html":{},"general/data.html":{},"general/genai.html":{},"gen
eral/ir.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["text",{"_index":583,"title":{},"breadcrumb":{},"description":{"search.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["text/markdown",{"_index":9588,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["tf",{"_index":8521,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["theatr",{"_index":911,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"general/data.html":{}}}],["theft",{"_index":1886,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["theme",{"_index":7662,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["themselv",{"_index":226,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/iam.html":{},"azure/ir.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["theoret",{"_index":4023,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.h
tml":{}}}],["therefor",{"_index":3870,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/workloads.html":{}}}],["thiev",{"_index":7922,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/threat-model.html":{}}}],["thing",{"_index":2872,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/logging.html":{},"general/ir.html":{},"oci/logging.html":{}}}],["think",{"_index":2072,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"general/network.html":{}}}],["third",{"_index":1792,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["thirti",{"_index":8153,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/workloads.html":{}}}],["this.account",{"_index":409,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{}}}],["those",{"_index":1406,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure
/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["though",{"_index":2683,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/methodology.html":{}}}],["thought",{"_index":3461,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["thousand",{"_index":5534,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/iam.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{}}}],["thread",{"_index":8794,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["threat",{"_index":1002,"title":{"general/threat-model.html":{}},"breadcrumb":{"general/threat-model.html":{}},"description":{"gcp/logging.html":{},"general/genai.html":{},"general/index.html":{},"general/kubernetes.html":{},"general/threat-model.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.htm
l":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["threat_high_crit",{"_index":7175,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["three",{"_index":156,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["threshold",{"_index":488,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.h
tml":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["threshold=harmblockthreshold.block_medium_and_abov",{"_index":6200,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["threshold=harmblockthreshold.block_non",{"_index":6208,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["threshold_valu",{"_index":6634,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["throttl",{"_index":2324,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/logging.html":{}}}],["through",{"_index":273,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["throughout",{"_index":1518,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.htm
l":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["throughput",{"_index":5636,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ti",{"_index":6724,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/workloads.html":{}}}],["ticket",{"_index":500,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["ticketmast",{"_index":8361,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["tidi",{"_index":8181,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["tier",{"_index":1168,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/work
loads.html":{}}}],["tier:pricingti",{"_index":5344,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["tier=db",{"_index":6017,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["tighten",{"_index":1774,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/iam.html":{},"oci/data.html":{}}}],["tighter",{"_index":8453,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["tightli",{"_index":4789,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/ir.html":{},"oci/workloads.html":{}}}],["time",{"_index":656,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["time\"),\"ev",{"_index":9533,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["time=$(d",{"_index":5912,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["time=02:00",{"_index":6022,"title":{},"breadcrumb":{},"description":{},
"body":{"gcp/data.html":{}}}],["time_amount",{"_index":8762,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["time_amount=730",{"_index":9243,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["time_before_expiri",{"_index":4063,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["time_rule_lock",{"_index":8485,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["time_step_in_sec",{"_index":8873,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["time_unit",{"_index":8761,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["timeadd(timestamp",{"_index":9092,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["timeamount\":365,\"timeunit\":\"day",{"_index":9080,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["timeamount\":730,\"timeunit\":\"day",{"_index":9244,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["timegener",{"_index":4001,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["timelin",{"_index":2859,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/ir.html":{},"oci/genai.html":{}}}],["timeout",{"_index":2276,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["timeout_second",{"_index":6704,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["timer",{"_index":4857,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azu
re/logging.html":{}}}],["timeseri",{"_index":6166,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["timestamp",{"_index":453,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/genai.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["timestamp(now",{"_index":7173,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["timestat",{"_index":8823,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["titan",{"_index":7896,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["titl",{"_index":4420,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"general/methodology.html":{},"oci/logging.html":{}}}],["title=\"vertex",{"_index":6134,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["title=svc",{"_index":6674,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["tl",{"_index":2633,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["tls1_2",{"_index":3873,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["tmp/key",{"_index":937,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["tmp/policy.
json",{"_index":6238,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["to_port",{"_index":1477,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["today",{"_index":3664,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"general/compliance-frameworks.html":{}}}],["togeth",{"_index":2867,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/network.html":{}}}],["toggl",{"_index":285,"title":{},"breadcrumb":{},"description":{"azure/data.html":{}},"body":{"aws/data.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["token",{"_index":2115,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{}},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["token'",{"_index":8066,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["token=$(gcloud",{"_index":6439,"title":{},"breadcrumb":{},"description":{},"body"
:{"gcp/iam.html":{}}}],["tokenis",{"_index":7830,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["tokens,values=opt",{"_index":3585,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["toler",{"_index":2890,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"gcp/ir.html":{},"general/data.html":{},"general/network.html":{}}}],["tolist(data.aws_ssoadmin_instances.this.arns)[0",{"_index":1725,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["tomorrow",{"_index":5174,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["took",{"_index":3994,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/ir.html":{},"oci/ir.html":{}}}],["tool",{"_index":315,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["toolchain",{"_index":8430,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["tooltip",{"_index":5747,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["top",{"_index":1103,"title":{},"breadcrumb":{},"description":{"general/genai.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.
html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/workloads.html":{}}}],["topic",{"_index":23,"title":{},"breadcrumb":{},"description":{"general/index.html":{}},"body":{"404.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/index.html":{},"general/logging.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["topic=projects/secur",{"_index":6658,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["topic=scc",{"_index":6667,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["topic_id",{"_index":8979,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["topolog",{"_index":3854,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/network.html":{},"oci/genai.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["toport",{"_index":3351,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["tor",{"_index":3147,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["toset([\"bg01",{"_index":2157,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["toset([\"breakglass",{"_index":8970,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["toset([\"breakglass01",{"_index":4546,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["toset(var.ga_eligible_user_object_id",{"_ind
ex":4619,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["toset(var.global_admin_object_id",{"_index":4482,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["toset(var.known_bad_cidr",{"_index":3423,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["toset(var.member_account_id",{"_index":3791,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["tostring(parse_json(entities)[0].nam",{"_index":5730,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["tostring(parse_json(properties).requestbodi",{"_index":3997,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["tostring(parse_json(properties_s).contentfilterresults.indirect_attack.filt",{"_index":4290,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["tostring(parse_json(properties_s).contentfilterresults.jailbreak.filt",{"_index":4288,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["tostring(targetresources[0].displaynam",{"_index":4637,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["tostring(targetresources[2].userprincipalnam",{"_index":4638,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["total",{"_index":2695,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/ir.html":{}}}],["toto",{"_index":7402,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["totp",{"_index":1551,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/iam.html
":{}}}],["totp/authent",{"_index":4521,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["totp/u2f",{"_index":2144,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["totp_en",{"_index":8866,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["totp_set",{"_index":8872,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["totpen",{"_index":8882,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["touch",{"_index":570,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/ir.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["toward",{"_index":1352,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"general/methodology.html":{}}}],["tower",{"_index":8112,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["toxic",{"_index":6188,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["tpm",{"_index":5514,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["tr",{"_index":584,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"oci/iam.html":{}}}],["trace",{"_index":1254,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"general/ir.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["trace.as
sessments[*].topicpolicy.topics[*].act",{"_index":1241,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["traceabl",{"_index":6236,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/genai.html":{}}}],["track",{"_index":1261,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["tractabl",{"_index":8826,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["tradecraft",{"_index":8345,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["tradeoff",{"_index":9345,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["tradit",{"_index":7808,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/network.html":{}}}],["traf",{"_index":3533,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["traffic",{"_index":203,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["trail",{"_index":547,"title":{},"breadcrumb":{},"description":{"aws/logging.html":{},"general/logging.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"
aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["trail'",{"_index":2949,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trail</cod",{"_index":2903,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailbucket",{"_index":2934,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailbucketnam",{"_index":2919,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailkey",{"_index":2936,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailkmskeyarn",{"_index":2920,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailkmskeyarn</cod",{"_index":2930,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["trailnam",{"_index":2923,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["train",{"_index":999,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["training/corpu",{"_index":6269,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["transact",{"_index":5233,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["transaction/capac",{"_index":5244,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["transaction_log_retention_day",{"_index":6053,"ti
tle":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["transcrib",{"_index":4441,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/compliance-frameworks.html":{}}}],["transcript",{"_index":3610,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["transfer",{"_index":5303,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{}}}],["transform",{"_index":2149,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["transit",{"_index":112,"title":{},"breadcrumb":{},"description":{"general/data.html":{},"general/network.html":{}},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/index.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["translat",{"_index":5094,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{}}}],["transmiss",{"_index":8008,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["transmit",{"_index":8735,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["transpar",{"_index":4170,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/genai.html":{},"oci/data.html":{}}}],["transport",{"_index":8273,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["transpos",{"_ind
ex":5526,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["travel",{"_index":4801,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["travers",{"_index":1436,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/network.html":{},"general/ir.html":{},"general/network.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["treat",{"_index":114,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["treat_missing_data",{"_index":2181,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["treatment",{"_index":3543,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["tree",{"_index":5552,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html"
:{},"general/ir.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["trend",{"_index":9240,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["tri",{"_index":2214,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/network.html":{},"general/ir.html":{},"general/network.html":{},"oci/ir.html":{}}}],["triag",{"_index":2247,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/workloads.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"general/ir.html":{},"general/methodology.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["trick",{"_index":1337,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["trigger",{"_index":1283,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/ir.html":{}}}],["trigger_oper",{"_index":4776,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["trigger_region",{"_index":6707,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["trigger_threshold",{"_index":4778,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["triggerrespond",{"_index":9057,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["trip",{"_index":2747,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"compliance-matrix.html":{}}}],["trivial",{"_index":1642,"title":{},"breadcrumb":{},"description":
{},"body":{"aws/iam.html":{},"gcp/ir.html":{}}}],["trm",{"_index":7975,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["trojan",{"_index":3136,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["troubleshoot",{"_index":4447,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["true",{"_index":270,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["true\"</cod",{"_index":9151,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["true</cod",{"_index":392,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/network.html":{},"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["true}'</cod",{"_index":4220,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["truli",{"_index":8607,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["trust",{"_index":1294,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{},"general/network.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{}
,"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["trust_polici",{"_index":5699,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["trusted_launch_requir",{"_index":5591,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["trustedaccountid",{"_index":1984,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["trustedlaunch",{"_index":5536,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["trustpolici",{"_index":5718,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["trustworthi",{"_index":3892,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{}}}],["truth",{"_index":2677,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"oci/network.html":{}}}],["tsv",{"_index":1128,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kuber
netes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{}}}],["tsv)/providers/microsoft.security/regulatorycompliancestandards/ci",{"_index":5296,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["tsv)</code",{"_index":4187,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["ttl",{"_index":3572,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/network.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["ttl=300",{"_index":7311,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["tuesday",{"_index":2056,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{}}}],["tune",{"_index":1258,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/logging.html":{},"azure/iam.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"general/genai.html":{},"general/logging.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["tunnel",{"_index":5635,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{},"general/network.html":{}}}],["tunneling_en",{"_index":5656,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["tupl",{"_index":2620,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["turn",{"_index":225,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/network.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsi
bility.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["twelv",{"_index":8145,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["twenti",{"_index":7638,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/ir.html":{}}}],["twice",{"_index":5396,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["two",{"_index":140,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["twofold",{"_index":8266,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["ty",{"_index":7777,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["type",{"_index":363,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},
"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{},"search.html":{}}}],["type\":\"ocir",{"_index":9578,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["type,values=interfac",{"_index":1452,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["type=\"2sv_dis",{"_index":6461,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["type=\"2sv_enrol",{"_index":6462,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["type=a",{"_index":7310,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["type=application/json",{"_index":4665,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["type=cluster</cod",{"_index":2852,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["type=cos_containerd",{"_index":6971,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["type=n2",{"_index":7418,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["type=pd",{"_index":5967,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["type=region",{"_index":6019,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["typescript",{"_index":394,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"
aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["typescript\">import",{"_index":395,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["typic",{"_index":1619,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["typo",{"_index":8220,"title":{},"breadcrum
b":{},"description":{},"body":{"general/methodology.html":{}}}],["typo'd",{"_index":7512,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["typolog",{"_index":3693,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["typosquat",{"_index":3697,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["u",{"_index":1801,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"azure/ir.html":{},"gcp/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["u.",{"_index":7619,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["u.nam",{"_index":8985,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["uami",{"_index":4937,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["ubla",{"_index":5831,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ubla_org",{"_index":5847,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["ubuntu",{"_index":3614,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{}}}],["ubuntu:22.04",{"_index":5687,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["uefi",{"_index":5521,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/workloads.html":{}}}],["uefiset",{"_index":5603,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["ui",{"_index":6597,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["uid",{"_index":8434,"title":{},"breadcrumb":{},"description"
:{},"body":{"general/workloads.html":{},"oci/iam.html":{}}}],["uid/gid",{"_index":7471,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["ul",{"_index":8205,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"search.html":{}}}],["umbrella",{"_index":3119,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{},"oci/workloads.html":{}},"body":{"aws/logging.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/workloads.html":{}}}],["un",{"_index":1426,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/data.html":{},"oci/logging.html":{}}}],["unabl",{"_index":9175,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["unaccept",{"_index":8777,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["unaddress",{"_index":7123,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["unaffect",{"_index":707,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{},"general/threat-model.html":{}}}],["unambigu",{"_index":8318,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["unannounc",{"_index":7735,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["unapprov",{"_index":1347,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["unassign",{"_index":5329,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["unattribut",{"_index":2826,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/genai.html":{}}}],["unaudit",{"_index":7097,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["unauthent",{"_index":2477,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html
":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["unauthor",{"_index":1187,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"aws/workloads.html":{},"general/data.html":{}}}],["unauthoris",{"_index":4361,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/genai.html":{}}}],["unauthorizedaccess",{"_index":3134,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["unauthorizedaccess:ec2/maliciousipcaller.custom",{"_index":2245,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["unauthorizedaccess:iamuser/toripcal",{"_index":3150,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["unavail",{"_index":2097,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/iam.html":{},"general/kubernetes.html":{}}}],["unavoid",{"_index":2485,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/iam.html":{}}}],["unawar",{"_index":3395,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["unback",{"_index":7998,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["unbind",{"_index":6727,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["unbound",{"_index":338,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"general/genai.html":{},"general/iam.html":{},"general/methodology.h
tml":{}}}],["unc5537",{"_index":8155,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["unchalleng",{"_index":5555,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["unchang",{"_index":6264,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/ir.html":{}}}],["uncheck",{"_index":8456,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["unclassifi",{"_index":7738,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["uncoordin",{"_index":7901,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{}}}],["uncov",{"_index":3815,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/kubernetes.html":{}}}],["undecrypt",{"_index":5031,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["under",{"_index":560,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/ir.html":{},"general/logging.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["underli",{"_index":790,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html
":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/network.html":{}}}],["underneath",{"_index":4180,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["underpin",{"_index":8039,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["understand",{"_index":7858,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["understood",{"_index":8259,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["undetect",{"_index":2692,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/genai.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/ir.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["undiscov",{"_index":1879,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["undo",{"_index":6873,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["unencrypt",{"_index":706,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/kubernetes.html":{},"azure/genai.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/logging.html":{}}}],["unexecut",{"_index":6585,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["unexpect",{"_index":1335,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"general/workloads.html":{}}}],["unexpectedli",{"_index":7351,"title":{},"breadcrumb":{},"descripti
on":{},"body":{"gcp/network.html":{}}}],["unfamiliar",{"_index":4173,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/iam.html":{}}}],["unfeder",{"_index":8959,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["unfilt",{"_index":1256,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"general/genai.html":{}}}],["unfix",{"_index":7397,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["unforgiv",{"_index":7965,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["unglamor",{"_index":7949,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["unifi",{"_index":997,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"general/logging.html":{}}}],["uniform",{"_index":5795,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["uniform_bucket_level_access",{"_index":5803,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{}}}],["uniformbucketlevelaccess",{"_index":5862,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{}}}],["uniformli",{"_index":7806,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{},"general/kubernetes.html":{}}}],["unilater",{"_index":7769,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["unimped",{"_index":1878,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["unintend",{"_index":1284,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/genai.html":{},"general/genai.html":{}}}],["unintent",{"_index":7831,"title":{},"breadcrumb":{},"description":{},"body":{"general/genai.html":{}}}],["uninvolv",{"_index":8363,"title":{},"breadcrumb":{},"description":{},"body":{"general/thre
at-model.html":{}}}],["union",{"_index":5228,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"general/data.html":{},"oci/network.html":{}}}],["uniqu",{"_index":3400,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/network.html":{}}}],["unique_writer_ident",{"_index":6259,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["uniquestring(targetresourceid",{"_index":5499,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["unit",{"_index":2883,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/iam.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/ir.html":{},"general/threat-model.html":{},"oci/data.html":{}}}],["unit'",{"_index":6594,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["unit_count",{"_index":8788,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["unit_shap",{"_index":8789,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["unitcount",{"_index":8783,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["univers",{"_index":4653,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/data.html":{}}}],["unix",{"_index":2755,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["unknown",{"_index":5336,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/network.html":{}}}],["unless",{"_index":91,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/
data.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["unlik",{"_index":4421,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"general/genai.html":{},"general/shared-responsibility.html":{}}}],["unlimit",{"_index":4212,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["unlock",{"_index":4870,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"gcp/ir.html":{},"gcp/network.html":{},"oci/kubernetes.html":{}}}],["unlog",{"_index":3619,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["unmanag",{"_index":896,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/iam.html":{}}}],["unmap",{"_index":5746,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["unnecessari",{"_index":8401,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["unnecessarili",{"_index":7791,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["unnot",{"_index":7570,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/workloads.html":{}}}],["unobserv",{"_index":7571,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{},"oci/logging.html":{}}}],["unpatch",{"_index":3306,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["unpaus",{"_index":2330,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["unplan",{"_index":5377,"t
itle":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["unreach",{"_index":2470,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"general/ir.html":{},"oci/workloads.html":{}}}],["unread",{"_index":2631,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{}}}],["unrecover",{"_index":8605,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["unredact",{"_index":4389,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"general/genai.html":{}}}],["unrel",{"_index":1053,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["unremedi",{"_index":5285,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["unreport",{"_index":5335,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["unresolv",{"_index":8075,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["unrestrict",{"_index":1047,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"gcp/workloads.html":{},"general/data.html":{},"oci/genai.html":{}}}],["unsaf",{"_index":1430,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"gcp/genai.html":{},"general/data.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["unsanct",{"_index":1778,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{}}}],["unscan",{"_index":5684,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"oci/workloads.html":{}}}],["unseen",{"_index":6527,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["unset",{"_index":6002,"title":{},"breadcrumb":{},"description":{},"bod
y":{"gcp/data.html":{},"gcp/kubernetes.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["unsign",{"_index":5538,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["unsupport",{"_index":8177,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{},"oci/network.html":{}}}],["untag",{"_index":3724,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["untaggedmanifest",{"_index":5691,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["untarget",{"_index":3309,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["unten",{"_index":7091,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["untest",{"_index":7794,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["until",{"_index":802,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/ir.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["untrust",{"_index":6913,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/network.html":{},"oci/ir.html":{},"oci/kubernetes.html":{}}}],["unus",{"_index":2098,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"gcp/ir.html":{},"general/iam.htm
l":{},"general/threat-model.html":{}}}],["unusu",{"_index":7941,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{},"general/logging.html":{},"general/workloads.html":{},"oci/logging.html":{}}}],["unverifi",{"_index":6908,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["unwind",{"_index":3869,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"oci/data.html":{}}}],["unwrap",{"_index":5057,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"oci/kubernetes.html":{}}}],["unwrapkey",{"_index":4045,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["up",{"_index":143,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["upd1",{"_index":7646,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/ir.html":{},"general/methodology.html":{},"general/workloads.html":{}}}],["updat",{"_index":1269,"title":{},"breadcrumb":{},"description":{"azure/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/
data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["update_trigger_payload_typ",{"_index":5712,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["updateaccesskey",{"_index":1668,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["updateagent\",\"createagent\",\"updateactiongroup\",\"createactiongroup",{"_index":1342,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["updateassumerolepolici",{"_index":2003,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["updateauthenticationfactorset",{"_index":8889,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["updateauthtoken",{"_index":9001,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["updateautonomousdatabas",{"_index":9425,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updatebast",{"_index":9561,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["updatebootvolum",{"_index":8642,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["updatebucket",{"_index":8552,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["updateclust",{"_index":6848,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["update
clusterconfig",{"_index":2558,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["updateconfigur",{"_index":9276,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["updatecontainerimagesignatur",{"_index":9609,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["updatecontainerrepositori",{"_index":9608,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["updateendpoint",{"_index":8729,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["updatefunctioncod",{"_index":2975,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["updateguardrail\",\"deleteguardrailversion\",\"createguardrailvers",{"_index":1415,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["updateidentityprovid",{"_index":8920,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["updateimagepolicyconfig",{"_index":9215,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["updateinst",{"_index":9501,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["updatekey",{"_index":8593,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["updatelog",{"_index":8771,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/logging.html":{}}}],["updateloggroup",{"_index":9298,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["updatenetworksecuritygroupsecurityrul",{"_index":9413,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updateorganizationconfigur",{"_index":3812,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["updateorganizationset",{"_index":7147,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["updatepolici",{"_index":6945,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernete
s.html":{},"gcp/network.html":{},"oci/genai.html":{},"oci/iam.html":{}}}],["updateprivateendpoint",{"_index":9424,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updateresponderrecip",{"_index":9055,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["updateroutet",{"_index":9372,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updatesecuritylist",{"_index":9412,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updateshieldedinstanceconfig",{"_index":7464,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["updatesignonpolici",{"_index":8892,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["updatetrail",{"_index":2961,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["updateusercap",{"_index":8845,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["updatevault",{"_index":9426,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updatevcn",{"_index":9370,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["updatevolum",{"_index":8641,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["updateworkloadidentitypoolprovid",{"_index":6532,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["upgrad",{"_index":3864,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"oci/kubernetes.html":{}}}],["upload",{"_index":639,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/logging.html":{},"gcp/ir.html":{},"oci/iam.html":{},"oci/workloads.html":{}}}],["upn",{"_index":4529,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["upper",{"_index":1521,"title":{},"breadcrumb":{},"description":{},"body":{
"aws/iam.html":{}}}],["upstream",{"_index":1424,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/threat-model.html":{},"oci/network.html":{}}}],["upward",{"_index":1759,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["urgent",{"_index":3396,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"aws/workloads.html":{}}}],["uri",{"_index":3051,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["uri='https://token.actions.githubusercontent.com",{"_index":6487,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["url",{"_index":3544,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/genai.html":{},"general/compliance-frameworks.html":{},"general/methodology.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["url></cod",{"_index":8904,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["urn:ietf:params:scim:schemas:core:2.0:us",{"_index":8992,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["urn:ietf:params:scim:schemas:oracle:idcs:authenticationfactorset",{"_index":8865,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["urn:ietf:params:scim:schemas:oracle:idcs:identityprovid",{"_index":8909,"title":{},"breadcrumb":{},"description":{},"body":{"oci/i
am.html":{}}}],["us",{"_index":11,"title":{},"breadcrumb":{},"description":{"404.html":{}},"body":{"404.html":{},"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["usabl",{"_index":73,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/kubernetes.html":{},"general/workloads.html":{},"oci/iam.html":{}}}],["usag",{"_index":949,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/genai.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/logging.html":{},"general/genai.html":{}}}],["usageplan",{"_index":975,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["usagerolearn",{"_index":951,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["use_legacy_sql=fals",{"_index":6785,"title":{},"breadcrumb":{},"
description":{},"body":{"gcp/ir.html":{}}}],["use_partitioned_t",{"_index":7068,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["useexplicitdryrunspec",{"_index":6171,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["user",{"_index":276,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["user'",{"_index":1362,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"azure/iam.html":{},"gcp/iam.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["user.enabledisableaccount.al",{"_index":4808,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["user/group",{"_index":1833,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/kubernetes.html":{}}}],["user:alice@example.com",{"_index":7493,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["user:breakglass",{"_index":6616,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["user=app",{"_index":6030,"title":{},"breadc
rumb":{},"description":{},"body":{"gcp/data.html":{}}}],["user@host",{"_index":3624,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["user\\/break",{"_index":2205,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["user_id",{"_index":4606,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["user_id=$(az",{"_index":4600,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["user_nam",{"_index":2161,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["user_principal_nam",{"_index":4548,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["useract",{"_index":9008,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["userassign",{"_index":4084,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["userassignedident",{"_index":4085,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["userid",{"_index":4693,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["userident",{"_index":2570,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{}}}],["useridentity.accountid",{"_index":1617,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["useridentity.arn",{"_index":458,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["useridentity.typ",{"_index":1599,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["useridentity.usernam",{"_index":1760,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["usermanag",{"_index":4310,"title":{},"breadcrumb":{},"descri
ption":{},"body":{"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{}}}],["usernam",{"_index":815,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/workloads.html":{},"general/iam.html":{},"general/methodology.html":{},"oci/ir.html":{}}}],["username/password",{"_index":4652,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["userprincipalnam",{"_index":4512,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["userpromptanalysi",{"_index":4258,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["userresourc",{"_index":8848,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["users'].conditions.users\"</cod",{"_index":4543,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["users'].state\"</cod",{"_index":4667,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["users.list?projection=ful",{"_index":6464,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["users.tokens.delet",{"_index":6473,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["users/{id",{"_index":4791,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["users[].usernam",{"_index":1800,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["usual",{"_index":2813,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["utc",{"_index":9067,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{}}}],["util",{"_index":8438,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["uuid\"},\"resources\":[\"secrets\"]}]'</cod",{"_index":2640,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["uuidgen",{"_index":4815,"title":{},"breadcrumb":{},"descr
iption":{},"body":{"azure/ir.html":{}}}],["ux",{"_index":8719,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["v",{"_index":3248,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/workloads.html":{}}}],["v0.13.0",{"_index":8079,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["v1",{"_index":5029,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/shared-responsibility.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["v1.0",{"_index":2458,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"oci/kubernetes.html":{}}}],["v1.1",{"_index":5760,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{},"general/genai.html":{}}}],["v1.11.0",{"_index":2644,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{}}}],["v1.2",{"_index":2545,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["v1.2.3",{"_index":9571,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["v1.3.0",{"_index":6805,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/kubernetes.html":{}}}],["v1.30.0",{"_index":9113,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["v1.30.1",{"_index":9131,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["v1.8.0",{"_index":2540,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"compliance-matrix.html":{},"general/kubernetes.html":{},"oci/kubernetes.html":{}}}],["v1.9.0",{"_index":5768,"title":{},"breadcrumb":{}
,"description":{},"body":{"compliance-matrix.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{}}}],["v1.compute.disks.insert",{"_index":5994,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["v1.compute.firewalls.insert",{"_index":7288,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v1.compute.firewalls.patch",{"_index":7289,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v1.compute.instances.updateshieldedinstanceconfig",{"_index":7458,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["v1.compute.networks.insert",{"_index":7236,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v1.compute.regiondisks.insert",{"_index":5995,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["v1.compute.serviceattachments.insert",{"_index":7336,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v1.compute.subnetworks.patch",{"_index":7376,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v1/v2",{"_index":5520,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["v2",{"_index":1055,"title":{},"breadcrumb":{},"description":{"azure/kubernetes.html":{},"azure/logging.html":{}},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/workloads.html":{}}}],["v2.0.0",{"_index":2539,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{},"compliance-matrix.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/compliance-frameworks.html":{},"general/index.html":{},"general/kubernetes.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"o
ci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v2024.03.15",{"_index":3701,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["v2:0",{"_index":1030,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["v3",{"_index":5293,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["v3')].{name:nam",{"_index":5290,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["v3.0.0",{"_index":95,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/index.html":{}}}],["v3.0.0)n/an/an/a",{"_index":3486,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["v3.0.0/regulatorycompliancecontrols?api",{"_index":5297,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["v3.1.0",{"_index":413,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v3.1.02025",{"_index":7713,"title":{},
"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["v3.x",{"_index":8502,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v33",{"_index":7382,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["v4.0",{"_index":7746,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"general/logging.html":{}}}],["v4.0.0",{"_index":5794,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/index.html":{}}}],["v5",{"_index":7636,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["v5.0.0",{"_index":412,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v5.0.02026",{"_index":7712,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["v6.0.0",{"_index":411,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws
/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v6.0.02026",{"_index":7710,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["v7.0.0",{"_index":282,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["v7.0.02026",{"_index":7709,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["v8",{"_index":8107,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":
{},"general/workloads.html":{}}}],["valid",{"_index":764,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/ir.html":{}}}],["validatingadmissionwebhook",{"_index":5126,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["validatingwebhookconfigur",{"_index":8051,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["valu",{"_index":484,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{}}}],["value=0",{"_index":6610,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["value=ir+bg01@example.com,type=work,primary=tru",{"_index":2142,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["value[0].id",{"_index":4466,"title":{},"brea
dcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["value[?displayname=='ca001",{"_index":4666,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["value[?displayname=='requir",{"_index":4542,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["value[].{name:nam",{"_index":5343,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["value[].{upn:userprincipalname,id:id,type:\"@odata.typ",{"_index":4468,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["value_typ",{"_index":6624,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["valuetyp",{"_index":9035,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["vanish",{"_index":2316,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/logging.html":{}}}],["vapouris",{"_index":4016,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["var",{"_index":3833,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{}}}],["var.account_nam",{"_index":4223,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["var.activity_log_diag_policy_definition_id",{"_index":5208,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["var.ad_1",{"_index":9230,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["var.ad_nam",{"_index":8629,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["var.adb_admin_password",{"_index":8667,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["var.admin_ssh_public_key",{"_index":5583,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["var.agent_instruct",{"_index":1312,"title":{},"breadcrumb":{},"description":{},
"body":{"aws/genai.html":{}}}],["var.agent_nam",{"_index":1307,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["var.aks_admin_group_oid",{"_index":5138,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["var.allowed_model_id",{"_index":1068,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["var.app_project_id",{"_index":7434,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["var.app_service_account_email",{"_index":7444,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["var.app_service_principal_id",{"_index":4368,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["var.app_subnet_cidr",{"_index":1481,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["var.app_subnet_id",{"_index":5572,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["var.app_subnet_self_link",{"_index":7442,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["var.artifact_kms_key_id",{"_index":7533,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["var.auditors_group_id",{"_index":1735,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["var.central_law_id",{"_index":5270,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["var.cis_azure_v3_policy_set_definition_id",{"_index":5302,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["var.compartment_id",{"_index":9111,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["var.customer_data_bucket_ocid",{"_index":9293,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.dedicated_cluster_ocid",{"_index":8724,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.default_domain_ocid",{"_index":8860,"title":{},"
breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["var.deny_paas_public_initiative_id",{"_index":5453,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["var.deny_storage_public_initiative_id",{"_index":3944,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["var.eks_cluster_nam",{"_index":1981,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["var.endpoint_nam",{"_index":8727,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.fn_source_bucket",{"_index":6697,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["var.forensic_cmek_id",{"_index":6748,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["var.foundation_model_id",{"_index":1311,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["var.genai_compartment_ocid",{"_index":8711,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.github_pat",{"_index":5709,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["var.golden_ami_id",{"_index":3589,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["var.guardrail_nam",{"_index":1206,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["var.hardened_image_ocid",{"_index":9462,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.home_region",{"_index":9089,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.host_project_id",{"_index":7220,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["var.image_signing_key_version_ocid",{"_index":9604,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.inference_group_nam",{"_index":8683,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.initial_admin_email",{"_index":8806,"title":{},"breadcrumb
":{},"description":{},"body":{"oci/iam.html":{}}}],["var.initial_admin_nam",{"_index":8805,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["var.ip_plan_policy_definition_id",{"_index":5378,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["var.ir_compartment_ocid",{"_index":9046,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.ir_functions_application_ocid",{"_index":9050,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.ir_partner_service_principal_object_id",{"_index":4905,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["var.ir_vault_key_ocid",{"_index":9091,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.keys_project_id",{"_index":5926,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["var.loc",{"_index":4224,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/kubernetes.html":{}}}],["var.log_analytics_workspace_id",{"_index":4398,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["var.log_bucket_kms_key",{"_index":7061,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["var.logging_compartment_id",{"_index":9251,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.management_cidr",{"_index":2486,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["var.model_ocid",{"_index":8726,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.network_compartment_id",{"_index":9363,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["var.ol9_image_ocid",{"_index":8640,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["var.operator_ephemeral_ssh_pubkey",{"_index":9549,"title":{},"breadcrumb":{},"description":{},"body":{
"oci/workloads.html":{}}}],["var.oracle_managed_activity_detector_ocid",{"_index":9318,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.oracle_managed_config_detector_ocid",{"_index":9316,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.oracle_managed_responder_ocid",{"_index":9320,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.oracle_managed_responder_recipe_ocid",{"_index":9027,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.org_id",{"_index":6615,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/logging.html":{}}}],["var.organization_id",{"_index":6369,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["var.os_namespac",{"_index":9252,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.pagerduty_channel_id",{"_index":6629,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["var.payer_account_id",{"_index":2904,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["var.platform_team_group_oid",{"_index":5142,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["var.precomputed_signature_b64",{"_index":9606,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.private_subnet_id",{"_index":1464,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"oci/data.html":{}}}],["var.project_id",{"_index":6106,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["var.project_id}.svc.id.goog",{"_index":6855,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["var.project_number}@gcp",{"_index":6326,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["var.published_image_ocid",{"_index":9602,"title":{},"br
eadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.rag_source_bucket",{"_index":6288,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["var.region",{"_index":6291,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/kubernetes.html":{},"oci/genai.html":{}}}],["var.region_key}.ocir.io/${var.tenancy_namespace}/ir/playbook:latest",{"_index":9051,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.regulated_storage_account_id",{"_index":5265,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["var.regulated_vault_key_ocid",{"_index":9296,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.resource_group_nam",{"_index":4225,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["var.root_compartment_ocid",{"_index":8680,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.sec_project_id",{"_index":7054,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["var.security_account_id",{"_index":3172,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/workloads.html":{}}}],["var.security_compartment_id",{"_index":9589,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.security_ops_project",{"_index":6678,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["var.signing_message_b64",{"_index":9607,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["var.sql_admin_password",{"_index":4193,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["var.subnet_id",{"_index":4345,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["var.svc_project_id",{"_index":5851,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["var.target_account_id",{"_index":1738,"title":{},"breadcrumb":{},
"description":{},"body":{"aws/iam.html":{}}}],["var.tenancy_admin_group_ocid",{"_index":8974,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.tenancy_namespac",{"_index":9090,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["var.tenancy_ocid",{"_index":8512,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["var.trusted_launch_initiative_id",{"_index":5592,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["var.vault_key_ocid",{"_index":9253,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["var.vcn_ocid",{"_index":8739,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["var.vendor_service_attach",{"_index":7373,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["var.vpc_id",{"_index":1459,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{}}}],["var.vpc_network",{"_index":6300,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["var.workload_compartment_id",{"_index":8514,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["var/run",{"_index":8073,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["var/run/secrets/pods.eks.amazonaws.com/serviceaccount/ek",{"_index":2591,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["variabl",{"_index":1639,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/workloads.html":{},"oci/data.html":
{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["variables={secret_arn=arn:aws:secretsmanager:eu",{"_index":3837,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["variant",{"_index":486,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"azure/iam.html":{},"gcp/network.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/kubernetes.html":{}}}],["varieti",{"_index":8269,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}],["vastli",{"_index":7983,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["vault",{"_index":2686,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/kubernetes.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/kubernetes.html":{}},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["vault'",{"_index":8482,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["vault_key_ocid",{"_index":9242,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{},"oci/workloads.html":{}}}],["vault_key_us",{"_index":9295,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["vault_key_version_ocid",{"_index":9581,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["vault_mgmt_endpoint",{"_index":8576,"title":{},"breadcrumb"
:{},"description":{},"body":{"oci/data.html":{}}}],["vault_mgmt_endpoint\"</cod",{"_index":8581,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["vault_typ",{"_index":8565,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/kubernetes.html":{}}}],["vaultresourceid",{"_index":4146,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["vcn",{"_index":7981,"title":{},"breadcrumb":{},"description":{"oci/logging.html":{},"oci/network.html":{}},"body":{"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["vcn:${var.vcn_ocid};${var.private_subnet_cidr",{"_index":8671,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["vcn_app_prod",{"_index":9365,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["vcn_default",{"_index":9390,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["vcn_id",{"_index":8738,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{},"oci/kubernetes.html":{},"oci/network.html":{}}}],["vcn_ocid",{"_index":9350,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["vcnid",{"_index":9129,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["vcnocid",{"_index":9122,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/network.html":{}}}],["vector",{"_index":304,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/log
ging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["vendor",{"_index":4737,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/workloads.html":{},"gcp/network.html":{},"general/index.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/workloads.html":{}}}],["vendor'",{"_index":2129,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["verb",{"_index":2691,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"general/kubernetes.html":{},"oci/genai.html":{}}}],["verb=creat",{"_index":2553,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/kubernetes.html":{}}}],["verb=patch",{"_index":4992,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["verbatim",{"_index":7705,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/genai.html":{},"general/methodology.html":{},"oci/iam.html":{}}}],["verdict",{"_index":8731,"title":{},"breadcrumb":{},"description":{},"body":{"oci/genai.html":{}}}],["veri",{"_index":2063,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"gcp/logging.html":{},"general/ir.html":{}}}],["verif",{"
_index":6350,"title":{},"breadcrumb":{},"description":{"oci/kubernetes.html":{}},"body":{"gcp/iam.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/index.html":{},"oci/kubernetes.html":{}}}],["verifi",{"_index":77,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["verify)2.x",{"_index":3012,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["verify)3.x",{"_index":3013,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["verify)4.x",{"_index":423,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["verify)5.x",{"_index":422,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/logging.html":{}}}],["verify)6.x",{"_index":841,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{}}}],["verify)n/a",{"_index":5953,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/logging.html":{},"gcp/network.html"
:{},"gcp/workloads.html":{}}}],["verify)n/an/a",{"_index":4154,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["verify)n/an/an/a",{"_index":3084,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["verizon",{"_index":7869,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/methodology.html":{}}}],["versa",{"_index":75,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"general/shared-responsibility.html":{}}}],["version",{"_index":252,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["version\":\"2012",{"_index":1969,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["version=2019",{"_index":5298,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["version=2024",{"_index":4206,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{}}}],["version=postgres_
15",{"_index":6015,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["version_templ",{"_index":5932,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["versioning_configur",{"_index":2356,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["versioning_en",{"_index":4891,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["versioningconfigur",{"_index":2379,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["versionless",{"_index":4144,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["versiontempl",{"_index":6336,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["versu",{"_index":5061,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/logging.html":{},"general/logging.html":{},"general/shared-responsibility.html":{}}}],["vertex",{"_index":1013,"title":{"gcp/genai.html":{}},"breadcrumb":{},"description":{"gcp/genai.html":{}},"body":{"aws/genai.html":{},"azure/genai.html":{},"compliance-matrix.html":{},"gcp/genai.html":{},"gcp/index.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["vertex_ai",{"_index":6142,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_audit_sink",{"_index":6254,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_data_access",{"_index":6250,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_key",{"_index":6322,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_keyr",{"_index":6321,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_kms_access",{"_index":6324,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_us",{"_index":6109,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertex_ai_workload",{"_index"
:6105,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexai",{"_index":6191,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexai.generative_model",{"_index":6192,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexai.init(project=project_id",{"_index":6197,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexsa",{"_index":6115,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexsa.email.apply(",{"_index":6120,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vertexuserbind",{"_index":6117,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vet",{"_index":7757,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["veto",{"_index":9343,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["vhd",{"_index":4112,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["via",{"_index":162,"title":{},"breadcrumb":{},"description":{"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/data.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":
{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["viabl",{"_index":7299,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/data.html":{},"oci/workloads.html":{}}}],["vice",{"_index":74,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/network.html":{},"general/shared-responsibility.html":{}}}],["victim",{"_index":4712,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"gcp/genai.html":{},"general/threat-model.html":{}}}],["vidar",{"_index":8365,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["view",{"_index":3031,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["viewer",{"_index":6743,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"gcp/kubernetes.html":{}}}],["viewing)</li",{"_index":9635,"title":{},"breadcrumb":{},"description":{},"body":{"search.html":{}}}],["vintag",{"_index":1887,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["violat",{"_index":1194,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{},"azure/genai.html":{},"azure/workloads.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/kubernetes.html":{}}}],["violenc",{"_index":1366,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/genai.html":{},"oci/genai.html":{}}}],["virtual",{"_index":1550,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{},"az
ure/genai.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["virtual_machine_threat_detect",{"_index":7162,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["virtual_network_id",{"_index":5491,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["virtual_network_nam",{"_index":5650,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["virtual_network_subnet_id",{"_index":3935,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["virtual_priv",{"_index":8566,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["virtualmachin",{"_index":5345,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{},"azure/workloads.html":{}}}],["visibility=priv",{"_index":7308,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["visibl",{"_index":1445,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/workloads.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["visual",{"_index":8186,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["vlan",{"
_index":5640,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vm",{"_index":4105,"title":{},"breadcrumb":{},"description":{"azure/ir.html":{},"azure/workloads.html":{},"gcp/workloads.html":{}},"body":{"azure/data.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["vm\"}}]'</code",{"_index":4820,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["vm'",{"_index":4115,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"gcp/ir.html":{},"gcp/workloads.html":{}}}],["vm.json",{"_index":4809,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{}}}],["vm.standard.e4.flex",{"_index":9227,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{},"oci/workloads.html":{}}}],["vm.standard.e5.flex",{"_index":8614,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/workloads.html":{}}}],["vm.yaml",{"_index":7416,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["vm_size",{"_index":4953,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["vmname",{"_index":5593,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vms/vmss",{"_index":4117,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{}}}],["vmsize",{"_index":4977,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/workloads.html":{}}}],["vnet",{"_index":3898,"title":{},"breadcrumb":{},"description":{"azure/network.html":{}},"body":{"azure/data.html":{},"
azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/workloads.html":{}}}],["vnetnam",{"_index":5380,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{}}}],["vnetsubnetid",{"_index":4979,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["vnic",{"_index":9237,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{},"oci/network.html":{}}}],["vocabulari",{"_index":7622,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{},"general/ir.html":{}}}],["voic",{"_index":6644,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"general/iam.html":{},"general/methodology.html":{}}}],["vol",{"_index":7751,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{},"oci/data.html":{}}}],["vol_ocid",{"_index":8620,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["volatil",{"_index":7982,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["volum",{"_index":685,"title":{},"breadcrumb":{},"description":{"oci/data.html":{},"oci/ir.html":{}},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["volume'",{"_index":777,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"oci/data.html":{}}}],["volumetr",{"_index":3227,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/network.html":{}
,"gcp/network.html":{},"oci/logging.html":{}}}],["vote",{"_index":8170,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["vpc",{"_index":188,"title":{},"breadcrumb":{},"description":{"aws/genai.html":{},"aws/logging.html":{},"aws/network.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/logging.html":{},"gcp/network.html":{}},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{}}}],["vpc\"</code",{"_index":6067,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["vpc'",{"_index":3241,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"gcp/network.html":{}}}],["vpc_app_prod",{"_index":7219,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["vpc_config",{"_index":2484,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["vpc_default_security_group_clos",{"_index":3268,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpc_deny_admin_from_internet",{"_index":7276,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["vpc_endpoint_typ",{"_index":1462,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["vpc_id",{"_index":1458,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["vpc_sc_deni",{"_index":6164,"title":{},"breadcr
umb":{},"description":{},"body":{"gcp/genai.html":{}}}],["vpcblockpublicaccessoptions.{mode:internetgatewayblockmode,state:state}'</cod",{"_index":3468,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpcblockpublicaccessstack",{"_index":3483,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpcbpa",{"_index":3485,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpcbpapolici",{"_index":3479,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpcendpoints[].{id:vpcendpointid,vpc:vpcid,state:state,dns:dnsentries[0].dnsnam",{"_index":1453,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["vpcendpointtyp",{"_index":1492,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/network.html":{}}}],["vpcid",{"_index":1482,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/kubernetes.html":{},"aws/network.html":{}}}],["vpcs[].[vpcid",{"_index":3247,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["vpcsubnet",{"_index":2526,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{}}}],["vpn",{"_index":2473,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/workloads.html":{},"gcp/kubernetes.html":{},"general/network.html":{},"oci/genai.html":{},"oci/workloads.html":{}}}],["vs",{"_index":3555,"title":{},"breadcrumb":{},"description":{"gcp/logging.html":{},"oci/network.html":{}},"body":{"aws/workloads.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["vss",{"_index":9
010,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["vtpm",{"_index":5519,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{}}}],["vtpm_enabl",{"_index":5580,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vtpmenabl",{"_index":5605,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vtpmenabled\\\":fals",{"_index":5633,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vu",{"_index":5736,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vuln",{"_index":5714,"title":{},"breadcrumb":{},"description":{},"body":{"azure/workloads.html":{}}}],["vulner",{"_index":2332,"title":{},"breadcrumb":{},"description":{"gcp/workloads.html":{},"oci/logging.html":{},"oci/workloads.html":{}},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["vx.x.x",{"_index":5752,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["vx.y.z",{"_index":5744,"title":{},"breadcrumb":{},"description":{},"body":{"compliance-matrix.html":{}}}],["w",{"_index":9526,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["waf",{"_index":2012,"title":{},"breadcrumb":{},"description":{"azure/network.html":{},"gcp/network.html":{
},"oci/network.html":{}},"body":{"aws/index.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/network.html":{},"gcp/network.html":{},"general/network.html":{},"general/threat-model.html":{},"index.html":{},"oci/index.html":{},"oci/network.html":{}}}],["wafv2",{"_index":3209,"title":{},"breadcrumb":{},"description":{"aws/network.html":{}},"body":{"aws/network.html":{}}}],["wait",{"_index":2889,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"general/data.html":{}}}],["walk",{"_index":1143,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/logging.html":{},"general/index.html":{},"general/ir.html":{},"general/methodology.html":{},"general/threat-model.html":{}}}],["wall",{"_index":5180,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["wallet",{"_index":8648,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{}}}],["wallet.zip",{"_index":8657,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["wallet_pw",{"_index":8656,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["wan",{"_index":5365,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"general/network.html":{}}}],["want",{"_index":2967,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/shared-responsibility.html":{},"oci/iam.html":{},"oci/network.html":{}}}],["warehous",{"_index":8369,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["warm",{"_index":7940,"title":{},"breadcrumb":{},"descriptio
n":{},"body":{"general/ir.html":{}}}],["warn",{"_index":8035,"title":{},"breadcrumb":{},"description":{"general/kubernetes.html":{}},"body":{"general/kubernetes.html":{},"search.html":{}}}],["warning\">requir",{"_index":9103,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["warrant",{"_index":2212,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/logging.html":{},"general/methodology.html":{},"oci/data.html":{},"oci/logging.html":{}}}],["wast",{"_index":7726,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["watch",{"_index":6163,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"gcp/ir.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["watchdog",{"_index":4412,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["watchlist",{"_index":4690,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["wave",{"_index":248,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["way",{"_index":2583,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/network.html":{},"azure/iam.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/data.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/network.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/logging.html":{}}}],["wayback",{"_index":8470,"title":{},"breadcrumb":{},"description":{},"body":{"index.html":{}}}],["
weak",{"_index":3313,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{},"azure/data.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["weaken",{"_index":1240,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"azure/logging.html":{},"gcp/data.html":{},"general/genai.html":{},"oci/iam.html":{}}}],["weaker",{"_index":1431,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["weakli",{"_index":8040,"title":{},"breadcrumb":{},"description":{},"body":{"general/kubernetes.html":{}}}],["weaponis",{"_index":4431,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{}}}],["web",{"_index":50,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"oci/network.html":{}}}],["webauthn",{"_index":7892,"title":{},"breadcrumb":{},"description":{},"body":{"general/iam.html":{},"general/ir.html":{},"general/methodology.html":{}}}],["webhook",{"_index":4997,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"general/kubernetes.html":{},"oci/ir.html":{}}}],["webident",{"_index":2002,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{}}}],["websit",{"_index":5887,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"oci/logging.html":{}}}],["week",{"_index":1263,"title":{},"breadc
rumb":{},"description":{},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/workloads.html":{},"gcp/ir.html":{},"oci/logging.html":{}}}],["weekend",{"_index":2984,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{}}}],["weekli",{"_index":1771,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"general/logging.html":{},"general/methodology.html":{}}}],["weigh",{"_index":9346,"title":{},"breadcrumb":{},"description":{},"body":{"oci/network.html":{}}}],["weight",{"_index":2079,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"general/genai.html":{},"oci/genai.html":{}}}],["welcom",{"_index":8228,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["well",{"_index":2249,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/ir.html":{}}}],["went",{"_index":2873,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/genai.html":{},"gcp/logging.html":{}}}],["weren't",{"_index":3830,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["west",{"_index":577,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/network.html":{},"general/network.html":{},"oci/kubernetes.html":{}}}],["west1",{"_index":5837,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{}}}],["west1.gk",{"_index":7524,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["west1/keyrings/app",{"_index":7515,"ti
tle":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["west1/keyrings/forensic/cryptokeys/forens",{"_index":6738,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{}}}],["west1/keyrings/kr",{"_index":5921,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["west1/serviceattachments/vendor",{"_index":7360,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["west1:sql",{"_index":6026,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{}}}],["westeu",{"_index":3912,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["westeurop",{"_index":4121,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{}}}],["what'",{"_index":7569,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["whatev",{"_index":1710,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"gcp/iam.html":{},"gcp/workloads.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["whenev",{"_index":6847,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/methodology.html":{}}}],["wherea",{"_index":1178,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{}}}],["wherev",{"_index":8274,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"index.html":{}}}],["whether",{"_index":56,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/loggin
g.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["whichev",{"_index":4254,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"gcp/data.html":{},"general/methodology.html":{}}}],["whitelisted_ip",{"_index":8670,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{}}}],["whitepap",{"_index":7923,"title":{},"breadcrumb":{},"description":{},"body":{"general/index.html":{},"general/methodology.html":{}}}],["whoever",{"_index":3901,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"general/iam.html":{}}}],["whole",{"_index":2885,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"azure/logging.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/methodology.html":{}}}],["wholli",{"_index":8320,"title":{},"breadcrumb":{},"description":{},"body":{"general/shared-responsibility.html":{}}}],["whose",{"_index":539,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gc
p/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["wi_dis",{"_index":9164,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["wickr",{"_index":7957,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["wide",{"_index":193,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["wide_cli",{"_index":9562,"title":{},"breadcrumb":{},"description":{},"body":{"oci/workloads.html":{}}}],["widen",{"_index":324,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/iam.html":{},"aws/kubernetes.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/network.html":{},"oci/workloads.html":
{}}}],["wider",{"_index":8267,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{},"oci/network.html":{}}}],["wif",{"_index":6474,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{},"gcp/kubernetes.html":{}}}],["wif_imperson",{"_index":6510,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["wiki",{"_index":7733,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["wild",{"_index":5401,"title":{},"breadcrumb":{},"description":{},"body":{"azure/network.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["wildcard",{"_index":1035,"title":{},"breadcrumb":{},"description":{},"body":{"aws/genai.html":{},"aws/workloads.html":{},"gcp/iam.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/kubernetes.html":{},"general/methodology.html":{}}}],["willing",{"_index":8356,"title":{},"breadcrumb":{},"description":{},"body":{"general/threat-model.html":{}}}],["win",{"_index":3420,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["window",{"_index":523,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/worklo
ads.html":{}}}],["winrm",{"_index":3374,"title":{},"breadcrumb":{},"description":{},"body":{"aws/network.html":{}}}],["wire",{"_index":2225,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["wish",{"_index":3575,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["wit",{"_index":4589,"title":{},"breadcrumb":{},"description":{},"body":{"azure/iam.html":{},"azure/ir.html":{}}}],["within",{"_index":316,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["without",{"_index":446,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{}
,"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["won",{"_index":7948,"title":{},"breadcrumb":{},"description":{},"body":{"general/ir.html":{}}}],["word",{"_index":3542,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{},"azure/workloads.html":{},"index.html":{},"oci/workloads.html":{}}}],["work",{"_index":1525,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/workloads.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/methodology.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{},"search.html":{}}}],["workbook",{"_index":8130,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["worker",{"_index":2480,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"gcp/kubernetes.html":{},"general/kubernetes.html":{},"oci/workloads.html":{}}}],["workflow",{"_index":2875,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{
},"aws/workloads.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/compliance-frameworks.html":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["workforc",{"_index":6578,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/ir.html":{},"oci/iam.html":{}}}],["worklo",{"_index":9336,"title":{},"breadcrumb":{},"description":{},"body":{"oci/logging.html":{}}}],["workload",{"_index":1123,"title":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{}},"breadcrumb":{"aws/workloads.html":{},"azure/workloads.html":{},"gcp/workloads.html":{},"general/workloads.html":{},"oci/workloads.html":{}},"description":{"aws/index.html":{},"aws/workloads.html":{},"azure/index.html":{},"azure/kubernetes.html":{},"azure/workloads.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/kubernetes.html":{},"gcp/workloads.html":{},"general/index.html":{},"general/workloads.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/workloads.html":{}},"body":{"aws/genai.html":{},"aws/iam.html":{},"aws/index.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/index.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/index.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/data.html":{},"general/genai.html":{},"general/iam.html":{},"general/index.html":{},"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/
network.html":{},"general/shared-responsibility.html":{},"general/threat-model.html":{},"general/workloads.html":{},"index.html":{},"oci/data.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["workload'",{"_index":1892,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/ir.html":{},"azure/network.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"general/iam.html":{},"general/network.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["workload@${project_id}.iam.gserviceaccount.com",{"_index":6098,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{}}}],["workload_compartment_ocid",{"_index":8574,"title":{},"breadcrumb":{},"description":{},"body":{"oci/data.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["workload_ident",{"_index":6856,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workload_identity_app",{"_index":9158,"title":{},"breadcrumb":{},"description":{},"body":{"oci/kubernetes.html":{}}}],["workload_identity_config",{"_index":6852,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workload_identity_en",{"_index":5012,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["workload_identity_pool_id",{"_index":6494,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["workload_identity_pool_provider_id",{"_index":6497,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["workload_pool",{"_index":6853,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workloadident",{"_index":5021,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["workloadidentity\\\":{\\\"
enabled\\\":fals",{"_index":5026,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["workloadidentityconfig",{"_index":6865,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{},"oci/kubernetes.html":{}}}],["workloadidentityconfig.workloadpool",{"_index":6868,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workloadidentitypool",{"_index":6517,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["workloadidentitypoolprovid",{"_index":6518,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/iam.html":{}}}],["workloadmetadataconfig",{"_index":6978,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workloadmetadataconfig.mod",{"_index":6878,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workloadpool",{"_index":6866,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/kubernetes.html":{}}}],["workloads'].id",{"_index":5110,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{}}}],["workloads.html",{"_index":7686,"title":{},"breadcrumb":{},"description":{},"body":{"general/compliance-frameworks.html":{}}}],["workspac",{"_index":2096,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"oci/ir.html":{}}}],["workspaceid",{"_index":4401,"title":{},"breadcrumb":{},"description":{},"body":{"azure/genai.html":{},"azure/logging.html":{}}}],["workstat",{"_index":3850,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/iam.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/workloads.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{}}}],["world",{"_index":3904,"t
itle":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/network.html":{},"oci/network.html":{}}}],["worm",{"_index":2373,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{}}}],["wors",{"_index":2321,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/network.html":{},"azure/network.html":{},"gcp/network.html":{},"general/logging.html":{},"oci/data.html":{},"oci/network.html":{}}}],["worst",{"_index":2981,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"general/ir.html":{}}}],["worth",{"_index":4930,"title":{},"breadcrumb":{},"description":{},"body":{"azure/ir.html":{},"azure/logging.html":{},"gcp/ir.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{}}}],["worthi",{"_index":8421,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["wrap",{"_index":2629,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"azure/data.html":{},"azure/genai.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/kubernetes.html":{},"general/data.html":{},"oci/data.html":{},"oci/kubernetes.html":{}}}],["wrapkey",{"_index":4044,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/kubernetes.html":{}}}],["wrapper",{"_index":6233,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"oci/iam.html":{}}}],["writabl",{"_index":6094,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/genai.html":{},"general/workloads.html":{}}}],["write",{"_index":660,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/ir.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/genai.html":{},"azure/iam.html":{},"azure/ir.html":{},"azure/logging.html":{},"azure/network.html":{},"azure/workloads.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"general/data.html":{},"general/genai.html":{}
,"general/ir.html":{},"general/kubernetes.html":{},"general/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["writer",{"_index":5132,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/workloads.html":{},"general/logging.html":{}}}],["writer=$(gcloud",{"_index":7049,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/logging.html":{}}}],["writeup",{"_index":8214,"title":{},"breadcrumb":{},"description":{},"body":{"general/methodology.html":{}}}],["written",{"_index":671,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"azure/data.html":{},"azure/logging.html":{},"gcp/data.html":{},"gcp/ir.html":{},"general/genai.html":{},"general/iam.html":{},"general/ir.html":{},"general/logging.html":{},"general/methodology.html":{},"index.html":{},"oci/iam.html":{},"oci/ir.html":{}}}],["wrong",{"_index":2874,"title":{},"breadcrumb":{},"description":{},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/logging.html":{},"azure/network.html":{},"gcp/ir.html":{},"gcp/logging.html":{},"gcp/network.html":{},"general/compliance-frameworks.html":{},"general/genai.html":{}}}],["wrote",{"_index":5234,"title":{},"breadcrumb":{},"description":{},"body":{"azure/logging.html":{}}}],["x",{"_index":2422,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"aws/logging.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{}}}],["xdr",{"_index":5092,"title":{},"breadcrumb":{},"description":{},"body":{"azure/kubernetes.html":{},"azure/logging.html":{}}}],["xk",{"_index":7761,"title":{},"breadcrumb":{},"description":{},"body":{"general/data.html":{}}}],["xss",{"_index":7199,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{},"general/genai.html":{}}}],["xt",{"_index":7756,"title":{},"breadcrumb":{},"description":{},"body":{"ge
neral/data.html":{}}}],["xyz",{"_index":3839,"title":{},"breadcrumb":{},"description":{},"body":{"aws/workloads.html":{}}}],["xz",{"_index":8437,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["y",{"_index":1897,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"azure/iam.html":{},"gcp/data.html":{},"general/methodology.html":{},"general/workloads.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/logging.html":{},"oci/workloads.html":{}}}],["y%m%dt%h%m%sz",{"_index":9072,"title":{},"breadcrumb":{},"description":{},"body":{"oci/ir.html":{}}}],["yaml",{"_index":2679,"title":{},"breadcrumb":{},"description":{},"body":{"aws/kubernetes.html":{},"aws/logging.html":{},"azure/kubernetes.html":{},"gcp/data.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/workloads.html":{}}}],["yaml\">apivers",{"_index":5856,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/logging.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"oci/kubernetes.html":{}}}],["yaml\">awstemplateformatvers",{"_index":381,"title":{},"breadcrumb":{},"description":{},"body":{"aws/data.html":{},"aws/genai.html":{},"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{}}}],["yara",{"_index":8141,"title":{},"breadcrumb":{},"description":{},"body":{"general/logging.html":{}}}],["ye",{"_index":1776,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"oci/genai.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/logging.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["year",{"_index":1626,"title":{},"breadcrumb":{},"description":{},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/logging.html":{},"azure/data.html":{},"azure/ir.html":{},"azure/logging.html":{},"gcp/genai.html":{},"gcp/ir.html":{},"gcp/logging.htm
l":{},"general/data.html":{},"general/iam.html":{},"general/logging.html":{},"general/threat-model.html":{},"oci/data.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/logging.html":{}}}],["yield",{"_index":4036,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"gcp/data.html":{},"general/threat-model.html":{}}}],["yourself",{"_index":8795,"title":{},"breadcrumb":{},"description":{},"body":{"oci/iam.html":{}}}],["yubikey",{"_index":2101,"title":{},"breadcrumb":{},"description":{},"body":{"aws/ir.html":{},"oci/ir.html":{}}}],["yum/apt",{"_index":7391,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/workloads.html":{}}}],["yyyi",{"_index":8448,"title":{},"breadcrumb":{},"description":{},"body":{"general/workloads.html":{}}}],["zero",{"_index":1621,"title":{},"breadcrumb":{},"description":{"general/network.html":{}},"body":{"aws/iam.html":{},"aws/ir.html":{},"aws/kubernetes.html":{},"aws/logging.html":{},"aws/network.html":{},"aws/workloads.html":{},"azure/data.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"compliance-matrix.html":{},"gcp/data.html":{},"gcp/genai.html":{},"gcp/iam.html":{},"gcp/ir.html":{},"gcp/kubernetes.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/iam.html":{},"general/ir.html":{},"general/network.html":{},"general/shared-responsibility.html":{},"general/workloads.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/ir.html":{},"oci/kubernetes.html":{},"oci/network.html":{},"oci/workloads.html":{}}}],["zone",{"_index":3036,"title":{},"breadcrumb":{},"description":{"oci/genai.html":{},"oci/logging.html":{}},"body":{"aws/logging.html":{},"aws/network.html":{},"azure/kubernetes.html":{},"azure/network.html":{},"gcp/data.html":{},"gcp/network.html":{},"gcp/workloads.html":{},"general/ir.html":{},"general/logging.html":{},"general/network.html":{},"oci/genai.html":{},"oci/iam.html":{},"oci/index.html":{},"oci/logging.html":{},"oci/network.html":{}}}],["zone=europ",{"_index":5965,"title":{},"bre
adcrumb":{},"description":{},"body":{"gcp/data.html":{},"gcp/workloads.html":{}}}],["zone=googleapi",{"_index":7309,"title":{},"breadcrumb":{},"description":{},"body":{"gcp/network.html":{}}}],["zr",{"_index":3933,"title":{},"breadcrumb":{},"description":{},"body":{"azure/data.html":{},"azure/network.html":{}}}],["zscaler",{"_index":8255,"title":{},"breadcrumb":{},"description":{},"body":{"general/network.html":{}}}]],"pipeline":["stemmer"]},"documents":[{"id":"404.html","url":"404.html","title":"Page not found — Cloud Hardening Guide","breadcrumb":"Home Not found","description":"The page you requested doesn't exist on this site. Use the navigation to find what you need.","body":"Page not found The page you requested doesn't exist on this site. It may have been renamed, never existed, or you may have followed an outdated link. Use the section index in the sidebar to navigate to the topic you were looking for, or return to the home page below. Return to the home page"},{"id":"aws/data.html","url":"aws/data.html","title":"AWS Data Protection Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Data","description":"AWS data protection: S3 Block Public Access account-level, SSE-KMS with CMKs, EBS encryption-by-default, RDS encryption, KMS key policies, key rotation, Macie.","body":"AWS Data Protection Hardening Overview This page covers Amazon Web Services data protection across the storage and key-management surfaces that decide whether plaintext can leak from an AWS estate. Scope is the AWS commercial regions; AWS GovCloud (US) and the China regions inherit the same controls but expose a different key-material partition (KMS keys in aws-us-gov are not usable from commercial accounts and vice versa) — re-verify partition caveats before applying the IaC below outside commercial. 
CIS sub-IDs and NIST / ISO mappings reference the AWS commercial benchmark unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The cross-cutting principles — classification, encryption at rest, key management, and the separation of key custody from data custody — are explained in the General Data Protection page; this page maps them to AWS primitives. Encryption in transit is canonically treated in General Network — encryption in transit and AWS-specifically in AWS Network Hardening; this page does not re-author that material. Severity assignments follow the rubric documented in methodology; equivalence callouts at the bottom of each control point to the matching control on the Azure, GCP, and OCI sibling pages, and the compliance-frameworks page describes why each control row carries the same seven framework columns. Two anti-conflation callouts up front, because both pairs get muddled in audit reports and IaC reviews and the distinction matters for control design. First: S3 Block Public Access (BPA) has three scopes that are routinely confused. Bucket-level BPA is set per bucket via aws s3api put-public-access-block and protects that bucket only. Account-level BPA is set per account via the entirely different aws s3control put-public-access-block command (note the service: s3control, not s3api) and is a region-independent invariant that overrides any bucket-level setting in the account. Organization-level enforcement is achieved by an SCP that denies s3:PutAccountPublicAccessBlock removal and s3:PutBucketPublicAccessBlock with permissive payloads. Control aws-data-01 targets the account-level invariant pinned by an SCP — the highest leverage of the three. Second: S3 BPA is distinct from VPC Block Public Access (see aws-net-04). 
Both carry the \"Block Public Access\" name and both are region-wide invariants, but they protect entirely different resource families — S3 BPA fences bucket ACLs and bucket policies against public grants; VPC BPA fences VPCs against Internet Gateway-mediated traffic. Both must be on. Conflating them in a control catalogue (a real failure mode this site has seen in customer benchmark scorecards) means one of the two ends up disabled by accident. Order matters. Controls 01–04 are foundational data-at-rest invariants: lock public access to S3 at the account, force default KMS-CMK encryption on every new bucket, enable EBS encryption-by-default region-by-region, and encrypt every RDS instance with a customer-managed key. Controls 05–06 turn to the keys themselves: least-privilege key policies (so that having permission to use data and permission to decrypt data are separate grants) and automatic annual rotation. Control 07 closes the loop with Amazon Macie discovering PII that slipped into otherwise-controlled buckets. KMS keys used here are audited via CloudTrail data events — cross-reference the AWS-internal pointer to AWS Logging Hardening (control aws-log-02 CloudTrail S3 data events) once that page ships in Wave 2. Optional control aws-data-08 (S3 versioning + MFA-delete) is deferred per the 06-RESEARCH open question on regulated-bucket lifecycle rules. aws-data-01-s3-bpa-account ! CRITICAL PREVENTIVE Enable Amazon S3 Block Public Access at the account level in every AWS account, with all four sub-settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) set to true, and pin the setting with an organization-wide SCP that denies any principal in any member account from removing it. 
Account-level BPA is a region-independent invariant managed through the s3control API — distinct from per-bucket BPA which is managed through s3api — and overrides any bucket-level grant that would otherwise expose objects (AWS S3 User Guide — Block Public Access (accessed 2026-05)). It is the single highest-leverage S3 misconfiguration mitigation AWS exposes; CIS AWS Foundations v7.0.0 codifies it as control 2.1.4. The control deliberately uses the SCP pin (not just the account toggle) because every Capital-One-class incident in recent history followed the same template: a single bucket misconfigured by a single engineer in a single account where the platform team had not foreseen this account's emergence. MITIGATES: Public exposure of S3 buckets via permissive bucket ACLs, public bucket policies, or \"Authenticated Users\" group grants that resolve to every AWS principal globally — the canonical S3 data-leak class. ATTACK VECTOR: An engineer (or a Terraform module bundled by an over-eager community author) sets acl = \"public-read\" on a bucket that holds customer data, or attaches a bucket policy with Principal: \"*\". Search tooling indexes the bucket within hours; the data leaves the organisation before anyone reads the CloudTrail event. Account-level BPA refuses to apply the public grant in the first place — the API call to widen access returns AccessDenied from the BPA evaluator before the policy even reaches the bucket. BLAST RADIUS: Per account when on: every bucket in the account, current and future, is gated. SCP-pinning extends the blast radius reduction to every account in the Organization. With the control off: every bucket in the account is governed solely by bucket-level correctness, and one misconfigured bucket can expose unbounded objects. Remediation — AWS CLI <code class=\"language-bash\"># Account-level BPA — note the service is s3control (NOT s3api) and the account-id is required. 
aws s3control put-public-access-block \\ --account-id 111122223333 \\ --public-access-block-configuration \\ BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true # Verify (note the same service distinction). aws s3control get-public-access-block --account-id 111122223333 # Bucket-level BPA is a DIFFERENT command (kept for awareness; account-level is the canonical control). # aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration ...</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # Account-level BPA — once-per-account invariant. resource \"aws_s3_account_public_access_block\" \"this\" { block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } # Org-wide SCP pinning: deny removal of the account-level invariant from any member account. resource \"aws_organizations_policy\" \"deny_disable_s3_account_bpa\" { name = \"deny-disable-s3-account-bpa\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyDisableAccountBpa\" Effect = \"Deny\" Action = [ \"s3:PutAccountPublicAccessBlock\", \"s3:DeleteAccountPublicAccessBlock\" ] Resource = \"*\" Condition = { StringNotEquals = { \"aws:PrincipalArn\" = \"arn:aws:iam::${var.platform_account_id}:role/PlatformDataAdmin\" } } }] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Account-level S3 Block Public Access — denies any bucket from ever becoming public. 
Resources: AccountBpa: Type: AWS::S3::AccountPublicAccessBlock Properties: AccountId: !Ref AWS::AccountId BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_s3 as s3 } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class AccountS3BpaStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new s3.CfnAccountPublicAccessBlock(this, 'AccountBpa', { accountId: this.account, blockPublicAcls: true, blockPublicPolicy: true, ignorePublicAcls: true, restrictPublicBuckets: true, }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0: 2.1.4 | CIS Microsoft Azure Foundations v6.0.0: 3.x (verify) | CIS GCP Foundation v5.0.0: 5.x (verify) | CIS OCI Foundation v3.1.0: 4.x (verify) | NIST SP 800-53 rev5: AC-3; AC-6; SC-7 | ISO/IEC 27001:2022: A.5.10; A.8.3 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail s3:PutAccountPublicAccessBlock events where the request reduces any of the four flags (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) from true to false — disables the account-level guard so per-bucket public access becomes possible again. CloudTrail s3:DeletePublicAccessBlock at bucket scope — relies on the account-level block being false to actually allow public access, so this event paired with the account-level disable is the full regression chain. CloudTrail s3:PutBucketPolicy where the new policy has a Principal:\"*\" statement without a Condition on aws:SourceVpce, aws:SourceIp, or aws:PrincipalOrgID — the per-bucket equivalent that takes effect once the BPA guard is off. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.publicAccessBlockConfiguration, requestParameters.bucketName, requestParameters.policy, userIdentity.arn | filter eventSource = \"s3.amazonaws.com\" and eventName in [\"PutAccountPublicAccessBlock\",\"DeletePublicAccessBlock\",\"PutPublicAccessBlock\",\"PutBucketPolicy\"] | filter @message like /\"BlockPublicAcls\":false/ or @message like /\"RestrictPublicBuckets\":false/ or @message like /\"Principal\":\"\\*\"/ | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query catches all three regression paths in a single sweep; the raw-message regex is necessary because publicAccessBlockConfiguration is a nested JSON object and field-typed filters miss the boolean values inside it on most CloudTrail event variants. Alert threshold Any PutAccountPublicAccessBlock with any flag set to false — page immediately; the account-level BPA is the fleet-protection backstop and disabling any flag widens every bucket's potential exposure. DeletePublicAccessBlock at bucket scope on any non-data-distribution bucket — high-priority ticket; the bucket should either be tagged public-distribution=true with documented justification or remain locked down. Bucket policy with Principal:\"*\" and no condition — page; the bucket is now reachable by any anonymous caller and the data-classification tag determines whether the response is a containment incident or a routine misconfiguration ticket. Initial response Restore the account-level BPA with aws s3control put-public-access-block --account-id {acct} --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true. For the per-bucket case, re-apply the canonical bucket policy from IaC and immediately enable aws s3api put-public-access-block at bucket scope as defence-in-depth. 
Pull S3 server-access logs and CloudTrail data-event logs for the exposed bucket during the gap window, enumerate every GetObject request from outside the org's VPC-endpoint set, and open an incident via general/ir.html for each accessed object — every such object is a candidate exfiltration target and data-owners must be notified per the bucket's classification tag. References AWS S3 — block public access reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-data-02-s3-default-encryption-kms-cmk ! HIGH PREVENTIVE Set the default encryption on every S3 bucket to aws:kms with a customer-managed CMK — not the AWS-managed aws/s3 key. Since January 2023, AWS encrypts every new S3 object with at least SSE-S3 by default, so the question is no longer \"is encryption on\" but \"whose key is it\". The AWS-managed aws/s3 key has a key policy AWS controls; rotating it, revoking it, or applying granular grants to it is impossible from the customer side. A customer-managed CMK (referenced by ARN in the bucket's encryption configuration) puts the customer in control of the key policy, the rotation schedule (covered in aws-data-06), the deletion window, and the audit trail (each Decrypt/GenerateDataKey call is logged in CloudTrail) (AWS S3 User Guide — default bucket encryption (accessed 2026-05)). CIS AWS Foundations v7.0.0 codifies SSE on every bucket as 2.1.1; the CMK requirement is the hardened reading of that control. MITIGATES: Compromise of S3 plaintext via the provider plane (e.g. lawful-process compulsion targeting AWS-controlled keys); inability to revoke decrypt rights from a compromised account; absence of per-key audit trail. ATTACK VECTOR: An attacker (or insider) with s3:GetObject on a bucket reads its objects. Under SSE-S3 or SSE-KMS with the AWS-managed key, the read succeeds with no additional gate beyond the S3 IAM check. 
Under SSE-KMS with a customer-managed CMK whose key policy enumerates allowed role ARNs explicitly, the read also requires kms:Decrypt on the CMK — a separate authorisation surface that can be revoked instantly without touching the S3 ACL graph. BLAST RADIUS: Per bucket: every object in the bucket either has a customer-managed-CMK gate on read or it does not. Per account (via default encryption configuration on every bucket): all future PUT operations inherit the configured encryption. Remediation — AWS CLI <code class=\"language-bash\"># Set default encryption on a bucket to SSE-KMS with a customer-managed CMK. aws s3api put-bucket-encryption \\ --bucket my-regulated-bucket \\ --server-side-encryption-configuration '{ \"Rules\": [{ \"ApplyServerSideEncryptionByDefault\": { \"SSEAlgorithm\": \"aws:kms\", \"KMSMasterKeyID\": \"arn:aws:kms:eu-west-1:111122223333:key/abcd1234-...\" }, \"BucketKeyEnabled\": true }] }' # Audit: every bucket missing aws:kms with a CMK ARN. aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\\t' '\\n' | while read b; do aws s3api get-bucket-encryption --bucket \"$b\" 2>/dev/null \\ | grep -q '\"SSEAlgorithm\": \"aws:kms\"' || echo \"MISSING-CMK $b\" done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_kms_key\" \"data_bucket\" { description = \"CMK for regulated S3 buckets\" deletion_window_in_days = 30 enable_key_rotation = true } resource \"aws_kms_alias\" \"data_bucket\" { name = \"alias/data-bucket-cmk\" target_key_id = aws_kms_key.data_bucket.key_id } resource \"aws_s3_bucket\" \"regulated\" { bucket = \"my-regulated-bucket\" } resource \"aws_s3_bucket_server_side_encryption_configuration\" \"regulated\" { bucket = aws_s3_bucket.regulated.id rule { apply_server_side_encryption_by_default { sse_algorithm = \"aws:kms\" kms_master_key_id = aws_kms_key.data_bucket.arn } bucket_key_enabled = true } }</code> Remediation — 
CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: S3 bucket using SSE-KMS with a customer-managed CMK and bucket key enabled. Parameters: BucketName: Type: String KmsKeyArn: Type: String Resources: EncryptedBucket: Type: AWS::S3::Bucket Properties: BucketName: !Ref BucketName BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: true ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: !Ref KmsKeyArn PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true</code> Compliance mapping CIS AWS Foundations v7.0.0: 2.1.1 | CIS Microsoft Azure Foundations v6.0.0: 3.x (verify) | CIS GCP Foundation v5.0.0: 5.x (verify) | CIS OCI Foundation v3.1.0: 4.x (verify) | NIST SP 800-53 rev5: SC-13; SC-28 | ISO/IEC 27001:2022: A.8.24; A.5.34 | ISO/IEC 27017:2015: n/a Log signals CloudTrail s3:PutBucketEncryption events where requestParameters.serverSideEncryptionConfiguration.rules[0].applyServerSideEncryptionByDefault.sSEAlgorithm shifts from aws:kms to AES256 — drops the CMK-controlled key surface and falls back to S3-managed keys, breaking the key-policy enforcement boundary that downstream IAM relies on. PutBucketEncryption with aws:kms retained but kmsMasterKeyID changed to an alias not in the canonical CMK allow-list — silently re-keys the bucket against a key whose policy may be more permissive. s3:DeleteBucketEncryption events — removes the default-encryption setting entirely; new object uploads still encrypt at rest (S3 enforces this) but with S3-managed keys, the same fallback as AES256. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.bucketName, requestParameters.serverSideEncryptionConfiguration, userIdentity.arn | filter eventSource = \"s3.amazonaws.com\" and eventName in [\"PutBucketEncryption\",\"DeleteBucketEncryption\"] | filter eventName = \"DeleteBucketEncryption\" or @message like /\"SSEAlgorithm\":\"AES256\"/ or @message like /\"SSEAlgorithm\":null/ | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query addresses both regression variants; for the CMK-swap case, layer in a second query that joins against the canonical CMK alias list maintained as an SSM Parameter Store value, since the alias-to-key-id resolution can drift over time. Alert threshold Any PutBucketEncryption shifting to AES256 in production — page immediately; the CMK key-policy layer disappears at that point and the bucket's data is effectively re-keyed to S3-managed at the next write. CMK alias swap to a key outside the allow-list — high-priority ticket within 30 minutes; the destination key's policy may grant decrypt to broader principals and the data's effective access boundary widens. DeleteBucketEncryption — page; same severity as the AES256 shift and indicates an operator believes encryption is not required for the bucket, which is never the org-policy default. Initial response Restore the encryption configuration with aws s3api put-bucket-encryption --bucket {name} --server-side-encryption-configuration file://canonical-encryption.json referencing the canonical CMK alias; confirm via get-bucket-encryption read-back. For objects written during the gap window, identify them via S3 Inventory or by listing objects with a LastModified timestamp inside the window; re-encrypt with the canonical CMK via in-place copy (aws s3 cp s3://{bucket}/{key} s3://{bucket}/{key} --sse aws:kms --sse-kms-key-id {alias}). 
Open an incident per general/ir.html if the bucket holds regulated data (PII, PHI, financial); the data-owner must be notified of the encryption-key change because key-rotation audit trails and BYOK attestations cover the canonical CMK but not the S3-managed fallback. References AWS S3 — default encryption reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-data-03-ebs-encryption-by-default ! HIGH PREVENTIVE Enable EBS encryption-by-default in every region of every AWS account, and reference a customer-managed CMK as the default EBS key (not the AWS-managed aws/ebs key) so that the key policy, rotation schedule, and audit trail sit with the customer. Once on, every new EBS volume — root and data — is created encrypted with the configured CMK with no additional caller action; every new EBS snapshot is encrypted; every AMI built from an encrypted volume inherits encryption (Amazon EC2 — EBS encryption (accessed 2026-05)). The setting is per-region (not per-account global) — a single API call disables the invariant for that region, so the enable loop must iterate every active region and the configuration must be re-checked when AWS launches a new region. CIS AWS Foundations v7.0.0 codifies the default-encryption requirement as 2.2.1. MITIGATES: Plaintext recovery from a detached EBS volume or snapshot — whether obtained via an over-broad ec2:CreateSnapshot + ec2:ModifySnapshotAttribute share to an attacker account, or via lawful-process compulsion at the storage layer. ATTACK VECTOR: An attacker with ec2:CreateSnapshot on an EBS volume creates a snapshot and shares it with an external account they control. Without encryption-by-default, the snapshot is shareable and readable by the external account. 
With encryption-by-default and a customer-managed CMK whose key policy does not grant kms:Decrypt to the external account, the snapshot share still succeeds but the external account cannot decrypt the contents — a separate authorisation surface again. BLAST RADIUS: Per region per account: every future EBS volume / snapshot / AMI in the region inherits encryption. Existing unencrypted volumes are unaffected — explicit migration via snapshot-and-restore is required (re-verify the post-enable migration runbook before claiming compliance). Remediation — AWS CLI <code class=\"language-bash\"># Enable encryption-by-default per region. for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws ec2 enable-ebs-encryption-by-default --region \"$region\" # Point the per-region default to a customer-managed CMK (not aws/ebs). aws ec2 modify-ebs-default-kms-key-id \\ --region \"$region\" \\ --kms-key-id alias/ebs-default-cmk done # Verify per region. aws ec2 get-ebs-encryption-by-default --region eu-west-1 aws ec2 get-ebs-default-kms-key-id --region eu-west-1</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_kms_key\" \"ebs_default\" { description = \"EBS default encryption CMK (per region)\" deletion_window_in_days = 30 enable_key_rotation = true } resource \"aws_kms_alias\" \"ebs_default\" { name = \"alias/ebs-default-cmk\" target_key_id = aws_kms_key.ebs_default.key_id } resource \"aws_ebs_encryption_by_default\" \"this\" { enabled = true } resource \"aws_ebs_default_kms_key\" \"this\" { key_arn = aws_kms_key.ebs_default.arn }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config managed rule asserting EBS encryption-by-default is enabled in the region. 
Resources: EbsEncryptionByDefaultRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: ec2-ebs-encryption-by-default Source: Owner: AWS SourceIdentifier: EC2_EBS_ENCRYPTION_BY_DEFAULT</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 2.2.1 7.x (verify) 4.x (verify) 5.x (verify) SC-28; SC-13 A.8.24 n/a Log signals CloudTrail ec2:DisableEbsEncryptionByDefault events at region scope — turns off the default-on guard so subsequent CreateVolume calls land an unencrypted volume unless the caller explicitly opts in. CloudTrail ec2:ModifyEbsDefaultKmsKeyId changing the default key to an alias outside the org's data-encryption CMK allow-list — silently re-keys all subsequently-created volumes against a different key whose policy may not be aligned with the data classification. CloudTrail ec2:CreateVolume events where responseElements.volume.encrypted is false — direct evidence of an unencrypted volume creation, useful as backstop signal when the regional default was flipped but the modifier event was missed. Query <code class=\"language-sql\">fields @timestamp, eventName, awsRegion, requestParameters.kmsKeyId, responseElements.volume.encrypted, responseElements.volume.volumeId, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName in [\"DisableEbsEncryptionByDefault\",\"ModifyEbsDefaultKmsKeyId\",\"CreateVolume\"] | filter eventName != \"CreateVolume\" or responseElements.volume.encrypted = false | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query covers all three signals in one pass; for the CreateVolume backstop, layer in a daily inventory job that runs describe-volumes --filters Name=encrypted,Values=false and reports any volume that survived past its expected ephemeral lifetime. 
Alert threshold Any DisableEbsEncryptionByDefault in production — page immediately and re-enable within minutes; the regional default is the fleet-wide guard and every subsequent volume creation post-disable lands unencrypted. Default-key change to an alias outside the data-encryption CMK allow-list — high-priority ticket within 30 minutes; the new default key's policy needs validation against the data-encryption posture. CreateVolume with encrypted=false in production — page; the volume must be terminated or migrated to an encrypted snapshot before any sensitive data lands on it. Initial response Re-enable EBS encryption-by-default in every affected region with aws ec2 enable-ebs-encryption-by-default --region {region}; restore the canonical default-CMK with modify-ebs-default-kms-key-id. Inventory unencrypted volumes via aws ec2 describe-volumes --filters Name=encrypted,Values=false Name=tag:env,Values=prod; for each volume, create an encrypted snapshot (aws ec2 create-snapshot with --encrypted), then create a replacement volume from the encrypted snapshot, swap the volume on the EC2 instance during the next maintenance window, and delete the unencrypted source after the swap commits. Open an incident via general/ir.html if any unencrypted volume holds data classified above public; treat the data as having been at risk during the volume's unencrypted lifetime and notify data-owners per the classification. References AWS EC2 — EBS encryption reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-data-04-rds-encryption-at-rest ! HIGH PREVENTIVE Encrypt every Amazon RDS instance and Aurora cluster at rest with a customer-managed CMK; encrypt Performance Insights data with the same CMK family; enable deletion protection. 
RDS encryption at rest is set at instance creation and cannot be toggled on an existing unencrypted instance — the documented migration is snapshot → copy snapshot with encryption → restore from copy, which requires a maintenance window and capacity for two copies of the database during the migration (Amazon RDS — encryption at rest (accessed 2026-05)). This single property makes \"encrypt RDS at creation\" a foundational invariant: missing it at provisioning time creates technical debt that is materially expensive to repay. CIS AWS Foundations v7.0.0 codifies the requirement as 2.3.1. MITIGATES: Plaintext recovery from RDS underlying storage, automated backups, snapshots, and Performance Insights metric storage — for the same provider-plane and lawful-process reasons enumerated in aws-data-02 and aws-data-03. ATTACK VECTOR: An attacker with rds:CreateDBSnapshot and rds:ModifyDBSnapshotAttribute shares an unencrypted snapshot to a foreign account and restores. With CMK encryption, the snapshot share is refused for unencrypted snapshots-of-encrypted-instances (RDS forbids it) and the foreign account, lacking kms:Decrypt on the CMK, cannot restore even if a share somehow succeeded. BLAST RADIUS: Per instance / cluster: encryption is a creation-time property; existing instances remain unencrypted until explicitly migrated. Per account: every new RDS instance going through the platform's IaC catalogue inherits encryption when the modules default to it. Remediation — AWS CLI <code class=\"language-bash\"># Audit: every RDS instance without storage encryption. aws rds describe-db-instances \\ --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier,Engine]' \\ --output table # New instance: encryption-at-rest with CMK, performance-insights encryption, deletion protection. 
aws rds create-db-instance \\ --db-instance-identifier prod-orders \\ --engine postgres --engine-version 16.3 \\ --db-instance-class db.r6i.large \\ --allocated-storage 100 \\ --storage-encrypted \\ --kms-key-id arn:aws:kms:eu-west-1:111122223333:key/abcd1234-... \\ --enable-performance-insights \\ --performance-insights-kms-key-id arn:aws:kms:eu-west-1:111122223333:key/abcd1234-... \\ --deletion-protection \\ --master-username postgres \\ --master-user-password \"$(aws secretsmanager get-random-password --output text)\" # Existing unencrypted instance: documented snapshot → copy-with-encryption → restore path. # (Requires a maintenance window; not in-place.)</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_kms_key\" \"rds\" { description = \"RDS encryption-at-rest CMK\" deletion_window_in_days = 30 enable_key_rotation = true } resource \"aws_db_instance\" \"prod_orders\" { identifier = \"prod-orders\" engine = \"postgres\" engine_version = \"16.3\" instance_class = \"db.r6i.large\" allocated_storage = 100 storage_encrypted = true kms_key_id = aws_kms_key.rds.arn performance_insights_enabled = true performance_insights_kms_key_id = aws_kms_key.rds.arn performance_insights_retention_period = 731 deletion_protection = true backup_retention_period = 30 username = \"postgres\" manage_master_user_password = true master_user_secret_kms_key_id = aws_kms_key.rds.arn }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config managed rule asserting all RDS DB instances are encrypted at rest. 
Resources: RdsStorageEncryptedRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: rds-storage-encrypted Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 2.3.1 4.x (verify) 6.x (verify) 5.x (verify) SC-28; SC-13 A.8.24 n/a Log signals CloudTrail rds:CreateDBInstance or rds:CreateDBCluster events where requestParameters.storageEncrypted is false — RDS does not allow toggling encryption after creation, so the at-launch signal is the only practical detection point and there is no in-flight remediation other than snapshot-restore. CloudTrail rds:ModifyDBInstance where requestParameters.publiclyAccessible flips to true on a previously-private instance — adjacent posture regression that frequently accompanies the encryption-at-rest gap and matters for the data-exposure response. CloudTrail rds:RestoreDBInstanceFromDBSnapshot where the source snapshot was unencrypted and the restore creates a new unencrypted instance — alternative path to unencrypted RDS that bypasses the CreateDBInstance filter. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.dBInstanceIdentifier, requestParameters.storageEncrypted, requestParameters.publiclyAccessible, requestParameters.kmsKeyId, userIdentity.arn | filter eventSource = \"rds.amazonaws.com\" and eventName in [\"CreateDBInstance\",\"CreateDBCluster\",\"RestoreDBInstanceFromDBSnapshot\",\"ModifyDBInstance\"] | filter requestParameters.storageEncrypted = false or requestParameters.publiclyAccessible = true | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query catches both regression paths; for the snapshot-restore case, layer in a second query on rds:CopyDBSnapshot events where the copy is created without kmsKeyId (the copy is the only step that can introduce encryption to a previously-unencrypted snapshot). Alert threshold Any CreateDBInstance or CreateDBCluster with storageEncrypted=false in production — page immediately; the instance cannot be encrypted after creation and the only path is snapshot-copy-encrypted + restore, which means downtime to fix. ModifyDBInstance with publiclyAccessible=true on any RDS instance holding data classified above public — page; the data is now Internet-reachable subject only to the security-group and master-credential gate. RestoreDBInstanceFromDBSnapshot from an unencrypted snapshot — high-priority ticket; the restore creates a new unencrypted instance and the operator should have used a copy-encrypted intermediate snapshot. Initial response For unencrypted production instances: create an encrypted snapshot via aws rds copy-db-snapshot --kms-key-id {alias}, restore the encrypted snapshot to a new instance, swap the application's connection string in a maintenance window, then delete the unencrypted source after verifying the encrypted replacement is fully caught up. 
For publicly-accessible RDS, immediately modify with aws rds modify-db-instance --no-publicly-accessible --apply-immediately; the change is non-disruptive but DNS propagation can take minutes during which the previous public endpoint may still resolve. Open an incident via general/ir.html; pull VPC Flow Logs for the RDS ENI during the public-access window and enumerate every inbound flow from outside the corporate egress CIDRs — each is a candidate adversary connection that may have authenticated against the master credentials. References AWS RDS — encryption at rest reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-data-05-kms-key-policy-least-priv ! CRITICAL PREVENTIVE Author each customer-managed KMS key policy to grant kms:Decrypt and kms:GenerateDataKey only to specific role ARNs that have a documented need, retain the root-account grant for break-glass administration (do not remove it — without it the key becomes unmanageable if the only admin role is lost), and set a deletion window of at least 30 days. The key policy is the single authority on who can use a CMK — IAM permissions are not sufficient on their own; both layers must agree (AWS KMS Developer Guide — key policies (accessed 2026-05)). The most common antipattern (audited against the Phase 5 IAM rubric of least privilege) is the open Principal: \"*\" with a kms:ViaService condition, which permits decrypt by any principal that can route a call via the named service. CRITICAL because a permissive key policy nullifies every other data-at-rest control on this page: encryption with a key that anyone can decrypt is theatre. MITIGATES: Privilege escalation to plaintext via a permissive key policy; loss of administrative access via accidental removal of the root grant; rushed key deletion during a panic incident before a forensic image is captured. ATTACK VECTOR: An attacker assumes a low-privilege role in the account. 
The role has no direct s3:GetObject on the regulated bucket, but the bucket's CMK has a key policy granting kms:Decrypt to Principal: \"*\" with no condition narrower than aws:PrincipalAccount. The attacker calls kms:Decrypt on ciphertext exfiltrated by an indirect path (e.g. via CloudTrail logs or replication targets) and recovers plaintext. BLAST RADIUS: Per CMK: every object encrypted under the key, including snapshots and replicas. Recovery from a permissive policy requires re-encrypting the data under a properly-scoped key — a costly operation at scale. Remediation — AWS CLI <code class=\"language-bash\"># Inspect existing key policy. aws kms get-key-policy --key-id alias/data-bucket-cmk --policy-name default \\ | jq -r .Policy | jq . # Replace with a least-privilege policy. cat > /tmp/key-policy.json <<'JSON' { \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"RootAccountBreakGlass\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"}, \"Action\": \"kms:*\", \"Resource\": \"*\" }, { \"Sid\": \"AppRoleEncryptDecrypt\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/app-prod\"}, \"Action\": [\"kms:Decrypt\", \"kms:GenerateDataKey\", \"kms:DescribeKey\"], \"Resource\": \"*\" } ] } JSON aws kms put-key-policy \\ --key-id alias/data-bucket-cmk \\ --policy-name default \\ --policy file:///tmp/key-policy.json</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) data \"aws_caller_identity\" \"current\" {} resource \"aws_kms_key\" \"data_bucket\" { description = \"CMK for regulated S3 buckets (least-privilege policy)\" deletion_window_in_days = 30 enable_key_rotation = true policy = jsonencode({ Version = \"2012-10-17\" Statement = [ { Sid = \"RootAccountBreakGlass\" Effect = \"Allow\" Principal = { AWS = \"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root\" } Action = \"kms:*\" Resource = \"*\" }, { 
Sid = \"AppRoleEncryptDecrypt\" Effect = \"Allow\" Principal = { AWS = [ \"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-prod\" ] } Action = [ \"kms:Decrypt\", \"kms:GenerateDataKey\", \"kms:DescribeKey\" ] Resource = \"*\" } ] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: KMS CMK with a least-privilege key policy — admin and usage principals separated, no Principal '*'. Parameters: AdminRoleArn: Type: String UsageRoleArn: Type: String Resources: AppCmk: Type: AWS::KMS::Key Properties: Description: Application-scoped CMK with admin/usage separation. EnableKeyRotation: true KeyPolicy: Version: '2012-10-17' Statement: - Sid: EnableAccountRoot Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: kms:* Resource: '*' - Sid: AdminPlane Effect: Allow Principal: AWS: !Ref AdminRoleArn Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:TagResource - kms:UntagResource - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion Resource: '*' - Sid: UsagePlane Effect: Allow Principal: AWS: !Ref UsageRoleArn Action: - kms:Encrypt - kms:Decrypt - kms:ReEncrypt* - kms:GenerateDataKey* - kms:DescribeKey Resource: '*'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_kms as kms, aws_iam as iam } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface AppCmkProps extends cdk.StackProps { adminRoleArn: string; usageRoleArn: string; "},{"id":"aws/genai.html","url":"aws/genai.html","title":"AWS Bedrock GenAI Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS GenAI","description":"AWS Bedrock GenAI hardening: IAM least privilege, Guardrails content filter, VPC endpoints, invocation logging, CloudTrail, prompt attack detection, Agent role scoping, Knowledge Base auth, 
cross-region inference, org enforcement.","body":"AWS Bedrock GenAI Hardening Overview This page covers Amazon Bedrock — the managed model API service that provides access to foundation models from Amazon, Anthropic, Meta, Mistral, and others via a unified inference API. In scope: Bedrock managed model API, Bedrock Guardrails, Bedrock Agents, and Bedrock Knowledge Bases. Not in scope: Amazon SageMaker training and self-hosted models (these have separate hardening surfaces not covered here). For the underlying threat model and cross-cutting GenAI security principles that apply to all managed LLM API services, see General GenAI Hardening. Key infrastructure prerequisites are covered on sibling pages: aws-iam-08 — SCP deny-list at Organizations (SCP pattern used in multiple controls on this page) and AWS Network (VPC endpoint pattern for aws-genai-03). Controls are ordered severity-descending: three CRITICAL PREVENTIVE controls appear first (IAM least privilege, prompt attack detection, Agent role scoping), followed by six HIGH controls, then one MEDIUM control. Equivalence links to Azure OpenAI, GCP Vertex AI, and OCI Generative AI controls are HTML comments during authoring and will be made live in the Phase 14 Wave 4 seal. aws-genai-01-iam-least-privilege ! CRITICAL PREVENTIVE Scope bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream IAM permissions to specific model ARNs (e.g., arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0). Never grant bedrock:InvokeModel with resource *. Use condition keys bedrock:ModelId and bedrock:InferenceProfileArn to restrict callers to approved model versions. Attach policies to roles, not IAM users. Wildcard resource grants allow a compromised role to pivot to any model — including expensive frontier models with larger capability profiles than the intended use case. 
MITIGATES: LLM06:2025 excessive agency via over-privileged IAM role and LLM08:2025 vector-database abuse through unrestricted model access. ATTACK VECTOR: Compromised application role with wildcard bedrock:InvokeModel allows pivoting to any model including expensive or high-capability foundation models that are not part of the approved application design. BLAST RADIUS: Unbounded model invocation costs and access to models with different capability profiles; attacker can invoke large-context models with exfiltration payloads or use Bedrock capacity for unrelated compute abuse. Remediation — AWS CLI <code class=\"language-bash\"># AWS CLI v2 — enumerate available foundation models aws bedrock list-foundation-models \\ --output json \\ --query 'modelSummaries[].{id:modelId,provider:providerName,status:modelLifecycle.status}' # Simulate effective permissions for a role aws iam simulate-principal-policy \\ --policy-source-arn \"${ROLE_ARN}\" \\ --action-names bedrock:InvokeModel \\ --resource-arns \"arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0\" \\ --query 'EvaluationResults[].{action:EvalActionName,decision:EvalDecision}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_iam_policy\" \"bedrock_invoke_scoped\" { name = \"bedrock-invoke-scoped\" description = \"Allow InvokeModel only on approved Bedrock model ARNs\" policy = jsonencode({ Version = \"2012-10-17\" Statement = [ { Sid = \"AllowScopedBedrockInvoke\" Effect = \"Allow\" Action = [ \"bedrock:InvokeModel\", \"bedrock:InvokeModelWithResponseStream\" ] Resource = [ \"arn:aws:bedrock:${var.region}::foundation-model/${var.allowed_model_id}\" ] Condition = { StringEquals = { \"bedrock:ModelId\" = var.allowed_model_id } } } ] }) } resource \"aws_iam_role_policy_attachment\" \"bedrock_invoke_attachment\" { role = aws_iam_role.app_role.name policy_arn = aws_iam_policy.bedrock_invoke_scoped.arn }</code> Remediation — 
CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Least-privilege IAM role allowing a single application to invoke a single Bedrock model. Parameters: AppPrincipalArn: Type: String AllowedModelId: Type: String Default: anthropic.claude-3-5-sonnet-20241022-v2:0 Resources: BedrockInvokerRole: Type: AWS::IAM::Role Properties: RoleName: bedrock-app-invoker AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Ref AppPrincipalArn Action: sts:AssumeRole ManagedPolicyArns: - !Ref BedrockInvokeOnlyPolicy BedrockInvokeOnlyPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: bedrock-invoke-one-model PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - bedrock:InvokeModel - bedrock:InvokeModelWithResponseStream Resource: !Sub 'arn:aws:bedrock:${AWS::Region}::foundation-model/${AllowedModelId}'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_iam as iam } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface BedrockInvokerProps extends cdk.StackProps { appPrincipalArn: string; allowedModelId: string; } export class BedrockInvokerStack extends cdk.Stack { constructor(scope: Construct, id: string, props: BedrockInvokerProps) { super(scope, id, props); const policy = new iam.ManagedPolicy(this, 'BedrockInvokeOneModel', { managedPolicyName: 'bedrock-invoke-one-model', statements: [ new iam.PolicyStatement({ actions: ['bedrock:InvokeModel', 'bedrock:InvokeModelWithResponseStream'], resources: [`arn:aws:bedrock:${this.region}::foundation-model/${props.allowedModelId}`], }), ], }); new iam.Role(this, 'BedrockInvokerRole', { roleName: 'bedrock-app-invoker', assumedBy: new iam.ArnPrincipal(props.appPrincipalArn), managedPolicies: [policy], }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 
CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; IA-2 A.5.15; A.5.18 CLD.12.1.5 LLM06:2025; LLM08:2025 Information Security Art. 55 (in force 2025-08-02) Log signals CloudTrail iam:AttachUserPolicy or iam:AttachRolePolicy events granting bedrock-runtime:* or bedrock:* to principals outside the documented AI-platform allow-list — opens the foundation-model invocation surface to non-AI workloads or human users, defeating the IAM-scoping intent. CloudTrail bedrock-runtime:InvokeModel events whose userIdentity.arn matches a principal not enumerated in the canonical allow-list TSV — the SDK call path indicates the over-permissioned principal is actually exercising the model invocation surface, which is the actionable second-order signal. CloudTrail iam:CreateRole followed within minutes by iam:PutRolePolicy with a permission statement including bedrock-runtime:InvokeModel on Resource:\"*\" — the role-creation pattern frequently used to grant a one-off principal access to Bedrock without going through the platform team. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.userName, requestParameters.roleName, requestParameters.policyArn, requestParameters.policyDocument, userIdentity.arn | filter eventSource = \"iam.amazonaws.com\" and eventName in [\"AttachUserPolicy\",\"AttachRolePolicy\",\"PutRolePolicy\",\"PutUserPolicy\"] | filter @message like /bedrock-runtime/ or @message like /\"bedrock:\\*\"/ or @message like /BedrockFullAccess/ | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights filter pattern-matches on the bedrock IAM action namespace; pair with a daily Lambda that walks every principal with bedrock-runtime permissions via iam:SimulatePrincipalPolicy and diffs the resulting set against the AI-platform allow-list TSV maintained in the IaC repository. Alert threshold Any principal acquiring bedrock-runtime:* or BedrockFullAccess outside the AI-platform allow-list — page immediately; the bedrock-runtime surface includes high-cost model invocations and the principal can incur material spend before detection if alerting lags. An InvokeModel call from a principal outside the allow-list — high-priority ticket within 15 minutes; the over-permissioned principal is actively using the privilege rather than just holding it. Role-create-then-policy-attach sequence (within 5 minutes of role-create) granting bedrock permissions — page; the rapid sequence is a deliberate side-step of the platform team's review process. Initial response Detach the over-privileged policy with aws iam detach-role-policy or detach-user-policy; if the principal was created specifically for the over-privileged access, delete the role / user after archiving its CloudTrail trail for forensic review. Inventory the principal's InvokeModel calls during the over-privileged window via CloudTrail; enumerate model IDs, regions, and request sizes to scope the cost-impact and the data-leakage surface (inputText payloads frequently contain sensitive prompt content). 
Open an incident via general/ir.html if the inputText payloads contained customer data or proprietary content; the model provider's invocation log retains the prompts for the foundation-model provider's diagnostic retention window and may require a customer-data-deletion request to be filed. References AWS Bedrock — IAM permissions reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI aws-genai-06-guardrails-prompt-attack ! CRITICAL PREVENTIVE Enable Bedrock Guardrails prompt attack detection policy. Prompt attack detection requires the Standard tier of Bedrock Guardrails. Basic tier does not include this capability. Verify your guardrail tier in the Bedrock console before relying on this control. Standard tier applies a separate ML classifier to detect jailbreak attempts, prompt injection, and prompt leakage before the prompt reaches the foundation model. This is DISTINCT from the content filter policy (aws-genai-02): prompt attack detection is an input-layer classification that identifies adversarial instructions attempting to override the system prompt, whereas the content filter moderates harm categories in outputs. Both must be configured — neither alone is sufficient. MITIGATES: LLM01:2025 direct and indirect prompt injection attacks. ATTACK VECTOR: Adversarial input crafted to override the system prompt, exfiltrate context window contents, or cause the model to execute unauthorized tool calls. Includes jailbreak phrases, role-play overrides, and encoded injection payloads that bypass system-prompt constraints. BLAST RADIUS: System-prompt override enabling data exfiltration from the RAG context window, agentic tool misuse through injected instructions, and generation of policy-violating content after bypass. 
Remediation — AWS CLI <code class=\"language-bash\"># AWS CLI v2 — check if prompt attack detection is configured on a guardrail aws bedrock get-guardrail \\ --guardrail-id \"${GUARDRAIL_ID}\" \\ --query \"contentPolicy.filters[?type=='PROMPT_ATTACK']\" # Create a guardrail with prompt attack detection enabled (Standard tier) # The tier must be STANDARD for prompt attack detection to be available aws bedrock create-guardrail \\ --name \"prod-guardrail\" \\ --blocked-input-messaging \"This input has been flagged and cannot be processed.\" \\ --blocked-outputs-messaging \"This output has been filtered.\" \\ --content-policy-config 'filtersConfig=[{type=PROMPT_ATTACK,inputStrength=HIGH,outputStrength=NONE}]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Note: prompt attack detection requires Bedrock Guardrails Standard tier. # Verify the tier argument name against the Terraform Registry for hashicorp/aws # at the version pinned in your configuration (~> 5.60.0 minimum recommended). resource \"aws_bedrock_guardrail\" \"prompt_attack\" { name = var.guardrail_name blocked_input_messaging = \"This input has been flagged and cannot be processed.\" blocked_outputs_messaging = \"This output has been filtered.\" content_policy_config { filters_config { type = \"PROMPT_ATTACK\" input_strength = \"HIGH\" output_strength = \"NONE\" } } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Bedrock Guardrail with HIGH-strength PROMPT_ATTACK filter and minimal content baseline. Resources: PromptAttackGuardrail: Type: AWS::Bedrock::Guardrail Properties: Name: prompt-attack-guardrail BlockedInputMessaging: Your input was blocked because it appears to attempt prompt injection. BlockedOutputsMessaging: The model response was blocked due to a guardrail violation. 
ContentPolicyConfig: FiltersConfig: - Type: PROMPT_ATTACK InputStrength: HIGH OutputStrength: NONE</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_bedrock as bedrock } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class PromptAttackGuardrailStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new bedrock.CfnGuardrail(this, 'PromptAttackGuardrail', { name: 'prompt-attack-guardrail', blockedInputMessaging: 'Your input was blocked because it appears to attempt prompt injection.', blockedOutputsMessaging: 'The model response was blocked due to a guardrail violation.', contentPolicyConfig: { filtersConfig: [ { type: 'PROMPT_ATTACK', inputStrength: 'HIGH', outputStrength: 'NONE' }, ], }, }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-10; SI-15 A.8.28 n/a LLM01:2025 Information Integrity Art. 55 (in force 2025-08-02) Log signals CloudTrail bedrock:DeleteGuardrail events on production guardrails whose name matches the canonical naming convention — destroys the prompt-attack filter outright; subsequent invocations route directly to the foundation model without input filtering. CloudTrail bedrock:UpdateGuardrail events where the diff removes a contentPolicyConfig.filtersConfig entry of type PROMPT_ATTACK, or where strength is downgraded from HIGH to NONE / LOW — silently weakens the prompt-attack filter while the guardrail remains in place. 
Bedrock invocation logs (CloudWatch Logs group configured via aws-genai-04-invocation-logging) where the amazon-bedrock-guardrails-trace.assessments[*].topicPolicy.topics[*].action shifts from BLOCKED to NONE at the rate level — passive signal that the guardrail is being bypassed at invocation time even when the configuration looks intact. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.guardrailIdentifier, requestParameters.name, requestParameters.contentPolicyConfig, userIdentity.arn | filter eventSource = \"bedrock.amazonaws.com\" and eventName in [\"DeleteGuardrail\",\"UpdateGuardrail\",\"CreateGuardrail\"] | filter @message like /PROMPT_ATTACK/ or eventName = \"DeleteGuardrail\" | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights filter targets prompt-attack-relevant guardrail mutations; downstream the invocation-time signal can be queried against the Bedrock invocation log group using the structured amazon-bedrock-guardrails-trace JSON. Alert threshold Any DeleteGuardrail on a production guardrail — page immediately; downstream applications using the guardrail in their invocation parameters will fail-open to unfiltered model responses at the moment of delete. Prompt-attack filter strength downgrade — high-priority ticket within 15 minutes; the downgrade may be a deliberate tuning step but should always trace to an experiment-tracking ticket with a documented test result. Invocation-trace BLOCKED-to-NONE rate shift above 10% week-over-week — informational; promote to incident if the shift exceeds 50% since it indicates either a configuration regression or an attacker successfully tuning their prompts to evade the filter. Initial response Restore the guardrail from IaC with aws bedrock update-guardrail or create-guardrail referencing the canonical configuration; confirm via get-guardrail that the PROMPT_ATTACK filter is present with the expected strength. 
Audit the Bedrock invocation logs during the gap window for any prompt patterns matching known prompt-injection / jailbreak idioms (instruction-override, role-impersonation, system-prompt-leakage); these prompts were unfiltered and the corresponding model outputs may contain leaked instructions or sensitive content. Open an incident via general/ir.html if any unfiltered invocation produced a response that the guardrail would have blocked; the downstream consumer of the response may have acted on adversary-controlled content and the consumer's recent actions need a manual review. References AWS Bedrock — guardrails prompt-attack filter (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI aws-genai-07-agent-execution-role-scoping ! CRITICAL PREVENTIVE Scope Bedrock Agent action-group execution roles to the minimum required ARNs — no wildcard * in Resource for Lambda function invocations, S3 objects, or API Gateway endpoints. Each action group should have its own least-privileged IAM role. Bedrock Agents inherit the execution role's permissions during orchestration; an over-permissioned role enables an adversary who can inject into the agent's reasoning trace to trigger unintended tool calls across the full scope of the wildcard permission. See aws-iam-07 — permission boundaries for the permission boundary pattern that provides an additional containment layer for delegated roles. MITIGATES: LLM06:2025 excessive agency through over-permissioned agent execution role and LLM08:2025 tool misuse via unrestricted action group permissions. ATTACK VECTOR: Indirect prompt injection causes the Bedrock Agent to call sensitive action groups with an over-permissioned execution role — the injected instruction is treated as legitimate agent orchestration, triggering Lambda invocations or S3 object access beyond the intended scope. 
BLAST RADIUS: Full access to all Lambda functions or S3 objects permitted by the wildcard role — enabling data exfiltration, infrastructure modification, or lateral movement to other AWS services via the execution role's permissions. Remediation — AWS CLI <code class=\"language-bash\"># AWS CLI v2 — inspect Bedrock Agent action group configuration aws bedrock-agent get-agent-action-group \\ --agent-id \"${AGENT_ID}\" \\ --agent-version \"DRAFT\" \\ --action-group-id \"${AG_ID}\" \\ --query \"{name:actionGroupName,executor:actionGroupExecutor,state:actionGroupState}\" # Verify the execution role trust policy restricts to Bedrock Agent service principal aws iam get-role \\ --role-name \"${AGENT_EXECUTION_ROLE_NAME}\" \\ --query \"Role.AssumeRolePolicyDocument\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_iam_role\" \"bedrock_agent_role\" { name = \"bedrock-agent-execution-role\" assume_role_policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Principal = { Service = \"bedrock.amazonaws.com\" } Action = \"sts:AssumeRole\" }] }) } resource \"aws_iam_role_policy\" \"agent_lambda_scoped\" { name = \"agent-lambda-scoped\" role = aws_iam_role.bedrock_agent_role.id policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Action = [\"lambda:InvokeFunction\"] Resource = [aws_lambda_function.action_group_handler.arn] }] }) } resource \"aws_bedrockagent_agent\" \"this\" { agent_name = var.agent_name agent_resource_role_arn = aws_iam_role.bedrock_agent_role.arn foundation_model = var.foundation_model_id instruction = var.agent_instruction }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Bedrock Agent execution role scoped to one agent ARN with no broad bedrock:* grants. 
Parameters: AgentName: Type: String AllowedModelId: Type: String Resources: AgentExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub 'bedrock-agent-${AgentName}-exec' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: bedrock.amazonaws.com Action: sts:AssumeRole Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId ArnLike: aws:SourceArn: !Sub 'arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*' ManagedPolicyArns: - !Ref AgentExecPolicy AgentExecPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: !Sub 'bedrock-agent-${AgentName}-exec-policy' PolicyDocument: Version: '2012-10-17' Statement: - Sid: InvokeOneModel Effect: Allow Action: bedrock:InvokeModel Resource: !Sub 'arn:aws:bedrock:${AWS::Region}::foundation-model/${AllowedModelId}'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_iam as iam } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface AgentRoleProps extends cdk.StackProps { agentName: string; allowedModelId: string; } export class AgentExecutionRoleStack extends cdk.Stack { constructor(scope: Construct, id: string, props: AgentRoleProps) { super(scope, id, props); const policy = new iam.ManagedPolicy(this, 'AgentExecPolicy', { managedPolicyName: `bedrock-agent-${props.agentName}-exec-policy`, statements: [ new iam.PolicyStatement({ sid: 'InvokeOneModel', actions: ['bedrock:InvokeModel'], resources: [`arn:aws:bedrock:${this.region}::foundation-model/${props.allowedModelId}`], }), ], }); new iam.Role(this, 'AgentExecutionRole', { roleName: `bedrock-agent-${props.agentName}-exec`, assumedBy: new iam.ServicePrincipal('bedrock.amazonaws.com', { conditions: { StringEquals: { 'aws:SourceAccount': this.account }, ArnLike: { 'aws:SourceArn': `arn:aws:bedrock:${this.region}:${this.account}:agent/*` }, }, }), managedPolicies: [policy], }); } }</code> Compliance mapping CIS AWS 
Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; AC-17 A.5.15; A.5.18 n/a LLM06:2025; LLM08:2025 Information Security Art. 55 (in force 2025-08-02) Log signals CloudTrail bedrock-agent:UpdateAgent or bedrock-agent:CreateAgent events whose requestParameters.agentResourceRoleArn resolves to a role with effective policies including iam:*, sts:AssumeRole on broad principals, or any *FullAccess managed policy. CloudTrail bedrock-agent:UpdateActionGroup events introducing a new actionGroupExecutor.lambda Lambda ARN whose function role has not been pre-approved for agent-tool execution — the action-group Lambda is the agent's tool-use surface and its IAM blast radius bounds the agent's effective capabilities. CloudWatch Logs entries from the agent's invocation log group where the agent invoked a Lambda action-group function and the function returned an unexpected resource interaction (e.g. modified an unrelated S3 bucket, attempted KMS decrypt outside its policy) — operational signal that an agent has been tricked into using its tools for unauthorized actions. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.agentId, requestParameters.agentName, requestParameters.agentResourceRoleArn, requestParameters.actionGroupExecutor, userIdentity.arn | filter eventSource = \"bedrock-agent.amazonaws.com\" and eventName in [\"UpdateAgent\",\"CreateAgent\",\"UpdateActionGroup\",\"CreateActionGroup\"] | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights query catches the agent-config mutation events; pair with a Lambda that on a daily cadence simulates each agent's execution role via iam:SimulatePrincipalPolicy against the documented agent-tool action set and reports any deviation from the expected minimal action surface. Alert threshold Any agent created or updated with an execution role outside the agent-execution-role allow-list — page immediately; the agent's autonomous tool-use blast radius is bounded by the role's policy graph and broad permissions there are equivalent to giving an LLM admin keys. Action-group Lambda introduced with an unapproved IAM role — high-priority ticket within 30 minutes; the action-group function is the agent's call-out point and any new function should go through the platform team's tool-onboarding review. Agent invocation log entry showing unexpected resource interaction — page; this is the canonical signal of a prompt-injection attack that successfully redirected the agent's tool use toward an attacker-chosen target. Initial response Pause the agent immediately via aws bedrock-agent update-agent setting agentResourceRoleArn to a minimal-deny stub role; this stops the agent from executing any further tool calls without removing the agent's invocation surface (so consumers see explicit denials rather than silent gaps). Restore the canonical execution role from IaC and re-validate the agent's action-group Lambda ARNs against the allow-list; if any action-group Lambda was modified during the gap window, revert it from source control and re-deploy. 
Open an incident via general/ir.html; pull the agent's invocation logs for the gap window and enumerate every tool call that resulted in a resource mutation — each mutation needs a manual review against the prompt that initiated it to confirm whether the action was the user's intent or an attacker's prompt-injection payload. References AWS Bedrock — Agents permissions reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI aws-genai-02-guardrails-content-filter ! HIGH PREVENTIVE Configure Bedrock Guardrails content filter policy with explicit harm-category thresholds for HATE, SEXUAL, VIOLENCE, INSULTS, MISCONDUCT, and PROMPT_ATTACK set to HIGH or MEDIUM for both input and output. Configure PII redaction using sensitive_information_policy_config with pii_entities_config per entity type (EMAIL → ANONYMIZE; AWS_ACCESS_KEY → BLOCK). This is a separate Guardrails configuration block from prompt attack detection (aws-genai-06): the content filter policy moderates harm categories in prompts and completions, whereas prompt attack detection is an input-layer classifier for adversarial injection patterns. Anti-pattern: Setting any harm category filter strength to NONE is equivalent to the BLOCK_NONE anti-pattern documented in General GenAI — Common Misconfigurations. Any policy deviation must be risk-accepted with compensating controls documented. All harm categories should be set to HIGH or at minimum MEDIUM for both input and output. MITIGATES: LLM01:2025 jailbreak producing harmful output after bypassing system prompt constraints and LLM02:2025 harmful or sensitive content disclosure including PII in completions. ATTACK VECTOR: Adversarial prompt elicits hate speech, sexual, or violence content; PII included in model completion reveals personal data from training corpus or RAG context documents. 
BLAST RADIUS: Regulatory exposure under data protection law if PII is disclosed in completions; reputational harm from harmful content generation; potential data protection violation if EU-resident data is disclosed without lawful basis. Audit — AWS CLI <code class=\"language-bash\"># AWS CLI v2 — check content filter policy thresholds on a guardrail aws bedrock get-guardrail \\ --guardrail-id \"${GUARDRAIL_ID}\" \\ --output json | jq '.contentPolicy' # List all guardrails in the account to verify coverage aws bedrock list-guardrails \\ --output json \\ --query 'guardrails[].{id:guardrailId,name:name,version:version,status:status}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 (min 5.60.0 for pii_entities_config input_action/output_action) resource \"aws_bedrock_guardrail\" \"this\" { name = var.guardrail_name blocked_input_messaging = \"I cannot process that input.\" blocked_outputs_messaging = \"I cannot provide that output.\" sensitive_information_policy_config { pii_entities_config { type = \"EMAIL\" input_action = \"ANONYMIZE\" output_action = \"ANONYMIZE\" } pii_entities_config { type = \"AWS_ACCESS_KEY\" input_action = \"BLOCK\" output_action = \"BLOCK\" } pii_entities_config { type = \"NAME\" input_action = \"ANONYMIZE\" output_action = \"ANONYMIZE\" } } content_policy_config { filters_config { type = \"HATE\" input_strength = \"HIGH\" output_strength = \"HIGH\" } filters_config { type = \"SEXUAL\" input_strength = \"HIGH\" output_strength = \"HIGH\" } filters_config { type = \"VIOLENCE\" input_strength = \"HIGH\" output_strength = \"HIGH\" } filters_config { type = \"INSULTS\" input_strength = \"MEDIUM\" output_strength = \"HIGH\" } filters_config { type = \"MISCONDUCT\" input_strength = \"MEDIUM\" output_strength = \"HIGH\" } } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Bedrock Guardrail enforcing HIGH-strength content filters on 
hate/insults/sexual/violence/misconduct. Resources: ContentFilterGuardrail: Type: AWS::Bedrock::Guardrail Properties: Name: content-filter-guardrail BlockedInputMessaging: Your message was blocked by a content filter. BlockedOutputsMessaging: The model response was blocked by a content filter. ContentPolicyConfig: FiltersConfig: - Type: HATE InputStrength: HIGH OutputStrength: HIGH - Type: INSULTS InputStrength: HIGH OutputStrength: HIGH - Type: SEXUAL InputStrength: HIGH OutputStrength: HIGH - Type: VIOLENCE InputStrength: HIGH OutputStrength: HIGH - Type: MISCONDUCT InputStrength: HIGH OutputStrength: HIGH</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-15; SC-28 A.8.28; A.5.34 CLD.6.3.1 LLM01:2025; LLM02:2025 Dangerous/Violent Content; Data Privacy Art. 55 (in force 2025-08-02) Log signals CloudTrail bedrock:UpdateGuardrail events removing or downgrading any of the standard content-filter categories (VIOLENCE, HATE, SEXUAL, INSULTS, MISCONDUCT) — drops the topical-output filter and exposes downstream consumers to unfiltered model responses in those categories. CloudTrail bedrock:DeleteGuardrailVersion events on a published version still referenced by production agents or applications — leaves applications pointing at a now-missing version, which fails-open in some SDK error paths. Bedrock invocation logs (the CloudWatch Logs group from aws-genai-04) where the guardrail trace shows category-level action=NONE on responses that previously returned action=BLOCKED for similar inputs — passive operational signal of filter weakening. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.guardrailIdentifier, requestParameters.contentPolicyConfig.filtersConfig, requestParameters.guardrailVersion, userIdentity.arn | filter eventSource = \"bedrock.amazonaws.com\" and eventName in [\"UpdateGuardrail\",\"DeleteGuardrailVersion\",\"CreateGuardrailVersion\"] | filter @message like /VIOLENCE/ or @message like /HATE/ or @message like /SEXUAL/ or @message like /MISCONDUCT/ | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights filter pattern-matches on the content-filter category names; the regex over the JSON payload is faster than a typed filter because filtersConfig is a list whose category strings are easier to surface via raw-message matching. Alert threshold Any content-filter category downgrade to NONE in production — page immediately; the corresponding downstream consumer (chatbot, agent, RAG application) is now exposed to unfiltered output in that category which may violate the org's acceptable-use policy. DeleteGuardrailVersion on a version still referenced by production traffic — page; the version deletion is irreversible and applications referencing it will fail or fail-open until they are reconfigured to point at a newer version. Invocation-trace action=BLOCKED rate dropping below the 7-day baseline by more than 50% — informational; the drop may indicate either upstream input changes or filter weakening, and the operational team should investigate which before escalating. Initial response Restore the content-filter configuration from IaC with aws bedrock update-guardrail referencing the canonical filtersConfig; create a new published version and update production applications to reference it before deleting the un-canonical interim version. 
For invocation-trace shifts, sample a stratified set of responses from the post-shift window and run them through the canonical guardrail in evaluation mode (aws bedrock-runtime apply-guardrail) to identify which responses would now be flagged — these are the candidate consumer-exposed unsafe responses. Open an incident via general/ir.html for the consumer-exposure case; the responses that the weaker guardrail let through may have been shown to end users and the resulting consumer-facing content needs a manual review against the org's content policy. References AWS Bedrock — guardrails content filters (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI aws-genai-03-vpc-endpoint ! HIGH PREVENTIVE Create VPC Interface Endpoints for com.amazonaws.<region>.bedrock-runtime (inference) and com.amazonaws.<region>.bedrock (control plane) to route inference traffic through the AWS backbone, never traversing the public internet. Deny public Bedrock invocations via SCP using the aws:SourceVpc condition key to enforce that all bedrock:InvokeModel calls originate from within an approved VPC. Without this control, prompts, completions, and system prompts traverse corporate egress infrastructure where they may be logged, inspected, or intercepted. See aws-net-05 — VPC endpoints / PrivateLink for the general VPC endpoint pattern. MITIGATES: LLM10:2025 network-level exposure of inference traffic including confidential system prompts and RAG context. ATTACK VECTOR: Inference traffic (prompts, completions, system prompts) traverses corporate egress proxy or ISP network segments where it can be logged or inspected. An attacker with visibility to egress traffic captures full model interactions including proprietary system prompt content. BLAST RADIUS: Full prompt and completion content exposure including confidential system prompts, PII in RAG context, and proprietary business logic embedded in model instructions. 
Remediation — AWS CLI <code class=\"language-bash\"># AWS CLI v2 — check for existing Bedrock VPC endpoints aws ec2 describe-vpc-endpoints \\ --filters \"Name=service-name,Values=com.amazonaws.${REGION}.bedrock-runtime\" \\ \"Name=vpc-endpoint-type,Values=Interface\" \\ --query 'VpcEndpoints[].{id:VpcEndpointId,vpc:VpcId,state:State,dns:DnsEntries[0].DnsName}' # Verify both service names are available in the target region aws ec2 describe-vpc-endpoint-services \\ --service-names \\ \"com.amazonaws.${REGION}.bedrock-runtime\" \\ \"com.amazonaws.${REGION}.bedrock\" \\ --query 'ServiceDetails[].{name:ServiceName,available:ServiceType[0].ServiceType}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_vpc_endpoint\" \"bedrock_runtime\" { vpc_id = var.vpc_id service_name = \"com.amazonaws.${var.region}.bedrock-runtime\" vpc_endpoint_type = \"Interface\" subnet_ids = var.private_subnet_ids security_group_ids = [aws_security_group.bedrock_endpoint_sg.id] private_dns_enabled = true } resource \"aws_vpc_endpoint\" \"bedrock_control\" { vpc_id = var.vpc_id service_name = \"com.amazonaws.${var.region}.bedrock\" vpc_endpoint_type = \"Interface\" subnet_ids = var.private_subnet_ids security_group_ids = [aws_security_group.bedrock_endpoint_sg.id] private_dns_enabled = true } resource \"aws_security_group\" \"bedrock_endpoint_sg\" { name = \"bedrock-endpoint-sg\" description = \"Allow HTTPS from application subnets to Bedrock VPC endpoints\" vpc_id = var.vpc_id ingress { from_port = 443 to_port = 443 protocol = \"tcp\" cidr_blocks = var.app_subnet_cidrs } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: VPC interface endpoint for Bedrock Runtime, restricted to the application VPC. 
Parameters: VpcId: Type: AWS::EC2::VPC::Id SubnetIds: Type: List<AWS::EC2::Subnet::Id> SecurityGroupId: Type: AWS::EC2::SecurityGroup::Id Resources: BedrockRuntimeEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VpcId ServiceName: !Sub 'com.amazonaws.${AWS::Region}.bedrock-runtime' VpcEndpointType: Interface SubnetIds: !Ref SubnetIds SecurityGroupIds: - !Ref SecurityGroupId PrivateDnsEnabled: true</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SC-7; AC-17 A.8.20; A.8.22 CLD.13.1.4 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals CloudTrail ec2:DeleteVpcEndpoints events targeting com.amazonaws.{region}.bedrock-runtime or com.amazonaws.{region}.bedrock interface endpoints — removes the private-network path so Bedrock API calls fall back to the public endpoint via NAT, exposing prompt traffic to potential SSL-interception or DNS-hijack attacks. CloudTrail ec2:ModifyVpcEndpoint where the endpoint policy "},{"id":"aws/iam.html","url":"aws/iam.html","title":"AWS IAM Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS IAM","description":"AWS IAM hardening: root MFA, IAM Identity Center, SCPs, permission boundaries, Access Analyzer, credential audit.","body":"AWS IAM Hardening Overview This page covers Amazon Web Services Identity & Access Management hardening across the surfaces that determine whether an attacker who lands a credential can pivot to full account takeover. 
AWS exposes a larger root-and-Organizations surface than the other three providers in this guide, so the control inventory here is ten items rather than the eight on the Azure, GCP, and OCI sibling pages — the additional controls reflect AWS's root-account model and its Service Control Policy (SCP) machinery at the Organizations layer. Scope is commercial AWS regions; AWS GovCloud (US) and the China regions inherit the same controls but require region-specific endpoints (for example iam.us-gov.amazonaws.com) and have their own STS partitions. CIS sub-IDs and NIST/ISO mappings throughout this page reference the AWS commercial benchmark unless noted. The mental model: AWS IAM is the product of identity policies (what a principal can do, attached to users, groups, roles), resource policies (who can touch a resource, attached to S3 buckets, KMS keys, etc.), Service Control Policies (organisation-wide upper bound on what any principal in a member account may do), and permission boundaries (per-principal upper bound used when delegating admin rights). The cross-cutting principles — least privilege, separation of duties, credential rotation, secrets management, MFA — are explained in the General IAM page; this page maps them to AWS primitives. Severity assignments follow the rubric documented in methodology, in particular the worked example EX-MFA-01 which derives a CRITICAL PREVENTIVE for the canonical phishing-resistant MFA case. Equivalence callouts at the bottom of each control point to the matching control on the Azure, GCP, and OCI pages so a reader can compare modelling across providers. Order matters in this list. Controls 01–04 are CRITICAL PREVENTIVE and address the single biggest residual risk in nearly every audited AWS account: standing credentials with MFA gaps. Controls 05–08 are HIGH/MEDIUM PREVENTIVE and progressively replace long-lived credentials with short-lived role assumption, then fence the blast radius with permission boundaries and SCPs. 
Controls 09–10 are DETECTIVE: IAM Access Analyzer continuously discovers unintended external access; credential-report auditing surfaces drift in users that pre-date later preventive controls. Reviewing the compliance-frameworks page first will clarify why each control row lists CIS, NIST 800-53 rev5, and ISO 27001/27017 cells in the same order across all four provider pages. aws-iam-01-root-mfa ! CRITICAL PREVENTIVE Enable a hardware FIDO2 security key (or, at minimum, a virtual TOTP device backed up offline) as the MFA device on the root user of every AWS account, including every member account of an AWS Organization. AWS announced in 2024 that root-user MFA is becoming mandatory for the management account and is being progressively rolled out across member accounts; planning teams should treat this as an in-flight enforcement rather than an optional best practice (AWS Security Blog — root MFA mandate announcement 2024 (accessed 2026-05)). The principle is reinforced in the General IAM — MFA section and the severity derivation is worked end-to-end in methodology EX-MFA-01. MITIGATES: Full AWS account takeover via compromised root credentials (phishing, password reuse, leaked recovery email). ATTACK VECTOR: Attacker obtains the root password from a credential dump or phishing kit and signs in to the console without a second factor; from the root session they create access keys, attach AdministratorAccess to a new IAM user, or modify the AccountContact email to lock out the legitimate owner. BLAST RADIUS: The entire AWS account: every region, every service, every linked Organization member account reachable via OrganizationAccountAccessRole; root can disable CloudTrail and rotate KMS keys, destroying both forensic evidence and customer data. Remediation — AWS CLI <code class=\"language-bash\"># Hardware/virtual root MFA is registered through the console (Security credentials # > Multi-factor authentication). 
The CLI cannot enrol the root user's MFA device # because the root principal cannot be assumed programmatically. After enrolment, # verify from any admin-credentialed session: aws iam get-account-summary \\ --query 'SummaryMap.AccountMFAEnabled' \\ --output text # Expected: 1</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Root MFA enrolment itself is a console action; this SCP enforces the # organisational invariant \"no root action without MFA present\" against # every member account. resource \"aws_organizations_policy\" \"deny_root_without_mfa\" { name = \"deny-root-without-mfa\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyRootWithoutMFA\" Effect = \"Deny\" Action = \"*\" Resource = \"*\" Condition = { Bool = { \"aws:MultiFactorAuthPresent\" = \"false\" } StringLike = { \"aws:PrincipalArn\" = \"arn:aws:iam::*:root\" } } }] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: SCP enforcing \"no root action without MFA present\" across member accounts. Parameters: OrgRootId: Type: String Description: AWS Organizations root or OU id to attach the SCP to. 
Resources: DenyRootWithoutMfa: Type: AWS::Organizations::Policy Properties: Name: deny-root-without-mfa Type: SERVICE_CONTROL_POLICY TargetIds: - !Ref OrgRootId Content: Version: '2012-10-17' Statement: - Sid: DenyRootWithoutMFA Effect: Deny Action: '*' Resource: '*' Condition: Bool: aws:MultiFactorAuthPresent: 'false' StringLike: aws:PrincipalArn: 'arn:aws:iam::*:root'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_organizations as orgs } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class DenyRootWithoutMfaStack extends cdk.Stack { constructor(scope: Construct, id: string, props: cdk.StackProps & { orgRootId: string }) { super(scope, id, props); new orgs.CfnPolicy(this, 'DenyRootWithoutMfa', { name: 'deny-root-without-mfa', type: 'SERVICE_CONTROL_POLICY', targetIds: [props.orgRootId], content: JSON.stringify({ Version: '2012-10-17', Statement: [{ Sid: 'DenyRootWithoutMFA', Effect: 'Deny', Action: '*', Resource: '*', Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'false' }, StringLike: { 'aws:PrincipalArn': 'arn:aws:iam::*:root' }, }, }], }), }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.51.1.11.11.1 IA-2(1); AC-6(7)A.5.17; A.8.5n/a Log signals CloudTrail ConsoleLogin entries where userIdentity.type = \"Root\" and additionalEventData.MFAUsed = \"No\". CloudTrail EnableMFADevice / DeactivateMFADevice targeting the root principal in any member account. IAM credential-report deltas where mfa_active flips for the <root_account> row between report runs. 
Query <code class=\"language-sql\">fields @timestamp, userIdentity.type, eventName, additionalEventData.MFAUsed, sourceIPAddress, awsRegion | filter userIdentity.type = \"Root\" | filter eventName = \"ConsoleLogin\" or eventName like /MFADevice/ | sort @timestamp desc | limit 200</code> Run in CloudWatch Logs Insights against the CloudTrail organisation-trail log group. Pin to the management account first, then pivot per-member-account via cross-account log delivery. Alert threshold Any single ConsoleLogin with userIdentity.type = \"Root\" AND MFAUsed = \"No\" — page on first occurrence. Any DeactivateMFADevice on a root principal during a 24h window — page on first occurrence. Baseline calibration: tune over a 30-day window using stats count() by userIdentity.accountId to confirm expected root-login cadence per account (typically near zero). Initial response Verify the login against the documented break-glass ticket and the named individual who holds the root hardware key; if no ticket exists, treat as confirmed compromise. Force root credential rotation: trigger the documented root-password reset flow + re-enrol the hardware MFA device via the AWS console; rotate any root-tagged signing keys. Escalate per general/ir.html — open an incident, snapshot CloudTrail + Config + GuardDuty findings for the affected account, and run the SCP audit (aws-iam-08-scp-deny-list) to confirm preventive guards still apply. References AWS CloudTrail — Console sign-in event reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-iam-02-root-keys-removed ! CRITICAL PREVENTIVE The root user must hold zero long-lived access keys. 
AWS has documented for many years that the root user should be used only for the small set of actions that nothing else can perform (closing the account, changing payment instruments, registering as a seller); using a root access key for routine workload calls is the highest-leverage credential compromise possible (AWS IAM User Guide — security best practices (accessed 2026-05)). Confirm both that no key currently exists and that the account-wide policy forbids creating one. MITIGATES: Long-lived programmatic compromise of the root principal (committed-to-Git access keys, key exposed via SSRF to instance metadata, leaked through a laptop image). ATTACK VECTOR: A root access key sits in a developer's ~/.aws/credentials, in CI environment variables, or in a backup image; an attacker exfiltrates it and authenticates non-interactively, bypassing the MFA control in aws-iam-01-root-mfa entirely because programmatic access keys do not present MFA challenges by default. BLAST RADIUS: Identical to root console compromise — entire account, every region, every service — but with no human-in-the-loop friction and trivial to script. Remediation — AWS CLI <code class=\"language-bash\"># Audit: confirm root has zero access keys (uses credential-report data). aws iam generate-credential-report aws iam get-credential-report \\ --query 'Content' --output text \\ | base64 -d \\ | awk -F, 'NR==1 || $1==\"<root_account>\"' \\ | cut -d, -f1,9,14 # Expect access_key_1_active=false and access_key_2_active=false. # If a root key exists, delete it (must be run as root from the console / CLI): aws iam delete-access-key --access-key-id <AKIA...></code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Organisation-wide SCP denying the CreateAccessKey API when the calling # principal is the root user of any member account. 
resource \"aws_organizations_policy\" \"deny_root_create_access_key\" { name = \"deny-root-create-access-key\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyRootCreateAccessKey\" Effect = \"Deny\" Action = [\"iam:CreateAccessKey\", \"iam:UpdateAccessKey\"] Resource = \"*\" Condition = { StringLike = { \"aws:PrincipalArn\" = \"arn:aws:iam::*:root\" } } }] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: SCP forbidding any IAM action that creates access keys for the root principal. Parameters: OrgRootId: Type: String Resources: DenyRootKeyCreation: Type: AWS::Organizations::Policy Properties: Name: deny-root-access-key-creation Type: SERVICE_CONTROL_POLICY TargetIds: - !Ref OrgRootId Content: Version: '2012-10-17' Statement: - Sid: DenyRootAccessKeyCreate Effect: Deny Action: - iam:CreateAccessKey - iam:UpdateAccessKey Resource: '*' Condition: StringLike: aws:PrincipalArn: 'arn:aws:iam::*:root'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_organizations as orgs } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class DenyRootKeyCreationStack extends cdk.Stack { constructor(scope: Construct, id: string, props: cdk.StackProps & { orgRootId: string }) { super(scope, id, props); new orgs.CfnPolicy(this, 'DenyRootKeyCreation', { name: 'deny-root-access-key-creation', type: 'SERVICE_CONTROL_POLICY', targetIds: [props.orgRootId], content: JSON.stringify({ Version: '2012-10-17', Statement: [{ Sid: 'DenyRootAccessKeyCreate', Effect: 'Deny', Action: ['iam:CreateAccessKey', 'iam:UpdateAccessKey'], Resource: '*', Condition: { StringLike: { 'aws:PrincipalArn': 'arn:aws:iam::*:root' }, }, }], }), }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 
NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.41.1.31.11.1 AC-6; IA-5(1)A.5.17; A.8.2n/a Log signals CloudTrail CreateAccessKey where userIdentity.type = \"Root\" — any successful invocation regardless of source IP. CloudTrail UpdateAccessKey targeting an access-key whose owning user resolves to the root principal (cross-reference requestParameters.userName against the credential-report root row). IAM credential-report deltas where access_key_1_active or access_key_2_active flips from false to true on the <root_account> row between consecutive scheduled report runs. Query <code class=\"language-sql\">fields @timestamp, eventName, userIdentity.arn, sourceIPAddress, requestParameters.userName, errorCode | filter eventName in [\"CreateAccessKey\",\"UpdateAccessKey\"] | filter userIdentity.type = \"Root\" or requestParameters.userName like /:root$/ | sort @timestamp desc | limit 50</code> Target the CloudWatch Logs Insights query at the organisation-trail log group; pivot the same filter into each member-account trail when the SCP denies the call so that the deny itself is the high-confidence signal. Alert threshold Any successful CreateAccessKey from a root principal — page on first occurrence; the expected steady-state rate is exactly zero. Any CreateAccessKey denied by the SCP from aws-iam-08-scp-deny-list — informational alert per occurrence, batched at 1-hour cadence (SCP denials confirm the preventive guard fired and may correlate with phishing reconnaissance). Tune: feed the prior 30 days into a static allow-list of approved automation principals; deviation against that list is the actionable signal. Initial response Pull the credential report immediately and confirm whether access_key_1_active or access_key_2_active is now true on the root row; capture the CSV as forensic evidence before any remediation touches the account. 
If the key was created: delete it via aws iam delete-access-key using the root console session (programmatic deletion requires the root key the attacker just created — coordinate with the named root-key holder); then re-confirm the SCP from aws-iam-08-scp-deny-list is attached to every OU. Open an incident per general/ir.html; correlate the CloudTrail event source IP against known break-glass jump-host CIDRs and treat any deviation as confirmed compromise. References AWS IAM User Guide — deleting root access keys (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-iam-03-identity-center ! HIGH PREVENTIVE Human access to AWS accounts should flow through IAM Identity Center — the service formerly known as AWS SSO, which AWS renamed in 2022; new content should never use the old name (AWS IAM Identity Center user guide (accessed 2026-05)). Identity Center federates from an upstream identity provider (Okta, Entra ID, JumpCloud, Identity Center's own directory) and issues short-lived role-session credentials per account through permission sets, replacing long-lived IAM users for humans. MITIGATES: Standing IAM-user credentials for humans (passwords + access keys) accumulating across accounts as the organisation grows; orphaned users surviving employee departures. ATTACK VECTOR: A long-lived IAM user provisioned for a now-departed contractor still has console access and an access key the offboarding ticket missed; the credential is reused months later from a personal device that has since been compromised. BLAST RADIUS: Bounded by whatever permission set the user held — typically broad in small organisations where IAM-user-per-employee is the historical pattern; eliminated entirely when humans only receive ephemeral Identity Center sessions. Remediation — AWS CLI <code class=\"language-bash\"># Create a permission set scoped to a managed policy. 
aws sso-admin create-permission-set \\ --instance-arn arn:aws:sso:::instance/<SSOINS_ID> \\ --name ReadOnlyAuditors \\ --session-duration PT4H # Attach the managed policy and assign to a group in a member account. aws sso-admin attach-managed-policy-to-permission-set \\ --instance-arn arn:aws:sso:::instance/<SSOINS_ID> \\ --permission-set-arn arn:aws:sso:::permissionSet/<PS_ID> \\ --managed-policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 data \"aws_ssoadmin_instances\" \"this\" {} resource \"aws_ssoadmin_permission_set\" \"read_only\" { name = \"ReadOnlyAuditors\" instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0] session_duration = \"PT4H\" } resource \"aws_ssoadmin_managed_policy_attachment\" \"read_only\" { instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0] managed_policy_arn = \"arn:aws:iam::aws:policy/ReadOnlyAccess\" permission_set_arn = aws_ssoadmin_permission_set.read_only.arn } resource \"aws_ssoadmin_account_assignment\" \"read_only_auditors\" { instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0] permission_set_arn = aws_ssoadmin_permission_set.read_only.arn principal_id = var.auditors_group_id principal_type = \"GROUP\" target_id = var.target_account_id target_type = \"AWS_ACCOUNT\" }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS IAM Identity Center permission set with session duration and managed policy boundary. Parameters: InstanceArn: Type: String Description: IAM Identity Center instance ARN (sso:DescribeInstances). Resources: ReadOnlyPermissionSet: Type: AWS::SSO::PermissionSet Properties: Name: org-read-only Description: SSO permission set granting AWS-managed ReadOnlyAccess. 
InstanceArn: !Ref InstanceArn SessionDuration: PT1H ManagedPolicies: - arn:aws:iam::aws:policy/ReadOnlyAccess</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.211.1.4best-practicesbest-practices AC-2(1); IA-2A.5.16; A.5.18n/a Log signals CloudTrail ConsoleLogin where userIdentity.type = \"IAMUser\" (rather than the expected AssumedRole reaching the account from an Identity Center permission-set role) — surfaces humans bypassing the federated path. CloudTrail sso:DisassociatePermissionSet, sso:DeleteAccountAssignment, or sso-admin:DeletePermissionSet — covers tampering with the Identity Center configuration itself. Standing IAM-user inventory drift: scheduled query of iam:ListUsers result-count crossing a static baseline upward indicates new long-lived human accounts being created outside Identity Center. Query <code class=\"language-sql\">fields @timestamp, eventName, userIdentity.type, userIdentity.userName, recipientAccountId, sourceIPAddress | filter eventName = \"ConsoleLogin\" and userIdentity.type = \"IAMUser\" | filter userIdentity.userName not like /^break-glass-/ | stats count() as logins by userIdentity.userName, recipientAccountId | sort logins desc</code> This CloudWatch Logs Insights query groups direct IAM-user console sign-ins by user and member account, with the documented break-glass naming convention stripped out so the residual set is precisely the deviation surface. Alert threshold Any IAM-user console sign-in outside the documented break-glass naming convention — page on the first event in a 24h window per identity, then suppress further pages from the same identity for 24h to avoid flap during remediation. 
Net-new IAM users created in any member account between Identity Center adoption date and the present — informational digest at weekly cadence, escalate if the digest is non-empty for two consecutive weeks. Baseline calibration: window the prior 30 days of ConsoleLogin events, list distinct IAMUser identities, validate the list against the IT-onboarding ledger before tightening the page rule. Initial response Confirm via the named individual whether the IAM-user sign-in is a sanctioned break-glass session; if yes, capture the change-management ticket ID and close as documented exception. If unsanctioned: disable the IAM user's console password via aws iam delete-login-profile, deactivate any attached access keys, and provision the human's correct Identity Center group membership instead. Run the orphan-IAM-user audit (cross-reference aws iam list-users against the HRIS active-employee list) and forward the diff to general/ir.html as an IAM-hygiene finding rather than an active incident if no credential abuse is evident. References AWS IAM Identity Center — logging API calls with CloudTrail (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-iam-04-mfa-iam-users ! CRITICAL PREVENTIVE For accounts that still contain IAM users with console passwords — typically legacy accounts pre-dating Identity Center, plus break-glass users — every such user must have an MFA device enrolled and a policy condition that denies all actions until MFA is presented. CIS AWS Foundations v7.0.0 control 1.10 mandates this for any IAM user with a console password (CIS Amazon Web Services Foundations Benchmark v3.0.0 — Jan 2024 release (accessed 2026-05)). MITIGATES: Console-password compromise of IAM users via phishing, credential stuffing, or password reuse from a third-party breach. 
ATTACK VECTOR: A developer reuses their corporate password on a SaaS app that is later breached; the leaked credential pair is replayed against the AWS console sign-in endpoint and succeeds because MFA was never enrolled on the IAM user. BLAST RADIUS: Bounded by the policies attached to the user / its groups; in practice often equivalent to PowerUserAccess because legacy IAM users tend to have accumulated broad inline policies. Remediation — AWS CLI <code class=\"language-bash\"># List users with console passwords and check whether each has an MFA device. aws iam list-users --query 'Users[].UserName' --output text \\ | tr '\\t' '\\n' \\ | while read u; do pw=$(aws iam get-login-profile --user-name \"$u\" >/dev/null 2>&1 && echo yes || echo no) mfa=$(aws iam list-mfa-devices --user-name \"$u\" \\ --query 'length(MFADevices)' --output text) printf '%s\\tconsole=%s\\tmfa_devices=%s\\n' \"$u\" \"$pw\" \"$mfa\" done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Group-attached policy denying every action when MFA is not present in the # session. Attach to every group containing IAM users with console access. 
resource \"aws_iam_group_policy\" \"require_mfa\" { name = \"require-mfa\" group = aws_iam_group.console_users.name policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyAllExceptListedIfNoMFA\" Effect = \"Deny\" NotAction = [ \"iam:CreateVirtualMFADevice\", \"iam:EnableMFADevice\", \"iam:GetUser\", \"iam:ListMFADevices\", \"iam:ListVirtualMFADevices\", \"iam:ResyncMFADevice\", \"sts:GetSessionToken\" ] Resource = \"*\" Condition = { BoolIfExists = { \"aws:MultiFactorAuthPresent\" = \"false\" } } }] }) } resource \"aws_iam_account_password_policy\" \"strong\" { minimum_password_length = 14 require_symbols = true require_numbers = true require_uppercase_characters = true require_lowercase_characters = true allow_users_to_change_password = true password_reuse_prevention = 24 max_password_age = 90 }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: IAM managed policy denying every action when MFA is not present, attached at user/group level. 
Resources: DenyAllExceptMfaSelfService: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: deny-all-without-mfa PolicyDocument: Version: '2012-10-17' Statement: - Sid: AllowSelfServiceMfaManagement Effect: Allow Action: - iam:ChangePassword - iam:GetUser - iam:CreateVirtualMFADevice - iam:EnableMFADevice - iam:ListMFADevices - iam:ResyncMFADevice Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}' - Sid: DenyAllExceptMfa Effect: Deny NotAction: - iam:ChangePassword - iam:CreateVirtualMFADevice - iam:EnableMFADevice - iam:GetUser - iam:ListMFADevices - iam:ResyncMFADevice - sts:GetSessionToken Resource: '*' Condition: BoolIfExists: aws:MultiFactorAuthPresent: 'false'</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_iam as iam } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class DenyAllWithoutMfaStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new iam.ManagedPolicy(this, 'DenyAllWithoutMfa', { managedPolicyName: 'deny-all-without-mfa', document: new iam.PolicyDocument({ statements: [ new iam.PolicyStatement({ sid: 'AllowSelfServiceMfaManagement', effect: iam.Effect.ALLOW, actions: [ 'iam:ChangePassword', 'iam:GetUser', 'iam:CreateVirtualMFADevice', 'iam:EnableMFADevice', 'iam:ListMFADevices', 'iam:ResyncMFADevice', ], resources: [`arn:aws:iam::${this.account}:user/\\${aws:username}`], }), new iam.PolicyStatement({ sid: 'DenyAllExceptMfa', effect: iam.Effect.DENY, notActions: [ 'iam:ChangePassword', 'iam:CreateVirtualMFADevice', 'iam:EnableMFADevice', 'iam:GetUser', 'iam:ListMFADevices', 'iam:ResyncMFADevice', 'sts:GetSessionToken', ], resources: ['*'], conditions: { BoolIfExists: { 'aws:MultiFactorAuthPresent': 'false' }, }, }), ], }), }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI 
Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.101.1.21.21.7 IA-2(1)A.5.17; A.8.5n/a Log signals CloudTrail ConsoleLogin where userIdentity.type = \"IAMUser\" and additionalEventData.MFAUsed = \"No\" — direct evidence of a console password authenticating without a second factor. CloudTrail DeactivateMFADevice or DeleteVirtualMFADevice on an IAM user that still holds an active LoginProfile — covers an attacker (or a careless user) stripping the second factor. Credential-report row where password_enabled = true and mfa_active = false for any user — periodic-snapshot complement to the streaming events. Query <code class=\"language-sql\">fields @timestamp, eventName, userIdentity.userName, additionalEventData.MFAUsed, sourceIPAddress, awsRegion | filter eventName = \"ConsoleLogin\" | filter userIdentity.type = \"IAMUser\" | filter additionalEventData.MFAUsed = \"No\" | sort @timestamp desc | limit 200</code> Pair the CloudWatch Logs Insights query with a daily scheduled job that re-parses the IAM credential report and emits a counter metric for rows with password_enabled=true,mfa_active=false; alarm when the counter is non-zero. Alert threshold ConsoleLogin with MFAUsed = \"No\" for an IAM user — page on first occurrence; CIS 1.10 implies steady-state zero so the detection is binary. Credential-report row count with password_enabled=true AND mfa_active=false > 0 — daily digest with severity proportional to the row count (0 = silent, 1-5 = ticket, 6+ = page). Tune the streaming page rule by suppressing 5 minutes after a successful EnableMFADevice by the same user (allows the legitimate enrol-then-sign-in sequence to complete without flapping). Initial response Open the user's IAM record and confirm whether they are mid-enrolment for a new device (cross-reference the helpdesk queue for a pending MFA-replacement ticket). 
If no enrolment ticket exists: revoke active sessions by detaching the deny-without-MFA policy temporarily, force a password reset via aws iam update-login-profile --password-reset-required, and require MFA enrolment on the next sign-in via the helpdesk-mediated path. If a DeactivateMFADevice event preceded the sign-in: treat as a credential-takeover precursor and engage general/ir.html for a full session review across all the user's federated entitlements. References AWS IAM User Guide — using MFA in AWS (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-iam-05-key-rotation ! MEDIUM DETECTIVE Any remaining long-lived IAM access keys must be rotated at most every 90 days. Severity is MEDIUM and the type is DETECTIVE rather than PREVENTIVE because rotation does not prevent compromise of an already-active key — an attacker who exfiltrates a fresh key has 90 days of unimpeded use — it bounds the window during which an undiscovered compromise remains usable, and the rotation cadence itself surfaces stale credentials whose owners have left (AWS IAM User Guide — security best practices (accessed 2026-05)). The strategic answer is to eliminate long-lived keys entirely via aws-iam-06-role-assumption; this control is the compensating audit for what remains. MITIGATES: Indefinite usability of a compromised access key after the original compromise channel (laptop theft, leaked Git commit) is closed. ATTACK VECTOR: A 2022-vintage access key sits in a docker image layer published to a public ECR repository; the key was never rotated because nobody owned the workload; an attacker pulls the image, extracts the key, and uses it three years later because it still works. BLAST RADIUS: Whatever the user / role attached to the key can do — typically the workload's full IAM scope; the rotation control limits time-on-target, not power. Remediation — AWS CLI <code class=\"language-bash\"># List keys older than 90 days across all users. 
aws iam list-users --query 'Users[].UserName' --output text \\ | tr '\\t' '\\n' \\ | while read u; do aws iam list-access-keys --user-name \"$u\" \\ --query 'AccessKeyMetadata[?CreateDate<=`'\"$(date -u -d '90 days ago' +%Y-%m-%dT%H:%M:%SZ)\"'`].[UserName,AccessKeyId,CreateDate]' \\ --output text done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # AWS Config managed rule that flags access keys older than 90 days. resource \"aws_config_config_rule\" \"access_keys_rotated\" { name = \"access-keys-rotated\" source { owner = \"AWS\" source_identifier = \"ACCESS_KEYS_ROTATED\" } input_parameters = jsonencode({ maxAccessKeyAge = \"90\" }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config managed rule flagging IAM access keys older than the rotation threshold. Resources: AccessKeyRotationRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: access-keys-rotated-90d Description: Flags IAM access keys not rotated within maxAccessKeyAge days. Source: Owner: AWS SourceIdentifier: ACCESS_KEYS_ROTATED InputParameters: !Sub '{\"maxAccessKeyAge\":\"90\"}'</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.141.1.61.41.14 IA-5(1)A.5.17; A.8.2n/a Log signals AWS Config rule ACCESS_KEYS_ROTATED emits a NON_COMPLIANT evaluation against any IAM-user resource whose attached access-key CreateDate is older than the configured 90-day threshold. IAM credential-report rows where access_key_1_last_rotated (or _2_) is more than 90 days behind the report timestamp — periodic-snapshot complement. Last-used recency gap: access-key whose access_key_1_last_used_date trails access_key_1_last_rotated by more than 30 days while still active — flags dormant keys whose owners likely no longer exist. 
Query <code class=\"language-sql\">fields @timestamp, configurationItem.resourceName, newEvaluationResult.complianceType, configRuleName | filter configRuleName = \"access-keys-rotated\" | filter newEvaluationResult.complianceType = \"NON_COMPLIANT\" | stats count() as findings by configurationItem.resourceName | sort findings desc</code> Run the CloudWatch Logs Insights query against the Config-delivery log group; mirror the same recency gap inside a weekly Lambda that re-pulls get-credential-report and emits a CloudWatch metric per non-compliant user. Alert threshold Non-zero count of NON_COMPLIANT users on the weekly Config evaluation cadence — informational ticket per user with rotation-required acknowledgement deadline of 14 days. Key age > 180 days (double the policy threshold) — escalate to page; treat the workload owner's silence as confirmation the credential is orphaned. Behavioural anomaly band: a key whose 30-day moving-average call volume drops to zero while still active for > 60 days — strong dormancy signal independent of the rotation clock. Initial response Map the non-compliant access-key back to its workload via tag workload-id on the parent IAM user; consult the workload's owning team's on-call rotation rather than the original key creator (who may have left). Pursue elimination first: replace the long-lived key with the role-assumption path from aws-iam-06-role-assumption; if elimination is impossible in the audit window, rotate via aws iam create-access-key + cutover + aws iam delete-access-key on the prior key. Forward the residual long-lived-key inventory monthly to the cloud-platform steering group per general/ir.html as a recurring hygiene metric, not an incident. References AWS Config managed rule — access-keys-rotated (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-iam-06-role-assumption ! 
HIGH PREVENTIVE Workload-to-AWS authentication should use IAM roles assumed via STS, not long-lived IAM-user access keys baked into application configuration. The role-assumption surface covers EC2 instance profiles, ECS task roles, Lambda execution roles, and (for Kubernetes workloads on EKS) EKS Pod Identity — the 2023-introduced and now-preferred mechanism — alongside IRSA (IAM Roles for Service Accounts), which remains supported and is the only option in some older clusters (AWS IAM User Guide — security best practices (accessed 2026-05)). Combined with aws-iam-05-key-rotation, eliminating long-lived keys reduces the credential-rotation problem to \"rotate the role's trust policy when the trust relationship changes\", which is rare. MITIGATES: Static IAM-user keys embedded in source, container images, CI variables, or Kubernetes Secrets — the dominant credential-exfiltration vector observed in cloud breach post-mortems (see General threat model). ATTACK VECTOR: A workload uses a hard-coded access key from a Secret mounted into a pod; an SSRF on a sibling pod exfiltrates the secret; because the credential is long-lived and has no session policy, the attacker uses it indefinitely from arbitrary network locations. BLAST RADIUS: Whatever the IAM user's policies allow — typically the workload's data-plane scope plus, through misconfiguration, ambient privilege from broad *:Describe* grants useful for reconnaissance. Remediation — AWS CLI <code class=\"language-bash\"># Create an EC2-assumable role with a workload-scoped policy attached. aws iam create-role \\ --role-name app-runtime-role \\ --assume-role-policy-document '{ \"Version\":\"2012-10-17\", \"Statement\":[{ \"Effect\":\"Allow\", \"Principal\":{\"Service\":\"ec2.amazonaws.com\"}, \"Action\":\"sts:AssumeRole\" }] }' aws iam attach-role-policy \\ --role-name app-runtime-role \\ --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/app-runtime-policy # Attach via instance profile. 
aws iam create-instance-profile --instance-profile-name app-runtime-profile aws iam add-role-to-instance-profile \\ --instance-profile-name app-runtime-profile \\ --role-name app-runtime-role</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_iam_role\" \"app_runtime\" { name = \"app-runtime-role\" assume_role_policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Principal = { Service = \"ec2.amazonaws.com\" } Action = \"sts:AssumeRole\" }] }) } resource \"aws_iam_instance_profile\" \"app_runtime\" { name = \"app-runtime-profile\" role = aws_iam_role.app_runtime.name } # For EKS, prefer Pod Identity (2023+) over IRSA: resource \"aws_eks_pod_identity_association\" \"app\" { cluster_name = var.eks_cluster_name namespace = \"default\" service_account = \"app\" role_arn = aws_iam_role.app_runtime.arn }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Cross-account IAM role with external-id condition and short session duration. 
Parameters: TrustedAccountId: Type: String ExternalId: Type: String NoEcho: true Resources: CrossAccountAuditorRole: Type: AWS::IAM::Role Properties: RoleName: cross-account-auditor MaxSessionDuration: 3600 AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Sub 'arn:aws:iam::${TrustedAccountId}:root' Action: sts:AssumeRole Condition: StringEquals: sts:ExternalId: !Ref ExternalId Bool: aws:MultiFactorAuthPresent: 'true' ManagedPolicyArns: - arn:aws:iam::aws:policy/SecurityAudit</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 best-practices1.1.6best-practicesbest-practices IA-5(7); AC-6A.5.15; A.5.16CLD.6.3.1 Log signals CloudTrail sts:AssumeRole events where userIdentity.type = \"IAMUser\" — long-lived IAM-user keys still acting as the on-ramp to role sessions; the desirable shape is FederatedUser or WebIdentity. CloudTrail UpdateAssumeRolePolicy mutating an existing role's trust policy to widen Principal to an external account or to \"*\", especially without an sts:ExternalId condition. EKS Pod Identity drift: eks:DescribePodIdentityAssociation revealing service-account-to-role bindings whose target role was not provisioned through the c"},{"id":"aws/index.html","url":"aws/index.html","title":"AWS Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS","description":"AWS security hardening reference: IAM, network, data protection, logging & detection, workloads, and incident response.","body":"AWS Hardening This section covers Amazon Web Services hardening across the six security domains. Each domain page maps cross-cutting principles (covered in the General section) onto specific AWS services and configuration primitives. 
Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases. Domains IAM — root MFA, IAM Identity Center, SCPs, permission boundaries, Access Analyzer Network — VPC design, security groups, NACLs, VPC endpoints, WAF, Shield, Route53 DNSSEC Data Protection — S3 Block Public Access, SSE-KMS, EBS/RDS encryption, Macie, KMS key policies Logging & Detection — CloudTrail, Config, GuardDuty, Security Hub, VPC Flow Logs, CloudWatch alarms Workloads — EC2 IMDSv2, SSM Session Manager, ECR, Inspector, Lambda least privilege, EKS hardening Incident Response — break-glass, evidence preservation, EventBridge containment, CloudTrail forensics GenAI Security — Bedrock IAM least privilege, Guardrails content filter + prompt attack, VPC endpoints, invocation logging, CloudTrail data events, Agent role scoping, Knowledge Base auth, cross-region inference controls, org-level enforcement Kubernetes — EKS private cluster, EKS Pod Identity, KMS envelope encryption, Cluster Access Management API, IMDSv2 + hop-limit 1, CloudWatch Container Insights, EKS-managed add-ons, network policy, Bottlerocket/AL2023, Pod Security Standards This page is a Phase 2 stub. 
Section overview content arrives in later phases."},{"id":"aws/ir.html","url":"aws/ir.html","title":"AWS Incident Response Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Incident Response","description":"AWS incident response: break-glass IAM, EventBridge auto-containment, evidence preservation with S3 Object Lock, CloudTrail Lake forensics, EC2 isolation and credential rotation playbooks.","body":"AWS Incident Response Hardening Overview This page covers Amazon Web Services incident response (IR) hardening — the controls that decide whether the organisation can contain, investigate, and recover from an AWS-resident incident inside a defensible time window, and whether the resulting forensic record will hold up to subsequent regulatory or legal scrutiny. Scope is the AWS commercial regions; AWS GovCloud (US) and the China regions inherit the same controls but route through different partition endpoints (for example IAM under iam.amazonaws-us-gov.com and CloudTrail Lake event data stores that cannot replicate cross-partition). Re-verify partition caveats before applying any of the IaC below to a non-commercial region. Cross-cutting IR lifecycle principles — preparation, detection, containment, eradication, recovery, lessons learned, and evidence preservation — are documented on the General Incident Response page against NIST SP 800-61 rev 3 (April 2025 CSF 2.0 community profile). This page does not re-author the lifecycle; it maps the lifecycle to AWS primitives and to the specific posture controls that make each lifecycle phase executable in an AWS account. Severity assignments follow the rubric documented in methodology; equivalence callouts at the bottom of each control point to the matching control on the Azure, GCP, and OCI sibling pages so a reader can compare break-glass, automated-response, and forensic-retention models across providers. AWS IR posture splits cleanly into two stacks. 
The detective stack — CloudTrail, GuardDuty, Security Hub, AWS Config, VPC Flow Logs, CloudWatch alarms — lives on the AWS Logging page; it is what tells you an incident is happening. The responsive stack — break-glass identities, EventBridge + Lambda containment automation, S3 Object Lock evidence buckets, CloudTrail Lake forensic event data stores, and documented runbooks — lives here; it is what you do once you know. The handoff between the two stacks is concrete and AWS-internal: a GuardDuty finding crossing the severity≥7 threshold fires an EventBridge rule that invokes a Lambda quarantine function (aws-ir-02); a forensic question about who-touched-what at 03:00 last Tuesday is answered by a CloudTrail Lake SQL query (aws-ir-04). Every IR control on this page assumes the corresponding logging control on the AWS Logging page is in place; if it is not, the IR control degrades to a manual playbook with insufficient telemetry to drive it. Order matters. Control 01 is the preparation invariant that gates everything else: without a pre-provisioned break-glass identity, the very first incident that takes out the federated identity provider — exactly the scenario IR exists to handle — locks responders out of the AWS account at the moment they need it most. Control 02 is the automation layer that compresses time-to-contain from human-response-time minutes to seconds. Control 03 is the evidence invariant — without write-once-read-many evidence storage, an attacker with sufficient privileges can erase the very logs that would prove what happened. Controls 04–06 are the responsive playbooks themselves: CloudTrail Lake for retrospective forensic SQL, EC2 isolation for \"we think this instance is compromised, take it off the network without destroying state\", and credential rotation for \"an access key landed in a public GitHub repo\". 
Control 07 (optional) closes the lessons-learned loop with quarterly tabletop exercises so the playbooks above are tested before they are needed. One housekeeping note on the compliance table that follows every control. Most IR controls are playbook-driven and process-bound rather than state-driven — CIS Foundations Benchmarks across all four providers are weighted toward configurable state (encryption, public access, logging enabled) and only lightly cover the IR domain. Expect the CIS columns on this page to read (best-practices) or n/a for most controls; NIST SP 800-53 rev5 IR family (IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting, IR-8 Incident Response Plan, plus AU-9 / AU-11 for evidence) and ISO/IEC 27001:2022 (A.5.24 information-security incident management, A.5.26 response to incidents, A.5.28 collection of evidence) are the primary mappings. The compliance-frameworks page explains why each row still carries the same seven framework columns even when several read n/a — the column layout is corpus-wide for diff-grade reading across domains. aws-ir-01-break-glass-account ! CRITICAL PREVENTIVE Pre-provision at least two break-glass identities that are reachable when the organisation's primary federated identity provider (IAM Identity Center backed by Okta, Entra ID, Ping, or Google Workspace) is unavailable, compromised, or otherwise unusable. The canonical pattern is a dedicated IAM Identity Center permission set bound to a small number (two to four) of named human responders whose user records live inside Identity Center rather than being federated from the IdP, each protected by a hardware MFA device (YubiKey or equivalent) physically stored in two separate locked safes in two separate buildings. 
Every console sign-in or CLI assume-role with the break-glass permission set fires a CloudWatch alarm to SNS, PagerDuty, and the security on-call channel within seconds (AWS Security Incident Response Guide — Preparation (accessed 2026-05)). The same alarm fabric is documented in aws-log-07; this control adds the break-glass-specific filter. The principle is reinforced in General IR — preparation: the very first incident that takes out the IdP is exactly the scenario IR exists to handle, and an IdP-only access model has zero recovery path in that scenario. Quarterly access tests — a named responder retrieves their YubiKey from the safe, signs into the AWS Organization management account, performs a single read-only API call, signs out — keep the credential, the MFA device, and the alarm pipeline all known-working. Tests that have not been performed in the last 90 days are tracked on the security team's drift dashboard. MITIGATES: Loss of administrative access to the AWS Organization during the exact incident class IR exists to handle — IdP outage, IdP compromise (Okta 2022/2023 incidents, Entra ID token-theft chains), or accidental misconfiguration of the IdP-to-Identity-Center trust that locks every federated user out of AWS. ATTACK VECTOR: An attacker who compromises the IdP can either lock legitimate responders out (revoke their IdP entitlements) or assume their identities (forged SAML assertions, Midnight Blizzard / Storm-0558-style token forgery). Without a non-federated break-glass identity, responders have no out-of-band path to the AWS console at the precise moment they need to revoke the federated trust and contain the blast radius. Equally common: a botched IdP config push removes the IAM Identity Center SAML attribute mapping and no human can authenticate to AWS until the IdP team rolls back — which they may not be able to do quickly if the IdP itself is the incident. BLAST RADIUS: The entire AWS Organization. 
Without break-glass, the time-to-recover an Organization-wide IdP failure is bounded below by the IdP vendor's recovery time, which can be hours to days for severe incidents and is outside the AWS customer's control. With break-glass, recovery time is bounded by the responder's drive-to-the-safe time plus a single SAML provider replacement — typically under an hour. Remediation — AWS CLI <code class=\"language-bash\"># Create a dedicated break-glass permission set in IAM Identity Center. # Session duration deliberately short (1 hour) so a forgotten session expires fast. aws sso-admin create-permission-set \\ --instance-arn \"$IDC_INSTANCE_ARN\" \\ --name BreakGlassAdmin \\ --description \"Emergency-only; every use alarms\" \\ --session-duration PT1H # Attach the AWS managed AdministratorAccess policy (break-glass needs full reach). aws sso-admin attach-managed-policy-to-permission-set \\ --instance-arn \"$IDC_INSTANCE_ARN\" \\ --permission-set-arn \"$PS_ARN\" \\ --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess # Provision the named human responder as a non-federated Identity Center user. aws identitystore create-user \\ --identity-store-id \"$IDS_ID\" \\ --user-name break-glass-responder-01 \\ --display-name \"Break-Glass Responder 01\" \\ --emails Value=ir+bg01@example.com,Type=Work,Primary=true \\ --name FamilyName=Responder,GivenName=BreakGlass # Enrol the hardware MFA device. The TOTP/U2F enrolment uses the Identity Center # console; CLI enrolment of FIDO2 hardware tokens is not currently supported and # must be completed interactively by the human responder during initial setup. # CloudWatch alarm on every assume-role with the break-glass permission set. 
aws logs put-metric-filter \\ --log-group-name aws-cloudtrail-logs \\ --filter-name BreakGlassAssumeRole \\ --filter-pattern '{ $.eventName = \"AssumeRoleWithSAML\" && $.requestParameters.roleArn = \"*BreakGlassAdmin*\" }' \\ --metric-transformations metricName=BreakGlassUse,metricNamespace=Security,metricValue=1</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS Security Incident Response Guide (accessed 2026-05) # Break-glass permission set in IAM Identity Center. resource \"aws_ssoadmin_permission_set\" \"break_glass\" { name = \"BreakGlassAdmin\" description = \"Emergency-only; every use alarms\" instance_arn = local.idc_instance_arn session_duration = \"PT1H\" } resource \"aws_ssoadmin_managed_policy_attachment\" \"break_glass_admin\" { instance_arn = local.idc_instance_arn managed_policy_arn = \"arn:aws:iam::aws:policy/AdministratorAccess\" permission_set_arn = aws_ssoadmin_permission_set.break_glass.arn } # Named non-federated responder identities. resource \"aws_identitystore_user\" \"break_glass\" { for_each = toset([\"bg01\", \"bg02\"]) identity_store_id = local.identity_store_id user_name = \"break-glass-responder-${each.key}\" display_name = \"Break-Glass Responder ${each.key}\" name { family_name = \"Responder\" given_name = \"BreakGlass\" } emails { value = \"ir+${each.key}@example.com\" type = \"Work\" primary = true } } # Alarm on every assume-role with the break-glass permission set. 
resource \"aws_cloudwatch_log_metric_filter\" \"break_glass_use\" { name = \"BreakGlassAssumeRole\" log_group_name = \"aws-cloudtrail-logs\" pattern = \"{ $.eventName = \\\"AssumeRoleWithSAML\\\" && $.requestParameters.roleArn = \\\"*BreakGlassAdmin*\\\" }\" metric_transformation { name = \"BreakGlassUse\" namespace = \"Security\" value = \"1\" } } resource \"aws_cloudwatch_metric_alarm\" \"break_glass_use\" { alarm_name = \"break-glass-use\" comparison_operator = \"GreaterThanOrEqualToThreshold\" evaluation_periods = 1 threshold = 1 period = 60 metric_name = \"BreakGlassUse\" namespace = \"Security\" statistic = \"Sum\" treat_missing_data = \"notBreaching\" alarm_actions = [aws_sns_topic.security_oncall.arn] }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Break-glass IAM role gated by MFA and audited via CloudTrail; assumable only from an emergency-responder principal. Parameters: EmergencyResponderArn: Type: String Resources: BreakGlassRole: Type: AWS::IAM::Role Properties: RoleName: break-glass-emergency MaxSessionDuration: 3600 AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Ref EmergencyResponderArn Action: sts:AssumeRole Condition: Bool: aws:MultiFactorAuthPresent: 'true' NumericLessThan: aws:MultiFactorAuthAge: '900' ManagedPolicyArns: - arn:aws:iam::aws:policy/AdministratorAccess</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_iam as iam } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface BreakGlassProps extends cdk.StackProps { emergencyResponderArn: string; } export class BreakGlassRoleStack extends cdk.Stack { constructor(scope: Construct, id: string, props: BreakGlassProps) { super(scope, id, props); new iam.Role(this, 'BreakGlassRole', { roleName: 'break-glass-emergency', maxSessionDuration: cdk.Duration.hours(1), assumedBy: new 
iam.ArnPrincipal(props.emergencyResponderArn).withConditions({ Bool: { 'aws:MultiFactorAuthPresent': 'true' }, NumericLessThan: { 'aws:MultiFactorAuthAge': '900' }, }), managedPolicies: [ iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'), ], }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 (best-practices) n/a n/a n/a IR-4; AC-2(8); AC-6 A.5.24; A.5.26 CLD.9.5.1 Log signals CloudTrail console-sign-in events for the dedicated break-glass IAM user — the steady-state usage rate is exactly zero and any login is by definition a break-glass activation that must be reconciled against the on-call documented ticket within minutes. CloudTrail sts:AssumeRole events whose roleArn matches the break-glass role's ARN and whose sourceIPAddress is outside the documented break-glass jump-host CIDR set. CloudTrail iam:CreateAccessKey on the break-glass user — the documented operating model says the break-glass user has hardware-MFA console access only; programmatic-key creation indicates either a deliberate posture deviation or an attacker pivoting from a stolen session. Query <code class=\"language-sql\">fields @timestamp, eventName, userIdentity.arn, sourceIPAddress, requestParameters.roleArn, responseElements.ConsoleLogin | filter (eventName = \"ConsoleLogin\" and userIdentity.arn like /:user\\/break-glass/) or (eventName = \"AssumeRole\" and requestParameters.roleArn like /:role\\/BreakGlass/) or (eventName = \"CreateAccessKey\" and requestParameters.userName = \"break-glass\") | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights query routes all three break-glass signals into a single result set; downstream PagerDuty integration should treat any row as severity-1 by default and rely on the documented-ticket reconciliation flow to downgrade false positives. 
Alert threshold Any console-sign-in by the break-glass user — page immediately and ring the on-call IC; the legitimate usage rate is so low that even a single login warrants out-of-band confirmation from the named hardware-MFA holder. An AssumeRole on the break-glass role from outside the documented jump-host CIDR — page; treat as confirmed compromise of either the user's MFA hardware or the jump-host until proven otherwise. Any CreateAccessKey on the break-glass user — page; this is the canonical signal of an attacker trying to establish persistence after a successful break-glass authentication. Initial response Confirm the activation against the documented break-glass ticket via out-of-band channel (phone call to the named hardware-MFA holder, not Slack); if the holder did not authenticate, treat as confirmed compromise and disable the user immediately via aws iam attach-user-policy --user-name break-glass --policy-arn arn:aws:iam::aws:policy/AWSDenyAll. Pull the full CloudTrail trail of the break-glass session — every API call made under the user's session — and reconstruct intent against the documented break-glass scenario; any deviation from the documented scenario is a forensic data point. After the break-glass episode closes, rotate the user's password and MFA registration via the documented rotation playbook; the hardware MFA device may need re-enrolment depending on the org's break-glass post-use protocol described in general/ir.html. References AWS IAM — break-glass account guidance (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-ir-02-eventbridge-auto-containment ! HIGH RESPONSIVE Wire EventBridge rules in the security-tooling account (the delegated GuardDuty administrator) so that every GuardDuty finding with severity >= 7 — the CRITICAL band in GuardDuty's 1–10 scale — invokes a Lambda quarantine function within seconds. 
The quarantine function performs three deterministic actions in order: replace the offending EC2 instance's security groups with a single deny-all SG, detach the IAM instance profile, and create an EBS snapshot of every attached volume tagged with the GuardDuty finding ID for forensic chain-of-custody (AWS Incident Response Playbooks repository (accessed 2026-05)). The detective half of this loop lives on the AWS Logging page as aws-log-04-guardduty-org; without org-wide GuardDuty with all data sources enabled, this control has nothing to fire on. EventBridge is preferred over GuardDuty's built-in \"auto-archive\" or \"auto-suppression\" features because it gives the security team a programmable handoff: the rule can route by finding type, by resource type, by account ID, by severity, or by an arbitrary JSON-path expression on the finding payload, and the downstream target can be Lambda, Step Functions, SNS, SQS, or a partner SaaS via API Destinations. The 1-minute SLO on EventBridge delivery (Amazon EventBridge quotas (accessed 2026-05)) bounds time-to-contain at low single-digit minutes for the entire automation chain — finding emission to quarantine completion. MITIGATES: The gap between detection and containment during compromise of an EC2 instance — a window in which the attacker is actively pivoting, exfiltrating data, or escalating privilege via the instance's IAM role. Without automation, time-to-contain is bounded below by the on-call responder's pager-to-keyboard time (15–45 minutes typical); with automation, it is bounded by EventBridge delivery latency (seconds). ATTACK VECTOR: GuardDuty raises an UnauthorizedAccess:EC2/MaliciousIPCaller.Custom or Backdoor:EC2/C&CActivity.B!DNS finding at severity 8. 
In the manual-response path, the finding sits in the Security Hub queue until a human triages it, the human SSHes (or SSMs) to the instance, the human runs commands to isolate the instance, and by the time all of that completes the attacker has already exfiltrated whatever was reachable from the instance's IAM role. The window typical attackers operate inside is well under the manual-response time. BLAST RADIUS: Per compromised instance — the quarantine function's actions are scoped to a single EC2 instance ID extracted from the GuardDuty finding payload. A buggy quarantine function that mis-targets is bounded by the same scope; the function will not (and per the IaC below, structurally cannot) touch a resource not named in the finding. Remediation — AWS CLI <code class=\"language-bash\"># EventBridge rule on GuardDuty severity>=7 findings. aws events put-rule \\ --name guardduty-critical-findings \\ --event-pattern '{ \"source\": [\"aws.guardduty\"], \"detail-type\": [\"GuardDuty Finding\"], \"detail\": { \"severity\": [{ \"numeric\": [\">=\", 7] }] } }' \\ --state ENABLED # Target: the quarantine Lambda. EventBridge passes the full finding as input. aws events put-targets \\ --rule guardduty-critical-findings \\ --targets \"Id=quarantine,Arn=arn:aws:lambda:eu-west-1:111111111111:function:gd-quarantine\" # Grant EventBridge permission to invoke the Lambda. aws lambda add-permission \\ --function-name gd-quarantine \\ --statement-id eventbridge-invoke \\ --action lambda:InvokeFunction \\ --principal events.amazonaws.com \\ --source-arn arn:aws:events:eu-west-1:111111111111:rule/guardduty-critical-findings</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS IR Playbooks repository (accessed 2026-05) # Deny-all SG that quarantined instances are attached to. 
resource \"aws_security_group\" \"quarantine\" { name = \"ir-quarantine\" description = \"Deny-all SG for quarantined instances; no ingress or egress rules\" vpc_id = aws_vpc.workload.id tags = { Purpose = \"ir-quarantine\" } } # Quarantine Lambda — reads the finding, snapshots EBS, detaches instance # profile, swaps SGs. Function source lives in the security tooling repo. resource \"aws_lambda_function\" \"gd_quarantine\" { function_name = \"gd-quarantine\" role = aws_iam_role.gd_quarantine.arn handler = \"index.handler\" runtime = \"python3.12\" filename = \"build/gd-quarantine.zip\" timeout = 60 environment { variables = { QUARANTINE_SG_ID = aws_security_group.quarantine.id } } } # EventBridge rule on GuardDuty severity>=7. resource \"aws_cloudwatch_event_rule\" \"gd_critical\" { name = \"guardduty-critical-findings\" event_pattern = jsonencode({ source = [\"aws.guardduty\"] \"detail-type\" = [\"GuardDuty Finding\"] detail = { severity = [{ numeric = [\">=\", 7] }] } }) } resource \"aws_cloudwatch_event_target\" \"gd_quarantine\" { rule = aws_cloudwatch_event_rule.gd_critical.name target_id = \"quarantine\" arn = aws_lambda_function.gd_quarantine.arn } resource \"aws_lambda_permission\" \"eventbridge_invoke\" { statement_id = \"eventbridge-invoke\" action = \"lambda:InvokeFunction\" function_name = aws_lambda_function.gd_quarantine.function_name principal = \"events.amazonaws.com\" source_arn = aws_cloudwatch_event_rule.gd_critical.arn }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EventBridge rule routing high-severity GuardDuty findings to an SSM Automation runbook. 
Parameters: ContainmentRoleArn: Type: String Resources: HighSevGuardDutyRule: Type: AWS::Events::Rule Properties: Name: guardduty-high-sev-containment EventPattern: source: - aws.guardduty detail-type: - GuardDuty Finding detail: severity: - numeric: ['>=', 7] Targets: - Id: ssm-containment Arn: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/AWS-IsolateEC2Instance:$DEFAULT' RoleArn: !Ref ContainmentRoleArn</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 (best-practices) n/a n/a n/a IR-4(1); IR-4(7); SI-4(7) A.5.26 CLD.12.4.5 Log signals CloudTrail events:DeleteRule targeting the canonical EventBridge rule that fans GuardDuty findings into the auto-containment Lambda — destroys the auto-response pipeline at the routing layer, leaving findings flowing to the Security Hub queue but not triggering any automated action. CloudTrail events:DisableRule on the same rule — leaves the rule visible but inert; the absence-of-fire signal is harder to spot than a deletion because the rule still appears in the EventBridge console. Lambda function-error CloudWatch metric on the auto-containment function exceeding zero over a rolling 5-minute window — the function may be receiving events but failing to execute its containment actions, producing a silent failure mode that the rule-disable detection misses. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.name, requestParameters.eventBusName, requestParameters.functionName, userIdentity.arn | filter eventSource in [\"events.amazonaws.com\",\"lambda.amazonaws.com\"] and eventName in [\"DeleteRule\",\"DisableRule\",\"RemoveTargets\",\"DeleteFunction\",\"UpdateFunctionConfiguration\"] | filter requestParameters.name like /guardduty-/ or requestParameters.functionName like /^auto-containment-/ | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query covers both EventBridge-side and Lambda-side mutations; for the silent-failure case, pair with a CloudWatch alarm on the Lambda's Errors metric with a threshold at zero so any error fires within one evaluation period. Alert threshold Any DeleteRule on the canonical GuardDuty fan-out rule — page immediately; the auto-response capability vanishes at the moment of the delete and every subsequent finding lacks the documented containment hook. DisableRule on the same — page within 5 minutes; the rule is in the inert state and re-enable is a one-click action that the operator should perform after confirming the intent of the disable. Lambda errors above zero for two consecutive 5-minute periods — high-priority ticket; the function is receiving events but its containment actions are failing, producing a partial-coverage state that may be worse than the all-or-nothing disable cases. Initial response Restore the EventBridge rule from IaC with aws events put-rule and re-attach the Lambda target via put-targets; verify the chain end-to-end by injecting a synthetic GuardDuty finding via aws guardduty create-sample-findings and confirming the Lambda fires. 
For Lambda-error cases, retrieve the recent CloudWatch Logs entries from the function's log group and identify the root cause (commonly an IAM policy drift on the function's role, a missing target-resource ARN in the containment logic, or a downstream API throttle); fix and redeploy the function from IaC. Pull the GuardDuty findings backlog (aws guardduty list-findings) for the gap window and manually trigger the containment actions for each finding that the pipeline missed; document the gap-of-coverage as a finding for the next IR post-mortem per general/ir.html. References AWS EventBridge — rules and targets reference (accessed 2026-05) Pair-control: aws-log-04-guardduty-org · Cross-provider equivalence: Azure · GCP · OCI Pair-control: aws-log-04-guardduty-org (detective half). Equivalent on: Azure · GCP · OCI aws-ir-03-evidence-preservation ! CRITICAL RESPONSIVE Stand up a dedicated forensic AWS account (separate Organization OU, no shared roles with workload accounts) that owns an S3 evidence bucket configured with Object Lock in Compliance mode and a default retention of at least one year — preferably seven years to align with the CloudTrail Lake retention pattern documented in aws-ir-04. Object Lock Compliance mode is write-once-read-many at the API level: not even the root user of the account can delete or shorten the retention of an object during its retention window (Amazon S3 Object Lock overview (accessed 2026-05)). When an incident is declared, cross-account replication is enabled (or, if pre-configured, simply unpaused) from the CloudTrail log bucket, the VPC Flow Logs bucket, and any GuardDuty / Macie / Security Hub findings export bucket into the forensic account's evidence bucket. The combination — separate account, separate trust, Object Lock Compliance — defeats the credential-compromise-leads-to-log-deletion attacker chain that any same-account log store is vulnerable to. 
The principle is documented in General IR — forensics & evidence preservation and codified in the AWS Customer Playbook Framework (accessed 2026-05) evidence-collection playbook. Compliance mode is preferred over Governance mode for evidence: Governance allows users with the s3:BypassGovernanceRetention permission to override the lock, which directly contradicts the threat model — the very privileges an attacker is most likely to acquire are the ones that would let them disable Governance. Compliance mode has no such bypass. MITIGATES: Anti-forensics — an attacker with administrative privileges in the breached account deleting CloudTrail logs, VPC Flow Logs, or GuardDuty findings to cover their tracks. Also mitigates inadvertent loss (a misconfigured lifecycle policy that ages logs to deletion before retention requirements are met) and regulatory non-compliance with PCI-DSS, HIPAA, and SOX evidence-retention requirements. ATTACK VECTOR: An attacker assumes a privileged role in the workload account via stolen credentials or a chained role-assumption. They run aws s3 rm --recursive s3://my-cloudtrail-logs/ or aws cloudtrail delete-trail; if the logs lived in the same account under the same trust boundary, the evidence vanishes. Even Object Lock in Governance mode is bypassable by the same compromised admin. Same-account log storage is a single point of failure for forensic reconstruction. BLAST RADIUS: Without this control, the entire forensic record for an incident is at the mercy of the breached account's admins. With this control, the forensic record is reachable only from an account whose trust boundary was not breached, and the records themselves cannot be deleted until their retention expires — even by the root user of the forensic account. Remediation — AWS CLI <code class=\"language-bash\"># Create the evidence bucket with Object Lock enabled at create time. 
# Object Lock can ONLY be enabled at bucket creation; existing buckets # cannot be retrofitted via API (must recreate or use AWS Support). aws s3api create-bucket \\ --bucket ir-evidence-prod-eu-west-1 \\ --region eu-west-1 \\ --create-bucket-configuration LocationConstraint=eu-west-1 \\ --object-lock-enabled-for-bucket # Enable versioning (required for Object Lock). aws s3api put-bucket-versioning \\ --bucket ir-evidence-prod-eu-west-1 \\ --versioning-configuration Status=Enabled # Apply Object Lock Compliance mode with 1-year default retention. aws s3api put-object-lock-configuration \\ --bucket ir-evidence-prod-eu-west-1 \\ --object-lock-configuration '{ \"ObjectLockEnabled\": \"Enabled\", \"Rule\": { \"DefaultRetention\": { \"Mode\": \"COMPLIANCE\", \"Years\": 1 } } }' # Cross-account replication: CloudTrail log bucket (workload account) replicates # into the evidence bucket (forensic account). Pre-configured but pausable so # replication can be triggered explicitly at incident-declaration time. aws s3api put-bucket-replication \\ --bucket workload-cloudtrail-logs \\ --replication-configuration file://replication.json</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS Customer Playbook Framework — Evidence collection (accessed 2026-05) # Evidence bucket in the forensic account with Object Lock Compliance mode. resource \"aws_s3_bucket\" \"evidence\" { bucket = \"ir-evidence-prod-eu-west-1\" object_lock_enabled = true tags = { Purpose = \"ir-evidence\", Account = \"forensic\" } } resource \"aws_s3_bucket_versioning\" \"evidence\" { bucket = aws_s3_bucket.evidence.id versioning_configuration { status = \"Enabled\" } } resource \"aws_s3_bucket_object_lock_configuration\" \"evidence\" { bucket = aws_s3_bucket.evidence.id rule { default_retention { mode = \"COMPLIANCE\" years = 1 } } } # Block all public access on the evidence bucket (defence in depth). 
resource \"aws_s3_bucket_public_access_block\" \"evidence\" { bucket = aws_s3_bucket.evidence.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } # Cross-account replication from workload CloudTrail bucket into evidence. resource \"aws_s3_bucket_replication_configuration\" \"ct_to_evidence\" { provider = aws.workload bucket = aws_s3_bucket.workload_cloudtrail.id role = aws_iam_role.replication.arn rule { id = \"ct-to-evidence\" status = \"Enabled\" filter {} destination { bucket = aws_s3_bucket.evidence.arn storage_class = \"STANDARD_IA\" account = local.forensic_account_id access_control_translation { owner = \"Destination\" } } delete_marker_replication { status = \"Disabled\" } } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: WORM-mode evidence S3 bucket with Object Lock (compliance), KMS-CMK encryption, and account BPA. Parameters: EvidenceBucketName: Type: String EvidenceKmsKeyArn: Type: String Resources: EvidenceBucket: Type: AWS::S3::Bucket Properties: BucketName: !Ref EvidenceBucketName ObjectLockEnabled: true ObjectLockConfiguration: ObjectLockEnabled: Enabled Rule: DefaultRetention: Mode: COMPLIANCE Days: 2555 VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: true ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: !Ref EvidenceKmsKeyArn PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_s3 as s3, aws_kms as kms } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface EvidenceBucketProps extends cdk.StackProps { evidenceBucketName: string; evidenceKmsKeyArn: string; } export class EvidenceBucketStack extends cdk.Stack { 
constructor(scope: Construct, id: string, props: EvidenceBucketProps) { super(scope, id, props); const key = kms.Key.fromKeyArn(this, 'EvidenceKey', props.evidenceKmsKeyArn); new s3.Bucket(this, 'EvidenceBucket', { bucketName: props.evidenceBucketName, objectLockEnabled: true, objectLockDefaultRetention: s3.ObjectLockRetention.compliance(cdk.Duration.days(2555)), versioned: true, encryption: s3.BucketEncryption.KMS, encryptionKey: key, bucketKeyEnabled: true, blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 (best-practices) n/a n/a n/a AU-11; IR-4(7); SI-7 A.5.28; A.8.13 CLD.12.4.5 Log signals CloudTrail s3:PutBucketLifecycleConfiguration events on the evidence-preservation S3 bucket where the new lifecycle rule introduces a Transition to Glacier or an Expiration at an interval shorter than the org's documented retention floor (typically 7 years for SOC 2, longer for HIPAA). CloudTrail s3:DeleteObject or s3:DeleteObjectVersion within the evidence bucket — the bucket should be Object-Lock-enabled in compliance mode, so any successful delete (rather than a denied delete) indicates either the lock has been compromised or the operator is targeting non-locked objects. CloudTrail s3:PutObjectLegalHold with legalHold.status=OFF on objects previously held — removes the manual hold that supplements the Object Lock retention and is frequently used to ready objects for deletion outside the retention window. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.bucketName, requestParameters.key, requestParameters.lifecycleConfiguration, requestParameters.legalHold, userIdentity.arn | filter eventSource = \"s3.amazonaws.com\" and eventName in [\"PutBucketLifecycleConfiguration\",\"DeleteObject\",\"DeleteObjectVersion\",\"PutObjectLegalHold\",\"PutObjectRetention\"] | filter requestParameters.bucketName like /-evidence-/ or requestParameters.bucketName like /-forensic-/ | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query is bucket-scoped via name-pattern matching; maintain the evidence-bucket name pattern as a managed lookup so the filter does not drift when a new bucket joins the evidence-preservation set. Alert threshold Any lifecycle-rule change on an evidence bucket — page immediately; the rule shape is a compliance control and any change must trace to a documented retention-policy decision approved by Legal / Compliance. Successful object-delete on an evidence bucket — page; the Object Lock should have prevented the delete and a successful one indicates either lock-mode regression or pre-existing non-locked objects that should not have been in the bucket to begin with. Legal-hold removal — page; the hold is the legal-team's signal that the object must remain available and removal outside a Legal-approved release is a deliberate evidence-tampering attempt. Initial response For lifecycle-rule changes, restore from IaC with aws s3api put-bucket-lifecycle-configuration --bucket {name} --lifecycle-configuration file://canonical-lifecycle.json; verify via get-bucket-lifecycle-configuration. For successful object-deletes, recover from the bucket's versioning history via aws s3api list-object-versions + restore-marker-removal; if the bucket lacked versioning at the time of delete, the object is lost and the incident escalates to confirmed evidence destruction. 
Open an incident via general/ir.html and engage Legal / Compliance immediately if any successful evidence-delete is confirmed; the org's regulatory disclosure obligations may require notification of the affected investigation's data subjects. References AWS S3 — Object Lock reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-ir-04-cloudtrail-lake-forensics ! HIGH RESPONSIVE Stand up a CloudTrail Lake event data store at Organization scope with a seven-year (2557-day) retention period and pre-write a SQL query library that answers the most common forensic questions: which principal touched resource X between time A and time B, what API calls originated from suspicious source-IP S, when was KMS key K last disabled and by whom, which IAM role had its trust policy modified during the incident window. CloudTrail Lake is a columnar store backed by Apache Iceberg that lets responders run ANSI SQL against management events, S3 / Lambda data events, AWS Config configuration items, and Audit Manager evidence with sub-minute query latency on multi-billion-row datasets (AWS CloudTrail Lake documentation (accessed 2026-05)). The base CloudTrail org-trail control (aws-log-08-cloudtrail-lake) is the detective half: it ensures the Lake store exists and is ingesting. This control is the responsive half: it makes the store usable under IR time pressure by pre-writing and version-controlling the saved-query library so a responder does not have to write SQL from scratch at 03:00 on a Saturday. The two-control split is deliberate — the AWS Logging page owns \"the Lake is collecting\"; this page owns \"the Lake is queryable under stress\". MITIGATES: Inability to reconstruct attacker actions during post-incident investigation. CloudTrail S3 logs in raw JSON are queryable only via Athena, which requires schema gymnastics and partition projection setup that no responder will do under incident time pressure. 
Without a pre-built forensic query library, the investigation lags the incident by hours-to-days. ATTACK VECTOR: An incident is declared at 09:00 Monday. The responder needs to know: did the compromised IAM role assume any other roles, what S3 objects did it read, did it call iam:CreateAccessKey or kms:Disable? In the no-Lake path the responder writes Athena DDL against partit"},{"id":"aws/kubernetes.html","url":"aws/kubernetes.html","title":"AWS EKS Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Kubernetes","description":"AWS Elastic Kubernetes Service (EKS) hardening: private endpoint, EKS Pod Identity, KMS envelope encryption, Cluster Access Management API, IMDSv2 hop-limit 1, CloudWatch control-plane logs, EKS-managed add-ons, Bottlerocket / AL2023 nodes, network policy default-deny, Pod Security Standards.","body":"AWS EKS Hardening Overview This page covers hardening controls for Amazon Elastic Kubernetes Service (EKS). Both EKS Standard managed node groups and EKS Auto Mode are addressed — mode-specific differences are noted in per-control callouts immediately below each control header. Where a control is enforced by default in EKS Auto Mode, the callout identifies it; where Standard mode requires explicit configuration, the callout shows the Terraform or aws eks incantation. See general/kubernetes.html for the cross-cutting threat model, cluster-baseline principles, and common misconfigurations that apply to all providers. Controls are ordered by TSV anchor (01..10) which clusters by topic for cross-provider equivalence; severity ordering is approximately CRITICAL → HIGH → MEDIUM. Terraform examples use hashicorp/aws ~> 5.0. The sealed v1.0 AWS pages use the same provider pin. Supporting IAM prerequisites — including the EKS Pod Identity trust policy template — are on aws/iam.html; VPC patterns (private subnets, NAT egress) are on aws/network.html; CloudWatch sink configuration is on aws/logging.html. aws-k8s-01 ! 
CRITICAL PREVENTIVE EKS Standard: Pass endpoint_public_access = false and endpoint_private_access = true at cluster creation. For required external access, scope public_access_cidrs to a CIDR allow-list. Most VPC config is immutable post-create. EKS Auto Mode: The same private-endpoint configuration is supported. Node management is automated, but control-plane endpoint configuration is identical to Standard mode. Enable a private EKS cluster endpoint so the kube-apiserver is unreachable from the public internet. Combine with public_access_cidrs if external access is genuinely required (CI runners, admin VPNs). A public kube-apiserver is the number-one Kubernetes breach vector — any leaked kubeconfig credential is immediately usable from the internet without network-level barriers. MITIGATES: Public kube-apiserver exploitation — unauthenticated, stolen-token, or stale-kubeconfig access from anywhere on the internet. ATTACK VECTOR: Attacker recovers a leaked kubeconfig from a developer laptop, GitHub repo, or CI environment variable; issues kubectl exec or kubectl get secrets from any internet host. BLAST RADIUS: Full cluster administrative access — pod execution, secret exfiltration, workload modification, lateral movement to AWS APIs via worker-node or Pod Identity role. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_eks_cluster\" \"hardened\" { name = \"hardened-cluster\" role_arn = aws_iam_role.eks_cluster.arn version = \"1.30\" vpc_config { subnet_ids = var.private_subnet_ids endpoint_public_access = false endpoint_private_access = true # If public access is unavoidable, scope to a narrow allow-list: # public_access_cidrs = [var.management_cidr] } access_config { authentication_mode = \"API\" bootstrap_cluster_creator_admin_permissions = false } enabled_cluster_log_types = [\"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler\"] encryption_config { provider { key_arn = aws_kms_key.eks_secrets.arn } resources = [\"secrets\"] } }</code> Remediation — aws eks <code class=\"language-bash\">aws eks create-cluster \\ --name hardened-cluster \\ --role-arn arn:aws:iam::ACCOUNT:role/eks-cluster-role \\ --resources-vpc-config \\ endpointPublicAccess=false,endpointPrivateAccess=true,subnetIds=subnet-aaa,subnet-bbb \\ --access-config authenticationMode=API,bootstrapClusterCreatorAdminPermissions=false \\ --kubernetes-version 1.30</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EKS cluster with private-only API endpoint, KMS envelope encryption, and audit logs enabled. 
Parameters: ClusterName: Type: String ClusterRoleArn: Type: String ClusterKmsKeyArn: Type: String SubnetIds: Type: List<AWS::EC2::Subnet::Id> SecurityGroupIds: Type: List<AWS::EC2::SecurityGroup::Id> Resources: PrivateEksCluster: Type: AWS::EKS::Cluster Properties: Name: !Ref ClusterName Version: '1.31' RoleArn: !Ref ClusterRoleArn ResourcesVpcConfig: SubnetIds: !Ref SubnetIds SecurityGroupIds: !Ref SecurityGroupIds EndpointPublicAccess: false EndpointPrivateAccess: true EncryptionConfig: - Provider: KeyArn: !Ref ClusterKmsKeyArn Resources: - secrets Logging: ClusterLogging: EnabledTypes: - Type: api - Type: audit - Type: authenticator - Type: controllerManager - Type: scheduler</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_eks as eks, aws_ec2 as ec2, aws_iam as iam, aws_kms as kms } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface PrivateEksProps extends cdk.StackProps { clusterName: string; vpc: ec2.IVpc; clusterKmsKeyArn: string; } export class PrivateEksClusterStack extends cdk.Stack { constructor(scope: Construct, id: string, props: PrivateEksProps) { super(scope, id, props); new eks.Cluster(this, 'PrivateCluster', { clusterName: props.clusterName, version: eks.KubernetesVersion.V1_31, vpc: props.vpc, vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }], endpointAccess: eks.EndpointAccess.PRIVATE, secretsEncryptionKey: kms.Key.fromKeyArn(this, 'ClusterKmsKey', props.clusterKmsKeyArn), clusterLogging: [ eks.ClusterLoggingTypes.API, eks.ClusterLoggingTypes.AUDIT, eks.ClusterLoggingTypes.AUTHENTICATOR, eks.ClusterLoggingTypes.CONTROLLER_MANAGER, eks.ClusterLoggingTypes.SCHEDULER, ], }); } }</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes 
Hardening Guide v1.2 aws-k8s-01 CRITICAL PREVENTIVE AWS EKS n/a (managed control plane) n/a (verify against CIS EKS Benchmark v1.8.0 PDF) AC-17; SC-7; SC-8 A.8.20; A.8.22 CLD.13.1.4 NIST SP 800-190 §4.4.1 NSA/CISA Kubernetes Hardening Guide v1.2 §2 (Network separation) Log signals CloudTrail eks:UpdateClusterConfig events where requestParameters.resourcesVpcConfig.endpointPublicAccess flips from false to true, or where publicAccessCidrs widens beyond the corporate egress allow-list (matching 0.0.0.0/0 is the canonical regression). EKS audit log entries in /aws/eks/{cluster}/cluster where verb=create and requestObject.kind=Endpoints originate from a sourceIPs value not enumerated in the documented administrator CIDR list — indicates the control plane is now reachable from an unexpected network. Config rule eks-endpoint-no-public-access evaluating NON_COMPLIANT on any cluster resource — feeds Security Hub for fleet-wide correlation. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.name, requestParameters.resourcesVpcConfig.endpointPublicAccess, requestParameters.resourcesVpcConfig.publicAccessCidrs, userIdentity.arn, sourceIPAddress | filter eventSource = \"eks.amazonaws.com\" and eventName = \"UpdateClusterConfig\" | filter requestParameters.resourcesVpcConfig.endpointPublicAccess = true | sort @timestamp desc | limit 100</code> Run the CloudWatch Logs Insights query over the org-trail log group spanning all member accounts; the EKS control-plane API surface is the only attack path that this control closes, so a single hit warrants paging the on-call cluster-operator. Alert threshold Any endpointPublicAccess=true flip on a production cluster — page immediately; cluster tag env=prod drives the routing. A publicAccessCidrs value of 0.0.0.0/0 — block via SCP-deny preview before alert fan-out and treat the change attempt itself as the incident. 
Three or more UpdateClusterConfig calls touching the VPC config block within a rolling 24 hours from the same principal — suggests configuration churn rather than a one-shot regression and merits a change-management review. Initial response Revert the cluster config with aws eks update-cluster-config --name {cluster} --resources-vpc-config endpointPublicAccess=false; capture the CloudTrail eventID and the userIdentity SAML assertion as forensic ledger entries. Pivot to VPC Flow Logs for the cluster's ENI subnet over the exposure window and enumerate every inbound TCP 443 flow from non-corporate CIDRs; cross-check the source IPs against GuardDuty findings filtered on resource.eksClusterDetails. Open an incident via general/ir.html if any inbound flow appears, and rotate cluster certificates (aws eks update-cluster-version path) to invalidate any kubeconfig captured during the public window. References AWS EKS — cluster endpoint access control (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent controls in other providers: GKE private cluster + authorized networks, AKS private cluster, OKE private API endpoint. aws-k8s-02 ! HIGH PREVENTIVE EKS Standard: EKS Pod Identity (GA Nov 2023) is the recommended pattern for new clusters. Install the eks-pod-identity-agent managed add-on, then create aws_eks_pod_identity_association resources mapping K8s ServiceAccounts to IAM roles. EKS Auto Mode: The Pod Identity agent is pre-installed and managed by EKS Auto. Create associations the same way; no agent-DaemonSet management required. Bind Kubernetes ServiceAccounts to AWS IAM Roles via EKS Pod Identity associations. Pod Identity eliminates the per-cluster OIDC provider, uses cluster-scoped associations (not per-pod annotations), and provides faster credential rotation than the legacy IRSA pattern. The default Node IAM role should be least-privilege and decoupled from per-workload AWS permissions; pod-scoped IAM is granted via Pod Identity associations. 
Migration from IRSA: Existing IRSA workloads (which use the per-cluster OIDC provider plus the eks.amazonaws.com/role-arn ServiceAccount annotation) remain supported. IRSA is the legacy migration path; new clusters should adopt Pod Identity, and existing clusters can migrate workload-by-workload by creating a Pod Identity association and removing the IRSA annotation. MITIGATES: Over-privileged pod compromise — a pod inheriting node-role permissions or a broadly-scoped IRSA role can call any AWS API the role can access. ATTACK VECTOR: Attacker exploits a pod vulnerability (RCE, SSRF), reads the projected SA token at /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token, exchanges it for AWS STS credentials, calls AWS APIs. BLAST RADIUS: All AWS resources granted to the bound IAM role — S3 buckets, DynamoDB tables, KMS keys, other workloads in the same account. Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_iam_role\" \"app\" { name = \"eks-app-role\" assume_role_policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Principal = { Service = \"pods.eks.amazonaws.com\" } Action = [\"sts:AssumeRole\", \"sts:TagSession\"] }] }) } resource \"aws_eks_pod_identity_association\" \"app\" { cluster_name = aws_eks_cluster.hardened.name namespace = \"production\" service_account = \"app-sa\" role_arn = aws_iam_role.app.arn } # Install the Pod Identity agent add-on (EKS Standard only — EKS Auto manages this) resource \"aws_eks_addon\" \"pod_identity_agent\" { cluster_name = aws_eks_cluster.hardened.name addon_name = \"eks-pod-identity-agent\" }</code> Remediation — aws eks <code class=\"language-bash\">aws eks create-addon \\ --cluster-name hardened-cluster \\ --addon-name eks-pod-identity-agent aws eks create-pod-identity-association \\ --cluster-name hardened-cluster \\ --namespace production \\ --service-account app-sa \\ --role-arn 
arn:aws:iam::ACCOUNT:role/eks-app-role</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EKS Pod Identity association binding a Kubernetes service account to a least-priv IAM role. Parameters: ClusterName: Type: String Namespace: Type: String ServiceAccount: Type: String PodRoleArn: Type: String Resources: PodIdentityAssociation: Type: AWS::EKS::PodIdentityAssociation Properties: ClusterName: !Ref ClusterName Namespace: !Ref Namespace ServiceAccount: !Ref ServiceAccount RoleArn: !Ref PodRoleArn</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 aws-k8s-02 HIGH PREVENTIVE AWS EKS n/a (managed control plane) n/a (verify against CIS EKS Benchmark v1.8.0 PDF) IA-2; AC-6; IA-5 A.5.15; A.5.18 n/a NIST SP 800-190 §4.4.2 NSA/CISA Kubernetes Hardening Guide v1.2 §4 (IAM/RBAC) Log signals CloudTrail eks:CreatePodIdentityAssociation attaching a role whose attached policies include AdministratorAccess, iam:*, or any AWS-managed *FullAccess policy — the association binds that role to every pod matching the service-account selector, so over-privileged associations widen blast radius for any container compromise. EKS audit events where a service-account token request resolves a pod-identity role-arn that does not appear in the canonical pod-identity-association-allowlist.tsv maintained by the platform team. CloudTrail sts:AssumeRole for a pod-identity-bound role originating from a node-group ENI whose pod CIDR has not been registered for that role — points to either a mislabelled service account or token replay. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.clusterName, requestParameters.namespace, requestParameters.serviceAccount, requestParameters.roleArn, userIdentity.arn | filter eventSource = \"eks.amazonaws.com\" and eventName = \"CreatePodIdentityAssociation\" | parse requestParameters.roleArn /arn:aws:iam::(?<acct>\\d+):role\\/(?<role>.+)/ | filter role like /Admin/ or role like /FullAccess/ or role = \"OrganizationAccountAccessRole\" | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights regex extracts the role short-name from the ARN so the filter can pattern-match against an organisation-wide naming blocklist; couple this query with a daily diff of pod-identity-associations against the allow-list TSV. Alert threshold Any association attaching a role with iam:* in its policy graph — page immediately, even on lower environments, because the role's pod-execution surface is identical to a CI-runner with break-glass keys. An association whose namespace + serviceAccount tuple is not in the platform allow-list — high-priority ticket within one business hour for the cluster owner. Sustained association-create rate above the 30-day p99 baseline — informational; correlate with platform-team change tickets before escalating. Initial response Delete the offending association with aws eks delete-pod-identity-association --cluster-name {cluster} --association-id {id} and force pod restarts in the affected namespace so the token cache invalidates. Capture the IAM role's effective policy with aws iam simulate-principal-policy against a representative set of read/write actions and attach the simulator output to the incident record. If the role grants iam:* or sts:AssumeRole on broader principals, escalate per general/ir.html and audit CloudTrail for any sts:AssumeRole traffic from the association during the exposure window — those calls were authenticated against the over-privileged role. 
References AWS EKS — Pod Identity associations (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent controls in other providers: GKE Workload Identity Federation, AKS Workload Identity, OKE Workload Identity. aws-k8s-03 ! HIGH PREVENTIVE EKS Standard: Envelope encryption is configured at cluster create time and is immutable for the lifetime of the cluster — choose the KMS customer-managed CMK before creation. Enable automatic CMK rotation on the key. EKS Auto Mode: Same configuration model. The customer manages CMK lifecycle (rotation, revocation, grants); EKS uses the CMK to encrypt the Data Encryption Key that wraps Kubernetes Secrets in etcd. Enable envelope encryption for Kubernetes Secrets using a customer-managed KMS key (CMK). This adds a layer on top of AWS-managed at-rest encryption and gives the customer control over the key lifecycle. Without envelope encryption, AWS holds the encryption key for etcd; with envelope encryption, revoking the CMK (via KMS policy or key disable) makes Secrets unreadable cluster-wide. MITIGATES: Secrets exposure if AWS-managed encryption layer is compromised, or if an AWS-internal actor reads etcd snapshot data directly. ATTACK VECTOR: Cloud-provider-layer compromise or insider reads unencrypted etcd snapshot data; does not require Kubernetes API access. BLAST RADIUS: All Kubernetes Secrets — ServiceAccount tokens, TLS keys, database passwords, API keys stored as Secret objects. Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_kms_key\" \"eks_secrets\" { description = \"EKS envelope encryption CMK\" enable_key_rotation = true deletion_window_in_days = 30 } resource \"aws_kms_alias\" \"eks_secrets\" { name = \"alias/eks-secrets\" target_key_id = aws_kms_key.eks_secrets.key_id } resource \"aws_eks_cluster\" \"hardened\" { name = \"hardened-cluster\" # ... vpc_config, role_arn ... 
encryption_config { provider { key_arn = aws_kms_key.eks_secrets.arn } resources = [\"secrets\"] } }</code> Remediation — aws eks <code class=\"language-bash\">aws eks create-cluster \\ --name hardened-cluster \\ --role-arn arn:aws:iam::ACCOUNT:role/eks-cluster-role \\ --resources-vpc-config subnetIds=subnet-aaa,subnet-bbb,endpointPublicAccess=false,endpointPrivateAccess=true \\ --encryption-config '[{\"provider\":{\"keyArn\":\"arn:aws:kms:REGION:ACCOUNT:key/KEY-UUID\"},\"resources\":[\"secrets\"]}]'</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config managed rule asserting every EKS cluster uses KMS envelope encryption for secrets. Resources: EksSecretsEncryptedRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: eks-secrets-encrypted Source: Owner: AWS SourceIdentifier: EKS_SECRETS_ENCRYPTED Scope: ComplianceResourceTypes: - AWS::EKS::Cluster</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 aws-k8s-03 HIGH PREVENTIVE AWS EKS CIS Kubernetes Benchmark v1.11.0 §1.2 (etcd encryption) n/a (verify against CIS EKS Benchmark v1.8.0 PDF) SC-28; IA-5 A.8.24; A.8.10 n/a NIST SP 800-190 §4.3.2 NSA/CISA Kubernetes Hardening Guide v1.2 §5 (Secrets) Log signals CloudTrail kms:DisableKey or kms:ScheduleKeyDeletion on the CMK referenced by the cluster's encryptionConfig.provider.keyArn — secret material in etcd becomes unreadable as soon as the key is disabled, with cluster-wide blast radius. CloudTrail kms:PutKeyPolicy on the envelope CMK where the new policy removes the kms:Decrypt permission for the EKS service-linked principal eks.amazonaws.com or the cluster's IAM role. 
EKS audit log secrets.create or secrets.update requests that return a 500 status with body containing \"Internal error occurred: rpc error: code = Internal desc = failed to encrypt\" — the kube-apiserver KMS plugin is failing to reach the CMK. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.keyId, requestParameters.pendingWindowInDays, userIdentity.arn, sourceIPAddress, errorCode | filter eventSource = \"kms.amazonaws.com\" and eventName in [\"DisableKey\",\"ScheduleKeyDeletion\",\"PutKeyPolicy\"] | filter requestParameters.keyId in [\"alias/eks-envelope-prod\",\"alias/eks-envelope-stage\"] | sort @timestamp desc | limit 50</code> Maintain the CMK alias allow-list as a managed lookup so the CloudWatch Logs Insights filter does not drift; the alias name is the only stable handle because key-id rotation can occur during automated re-key flows. Alert threshold Any DisableKey on a production EKS envelope alias — page immediately and freeze any concurrent change-management work touching the cluster. ScheduleKeyDeletion with pendingWindowInDays < 30 on an envelope CMK — treat as confirmed sabotage attempt; the 30-day floor is the AWS-recommended grace window and any shorter value is a deliberate compress-the-blast-radius signal. PutKeyPolicy events on envelope CMKs — informational at create time but correlate against the prior policy hash; deviations that remove kms:Decrypt for the EKS principal are immediate-page. Initial response Re-enable the CMK with aws kms enable-key --key-id {alias} or cancel the pending deletion via aws kms cancel-key-deletion; if the policy was modified, restore from the IaC repository (Terraform state, not the live console) so policy drift is closed at the source of truth. 
Validate cluster-secret read-back with kubectl get secret -n kube-system aws-auth -o yaml | head (the legacy aws-auth ConfigMap is convenient as a known-present etcd object even though the access-entry API is the non-deprecated control-plane path) — a working decrypt confirms the encryption path recovered; an EOF or 500 means etcd entries remain unreadable and a restore-from-backup may be required. Open an incident via general/ir.html and pivot CloudTrail to enumerate every principal that called kms:Decrypt on the envelope CMK over the prior 24 hours to bound the read-side exposure. References AWS EKS — enable envelope encryption for cluster secrets (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent controls in other providers: GKE Cloud KMS secrets encryption, AKS KMS etcd encryption, OKE Vault CMK secrets encryption. aws-k8s-04 ! HIGH DETECTIVE EKS Standard: All five control-plane log types are off by default. Enable all five explicitly — api, audit, authenticator, controllerManager, scheduler — to CloudWatch Logs. Without the audit log, lateral movement via kubectl exec is invisible. EKS Auto Mode: Same five log types apply. Enable them in the cluster spec; EKS Auto delivers them to CloudWatch with the same retention and IAM controls. Enable EKS control-plane logging (five log types) to CloudWatch Logs. The audit log is the most critical — it records every kube-apiserver request including the calling identity, verb, resource, and response code. CloudWatch Container Insights complements this with worker-node and pod-level telemetry and can be enabled as a Container Insights monitoring add-on. MITIGATES: Undetected lateral movement — attackers using stolen ServiceAccount tokens or compromised pod identities leave no forensic trail without the audit log. ATTACK VECTOR: Attacker uses a stolen SA token to run kubectl exec, kubectl get secrets, or modify RBAC; with audit logs disabled, the activity is invisible to defenders. 
BLAST RADIUS: Total loss of forensic capability — incidents cannot be reconstructed, attacker dwell time is unbounded. Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_eks_cluster\" \"hardened\" { name = \"hardened-cluster\" # ... role_arn, vpc_config ... enabled_cluster_log_types = [ \"api\", \"audit\", \"authenticator\", \"controllerManager\", \"scheduler\" ] } resource \"aws_cloudwatch_log_group\" \"eks\" { name = \"/aws/eks/hardened-cluster/cluster\" retention_in_days = 365 kms_key_id = aws_kms_key.logs.arn }</code> Remediation — aws eks <code class=\"language-bash\">aws eks update-cluster-config \\ --name hardened-cluster \\ --logging '{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}'</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: CloudWatch Logs metric filter alarming on EKS audit log access-denied spikes. 
Parameters: AuditLogGroupName: Type: String AlarmTopicArn: Type: String Resources: AccessDeniedMetricFilter: Type: AWS::Logs::MetricFilter Properties: LogGroupName: !Ref AuditLogGroupName FilterPattern: '{ $.responseStatus.code = 403 }' MetricTransformations: - MetricName: EksAuditAccessDenied MetricNamespace: Security/EKS MetricValue: '1' AccessDeniedAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmName: eks-audit-access-denied-spike MetricName: EksAuditAccessDenied Namespace: Security/EKS Statistic: Sum Period: 300 EvaluationPeriods: 1 Threshold: 20 ComparisonOperator: GreaterThanThreshold AlarmActions: - !Ref AlarmTopicArn</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 aws-k8s-04 HIGH DETECTIVE AWS EKS CIS Kubernetes Benchmark v1.11.0 §1.2.22 (audit policy) n/a (verify against CIS EKS Benchmark v1.8.0 PDF) AU-2; AU-12; SI-4 A.8.15; A.8.16 CLD.12.4.5 NIST SP 800-190 §4.4.3 NSA/CISA Kubernetes Hardening Guide v1.2 §6 (Audit logging) Log signals CloudTrail eks:UpdateClusterConfig where requestParameters.logging.clusterLogging contains any entry with enabled=false for api, audit, authenticator, controllerManager, or scheduler — turning off any of the five log streams is the most common precursor to evading detection in a subsequent breach. Absence-of-signal: the /aws/eks/{cluster}/cluster log group ingest rate (per-minute bytes) drops to zero or below 1% of the trailing 7-day baseline while the cluster's CloudWatch ContainerInsights metrics still report active workloads — indicates the audit pipeline is silently broken even if the configuration claims it is enabled. CloudTrail logs:DeleteLogGroup targeting /aws/eks/{cluster}/cluster — destroys the audit trail itself rather than disabling the source. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.name, requestParameters.logging.clusterLogging, userIdentity.arn, sourceIPAddress | filter eventSource = \"eks.amazonaws.com\" and eventName = \"UpdateClusterConfig\" | filter requestParameters.logging.clusterLogging.0.enabled = false or requestParameters.logging.clusterLogging.1.enabled = false | sort @timestamp desc | limit 100</code> Pair the CloudWatch Logs Insights query with a CloudWatch metric alarm on IncomingBytes for the cluster log group with a static threshold at 10% of the 7-day rolling mean — the absence-of-signal alarm fires when an operator masks the disable by sending traffic elsewhere. Alert threshold Any disable of the audit stream — page immediately; the audit log is the primary forensic source and disabling it is treated identically to disabling CloudTrail at the org level. Disable of api, authenticator, controllerManager, or scheduler — high-priority ticket per stream and per cluster within 30 minutes. Log-group ingest below 10% of 7-day baseline for two consecutive 5-minute windows — informational at first instance, escalate to page on the third consecutive trip. Initial response Re-enable every log stream with aws eks update-cluster-config --name {cluster} --logging '{\"clusterLogging\":[{\"types\":[\"api\",\"audit\",\"authenticator\",\"controllerManager\",\"scheduler\"],\"enabled\":true}]}' and confirm the change committed by reading back describe-cluster. Cross-reference the disable timestamp against EKS audit-log entries surviving in the pre-disable window for any verb-create activity on RBAC, secrets, or workload resources — anything between the disable and re-enable is a forensic gap that must be reconstructed from node-level logs. Open an incident per general/ir.html; preserve the prior log-group's retention setting, and if DeleteLogGroup was the disable vector, restore the deleted group from any cross-account log-archive sink before re-enabling. 
References AWS EKS — control-plane log types and enabling (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent controls in other providers: GKE Cloud Audit Logs, AKS control-plane audit logs (diagnostic settings), OKE OCI Audit Logging. aws-k8s-05 ! HIGH PREVENTIVE EKS Standard: Managed node groups inherit IMDS settings from the launch template — set http_tokens = \"required\" and http_put_response_hop_limit = 1. Pods using EKS Pod Identity do not need IMDS access at all; the agent uses a Unix socket. EKS Auto Mode: IMDSv2 enforcement and hop-limit 1 are the default; verify with aws ec2 describe-instances --instance-ids i-... --query 'Reservations[].Instances[].MetadataOptions'. Enforce IMDSv2 (http_tokens=required) and a hop-limit of 1 on all worker nodes. Hop-limit 1 prevents containerized workloads from reaching the IMDS endpoint at 169.254.169.254, which would otherwise grant the container the same node IAM role permissions as the host. The worker-node IAM role itself must be least-privilege (the AWS-managed AmazonEKSWorkerNodePolicy + AmazonEC2ContainerRegistryReadOnly + AmazonEKS_CNI_Policy attachments only — no application-level IAM grants). MITIGATES: Container-to-IMDS lateral movement — a compromised pod escapes to node-level IAM permissions by calling the IMDS endpoint. ATTACK VECTOR: Attacker exploits a pod (SSRF, RCE), reaches http://169.254.169.254/latest/meta-data/iam/security-credentials/, retrieves node-role STS credentials, calls AWS APIs as the node role. BLAST RADIUS: All AWS resources granted to the worker-node IAM role — typically ECR pull, CloudWatch Logs PutLogEvents, and any custom grants attached by mistake. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_launch_template\" \"nodes\" { name_prefix = \"eks-nodes-\" image_id = data.aws_ssm_parameter.bottlerocket_ami.value instance_type = \"m6i.large\" metadata_options { http_endpoint = \"enabled\" http_tokens = \"required\" # IMDSv2 only http_put_response_hop_limit = 1 # block from inside containers instance_metadata_tags = \"disabled\" } } resource \"aws_eks_node_group\" \"main\" { cluster_name = aws_eks_cluster.hardened.name node_group_name = \"bottlerocket-ng\" node_role_arn = aws_iam_role.node.arn subnet_ids = var.private_subnet_ids launch_template { id = aws_launch_template.nodes.id version = aws_launch_template.nodes.latest_version } scaling_config { desired_size = 3; min_size = 3; max_size = 6 } }</code> Remediation — aws ec2 <code class=\"language-bash\"># Enforce on a running instance (CI/diagnostic use; prefer launch-template config) aws ec2 modify-instance-metadata-options \\ --instance-id i-0abc123 \\ --http-tokens required \\ --http-put-response-hop-limit 1 \\ --http-endpoint enabled</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EC2 launch template forcing IMDSv2 + hop-limit 1 for EKS managed node group instances. 
Resources: NodeLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: eks-node-imdsv2 LaunchTemplateData: MetadataOptions: HttpEndpoint: enabled HttpTokens: required HttpPutResponseHopLimit: 1 InstanceMetadataTags: enabled</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 aws-k8s-05 HIGH PREVENTIVE AWS EKS CIS Kubernetes Benchmark v1.11.0 §4.2 (kubelet/node config) n/a (verify against CIS EKS Benchmark v1.8.0 PDF) AC-3; AC-6; SC-7 A.8.20; A.5.15 CLD.9.5.2 NIST SP 800-190 §4.4.4 NSA/CISA Kubernetes Hardening Guide v1.2 §4 (Worker node hardening) Log signals CloudTrail ec2:ModifyInstanceMetadataOptions on instances whose resourceArn matches the cluster's node-group launch-template, with requestParameters.httpTokens set to optional or httpEndpoint set to enabled alongside httpPutResponseHopLimit > 1 — the IMDSv1 fallback opens the SSRF pivot from compromised pods to node IAM credentials. EKS audit-log requests where a pod accesses metadata addresses indirectly via a side-car proxy that returns IMDSv1 responses — usually paired with a service-account that lacks pod-identity, indicating workloads still rely on node-role credentials. VPC Flow Logs egress to 169.254.169.254/32 from pod CIDR ranges with action=ACCEPT while the corresponding security group is expected to deny — confirms the metadata path is reachable from the pod network namespace. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.instanceId, requestParameters.httpTokens, requestParameters.httpPutResponseHopLimit, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName = \"ModifyInstanceMetadataOptions\" | filter requestParameters.httpTokens = \"optional\" or requestParameters.httpPutResponseHopLimit > 1 | sort @timestamp desc | limit 100</code> Join the CloudWatch Logs Insights output against the node-group's instance-id set by tag eks:nodegroup-name; instances outside the node-group should be filtered out so the alert focuses on EKS-managed compute exclusively. Alert threshold Any httpTokens=optional on a production node-group instance — page immediately; the IMDSv1 fallback re-opens the pod-to-node credential bridge that this control specifically closes. httpPutResponseHopLimit set above 1 — high-priority ticket; hop-limit 2 is the canonical signal that pods (which are one network hop further) should reach the metadata service. More than 10 pod-CIDR-sourced flows to 169.254.169.254 within an hour while IMDSv2 is enforced — informational; usually indicates a workload still calling IMDS via a hard-coded SDK path that should be migrated to pod-identity. Initial response Re-enforce IMDSv2 on the offending node with aws ec2 modify-instance-metadata-options --instance-id {id} --http-tokens required --http-put-response-hop-limit 1 and re-bake the node-group launch-template so the next scale-up inherits the hardened defaults. Use VPC Flow Logs to enumerate every pod-CIDR connection that hit the metadata IP during the relaxation window; cross-reference the source pod identities against pod-identity association coverage to identify workloads still on the legacy path. 
Open an incident per general/ir.html if any unattributed traffic appears, rotate the node IAM role's session credentials, and review sts:AssumeRole CloudTrail for the node role during the exposure window to find any pod-originated token use. References AWS EC2 — configuring instance metadata service v2 (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent controls in other providers: GKE legacy metadata + ABAC disable, AKS IMDS NetworkPolicy block, OCI IAM least-privilege cluster access. aws-k8s-06 ! HIGH PREVENTIVE EKS Standard: Configure authentication_mode = \"API\" (Cluster Access Management API only) at cluster creation; use aws_eks_access_entry to map IAM principals to Kubernetes groups. A dedicated security group on worker nodes restricts ingress to the cluster security group only. EKS Auto Mode: The same access model applies; node security groups are managed by EKS Auto with a least-privilege baseline. This control bundles two access-control concerns: (a) Cluster Access Management API access entries — the modern primary mechanism for mapping AWS IAM identities to Kubernetes RBAC — and (b) security-group segmentation between the EKS-managed control plane and worker nodes. The aws-auth ConfigMap is deprecated as the primary EKS access mechanism — new clusters MUST use Cluster Access Management API access entries via aws eks create-access-entry. The legacy aws-auth path remains supported for backward compatibility only, and the aws-auth ConfigMap is invisible to access-entry tooling. MITIGATES: (a) Over-broad cluster-admin grants from copy-paste aws-auth ConfigMap entries (legacy/deprecated path); (b) east-west lateral movement at the security-group layer between worker nodes. ATTACK VECTOR: Attacker assumes an IAM role that was carelessly mapped to system:masters in the deprecated aws-auth ConfigMap, or pivots between worker nodes on the same flat SG. 
BLAST RADIUS: Full cluster-admin via misconfigured legacy ConfigMap, or arbitrary east-west traffic between worker nodes. Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 resource \"aws_eks_cluster\" \"hardened\" { name = \"hardened-cluster\" # ... role_arn, vpc_config ... access_config { authentication_mode = \"API\" # NOT \"API_AND_CONFIG_MAP\" bootstrap_cluster_creator_admin_permissions = false } } resource \"aws_eks_access_entry\" \"admin\" { cluster_name = aws_eks_cluster.hardened.name principal_arn = aws_iam_role.cluster_admin.arn type = \"STANDARD\" } resource \"aws_eks_access_policy_association\" \"admin\" { cluster_name = aws_eks_cluster.hardened.name principal_arn = aws_iam_role.cluster_admin.arn policy_arn = \"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy\" access_scope { type = \"cluster\" } } resource \"aws_security_group\" \"nodes\" { name = \"eks-nodes-sg\" description = \"EKS worker node SG\" vpc_id = var.vpc_id } resource \"aws_security_group_rule\" \"nodes_from_cluster\" { type = \"ingress\" from_port = 0 to_port = 65535 protocol = \"tcp\" security_group_id = aws_security_group.nodes.id source_security_group_id = aws_eks_cluster.hardened.vpc_config[0].cluster_security_group_id }</code> Remediation — aws eks <code class=\"language-bash\">aws eks create-access-entry \\ --cluster-name hardened-cluster \\ --principal-arn arn:aws:iam::ACCOUNT:role/ClusterAdmin \\ --type STANDARD aws eks associate-access-policy \\ --cluster-name hardened-cluster \\ --principal-arn arn:aws:iam::ACCOUNT:role/ClusterAdmin \\ --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \\ --access-scope type=cluster</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EKS node security group permitting only cluster-SG ingress on the kubelet port range. 
Parameters: VpcId: Type: AWS::EC2::VPC::Id ClusterSecurityGroupId: Type: AWS::EC2::SecurityGroup::Id Resources: NodeSg: Type: AWS::EC2::SecurityGroup Properties: GroupName: eks-"},{"id":"aws/logging.html","url":"aws/logging.html","title":"AWS Logging & Detection Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Logging & Detection","description":"AWS logging & detection: CloudTrail org trail with Object Lock, S3 data events, AWS Config, GuardDuty, Security Hub, VPC Flow Logs, CloudWatch alarms, CloudTrail Lake.","body":"AWS Logging & Detection Hardening Overview This page covers Amazon Web Services logging and detection across the surfaces that decide whether an attacker who lands in the environment can move undetected. Scope is the AWS commercial regions; AWS GovCloud (US) and the China regions inherit the same controls but expose different region endpoints, different CloudTrail home regions, and different partitions — re-verify the regional table before applying any of the IaC below to a non-commercial partition. CIS sub-IDs and NIST / ISO mappings throughout this page reference the AWS commercial benchmark unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The AWS detective stack is the product of six layered services that each answer a different question. AWS CloudTrail answers who called which API at what time — the audit log of every management-plane and (when configured) data-plane call across the account. AWS Config answers what does the resource look like right now and how has it changed — a resource-state inventory plus configuration-history timeline. Amazon GuardDuty answers does this look like an attack — managed threat detection that correlates CloudTrail, VPC Flow Logs, DNS query logs, EKS audit logs, and Malware Protection findings against AWS's threat-intelligence feeds. 
AWS Security Hub answers what is broken across our entire estate against an external standard — a finding aggregator that ingests GuardDuty, Inspector, Macie, IAM Access Analyzer, and Config rules and benchmarks them against CIS, AWS Foundational Security Best Practices (FSBP), and PCI DSS. VPC Flow Logs answer what packets moved between which ENIs — a network-layer record that fills the gap CloudTrail leaves between API calls. Amazon CloudWatch answers did the metric we care about just cross a threshold — the metric-and-alarm layer that closes the loop from log to page. These six together provide the full record; cross-link the cross-cutting principles at General Logging — log integrity (immutable audit), centralization, and SIEM & detection engineering. Order matters. Controls 01–02 build the audit log of last resort: one org-wide CloudTrail with all six toggles (multi-region, organization-trail, log-file-validation, KMS-encrypted, S3 Object Lock Compliance mode, management plus S3 plus Lambda data events) so the canonical \"who did what\" record survives both attacker tampering and accidental deletion. Control 03 enables Config across every region of every account so resource-state history is captured continuously. Control 04 turns on GuardDuty as the managed threat-detection engine. Control 05 layers Security Hub on top to aggregate findings and benchmark them against external standards. Control 06 covers VPC Flow Logs for the network-layer record that CloudTrail does not produce. Control 07 puts CloudWatch alarms on the canonical \"things-went-wrong\" signals so detection actually pages a human. Control 08 ships CloudTrail Lake as the forensic SQL store — paired with aws-ir-04 on the IR page, which walks the forensic query workflow that consumes this store. Pairing note: the GuardDuty → Security Hub → EventBridge pipeline is the operational backbone of detection-and-response. 
GuardDuty findings flow into Security Hub via the built-in integration; Security Hub findings (and CRITICAL GuardDuty findings directly) drive EventBridge rules that trigger automated containment as aws-ir-02 on the IR page. Treat this page (which establishes the signal sources) and the IR page (which acts on them) as a single design pair. aws-log-01-cloudtrail-org-trail ! CRITICAL DETECTIVE Run exactly one organization-wide AWS CloudTrail with all six hardening toggles simultaneously enabled: (1) multi-region so every region's API activity is captured even in regions the organisation does not consciously use; (2) organization-trail so every member account in the AWS Organization is recorded under a single trail definition the member cannot disable; (3) log-file-validation so each delivered log file carries an HMAC-signed digest CloudTrail can verify offline; (4) KMS-encrypted with a customer-managed CMK so log access requires both S3 read and KMS Decrypt; (5) S3 Object Lock in Compliance mode on the destination bucket with at least a one-year retention so an attacker (or a panicked engineer) cannot delete or overwrite log objects even with root credentials; (6) event selectors covering management events plus S3 data events plus Lambda data events so the trail records the data-plane calls that management events alone miss (AWS CloudTrail User Guide — creating a trail (accessed 2026-05)). Missing any of these six is the canonical CloudTrail misconfiguration; the IaC below shows them as a single coherent unit. This is the audit log of last resort — without it, incident response is reconstructing intent from secondary signals. MITIGATES: Loss or tampering of the canonical AWS audit record during or after compromise; gaps in regional coverage that let an attacker operate in an unused region undetected; deletion of evidence by an attacker who reached root or by an insider attempting to cover an action. 
ATTACK VECTOR: An attacker who has obtained AdministratorAccess (or root) credentials runs aws cloudtrail stop-logging and aws s3 rm --recursive against the log bucket — or simply pivots to us-west-1 because the org's trail is single-region. With organization-trail enabled, only the management account can stop logging (and that action itself is logged to the trail). With S3 Object Lock in Compliance mode, the bucket's existing log objects cannot be deleted before their retention expires — even by the bucket owner, even by root. With multi-region, regional pivots produce log entries. With log-file-validation, any post-delivery tampering is detectable. BLAST RADIUS: Whole-Organization: a single misconfigured trail leaves every account blind. A correctly configured trail with all six toggles caps the blast radius of \"evidence destruction\" to \"must wait Object Lock retention period\" — typically longer than any organisation's tolerance for an active intruder. Remediation — AWS CLI <code class=\"language-bash\"># Pre-step: create the KMS CMK for trail encryption (separate region per partition). aws kms create-key \\ --description \"CloudTrail org trail encryption CMK\" \\ --key-usage ENCRYPT_DECRYPT # Create the org trail with all six hardening toggles in one call. aws cloudtrail create-trail \\ --name org-audit-trail \\ --s3-bucket-name org-cloudtrail-logs-111122223333 \\ --is-multi-region-trail \\ --is-organization-trail \\ --enable-log-file-validation \\ --kms-key-id arn:aws:kms:eu-west-1:111122223333:key/<cmk-id> # Event selectors: management + S3 data + Lambda data events. 
aws cloudtrail put-event-selectors \\ --trail-name org-audit-trail \\ --advanced-event-selectors '[ {\"Name\":\"Management events\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Management\"]}]}, {\"Name\":\"All S3 data events\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Data\"]}, {\"Field\":\"resources.type\",\"Equals\":[\"AWS::S3::Object\"]}]}, {\"Name\":\"All Lambda data events\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Data\"]}, {\"Field\":\"resources.type\",\"Equals\":[\"AWS::Lambda::Function\"]}]} ]' # Start logging. aws cloudtrail start-logging --name org-audit-trail</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # Destination bucket: Object Lock Compliance mode, 365-day retention. resource \"aws_s3_bucket\" \"trail\" { bucket = \"org-cloudtrail-logs-${var.payer_account_id}\" object_lock_enabled = true } resource \"aws_s3_bucket_object_lock_configuration\" \"trail\" { bucket = aws_s3_bucket.trail.id rule { default_retention { mode = \"COMPLIANCE\" days = 365 } } } resource \"aws_s3_bucket_server_side_encryption_configuration\" \"trail\" { bucket = aws_s3_bucket.trail.id rule { apply_server_side_encryption_by_default { sse_algorithm = \"aws:kms\" kms_master_key_id = aws_kms_key.trail.arn } } } resource \"aws_kms_key\" \"trail\" { description = \"CloudTrail org trail CMK\" enable_key_rotation = true deletion_window_in_days = 30 } resource \"aws_cloudtrail\" \"org\" { name = \"org-audit-trail\" s3_bucket_name = aws_s3_bucket.trail.id is_multi_region_trail = true is_organization_trail = true enable_log_file_validation = true kms_key_id = aws_kms_key.trail.arn include_global_service_events = true advanced_event_selector { name = \"Management events\" field_selector { field = \"eventCategory\" equals = [\"Management\"] } } advanced_event_selector { name = \"All S3 data events\" field_selector { field = \"eventCategory\" 
equals = [\"Data\"] } field_selector { field = \"resources.type\" equals = [\"AWS::S3::Object\"] } } advanced_event_selector { name = \"All Lambda data events\" field_selector { field = \"eventCategory\" equals = [\"Data\"] } field_selector { field = \"resources.type\" equals = [\"AWS::Lambda::Function\"] } } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Organization-wide CloudTrail multi-region trail with log-file validation and KMS-encrypted destination. Parameters: TrailBucketName: Type: String TrailKmsKeyArn: Type: String Resources: OrgTrail: Type: AWS::CloudTrail::Trail Properties: TrailName: org-management-events S3BucketName: !Ref TrailBucketName IsLogging: true IsMultiRegionTrail: true IsOrganizationTrail: true EnableLogFileValidation: true IncludeGlobalServiceEvents: true KMSKeyId: !Ref TrailKmsKeyArn</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_cloudtrail as ct, aws_s3 as s3, aws_kms as kms } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface OrgTrailProps extends cdk.StackProps { trailBucketName: string; trailKmsKeyArn: string; } export class OrgTrailStack extends cdk.Stack { constructor(scope: Construct, id: string, props: OrgTrailProps) { super(scope, id, props); const bucket = s3.Bucket.fromBucketName(this, 'TrailBucket', props.trailBucketName); const key = kms.Key.fromKeyArn(this, 'TrailKey', props.trailKmsKeyArn); new ct.Trail(this, 'OrgTrail', { trailName: 'org-management-events', bucket, encryptionKey: key, isMultiRegionTrail: true, isOrganizationTrail: true, enableFileValidation: true, includeGlobalServiceEvents: true, }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 3.1; 3.2; 3.4; 3.55.1; 5.22.1; 2.23.1; 3.2 
AU-2; AU-3; AU-6; AU-9A.8.15; A.5.28CLD.12.4.5 Log signals CloudTrail cloudtrail:StopLogging on the organisation trail's ARN — the most direct evasion path; once stopped, subsequent API activity does not land in the org sink for the duration the trail remains stopped. CloudTrail cloudtrail:UpdateTrail where requestParameters.isMultiRegionTrail flips to false, or where requestParameters.isOrganizationTrail changes from true to false — silently narrows the trail's scope without stopping it. CloudTrail cloudtrail:DeleteTrail targeting the org-trail name; correlate with concurrent iam:CreateRole or sts:AssumeRole events in the same management-account session as an attacker preparing follow-on activity. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.name, requestParameters.isMultiRegionTrail, requestParameters.isOrganizationTrail, userIdentity.arn, sourceIPAddress, errorCode | filter eventSource = \"cloudtrail.amazonaws.com\" and eventName in [\"StopLogging\",\"UpdateTrail\",\"DeleteTrail\"] | filter requestParameters.name = \"org-management-trail\" or requestParameters.name like /-org-trail$/ | sort @timestamp desc | limit 50</code> Pin the CloudWatch Logs Insights filter to the canonical trail name(s) maintained in the management-account IaC; trail names are durable identifiers and a name mismatch is itself a signal that an unexpected trail-management call landed. Alert threshold Any StopLogging on the org trail — page immediately and treat as a confirmed evasion attempt; the steady-state rate of legitimate stops is zero. UpdateTrail flipping isMultiRegionTrail or isOrganizationTrail to false — page within five minutes; the scope contraction is the equivalent of stopping for the affected regions/accounts. 
DeleteTrail — page immediately and trigger automatic re-creation from the management-account Terraform state, then audit every CloudTrail event in the trail's S3 bucket for the prior 24 hours before the delete to bound the forensic window. Initial response Re-start the trail with aws cloudtrail start-logging --name {trail-arn} from the management account; if deleted, run the Terraform apply that re-creates the org trail rather than recreating manually so configuration drift closes at the source. Pull the CloudTrail Lake (aws-log-08-cloudtrail-lake) event-data-store covering the same window and reconcile gap-of-coverage against the now-restored trail — Lake retention is independent of the live trail and is the canonical forensic source during evasion windows. Open an incident per general/ir.html and rotate any IAM credentials whose principal performed the trail mutation; the act of touching the trail strongly implies the principal expects to do something next they do not want logged. References AWS CloudTrail — organisation trails (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-log-02-cloudtrail-s3-data-events ! HIGH DETECTIVE Enable CloudTrail data events on every S3 bucket that holds sensitive content (PII, regulated data, audit logs themselves, secrets backups) and on every customer-facing or privilege-elevated Lambda function. Management events alone record bucket-level calls — CreateBucket, PutBucketPolicy, DeleteBucket — but they do not record GetObject or PutObject against bucket contents. Without data events, an attacker who lifts an IAM role with s3:GetObject on a sensitive bucket can exfiltrate every object without leaving any CloudTrail entry that names the objects accessed (AWS CloudTrail User Guide — logging data events (accessed 2026-05)). 
The same gap exists for Lambda: management events log CreateFunction and UpdateFunctionCode, but not the per-invocation record of which principal invoked the function with which payload. Note: data events are billed per event delivered, so blanket enablement across petabyte-scale data lakes can be cost-prohibitive — scope event selectors to the buckets where the audit-trail value justifies the cost (PII buckets, audit-log buckets, secrets-manager backup buckets, anywhere a single unauthorized read is a security incident). MITIGATES: Silent data exfiltration via S3 GetObject by a compromised role; silent Lambda invocation by an attacker chaining IAM privileges; the post-incident \"we cannot tell which objects were read\" gap that turns a credential compromise into a worst-case data-breach assumption. ATTACK VECTOR: An attacker compromises a CI/CD role with s3:GetObject on the customer-data bucket and downloads the full dataset over a weekend. Without data events, the only CloudTrail record is the AssumeRole call — incident response cannot prove which objects (or how many) were read, and the organisation must notify customers based on the worst-case assumption. With S3 data events on the bucket, every GetObject is logged with the object key, the source IP, the user agent, and the assumed-role session — incident response can produce an exact list. BLAST RADIUS: Per bucket / per function selected: data-event coverage matches the scope of the event selector. Sensitive buckets explicitly listed; petabyte data-lakes deliberately excluded to manage cost. Remediation — AWS CLI <code class=\"language-bash\"># Add S3 data events on the PII bucket and Lambda data events on customer-facing fns. 
aws cloudtrail put-event-selectors \\ --trail-name org-audit-trail \\ --advanced-event-selectors '[ {\"Name\":\"Management\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Management\"]}]}, {\"Name\":\"S3 sensitive bucket data events\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Data\"]}, {\"Field\":\"resources.type\",\"Equals\":[\"AWS::S3::Object\"]}, {\"Field\":\"resources.ARN\",\"StartsWith\":[ \"arn:aws:s3:::pii-prod-eu-west-1/\", \"arn:aws:s3:::audit-archive-eu-west-1/\"]}]}, {\"Name\":\"Lambda customer-facing data events\",\"FieldSelectors\":[ {\"Field\":\"eventCategory\",\"Equals\":[\"Data\"]}, {\"Field\":\"resources.type\",\"Equals\":[\"AWS::Lambda::Function\"]}, {\"Field\":\"resources.ARN\",\"StartsWith\":[ \"arn:aws:lambda:eu-west-1:111122223333:function:public-api-\"]}]} ]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # Scoped data events as a second trail (keeps the org trail's blanket selector # unaffected while letting per-bucket selectors evolve independently). 
resource \"aws_cloudtrail\" \"sensitive_data_events\" { name = \"sensitive-data-events\" s3_bucket_name = aws_s3_bucket.trail.id is_multi_region_trail = true enable_log_file_validation = true kms_key_id = aws_kms_key.trail.arn event_selector { read_write_type = \"All\" include_management_events = false data_resource { type = \"AWS::S3::Object\" values = [ \"arn:aws:s3:::pii-prod-eu-west-1/\", \"arn:aws:s3:::audit-archive-eu-west-1/\", ] } } event_selector { read_write_type = \"All\" include_management_events = false data_resource { type = \"AWS::Lambda::Function\" values = [ \"arn:aws:lambda:eu-west-1:111122223333:function:public-api-checkout\", \"arn:aws:lambda:eu-west-1:111122223333:function:public-api-auth\", ] } } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: CloudTrail trail capturing S3 object-level data events on sensitive buckets. Parameters: TrailBucketName: Type: String SensitiveBucketArn: Type: String Resources: S3DataEventsTrail: Type: AWS::CloudTrail::Trail Properties: TrailName: s3-data-events S3BucketName: !Ref TrailBucketName IsLogging: true IsMultiRegionTrail: true AdvancedEventSelectors: - Name: S3 object-level reads/writes FieldSelectors: - Field: eventCategory Equals: [Data] - Field: resources.type Equals: [AWS::S3::Object] - Field: resources.ARN StartsWith: [!Ref SensitiveBucketArn]</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 3.x (verify)5.x (verify)2.x (verify)3.x (verify) AU-2; AU-12A.8.15CLD.12.4.5 Log signals CloudTrail PutEventSelectors events removing S3 data-event selectors — drops object-level visibility on previously-monitored buckets without touching the management-event trail itself; the most common silent regression. 
PutEventSelectors where the dataResources.values array no longer includes the canonical arn:aws:s3:::*/ prefix or a documented per-bucket list — narrows coverage to a subset and lets the operator quietly exclude buckets they expect to access. Absence-of-signal: the S3 data-event ingestion volume (per-bucket per-day object-level events) drops to zero on a bucket that historically receives traffic, with no corresponding drop in S3 server-access-log records for that bucket. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.trailName, requestParameters.eventSelectors, requestParameters.advancedEventSelectors, userIdentity.arn | filter eventSource = \"cloudtrail.amazonaws.com\" and eventName = \"PutEventSelectors\" | filter requestParameters.trailName like /-org-trail$/ or requestParameters.trailName like /-data-events-trail$/ | sort @timestamp desc | limit 50</code> Pair the CloudWatch Logs Insights query with a daily diff job that captures the current GetEventSelectors output and compares against the previous day's snapshot; the diff is the most reliable signal because PutEventSelectors overwrites the entire selector list and the CloudTrail event payload reflects the post-state only. Alert threshold Any PutEventSelectors on the data-events trail that reduces the resource-ARN coverage — page immediately; the reduction is the policy change and warrants reverting to the prior selectors via IaC. A new selector with readWriteType=WriteOnly introduced on a bucket previously monitored as All — high-priority ticket; the read-side is the canonical exfiltration signal and dropping it is a frequent evasion pattern. Per-bucket S3 data-event ingestion rate falling below 5% of the 7-day baseline while S3 server-access logs remain steady — informational; promote to incident if the divergence persists for two consecutive 1-hour windows. 
Initial response Restore selectors from the IaC repository with aws cloudtrail put-event-selectors --trail-name {arn} --event-selectors file://canonical-selectors.json; confirm via get-event-selectors read-back before closing the ticket. Use CloudTrail Lake to reconstruct the S3 data-event view for the affected bucket over the coverage-gap window — Lake captures data events independently of the live trail's selectors if the Lake event-data-store was configured for them. Open an incident via general/ir.html if the gap aligns with any S3 server-access-log entries showing GetObject from non-corporate CIDRs; treat each such object as a candidate exfiltration target and notify data-owners per the bucket's classification tag. References AWS CloudTrail — logging data events for S3 (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-log-03-config-org-enabled ! HIGH DETECTIVE Enable AWS Config in every region of every account in the organization, with both a Configuration Recorder (capturing every supported resource type) and a Delivery Channel (shipping snapshots and configuration-history items to a central S3 bucket), and apply a Conformance Pack of detective rules that benchmark resource state against the organisation's policy (AWS Config Developer Guide — conformance packs (accessed 2026-05)). Config answers a question CloudTrail cannot: what does this resource look like right now, and how has it changed. CloudTrail records the API calls; Config records the resulting resource state and runs continuous evaluation against rules. The two are complementary — CloudTrail is the timeline of intent, Config is the timeline of result. The conformance-pack approach is the AWS-recommended pattern for declaring \"these N rules must evaluate non-compliant resources to NON_COMPLIANT and create a finding\"; it ships as a single YAML document so the policy set is version-controlled in the same repo as the rest of the landing-zone. 
Without Config the organisation has no resource-state inventory, no continuous-compliance signal, and no input for the resource-change correlations that GuardDuty (aws-log-04) and Security Hub (aws-log-05) consume. MITIGATES: Slow-drift misconfiguration (an SG opened \"temporarily\" months ago and forgotten); silent infrastructure changes by an attacker who avoids the high-noise API surface (e.g. adding a new IAM access key under an existing role); inability to answer \"what state was the resource in on date X\" during a forensic investigation. ATTACK VECTOR: An attacker creates an additional IAM access key on a service-role-like user that already exists, and uses the key for persistence. CloudTrail records the CreateAccessKey call but the call may be lost in API noise; Config records the changed resource state and evaluates the new key against the conformance pack's \"iam-user-no-policies-check\" or \"access-keys-rotated\" rule, surfacing the change in the Config dashboard and (via Security Hub aggregation) in the central console. BLAST RADIUS: Per region per account: missing Config in any region means resource-state changes in that region are invisible. The conformance-pack approach guarantees the same rule-set evaluates in every region, eliminating the \"rules diverged\" failure mode of per-account scripts. Remediation — AWS CLI <code class=\"language-bash\"># Enable the recorder (capture every supported resource type and global resources). aws configservice put-configuration-recorder --configuration-recorder '{ \"name\":\"default\", \"roleARN\":\"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig\", \"recordingGroup\":{ \"allSupported\":true, \"includeGlobalResourceTypes\":true}}' # Delivery channel: ship to the central S3 bucket. 
aws configservice put-delivery-channel --delivery-channel '{ \"name\":\"default\", \"s3BucketName\":\"org-config-history-111122223333\", \"configSnapshotDeliveryProperties\":{\"deliveryFrequency\":\"One_Hour\"}}' # Start recording. aws configservice start-configuration-recorder --configuration-recorder-name default # Deploy a conformance pack across the organization. aws configservice put-organization-conformance-pack \\ --organization-conformance-pack-name org-security-baseline \\ --template-s3-uri s3://org-config-packs/security-baseline.yaml</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_config_configuration_recorder\" \"this\" { name = \"default\" role_arn = aws_iam_role.config.arn recording_group { all_supported = true include_global_resource_types = true } } resource \"aws_config_delivery_channel\" \"this\" { name = \"default\" s3_bucket_name = aws_s3_bucket.config.id snapshot_delivery_properties { delivery_frequency = \"One_Hour\" } depends_on = [aws_config_configuration_recorder.this] } resource \"aws_config_configuration_recorder_status\" \"this\" { name = aws_config_configuration_recorder.this.name is_enabled = true depends_on = [aws_config_delivery_channel.this] } resource \"aws_config_organization_conformance_pack\" \"baseline\" { name = \"org-security-baseline\" template_s3_uri = \"s3://org-config-packs/security-baseline.yaml\" delivery_s3_bucket = aws_s3_bucket.config.id }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config recorder and delivery channel for all-resource recording in the account. 
Parameters: ConfigRoleArn: Type: String ConfigBucketName: Type: String Resources: ConfigRecorder: Type: AWS::Config::ConfigurationRecorder Properties: Name: org-config-recorder RoleARN: !Ref ConfigRoleArn RecordingGroup: AllSupported: true IncludeGlobalResourceTypes: true ConfigDeliveryChannel: Type: AWS::Config::DeliveryChannel Properties: Name: org-config-channel S3BucketName: !Ref ConfigBucketName</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 3.x (verify)n/an/an/a CM-8; CM-3A.8.9CLD.12.4.5 Log signals CloudTrail config:StopConfigurationRecorder events targeting the org-level recorder — halts per-resource compliance evaluation; downstream Config-rule alarms then go silent rather than firing, which is the worst evasion outcome because absence of alerts is interpreted as cleanliness. CloudTrail config:DeleteConfigurationRecorder or config:DeleteDeliveryChannel — destroys the recorder/sink rather than pausing it; equally bad from a coverage standpoint and additionally erases the delivery configuration that the IaC re-apply needs as input. CloudTrail config:PutConfigurationRecorder where recordingGroup.allSupported flips from true to false, or where recordingGroup.resourceTypes drops resource types previously enumerated — narrows recorder scope silently. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.configurationRecorderName, requestParameters.recordingGroup.allSupported, requestParameters.recordingGroup.resourceTypes, userIdentity.arn | filter eventSource = \"config.amazonaws.com\" and eventName in [\"StopConfigurationRecorder\",\"DeleteConfigurationRecorder\",\"DeleteDeliveryChannel\",\"PutConfigurationRecorder\"] | sort @timestamp desc | limit 100</code> Run the CloudWatch Logs Insights query against the management-account org-trail log group; Config service events fan in there because the recorder is configured at the delegated-administrator account scope. Alert threshold Any StopConfigurationRecorder or DeleteConfigurationRecorder in production — page immediately; the recorder is a tenancy-wide control and disabling it blinds every Config rule downstream. PutConfigurationRecorder flipping allSupported to false — high-priority ticket; the narrowed scope might be a deliberate cost optimisation but should never land outside a tracked change. DeleteDeliveryChannel events — page; without a delivery channel the recorded snapshots cannot land in S3 even if the recorder is still running, producing a delayed-failure profile that masquerades as healthy. Initial response Re-start the recorder with aws configservice start-configuration-recorder --configuration-recorder-name {name} or re-create from IaC if deleted; confirm describe-configuration-recorder-status reports lastStatus=SUCCESS before clearing the alarm. Trigger a fleet-wide re-evaluation with aws configservice start-config-rules-evaluation on all org-managed rules so the gap-in-coverage is closed and any newly-non-compliant resources surface within minutes rather than at the next scheduled evaluation. Open an incident per general/ir.html and inventory the resources created during the recorder-off window via CloudTrail RunInstances, CreateBucket, CreateDBInstance, etc. 
— these resources were created without Config-rule evaluation and need a manual posture review before they enter steady-state. References AWS Config — stopping and starting the recorder (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-log-04-guardduty-org ! CRITICAL DETECTIVE Enable Amazon GuardDuty across the entire AWS Organization via a delegated administrator account, with every data source turned on as a single umbrella: CloudTrail management-event analysis (always-on), VPC Flow Logs and DNS query log analysis, S3 protection (S3 data-event analysis), EKS protection (EKS audit log analysis), Malware Protection (agentless EBS volume scanning), RDS Protection (login-event analysis on Aurora MySQL and Aurora PostgreSQL), and Lambda Protection (network activity analysis) (Amazon GuardDuty User Guide — what is GuardDuty (accessed 2026-05)). GuardDuty is managed threat detection — AWS runs and tunes the detection models, AWS curates the threat-intelligence feeds, and the organisation only pays for the data analysed. There is no on-prem analogue to switch off, no rule library to maintain, and no reason to operate the data sources as separately-enabled controls — they share a single detector resource, a single delegated-admin model, and a single org-configuration. Treat the data sources as facets of one umbrella control; do not split into five sub-controls (Open Question §8 resolution). GuardDuty surfaces findings under broad categories — Recon:*, UnauthorizedAccess:*, Backdoor:*, Trojan:*, Stealth:*, CryptoCurrency:*, Impact:*, PenTest:*, Policy:* — and the underlying full finding-type strings change as AWS adds detectors, so reference the category prefixes rather than enumerating the full finding-type list (Pitfall 9). GuardDuty findings flow into Security Hub by default and into EventBridge as native events. 
MITIGATES: Late or missed detection of credential compromise, EC2 cryptomining, malware on EBS volumes, EKS pod-escape attempts, RDS brute-force attacks, Lambda outbound C2 traffic, and Tor-network egress from workload ENIs. ATTACK VECTOR: An attacker who phishes an engineer's IAM session calls AssumeRole from a never-before-seen IP on the Tor network and starts probing the organisation's S3 buckets. GuardDuty's UnauthorizedAccess:IAMUser/TorIPCaller and Recon:IAMUser/UserPermissions finding categories trigger within minutes; the finding propagates to Security Hub and, via the EventBridge pipeline of aws-ir-02, into automated containment. BLAST RADIUS: Whole-Organization when delegated-admin-enabled with auto_enable_organization_members = \"ALL\" and every data source on: new member accounts inherit detection automatically, and findings from any account land in the same central pane. Remediation — AWS CLI <code class=\"language-bash\"># In the Organizations management account: delegate GuardDuty admin. aws guardduty enable-organization-admin-account \\ --admin-account-id 222233334444 # In the delegated-admin account: enable the detector with all features. DETECTOR_ID=$(aws guardduty create-detector \\ --enable \\ --finding-publishing-frequency FIFTEEN_MINUTES \\ --features \\ Name=S3_DATA_EVENTS,Status=ENABLED \\ Name=EKS_AUDIT_LOGS,Status=ENABLED \\ Name=EBS_MALWARE_PROTECTION,Status=ENABLED \\ Name=RDS_LOGIN_EVENTS,Status=ENABLED \\ Name=LAMBDA_NETWORK_LOGS,Status=ENABLED \\ --query DetectorId --output text) # Auto-enrol every existing and future member account. 
aws guardduty update-organization-configuration \\ --detector-id \"$DETECTOR_ID\" \\ --auto-enable-organization-members ALL \\ --features \\ Name=S3_DATA_EVENTS,AutoEnable=NEW \\ Name=EKS_AUDIT_LOGS,AutoEnable=NEW \\ Name=EBS_MALWARE_PROTECTION,AutoEnable=NEW \\ Name=RDS_LOGIN_EVENTS,AutoEnable=NEW \\ Name=LAMBDA_NETWORK_LOGS,AutoEnable=NEW</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # In the Organizations management account. resource \"aws_guardduty_organization_admin_account\" \"this\" { admin_account_id = var.security_account_id } # In the delegated-admin (security) account. resource \"aws_guardduty_detector\" \"this\" { enable = true finding_publishing_frequency = \"FIFTEEN_MINUTES\" } resource \"aws_guardduty_detector_feature\" \"s3\" { detector_id = aws_guardduty_detector.this.id name = \"S3_DATA_EVENTS\" status = \"ENABLED\" } resource \"aws_guardduty_detector_feature\" \"eks\" { detector_id = aws_guardduty_detector.this.id name = \"EKS_AUDIT_LOGS\" status = \"ENABLED\" } resource \"aws_guardduty_detector_feature\" \"ebs_malware\" { detector_id = aws_guardduty_detector.this.id name = \"EBS_MALWARE_PROTECTION\" status = \"ENABLED\" } resource \"aws_guardduty_detector_feature\" \"rds\" { detector_id = aws_guardduty_detector.this.id name = \"RDS_LOGIN_EVENTS\" status = \"ENABLED\" } resource \"aws_guardduty_detector_feature\" \"lambda\" { detector_id = aws_guardduty_detector.this.id name = \"LAMBDA_NETWORK_LOGS\" status = \"ENABLED\" } resource \"aws_guardduty_organization_configuration\" \"this\" { detector_id = aws_guardduty_detector.this.id auto_enable_organization_members = \"ALL\" }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: GuardDuty detector with all current protection plans enabled (S3, EKS audit + runtime, malware, RDS, Lambda). 
Resources: GuardDutyDetector: Type: AWS::GuardDuty::Detector Properties: Enable: true FindingPublishingFrequency: FIFTEEN_MINUTES Features: - Name: S3_DATA_EVENTS Status: ENABLED - Name: EKS_AUDIT_LOGS Status: ENABLED - Name: EBS_MALWARE_PROTECTION Status: ENABLED - Name: RDS_LOGIN_EVENTS Status: ENABLED - Name: LAMBDA_NETWORK_LOGS Status: ENABLED - Name: EKS_RUNTIME_MONITORING Status: ENABLED AdditionalConfiguration: - Name: EKS_ADDON_MANAGEMENT Status: ENABLED</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_guardduty as gd } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class GuardDutyDetectorStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new gd.CfnDetector(this, 'Detector', { enable: true, findingPublishingFrequency: 'FIFTEEN_MINUTES', features: [ { name: 'S3_DATA_EVENTS', status: 'ENABLED' }, { name: 'EKS_AUDIT_LOGS', status: 'ENABLED' }, { name: 'EBS_MALWARE_PROTECTION', status: 'ENABLED' }, { name: 'RDS_LOGIN_EVENTS', status: 'ENABLED' }, { name: 'LAMBDA_NETWORK_LOGS', status: 'ENABLED' }, { name: 'EKS_RUNTIME_MONITORING', status: 'ENABLED', additionalConfiguration: [ { name: 'EKS_ADDON_MANAGEMENT', status: 'ENABLED' }, ], }, ], }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 (best-practices; CIS-aligned)n/an/an/a SI-4; SI-4(2); SI-4(4)A.8.16CLD.12.4.5 Log signals CloudTrail guardduty:DeleteDetector on the delegated-administrator detector — destroys the org-wide finding aggregator and breaks fan-out to all member accounts; the most catastrophic single call against this control. 
CloudTrail guardduty:UpdateDetector where requestParameters.enable is false, or where the dataSources map disables S3 logs, Kubernetes audit logs, malware protection, or RDS login events — silently narrows feature coverage without disabling the detector itself. CloudTrail guardduty:DisassociateMembers or guardduty:DeleteMembers on member accounts — drops accounts out of the org aggregator one at a time, harder to spot than a single global disable. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.detectorId, requestParameters.enable, requestParameters.dataSources, requestParameters.accountIds, userIdentity.arn | filter eventSource = \"guardduty.amazonaws.com\" and eventName in [\"DeleteDetector\",\"UpdateDetector\",\"DisassociateMembers\",\"DeleteMembers\"] | sort @timestamp desc | limit 100</code> Filter the CloudWatch Logs Insights query at the GuardDuty delegated-administrator account's CloudTrail log group; cross-account aggregations route through that account and the delegated-admin context is the canonical source of truth for org-level GuardDuty state. Alert threshold Any DeleteDetector on the delegated-administrator detector — page immediately; the org-wide finding flow stops at the moment of the delete and the"},{"id":"aws/network.html","url":"aws/network.html","title":"AWS Network Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Network","description":"AWS network hardening: VPC design, security groups, NACLs, VPC endpoints, VPC Block Public Access, WAFv2, Shield Advanced, Route53 DNSSEC, egress controls.","body":"AWS Network Hardening Overview This page covers Amazon Web Services network hardening across the surfaces that decide whether an attacker who reaches the network edge can pivot inward, exfiltrate data, or sustain disruption. 
Scope is the AWS commercial regions; AWS GovCloud (US) and the China regions inherit the same controls but expose a different region table and a different STS partition (for example endpoints under amazonaws-us-gov.com) — re-verify region-table caveats before applying any of the IaC below to a non-commercial partition. CIS sub-IDs and NIST / ISO mappings throughout this page reference the AWS commercial benchmark unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The AWS network model is the product of VPCs (regional, RFC1918-addressed virtual networks), subnets (AZ-scoped CIDR slices with a single route table), route tables (deciding whether a subnet is public, private, or isolated), Internet Gateways and NAT Gateways (controlled north-south paths), Security Groups (stateful ENI-attached firewalls), Network ACLs (stateless subnet-attached firewalls), and VPC endpoints (Gateway and Interface flavours that keep AWS-service traffic on the private fabric). The cross-cutting principles — segmentation, default-deny, private connectivity, egress filtering, DNS integrity — are explained in the General Network page; this page maps them to AWS primitives. Severity assignments follow the rubric documented in methodology; equivalence callouts at the bottom of each control point to the matching control on the Azure, GCP, and OCI sibling pages so a reader can compare modelling across providers, and the compliance-frameworks page describes why each control row carries the same seven framework columns. Two anti-conflation callouts up front, because both pairs get conflated in audit reports and architecture reviews and the distinction matters for control design. First: Network ACLs and Security Groups are complementary, not alternatives. Security Groups are stateful and ENI-scoped (covered as aws-net-02); NACLs are stateless and subnet-scoped (covered as aws-net-03). 
They sit at different layers of the packet path and have different failure modes — a misconfigured SG rule can be neutralised by an explicit-deny at the NACL, and vice versa. Reviewers who insist on \"pick one\" are wrong; pick both, with different roles. Second: AWS WAFv2 and AWS Shield Advanced are complementary, not alternatives. WAFv2 is an L7 inspection engine that filters HTTP and HTTPS payloads (covered as aws-net-06); Shield Advanced is an L3/L4 volumetric-attack mitigation tier with 24/7 Shield Response Team engagement (covered as aws-net-07). One filters application-layer abuse; the other absorbs network-layer flooding. The bundled price tag and the overlapping product page in the AWS console obscure the architectural distinction — they answer different threat-model questions and need separate controls. Order matters. Controls 01–04 are foundational invariants: remove the default VPC, lock admin ports against the internet, build defence-in-depth at the subnet layer, and enable VPC Block Public Access so future IGW attachment cannot silently turn a private subnet public. Control 05 takes private connectivity off the public internet via VPC endpoints. Controls 06–07 protect internet-facing entry points at L7 and L3/L4 respectively. Control 08 ensures authoritative DNS for the organisation's public zones is integrity-signed. Control 09 closes the egress loop: even if east-west is locked down, an unfiltered NAT Gateway is a one-way exfiltration channel for any compromised workload. aws-net-01-default-vpc-removed ! MEDIUM PREVENTIVE Delete the default VPC in every region of every AWS account and deploy explicit non-default VPCs per workload. The default VPC ships in every region with a /16 CIDR (172.31.0.0/16), one public subnet per AZ, an Internet Gateway already attached, and a default route to the IGW — none of which match a hardened landing-zone design (AWS VPC User Guide — default VPC and subnets (accessed 2026-05)). 
The principle is reinforced in the General Network — segmentation section: a network the organisation did not consciously design is a network whose blast radius the organisation cannot reason about. MITIGATES: Accidental public exposure of resources launched into the always-present default VPC by developers who did not realise they were attaching to an internet-routed subnet. ATTACK VECTOR: An engineer runs aws ec2 run-instances without an explicit --subnet-id; AWS places the instance in the default VPC's public subnet, assigns a public IP, and the instance becomes internet-reachable on whatever ports its SG opens. The same pattern happens with managed services that default to \"the VPC\" (RDS, Lambda VPC config, ElastiCache) when no explicit VPC is passed. BLAST RADIUS: Per-region, per-account: any resource launched without an explicit VPC parameter for as long as the default VPC exists. Compounds across hundreds of regions in a multi-account Organization. Remediation — AWS CLI <code class=\"language-bash\"># Inventory: list every region's default VPC. for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws ec2 describe-vpcs \\ --region \"$region\" \\ --filters Name=is-default,Values=true \\ --query 'Vpcs[].[VpcId]' --output text \\ | awk -v r=\"$region\" 'NF{print r\"\\t\"$1}' done # Per region: detach IGW, delete subnets/route-tables/IGW/VPC. Delete the VPC last. aws ec2 delete-vpc --region eu-west-1 --vpc-id vpc-0abc123def4567890</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # Organisation-wide SCP denying CreateDefaultVpc so deleted defaults stay deleted. 
resource \"aws_organizations_policy\" \"deny_create_default_vpc\" { name = \"deny-create-default-vpc\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyCreateDefaultVpc\" Effect = \"Deny\" Action = [\"ec2:CreateDefaultVpc\", \"ec2:CreateDefaultSubnet\"] Resource = \"*\" }] }) } # Workload VPCs are declared explicitly; no aws_default_vpc resource is ever # imported, so Terraform will not adopt a default VPC if one reappears. resource \"aws_vpc\" \"workload\" { cidr_block = \"10.40.0.0/16\" enable_dns_hostnames = true enable_dns_support = true tags = { Name = \"workload-prod-eu-west-1\" } }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: AWS Config managed rule asserting no default VPC exists in the region. Resources: NoDefaultVpcRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: ec2-no-default-vpc Source: Owner: AWS SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 5.x (verify)n/an/an/a SC-7; CM-2A.8.20; A.8.22CLD.9.5.1 Log signals CloudTrail ec2:CreateDefaultVpc events — the call only succeeds if the account currently has no default VPC, so a successful invocation is by definition the regression event. Source-IP is rarely relevant; the userIdentity ARN is the actionable column. CloudTrail ec2:CreateVpc events whose responseElements.vpc.isDefault is true — alternative path that achieves the same outcome via the lower-level API. Config rule vpc-default-security-group-closed reporting NON_COMPLIANT on a default SG that was previously absent — surfaces when the default VPC has been re-created and is now in scope for evaluation. 
Query <code class=\"language-sql\">fields @timestamp, eventName, awsRegion, userIdentity.arn, sourceIPAddress, responseElements.vpc.vpcId, responseElements.vpc.isDefault | filter eventSource = \"ec2.amazonaws.com\" and eventName in [\"CreateDefaultVpc\",\"CreateVpc\"] | filter eventName = \"CreateDefaultVpc\" or responseElements.vpc.isDefault = true | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights query collapses both creation paths into a single result set so the alert pipeline does not need a per-event-name branch; the awsRegion column is meaningful because default-VPC creation is per-region and the audit posture must cover every region the account is allowed to operate in. Alert threshold Any successful default-VPC creation in any region — page immediately; the documented steady-state is zero default VPCs across the org and any creation is a deliberate deviation. A region newly enabled (CloudTrail account:EnableRegion) followed within 24 hours by CreateDefaultVpc from the same principal — page; the pairing suggests the enabler is trying to use the newly-opened region's auto-default behaviour as cover. Any iam:PassRole or ec2:AssociateRoute activity referencing a VPC ID whose describe-vpcs reports IsDefault=true in production accounts — informational; promotes to high if the account is supposed to be 100% non-default. Initial response Delete the default VPC with aws ec2 delete-vpc --vpc-id {id}; this requires removing default subnets, default route-table associations, and the default internet gateway in order — the org's deletion playbook captures the exact sequence. Inventory resources that were launched into the default VPC during its lifespan via aws ec2 describe-instances --filters Name=vpc-id,Values={id} and the equivalent for ENIs and load-balancers — these resources need to be relocated or terminated, not left orphaned. 
Open an incident via general/ir.html and rotate any IAM credentials whose principal performed the creation; the creator typically intended to launch something into the default VPC immediately and the launched workload's identity needs to be traced. References AWS VPC — default VPC reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-net-02-sg-no-admin-internet-ingress ! CRITICAL PREVENTIVE No Security Group in any account may permit ingress from 0.0.0.0/0 or ::/0 on administrative ports (SSH 22, RDP 3389, MySQL 3306, PostgreSQL 5432, Oracle 1521, MongoDB 27017, Redis 6379, and any other database / management port the organisation uses). Security Groups are stateful, ENI-attached, default-deny firewalls — the most directly enforceable per-instance boundary AWS exposes (AWS VPC User Guide — Security Groups (accessed 2026-05)). This is the canonical \"open the internet to my database\" misconfiguration, and Shodan-style scanners find these exposures within minutes of an SG rule being saved. SGs differ from NACLs (aws-net-03) on two axes that the control design relies on: SGs are stateful (response traffic is automatically allowed) and they evaluate at the ENI rather than the subnet, so they apply per-resource not per-CIDR. MITIGATES: Direct internet exposure of management planes and databases — leading to credential brute force, exploitation of unpatched RCE in admin services (Confluence, Elasticsearch, MongoDB pre-auth), and untargeted ransomware. ATTACK VECTOR: An engineer opens 0.0.0.0/0 on port 22 \"temporarily\" to debug; the rule is never reverted. Within hours, distributed brute-force traffic from compromised residential IPs begins probing for SSH passwords or weak keys. Database admin ports are worse: many database engines' pre-authentication CVEs (CVE-2017-7494 Samba, CVE-2018-7600 Drupalgeddon analogues, MongoDB pre-3.6 default-no-auth) turn an open port into immediate unauthenticated code execution. 
BLAST RADIUS: Every ENI that uses the offending SG, in every account and region the SG (or a copy of it via cross-account templating) is applied to. Pre-authentication exploitation in databases means data exfiltration from the affected database instance is the assumed outcome until proven otherwise. Remediation — AWS CLI <code class=\"language-bash\"># Audit: every SG with ingress from 0.0.0.0/0 on common admin ports. aws ec2 describe-security-groups \\ --filters Name=ip-permission.cidr,Values=0.0.0.0/0 \\ Name=ip-permission.from-port,Values=22,3389,3306,5432,1521,27017,6379 \\ --query 'SecurityGroups[].[GroupId,GroupName,VpcId]' \\ --output table # Revoke the offending rule (example: SSH from 0.0.0.0/0). aws ec2 revoke-security-group-ingress \\ --group-id sg-0abc123def4567890 \\ --protocol tcp --port 22 --cidr 0.0.0.0/0 # Continuous enforcement: AWS Config managed rule. aws configservice put-config-rule --config-rule '{ \"ConfigRuleName\":\"restricted-common-ports\", \"Source\":{\"Owner\":\"AWS\",\"SourceIdentifier\":\"RESTRICTED_INCOMING_TRAFFIC\"}}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) # Workload SG: ingress only from a known bastion/jump SG, never the internet. resource \"aws_security_group\" \"app\" { name = \"app-tier\" description = \"Application tier — admin ports never internet-exposed\" vpc_id = aws_vpc.workload.id } resource \"aws_vpc_security_group_ingress_rule\" \"ssh_from_bastion\" { security_group_id = aws_security_group.app.id referenced_security_group_id = aws_security_group.bastion.id ip_protocol = \"tcp\" from_port = 22 to_port = 22 description = \"SSH from bastion SG only\" } # Config rule + remediation for drift catch. 
resource \"aws_config_config_rule\" \"restricted_common_ports\" { name = \"restricted-common-ports\" source { owner = \"AWS\" source_identifier = \"RESTRICTED_INCOMING_TRAFFIC\" } input_parameters = jsonencode({ blockedPort1 = \"22\", blockedPort2 = \"3389\", blockedPort3 = \"3306\", blockedPort4 = \"5432\", blockedPort5 = \"1521\" }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Restrictive security group — no admin-port (22/3389) ingress from 0.0.0.0/0. Parameters: VpcId: Type: AWS::EC2::VPC::Id AdminCidr: Type: String Description: Internal CIDR allowed to reach admin ports (never 0.0.0.0/0). Resources: AdminSafeSg: Type: AWS::EC2::SecurityGroup Properties: GroupName: admin-safe-sg GroupDescription: Admin ports restricted to internal CIDR. VpcId: !Ref VpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref AdminCidr - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref AdminCidr</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_ec2 as ec2 } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export interface AdminSafeSgProps extends cdk.StackProps { vpc: ec2.IVpc; adminCidr: string; } export class AdminSafeSgStack extends cdk.Stack { constructor(scope: Construct, id: string, props: AdminSafeSgProps) { super(scope, id, props); const sg = new ec2.SecurityGroup(this, 'AdminSafeSg', { vpc: props.vpc, description: 'Admin ports restricted to internal CIDR.', allowAllOutbound: false, }); sg.addIngressRule(ec2.Peer.ipv4(props.adminCidr), ec2.Port.tcp(22), 'SSH from internal CIDR'); sg.addIngressRule(ec2.Peer.ipv4(props.adminCidr), ec2.Port.tcp(3389), 'RDP from internal CIDR'); } }</code> Compliance mapping CIS AWS Foundations v7.0.0: 5.2; 5.3 | CIS Microsoft Azure Foundations v6.0.0: 6.1; 6.2 | CIS GCP Foundation v5.0.0: 3.6; 3.7 | CIS OCI Foundation v3.1.0: 2.1; 2.2 | NIST SP 800-53 rev5: SC-7(5); SC-7 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 
Log signals CloudTrail ec2:AuthorizeSecurityGroupIngress events whose requestParameters.ipPermissions.items array contains an ipRanges entry with cidrIp=0.0.0.0/0 alongside a fromPort in the administrative-port set: 22 (SSH), 3389 (RDP), 5985-5986 (WinRM), 5432 (Postgres direct), 3306 (MySQL direct), 1433 (MSSQL direct), 6379 (Redis direct), 27017 (MongoDB direct). The IPv6 variant: ipv6Ranges.cidrIpv6=::/0 on the same admin-port set — IPv6 ingress is frequently overlooked in the IPv4-focused security-group authoring habits. Config rule restricted-ssh or restricted-common-ports evaluating NON_COMPLIANT on any production security-group — backstop for cases where the operator authored the rule via the console rather than the CLI and the CloudTrail filter missed an idiom variant. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.groupId, requestParameters.ipPermissions, userIdentity.arn, sourceIPAddress | filter eventSource = \"ec2.amazonaws.com\" and eventName = \"AuthorizeSecurityGroupIngress\" | filter @message like /0\\.0\\.0\\.0\\/0/ or @message like /::\\/0/ | filter @message like /\"fromPort\":22/ or @message like /\"fromPort\":3389/ or @message like /\"fromPort\":5985/ or @message like /\"fromPort\":1433/ | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights filter uses raw-message regex against the ipPermissions JSON because port and CIDR live inside a nested array; this is the canonical pattern for security-group event analysis and is faster than a fully-typed filter for ad-hoc investigations. Alert threshold Any admin-port + Internet-CIDR rule introduced on a production security-group — page immediately; the change is high-confidence wrong and an SCP-deny is the correct preventive (already in place via aws-iam-08-scp-deny-list). 
An admin-port rule introduced on a non-production security-group — high-priority ticket within one business hour; non-production exposures still constitute an attack surface and frequently serve as the pivot point in real incidents. More than three admin-port + Internet rule attempts denied by SCP within 24 hours from the same principal — page; the repeated attempts indicate the principal is either probing the preventive or unaware of the SCP and warrants an urgent conversation. Initial response Revoke the rule with aws ec2 revoke-security-group-ingress using the rule-id from the CloudTrail event; replace it (if the operator's intent was legitimate) with a rule referencing a corporate-egress CIDR or a peer security-group rather than an Internet CIDR. Pull VPC Flow Logs for the security-group's ENIs over the exposure window and enumerate every ACCEPT flow on the affected port from non-corporate CIDRs — every such flow is a candidate active-attack data point. Open an incident via general/ir.html if any inbound flow was observed; correlate against GuardDuty findings on the same instances and rotate any credentials reachable from the exposed workload. References AWS VPC — security-group rules reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-net-03-nacl-explicit-deny ! HIGH PREVENTIVE Use Network ACLs as a defence-in-depth tier under Security Groups. Apply default-deny egress on private subnets and explicit-deny rules for known-bad CIDRs (threat intelligence feeds, sanctions lists, the organisation's own dropped-prefix set) at the NACL layer (AWS VPC User Guide — Network ACLs (accessed 2026-05)). NACLs are stateless and subnet-scoped: every flow needs both an inbound and a corresponding outbound rule, and the rule list applies to every ENI in the subnet without exception. 
This pair of properties is exactly what makes NACLs the right tier for blanket subnet-wide policy that you do not want a single SG misconfiguration to bypass — the SG sits behind the NACL on the packet path, so a permissive SG cannot re-open something a NACL has explicitly denied. NACLs are AWS-unique; Azure NSGs are stateful (so they play the SG role, not the NACL role), GCP's hierarchical firewall policies and OCI's security lists are the closest functional analogs (see equivalence callout). MITIGATES: An SG misconfiguration (or a credential-compromise leading to deliberate SG widening) that opens lateral pivots or egress channels that subnet-wide policy should always have forbidden. ATTACK VECTOR: An attacker who lands code execution on one EC2 instance modifies that instance's SG to permit outbound traffic to an attacker-controlled IP for exfiltration. With a NACL default-deny egress rule pinning the subnet's allowed destinations to (NAT Gateway → known-good prefix list), the SG widening has no effect — the subnet's stateless egress filter blocks the flow. BLAST RADIUS: Per-subnet: every ENI in the subnet inherits the NACL ruleset. Limiting blast radius to \"what the subnet should ever do\" caps the cost of a single-instance compromise. Remediation — AWS CLI <code class=\"language-bash\"># Create a NACL and attach to the private subnet. ACL_ID=$(aws ec2 create-network-acl \\ --vpc-id vpc-0abc123def4567890 \\ --query 'NetworkAcl.NetworkAclId' --output text) # Allow ephemeral inbound (stateless rules: must be explicit). aws ec2 create-network-acl-entry \\ --network-acl-id \"$ACL_ID\" --rule-number 100 --ingress \\ --protocol tcp --port-range From=1024,To=65535 \\ --cidr-block 0.0.0.0/0 --rule-action allow # Default-deny egress except explicit allow to the NAT prefix. 
aws ec2 create-network-acl-entry \\ --network-acl-id \"$ACL_ID\" --rule-number 100 --egress \\ --protocol tcp --port-range From=443,To=443 \\ --cidr-block 10.40.0.0/16 --rule-action allow # Explicit deny known-bad CIDR (example). aws ec2 create-network-acl-entry \\ --network-acl-id \"$ACL_ID\" --rule-number 50 --ingress \\ --protocol -1 --cidr-block 198.51.100.0/24 --rule-action deny</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_network_acl\" \"private\" { vpc_id = aws_vpc.workload.id subnet_ids = aws_subnet.private[*].id tags = { Name = \"private-tier-acl\" } } # Explicit-deny known-bad CIDRs first (lower rule numbers win). resource \"aws_network_acl_rule\" \"deny_known_bad\" { for_each = toset(var.known_bad_cidrs) network_acl_id = aws_network_acl.private.id rule_number = 50 + index(var.known_bad_cidrs, each.value) rule_action = \"deny\" protocol = \"-1\" cidr_block = each.value } # Egress: allow only HTTPS to the NAT-fronted prefix list, deny everything else. resource \"aws_network_acl_rule\" \"egress_https_only\" { network_acl_id = aws_network_acl.private.id rule_number = 200 egress = true rule_action = \"allow\" protocol = \"tcp\" from_port = 443 to_port = 443 cidr_block = \"0.0.0.0/0\" }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Subnet network ACL with explicit deny rules for known-bad ingress. 
Parameters: VpcId: Type: AWS::EC2::VPC::Id Resources: HardenedNacl: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref VpcId DenyTorExitNodes: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: !Ref HardenedNacl RuleNumber: 100 Protocol: -1 RuleAction: deny Egress: false CidrBlock: 192.0.2.0/24</code> Compliance mapping CIS AWS Foundations v7.0.0: 5.x (verify) | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7; AC-4 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail ec2:DeleteNetworkAclEntry targeting a deny-rule entry on a NACL whose VPC tag indicates production — removes a stateless deny barrier and shifts enforcement entirely onto the stateful security-group layer below. CloudTrail ec2:CreateNetworkAclEntry with requestParameters.ruleAction=allow and requestParameters.cidrBlock=0.0.0.0/0 at a low rule-number (NACLs evaluate by number ascending) — effectively overrides any deny entry with a higher number that the operator intended to keep. CloudTrail ec2:ReplaceNetworkAclAssociation swapping a subnet's NACL from the locked-down custom NACL back to the VPC's default NACL — the default NACL permits all traffic and is a frequent escape hatch for operators wanting to bypass the custom rules without explicitly modifying them. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.networkAclId, requestParameters.ruleNumber, requestParameters.ruleAction, requestParameters.cidrBlock, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName in [\"DeleteNetworkAclEntry\",\"CreateNetworkAclEntry\",\"ReplaceNetworkAclEntry\",\"ReplaceNetworkAclAssociation\"] | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query covers all four mutation paths in one pass; downstream alert routing branches on eventName because the severity tier differs (delete-deny is paging-priority; allow-with-low-number is high-priority). Alert threshold Any delete of a deny-rule entry on a production NACL — page; the deny entries are deliberately authored and the steady-state mutation rate is essentially zero. An allow-rule at rule-number below 100 with cidrBlock=0.0.0.0/0 — high-priority ticket; the low rule-number means it evaluates before most other rules and effectively becomes an \"allow all\" override. ReplaceNetworkAclAssociation reverting a subnet to the default NACL — page; the default NACL is permit-all and any subnet swapped back to it has lost the entire NACL-layer enforcement until a follow-up association is made. Initial response Restore the deny entry from IaC: aws ec2 create-network-acl-entry --network-acl-id {id} --rule-number {n} --protocol {p} --rule-action deny --cidr-block {cidr}; for association reverts, re-associate the subnet with the custom NACL via replace-network-acl-association. Inspect VPC Flow Logs for the affected subnet during the gap window — flows that would have been NACL-denied appear as ACCEPT records with security-group-only enforcement and need a manual review against the SG rule set. Open an incident per general/ir.html if the gap window aligns with any GuardDuty finding on instances in the subnet; the NACL deletion is often paired with a follow-on instance compromise attempt. 
References AWS VPC — network ACLs reference (accessed 2026-05) Cross-provider equivalence: Azure NSG outbound default · GCP hierarchical firewall · OCI security list Closest analog (NACL is AWS-unique; see overview anti-conflation prose): Azure NSG outbound default · GCP hierarchical firewall · OCI security list aws-net-04-vpc-block-public-access ! CRITICAL PREVENTIVE Enable VPC Block Public Access (BPA) in block-bidirectional mode in every region of every account, and pin the setting with an SCP that denies disabling it. VPC BPA is a Nov 2024 feature that fences every VPC in a region against internet traffic through Internet Gateways and egress-only IGWs in a single per-region setting — independent of any SG, NACL, or route-table configuration (AWS VPC User Guide — Block Public Access (accessed 2026-05)). This is the network-equivalent of S3 Block Public Access (covered as aws-data-01 on the AWS Data page): a region-wide invariant that catches every future misconfiguration in a single setting, including the cases where a workload owner attaches an IGW to a subnet that the platform team thought was permanently private. Note: VPC BPA is distinct from S3 BPA — they protect different resource families and both must be on. The CIS AWS Foundations Benchmark v3.0.0 (Jan 2024) predates the feature, so the CIS cell reads n/a (post-v3.0.0); re-verify at writing time in case a benchmark patch has added a sub-ID. MITIGATES: Accidental public exposure via IGW attachment, route-table edits, or misconfigured SG rules that the platform team did not catch in review. ATTACK VECTOR: A workload team attaches an IGW to a VPC that was supposed to remain private (perhaps under deadline pressure during an incident), adds a 0.0.0.0/0 route to the route table of a subnet hosting an internal-only service, and the service becomes internet-reachable. SG and NACL controls may catch this; VPC BPA stops it deterministically at the regional fabric. 
BLAST RADIUS: Per region per account when on: zero internet-reachable resources via IGW; when off: every VPC, subnet, ENI in the region governed only by SG/NACL/route-table correctness. Remediation — AWS CLI <code class=\"language-bash\"># Enable VPC Block Public Access in block-bidirectional mode, per region, per account. for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do aws ec2 modify-vpc-block-public-access-options \\ --region \"$region\" \\ --internet-gateway-block-mode block-bidirectional done # Verify. aws ec2 describe-vpc-block-public-access-options --region eu-west-1 \\ --query 'VpcBlockPublicAccessOptions.{Mode:InternetGatewayBlockMode,State:State}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_vpc_block_public_access_options\" \"this\" { internet_gateway_block_mode = \"block-bidirectional\" } # SCP pinning: deny any principal in any member account from disabling BPA. resource \"aws_organizations_policy\" \"deny_disable_vpc_bpa\" { name = \"deny-disable-vpc-bpa\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyDisableVpcBpa\" Effect = \"Deny\" Action = [ \"ec2:DisableVpcBlockPublicAccess\", \"ec2:ModifyVpcBlockPublicAccessOptions\" ] Resource = \"*\" Condition = { StringNotEquals = { \"aws:PrincipalArn\" = \"arn:aws:iam::${var.platform_account_id}:role/PlatformNetworkAdmin\" } } }] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: VPC Block Public Access (declarative policy banning IGW/EGW attachment org-wide). 
Parameters: OrgId: Type: String Resources: VpcBpaPolicy: Type: AWS::EC2::VPCBlockPublicAccessOptions Properties: InternetGatewayBlockMode: block-bidirectional</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_ec2 as ec2 } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class VpcBlockPublicAccessStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new ec2.CfnVPCBlockPublicAccessOptions(this, 'VpcBpa', { internetGatewayBlockMode: 'block-bidirectional', }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0: n/a (post-v3.0.0) | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7; CM-7 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail ec2:ModifyVpcBlockPublicAccessOptions where requestParameters.internetGatewayBlockMode shifts from block-bidirectional or block-ingress to off — disables the account-level public-access guard entirely. CloudTrail ec2:CreateVpcBlockPublicAccessExclusion events — adds a per-VPC or per-subnet carve-out from the account-level block; legitimate carve-outs exist but every new one warrants review since the steady-state count is small and bounded. CloudTrail ec2:DeleteVpcBlockPublicAccessExclusion against an exclusion previously authored by IaC — removes an exclusion the org expects to persist, often as a side-effect of a half-applied Terraform run that left manual state behind. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.internetGatewayBlockMode, requestParameters.exclusionId, requestParameters.resourceArn, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName in [\"ModifyVpcBlockPublicAccessOptions\",\"CreateVpcBlockPublicAccessExclusion\",\"DeleteVpcBlockPublicAccessExclusion\",\"ModifyVpcBlockPublicAccessExclusion\"] | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query covers both the account-level switch and the per-VPC exclusion surface; pair with a daily completeness check that lists describe-vpc-block-public-access-options per region and asserts block-bidirectional. Alert threshold Any internetGatewayBlockMode shift to off — page immediately; the account-wide control is a fleet-protection backstop and disabling it widens the blast radius of every other network-misconfiguration class simultaneously. Any new exclusion created in production — high-priority ticket within 30 minutes; the exclusion's scope (account / VPC / subnet) drives the severity, with account-wide being page-priority. An exclusion deletion that does not correspond to a tracked change-management ticket — informational; the deletion narrows the exclusion surface (which is desirable) but indicates IaC drift that should be reconciled. Initial response Restore the block-mode with aws ec2 modify-vpc-block-public-access-options --internet-gateway-block-mode block-bidirectional; confirm via describe-vpc-block-public-access-options read-back. Inventory IGWs and public subnets created during the off-window via CloudTrail ec2:CreateInternetGateway + ec2:AttachInternetGateway + ec2:AssociateRouteTable — these resources may now violate the restored bidirectional block and need cleanup before the next eventually-consistent enforcement sweep terminates them implicitly. 
Open an incident via general/ir.html if any public-facing workload was launched during the window; the workload's Internet exposure during the off-window is a candidate attack-surface review and the workload's reachable secrets need rotation per aws-ir-06-credential-rotation-playbook. References AWS VPC — block public access reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-net-05-vpc-endpoints-privatelink ! HIGH PREVENTIVE Route AWS-service traffic through VPC endpoints rather than the public internet, and pin the requirement with an SCP that denies traffic egressing the VPC for in-region service calls. AWS exposes two endpoint flavours: Gateway endpoints for S3 and DynamoDB (free; added to the subnet route table as a prefix-list target) and Interface endpoints (also called PrivateLink) for everything else (priced per-endpoint per-hour; surface as ENIs in the VPC). Properly endpoint-routed traffic never crosses the IGW or NAT — it stays on the AWS private fabric, with endpoint-policy least-privilege as an additional perimeter beyond IAM (AWS PrivateLink documentation (accessed 2026-05)). The principle is reinforced in General Network — zero trust: never traverse a network you do not control. Note: this control covers AWS-service traffic specifically; egress filtering for third-party destinations is the subject of aws-net-09. MITIGATES: Service-call traffic traversing the public internet where TLS is the only barrier; SSRF/IMDS-style exfil paths via NAT Gateway; cross-account confused-deputy patterns where lack of endpoint-policy controls means IAM is the only gate. ATTACK VECTOR: A workload calls s3:GetObject through the NAT Gateway over the public S3 endpoint. An attacker who compromises the instance can equally call S3 — including buckets in other AWS accounts the IAM role can reach — and exfiltrate via the same NAT path. 
Endpoint policy (aws:SourceVpce) lets the bucket owner deny any read that did not arrive via a sanctioned VPC endpoint. BLAST RADIUS: Per service, per VPC: every workload in the VPC that calls the service is either constrained to endpoint paths or not. Endpoint policies bound what any principal can do via that endpoint, capping blast radius on the resource side too. Remediation — AWS CLI <code class=\"language-bash\"># Gateway endpoint for S3 (free; route-table modification). aws ec2 create-vpc-endpoint \\ --vpc-id vpc-0abc123def4567890 \\ --service-name com.amazonaws.eu-west-1.s3 \\ --vpc-endpoint-type Gateway \\ --route-table-ids rtb-0123456789abcdef0 # Interface endpoint for KMS (PrivateLink; ENI in each AZ subnet). aws ec2 create-vpc-endpoint \\ --vpc-id vpc-0abc123def4567890 \\ --service-name com.amazonaws.eu-west-1.kms \\ --vpc-endpoint-type Interface \\ --subnet-ids subnet-0aaa subnet-0bbb \\ --security-group-ids sg-0endpoint \\ --private-dns-enabled</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_vpc_endpoint\" \"s3_gateway\" { vpc_id = aws_vpc.workload.id service_name = \"com.amazonaws.${var.region}.s3\" vpc_endpoint_type = \"Gateway\" route_table_ids = aws_route_table.private[*].id policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"AllowOnlyOurBuckets\" Effect = \"Allow\" Principal = \"*\" Action = [\"s3:GetObject\", \"s3:PutObject\", \"s3:ListBucket\"] Resource = [ \"arn:aws:s3:::${var.workload_bucket}\", \"arn:aws:s3:::${var.workload_bucket}/*\" ] }] }) } resource \"aws_vpc_endpoint\" \"kms_interface\" { vpc_id = aws_vpc.workload.id service_name = \"com.amazonaws.${var.region}.kms\" vpc_endpoint_type = \"Interface\" subnet_ids = aws_subnet.private[*].id security_group_ids = [aws_security_group.endpoint.id] private_dns_enabled = true }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' 
Description: VPC interface endpoints for S3, KMS, and SSM (PrivateLink) — keeps service traffic off the public Internet. Parameters: VpcId: Type: AWS::EC2::VPC::Id SubnetIds: Type: List<AWS::EC2::Subnet::Id> SecurityGroupId: Type: AWS::EC2::SecurityGroup::Id Resources: KmsEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VpcId ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms' VpcEndpointType: Interface SubnetIds: !Ref SubnetIds SecurityGroupIds: - !Ref SecurityGroupId PrivateDnsEnabled: true SsmEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VpcId ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm' VpcEndpointType: Interface SubnetIds: !Ref SubnetIds SecurityGroupIds: - !Ref SecurityGroupId PrivateDnsEnabled: true</code> Compliance mapping CIS AWS Foundations v7.0.0: 5.x (verify) | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7(8); AC-4 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail ec2:ModifyVpcEndpoint where requestParameters.policyDocument is replaced with a permissive document (typically \"Principal\":\"*\" without a Condition on aws:PrincipalAccount or aws:SourceVpce) — opens the endpoint to cross-account principals, defeating the network-isolation intent. 
CloudTrail ec2:DeleteVpcEndpoints on a previously-required endpoint (commonly com.amazonaws.{region}.s3, ...kms, ...ssm) — the corresponding service traf"},{"id":"aws/workloads.html","url":"aws/workloads.html","title":"AWS Workloads Hardening — Cloud Hardening Guide","breadcrumb":"Home AWS Workloads","description":"AWS workloads hardening: IMDSv2 mandatory, SSM Session Manager, ECR scan-on-push, Amazon Inspector, Lambda least privilege, EKS Pod Identity, EC2 Image Builder golden AMIs, SSM Patch Manager.","body":"AWS Workloads Hardening Overview This page covers Amazon Web Services workload hardening across the compute surfaces that decide whether an attacker who lands code execution on a single instance can pivot to credentials, sibling workloads, or the AWS control plane. Scope is EC2 (instance metadata and remote access), Amazon ECR (container image supply chain), Amazon Inspector (vulnerability assessment), AWS Lambda (function-level least privilege and secrets handling), Amazon EKS (Kubernetes workload identity and control-plane posture), EC2 Image Builder (golden machine images), and AWS Systems Manager Patch Manager (post-deployment patch hygiene). Cross-cutting principles — image hardening, runtime protection, supply-chain integrity, secrets management — are explained in the General Workloads page sections on runtime security and supply chain; this page maps the principles to AWS primitives. One canonical-content cross-link to flag at the top, because authoring this page in isolation would otherwise duplicate ~1500 words of canonical material: secrets management for AWS Lambda is documented on the General IAM — secrets management page, not here. The Phase 4 canonical-content rule (one canonical treatment per cross-cutting topic) lives this rule out in aws-work-05: the control covers Lambda execution-role least privilege and function-URL auth, and cross-links to general/iam.html for the Secrets Manager + KMS reference architecture rather than re-authoring it. 
The same pattern will recur on aws/data.html (encryption-in-transit cross-links to aws/network.html). Two anti-conflation callouts up front, because both pairs get confused in design reviews. First: SSM Session Manager replaces SSH; bastion hosts are legacy. The default reflex of \"stand up a bastion in a public subnet, allow port 22 from corporate IPs, jump from there\" is obsolete (covered as aws-work-02): Session Manager exposes no public ports, requires no inbound network path, integrates with IAM for per-user authorisation, and writes a full session log to S3 + CloudWatch with optional KMS encryption. Engineers who insist on bastions are reproducing 2014's threat model — pick Session Manager, retire the bastion. Second: EKS Pod Identity (Dec 2023 GA) is the preferred workload-identity mechanism; IRSA is legacy-but-supported. Pod Identity decouples the trust-policy step that IRSA required, scales to many clusters without OIDC-provider sprawl, and is the path AWS is investing in (covered as aws-work-06). IRSA continues to work and existing IRSA deployments need not migrate urgently, but new clusters should default to Pod Identity. The same Pod-Identity-vs-IRSA choice was made on the IAM page for aws-iam-06; this page maintains alignment. Order matters. Controls 01–02 are foundational invariants for every EC2 instance: IMDSv2 mandatory (the SSRF-to-credentials kill-chain mitigation) and SSM as the remote-access plane. Controls 03–04 close the container and vulnerability-assessment loop: ECR scan-on-push at build time, Amazon Inspector for continuous EC2 / ECR / Lambda assessment. Control 05 hardens Lambda functions. Control 06 hardens EKS. Control 07 establishes golden-AMI provenance via EC2 Image Builder. Control 08 handles ongoing patch hygiene via Systems Manager Patch Manager. The page is structured so a reader can skim 01–02 for the everyday EC2 baseline, then dip into 03–08 by service area as needed. 
Equivalence callouts at the bottom of each control point to the matching control on the Azure, GCP, and OCI sibling pages so a reader can compare modelling across providers, and the compliance-frameworks page describes why each control row carries the same seven framework columns. aws-work-01-imdsv2-mandatory ! CRITICAL PREVENTIVE Configure every EC2 instance with IMDSv2 token-required and hop-limit = 1, and pin the requirement with an organisation-level SCP that denies ec2:RunInstances when ec2:MetadataHttpTokens is not required. IMDSv1 is the unauthenticated, GET-only Instance Metadata Service that any local process — including a web server reflected through an SSRF bug — can call to retrieve the instance role's temporary credentials (Amazon EC2 — IMDSv2 enforcement and hop limit (accessed 2026-05)). IMDSv2 turns the call into a two-step session-token handshake (PUT to obtain a token, GET with the token header) that an SSRF reflection cannot perform because most SSRF payloads can only emit GETs. Hop-limit = 1 means the IMDS response packet has a TTL that decrements to zero after one hop — so a container in the host network namespace can reach it, but a forwarded HTTP request from a non-co-resident attacker cannot. PITFALL 5: hop-limit must be 1 for non-container workloads; the only legitimate reason to raise it to 2 is ECS-on-EC2, where the agent forwards the request through one virtual hop before reaching the IMDS — never raise hop-limit to 2 for general workloads \"in case some app needs it\", because that is exactly the attacker's wish. MITIGATES: SSRF-to-credentials kill chain — an attacker who lands an SSRF bug in any internet-facing or LAN-facing service on the instance steals the instance role's temporary credentials and pivots to whatever the role can do (read S3, assume other roles, call sts:GetCallerIdentity to enumerate the account). 
ATTACK VECTOR: The Capital One 2019 breach is the canonical case: an SSRF in a web-app WAF mis-rule reflected GETs at http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> on the IMDSv1 endpoint. The response — temporary AWS credentials — flowed back through the SSRF response body to the attacker, who then used them to enumerate S3 and exfiltrate ~100M customer records. IMDSv2 alone defeats this exact pattern because the SSRF cannot emit the PUT to obtain the session token. BLAST RADIUS: Per instance: an instance running IMDSv2-mandatory denies credential theft via SSRF reflection on that instance only. An organisation-level SCP turns the property into a region-wide invariant: every new instance is forced IMDSv2 at create time. Remediation — AWS CLI <code class=\"language-bash\"># Enforce IMDSv2 on an existing instance (hop-limit=1 = non-container workload default). aws ec2 modify-instance-metadata-options \\ --instance-id i-0abc123def4567890 \\ --http-tokens required \\ --http-put-response-hop-limit 1 \\ --http-endpoint enabled # Account-wide default: every new instance launched after this call uses IMDSv2. aws ec2 modify-instance-metadata-defaults \\ --http-tokens required \\ --http-put-response-hop-limit 1 \\ --http-endpoint enabled # Audit: list instances still allowing IMDSv1. 
aws ec2 describe-instances \\ --filters Name=metadata-options.http-tokens,Values=optional \\ --query 'Reservations[].Instances[].[InstanceId,Tags[?Key==`Name`].Value|[0]]' \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_instance\" \"workload\" { ami = var.golden_ami_id instance_type = \"m6i.large\" subnet_id = aws_subnet.private[0].id metadata_options { http_tokens = \"required\" # IMDSv2 mandatory http_put_response_hop_limit = 1 # PITFALL 5: 1 for non-container; 2 ONLY for ECS-on-EC2 http_endpoint = \"enabled\" instance_metadata_tags = \"enabled\" } tags = { Name = \"app-prod-01\" } } # Organisation-wide SCP: deny RunInstances unless IMDSv2 required. resource \"aws_organizations_policy\" \"deny_imdsv1_launches\" { name = \"deny-imdsv1-launches\" type = \"SERVICE_CONTROL_POLICY\" content = jsonencode({ Version = \"2012-10-17\" Statement = [{ Sid = \"DenyRunInstancesWithoutImdsV2\" Effect = \"Deny\" Action = \"ec2:RunInstances\" Resource = \"arn:aws:ec2:*:*:instance/*\" Condition = { StringNotEquals = { \"ec2:MetadataHttpTokens\" = \"required\" } } }] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: EC2 launch template mandating IMDSv2 (HttpTokens=required) on every instance launched from it. 
Resources: ImdsV2LaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: imdsv2-mandatory LaunchTemplateData: MetadataOptions: HttpTokens: required HttpEndpoint: enabled HttpPutResponseHopLimit: 2 InstanceMetadataTags: enabled</code> Remediation — AWS CDK (TypeScript) <code class=\"language-typescript\">import * as cdk from 'aws-cdk-lib'; import { aws_ec2 as ec2 } from 'aws-cdk-lib'; import { Construct } from 'constructs'; export class ImdsV2LaunchTemplateStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); new ec2.CfnLaunchTemplate(this, 'ImdsV2Lt', { launchTemplateName: 'imdsv2-mandatory', launchTemplateData: { metadataOptions: { httpTokens: 'required', httpEndpoint: 'enabled', httpPutResponseHopLimit: 2, instanceMetadataTags: 'enabled', }, }, }); } }</code> Compliance mapping CIS AWS Foundations v7.0.0: 4.x (verify) · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: n/a · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: AC-3; CM-7; SC-8 · ISO/IEC 27001:2022: A.8.20; A.8.25 · ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail ec2:ModifyInstanceMetadataOptions events where requestParameters.httpTokens resolves to optional or where requestParameters.httpEndpoint remains enabled with httpPutResponseHopLimit above 1 — the IMDSv1 fallback re-opens the SSRF pivot from compromised containers and SDK clients into the instance role. CloudTrail ec2:RunInstances events whose requestParameters.metadataOptions.httpTokens is optional (default for older AMIs and launch-templates) — surfaces fleet drift at launch time rather than at modification time. Config rule ec2-imdsv2-check evaluating NON_COMPLIANT against production-tagged instances — backstop signal for instances that pre-date the CloudTrail event-window or were modified via the console with the event captured outside the working window. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.instanceId, requestParameters.httpTokens, requestParameters.httpPutResponseHopLimit, requestParameters.metadataOptions.httpTokens, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName in [\"ModifyInstanceMetadataOptions\",\"RunInstances\"] | filter requestParameters.httpTokens = \"optional\" or requestParameters.metadataOptions.httpTokens = \"optional\" or requestParameters.httpPutResponseHopLimit > 1 | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query covers both at-modification and at-launch paths; for fleets that rely on auto-scaling launch-templates, also confirm the launch-template itself is hardened via aws ec2 describe-launch-template-versions diff against the IaC. Alert threshold Any httpTokens=optional on a production instance — page immediately; the instance role's credentials are now reachable via IMDSv1 from any compromised process inside the OS. RunInstances launching with httpTokens=optional from a launch-template not in the IaC allow-list — high-priority ticket; the new launch indicates either a manual launch outside the auto-scaling flow or a stale launch-template. httpPutResponseHopLimit above 1 on a non-EKS instance — page; the hop-limit increase has no legitimate use case outside container workloads and is a deliberate signal that the operator wants pod-level access to IMDS. Initial response Re-enforce IMDSv2 with aws ec2 modify-instance-metadata-options --instance-id {id} --http-tokens required --http-put-response-hop-limit 1; for launch-templates, increment the version with the hardened metadata-options and set the new version as default. Pivot to CloudTrail sts:AssumeRole events for the instance's IAM role during the relaxation window and identify any token use from outside the instance's expected workload — pod or container processes accessing the role via IMDSv1 are the canonical abuse pattern. 
Open an incident per general/ir.html if any unexpected role use is found; rotate the instance role's session credentials via aws iam update-role trust-policy re-sign and follow up with the credential-rotation playbook on any downstream resources the role had access to. References AWS EC2 — IMDSv2 configuration on existing instances (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-work-02-ssm-session-manager ! HIGH PREVENTIVE Replace SSH with AWS Systems Manager Session Manager on every EC2 instance; delete the bastion fleet. Session Manager establishes interactive shells through the SSM control plane, requires no inbound network path to the instance, authenticates via IAM, and writes full session transcripts to S3 + CloudWatch Logs with optional KMS encryption (AWS Systems Manager — Session Manager (accessed 2026-05)). The architectural shift is the entire point: bastion hosts with public IPs and port 22 ingress are obsolete — Session Manager is zero-trust (no implicit network reachability), logged by default, and has no public attack surface. Instances need only the AmazonSSMManagedInstanceCore managed policy on their instance profile and an SSM Agent (pre-installed on all Amazon Linux 2, AL2023, Ubuntu 18.04+, and Windows Server 2016+ AMIs). Severity HIGH PREVENTIVE because the control eliminates an entire category of internet-exposed SSH brute-force attacks and credential-stuffing campaigns against bastion fleets; CRITICAL is reserved for SSRF-class single-step exploitation paths (e.g. aws-work-01). MITIGATES: Internet-exposed SSH brute force, bastion compromise pivots to internal fleet, lateral SSH movement after a single-instance compromise, unlogged shell sessions that defeat post-incident forensics. ATTACK VECTOR: A bastion host is launched in a public subnet with port 22 open to corporate office IPs. 
An attacker compromises a developer laptop and steals an SSH private key, then connects to the bastion from the legitimate office IP range. From the bastion they SSH to internal instances using the same key (or a forwarded agent). No session log exists; the incident responder cannot reconstruct which commands ran on which host. With Session Manager: no public port 22, IAM-authenticated session, full keystroke-and-output log in S3 (Object-Lock retained) and CloudWatch. BLAST RADIUS: Per fleet: removing the bastion + enforcing Session-Manager-only access caps blast radius of a stolen SSH key to zero AWS instances. Pairs with aws-iam-02 (MFA) so the IAM principal calling StartSession is itself MFA-gated. Remediation — AWS CLI <code class=\"language-bash\"># Start an interactive session (replaces ssh ec2-user@host). aws ssm start-session --target i-0abc123def4567890 # Configure session preferences: KMS-encrypted log shipping to S3 + CloudWatch. aws ssm update-document \\ --name SSM-SessionManagerRunShell \\ --content file://session-prefs.json \\ --document-version '$LATEST' # session-prefs.json sets s3BucketName, s3KeyPrefix, s3EncryptionEnabled=true, # cloudWatchLogGroupName, cloudWatchEncryptionEnabled=true, kmsKeyId=<key>. # Attach the SSM managed policy to the instance role. 
aws iam attach-role-policy \\ --role-name ec2-workload-role \\ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_iam_role\" \"ec2_workload\" { name = \"ec2-workload-role\" assume_role_policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Action = \"sts:AssumeRole\" Principal = { Service = \"ec2.amazonaws.com\" } }] }) } resource \"aws_iam_role_policy_attachment\" \"ssm_core\" { role = aws_iam_role.ec2_workload.name policy_arn = \"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore\" } resource \"aws_iam_instance_profile\" \"ec2_workload\" { name = \"ec2-workload-profile\" role = aws_iam_role.ec2_workload.name } # Session-Manager preferences document: KMS-encrypted S3 + CloudWatch session logs. resource \"aws_ssm_document\" \"session_prefs\" { name = \"SSM-SessionManagerRunShell\" document_type = \"Session\" document_format = \"JSON\" content = jsonencode({ schemaVersion = \"1.0\" description = \"Session-Manager preferences with KMS-encrypted logging\" sessionType = \"Standard_Stream\" inputs = { s3BucketName = aws_s3_bucket.session_logs.id s3KeyPrefix = \"sessions/\" s3EncryptionEnabled = true cloudWatchLogGroupName = aws_cloudwatch_log_group.sessions.name cloudWatchEncryptionEnabled = true kmsKeyId = aws_kms_key.sessions.arn runAsEnabled = false } }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: SSM Session Manager preferences forcing KMS encryption and CloudWatch session logging. Parameters: SessionLogGroupName: Type: String SessionKmsKeyArn: Type: String Resources: SessionManagerPreferences: Type: AWS::SSM::Document Properties: Name: SSM-SessionManagerRunShell DocumentType: Session DocumentFormat: JSON Content: schemaVersion: '1.0' description: Session Manager hardened defaults. 
sessionType: Standard_Stream inputs: cloudWatchLogGroupName: !Ref SessionLogGroupName cloudWatchEncryptionEnabled: true kmsKeyId: !Ref SessionKmsKeyArn runAsEnabled: false</code> Compliance mapping CIS AWS Foundations v7.0.0: (best-practices) · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: n/a · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: AC-17; AC-17(3); AU-2 · ISO/IEC 27001:2022: A.8.5; A.8.15 · ISO/IEC 27017:2015: CLD.9.5.1 Log signals CloudTrail ec2:RunInstances events whose requestParameters.keyName is non-empty on instances tagged for SSM-only access — attaching an SSH key-pair to an instance creates the SSH access path even if the security-group denies port 22 today (a later SG edit re-opens it without further alert). VPC Flow Logs ACCEPT records on TCP 22 to any instance's primary ENI — the SSM-only posture means the steady-state SSH traffic to production instances is exactly zero, so any flow is high-signal. CloudTrail ssm:UpdateInstanceInformation failures returning the instance as ConnectionLost while the instance is still running per ec2:DescribeInstances — indicates the SSM agent has been disabled or the instance role's AmazonSSMManagedInstanceCore attachment has been removed, breaking the documented access path. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.keyName, requestParameters.instanceId, responseElements.instancesSet.items.0.tagSet, userIdentity.arn | filter eventSource = \"ec2.amazonaws.com\" and eventName = \"RunInstances\" | filter ispresent(requestParameters.keyName) and requestParameters.keyName != \"\" | sort @timestamp desc | limit 100</code> The CloudWatch Logs Insights query catches the at-launch path; for the in-flight path, run a parallel query on ec2:AuthorizeSecurityGroupIngress filtered to port-22 introductions and join the results against the org's SSM-only tag in a downstream alert-correlation step. 
Alert threshold Any RunInstances with a non-empty keyName in production — page immediately; the org's launch templates set keyName=null as policy and a non-null value is a deliberate deviation. Inbound TCP 22 flow to a production instance — page; cross-reference the source IP against corporate-egress CIDRs and against any active SSM Session Manager session in progress (Session Manager does not use port 22 so a concurrent SSH flow is high-confidence unauthorized). SSM ConnectionLost persisting for more than 15 minutes while the instance shows healthy in EC2 — high-priority ticket; the documented access path is broken and the operator must restore it before the next maintenance window. Initial response Terminate the SSH path: revoke any port-22 ingress rule on the instance's security-group, and if a key-pair is attached at launch time, remove the public key from ~/.ssh/authorized_keys via an SSM Run Command before rebooting to ensure the key does not persist in the cloud-init data. Re-attach AmazonSSMManagedInstanceCore to the instance role if the SSM agent is reporting ConnectionLost; confirm the agent reconnects by starting a Session Manager session as a smoke test. Pull VPC Flow Logs for the exposure window and enumerate every inbound port-22 flow that succeeded; open an incident per general/ir.html for any flow from outside the corporate egress CIDRs and rotate credentials reachable from the instance's IAM role. References AWS Systems Manager — Session Manager reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-work-03-ecr-scan-on-push ! HIGH DETECTIVE Enable enhanced scanning (Inspector v2 powered) on every Amazon ECR repository, set image_tag_mutability = IMMUTABLE, and gate the deployment pipeline so that any image with CRITICAL findings is blocked from production promotion (Amazon ECR User Guide — image scanning configuration (accessed 2026-05)). 
Enhanced scanning provides continuous CVE assessment, package-vulnerability detail for both OS and application-language ecosystems (npm, PyPI, RubyGems, Go modules, Maven, NuGet), and integrates findings into Amazon Inspector and Security Hub. The IMMUTABLE tag policy means an attacker who somehow lands push permission to myrepo:latest cannot overwrite an already-scanned tag with a back-doored image — the deployment pipeline pulls the same SHA256-pinned image that was scanned. The DETECTIVE typology is deliberate: scanning surfaces unsafe state, the build-pipeline gate is the PREVENTIVE pair (deployment denied on CRITICAL findings). MITIGATES: Deployment of container images with known-CVE base layers (e.g. log4j Log4Shell, Spring4Shell), images built from outdated base images that have accumulated unpatched CVEs since the last build, supply-chain attacks where a typosquatted dependency lands in the image. ATTACK VECTOR: A developer adds a new feature that pulls in transitive dependency colors at version 1.4.1 (the canonical \"colors.js sabotage\" case). The image builds, gets tagged v2024.03.15, is pushed to ECR. Without scan-on-push the image flows to production; with enhanced scanning the CRITICAL finding fires immediately, the deployment-pipeline gate refuses to promote the image, and the on-call engineer sees the finding in Security Hub. BLAST RADIUS: Per repository: every image pushed is scanned; per organisation: enhanced scanning enabled at the Inspector v2 organisation level catches every repo in every member account. Remediation — AWS CLI <code class=\"language-bash\"># Enable enhanced (Inspector v2) scanning at the registry level. aws ecr put-registry-scanning-configuration \\ --scan-type ENHANCED \\ --rules 'scanFrequency=CONTINUOUS_SCAN,repositoryFilters=[{filter=\"*\",filterType=\"WILDCARD\"}]' # Per-repository: scan-on-push + immutable tags + KMS encryption. 
aws ecr create-repository \\ --repository-name app/api \\ --image-tag-mutability IMMUTABLE \\ --image-scanning-configuration scanOnPush=true \\ --encryption-configuration encryptionType=KMS,kmsKey=arn:aws:kms:eu-west-1:111122223333:key/<id> # List images in a repo with CRITICAL findings. aws ecr describe-image-scan-findings \\ --repository-name app/api \\ --image-id imageTag=v2024.03.15 \\ --query 'imageScanFindings.findingSeverityCounts'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_ecr_registry_scanning_configuration\" \"enhanced\" { scan_type = \"ENHANCED\" rule { scan_frequency = \"CONTINUOUS_SCAN\" repository_filter { filter = \"*\" filter_type = \"WILDCARD\" } } } resource \"aws_ecr_repository\" \"app_api\" { name = \"app/api\" image_tag_mutability = \"IMMUTABLE\" image_scanning_configuration { scan_on_push = true } encryption_configuration { encryption_type = \"KMS\" kms_key = aws_kms_key.ecr.arn } } # Lifecycle policy: keep last 30 immutable tags, expire untagged after 7 days. resource \"aws_ecr_lifecycle_policy\" \"app_api\" { repository = aws_ecr_repository.app_api.name policy = jsonencode({ rules = [ { rulePriority = 1 description = \"Keep last 30 tagged images\" selection = { tagStatus = \"tagged\" tagPatternList = [\"*\"] countType = \"imageCountMoreThan\" countNumber = 30 } action = { type = \"expire\" } }, { rulePriority = 2 description = \"Expire untagged after 7 days\" selection = { tagStatus = \"untagged\" countType = \"sinceImagePushed\" countUnit = \"days\" countNumber = 7 } action = { type = \"expire\" } } ] }) }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: ECR repository with enhanced (Inspector) scan-on-push and KMS encryption. 
Parameters: RepoName: Type: String EcrKmsKeyArn: Type: String Resources: ScanOnPushRepo: Type: AWS::ECR::Repository Properties: RepositoryName: !Ref RepoName ImageScanningConfiguration: ScanOnPush: true ImageTagMutability: IMMUTABLE EncryptionConfiguration: EncryptionType: KMS KmsKey: !Ref EcrKmsKeyArn</code> Compliance mapping CIS AWS Foundations v7.0.0: (best-practices) · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: n/a · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: RA-5; SI-3; SA-11 · ISO/IEC 27001:2022: A.8.8; A.8.29 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals CloudTrail ecr:PutRegistryScanningConfiguration events where the requestParameters.scanType shifts from ENHANCED to BASIC or where the requestParameters.rules array removes the canonical scan-on-push rule for production repository name patterns. CloudTrail ecr:PutImageScanningConfiguration per-repository where requestParameters.imageScanningConfiguration.scanOnPush flips to false — silently disables scanning for one repository without touching the registry-wide configuration. Inspector finding-export volume from ECR-source findings drops to zero on a repository that historically reports findings — passive signal that scan results stopped arriving even if the configuration looks correct. 
Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.scanType, requestParameters.repositoryName, requestParameters.imageScanningConfiguration.scanOnPush, requestParameters.rules, userIdentity.arn | filter eventSource = \"ecr.amazonaws.com\" and eventName in [\"PutRegistryScanningConfiguration\",\"PutImageScanningConfiguration\"] | filter requestParameters.scanType = \"BASIC\" or requestParameters.imageScanningConfiguration.scanOnPush = false | sort @timestamp desc | limit 50</code> The CloudWatch Logs Insights query targets the two regression paths simultaneously; the scanType=BASIC case is more severe because it strips Inspector-managed CVE feeds and leaves only the older basic-scan engine. Alert threshold Any PutRegistryScanningConfiguration shifting to BASIC in production — page immediately; the registry-wide downgrade affects every repository and removes Inspector CVE coverage instantly. Per-repository scanOnPush=false change — high-priority ticket; the repository's image-push gate is now bypassed and any vulnerability scanning happens (if at all) on a delayed registry scan rather than at the push gate. Inspector finding-stream volume below 10% of trailing-7-day baseline for an ECR repository with active pushes — informational; promote to incident if the divergence persists for 24 hours and the scan configuration appears nominally correct (indicates an Inspector-side issue or service-link misconfiguration). Initial response Restore the scanning configuration with aws ecr put-registry-scanning-configuration --scan-type ENHANCED --rules file://canonical-rules.json; for per-repository overrides, re-set scanOnPush=true via put-image-scanning-configuration. Trigger a manual rescan of all images pushed during the disabled window with aws ecr start-image-scan per image-digest; this surfaces any CVE that would have blocked the push if scanning had been active. 
Open an incident via general/ir.html if any image with a Critical or High CVE was pushed during the window and has since been deployed; the corresponding workload's runtime exposure needs to be evaluated and a patched image promoted ahead of normal release cadence. References AWS ECR — image scanning reference (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-work-04-inspector-org ! HIGH DETECTIVE Enable Amazon Inspector organisation-wide with the delegated-administrator pattern, covering EC2 instances, ECR repositories, and Lambda functions; route findings into AWS Security Hub for unified triage (Amazon Inspector User Guide — EC2/ECR/Lambda scanning (accessed 2026-05)). A naming caveat that matters for accuracy in audit reports: the product is Amazon Inspector (current name; the older \"AWS Inspector\" branding is no longer correct), and the \"v2\" qualifier was dropped in 2024 — the previous \"Amazon Inspector v2\" is now simply \"Amazon Inspector\". Inspector continuously assesses EC2 (agent-based and agentless modes), ECR images (the same scanning surfaced in aws-work-03), and Lambda functions (package and code scanning). Severity HIGH DETECTIVE because Inspector surfaces unsafe state — CVEs, misconfigurations, public-network-path findings — but is not itself the preventive gate; the build-pipeline integration and the IMDSv2/SCP combination on aws-work-01 are the preventive pairs. MITIGATES: Unpatched CVEs accumulating on running EC2 instances post-deployment, drift between scanned-at-push container images and what is actually running, Lambda functions deployed with vulnerable dependencies, missing visibility into whether internet-routable instances have any of the above. ATTACK VECTOR: A team deploys an EC2 instance from a golden AMI in January. By June the AMI's base packages have accumulated CVEs (kernel, openssl, libc), but no one rebuilds or reboots. 
Inspector's continuous EC2 assessment flags the now-vulnerable instance, including a CRITICAL kernel CVE; the on-call engineer sees the finding in Security Hub and triggers the SSM Patch Manager workflow (aws-work-08) on the affected fleet. BLAST RADIUS: Per organisation: the delegated-administrator pattern means one account sees findings for every member account in the AWS Organization, eliminating the per-account blind spots that plagued earlier per-account-enabled tools. Remediation — AWS CLI <code class=\"language-bash\"># Designate the delegated administrator (from the Organizations management account). aws inspector2 enable-delegated-admin-account \\ --delegated-admin-account-id 222233334444 # From the delegated admin: enable Inspector for all member accounts, all resource types. aws inspector2 enable \\ --account-ids ALL_MEMBERS \\ --resource-types EC2 ECR LAMBDA LAMBDA_CODE # Verify status. aws inspector2 batch-get-account-status \\ --account-ids 111122223333 222233334444 \\ --query 'accounts[].[accountId,state.status]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_inspector2_delegated_admin_account\" \"security\" { account_id = var.security_account_id } resource \"aws_inspector2_organization_configuration\" \"auto_enable\" { auto_enable { ec2 = true ecr = true lambda = true lambda_code = true } } # Per-account explicit enable (member accounts). resource \"aws_inspector2_enabler\" \"member\" { for_each = toset(var.member_account_ids) account_ids = [each.value] resource_types = [\"EC2\", \"ECR\", \"LAMBDA\", \"LAMBDA_CODE\"] }</code> Remediation — CloudFormation <code class=\"language-yaml\">AWSTemplateFormatVersion: '2010-09-09' Description: Inspector v2 enablement for EC2 + ECR + Lambda scanning in the account. 
Resources: InspectorEnabler: Type: AWS::InspectorV2::Filter Properties: Name: enable-all-scan-types FilterAction: NONE FilterCriteria: Severity: - Comparison: EQUALS Value: HIGH</code> Compliance mapping CIS AWS Foundations v7.0.0: (best-practices) · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: n/a · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: RA-5; SI-4 · ISO/IEC 27001:2022: A.8.8 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals CloudTrail inspector2:Disable events where the requestParameters.resourceTypes includes EC2, ECR, or LAMBDA — turns off scanning for the corresponding resource family at the org level. CloudTrail inspector2:DisassociateMember on member accounts — peels accounts out of the org aggregation; the finding stream from those accounts stops flowing to the delegated-administrator account from that point. CloudTrail inspector2:UpdateOrganizationConfiguration where autoEnable for any resource type flips to false — leaves current coverage intact but breaks the onboarding posture for new accounts and resources. Query <code class=\"language-sql\">fields @timestamp, eventName, requestParameters.resourceTypes, requestParameters.accountIds, requestParameters.autoEnable, userIdentity.arn | filter eventSource = \"inspector2.amazonaws.com\" and eventName in [\"Disable\",\"DisassociateMember\",\"UpdateOrganizationConfiguration\",\"DeleteMember\"] | sort @timestamp desc | limit 100</code> Run the CloudWatch Logs Insights query against the delegated-administrator's CloudTrail log group; Inspector org-management events route through that account and the delegated-admin context is the canonical source of truth for org-level Inspector state. Alert threshold Any Disable affecting a resource type in production — page immediately; CVE-feed coverage stops flowing for that resource family at the moment of the disable and re-enabling triggers a full re-scan which takes hours to complete. 
DisassociateMember or DeleteMember on more than one account in a 24-hour window — page; single-account events may reflect legitimate account closures but multi-account events indicate a sweep. UpdateOrganizationConfiguration with autoEnable=false for any resource type — high-priority ticket within one business hour; the downside surfaces over weeks as new resources / accounts arrive uncovered. Initial response Re-enable scanning with aws inspector2 enable --resource-types EC2,ECR,LAMBDA --account-ids {accounts}; verify via batch-get-account-status that all three resource types report ENABLED for every member account. Restore autoEnable=true via aws inspector2 update-organization-configuration and confirm new-account enrolment by creating a sandbox test account and verifying it auto-enrolls within one hour. Open an incident via general/ir.html; for the gap-of-coverage window, manually trigger a one-shot scan via aws inspector2 enable-delegated-admin-account re-association and inventory any Critical / High findings that surface in the post-restoration sweep — these were latent during the gap. References AWS Inspector — managing multiple accounts (accessed 2026-05) Cross-provider equivalence: Azure · GCP · OCI Equivalent on: Azure · GCP · OCI aws-work-05-lambda-least-priv ! HIGH PREVENTIVE Every AWS Lambda function gets its own least-privileged execution role (no shared \"lambda-default\" role, no *:* wildcards), its function URL (where present) is configured with AuthType = AWS_IAM, its secrets are pulled at runtime from AWS Secrets Manager via KMS-encrypted references rather than baked into environment variables, and production functions carry a reserved_concurrent_executions ceiling that caps blast-radius cost during anomalous traffic (AWS Lambda Developer Guide — execution-role least privilege (accessed 2026-05)). 
The canonical secrets-management reference architecture — Secrets Manager rotation, KMS key policies, runtime fetching — is documented on the General IAM page (§secrets management), and this control intentionally cross-links rather than re-authoring per the Phase 4 canonical-content rule. Severity HIGH PREVENTIVE because Lambda functions inherit AWS-managed isolation but their execution-role permissions ARE the blast radius if the function is compromised; a function with s3:* on * is functionally an Organisation-wide read-write key in the hands of any attacker who exploits a code bug. MITIGATES: Confused-deputy abuse via over-broad Lambda execution roles; secret leakage via environment-variable dumps in error stacks or log shipping; unauthenticated invocation of internal-purpose Lambda function URLs; runaway costs when a malicious or accidental loop invokes a function unbounded. ATTACK VECTOR: A function ingests JSON from an SQS queue; a deserialisation bug lands code execution inside the function. The execution role has s3:GetObject on arn:aws:s3:::* \"because we weren't sure which buckets it would need\". The attacker enumerates every bucket the account can see and exfiltrates regulated data. With the role scoped to a single bucket prefix, blast radius is one prefix; with secrets in Secrets Manager rather than env vars, the secret fetched at runtime can be rotated and old captured values are invalidated. BLAST RADIUS: Per function: each function's blast radius equals (execution-role permissions) ∩ (Secrets Manager keys it can read) ∩ (KMS keys it can decrypt). Per-function roles keep the intersection minimal. Remediation — AWS CLI <code class=\"language-bash\"># Update an existing function to use a least-priv role and AWS_IAM URL auth. 
aws lambda update-function-configuration \\ --function-name order-processor \\ --role arn:aws:iam::111122223333:role/lambda-order-processor-role \\ --reserved-concurrent-executions 50 \\ --environment 'Variables={SECRET_ARN=arn:aws:secretsmanager:eu-west-1:111122223333:secret:db/order-xyz}' aws lambda update-function-url-config \\ --function-name order-processor \\ --auth-type AWS_IAM # Audit: list functions whose role is the legacy lambda_basic_execution role. aws lambda list-functions \\ --query 'Functions[?contains(Role,`lambda_basic_execution`)].[FunctionName,Role]' \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AWS provider ~> 5.0 # Source: AWS docs (accessed 2026-05) resource \"aws_iam_role\" \"order_processor\" { name = \"lambda-order-processor-role\" assume_role_policy = jsonencode({ Version = \"2012-10-17\" Statement = [{ Effect = \"Allow\" Action = \"sts:AssumeRole\" Principal = { Service = \"lambda.amazonaws.com\" } }] }) } # Function-scoped policy: no wildcards beyond the function's own pur"},{"id":"azure/data.html","url":"azure/data.html","title":"Azure Data Protection Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Data Protection","description":"Azure data protection hardening: Storage Account public access disabled across all four toggles, CMK via Key Vault, Disk Encryption Sets, SQL TDE BYOK, Key Vault RBAC, key auto-rotation, Microsoft Purview, immutable blob storage.","body":"Azure Data Protection Hardening Overview This page covers Microsoft Azure data-at-rest hardening across the surfaces that decide whether an attacker who reaches a tenant — through a stolen SAS token, a leaked service-principal secret, a compromised workstation that holds an active az login session, or a confused-deputy chain through a poorly-scoped Storage Account firewall — can actually read, modify, or destroy regulated data. 
Scope is the Azure commercial regions; Azure Government and Azure operated by 21Vianet (China) inherit the same controls but expose a different regional Key Vault endpoint suffix, a different Microsoft Entra ID (formerly Azure Active Directory) tenant topology, and FIPS-validated HSM SKUs that differ from the commercial Premium tier — re-verify region-table caveats, the Key Vault DNS suffix, and CMK key-source URIs before applying any of the IaC below to a sovereign cloud. CIS sub-IDs and NIST / ISO mappings throughout this page reference the commercial Microsoft Azure Foundations Benchmark v3.0.0 (Feb 2025) unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The Azure data plane is the product of Storage Accounts (the blob/file/queue/table container with its own firewall, identity model, and four independent public-access toggles — covered in detail at azure-data-01), Managed Disks (encrypted at rest by platform-managed keys by default; CMK-at-host via a Disk Encryption Set is the upgrade path for regulated workloads), Azure SQL Database (TDE enabled by default with a service-managed key; BYOK via Key Vault is the upgrade path), Cosmos DB (TDE always-on with platform-managed keys; CMK via Key Vault optional), and Microsoft Purview (the Data Map + Data Catalog scanning service that classifies sensitive content). The cryptographic root for everything regulated is Azure Key Vault — the single PaaS service whose compromise unwinds the encryption guarantees of every CMK-backed resource downstream, and therefore the single PaaS service whose access model must be hardest. 
The cross-cutting principles — encryption at rest, key management, data classification, data loss prevention, and retention, backup & recovery — are owned by the General Data Protection page; this page maps them to Azure primitives. Encryption in transit lives canonically at General Network — encryption in transit and is not re-authored here (Phase 4 canonical-content rule); the Azure network specifics — Storage Account min_tls_version = \"TLS1_2\", SQL minimum_tls_version = \"1.2\", Front Door TLS termination policy — are covered alongside the Azure network surface at Azure Network Hardening. Three anti-conflation callouts up front. First: Storage Account public access is not one toggle — it is four independent toggles and all four must close. public_network_access_enabled (account-level firewall on or off), allow_blob_public_access (anonymous container/blob access permitted at all), allow_nested_items_to_be_public (containers may be set to anonymous-read even if the account allows it), and network_rules.default_action (default-Allow vs default-Deny when the firewall is on). Setting only the first leaves anonymous blob access on for containers that already have it; setting only the second leaves the public Storage endpoint reachable from any internet host that can present a SAS or account key. The canonical hardened posture closes all four — and that is what azure-data-01 enforces. Second: Key Vault has two access-control modes — RBAC and legacy access policies — and the entire industry has converged on RBAC. Access policies pre-date Azure RBAC and have known security gaps: no Microsoft Entra Privileged Identity Management integration, no fine-grained data-plane role separation (the access-policy permissions enum is coarser than the RBAC built-in roles), and harder lifecycle management at scale. Microsoft now recommends RBAC; the Key Vault ARM API version 2026-02-01+ makes RBAC the default for new vaults (enable_rbac_authorization = true). 
The control at azure-data-05 codifies this posture and frames access policies only as legacy. Third: The CMK chain across Storage, Managed Disks, and Azure SQL is one cryptographic relationship, not three. Storage encryption (CMK via Key Vault key URI), Managed Disk CMK-at-host (CMK via Disk Encryption Set referencing the same Key Vault key), and SQL TDE BYOK (Server Key Type = AzureKeyVault, referencing the same Key Vault key) all root in the same Key Vault. If the vault is compromised, all three are compromised together. This is why azure-data-05 (RBAC) and azure-data-06 (rotation) are not \"Key Vault controls\" — they are the gating controls for every CMK-backed resource on the page. Order and scope matter. Control 01 is the foundational public-access invariant enforced subscription-wide via Azure Policy assigned at the root management group: every Storage Account closes all four toggles. Controls 02–04 build the CMK chain across the three highest-value regulated data resources (Storage, Managed Disks, SQL). Control 05 is the Key Vault hardening that makes the CMK chain trustworthy; control 06 bounds compromise windows via auto-rotation; control 07 surfaces classification of sensitive data via Microsoft Purview so the controls above can be prioritised; control 08 closes the immutability loop with locked retention policies on regulated containers. Subscription and management-group scope: Azure Policy at the root management group enforces tenant-wide invariants (deny Storage Account creation with public network access on, deny Key Vault creation without RBAC, deny Managed Disk creation without a Disk Encryption Set, require Defender for SQL on every SQL Server) and is the single most important lever for keeping the controls below from drifting out of compliance once dozens of subscriptions and hundreds of resource groups exist. azure-data-01-storage-public-disabled ! 
CRITICAL PREVENTIVE Every Storage Account in every subscription closes all four independent public-access toggles: public_network_access_enabled = false (account firewall on), allow_blob_public_access = false (anonymous container/blob access prohibited account-wide), allow_nested_items_to_be_public = false (no container may be configured for anonymous read even if the account allowed it), and network_rules { default_action = \"Deny\" } (the firewall denies by default and only the listed VNets / IP ranges / Private Endpoints punch through). Enforce subscription-wide via Azure Policy assigned at the root management group; do not rely on per-account diligence (Microsoft Learn — Storage Account network security (accessed 2026-05)). The principle is reinforced in General Data — encryption at rest and General Network — private connectivity: a Storage Account reachable from the public internet is a Storage Account whose access depends entirely on whoever holds a valid SAS or account key. CRITICAL because misconfiguration is a single toggle away from anonymous blob enumeration — the canonical Azure data-leak pattern, mirrored on AWS as the open-S3-bucket story and on GCP as the world-readable bucket story. This is the highest-leverage Storage Account hardening Azure exposes; the IaC block below is the canonical pattern to copy across every regulated account. MITIGATES: Anonymous blob enumeration; SAS-token / account-key replay from arbitrary internet hosts; cross-tenant pivots where an attacker who acquired a key (via phishing, leaked CI secret, or supply-chain compromise) needs no corporate network path to reach the data plane; misconfigured legacy containers that were public-by-default years ago. 
ATTACK VECTOR: An engineer creates a Storage Account from the portal with default network settings — the account ends up reachable from any internet host on <name>.blob.core.windows.net, and any container configured for anonymous-read is browsable by name guess or directory-listing probe. A second failure mode: an attacker phishes a developer's GitHub PAT, pulls the team's IaC repo, finds a Storage account key in a stale CI variable, and uses that key from a residential IP — no corporate VPN required because public_network_access_enabled = true is the default. With all four toggles closed and default-Deny on the firewall, even a valid key still requires a network path through a Private Endpoint in a peered VNet — narrowing the attack surface to compromised insider workstations on the corporate network. BLAST RADIUS: Per Storage Account: every blob, file, queue, and table inside the account; every SAS the account has ever issued; every shared-key request from anywhere on the internet. The Azure Policy assignment at root management group flips the default for every future Storage Account in the tenant as well. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Close all four public-access toggles on an existing Storage Account. az storage account update \\ --resource-group rg-data-prod-westeu \\ --name stappprodwesteu001 \\ --public-network-access Disabled \\ --allow-blob-public-access false \\ --default-action Deny \\ --bypass AzureServices \\ --min-tls-version TLS1_2 # allow_nested_items_to_be_public is the ARM-level alias for allowBlobPublicAccess # at account scope; the per-container public-access setting is set on the container # (it cannot be set true if the account-level toggle is false — defense in depth). az storage container set-permission \\ --account-name stappprodwesteu001 \\ --name regulated-data \\ --public-access off \\ --auth-mode login # Add a Private Endpoint subnet to the network ACL allow-list. 
az storage account network-rule add \\ --resource-group rg-data-prod-westeu \\ --account-name stappprodwesteu001 \\ --vnet-name vnet-app-prod-westeu \\ --subnet snet-pe-data # Audit: list every Storage Account in the tenant that still allows public access # (any of the four toggles open). for sub in $(az account list --query '[].id' -o tsv); do az storage account list --subscription \"$sub\" \\ --query \"[?publicNetworkAccess=='Enabled' || allowBlobPublicAccess==\\`true\\`].{sub:'$sub', name:name, rg:resourceGroup, pna:publicNetworkAccess, abpa:allowBlobPublicAccess, default:networkRuleSet.defaultAction}\" \\ -o tsv done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_storage_account\" \"app\" { name = \"stappprodwesteu001\" resource_group_name = azurerm_resource_group.data.name location = azurerm_resource_group.data.location account_tier = \"Standard\" account_replication_type = \"ZRS\" min_tls_version = \"TLS1_2\" # The four independent public-access toggles — all must close. public_network_access_enabled = false allow_nested_items_to_be_public = false shared_access_key_enabled = false # force Entra ID auth where the SDK supports it network_rules { default_action = \"Deny\" # toggle #4 — firewall default-Deny bypass = [\"AzureServices\"] virtual_network_subnet_ids = [azurerm_subnet.pe_data.id] ip_rules = [] # no internet IP allow-list on regulated accounts } # CMK encryption block — paired with azure-data-02 below. identity { type = \"SystemAssigned\" } tags = { tier = \"regulated\", \"data-class\" = \"confidential\" } } # Root-management-group initiative: deny Storage Account creation with public network access on. 
resource \"azurerm_management_group_policy_assignment\" \"deny_storage_public\" { name = \"deny-storage-public-network-access\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.deny_storage_public_initiative_id description = \"Storage Accounts must have public_network_access_enabled=false AND allow_blob_public_access=false AND default_action=Deny\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Hardened-by-default storage account (3-24 lowercase alphanumeric).') @minLength(3) @maxLength(24) param storageName string param location string = resourceGroup().location resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' = { name: storageName location: location kind: 'StorageV2' sku: { name: 'Standard_GRS' } properties: { supportsHttpsTrafficOnly: true minimumTlsVersion: 'TLS1_2' allowBlobPublicAccess: false publicNetworkAccess: 'Disabled' allowSharedKeyAccess: false networkAcls: { defaultAction: 'Deny' bypass: 'AzureServices' } } } output storageId string = storage.id </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as storage from \"@pulumi/azure-native/storage\"; import * as resources from \"@pulumi/azure-native/resources\"; const rg = new resources.ResourceGroup(\"data-rg\"); new storage.StorageAccount(\"hardened\", { resourceGroupName: rg.name, kind: storage.Kind.StorageV2, sku: { name: storage.SkuName.Standard_GRS }, enableHttpsTrafficOnly: true, minimumTlsVersion: storage.MinimumTlsVersion.TLS1_2, allowBlobPublicAccess: false, publicNetworkAccess: \"Disabled\", allowSharedKeyAccess: false, networkRuleSet: { defaultAction: storage.DefaultAction.Deny, bypass: \"AzureServices\", }, }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 
27001:2022 ISO/IEC 27017:2015 n/a | 3.7 | n/a | n/a | AC-3; AC-6; SC-7 | A.5.10; A.8.3 | CLD.9.5.1 Log signals AzureActivity Microsoft.Storage/storageAccounts/write where the request body sets allowBlobPublicAccess = true on an account whose tag set marks it production. AzureActivity Microsoft.Storage/storageAccounts/blobServices/containers/write setting publicAccess = \"Container\" or \"Blob\" on a container of an account whose baseline is private-only. StorageBlobLogs anonymous-read events (AuthenticationType = \"Anonymous\") immediately after either of the above — downstream confirmation the regression took effect. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Storage/storageAccounts/write\", \"Microsoft.Storage/storageAccounts/blobServices/containers/write\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"allowBlobPublicAccess\\\":true\" or body has \"\\\"publicAccess\\\":\\\"Container\\\"\" or body has \"\\\"publicAccess\\\":\\\"Blob\\\"\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics; persist as a Sentinel analytics rule with severity High. The S3-bucket-public regression equivalent in Azure is one of the highest-impact data-plane control failures and warrants automated rollback. Alert threshold Account-level allowBlobPublicAccess flip to true on a production-tagged account — page on first occurrence. Container-level publicAccess flip on any container in an account whose baseline is private — page; the resource provider permits both account-level lockdown and per-container override. Initial response Reapply allowBlobPublicAccess=false at the account level via az storage account update; flip the container publicAccess back to None; capture the AzureActivity Caller and timestamp as the rollback ledger. 
Walk StorageBlobLogs for the exposure window — every anonymous GetBlob against the affected container is a candidate exfiltration event and warrants object-level inventory diffing against the catalog. Escalate per general/ir.html — confirm the Azure Policy Storage account public access should be disallowed initiative is assigned in deny mode at the management-group root. References Microsoft Learn — prevent anonymous public read access to blobs (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-data-02-cmk-keyvault ! HIGH PREVENTIVE Regulated Storage Accounts, Managed Disks, and Azure SQL databases use a customer-managed key (CMK) hosted in Azure Key Vault, with auto-rotation enabled on the key, soft-delete enabled on the vault, and purge-protection enabled so a malicious or accidental delete cannot vapourise the keying material (Microsoft Learn — Storage encryption with customer-managed keys (accessed 2026-05)). For high-sensitivity workloads, use an HSM-backed key (kty = \"RSA-HSM\") in the Premium SKU vault, which holds the key material in an HSM that is FIPS 140-3 Level 3 validated and from which the private key cannot be exported in cleartext. The principle is reinforced in General Data — key management. Anti-conflation: Storage encryption is always on at the platform level with Microsoft-managed keys; CMK is the upgrade that puts the organisation's Key Vault on the cryptographic-erase path (revoke the key → Storage can no longer read the data, even though Microsoft still operates the storage hardware). HIGH PREVENTIVE because CMK reduces the trust boundary from \"Microsoft's key management\" to \"the organisation's Key Vault posture\" — which is only an improvement if the controls in azure-data-05 and azure-data-06 hold. 
MITIGATES: Insider-Microsoft access to plaintext data via the platform key (theoretically excluded by Microsoft's operational controls but not cryptographically prevented absent CMK); inability to perform cryptographic erasure on demand (subject access requests, legal hold release, contractual obligations); regulatory pressure that requires customer-controlled keys for specific data classes (GDPR Article 32 in some interpretations, HIPAA encryption guidance, PCI DSS 4.0 §3.6). ATTACK VECTOR: A contractual breach or regulatory finding requires the organisation to demonstrate it can render specific historic data permanently unreadable. With platform-managed keys, the only path is to delete the data and rely on Microsoft's erasure SLAs. With CMK and the key in a Key Vault the organisation controls, the organisation revokes the key version, the Storage Account's reads start failing with HTTP 409, and forensic recovery of the ciphertext (even from backup tape) yields nothing because the key is gone. Separately: a Storage Account's cryptographic posture is only as strong as the Key Vault posture upstream of it — which is why azure-data-05 exists. BLAST RADIUS: Per resource: each Storage Account / Managed Disk / SQL database references one key version; rotating the key version on a Key Vault key (manually or via auto-rotation policy) re-encrypts the data encryption key (DEK) on next access while leaving stored ciphertext intact. Revoking the key version breaks reads cleanly and reversibly while the key version remains soft-deleted, irrecoverably after purge. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Create an HSM-backed CMK in a Premium Key Vault (azure-data-05 covers vault setup). az keyvault key create \\ --vault-name kv-app-prod-westeu \\ --name cmk-storage-app-prod \\ --kty RSA-HSM \\ --size 4096 \\ --ops decrypt encrypt sign verify wrapKey unwrapKey # Wire the Storage Account to the CMK via the Storage system-assigned managed identity. 
STORAGE_MI_PRINCIPAL=$(az storage account show \\ --resource-group rg-data-prod-westeu \\ --name stappprodwesteu001 --query identity.principalId -o tsv) # Grant the Storage MI the data-plane RBAC role on the vault key. az role assignment create \\ --role \"Key Vault Crypto Service Encryption User\" \\ --assignee \"$STORAGE_MI_PRINCIPAL\" \\ --scope $(az keyvault show --name kv-app-prod-westeu --query id -o tsv) # Point the Storage Account at the vault URI and key name; no key version is pinned, so the latest version is used. VAULT_URI=$(az keyvault show --name kv-app-prod-westeu --query properties.vaultUri -o tsv) az storage account update \\ --resource-group rg-data-prod-westeu \\ --name stappprodwesteu001 \\ --encryption-key-source Microsoft.Keyvault \\ --encryption-key-vault \"$VAULT_URI\" \\ --encryption-key-name cmk-storage-app-prod</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_key_vault_key\" \"cmk_storage\" { name = \"cmk-storage-app-prod\" key_vault_id = azurerm_key_vault.app.id key_type = \"RSA-HSM\" key_size = 4096 key_opts = [\"decrypt\", \"encrypt\", \"sign\", \"verify\", \"wrapKey\", \"unwrapKey\"] rotation_policy { automatic { time_before_expiry = \"P30D\" } expire_after = \"P365D\" notify_before_expiry = \"P30D\" } } # Storage Account MI gets Key Vault Crypto Service Encryption User on the vault key. resource \"azurerm_role_assignment\" \"storage_mi_kv\" { scope = azurerm_key_vault.app.id role_definition_name = \"Key Vault Crypto Service Encryption User\" principal_id = azurerm_storage_account.app.identity[0].principal_id } # Wire the Storage Account encryption to the CMK. 
resource \"azurerm_storage_account_customer_managed_key\" \"app\" { storage_account_id = azurerm_storage_account.app.id key_vault_id = azurerm_key_vault.app.id key_name = azurerm_key_vault_key.cmk_storage.name # key_version omitted = auto-rotate to latest version }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Storage account using CMK from Key Vault.') param storageName string @description('Key Vault URI hosting the CMK.') param keyVaultUri string @description('Key name in the vault.') param keyName string @description('User-assigned identity with Key Vault Crypto Service Encryption User on the vault.') param identityResourceId string param location string = resourceGroup().location resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' = { name: storageName location: location kind: 'StorageV2' sku: { name: 'Standard_GRS' } identity: { type: 'UserAssigned' userAssignedIdentities: { '${identityResourceId}': {} } } properties: { encryption: { keySource: 'Microsoft.Keyvault' keyvaultproperties: { keyvaulturi: keyVaultUri keyname: keyName } identity: { userAssignedIdentity: identityResourceId } } minimumTlsVersion: 'TLS1_2' supportsHttpsTrafficOnly: true } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a | 3.x; 4.x; 8.x | n/a | n/a | SC-13; SC-28 | A.8.24; A.5.34 | n/a Log signals AzureActivity Microsoft.Storage/storageAccounts/write where encryption.keySource flips from Microsoft.Keyvault back to Microsoft.Storage — disarms the CMK envelope. AzureActivity Microsoft.KeyVault/vaults/write where enableSoftDelete or enablePurgeProtection is removed on a vault holding a CMK referenced by storage accounts. 
AzureDiagnostics Category AuditEvent on the Key Vault showing operationName = \"KeyDelete\" on a key referenced as the CMK — downstream coverage failure even if the storage account flag did not change. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Storage/storageAccounts/write\", \"Microsoft.KeyVault/vaults/write\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"keySource\\\":\\\"Microsoft.Storage\\\"\" or body has \"\\\"enableSoftDelete\\\":false\" or body has \"\\\"enablePurgeProtection\\\":false\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. CMK regressions are rare and intentional; persist as a Sentinel analytics rule with severity High and require an attached governance ticket reference. Alert threshold Storage keySource flip back to Microsoft.Storage on a production account — page immediately. Key Vault enablePurgeProtection removal on a vault holding a CMK — page; restoration after a malicious key delete is no longer guaranteed. Initial response Reapply CMK encryption via az storage account update --encryption-key-source Microsoft.Keyvault; verify the next AzureDiagnostics AuditEvent batch on the Key Vault shows the storage identity issuing a successful wrap operation. If a key was deleted, attempt soft-delete recovery via az keyvault key recover; reissue all affected data-plane operations only after the recovery is confirmed. Escalate per general/ir.html — confirm Azure Policy Storage accounts should use customer-managed key for encryption remains assigned in deny mode and that the Key Vault firewall still admits the storage account identity. References Microsoft Learn — customer-managed keys for storage encryption (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-data-03-disk-encryption-set ! 
HIGH PREVENTIVE Managed Disks attached to VMs and VM scale sets that host regulated data are encrypted at host via a Disk Encryption Set (DES) that references a Key Vault CMK; for the highest-sensitivity tier, use EncryptionAtRestWithPlatformAndCustomerKeys (double-encryption: platform key plus customer key) (Microsoft Learn — Managed Disk encryption overview (accessed 2026-05)). The DES has its own system-assigned managed identity which must be granted the Key Vault Crypto Service Encryption User RBAC role on the vault key — this is the binding between the disk encryption pipeline and the customer's key custody. Anti-conflation: encryption at host (the topic of this control) encrypts the data on the Azure compute hypervisor before it is written to the storage cluster; Azure Disk Encryption (ADE) is the legacy in-guest BitLocker/DM-Crypt pattern that runs inside the VM — ADE is still supported but encryption-at-host via DES is the current recommended architecture (lower operational cost, no guest-side key handling, compatible with all VM SKUs and OSes). HIGH PREVENTIVE because the disk layer is where stolen-VHD or stolen-snapshot attacks land — and a snapshot exported from a CMK-encrypted disk is unreadable without the vault key, while a snapshot from a platform-managed-key disk is readable by anyone with sufficient Azure RBAC. MITIGATES: Stolen-snapshot exfiltration (an attacker with sufficient Azure RBAC exports a managed disk snapshot to a Storage Account they control); platform-side compromise scenarios (theoretical, but contractually required for some regulated workloads); inability to perform cryptographic erasure on a per-disk basis when a VM is decommissioned. ATTACK VECTOR: An attacker compromises an over-privileged Contributor identity (or an SP that should have had Reader). They snapshot a database VM's data disk via az snapshot create, then export the snapshot URL with a SAS to a Storage Account in a tenant they own. 
With platform-managed keys, the snapshot is cryptographically self-contained — the attacker reads it from their own subscription. With a DES referencing a Key Vault CMK, the snapshot data is still encrypted with the customer's DEK chain — the attacker has ciphertext only, and Key Vault audit logs show no key access from the attacker's tenant. The remediation also makes defensive snapshot copy (forensics, see Azure IR) safe to ship cross-subscription because the disk content remains protected by the customer's key. BLAST RADIUS: Per disk: each Managed Disk references zero or one DES at create time; switching a disk's DES is a re-encryption operation. The DES applies to the OS disk and every data disk attached to VMs/VMSS that use it; revoking the DES managed identity's role assignment on the vault key breaks reads cleanly for every disk under the DES. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Create the Disk Encryption Set bound to a Key Vault CMK. KEY_URI=$(az keyvault key show \\ --vault-name kv-app-prod-westeu \\ --name cmk-disks-app-prod \\ --query 'key.kid' -o tsv) az disk-encryption-set create \\ --resource-group rg-compute-prod-westeu \\ --name des-app-prod \\ --key-url \"$KEY_URI\" \\ --source-vault $(az keyvault show --name kv-app-prod-westeu --query id -o tsv) \\ --encryption-type EncryptionAtRestWithCustomerKey \\ --location westeurope # Grant the DES MI the data-plane role on the vault. DES_MI=$(az disk-encryption-set show \\ --resource-group rg-compute-prod-westeu \\ --name des-app-prod --query identity.principalId -o tsv) az role assignment create \\ --role \"Key Vault Crypto Service Encryption User\" \\ --assignee \"$DES_MI\" \\ --scope $(az keyvault show --name kv-app-prod-westeu --query id -o tsv) # Audit: list every managed disk in the tenant that is NOT attached to a DES. 
for sub in $(az account list --query '[].id' -o tsv); do az disk list --subscription \"$sub\" \\ --query \"[?encryption.diskEncryptionSetId==null].{sub:'$sub', name:name, rg:resourceGroup, size:diskSizeGB}\" \\ -o tsv done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_disk_encryption_set\" \"app\" { name = \"des-app-prod\" resource_group_name = azurerm_resource_group.compute.name location = azurerm_resource_group.compute.location key_vault_key_id = azurerm_key_vault_key.cmk_disks.versionless_id encryption_type = \"EncryptionAtRestWithCustomerKey\" identity { type = \"SystemAssigned\" } } # DES managed identity gets the data-plane role on the vault key. resource \"azurerm_role_assignment\" \"des_mi_kv\" { scope = azurerm_key_vault.app.id role_definition_name = \"Key Vault Crypto Service Encryption User\" principal_id = azurerm_disk_encryption_set.app.identity[0].principal_id } # VM data disk attached via the DES. 
resource \"azurerm_managed_disk\" \"data\" { name = \"disk-app-data-prod-001\" resource_group_name = azurerm_resource_group.compute.name location = azurerm_resource_group.compute.location storage_account_type = \"Premium_LRS\" create_option = \"Empty\" disk_size_gb = 1024 disk_encryption_set_id = azurerm_disk_encryption_set.app.id }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Disk Encryption Set name.') param desName string @description('Key Vault key URI (versionless).') param keyUrl string @description('Key Vault resource ID.') param vaultResourceId string param location string = resourceGroup().location resource des 'Microsoft.Compute/diskEncryptionSets@2024-03-02' = { name: desName location: location identity: { type: 'SystemAssigned' } properties: { encryptionType: 'EncryptionAtRestWithCustomerKey' rotationToLatestKeyVersionEnabled: true activeKey: { sourceVault: { id: vaultResourceId } keyUrl: keyUrl } } } output desId string = des.id </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a | 7.x (verify) | n/a | n/a | SC-28; SC-13 | A.8.24 | n/a Log signals AzureActivity Microsoft.Compute/disks/write creating a managed disk without an encryption.diskEncryptionSetId reference — defaults to platform-managed key path on a workload that should be CMK-enveloped. AzureActivity Microsoft.Compute/diskEncryptionSets/delete on a DES referenced by production disks — downstream re-wrap operations on those disks will fail. AzureActivity Microsoft.Compute/diskEncryptionSets/write editing the activeKey to point at a Key Vault key outside the documented per-environment vault. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Compute/disks/write\", \"Microsoft.Compute/diskEncryptionSets/write\", \"Microsoft.Compute/diskEncryptionSets/delete\") | extend body = tostring(parse_json(Properties).requestbody) | where OperationNameValue endswith \"diskEncryptionSets/delete\" or (OperationNameValue endswith \"/disks/write\" and not(body has \"diskEncryptionSetId\")) | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Disk creation without a DES reference is the most common silent CMK-bypass; pair with an Azure Resource Graph daily reconciliation that lists all disks without an encryption.diskEncryptionSet property. Alert threshold Production disk created without a DES reference — page on first occurrence. DES delete on a set referenced by any disk — page; existing disks survive the delete event but rewrap operations will fail. Initial response Rewrap the disk via az disk update --disk-encryption-set {desId}; confirm the disk's encryption.type property updates to EncryptionAtRestWithCustomerKey. If a DES was deleted, reinstantiate it from the IaC source with the original Key Vault key reference; re-attach to all affected disks within the same maintenance window. Escalate per general/ir.html — confirm the Azure Policy Managed disks should be double encrypted with both platform-managed and customer-managed keys remains assigned at the management-group root. References Microsoft Learn — server-side encryption of managed disks (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-data-04-sql-tde-cmk ! 
HIGH PREVENTIVE Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse SQL pools use Transparent Data Encryption (TDE) with a customer-managed key (BYOK from Key Vault) rather than the service-managed TDE certificate; SQL auditing is routed to the centralised Log Analytics workspace (LAW) referenced from Azure Logging; the Microsoft Defender for SQL plan is enabled on the server (advanced threat protection, SQL vulnerability assessment, anomalous-access detection) (Microsoft Learn — SQL TDE with BYOK overview (accessed 2026-05)). The server's system-assigned managed identity is granted the Key Vault Crypto Service Encryption User RBAC role on the vault key — the same binding pattern as Storage and Disk Encryption Set. Anti-conflation: TDE encrypts the database files on disk; it is not the same as Always Encrypted (which encrypts specific columns end-to-end with a key the database engine never sees), and it is not the same as TLS in transit (covered canonically at General Network — encryption in transit and enforced on Azure SQL via minimum_tls_version = \"1.2\"). HIGH PREVENTIVE because TDE BYOK gives the organisation the cryptographic-erase lever for an entire database, and Defender for SQL surfaces the most common SQL data-exfiltration patterns (anomalous query exfiltration volumes, login from unfamiliar geographies, vulnerability scanner output of weak DB-level permissions). MITIGATES: Stolen-backup exfiltration (a SQL .bak exported to a malicious destination is still ciphertext without the vault key); insider-Microsoft access to plaintext on the underlying storage; missed SQL injection / credential theft that surfaces in Defender for SQL's anomalous-access alerts; weak DB-level permissions that Defender for SQL's vulnerability assessment surfaces. 
ATTACK VECTOR: An attacker exploits a SQL injection in an application layer that runs the queries under a least-privilege but data-readable identity, and begins draining the customer-PII table in pages of 10000 rows. With Defender for SQL enabled, the anomalous-query alert (volume + table sensitivity + off-hours timing) fires within minutes and propagates to Microsoft Sentinel via the LAW. With TDE BYOK, even if the attacker pivots to exporting a backup, the backup is ciphertext rooted in a Key Vault the application identity cannot touch. The combined posture buys the IR team time and limits the data-at-rest blast radius. BLAST RADIUS: Per SQL server / managed instance: TDE BYOK is configured at server scope and applies to every database underneath. Defender for SQL is licensed per server (or via the subscription-wide Defender for SQL plan). Auditing destinations are configured at server scope. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Enable system-assigned managed identity on the SQL server. az sql server update \\ --resource-group rg-data-prod-westeu \\ --name sql-app-prod-westeu \\ --identity-type SystemAssigned # Grant the SQL server MI the data-plane role on the vault key. SQL_MI=$(az sql server show \\ --resource-group rg-data-prod-westeu \\ --name sql-app-prod-westeu --query identity.principalId -o tsv) az role assignment create \\ --role \"Key Vault Crypto Service Encryption User\" \\ --assignee \"$SQL_MI\" \\ --scope $(az keyvault show --name kv-app-prod-westeu --query id -o tsv) # Set the TDE key to a Key Vault CMK. 
KEY_URI=$(az keyvault key show \\ --vault-name kv-app-prod-westeu \\ --name cmk-sql-app-prod --query 'key.kid' -o tsv) az sql server key create \\ --resource-group rg-data-prod-westeu \\ --server sql-app-prod-westeu \\ --kid \"$KEY_URI\" az sql server tde-key set \\ --resource-group rg-data-prod-westeu \\ --server sql-app-prod-westeu \\ --server-key-type AzureKeyVault \\ --kid \"$KEY_URI\" # Enable the Microsoft Defender for SQL plan (Standard tier) at subscription scope. az security pricing create --name SqlServers --tier Standard # Route SQL audit to the central Log Analytics workspace. az sql server audit-policy update \\ --resource-group rg-data-prod-westeu \\ --name sql-app-prod-westeu \\ --state Enabled \\ --log-analytics-target-state Enabled \\ --log-analytics-workspace-resource-id $(az monitor log-analytics workspace show --resource-group rg-sec-prod --workspace-name law-sec-prod --query id -o tsv)</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_mssql_server\" \"app\" { name = \"sql-app-prod-westeu\" resource_group_name = azurerm_resource_group.data.name location = azurerm_resource_group.data.location version = \"12.0\" administrator_login = \"sqladmin\" # rotated to Entra-only admin; password vaulted administrator_login_password = var.sql_admin_password minimum_tls_version = \"1.2\" public_network_access_enabled = false identity { type = \"SystemAssigned\" } azuread_administrator { login_username = \"sql-admins-prod\" object_id = azuread_group.sql_admins.object_id } } resource \"azurerm_role_assignment\" \"sql_mi_kv\" { scope = azurerm_key_vault.app.id role_definition_name = \"Key Vault Crypto Service Encryption User\" principal_id = azurerm_mssql_server.app.identity[0].principal_id } resource \"azurerm_mssql_server_transparent_data_encryption\" \"app\" { server_id = azurerm_mssql_server.app.id 
key_vaul"},{"id":"azure/genai.html","url":"azure/genai.html","title":"Azure OpenAI Service Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure GenAI","description":"Azure OpenAI Service security hardening: Entra ID auth, content filters, Prompt Shields, private endpoints, RBAC, diagnostic logging, CMK, quota limits, and abuse monitoring.","body":"Azure OpenAI Service Hardening Overview This page covers the Azure OpenAI Service API (also surfaced as \"Azure OpenAI in Azure AI Foundry Models\" in the portal). The Foundry developer portal experience is not in scope — this page addresses the API service authentication, content safety, network, and observability controls. API version referenced in examples: api-version=2024-10-01. For the underlying threat model and cross-cutting principles that apply to all managed LLM API services, see General GenAI Hardening. Key infrastructure prerequisites are covered on sibling pages: azure-iam-06 — managed identity, azure-net-04 — private endpoint pattern, and Azure Logging (diagnostic settings pattern). Controls are ordered severity-descending: two CRITICAL controls (authentication and prompt injection defence) appear first, followed by five HIGH controls, then two MEDIUM controls. Equivalence links to AWS Bedrock, GCP Vertex AI, and OCI Generative AI will be added in Phase 14 when those pages are authored. azure-genai-01-entra-id-auth-disable-keys ! CRITICAL PREVENTIVE Enforce Entra ID (managed identity) authentication and disable local API key authentication via disableLocalAuth: true. API keys are long-lived credentials susceptible to leakage in code repositories, CI pipelines, and application logs. Disabling them forces all callers to present an Entra ID token — enabling full caller attribution in audit logs, per-identity token rate-limiting, and Conditional Access enforcement. See azure-iam-06 — managed identity for the prerequisite managed-identity setup. 
MITIGATES: Credential theft via committed API key (GitHub/Azure DevOps secret scanning bypass, hardcoded key in application config, key leaked in log output). ATTACK VECTOR: Attacker finds an Azure OpenAI key in source repository or application configuration file, makes unlimited inference calls or exfiltrates conversation history. Token-based rate-limit enforcement is bypassed by direct key usage, so abuse can exhaust quota without triggering per-identity controls. BLAST RADIUS: All models and deployments on the resource; any application sharing the same key loses isolation. Without Entra ID tokens, there is no per-caller attribution in audit logs and no ability to revoke individual caller access without rotating the key for all callers simultaneously. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Audit: find Azure OpenAI resources with local auth enabled az cognitiveservices account list \\ --query \"[?kind=='OpenAI' && properties.disableLocalAuth!=true].{name:name, rg:resourceGroup}\" \\ --output table # Remediate: disable local API key authentication az cognitiveservices account update \\ --name \"${AOAI_ACCOUNT}\" \\ --resource-group \"${RG}\" \\ --custom-domain \"${AOAI_ACCOUNT}\" \\ --api-properties '{\"DisableLocalAuth\": true}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 resource \"azurerm_cognitive_account\" \"aoai\" { name = var.account_name location = var.location resource_group_name = var.resource_group_name kind = \"OpenAI\" sku_name = \"S0\" local_auth_enabled = false identity { type = \"SystemAssigned\" } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account name.') param accountName string param location string = resourceGroup().location resource aoai 'Microsoft.CognitiveServices/accounts@2024-10-01' = { name: accountName location: location kind: 'OpenAI' sku: { name: 'S0' } identity: { type: 
'SystemAssigned' } properties: { customSubDomainName: accountName disableLocalAuth: true // Entra ID only — disables shared keys publicNetworkAccess: 'Disabled' networkAcls: { defaultAction: 'Deny' } } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as cs from \"@pulumi/azure-native/cognitiveservices\"; import * as resources from \"@pulumi/azure-native/resources\"; const rg = new resources.ResourceGroup(\"aoai-rg\"); new cs.Account(\"aoai\", { resourceGroupName: rg.name, kind: \"OpenAI\", sku: { name: \"S0\" }, identity: { type: cs.ResourceIdentityType.SystemAssigned }, properties: { customSubDomainName: \"aoai-hardened\", disableLocalAuth: true, // Entra ID only — disables shared keys publicNetworkAccess: \"Disabled\", networkAcls: { defaultAction: \"Deny\" }, }, }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) IA-2; IA-3; AC-17 A.5.17; A.8.5 CLD.6.3.1 LLM06:2025 Information Security Art. 55 (in force 2025-08-02) Log signals AzureActivity Microsoft.CognitiveServices/accounts/write where the request body sets properties.disableLocalAuth = false — re-enables the long-lived API-key auth path on an Azure OpenAI account. AzureActivity Microsoft.CognitiveServices/accounts/regenerateKey/action issued from a principal outside the documented operator group — key-issuance event without a matching ticket. AzureDiagnostics ResourceProvider = \"MICROSOFT.COGNITIVESERVICES\" Category Audit showing authMethod = \"ApiKey\" on completions calls — runtime regression even when the account flag did not change. 
Query <code class=\"language-sql\">AzureActivity | where ResourceId has \"Microsoft.CognitiveServices/accounts\" | where OperationNameValue in (\"Microsoft.CognitiveServices/accounts/write\", \"Microsoft.CognitiveServices/accounts/regenerateKey/action\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"disableLocalAuth\\\":false\" or OperationNameValue endswith \"/regenerateKey/action\" | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. The API-key path provides no audit attribution for completions calls; persist as a Sentinel analytics rule with severity High and require a governance ticket for every key regenerate event. Alert threshold Any flip of disableLocalAuth to false on a production Azure OpenAI account — page on first occurrence. Key regeneration by a principal outside the operator group — page; treat as preparation for credential theft. Initial response Reapply disableLocalAuth=true via the IaC baseline; rotate the regenerated key via az cognitiveservices account keys regenerate to invalidate any copy that left the operator session. Walk AzureDiagnostics Audit log for completions calls during the exposure window — any call with authMethod = \"ApiKey\" is candidate unattributed usage and should be charged back to whichever workload should have used managed identity. Escalate per general/ir.html — confirm Azure Policy Cognitive Services accounts should have local authentication methods disabled remains in deny mode. References Microsoft Learn — authenticate requests to Azure AI services (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS — IAM least privilege · GCP — SA scoping · OCI — IAM least privilege azure-genai-03-prompt-shields ! 
CRITICAL PREVENTIVE Enable Azure AI Content Safety Prompt Shields for both direct user-prompt injection (jailbreak attempts) and document/RAG indirect injection (malicious instructions embedded in retrieved documents). Prompt Shields is a SEPARATE service from the Azure OpenAI content filter — it is an API endpoint in Azure AI Content Safety that detects injection attacks before the prompt reaches the model. Configure for both userPromptAnalysis (direct injection) and documentsAnalysis (indirect/RAG injection). Prompt Shields went GA in 2024. Important architectural distinction: Prompt Shields (this control) and the Azure OpenAI content filter (azure-genai-02) are architecturally distinct: Prompt Shields detects injection attacks at the input layer; content filters moderate harm categories at the output layer. Both are required. Using only the content filter does not protect against prompt injection; using only Prompt Shields does not moderate harmful output. MITIGATES: LLM01:2025 direct prompt injection (jailbreak that bypasses system prompt); LLM01:2025 indirect RAG injection (malicious instructions embedded in retrieved document context). ATTACK VECTOR: Attacker embeds \"ignore previous instructions\" or role-override directives in a document that is retrieved into context, causing the model to act against its system-prompt constraints. In RAG scenarios the attacker controls the external data source (poisoned knowledge base, malicious email attachment, adversarial web page). BLAST RADIUS: Full system-prompt override enabling extraction of confidential configuration, generation of harmful content, tool-use misuse, or exfiltration of other users' conversation context in multi-tenant scenarios. 
Audit — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Check current Content Safety configuration on the Azure OpenAI resource az cognitiveservices account show \\ --name \"${AOAI_ACCOUNT}\" \\ --resource-group \"${RG}\" \\ --query \"properties.contentSafetyConfig\"</code> Configuration — Azure AI Content Safety REST API <code class=\"language-json\">{ \"userPromptAnalysis\": { \"disable\": false }, \"documentsAnalysis\": { \"disable\": false } }</code> Submit via POST https://{endpoint}/contentsafety/text:shieldPrompt?api-version=2024-09-01 with your prompt and retrieved documents as the request body. Integrate Prompt Shields as a pre-flight check in your application before forwarding to the Azure OpenAI inference endpoint. Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account name.') param accountName string @description('RAI policy with Prompt Shields jailbreak + indirect-attack detection enabled.') resource raiPolicy 'Microsoft.CognitiveServices/accounts/raiPolicies@2024-10-01' = { name: '${accountName}/prompt-shields-enforced' properties: { mode: 'Blocking' contentFilters: [ { name: 'jailbreak', blocking: true, enabled: true, source: 'Prompt' } { name: 'indirect_attack', blocking: true, enabled: true, source: 'Prompt' } { name: 'protected_material_text', blocking: true, enabled: true, source: 'Completion' } { name: 'protected_material_code', blocking: true, enabled: true, source: 'Completion' } ] } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as cs from \"@pulumi/azure-native/cognitiveservices\"; new cs.RaiPolicy(\"prompt-shields-enforced\", { resourceGroupName: \"<rg>\", accountName: \"<aoai-account>\", raiPolicyName: \"prompt-shields-enforced\", properties: { mode: \"Blocking\", contentFilters: [ { name: \"jailbreak\", blocking: true, enabled: true, source: \"Prompt\" }, { name: \"indirect_attack\", 
blocking: true, enabled: true, source: \"Prompt\" }, { name: \"protected_material_text\", blocking: true, enabled: true, source: \"Completion\" }, { name: \"protected_material_code\", blocking: true, enabled: true, source: \"Completion\" }, ], }, }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-10; SI-15 A.8.28 n/a LLM01:2025 Information Integrity Art. 55 (in force 2025-08-02) Log signals AzureActivity edits removing the jailbreak or indirect_attack Prompt Shield setting from an RAI policy assignment — disarms the prompt-injection defence layer. AzureDiagnostics Category RequestResponse showing promptShieldResult.detected = true on inbound prompts followed by completions that nevertheless returned action-bearing tokens — possible bypass via prompt structure. AzureDiagnostics contentFilterResults.jailbreak field flipping from filtered=true historical baseline to filtered=false on the same prompt signatures — coverage regression. Query <code class=\"language-sql\">AzureDiagnostics | where ResourceProvider == \"MICROSOFT.COGNITIVESERVICES\" and Category == \"RequestResponse\" | extend filterJB = tostring(parse_json(properties_s).contentFilterResults.jailbreak.filtered) | extend filterIA = tostring(parse_json(properties_s).contentFilterResults.indirect_attack.filtered) | where filterJB == \"false\" or filterIA == \"false\" | project TimeGenerated, Resource, identity_claim_appid_g, filterJB, filterIA, properties_s | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. 
Prompt-shield disablement is rare and easily reverted; the more important signal is the runtime stream showing whether the shield actually fired on adversary-style prompts. Persist as a Sentinel analytics rule. Alert threshold Any RAI-policy edit that disables Prompt Shields — page on first occurrence. Spike in jailbreak.filtered=false entries above the 30-day baseline — page; adversary may have discovered a bypass pattern. Initial response Reapply the Prompt Shields setting via the IaC pipeline; confirm the next RequestResponse batch shows the jailbreak shield active on adversary-style prompts. Walk the prompt/response pairs that bypassed the shield — feed them to the content-safety adversarial-prompt corpus and rerun the Defender for AI evaluation suite. Escalate per general/ir.html — confirm Microsoft Defender for AI workloads remains enabled on the subscription and that the Prompt Shields telemetry is routed into Sentinel. References Microsoft Learn — Azure AI Content Safety Prompt Shields (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS — Guardrails prompt attack · GCP — safety filters (partial) · OCI — PI component azure-genai-02-content-filter-baseline ! HIGH PREVENTIVE Configure the Azure OpenAI content filter (RAI policy) with non-default severity thresholds for the four harm categories — Hate, Sexual, Self-harm, and Violence — applied to both prompt input and completion output. The default content filter is not an acceptable sole control; it must be explicitly configured at recommended or stricter thresholds and attached to each model deployment. RAI policy threshold configuration requires the Azure OpenAI REST API; az cognitiveservices account update does not support RAI policy threshold configuration (known CLI limitation — use REST API or Terraform azurerm_cognitive_account_rai_policy). 
Anti-pattern: Setting any harm category to \"annotate only\" or disabling filters for \"better response quality\" is equivalent to BLOCK_NONE — the second of five common misconfigurations documented in General GenAI — Common Misconfigurations. All four harm categories must be set to block at recommended or higher thresholds for both input and output. MITIGATES: LLM01:2025 (jailbreak producing harmful output after bypassing system prompt); LLM02:2025 (harmful content disclosure including extremist material, self-harm instructions, or explicit content). ATTACK VECTOR: Adversarial prompt elicits harmful, extremist, or self-harm content through indirect instruction, role-play framing, or encoded payloads that evade a misconfigured \"annotate-only\" filter. BLAST RADIUS: Regulatory and reputational harm; content safety incidents that trigger mandatory breach notifications under the EU AI Act GPAI obligations; potential platform suspension for policy violations. Audit — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Locate the resource custom domain (needed for REST API calls) az cognitiveservices account show \\ --name \"${AOAI_ACCOUNT}\" \\ --resource-group \"${RG}\" \\ --query \"properties.customSubDomainName\" # Then retrieve current RAI policies via REST API: # GET https://{endpoint}/openai/rai/policies?api-version=2024-10-01</code> Configuration — Azure OpenAI REST API (RAI policy) <code class=\"language-json\">{ \"name\": \"recommended-baseline\", \"type\": \"UserManaged\", \"contentFilters\": [ {\"name\": \"Hate\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", \"source\": \"Prompt\"}, {\"name\": \"Hate\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", \"source\": \"Completion\"}, {\"name\": \"Sexual\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", \"source\": \"Prompt\"}, {\"name\": \"Sexual\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", 
\"source\": \"Completion\"}, {\"name\": \"SelfHarm\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", \"source\": \"Prompt\"}, {\"name\": \"SelfHarm\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Low\", \"source\": \"Completion\"}, {\"name\": \"Violence\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Medium\", \"source\": \"Prompt\"}, {\"name\": \"Violence\", \"blocking\": true, \"enabled\": true, \"allowedContentLevel\": \"Medium\", \"source\": \"Completion\"} ] }</code> Submit via POST /openai/rai/policies/{policyName}?api-version=2024-10-01. Then attach the policy to each deployment: PATCH /openai/deployments/{deploymentName}?api-version=2024-10-01 with body {\"rai_policy_name\": \"recommended-baseline\"}. Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # azurerm_cognitive_account_rai_policy — verify argument completeness # for all harm categories against Terraform Registry at deployment time resource \"azurerm_cognitive_account_rai_policy\" \"baseline\" { name = \"recommended-baseline\" cognitive_account_id = azurerm_cognitive_account.aoai.id mode = \"Blocking\" content_filter { name = \"Hate\" filter_enabled = true blocking_enabled = true severity_threshold = \"Low\" source = \"Prompt\" } content_filter { name = \"Hate\" filter_enabled = true blocking_enabled = true severity_threshold = \"Low\" source = \"Completion\" } content_filter { name = \"Violence\" filter_enabled = true blocking_enabled = true severity_threshold = \"Medium\" source = \"Prompt\" } content_filter { name = \"Violence\" filter_enabled = true blocking_enabled = true severity_threshold = \"Medium\" source = \"Completion\" } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account hosting the deployment.') param accountName string @description('Deployment name.') param deploymentName string @description('Content-filter 
policy name (must exist on the account).') param contentFilterPolicy string = 'Microsoft.DefaultV2' resource aoai 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = { name: accountName } resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2024-10-01' = { parent: aoai name: deploymentName sku: { name: 'Standard', capacity: 10 } properties: { model: { format: 'OpenAI', name: 'gpt-4o', version: '2024-11-20' } raiPolicyName: contentFilterPolicy } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-15; SC-28 A.8.28; A.5.34 CLD.6.3.1 LLM01:2025; LLM02:2025 Dangerous/Violent Content Art. 55 (in force 2025-08-02) Log signals AzureActivity Microsoft.CognitiveServices/accounts/raiPolicies/write where the request body lowers a content-filter severity threshold (Hate, Sexual, SelfHarm, Violence) below the org baseline. AzureActivity Microsoft.CognitiveServices/accounts/raiPolicies/delete on a policy that is the active assignment for a production deployment — falls back to the Microsoft default which is more permissive than the org floor. AzureDiagnostics Category RequestResponse showing contentFilterResults where filtered=false on categories that the org baseline marks as block — downstream confirmation the change took effect. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue startswith \"Microsoft.CognitiveServices/accounts/raiPolicies/\" | extend body = tostring(parse_json(Properties).requestbody) | where OperationNameValue endswith \"/delete\" or body has \"\\\"allowedContentLevel\\\":\\\"high\\\"\" or body has \"\\\"allowedContentLevel\\\":\\\"medium\\\"\" | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. RAI-policy edits should be ticket-bound and four-eyes-reviewed; persist as a Sentinel analytics rule with severity Medium and require the change ticket to be attached at the time of edit. Alert threshold Any RAI policy edit that loosens a severity threshold below the org baseline — page on first occurrence. RAI policy delete that leaves a production deployment relying on the platform default — page; coverage of the content-filter floor has regressed. Initial response Reapply the org-baseline RAI policy via the IaC pipeline; confirm the next RequestResponse batch shows filtered=true on the baseline-blocked categories. Walk the AzureDiagnostics RequestResponse stream for the exposure window for prompt/response pairs that match the loosened categories — high-volume completions on those categories warrant review. Escalate per general/ir.html — confirm Azure Policy enforcing minimum RAI-policy severity floors remains assigned at the resource provider scope. References Microsoft Learn — Azure OpenAI content filtering (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS — content filter · GCP — safety filters · OCI — content moderation azure-genai-04-private-endpoint ! HIGH PREVENTIVE Deploy a Private Endpoint via Azure Private Link for the Azure OpenAI resource and disable public network access. Without this control, inference traffic (including prompts and completions) traverses the public internet. 
See azure-net-04 — private endpoint pattern for the general pattern; this control applies it specifically to the Azure OpenAI Cognitive Services resource. MITIGATES: LLM10:2025 network interception of prompts and completions in transit; LLM02:2025 sensitive data exfiltration via unencrypted or intercepted inference traffic. ATTACK VECTOR: Man-in-the-middle on corporate egress proxy intercepts inference payloads containing confidential system prompts, user PII, or proprietary business data. Attacker with visibility to corporate network traffic passively captures model interactions. BLAST RADIUS: Full inference traffic exposure including confidential system prompts, conversation history, retrieved RAG documents, and completion outputs. All deployed models on the resource are affected. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Disable public network access on the Azure OpenAI resource az cognitiveservices account update \\ --name \"${AOAI_ACCOUNT}\" \\ --resource-group \"${RG}\" \\ --custom-domain \"${AOAI_ACCOUNT}\" \\ --public-network-access Disabled # Verify: confirm public access is disabled az cognitiveservices account show \\ --name \"${AOAI_ACCOUNT}\" \\ --resource-group \"${RG}\" \\ --query \"properties.publicNetworkAccess\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 resource \"azurerm_cognitive_account\" \"aoai_private\" { name = var.account_name location = var.location resource_group_name = var.resource_group_name kind = \"OpenAI\" sku_name = \"S0\" public_network_access_enabled = false identity { type = \"SystemAssigned\" } } resource \"azurerm_private_endpoint\" \"aoai_pe\" { name = \"${var.account_name}-pe\" location = var.location resource_group_name = var.resource_group_name subnet_id = var.subnet_id private_service_connection { name = \"${var.account_name}-psc\" private_connection_resource_id = azurerm_cognitive_account.aoai_private.id subresource_names = [\"account\"] 
is_manual_connection = false } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account resource ID to wrap with a private endpoint.') param aoaiResourceId string @description('Subnet resource ID hosting the private endpoint NIC.') param subnetId string param location string = resourceGroup().location resource pe 'Microsoft.Network/privateEndpoints@2024-03-01' = { name: 'pe-aoai' location: location properties: { subnet: { id: subnetId } privateLinkServiceConnections: [ { name: 'aoai-link' properties: { privateLinkServiceId: aoaiResourceId groupIds: ['account'] } } ] } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SC-7; AC-17 A.8.20; A.8.22 CLD.13.1.4 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals AzureActivity Microsoft.CognitiveServices/accounts/write where the request body sets publicNetworkAccess = \"Enabled\" on an Azure OpenAI account that was previously private-endpoint-only. AzureActivity Microsoft.Network/privateEndpoints/delete on a Private Endpoint whose target is an Azure OpenAI account — silent fallback to public reachability if combined with the flag flip. AzureDiagnostics RequestResponse showing client source-IP from public CIDRs — runtime confirmation that public reachability is being used. 
Query <code class=\"language-sql\">AzureActivity | where ResourceId has \"Microsoft.CognitiveServices/accounts\" | where OperationNameValue == \"Microsoft.CognitiveServices/accounts/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"publicNetworkAccess\\\":\\\"Enabled\\\"\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 100</code> Run as a KQL query in Log Analytics. Pair with a Sentinel analytics rule that joins the AzureDiagnostics RequestResponse stream against the corporate egress CIDR list to flag completions calls from public networks. Alert threshold Any publicNetworkAccess flip to Enabled on a production Azure OpenAI account — page on first occurrence. Completions call with a source-IP outside the corporate egress CIDR list — page; treat as adversary reaching the model from outside the trust boundary. Initial response Flip publicNetworkAccess back to Disabled via the IaC baseline; if the Private Endpoint was deleted, recreate it and confirm DNS resolution returns the Private Link address. Walk the RequestResponse stream for the exposure window for completions issued from public-IP clients — any such call is candidate unauthorised inference and should be charged back to a documented workload or treated as compromise. Escalate per general/ir.html — confirm Azure Policy Cognitive Services accounts should disable public network access remains in deny mode at the management-group root. References Microsoft Learn — configure Azure AI services virtual networks and private endpoints (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS — VPC endpoint · GCP — VPC-SC · OCI — private endpoint azure-genai-06-rbac-least-privilege ! HIGH PREVENTIVE Assign the Cognitive Services OpenAI User role per-resource (not at subscription or resource-group scope) for application service identities. 
Use Cognitive Services OpenAI Contributor only for deployment management operations. Never assign the generic Contributor role at the resource scope for data-plane access — it grants management-plane rights that far exceed what inference workloads require. See azure-iam-03 — Privileged Identity Management for the general RBAC least-privilege pattern. MITIGATES: LLM06:2025 lateral movement via over-privileged identity; LLM08:2025 agentic workload over-privilege enabling unintended actions across Azure resources. ATTACK VECTOR: Compromised application service principal holds Contributor or subscription-scope Cognitive Services OpenAI User; attacker pivots from the GenAI workload to management-plane operations across all Azure OpenAI resources or, with Contributor, to other resource types in the same resource group. BLAST RADIUS: All Azure OpenAI resources within the subscription or resource group if role is assigned too broadly; potentially all resources in the scope if a generic role is assigned. 
Audit — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Find overly broad Cognitive Services OpenAI User assignments at subscription scope az role assignment list \\ --scope \"/subscriptions/${SUBSCRIPTION_ID}\" \\ --query \"[?roleDefinitionName=='Cognitive Services OpenAI User']\" \\ --output table # Check correct per-resource assignments az role assignment list \\ --scope \"/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RG}/providers/Microsoft.CognitiveServices/accounts/${AOAI_ACCOUNT}\" \\ --query \"[?roleDefinitionName=='Cognitive Services OpenAI User']\" \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Assign Cognitive Services OpenAI User at the specific resource scope only resource \"azurerm_role_assignment\" \"aoai_user\" { scope = azurerm_cognitive_account.aoai.id role_definition_name = \"Cognitive Services OpenAI User\" principal_id = var.app_service_principal_id }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account resource ID.') param aoaiResourceId string @description('Application principal that should call the model.') param appPrincipalId string // Cognitive Services OpenAI User (data-plane, no key management) var openAiUserRoleId = '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd' // Existing Azure OpenAI account in this resource group; the assignment is scoped to it, not to the resource group resource aoai 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = { name: last(split(aoaiResourceId, '/')) } resource assign 'Microsoft.Authorization/roleAssignments@2024-04-01' = { name: guid(aoaiResourceId, appPrincipalId, openAiUserRoleId) scope: aoai properties: { principalId: appPrincipalId principalType: 'ServicePrincipal' roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', openAiUserRoleId) } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI 
benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; IA-2 A.5.15; A.5.18 CLD.12.1.5 LLM06:2025; LLM08:2025 Information Security Art. 55 (in force 2025-08-02) Log signals AzureActivity Microsoft.Authorization/roleAssignments/write granting Cognitive Services Contributor or Owner on an Azure OpenAI resource to a principal outside the documented platform-engineering group. AzureActivity scope expansion that binds an existing operator role at a higher scope (subscription rather than resource group) — coverage creep on the inference plane. AzureDiagnostics Category Audit showing data-plane Completions calls from a service principal that just acquired an elevated role binding — adversary exercising fresh privilege. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.Authorization/roleAssignments/write\" | where ResourceId has \"Microsoft.CognitiveServices/accounts\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"Cognitive Services Contributor\" or body has \"Owner\" or body has \"OpenAI Contributor\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Role bindings on cognitive services accounts should be ticket-bound and four-eyes-reviewed; persist as a Sentinel analytics rule and pair with PIM-eligibility enforcement on the privileged roles. Alert threshold Privileged role-binding write to a non-platform-engineering principal — page on first occurrence. Subscription-scope binding of Cognitive Services OpenAI User when the documented pattern is resource-group scope — page; treat as scope creep. Initial response Reverse the role assignment via the IaC baseline; capture the AzureActivity Caller and the requested role as the ledger. 
Walk Audit-category data-plane logs for the new principal during the exposure window — any unattributed completions call is candidate misuse. Escalate per general/ir.html — confirm Entra PIM eligibility configuration on the privileged Cognitive Services roles still requires MFA and ticket-bound activation. References Microsoft Learn — Azure OpenAI RBAC roles (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS — IAM least privilege · GCP — SA scoping · OCI — IAM least privilege azure-genai-07-diagnostic-logs-prompt-audit ! HIGH DETECTIVE Configure Diagnostic Settings to forward Azure OpenAI resource logs to a Log Analytics workspace. Enable the Audit and RequestResponse log categories. Resource logs are not enabled by default — explicit configuration is required. Apply PII redaction before log storage; do not store raw unredacted prompts (anti-feature #1 in General GenAI — Common Misconfigurations). See Azure Logging for the general diagnostic settings pattern. MITIGATES: LLM10:2025 undetected abuse and quota exhaustion with no forensic trail; LLM02:2025 inability to perform post-incident prompt review to determine scope of data exposure. ATTACK VECTOR: Attacker exfiltrates sensitive data via model inference with no audit trail; coordinated abuse campaign exhausts quota across multiple deployments; insider threat makes inference calls that are never attributable. BLAST RADIUS: Inability to detect, attribute, or reconstruct security incidents involving GenAI workloads; regulatory exposure under EU AI Act GPAI record-keeping obligations. 
Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x — enable diagnostic logs to Log Analytics az monitor diagnostic-settings create \\ --name \"aoai-diag\" \\ --resource \"${AOAI_RESOURCE_ID}\" \\ --workspace \"${LOG_ANALYTICS_WORKSPACE_ID}\" \\ --logs '[{\"category\":\"Audit\",\"enabled\":true},{\"category\":\"RequestResponse\",\"enabled\":true}]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 resource \"azurerm_monitor_diagnostic_setting\" \"aoai_diag\" { name = \"aoai-diagnostics\" target_resource_id = azurerm_cognitive_account.aoai.id log_analytics_workspace_id = var.log_analytics_workspace_id enabled_log { category = \"Audit\" } enabled_log { category = \"RequestResponse\" } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure OpenAI account resource ID.') param aoaiResourceId string @description('Log Analytics workspace resource ID.') param workspaceId string // Existing Azure OpenAI account in this resource group; scope takes a resource symbol, not a resource ID string resource aoai 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = { name: last(split(aoaiResourceId, '/')) } resource diag 'Microsoft.Insights/diagnosticSettings@2024-01-01-preview' = { name: 'aoai-prompt-audit' scope: aoai properties: { workspaceId: workspaceId logs: [ { categoryGroup: 'audit', enabled: true } { categoryGroup: 'allLogs', enabled: true } ] metrics: [ { category: 'AllMetrics', enabled: true } ] } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AU-2; AU-12; SI-4 A.8.15; A.8.16 CLD.12.4.5 LLM10:2025 Information Security Art. 
55 (in force 2025-08-02) Log signals AzureActivity Microsoft.Insights/diagnosticSettings/delete on a setting that exports the RequestResponse and Audit categories from an Azure OpenAI account — silences the prompt audit trail. AzureActivity diagnostic-settings write events where the RequestResponse category is removed while only Audit remains — partial coverage erosion. AzureDiagnostics ingestion gap exceeding 60 minutes on the RequestResponse category for an account with a steady baseline — absence-of-signal indicator. Query <code class=\"language-sql\">AzureActivity | where ResourceId has \"Microsoft.CognitiveServices/accounts\" | where OperationNameValue startswith \"Microsoft.Insights/diagnosticSettings/\" | extend body = tostring(parse_json(Properties).requestbody) | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Pair with a Heartbeat-style watchdog on the RequestResponse category — silence on a previously active account is itself the alert. Persist as a Sentinel analytics rule with severity High. Alert threshold Delete or RequestResponse-category drop on a diagnostic setting for a production Azure OpenAI account — page on first occurrence. 60-minute RequestResponse ingestion gap on an account with steady 30-day baseline — page; the prompt-audit truth source is dark. Initial response Reapply the diagnostic setting via Bicep/Terraform; confirm the next RequestResponse batch shows up in Log Analytics within 10 minutes. If a Storage Account archive is also configured as destination, replay any RequestResponse records from the gap window for downstream Sentinel analytics correlation. Escalate per general/ir.html — confirm Azure Policy Diagnostic logs in Cognitive Services accounts should be enabled remains in DeployIfNotExists mode at the management-group root. 
References Microsoft Learn — diagnostic logging in Azure AI services (accessed 2026-05) Cross-provi"},{"id":"azure/iam.html","url":"azure/iam.html","title":"Azure IAM Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure IAM","description":"Microsoft Entra ID hardening: Global Admin separation, emergency access, PIM, Conditional Access MFA, legacy auth block, managed identity, app consent, guest restrictions.","body":"Azure IAM Hardening Overview This page covers Microsoft Azure identity hardening across the surfaces that determine whether an attacker who lands a single credential can pivot to tenant-wide compromise. The Azure identity story is centred on Microsoft Entra ID (formerly Azure Active Directory; the legacy short-form name appears in older tooling and CIS section titles but every new document, including this one, must use the current name). Unlike AWS, Azure does not ship a separate single-sign-on product: Entra ID is the identity provider, the directory, the federation engine, and the source of truth for role assignments. Scope here is the Azure commercial cloud; the sovereign clouds (Azure Government, Azure China operated by 21Vianet, Azure for US Department of Defense) inherit the same control inventory but require region-specific Graph endpoints and have their own compliance benchmarks — see threat-model for sovereign-cloud caveats. The mental model: Azure exposes three distinct privilege primitives that the rest of this page hardens. First, directory roles in Entra ID — Global Administrator, Privileged Role Administrator, Conditional Access Administrator, and the rest of the ≈90 built-in roles — govern who can change identity, policy, and tenant settings. Second, Privileged Identity Management (PIM) is the just-in-time activation layer that converts standing role membership into time-bound, approval-gated, audit-logged eligibility; PIM is the privilege primitive on Azure the same way that role-assumption is on AWS. 
Third, Conditional Access (CA) is the tenant-wide enforcement primitive — every authentication flowing through Entra ID is evaluated against the CA policy set, so CA is where you require MFA, block legacy protocols, restrict device state, and enforce session controls. Azure RBAC at the subscription/resource-group/resource scope is a separate layer that authorises actions against the management plane; it draws principals from Entra ID but is not the focus of this page (it surfaces in General IAM — privileged access and again in Phase 6 Azure domain pages). Order matters. Controls 01–04 are the CRITICAL and HIGH preventive controls that close the largest standing risks in nearly every audited tenant: too many Global Admins, no break-glass plan, no JIT on privileged roles, and no enforced MFA at the front door. Controls 05–08 progressively close the remaining identity attack surface — legacy authentication protocols (where MFA cannot be enforced), service-principal secret sprawl, OAuth consent grants weaponised by Midnight Blizzard in 2024, and guest-account drift in tenants that accept B2B collaboration. The compliance rows throughout cite CIS Microsoft Azure Foundations Benchmark v3.0.0 (February 2025 release), NIST SP 800-53 rev5, ISO/IEC 27001:2022, ISO/IEC 27017:2015, and — where the control implements an executive-branch baseline — CISA Binding Operational Directive 25-01 and the SCuBA Microsoft 365 secure configuration baselines. Equivalence callouts at the bottom of each control point to the matching control on the AWS, GCP, and OCI pages so a reader can compare modelling across providers. Cross-cutting principles (MFA, secrets, privileged access, audit logging) live in General IAM — MFA and General IAM — privileged access; this page maps them to Entra ID primitives. 
One authoring note that affects nearly every control on this page: the az CLI does not have first-class verbs for Conditional Access policies, authorization policies, or several Entra ID governance objects. The canonical pattern is az rest --method POST --uri https://graph.microsoft.com/v1.0/... against Microsoft Graph, with the policy body supplied as a JSON document. This is documented inline in azure-iam-04 and reused in 05, 07, and 08; readers transcribing the snippets should expect to authenticate az against a tenant whose signed-in user holds Conditional Access Administrator or Global Administrator (the latter only when no other role suffices). azure-iam-01-global-admin-count ! CRITICAL PREVENTIVE Limit Global Administrators to between two and four named cloud-only accounts; every other privileged operation must flow through a more specific role (Privileged Role Administrator, User Administrator, Conditional Access Administrator, Application Administrator, etc.) activated through PIM rather than held as a standing assignment. Microsoft's RBAC best-practice guidance explicitly recommends \"less than 5\" Global Administrators and calls the role \"the highest privileged role in Microsoft Entra ID\" (Microsoft Entra ID — RBAC best practices (accessed 2026-05)). The principle is reinforced in General IAM — privileged access; the severity derivation follows the worked example in methodology EX-MFA-01 applied to a single-step path to tenant takeover. MITIGATES: Tenant-wide takeover via compromise of any one of an over-large pool of Global Administrators (phishing, password reuse, leaked recovery email, session-cookie theft from an unmanaged device). ATTACK VECTOR: An organisation that has accumulated 15+ Global Admins (often from one-time troubleshooting that was never reverted) presents an attacker with 15+ phishing targets, any one of whom suffices for full compromise. 
The attacker harvests a session cookie from a Global Admin's unmanaged laptop, replays it against the Entra admin centre, and from that session creates a new persistent service principal with RoleManagement.ReadWrite.Directory for long-term access. BLAST RADIUS: The entire Entra tenant: every subscription, every Microsoft 365 workload (Exchange, SharePoint, Teams), every connected SaaS app federated through Entra, every Azure resource whose ownership root is the tenant. Global Admins can elevate themselves to User Access Administrator at the root management group and from there assume Owner on every subscription, then disable diagnostic logging to destroy forensic evidence. Remediation — Azure CLI / Microsoft Graph <code class=\"language-bash\"># Enumerate current Global Administrators. The Graph directoryRoles endpoint # returns the activated instance of the role; use roleTemplateId to find it # even when the friendly id differs across tenants. GA_TEMPLATE_ID=\"62e90394-69f5-4237-9190-012177145e10\" # Global Administrator GA_ROLE_ID=$(az rest --method GET \\ --uri \"https://graph.microsoft.com/v1.0/directoryRoles?\\$filter=roleTemplateId eq '${GA_TEMPLATE_ID}'\" \\ --query 'value[0].id' -o tsv) az rest --method GET \\ --uri \"https://graph.microsoft.com/v1.0/directoryRoles/${GA_ROLE_ID}/members\" \\ --query 'value[].{upn:userPrincipalName,id:id,type:\"@odata.type\"}' \\ --output table # Expected: 2–4 named, cloud-only (no on-prem sync) accounts. Any guest # (#EXT#) or synced (onPremisesSyncEnabled=true) account in this list is an # immediate finding.</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # (Directory role assignments live in the AzureAD provider; AzureRM is pinned # for the resource-plane controls later on this page.) terraform { required_providers { azuread = { source = \"hashicorp/azuread\", version = \"~> 2.50\" } } } # Pin the Global Administrator role assignments to a small set of named admins. 
# Any drift (a 5th assignment appearing) is detected on the next `terraform plan`. data \"azuread_directory_role\" \"global_admin\" { display_name = \"Global Administrator\" } resource \"azuread_directory_role_assignment\" \"ga\" { for_each = toset(var.global_admin_object_ids) # 2–4 entries only role_id = data.azuread_directory_role.global_admin.template_id principal_object_id = each.value }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'managementGroup' @description('Object IDs of the <=5 designated Global Administrators (break-glass + named owners).') param globalAdminObjectIds array @description('Entra ID role definition id for Global Administrator.') var globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10' resource gaAssignments 'Microsoft.Authorization/roleAssignments@2024-04-01' = [for (oid, i) in globalAdminObjectIds: { name: guid(managementGroup().id, oid, globalAdminRoleId) properties: { roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', globalAdminRoleId) principalId: oid principalType: 'User' } }] output enforcedGlobalAdminCount int = length(globalAdminObjectIds) </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as authorization from \"@pulumi/azure-native/authorization\"; // Entra ID built-in role: Global Administrator const globalAdminRoleId = \"62e90394-69f5-4237-9190-012177145e10\"; const designated = [ \"00000000-0000-0000-0000-000000000001\", // break-glass-1 \"00000000-0000-0000-0000-000000000002\", // break-glass-2 // <= 5 named owners total ]; designated.forEach((principalId, i) => { new authorization.RoleAssignment(`ga-${i}`, { scope: \"/providers/Microsoft.Management/managementGroups/<tenant-root>\", principalId, principalType: \"User\", roleDefinitionId: `/providers/Microsoft.Authorization/roleDefinitions/${globalAdminRoleId}`, }); }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft 
Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.51.1.11.11.1 AC-6(7); AC-2A.5.15; A.5.16n/a Log signals AzureActivity OperationNameValue = \"Microsoft.Authorization/roleAssignments/write\" entries where the assigned role definition matches Global Administrator, Privileged Role Administrator, or User Access Administrator. SigninLogs entries where the resolved UserPrincipalName sits in the tenant Global Administrator directory role and the sign-in is interactive from outside the documented admin-jump-host network. AzureDiagnostics category = \"DirectoryRoleManagement\" deltas tracking the standing-Global-Administrator population over time. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.Authorization/roleAssignments/write\" | where Properties has \"Global Administrator\" or Properties has \"Privileged Role Administrator\" or Properties has \"User Access Administrator\" | project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, ActivityStatusValue, Properties | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics against the workspace receiving the tenant AzureActivity diagnostic export. Persist as a Sentinel analytics rule once the false-positive rate from PIM elevations is calibrated. Alert threshold Any privileged role (Owner / Contributor / User Access Administrator / Global Administrator) assigned to a non-PIM-eligible Caller within a 24h window — page on first occurrence. Tune per environment baseline using Log Analytics KQL summarize count() by Caller over a 30-day calibration window before promoting to an analytics rule. Initial response Verify the assignment against the documented PIM justification ticket and the named Caller; if no ticket exists, treat as confirmed compromise. 
Roll back via Entra PIM access review: revoke the standing assignment, force the recipient to re-elevate through PIM with MFA and ticket-bound justification, and rotate any tokens the Caller principal issued in the prior 24h. Escalate per general/ir.html — open an incident, capture AzureActivity + SigninLogs + AuditLogs for the affected tenant slice, and confirm the privileged-access workstation policy and conditional-access baselines remain enforced. References Microsoft Learn — AzureActivity table reference (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-iam-02-emergency-access ! HIGH PREVENTIVE Provision at least two break-glass (emergency access) accounts that are cloud-only (no on-prem AD synchronisation), excluded from the standard Conditional Access policies that could lock them out, and protected by FIDO2 hardware security keys rather than the TOTP/Authenticator app used by ordinary users. Credentials are stored offline, sign-ins are monitored continuously, and the accounts are tested on a documented cadence. Microsoft's authoritative guidance is the \"Manage emergency access admin accounts\" article (Microsoft Entra ID — emergency access admin accounts (accessed 2026-05)) and the pattern is referenced in General IAM — privileged access. MITIGATES: Loss of administrative access during an MFA-provider outage, a Conditional Access misconfiguration that locks out all interactive admins, a federation/ADFS outage that breaks SSO for synced accounts, or an active incident where a compromised admin account has been disabled and no other admin can reach the tenant. ATTACK VECTOR: Lack of break-glass is not itself exploited by an attacker; the failure mode is operational. 
A misconfigured CA policy (\"require compliant device on all users\") applied without an exclusion can lock the entire admin pool out of their own tenant — recovery then requires opening a Microsoft Support ticket, which is measured in hours-to-days. During an active incident, the inability to revoke a compromised privileged session because the responder has no way in is a force multiplier for the attacker. BLAST RADIUS: Tenant-wide unavailability of the management plane for the duration of the lockout; in incident-response scenarios, every minute of locked-out admin access is a minute the attacker retains persistence. The compensating control (FIDO2 hardware key + monitored sign-ins + CA exclusion) is a recognised exception to MFA-on-all-users; documenting the exception in the risk register is mandatory. Remediation — Azure CLI / Microsoft Graph <code class=\"language-bash\"># 1. Create the cloud-only break-glass user (no on-prem sync; explicit # onmicrosoft.com UPN so the account survives custom-domain takedowns). TENANT_DOMAIN=\"contoso.onmicrosoft.com\" az ad user create \\ --display-name \"Break-Glass 01\" \\ --user-principal-name \"breakglass01@${TENANT_DOMAIN}\" \\ --password \"$(openssl rand -base64 32)\" \\ --force-change-password-next-sign-in false # 2. Add to the emergency-access security group that is EXCLUDED from the # tenant-wide MFA Conditional Access policy. EA_GROUP_ID=$(az ad group show --group \"emergency-access-exclusions\" \\ --query id -o tsv) BG_USER_ID=$(az ad user show --id \"breakglass01@${TENANT_DOMAIN}\" \\ --query id -o tsv) az ad group member add --group \"$EA_GROUP_ID\" --member-id \"$BG_USER_ID\" # 3. Verify the user does NOT appear in the standard MFA policy's includeUsers # and DOES appear in its excludeGroups (Conditional Access policies via Graph). 
az rest --method GET \\ --uri \"https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies\" \\ --query \"value[?displayName=='Require MFA for all users'].conditions.users\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # (Account objects in azuread provider; resource-plane Key Vault for the # offline credential escrow uses AzureRM.) resource \"azuread_user\" \"breakglass\" { for_each = toset([\"breakglass01\", \"breakglass02\"]) user_principal_name = \"${each.key}@${var.tenant_onmicrosoft_domain}\" display_name = \"Break-Glass ${each.key}\" password = random_password.bg[each.key].result # Cloud-only: never synchronized from on-prem AD. account_enabled = true } resource \"azuread_group\" \"emergency_access_exclusions\" { display_name = \"emergency-access-exclusions\" security_enabled = true } resource \"azuread_group_member\" \"bg_in_exclusions\" { for_each = azuread_user.breakglass group_object_id = azuread_group.emergency_access_exclusions.object_id member_object_id = each.value.object_id }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'tenant' @description('UPN of the cloud-only break-glass account (does NOT federate from on-prem AD).') param breakGlassUpn string @description('Conditional Access policy excludes this account so an IdP outage cannot lock out admins.') param caExclusionGroupId string // Reference existing user (created out-of-band via Graph API; do not author secrets in IaC) resource bg 'Microsoft.Graph/users@2023-09-01' existing = { name: breakGlassUpn } resource caExclude 'Microsoft.Graph/groups/members@2023-09-01' = { name: '${caExclusionGroupId}/${bg.id}' } output breakGlassObjectId string = bg.id </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.41.1.3best-practicesbest-practices CP-2; AC-2A.5.29; A.5.16n/a 
Log signals SigninLogs entries where UserPrincipalName matches the documented break-glass account naming pattern (e.g. breakglass-*@tenant.onmicrosoft.com) — every authentication on these accounts is by definition incident-grade. AuditLogs Category = \"UserManagement\" showing password rotation, MFA method changes, or role removal applied to break-glass principals outside the documented quarterly drill schedule. AzureActivity OperationNameValue = \"Microsoft.Authorization/roleAssignments/delete\" targeting the Global Administrator assignment on break-glass principals — would silently disarm the emergency path. Query <code class=\"language-sql\">SigninLogs | where UserPrincipalName startswith \"breakglass\" | project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, AppDisplayName, ClientAppUsed, ConditionalAccessStatus | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics scoped to the tenant SigninLogs export. Promote to a Sentinel analytics rule with severity High once the break-glass naming convention is enforced via Entra ID administrative-unit policy. Alert threshold Any successful sign-in on a break-glass principal — page on first occurrence regardless of source IP. Three or more failed sign-ins on a break-glass principal within a 1h window — indicates targeted credential-guessing and warrants account-state inspection plus a rotation event. Initial response Confirm the sign-in correlates with a declared incident ticket; if no ticket exists, treat as confirmed compromise of the highest-privilege identity in the tenant. Revoke all refresh tokens for the break-glass principal via Revoke-MgUserSignInSession, rotate the password to a fresh hardware-managed value, and re-pair the FIDO2 key under four-eyes witness. 
Escalate per general/ir.html — capture SigninLogs + AuditLogs + AzureActivity for the affected tenant slice over the prior 72h, and confirm that the conditional-access exclusion for the break-glass group remains scoped to the documented IP allow-list. References Microsoft Learn — manage emergency-access accounts in Entra ID (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-iam-03-pim ! CRITICAL PREVENTIVE Every privileged Entra ID role (Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Application Administrator, Security Administrator, plus the privileged Azure RBAC roles Owner / User Access Administrator at the root management group) must be held as a PIM eligible assignment, not an active standing assignment. Activating an eligible assignment requires re-authentication with MFA, optional approval, an activation justification, and a maximum activation window (typically 1–8 hours), and writes an audit log entry — converting a stolen credential's value from indefinite to bounded. Microsoft's authoritative documentation covers configuration and the role-management best-practice baseline (Microsoft Entra Privileged Identity Management documentation (accessed 2026-05)); MCSB control IM-1 (\"Use centralized identity and authentication system\") cites PIM as the just-in-time enforcement layer. MITIGATES: Indefinite privilege held by accounts that need administrative access only occasionally — the canonical \"standing Global Admin who hasn't logged in for six months\" pattern. PIM converts that into a 0-permission steady state plus an audited just-in-time activation flow. ATTACK VECTOR: An attacker compromises an administrator's credentials (phishing → AitM session replay → silent persistence on an unmanaged device). 
With standing active assignments, the attacker has Global Admin now with no re-authentication challenge, no MFA prompt visible to the legitimate user, and no activation log entry that would alert the security team. With PIM eligible assignments, the attacker must trigger an activation — surfacing an MFA prompt at the legitimate user's device (likely refused) and writing an audit log entry that monitoring can alert on. BLAST RADIUS: Without PIM, equivalent to azure-iam-01: full tenant takeover. With PIM, the window is bounded by the activation duration (default 1 hour, configurable up to 24); the attacker must re-activate to extend, which generates additional audit events. Approval-required activation adds a human-in-the-loop control for the most sensitive roles. Remediation — Azure CLI / Microsoft Graph <code class=\"language-bash\"># Convert an active Global Administrator assignment into an eligible (PIM) one. # This is a two-step Graph call: read the active assignment, then create an # eligibility schedule request with action=adminAssign. USER_ID=$(az ad user show --id \"alice@contoso.com\" --query id -o tsv) GA_TEMPLATE_ID=\"62e90394-69f5-4237-9190-012177145e10\" # Create the eligibility (PIM eligible role assignment) via Graph. az rest --method POST \\ --uri \"https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests\" \\ --body \"$(cat <<JSON { \"action\": \"adminAssign\", \"justification\": \"Bootstrap PIM eligibility for alice@contoso.com (replaces standing GA)\", \"roleDefinitionId\": \"${GA_TEMPLATE_ID}\", \"directoryScopeId\": \"/\", \"principalId\": \"${USER_ID}\", \"scheduleInfo\": { \"startDateTime\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\", \"expiration\": { \"type\": \"noExpiration\" } } } JSON )\" # Remove the now-redundant ACTIVE assignment so the user must activate to use it. 
az rest --method DELETE \\ --uri \"https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=${GA_TEMPLATE_ID}/members/${USER_ID}/\\$ref\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # PIM eligibility is exposed via azuread_privileged_access_group_*. For # directory-role-level PIM at scale, the canonical pattern is to gate role # membership on a privileged-access group whose eligibility schedule the # resource below manages. resource \"azuread_group\" \"ga_eligible\" { display_name = \"PIM-Eligible-Global-Administrators\" security_enabled = true assignable_to_role = true } # Bind the role to the group, then expose group membership as a PIM eligibility. resource \"azuread_directory_role_assignment\" \"ga_via_group\" { role_id = \"62e90394-69f5-4237-9190-012177145e10\" principal_object_id = azuread_group.ga_eligible.object_id } resource \"azuread_privileged_access_group_eligibility_schedule\" \"ga_eligibility\" { for_each = toset(var.ga_eligible_user_object_ids) principal_id = each.value group_id = azuread_group.ga_eligible.object_id assignment_type = \"member\" duration = \"P365D\" justification = \"Eligible Global Administrator via PIM\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'managementGroup' @description('Entra ID role to enable PIM activation for (e.g. 
Global Administrator).') param roleDefinitionId string @description('Principal eligible for just-in-time activation.') param principalId string resource pimEligible 'Microsoft.Authorization/roleEligibilityScheduleRequests@2024-09-01-preview' = { name: guid(managementGroup().id, principalId, roleDefinitionId, 'eligible') properties: { principalId: principalId roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) requestType: 'AdminAssign' scheduleInfo: { expiration: { type: 'NoExpiration' } } justification: 'PIM eligible — MFA + approval required at activation' } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as authorization from \"@pulumi/azure-native/authorization\"; // PIM eligible role assignment (just-in-time elevation). new authorization.RoleEligibilityScheduleRequest(\"ga-eligible\", { scope: \"/providers/Microsoft.Management/managementGroups/<tenant-root>\", principalId: \"<entra-user-object-id>\", roleDefinitionId: \"/providers/Microsoft.Authorization/roleDefinitions/62e90394-69f5-4237-9190-012177145e10\", requestType: \"AdminAssign\", scheduleInfo: { expiration: { type: \"NoExpiration\" }, }, justification: \"PIM eligible — MFA + approval required at activation\", }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.211.1.4best-practicesbest-practices AC-6(1); AC-6(2); AC-2(7)A.5.15n/a Log signals AuditLogs Category = \"RoleManagement\" entries where ActivityDisplayName = \"Add member to role completed (PIM activation)\" — establishes the authoritative ledger of elevation events; absence of an entry beside a privileged AzureActivity write indicates the PIM gate was bypassed. 
IdentityInfo deltas adding a principal directly to a built-in directory role (Global Administrator, Privileged Role Administrator) as a permanent assignment instead of an eligible one. AzureActivity privileged write events whose Caller has no concurrent PIM activation in the prior 90 minutes — the elevation window is the legitimate signal pattern. Query <code class=\"language-sql\">AuditLogs | where Category == \"RoleManagement\" | where ActivityDisplayName has \"Add member to role\" and TargetResources has \"Permanent\" | extend role = tostring(TargetResources[0].displayName), target = tostring(TargetResources[2].userPrincipalName) | project TimeGenerated, ActivityDisplayName, role, target, InitiatedBy, Result | order by TimeGenerated desc | take 200</code> Run as a KQL query against the Log Analytics workspace ingesting Entra AuditLogs. Schedule as a Sentinel analytics rule with severity High; correlate with PIM activation absence over a 90-minute window to suppress legitimate emergency-elevation noise. Alert threshold Any permanent assignment to a privileged Entra role — page immediately; the policy intent is that all such assignments flow through PIM as eligible. Five or more PIM activations by the same Caller within a rolling 24h period — investigate for credential abuse or automation that should be re-platformed onto a managed identity. Initial response Reverse the permanent assignment via the Entra portal Role Settings blade or Update-MgRoleManagementDirectoryRoleAssignment; re-issue as PIM-eligible with the documented approval flow. Walk back the assigner's recent AuditLogs trail to confirm whether this is a one-shot policy gap or an attempt to bypass PIM systematically; if patterns repeat across multiple principals, treat the assigner as a compromised admin. 
Escalate per general/ir.html — capture the AuditLogs + IdentityInfo snapshot for the affected role, and revalidate PIM policy enforcement (approver list, max activation duration, MFA requirement) against the tenant baseline. References Microsoft Learn — Privileged Identity Management overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-iam-04-conditional-access-mfa ! CRITICAL PREVENTIVE Deploy a Conditional Access policy that requires multi-factor authentication on every interactive sign-in for every user (phishing-resistant FIDO2 / Windows Hello / certificate-based authentication is strongly preferred over SMS or TOTP — see General IAM — MFA for the severity derivation in methodology EX-MFA-01). Exclude only the documented break-glass accounts from azure-iam-02. CIS Microsoft Azure Foundations Benchmark v3.0.0 section 1.1.2 codifies this requirement; CISA Binding Operational Directive 25-01 and the SCuBA Microsoft 365 baseline likewise mandate it for federal civilian agencies (CISA Binding Operational Directive 25-01 — SCuBA baselines (accessed 2026-05)). Note an important authoring detail: the az CLI lacks first-class verbs for Conditional Access, so policies are authored against Microsoft Graph via az rest. MITIGATES: Credential-replay attacks (phishing, password spray, credential stuffing from third-party breaches) against any Entra ID-protected workload (Azure portal, Microsoft 365 apps, federated SaaS). ATTACK VECTOR: An attacker harvests a username/password pair from a breach corpus or a phishing landing page that mirrors the Entra ID sign-in. Without CA-enforced MFA, the second factor is never demanded and the attacker holds a valid session. Even MFA-enabled-per-user (the legacy \"MFA settings\" page) is bypassed for legacy auth flows and service principal sign-ins; only a Conditional Access policy that targets All Users and all client app types enforces the intent universally. 
BLAST RADIUS: Every resource the compromised user can reach: their Microsoft 365 mailbox and SharePoint sites, any Azure subscription where they hold an RBAC assignment, any SaaS app federated through Entra. For a Global Administrator without MFA — historically a depressingly common audit finding — the blast radius is the full tenant per azure-iam-01. Remediation — Azure CLI / Microsoft Graph <code class=\"language-bash\"># Conditional Access policies cannot be authored with first-class `az` verbs; # `az rest` against the Microsoft Graph beta or v1.0 endpoint is the # documented pattern. The JSON body below targets All Users (excluding the # break-glass group), all cloud apps, all client app types, and requires the # built-in 'mfa' grant control. State 'enabled' applies it immediately. cat > ca-policy-require-mfa.json <<'JSON' { \"displayName\": \"CA001 — Require MFA for all users\", \"state\": \"enabled\", \"conditions\": { \"users\": { \"includeUsers\": [\"All\"], \"excludeGroups\": [\"<EMERGENCY_ACCESS_GROUP_OBJECT_ID>\"] }, \"applications\": { \"includeApplications\": [\"All\"] }, \"clientAppTypes\": [\"all\"] }, \"grantControls\": { \"operator\": \"OR\", \"builtInControls\": [\"mfa\"] } } JSON az rest --method POST \\ --uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \\ --body @ca-policy-require-mfa.json \\ --headers \"Content-Type=application/json\" # Verify enabled state. az rest --method GET \\ --uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \\ --query \"value[?displayName=='CA001 — Require MFA for all users'].state\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # (Conditional Access lives in azuread provider; azuread is referenced # alongside AzureRM in the providers block for this page's controls.) 
resource \"azuread_conditional_access_policy\" \"require_mfa_all_users\" { display_name = \"CA001 — Require MFA for all users\" state = \"enabled\" conditions { client_app_types = [\"all\"] applications { included_applications = [\"All\"] } users { included_users = [\"All\"] excluded_groups = [azuread_group.emergency_access_exclusions.object_id] } } grant_controls { operator = \"OR\" built_in_controls = [\"mfa\"] } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'tenant' @description('CA policy: require MFA for all users on all cloud apps; excludes break-glass.') param breakGlassExclusionGroupId string resource caRequireMfa 'Microsoft.Graph/identity/conditionalAccess/policies@2023-09-01' = { name: 'require-mfa-all-users' properties: { state: 'enabled' conditions: { users: { includeUsers: ['All'] excludeGroups: [breakGlassExclusionGroupId] } applications: { includeApplications: ['All'] } } grantControls: { operator: 'AND' builtInControls: ['mfa'] } } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as msgraph from \"@pulumi/azure-native/authorization\"; // Conditional Access policy authored via Microsoft Graph (azure-native preview surface). // Excludes the break-glass group so a Conditional Access misconfiguration cannot lock out admins. 
const policy = { displayName: \"require-mfa-all-users\", state: \"enabled\", conditions: { users: { includeUsers: [\"All\"], excludeGroups: [\"<break-glass-group-object-id>\"] }, applications: { includeApplications: [\"All\"] }, }, grantControls: { operator: \"AND\", builtInControls: [\"mfa\"] }, }; export const conditionalAccessPolicy = policy; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.101.1.21.21.7 IA-2(1)A.5.17; A.8.5n/a Log signals SigninLogs entries where ConditionalAccessStatus = \"notApplied\" on a high-privilege resource (Microsoft Graph, Azure Resource Manager) — indicates a coverage gap in the policy scope. AuditLogs Category = \"Policy\" with ActivityDisplayName = \"Update conditional access policy\" where the diff reduces state from enabled to disabled or removes the requireMfa grant control. AzureDiagnostics category = \"ConditionalAccessPolicyEvaluation\" entries showing skipped MFA challenge for a principal in scope of the baseline — exception report that should map to documented break-glass principals only. Query <code class=\"language-sql\">SigninLogs | where AuthenticationRequirement == \"singleFactorAuthentication\" | where ResourceDisplayName in (\"Microsoft Graph\", \"Windows Azure Service Management API\") | where ConditionalAccessStatus != \"success\" | project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName, IPAddress, ConditionalAccessStatus, ConditionalAccessPolicies | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics; high-privilege resources should never authenticate with a single factor outside the documented break-glass exception. Persist as a Sentinel analytics rule once the legitimate exception list is encoded as a watchlist. 
Alert threshold Any single-factor sign-in to Microsoft Graph or Azure Resource Manager by a non-break-glass principal — page on first occurrence. Conditional access policy edit that disables an enabled baseline or strips the MFA grant control — page on the edit itself, before the next sign-in cycle materialises the regression. Initial response Restore the policy via the policy version history (Entra portal → Conditional Access → policy → Modified) or apply the IaC baseline; capture the AuditLogs InitiatedBy identity as the policy mutator of record. Force a sign-out for any principal that authenticated single-factor during the exposure window — Revoke-MgUserSignInSession by UserId list — and require re-authentication under the restored baseline. Escalate per general/ir.html — open an incident if any privileged write was issued during the exposure window, and reconfirm the conditional-access What-If simulation against a canonical privileged-role principal. References Microsoft Learn — Conditional Access overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-iam-05-block-legacy-auth ! HIGH PREVENTIVE Deploy a Conditional Access policy that blocks legacy authentication — POP3, IMAP4, SMTP AUTH, MAPI, Exchange Web Services, and the \"Other Clients\" client app types that lump together every protocol that does not support modern authentication. Legacy auth is the principal bypass for the MFA control in azure-iam-04: protocols that pre-date OAuth 2.0 cannot present a second factor, so even with MFA mandated for all users the attacker who finds a username/password can still sign in via IMAP. Microsoft retired Basic Authentication for Exchange Online in 2022–2023 but tenant-level legacy auth remains reachable via SMTP AUTH and via on-prem hybrid scenarios; CIS Microsoft Azure Foundations Benchmark v3.0.0 section 1.1.5 mandates the explicit block. MITIGATES: MFA bypass via legacy authentication protocols. 
Password spray campaigns specifically target IMAP/SMTP/POP endpoints precisely because they cannot enforce the second factor, even when the tenant has CA-enforced MFA on modern auth flows. ATTACK VECTOR: Attacker scrapes leaked Entra ID credential pairs from a breach corpus and replays them against smtp.office365.com:587 with SMTP AUTH or outlook.office365.com:993 with IMAP. The legacy protocol cannot prompt for MFA; if the password is valid, the attacker reads mail and stages further attacks (BEC fraud, password reset interception, OAuth consent phishing) — none of which generate the MFA prompts that would alert the victim. BLAST RADIUS: Initial: the compromised mailbox. Followed by: any account whose password reset flow lands in that mailbox, any OAuth consent prompt the attacker can socially engineer using the legitimate sender identity, any internal phishing reply-chain attack. Mailbox-as-pivot is the canonical first stage in BEC and ransomware actor playbooks. Remediation — Azure CLI / Microsoft Graph <code class=\"language-bash\"># Block legacy authentication via Conditional Access. clientAppTypes filters # to exactly the legacy stacks: exchangeActiveSync (legacy variant) and 'other' # (POP, IMAP, SMTP AUTH, MAPI, RPC, EWS, autodiscover with basic auth, etc). 
cat > ca-policy-block-legacy.json <<'JSON' { \"displayName\": \"CA002 — Block legacy authentication\", \"state\": \"enabled\", \"conditions\": { \"users\": { \"includeUsers\": [\"All\"], \"excludeGroups\": [\"<EMERGENCY_ACCESS_GROUP_OBJECT_ID>\"] }, \"applications\": { \"includeApplications\": [\"All\"] }, \"clientAppTypes\": [\"exchangeActiveSync\", \"other\"] }, \"grantControls\": { \"operator\": \"OR\", \"builtInControls\": [\"block\"] } } JSON az rest --method POST \\ --uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \\ --body @ca-policy-block-legacy.json \\ --headers \"Content-Type=application/json\" # Sanity-check: query the sign-in logs for any legacy auth attempts in the # last 24h that succeeded BEFORE the block was deployed (these are likely # active service accounts that will break and need migrati"},{"id":"azure/index.html","url":"azure/index.html","title":"Azure Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure","description":"Azure security hardening reference: Entra ID, network, data protection, logging & detection, workloads, and incident response.","body":"Azure Hardening This section covers Microsoft Azure hardening across the six security domains. Each domain page maps cross-cutting principles (covered in the General section) onto specific Azure services and configuration primitives — Entra ID, Azure Policy, Defender for Cloud, Sentinel, and the platform's native control planes. Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases. 
Domains IAM — Entra ID, Global Admin separation, PIM, Conditional Access, managed identities, Key Vault Network — NSGs, Azure Firewall, Private Endpoints, DDoS Protection, Front Door WAF Data Protection — Storage public access, CMK with Key Vault, SQL TDE, Disk Encryption, Purview Logging & Detection — Diagnostic Settings, Log Analytics, Activity Log, Defender for Cloud, Sentinel Workloads — VM Trusted Launch, JIT VM access, AKS hardening, App Service identity Incident Response — Defender automation, Sentinel playbooks, forensic snapshots GenAI Security — Entra ID auth, content filters, Prompt Shields, private endpoints, RBAC, diagnostic logging, abuse monitoring, CMK encryption, quota limits Kubernetes — AKS private cluster, Microsoft Entra Workload Identity, KMS v2 etcd encryption, Entra ID RBAC + Azure RBAC for K8s Authorization, Microsoft Defender for Containers, Azure Policy PSS, Log Analytics diagnostic settings, Azure CNI network policy, User-Assigned Managed Identity, Pod Security Standards This page is a Phase 2 stub. Section overview content arrives in later phases."},{"id":"azure/ir.html","url":"azure/ir.html","title":"Azure Incident Response Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Incident Response","description":"Azure incident response: emergency-access break-glass, Microsoft Sentinel automation playbooks, immutable forensic blob storage, KQL hunting, VM isolation and token-revocation runbooks, tabletop exercises.","body":"Azure Incident Response Hardening Overview This page covers Microsoft Azure incident response (IR) hardening — the controls that decide whether the organisation can contain, investigate, and recover from an Azure-resident incident inside a defensible time window, and whether the resulting forensic record will hold up to subsequent regulatory or legal scrutiny. 
Scope is the Azure commercial regions; Azure Government and Azure operated by 21Vianet (China) inherit the same controls but route through different sovereign endpoint suffixes, a different Microsoft Entra ID (formerly Azure Active Directory) tenant topology, and (for Azure Government) a separate Microsoft Sentinel commercial-to-government data-residency boundary that prohibits cross-cloud workspace replication. Re-verify partition caveats and the Microsoft Graph endpoint before applying any of the IaC below to a non-commercial cloud. Cross-cutting IR lifecycle principles — preparation, detection, containment, eradication, recovery, lessons-learned, and forensics & evidence preservation — are documented on the General Incident Response page against NIST SP 800-61 rev 3 (April 2025 CSF 2.0 community profile). This page does not re-author the lifecycle; it maps the Prepare → Detect → Contain → Eradicate → Recover → Lessons-Learned sequence to Azure primitives and to the specific posture controls that make each lifecycle phase executable inside an Azure tenant. Severity assignments follow the rubric documented in methodology — severity assignment; equivalence callouts at the bottom of each control point to the matching control on the AWS, GCP, and OCI sibling pages so a reader can compare break-glass, automated-response, and forensic-retention models across providers. Azure IR posture splits cleanly into two stacks. The detective stack — subscription Activity Log routed to a central Log Analytics workspace, Microsoft Defender for Cloud workload-protection plans, Microsoft Sentinel analytics rules and data connectors, NSG Flow Logs with traffic analytics, Activity Log alerts on canonical events — lives on the Azure Logging page; it is what tells you an incident is happening. 
The responsive stack — emergency-access break-glass identities in Microsoft Entra ID, Microsoft Sentinel automation rules and Logic App playbooks, immutable forensic blob storage in a dedicated subscription, Sentinel KQL hunting query libraries, documented VM-isolation and token-revocation runbooks — lives here; it is what you do once you know. The handoff between the two stacks is concrete and Azure-internal: a high-severity Microsoft Sentinel incident triggers an automation rule that runs a Logic App playbook (azure-ir-02); a forensic question about who-touched-what at 03:00 last Tuesday is answered by a Sentinel KQL hunting query against archived Activity Log and SigninLogs (azure-ir-04). Every IR control on this page assumes the corresponding logging control on the Azure Logging page is in place; if it is not, the IR control degrades to a manual playbook with insufficient telemetry to drive it. This page is the provider-specific how-to; General IR owns the cross-cutting principles. Per the canonical-content rule, the lifecycle phases, the threat-actor taxonomy, and the regulatory-reporting timelines are not re-authored here. Pair-control announcement: azure-ir-02 and azure-ir-04 both cross-link STRICT to azure-log-08-sentinel-data-lake on the Azure Logging page — Microsoft Sentinel is the SIEM/SOAR plane that both controls depend on, and the same-phase bidirectional linkage is the parallel of the Phase 6 AWS pattern (aws-ir-02 / aws-ir-04 ↔ aws-log-04 / aws-log-08). azure-ir-03 additionally cross-links to azure-data-08-immutable-blob: both controls rely on the identical Immutable Blob in Locked mode mechanism, but with different postures — defensive retention of business records vs forensic chain-of-custody storage of incident evidence. Order matters. 
Control 01 is the preparation invariant that gates everything else: without a pre-provisioned emergency-access identity, the very first incident that takes out Microsoft Entra ID — exactly the scenario IR exists to handle — locks responders out of the tenant at the moment they need it most. Control 02 is the automation layer that compresses time-to-contain from human-response-time minutes to seconds via Microsoft Sentinel SOAR. Control 03 is the evidence invariant — without write-once-read-many evidence storage in a separate subscription, an attacker with sufficient privileges can erase the very logs and snapshots that would prove what happened. Controls 04–06 are the responsive playbooks themselves: Sentinel KQL hunting for retrospective forensic queries, VM isolation for \"we think this VM is compromised, take it off the network without destroying state\", and token revocation for \"an Entra ID identity is known or suspected stolen\". Control 07 closes the lessons-learned loop with quarterly tabletop exercises so the playbooks above are tested before they are needed, and with an annual Microsoft Incident Response (DART) engagement contact test so the vendor escalation path is known-working when needed. One housekeeping note on the compliance table that follows every control. Most IR controls are playbook-driven and process-bound rather than state-driven — CIS Foundations Benchmarks across all four providers are weighted toward configurable state (encryption, public access, logging enabled) and only lightly cover the IR domain. Expect the CIS columns on this page to read (best-practices) or n/a for most controls; the CIS Microsoft Azure Foundations Benchmark v3.0.0 (Feb 2025) Section 5 (Logging and Monitoring) covers the detective half of IR but does not enumerate playbook-style response controls. 
NIST SP 800-53 rev5 IR family (IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting, IR-8 Incident Response Plan, plus AU-9 / AU-11 for evidence) and ISO/IEC 27001:2022 (A.5.24 information-security incident management, A.5.26 response to incidents, A.5.28 collection of evidence) are the primary mappings. azure-ir-01-emergency-access ! CRITICAL PREVENTIVE Pre-provision between two and four emergency-access (break-glass) accounts in Microsoft Entra ID. Every account is cloud-only — created directly in the Entra tenant, never synchronised from on-premises Active Directory via Entra Connect — uses a FIDO2 hardware security key for authentication (no passwords, no SMS, no Microsoft Authenticator push), and is explicitly excluded from every Conditional Access policy via a dedicated CA-exclusion group so that a misconfigured or compromised CA policy cannot lock the responder out of the tenant they need to recover (Microsoft Learn — Manage emergency access accounts in Microsoft Entra ID (accessed 2026-05)). Each account is assigned the Global Administrator role at the tenant root; the hardware key is stored in a locked safe in two physically separate buildings; a Microsoft Sentinel analytics rule fires on every sign-in for these accounts to PagerDuty, the security on-call Teams channel, and an SMTP gateway for redundancy. The control is typed PREVENTIVE, not RESPONSIVE — mirroring the Phase 6 aws-ir-01 precedent. The control is the pre-positioning that makes response possible: creating an emergency-access account during the incident that took out Microsoft Entra ID, after the federation provider was compromised, or after the IdP-to-Entra trust was misconfigured is structurally impossible. The control is also CRITICAL: without it, the very first incident that affects the identity plane has no recovery path. 
Quarterly access tests — a named responder retrieves their FIDO2 key from the safe, signs into the Entra portal, performs a single read-only Graph API call, signs out — keep the credential, the hardware key, and the Sentinel alarm pipeline all known-working. Tests that have not been performed in the last 90 days are tracked on the security team's drift dashboard. The principle is reinforced in General IR — preparation and cross-references the privileged-access posture documented on azure/iam.html. MITIGATES: Loss of administrative access to the Microsoft Entra tenant during the exact incident class IR exists to handle — Entra ID partial outage (the 2020 and 2024 Entra ID availability incidents), federated IdP compromise (the Midnight Blizzard / Storm-0558 token-forgery chain against M365), or accidental misconfiguration of a Conditional Access policy that locks every interactive user out of the tenant until rolled back. ATTACK VECTOR: An attacker who compromises the federated IdP (or who modifies a Conditional Access policy to block every legitimate sign-in) can either lock legitimate responders out or assume their identities via forged tokens. Without a cloud-only, CA-excluded emergency-access identity, responders have no out-of-band path to the Entra portal at the precise moment they need to revoke federation, disable the malicious CA policy, or rotate the compromised signing keys. Equally common: a botched Conditional Access policy edit (a too-broad \"require compliant device\" rule rolled to all users in a hurry) blocks every interactive sign-in for the tenant, and the responder who would normally roll it back is now also locked out. BLAST RADIUS: The entire Entra tenant and every Azure subscription that trusts it. Without emergency access, the time-to-recover an Entra-identity-plane failure is bounded below by Microsoft Support's response time, which can be hours to days for non-Premier incidents. 
With emergency access, recovery time is bounded by the responder's drive-to-the-safe time plus a single Conditional Access policy edit or federation re-binding — typically under an hour. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Microsoft Entra emergency-access account creation. The CA-exclusion group MUST # exist before the account is created; the account MUST be added to the group # before any Conditional Access policy is applied tenant-wide. # (1) Create the dedicated CA-exclusion group. az ad group create \\ --display-name \"Emergency Access Accounts\" \\ --mail-nickname emergency-access \\ --description \"Excluded from ALL Conditional Access policies — break-glass only\" # (2) Create the cloud-only break-glass user account. Note: --account-enabled true # is intentional; the account is enabled but should only be used by named # responders retrieving the hardware key from the safe. az ad user create \\ --display-name \"Break-Glass Responder 01\" \\ --user-principal-name break-glass-01@contoso.onmicrosoft.com \\ --password \"$(openssl rand -base64 48)\" \\ --force-change-password-next-sign-in false \\ --account-enabled true # (3) Add the account to the CA-exclusion group. USER_ID=$(az ad user show --id break-glass-01@contoso.onmicrosoft.com --query id -o tsv) GROUP_ID=$(az ad group show --group \"Emergency Access Accounts\" --query id -o tsv) az ad group member add --group \"$GROUP_ID\" --member-id \"$USER_ID\" # (4) Assign Global Administrator at tenant root via Microsoft Graph. # az CLI lacks a first-class verb for directory role assignment; az rest is canonical. 
az rest --method POST \\ --uri \"https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members/\\$ref\" \\ --body \"{\\\"@odata.id\\\": \\\"https://graph.microsoft.com/v1.0/directoryObjects/$USER_ID\\\"}\" # (5) FIDO2 hardware-key enrolment is interactive: the responder signs in once # (via Temporary Access Pass issued for first sign-in) and registers the FIDO2 # key via aka.ms/mysecurityinfo. CLI enrolment of FIDO2 keys is not supported.</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Entra emergency-access accounts (accessed 2026-05) # Directory-plane resources use the AzureAD provider declared in-block. terraform { required_providers { azuread = { source = \"hashicorp/azuread\" version = \"~> 2.50\" } } } # Dedicated Conditional Access exclusion group. resource \"azuread_group\" \"emergency_access\" { display_name = \"Emergency Access Accounts\" mail_nickname = \"emergency-access\" description = \"Excluded from ALL Conditional Access policies — break-glass only\" security_enabled = true } # Two cloud-only break-glass user identities. Cloud-only = not synced from # on-prem AD; FIDO2 enrolment via mysecurityinfo (interactive step). resource \"azuread_user\" \"break_glass\" { for_each = toset([\"bg01\", \"bg02\"]) user_principal_name = \"break-glass-${each.key}@contoso.onmicrosoft.com\" display_name = \"Break-Glass Responder ${each.key}\" mail_nickname = \"break-glass-${each.key}\" password = random_password.break_glass[each.key].result force_password_change = false account_enabled = true } resource \"random_password\" \"break_glass\" { for_each = toset([\"bg01\", \"bg02\"]) length = 48 special = true } # Bind both break-glass accounts to the CA-exclusion group. 
resource \"azuread_group_member\" \"break_glass_in_exclusion\" { for_each = azuread_user.break_glass group_object_id = azuread_group.emergency_access.object_id member_object_id = each.value.object_id } # Microsoft Sentinel analytics rule firing on any sign-in for these accounts. resource \"azurerm_sentinel_alert_rule_scheduled\" \"break_glass_signin\" { name = \"break-glass-signin\" log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id display_name = \"Emergency access account sign-in\" severity = \"High\" query = <<-KQL SigninLogs | where UserPrincipalName in~ (\"break-glass-bg01@contoso.onmicrosoft.com\", \"break-glass-bg02@contoso.onmicrosoft.com\") | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType KQL query_frequency = \"PT5M\" query_period = \"PT5M\" trigger_operator = \"GreaterThan\" trigger_threshold = 0 }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'tenant' @description('Object IDs of two cloud-only break-glass accounts (no MFA dependency on tenant IdP).') param breakGlassObjectIds array @description('Group used in Conditional Access exclusions for break-glass.') param exclusionGroupId string resource memberships 'Microsoft.Graph/groups/members@2023-09-01' = [for (oid, i) in breakGlassObjectIds: { name: '${exclusionGroupId}/${oid}' }] </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; // Break-glass accounts are created out-of-band (no secrets in IaC). // Pulumi authors the CA-exclusion-group memberships only. const breakGlassObjectIds = [ \"<bg-account-1-object-id>\", \"<bg-account-2-object-id>\", ]; const exclusionGroupId = \"<break-glass-exclusion-group-id>\"; // graph-membership authoring goes here (azure-native preview surface). 
export const breakGlassRoster = breakGlassObjectIds; </code> Compliance mapping CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 || n/a | (best-practices) | n/a | n/a | IR-4; AC-2(8); AC-6 | A.5.24; A.5.26 | CLD.9.5.1 Log signals SigninLogs entries for the tenant break-glass principals outside the quarterly-drill cadence window — every event on these accounts is by design incident-grade and warrants page-on-first-occurrence handling. AuditLogs Category = \"UserManagement\" showing password rotation, MFA-method change, or directory-role removal on the break-glass principal — adversary-attempt-to-disarm signal. AzureActivity role-assignment delete events targeting the Global Administrator binding on break-glass principals — would silently strip the emergency path. Query <code class=\"language-sql\">SigninLogs | where UserPrincipalName startswith \"breakglass-\" | project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, Location, AppDisplayName | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics scoped to the SigninLogs export. Pair with a Sentinel analytics rule severity High and an automation playbook that posts to the incident-response channel on every match — the legitimate-use cadence is rare enough that false positives are negligible. Alert threshold Any successful break-glass sign-in outside the documented quarterly drill window — page immediately. Any directory-role change or MFA-method change on a break-glass principal — page; treat as adversary preparing the path for later use. Initial response Confirm the sign-in maps to a declared incident ticket; if no ticket exists, treat as compromise of the highest-privilege identity in the tenant. 
Rotate the break-glass password to a fresh hardware-managed value via four-eyes process; re-pair the FIDO2 key under witness; revoke refresh tokens via Revoke-MgUserSignInSession. Escalate per general/ir.html — capture SigninLogs + AuditLogs + AzureActivity for the affected tenant slice over the prior 72 hours and confirm the conditional-access exception for break-glass remains tightly scoped. References Microsoft Learn — manage emergency-access accounts in Entra ID (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-ir-02-sentinel-playbook ! HIGH RESPONSIVE Wire Microsoft Sentinel automation rules to invoke Logic App playbooks the moment a high-severity incident is created in the Sentinel workspace. The canonical automation set covers four deterministic actions: (a) isolate the affected VM by attaching a deny-all \"quarantine\" NSG to its NIC, (b) disable the implicated Entra ID identity (az ad user update --account-enabled false or Microsoft Graph PATCH /users/{id}), (c) snapshot the OS and data disks for forensic preservation (handing off to azure-ir-03), and (d) notify the on-call rotation via Teams adaptive card and PagerDuty. Microsoft Defender for Cloud workflow automation is a complement, not a substitute: Defender raises the finding, Sentinel ingests it as an incident (via the Microsoft Defender for Cloud data connector), the Sentinel automation rule pattern-matches on tactics or severity, and the Logic App carries out the SOAR action (Microsoft Learn — Automate incident handling with automation rules (accessed 2026-05)). The detective half of this loop lives on the Azure Logging page as azure-log-08-sentinel-data-lake; without Sentinel onboarded to the central Log Analytics workspace with data connectors for Entra ID sign-ins, Activity Log, and Defender for Cloud alerts, this control has nothing to fire on. 
This is the STRICT same-phase pair-control link to azure/logging.html — the bidirectional linkage parallels the Phase 6 aws-ir-02 ↔ aws-log-04 pattern. Logic Apps are preferred over Azure Functions for SOAR playbooks because the connector library covers Entra ID, ServiceNow, Teams, Jira, PagerDuty, and Microsoft 365 Defender out-of-the-box; the workflow editor is reviewable by non-developer responders; and the run history is queryable per-incident for post-incident review. MITIGATES: The gap between detection and containment during compromise of an Azure VM or Entra ID identity — a window in which the attacker is actively pivoting, exfiltrating data, or escalating privilege via the workload's managed identity. Without automation, time-to-contain is bounded below by the on-call responder's pager-to-keyboard time (15–45 minutes typical); with automation, it is bounded by Sentinel automation-rule latency (single-digit seconds from incident creation) plus Logic App execution time (seconds for the canonical actions). ATTACK VECTOR: Microsoft Defender for Cloud raises a Suspicious activity from compromised workload alert at HIGH severity (or Sentinel raises an analytics-rule incident on impossible-travel + new-device sign-in). In the manual-response path, the incident sits in the Sentinel queue until a human triages it, the human RDP/SSHes to the VM, the human runs commands to isolate, and by the time all of that completes the attacker has already exfiltrated whatever was reachable from the VM's managed identity (Key Vault secrets, Storage containers, downstream Service Bus queues). The window typical attackers operate inside is well under the manual-response time. BLAST RADIUS: Per compromised resource — the playbook's actions are scoped to a single VM ID or single user object ID extracted from the Sentinel incident entities. 
A buggy playbook that mis-targets is bounded by the same scope; the Logic App's role assignment grants only the specific permissions (Microsoft.Network/networkInterfaces/write on a single resource group, Microsoft.Graph User.EnableDisableAccount.All on the directory) needed for the deterministic actions. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # (1) Create the Logic App workflow that the Sentinel automation rule will invoke. # Workflow definition lives in playbook-isolate-vm.json and contains the # Entra ID, Network, Compute, and Teams connector actions. az logic workflow create \\ --resource-group rg-security-prod \\ --name la-ir-isolate-vm \\ --location westeurope \\ --definition @playbook-isolate-vm.json # (2) Grant the Logic App's system-assigned managed identity the roles it needs. LA_PRINCIPAL=$(az logic workflow show --resource-group rg-security-prod \\ --name la-ir-isolate-vm --query identity.principalId -o tsv) # Network Contributor for NSG attach/detach (scoped to a single resource group # that holds workloads which may need isolation). az role assignment create --assignee \"$LA_PRINCIPAL\" \\ --role \"Network Contributor\" \\ --scope \"/subscriptions/$SUB_ID/resourceGroups/rg-workload-prod\" # (3) Create the Sentinel automation rule that invokes the Logic App on any # incident with severity High or Critical. 
az sentinel automation-rule create \\ --resource-group rg-security-prod \\ --workspace-name law-security-prod \\ --automation-rule-id \"$(uuidgen)\" \\ --display-name \"Isolate VM on High/Critical incident\" \\ --order 1 \\ --triggering-logic '{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[{\"conditionType\":\"Property\",\"conditionProperties\":{\"propertyName\":\"IncidentSeverity\",\"operator\":\"Equals\",\"propertyValues\":[\"High\",\"Critical\"]}}]}' \\ --actions '[{\"actionType\":\"RunPlaybook\",\"order\":1,\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/'\"$SUB_ID\"'/resourceGroups/rg-security-prod/providers/Microsoft.Logic/workflows/la-ir-isolate-vm\"}}]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Sentinel automation rules (accessed 2026-05) # Pre-staged quarantine NSG that the playbook attaches to compromised VMs. resource \"azurerm_network_security_group\" \"quarantine\" { name = \"nsg-ir-quarantine\" location = \"westeurope\" resource_group_name = azurerm_resource_group.security.name security_rule { name = \"DenyAllInbound\" priority = 100 direction = \"Inbound\" access = \"Deny\" protocol = \"*\" source_port_range = \"*\" destination_port_range = \"*\" source_address_prefix = \"*\" destination_address_prefix = \"*\" } security_rule { name = \"DenyAllOutbound\" priority = 100 direction = \"Outbound\" access = \"Deny\" protocol = \"*\" source_port_range = \"*\" destination_port_range = \"*\" source_address_prefix = \"*\" destination_address_prefix = \"*\" } } # Logic App workflow — the SOAR playbook itself. Body lives in playbook.json # and contains the Microsoft Graph + Compute + Network connector actions. 
resource \"azurerm_logic_app_workflow\" \"isolate_vm\" { name = \"la-ir-isolate-vm\" location = \"westeurope\" resource_group_name = azurerm_resource_group.security.name identity { type = \"SystemAssigned\" } } resource \"azurerm_logic_app_trigger_http_request\" \"isolate_vm\" { name = \"manual\" logic_app_id = azurerm_logic_app_workflow.isolate_vm.id schema = jsonencode({ \"type\": \"object\" }) } # Sentinel automation rule that fires the playbook on High/Critical incidents. resource \"azurerm_sentinel_automation_rule\" \"isolate_vm\" { name = \"isolate-vm-high-critical\" log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id display_name = \"Isolate VM on High/Critical incident\" order = 1 condition_json = jsonencode([{ conditionType = \"Property\" conditionProperties = { propertyName = \"IncidentSeverity\" operator = \"Equals\" propertyValues = [\"High\", \"Critical\"] } }]) action_playbook { logic_app_id = azurerm_logic_app_workflow.isolate_vm.id order = 1 } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Sentinel-workspace-scoped Logic App (consumption) acting as an IR playbook.') param playbookName string param location string = resourceGroup().location resource playbook 'Microsoft.Logic/workflows@2024-05-01-preview' = { name: playbookName location: location identity: { type: 'SystemAssigned' } properties: { state: 'Enabled' definition: { '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#' contentVersion: '1.0.0.0' triggers: { SentinelIncident: { type: 'ApiConnectionWebhook' inputs: { /* … */ } } } actions: { /* tag incident, isolate VM, post to Teams … */ } } } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a(best-practices)n/an/a IR-4(1); IR-4(7); 
SI-4(7)A.5.26CLD.12.4.5 Log signals AzureActivity Microsoft.SecurityInsights/automationRules/delete targeting an automation rule that previously bound a Critical-severity analytic rule to its containment playbook — silently disarms the auto-response path. AzureActivity Microsoft.Logic/workflows/disable on a Logic App that is referenced by Sentinel as a playbook — incident creation still occurs but no auto-response runs. Sentinel SecurityIncident table where Status = \"New\" persists beyond the playbook-SLA timer — downstream signal that auto-handling has stopped. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.SecurityInsights/automationRules/delete\", \"Microsoft.Logic/workflows/disable/action\", \"Microsoft.SecurityInsights/incidents/relations/delete\") | project TimeGenerated, Caller, ResourceId, OperationNameValue | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Pair with a Sentinel analytics rule that joins SecurityIncident rows against the documented playbook coverage matrix — any Critical incident without a triggered playbook run is itself a control failure. Alert threshold Automation-rule delete touching a Critical-severity binding — page on first occurrence. Logic App disable on a playbook referenced by Sentinel — page; the auto-response path is now manual-only. Initial response Restore the automation rule and Logic App state via the IaC baseline; trigger a synthetic incident to confirm the playbook execution succeeds end-to-end. Walk SecurityIncident rows for the exposure window and apply manual containment to any Critical incident that did not benefit from auto-response. Escalate per general/ir.html — confirm Azure Policy Configure Microsoft Sentinel automation rules remains assigned and that the playbook's managed identity retains the requisite Sentinel Contributor role. 
References Microsoft Learn — automate threat response with Sentinel playbooks (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Pair-control: azure-log-08-sentinel-data-lake (detective half, Sentinel SOAR plane). Equivalent on: AWS · GCP · OCI azure-ir-03-snapshot-forensic ! CRITICAL RESPONSIVE Stand up a dedicated forensic Azure subscription (separate management group, no shared role assignments with workload subscriptions) that owns a Storage Account configured with Immutable Blob Storage in Locked mode, with a time-based retention policy of at least one year — preferably seven years to align with regulatory evidence-retention norms. Immutable Blob in Locked mode is write-once-read-many at the API level: not even the subscription owner can delete or shorten the retention of a blob during its lock window, and the lock itself cannot be removed or reduced once locked (Microsoft Learn — Immutable storage for Blob data overview (accessed 2026-05)). This is the Azure analog of the Phase 6 aws-ir-03 decision to use S3 Object Lock in COMPLIANCE mode (not Governance) — the threat model is identical: the very privileges an attacker is most likely to acquire are the ones that would let them disable a bypassable lock. When an incident is declared, the responder snapshots the affected VM's OS and data managed disks using az snapshot create, tagging each snapshot with chain-of-custody metadata (incident_id, captured_by, captured_at, source_resource_id), then exports the snapshot artefacts and the relevant Activity Log slice into the forensic Storage Account. Cross-tenant role assignments granted to an external IR partner's Service Principal allow that partner to read the evidence container without ever having a credential inside the customer tenant. 
The same Immutable Blob Locked mode mechanism is used for defensive storage of business records on azure-data-08-immutable-blob — same mechanism, different posture; this control is the forensic-storage application of that primitive. The principle is documented in General IR — forensics & evidence preservation. MITIGATES: Anti-forensics — an attacker with administrative privileges in the breached subscription deleting Activity Log slices, disk snapshots, or NSG flow log captures to cover their tracks. Also mitigates inadvertent loss (a misconfigured lifecycle management policy that tiers blobs to deletion before retention requirements are met) and regulatory non-compliance with PCI-DSS, HIPAA, and SOX evidence-retention requirements. ATTACK VECTOR: An attacker assumes Owner on the workload subscription via a chained role assignment or a leaked Service Principal client secret. They run az storage blob delete-batch against the same-subscription evidence container, or they delete the snapshots, or they remove the Storage Account entirely. If the evidence lived in the same subscription under the same trust boundary, the chain of custody vanishes. Even Immutable Blob in Unlocked mode is bypassable by a subscription owner — only Locked mode survives a compromised subscription owner. Same-subscription evidence storage is a single point of failure for forensic reconstruction. BLAST RADIUS: Without this control, the entire forensic record for an incident is at the mercy of the breached subscription's owners. With this control, the forensic record is reachable only from a subscription whose trust boundary was not breached, and the records themselves cannot be deleted until their retention expires — even by the subscription owner of the forensic subscription. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # All commands run in the FORENSIC subscription context. 
az account set --subscription \"$FORENSIC_SUB_ID\" # (1) Storage Account for forensic evidence — geo-redundant, blob-versioning ON. az storage account create \\ --resource-group rg-forensic-prod \\ --name stforensicirprodweu \\ --location westeurope \\ --sku Standard_GRS \\ --kind StorageV2 \\ --allow-blob-public-access false \\ --public-network-access Disabled \\ --enable-hierarchical-namespace false # (2) Enable blob versioning (prerequisite for version-level immutability). az storage account blob-service-properties update \\ --account-name stforensicirprodweu \\ --enable-versioning true # (3) Create the evidence container. az storage container create \\ --account-name stforensicirprodweu \\ --name ir-evidence \\ --auth-mode login # (4) Apply a time-based immutability policy in LOCKED mode (1-year retention). # Once locked, no API call by any principal can delete or shorten the lock. az storage container immutability-policy create \\ --account-name stforensicirprodweu \\ --container-name ir-evidence \\ --period 365 \\ --allow-protected-append-writes true az storage container immutability-policy lock \\ --account-name stforensicirprodweu \\ --container-name ir-evidence \\ --if-match \"*\" # (5) Snapshot a VM's OS disk and tag with chain-of-custody metadata. INCIDENT_ID=ir-2026-05-23-001 DISK_ID=$(az vm show --resource-group rg-workload-prod --name vm-app-01 \\ --query storageProfile.osDisk.managedDisk.id -o tsv) az snapshot create \\ --resource-group rg-forensic-prod \\ --name snap-${INCIDENT_ID}-vm-app-01-os \\ --source \"$DISK_ID\" \\ --incremental true \\ --tags incident_id=$INCIDENT_ID captured_by=responder-bg01 \\ captured_at=$(date -u +%FT%TZ) source_resource_id=$DISK_ID</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Immutable storage for Blob data (accessed 2026-05) # Forensic Storage Account in the FORENSIC subscription. 
resource \"azurerm_storage_account\" \"forensic\" { name = \"stforensicirprodweu\" resource_group_name = azurerm_resource_group.forensic.name location = \"westeurope\" account_tier = \"Standard\" account_replication_type = \"GRS\" allow_nested_items_to_be_public = false public_network_access_enabled = false blob_properties { versioning_enabled = true } } # Evidence container. resource \"azurerm_storage_container\" \"ir_evidence\" { name = \"ir-evidence\" storage_account_name = azurerm_storage_account.forensic.name container_access_type = \"private\" } # Time-based immutability policy in LOCKED mode — 1-year retention; once # applied, this policy_mode = \"Locked\" cannot be reduced or removed. resource \"azurerm_storage_container_immutability_policy\" \"ir_evidence\" { storage_container_resource_manager_id = azurerm_storage_container.ir_evidence.resource_manager_id immutability_period_in_days = 365 protected_append_writes_all_enabled = true locked = true } # Cross-tenant role assignment for the external IR partner's Service Principal. # The partner SP reads evidence without ever holding a credential in this tenant. 
resource \"azurerm_role_assignment\" \"ir_partner_reader\" { scope = azurerm_storage_account.forensic.id role_definition_name = \"Storage Blob Data Reader\" principal_id = var.ir_partner_service_principal_object_id }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Source managed disk to snapshot for forensic analysis.') param sourceDiskResourceId string @description('Snapshot name (forensic-evidence-<timestamp>).') param snapshotName string param location string = resourceGroup().location resource snap 'Microsoft.Compute/snapshots@2024-03-02' = { name: snapshotName location: location sku: { name: 'Standard_ZRS' } properties: { creationData: { createOption: 'Copy' sourceResourceId: sourceDiskResourceId } incremental: false networkAccessPolicy: 'DenyAll' publicNetworkAccess: 'Disabled' diskAccessId: null } tags: { 'forensic-evidence': 'true' 'do-not-delete': 'true' } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as compute from \"@pulumi/azure-native/compute\"; new compute.Snapshot(\"forensic-evidence\", { resourceGroupName: \"<rg>\", snapshotName: \"forensic-evidence-2026-05-26\", sku: { name: compute.SnapshotStorageAccountTypes.Standard_ZRS }, creationData: { createOption: compute.DiskCreateOption.Copy, sourceResourceId: \"/subscriptions/.../disks/<source-disk>\", }, incremental: false, networkAccessPolicy: compute.NetworkAccessPolicy.DenyAll, publicNetworkAccess: compute.PublicNetworkAccess.Disabled, tags: { \"forensic-evidence\": \"true\", \"do-not-delete\": \"true\", }, }); </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a(best-practices)n/an/a AU-11; IR-4(7); SI-7A.5.28; A.8.13CLD.12.4.5 Log signals AzureActivity Microsoft.Compute/snapshots/delete on snapshots tagged 
forensic=true or stored in the dedicated forensics resource group — interferes with evidence chain. AzureActivity write events on the forensics Storage Account where immutability policy enforcement is reduced — investigation archive integrity at risk. Audit-failure spikes against the forensics resource group's RBAC scope — adversary probing the evidence vault. Query <code class=\"language-sql\">AzureActivity | where ResourceId contains \"/resourceGroups/rg-forensics\" or ResourceId contains \"snapshots\" | where OperationNameValue endswith \"/delete\" or OperationNameValue endswith \"/write\" | extend body = tostring(parse_json(Properties).requestbody) | project TimeGenerated, Caller, ResourceId, OperationNameValue, body, ActivityStatusValue | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. The forensics resource group should be tightly scoped via RBAC and Azure Policy; persist as a Sentinel analytics rule with severity High and treat any write or delete as worth reviewing immediately. Alert threshold Delete on any resource in the forensics resource group — page on first occurrence. Three or more authorization-failed events in the forensics scope within a 1h window — page; adversary is probing the evidence vault. Initial response Restore the deleted snapshot from the immutable archive container or from the regional backup vault; capture the AzureActivity Caller as the actor of record. Walk RBAC role-assignment writes targeting the forensics resource group during the prior 30 days — any new principal that should not have evidence-vault access is itself an incident. Escalate per general/ir.html — confirm the forensics-scope Azure Policy Resource locks should be applied to forensic resources remains in deny mode. 
References Microsoft Learn — computer forensics chain-of-custody in Azure (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Pair-control: azure-data-08-immutable-blob (same Locked-mode mechanism; defensive vs forensic posture). Equivalent on: AWS · GCP · OCI azure-ir-04-sentinel-kql ! HIGH RESPONSIVE Pre-write and version-control a Microsoft Sentinel KQL hunting query library that answers the mos"},{"id":"azure/kubernetes.html","url":"azure/kubernetes.html","title":"Azure AKS Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Kubernetes","description":"Azure Kubernetes Service (AKS) hardening: private cluster, Microsoft Entra Workload Identity, KMS v2 etcd encryption via Azure Key Vault CMK, Entra ID RBAC, Microsoft Defender for Containers, Azure Policy PSS add-on, Log Analytics diagnostic settings, Azure CNI Overlay network policy, User-Assigned Managed Identity, Pod Security Standards.","body":"Azure AKS Hardening Overview This page covers hardening controls for Azure Kubernetes Service (AKS). Both AKS Standard and AKS Automatic cluster modes are addressed — Standard/Automatic differences are noted in per-control callouts immediately below each control header. Where a control is enforced by default in AKS Automatic, the callout identifies it; where AKS Automatic manages a setting on your behalf, the callout explains what Azure handles. See general/kubernetes.html for the cross-cutting threat model, cluster-baseline principles, and common misconfigurations that apply to all providers. Controls are ordered by TSV anchor sequence (which approximates severity: CRITICAL first, then HIGH, then MEDIUM). Terraform examples use hashicorp/azurerm ~> 4.0. The sealed v1.0 Azure pages use the same provider pin — both contracts are mutually consistent. 
Supporting Entra ID Workload Identity prerequisites (federated credentials, UAMI provisioning) live on azure/iam.html; private cluster VNet, private DNS zone, and IP allow-list patterns live on azure/network.html; Log Analytics workspace + Diagnostic Settings sink configuration lives on azure/logging.html. azure-k8s-01 ! CRITICAL PREVENTIVE AKS Standard: Enable --enable-private-cluster + --private-dns-zone system + --api-server-authorized-ip-ranges for any required external management. AKS Automatic: Private cluster is the default; verify with az aks show --query apiServerAccessProfile. CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 §5.5 covers private-cluster posture. Provision the AKS cluster with a private control-plane endpoint so the kube-apiserver is not reachable from the public internet. The cluster's API server gets a private IP inside the VNet and is resolvable only via the linked private DNS zone. For required external management — CI/CD agents, bastions, operator workstations — combine with --api-server-authorized-ip-ranges to allow-list only known CIDRs. A public kube-apiserver is the single largest AKS breach surface — any leaked kubeconfig, service-account token, or Entra ID bearer token becomes immediately usable from any internet host. MITIGATES: Public kube-apiserver exploitation — unauthenticated probing, credential-stuffing, and stolen-token use against the AKS control plane from the internet. ATTACK VECTOR: Attacker recovers a kubeconfig from a leaked CI artifact or a developer laptop, issues kubectl exec, kubectl get secrets, or kubectl apply from any internet host with no network-layer barrier. BLAST RADIUS: Full cluster administrative access — pod execution, Secret exfiltration, workload tampering, and lateral movement into Azure resources accessible via the cluster's managed identities. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_kubernetes_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.location resource_group_name = azurerm_resource_group.aks.name dns_prefix = \"hardened\" private_cluster_enabled = true private_dns_zone_id = \"System\" private_cluster_public_fqdn_enabled = false api_server_access_profile { authorized_ip_ranges = [\"203.0.113.0/24\"] } default_node_pool { name = \"system\" vm_size = \"Standard_D4s_v5\" node_count = 3 } identity { type = \"UserAssigned\" identity_ids = [azurerm_user_assigned_identity.aks_cluster.id] } }</code> Remediation — az aks CLI <code class=\"language-bash\">az aks create \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --enable-private-cluster \\ --private-dns-zone system \\ --disable-public-fqdn \\ --api-server-authorized-ip-ranges 203.0.113.0/24 \\ --enable-managed-identity \\ --assign-identity /subscriptions/SUB/resourceGroups/hardened-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-cluster-uami \\ --network-plugin azure \\ --network-plugin-mode overlay</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('AKS cluster name (private API server endpoint).') param clusterName string @description('Subnet ID for system node pool.') param subnetId string param location string = resourceGroup().location resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = { name: clusterName location: location identity: { type: 'SystemAssigned' } properties: { dnsPrefix: clusterName apiServerAccessProfile: { enablePrivateCluster: true privateDNSZone: 'system' enablePrivateClusterPublicFQDN: false } networkProfile: { networkPlugin: 'azure' networkPolicy: 'cilium' loadBalancerSku: 'standard' } enableRBAC: true aadProfile: { managed: true enableAzureRBAC: true } agentPoolProfiles: [ { name: 'system' count: 3 vmSize: 'Standard_D4ds_v5' mode: 'System' 
vnetSubnetID: subnetId } ] } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as cs from \"@pulumi/azure-native/containerservice\"; import * as resources from \"@pulumi/azure-native/resources\"; const rg = new resources.ResourceGroup(\"aks-rg\"); new cs.ManagedCluster(\"aks-private\", { resourceGroupName: rg.name, identity: { type: cs.ResourceIdentityType.SystemAssigned }, dnsPrefix: \"aks-private\", apiServerAccessProfile: { enablePrivateCluster: true, privateDNSZone: \"system\", enablePrivateClusterPublicFQDN: false, }, networkProfile: { networkPlugin: cs.NetworkPlugin.Azure, networkPolicy: \"cilium\", loadBalancerSku: cs.LoadBalancerSku.Standard, }, enableRBAC: true, aadProfile: { managed: true, enableAzureRBAC: true }, agentPoolProfiles: [{ name: \"system\", count: 3, vmSize: \"Standard_D4ds_v5\", mode: cs.AgentPoolMode.System, vnetSubnetID: \"<subnet-id>\", }], }); </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-01 CRITICAL PREVENTIVE Azure AKS n/a (managed control plane) n/a (verify against CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 PDF) AC-17; SC-7; SC-8 A.8.20; A.8.22 CLD.13.1.4 NIST SP 800-190 §4.4.1 NSA/CISA Kubernetes Hardening Guide v1.2 §2 (Network separation) Log signals AzureActivity OperationNameValue = \"Microsoft.ContainerService/managedClusters/write\" where the request body sets apiServerAccessProfile.enablePrivateCluster = false — flips the cluster API surface from VNet-private back to internet-reachable. AzureActivity body diff showing authorizedIPRanges widened beyond the documented administrator CIDR list (canonical regression: 0.0.0.0/0). 
AzureDiagnostics ResourceProvider = \"MICROSOFT.CONTAINERSERVICE\" Category kube-apiserver entries showing requests from source IPs outside the operator-jump-host network. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.ContainerService/managedClusters/write\" | where ActivityStatusValue == \"Success\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"enablePrivateCluster\\\":false\" or body has \"0.0.0.0/0\" | project TimeGenerated, Caller, CallerIpAddress, ResourceId, body | order by TimeGenerated desc | take 200</code> Run the KQL query in Log Analytics against the workspace receiving AzureActivity export. Promote to a Sentinel analytics rule with severity High; the AKS control plane is one of the highest-value lateral-movement pivots in the tenant. Alert threshold Any flip of enablePrivateCluster from true to false in production — page immediately; the cluster control plane is now reachable from the internet until rolled back. Any 0.0.0.0/0 entry appearing in authorizedIPRanges — block via Azure Policy preview before alert fan-out and treat the attempt as the incident. Initial response Roll back via az aks update --name {cluster} --resource-group {rg} --enable-private-cluster or apply the IaC baseline; capture the AzureActivity OperationId and Caller as the forensic ledger entry. Inspect the AKS control-plane audit logs (kube-apiserver Category in AzureDiagnostics) for the exposure window — any verb=create or verb=patch from an unexpected sourceIPs warrants treating affected pods as compromised. Escalate per general/ir.html — rotate cluster certificates via az aks rotate-certs and confirm the Azure Policy denying enablePrivateCluster=false is in deny mode. 
References Microsoft Learn — create a private AKS cluster (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent controls in other providers: GKE private cluster + authorized networks, EKS private endpoint, OKE private API endpoint. azure-k8s-02 ! HIGH PREVENTIVE AKS Standard: Enable --enable-workload-identity + --enable-oidc-issuer at cluster create (or via az aks update on an existing cluster). AKS Automatic: Microsoft Entra Workload Identity is enabled by default; the OIDC issuer URL is provisioned automatically. ServiceAccount annotation: azure.workload.identity/client-id: <UAMI-CLIENT-ID>. The federated identity credential on the UAMI binds the Kubernetes ServiceAccount subject to the User-Assigned Managed Identity in Microsoft Entra ID. Use Microsoft Entra Workload Identity so pods authenticate to Azure resources via short-lived OIDC tokens federated to a User-Assigned Managed Identity (UAMI) — no static secrets stored in the cluster. The Kubernetes ServiceAccount projects an OIDC token; Microsoft Entra ID validates the token against the federated credential and exchanges it for an Azure access token scoped to the UAMI. Microsoft Entra Workload Identity replaced the previous Azure AD pod identity mechanism (the legacy pod-identity webhook + MIC controller pair, end-of-life September 2025). The current mechanism is Azure-native, requires no add-on controllers in the cluster, and integrates directly with Microsoft Entra ID's federated credential model. MITIGATES: Static Azure credential leakage from the cluster — service-principal client secrets in Kubernetes Secrets, kubeconfig files, or environment variables. ATTACK VECTOR: Attacker compromises a pod (RCE, SSRF, dependency confusion), reads a mounted Secret containing an Azure service-principal client secret, calls Azure ARM with that identity. 
BLAST RADIUS: All Azure resources the UAMI is granted access to via Azure RBAC — Key Vault secrets, Storage Accounts, Cosmos DB, ACR pulls, additional managed identities the UAMI can impersonate. Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_user_assigned_identity\" \"app\" { name = \"app-workload-uami\" resource_group_name = azurerm_resource_group.aks.name location = var.location } resource \"azurerm_federated_identity_credential\" \"app\" { name = \"app-federated\" resource_group_name = azurerm_resource_group.aks.name parent_id = azurerm_user_assigned_identity.app.id audience = [\"api://AzureADTokenExchange\"] issuer = azurerm_kubernetes_cluster.hardened.oidc_issuer_url subject = \"system:serviceaccount:production:app-sa\" } # AKS cluster flags resource \"azurerm_kubernetes_cluster\" \"hardened\" { # ... other args ... workload_identity_enabled = true oidc_issuer_enabled = true }</code> Remediation — az aks CLI + kubectl <code class=\"language-bash\">az aks update \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --enable-workload-identity \\ --enable-oidc-issuer # Create the federated identity credential on the UAMI az identity federated-credential create \\ --name app-federated \\ --identity-name app-workload-uami \\ --resource-group hardened-rg \\ --issuer \"$(az aks show -g hardened-rg -n hardened-cluster --query oidcIssuerProfile.issuerUrl -o tsv)\" \\ --subject \"system:serviceaccount:production:app-sa\" \\ --audiences \"api://AzureADTokenExchange\" # Annotate the Kubernetes ServiceAccount kubectl create serviceaccount app-sa --namespace production kubectl annotate serviceaccount app-sa --namespace production \\ azure.workload.identity/client-id=<UAMI-CLIENT-ID></code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Existing AKS cluster.') param clusterName string resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = { 
name: clusterName location: resourceGroup().location properties: { oidcIssuerProfile: { enabled: true } securityProfile: { workloadIdentity: { enabled: true } } } } </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-02 HIGH PREVENTIVE Azure AKS n/a (managed control plane) n/a (verify against CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 PDF) IA-2; AC-6; IA-5 A.5.15; A.5.18 n/a NIST SP 800-190 §4.4.2 NSA/CISA Kubernetes Hardening Guide v1.2 §4 (Authentication and authorization) Log signals AzureActivity Microsoft.ContainerService/managedClusters/write where oidcIssuerProfile.enabled or securityProfile.workloadIdentity.enabled flips from true to false — disarms the federated-credential path and forces secret fallback. AKSAuditAdmin entries where verb = \"create\" targets secrets resources with names matching *-azure-credentials within an hour of the workload-identity disable event. AuditLogs Category = \"ApplicationManagement\" showing a federated identity credential removal (Update application – Certificates and secrets management) from a service principal mapped to a cluster service account. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.ContainerService/managedClusters/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"workloadIdentity\\\":{\\\"enabled\\\":false\" or body has \"oidcIssuerProfile\\\":{\\\"enabled\\\":false\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run the KQL query in Log Analytics; AKS workload identity disablement is the supply-chain pivot toward Kubernetes Secret-backed credentials. 
Pair with a Sentinel analytics rule joining the AKSAuditAdmin secret-create stream over a 60-minute window. Alert threshold Any workload identity disablement in production — page immediately; pods are now reauthenticating with whatever secret is on disk. Three or more federated-credential removals across the tenant in a 24h window — supply-chain campaign targeting workload-identity tenants. Initial response Re-enable via az aks update --enable-workload-identity --enable-oidc-issuer; reapply federated credentials per the IaC baseline and force a rolling restart of affected namespaces. Inspect AKSAuditAdmin for the exposure window — every Secret read by a workload that should be using federated credentials is a leak event. Escalate per general/ir.html — rotate any service-principal secret that was issued during the disable window and reconfirm the Azure Policy denying workload-identity disable is in deny mode. References Microsoft Learn — AKS workload identity overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent controls in other providers: GKE Workload Identity Federation, EKS Pod Identity, OKE Workload Identity. azure-k8s-03 ! HIGH PREVENTIVE AKS Standard: Enable KMS v2 envelope encryption via --enable-azure-keyvault-kms + --azure-keyvault-kms-key-id referencing a Customer-Managed Key (CMK) in Azure Key Vault. KMS v2 is the current Kubernetes envelope encryption protocol (KMS v1 is deprecated as of Kubernetes 1.28). AKS Automatic: KMS v2 + Azure Key Vault integration is opt-in even in Automatic mode; pass the same flags at cluster creation. Network access on the Key Vault must be restricted (Private Link recommended) so the KMS plugin reaches the vault over the VNet only. Enable KMS v2 envelope encryption for the AKS etcd store so Kubernetes Secrets are encrypted at the application layer with a Customer-Managed Key (CMK) held in Azure Key Vault. 
This sits on top of Azure-managed at-rest encryption and gives the customer authoritative control over the key lifecycle — rotation cadence, access policies, and emergency revocation. Without CMK envelope encryption, the encryption key is held entirely by Azure; with it, key revocation in Key Vault immediately renders all cluster Secret material undecryptable until the key is restored. MITIGATES: Cloud-provider-layer compromise of etcd contents, and BYOK / sovereign-key compliance requirements that mandate customer-held key material. ATTACK VECTOR: Cloud-provider-layer or insider actor reads etcd snapshot data outside the Kubernetes API path; without envelope encryption, Secret values are recoverable. BLAST RADIUS: All Kubernetes Secrets in the cluster — service-account tokens, TLS private keys, database connection strings, API keys, OAuth client secrets stored as Secret objects. Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_key_vault\" \"aks_kms\" { name = \"aks-kms-kv\" location = var.location resource_group_name = azurerm_resource_group.aks.name tenant_id = data.azurerm_client_config.current.tenant_id sku_name = \"premium\" purge_protection_enabled = true enable_rbac_authorization = true network_acls { default_action = \"Deny\" bypass = \"AzureServices\" } } resource \"azurerm_key_vault_key\" \"aks_etcd\" { name = \"aks-etcd-cmk\" key_vault_id = azurerm_key_vault.aks_kms.id key_type = \"RSA\" key_size = 2048 key_opts = [\"wrapKey\", \"unwrapKey\"] } resource \"azurerm_kubernetes_cluster\" \"hardened\" { # ... other args ... 
key_management_service { key_vault_key_id = azurerm_key_vault_key.aks_etcd.id key_vault_network_access = \"Private\" } }</code> Remediation — az aks CLI <code class=\"language-bash\">KEY_ID=$(az keyvault key show \\ --vault-name aks-kms-kv \\ --name aks-etcd-cmk \\ --query key.kid -o tsv) az aks create \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --enable-azure-keyvault-kms \\ --azure-keyvault-kms-key-id \"$KEY_ID\" \\ --azure-keyvault-kms-key-vault-network-access Private \\ --azure-keyvault-kms-key-vault-resource-id /subscriptions/SUB/resourceGroups/hardened-rg/providers/Microsoft.KeyVault/vaults/aks-kms-kv \\ --enable-managed-identity</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('AKS cluster name (must have OIDC + workload identity for KMS plugin).') param clusterName string @description('Versionless Key Vault key URI for etcd KMS plugin.') param keyVaultKeyId string @description('Key Vault resource ID granting AKS identity Encrypt/Decrypt.') param keyVaultResourceId string resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = { name: clusterName location: resourceGroup().location properties: { securityProfile: { azureKeyVaultKms: { enabled: true keyId: keyVaultKeyId keyVaultNetworkAccess: 'Private' keyVaultResourceId: keyVaultResourceId } } } } </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-03 HIGH PREVENTIVE Azure AKS §1.2 (etcd encryption posture) n/a (verify against CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 PDF) SC-28; IA-5 A.8.24; A.8.10 n/a NIST SP 800-190 §4.3.2 NSA/CISA Kubernetes Hardening Guide v1.2 §5 (Log auditing and threat detection — secrets handling) Log signals AzureActivity 
Microsoft.ContainerService/managedClusters/write where securityProfile.azureKeyVaultKms.enabled flips to false or where keyId is removed — disables the Key Vault-backed envelope encryption layer for cluster secrets. AzureDiagnostics ResourceProvider = \"MICROSOFT.KEYVAULT\" OperationName = \"KeyDelete\" targeting the cluster KMS key — would silently strip the unwrap path. AKSAuditAdmin entries showing repeated 500-class responses to secrets reads — symptom of a broken KMS plugin chain after key rotation gone wrong. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.ContainerService/managedClusters/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"azureKeyVaultKms\\\":{\\\"enabled\\\":false\" or body has \"\\\"keyId\\\":\\\"\\\"\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 100</code> Run the KQL query in Log Analytics and persist as a Sentinel analytics rule. KMS-disable on a running AKS cluster is rare and indicates either a misconfigured operator action or deliberate envelope-encryption bypass. Alert threshold Any KMS disablement on a cluster carrying production data — page on first occurrence. Key Vault key delete event on a key referenced by an AKS cluster — page immediately; the cluster will fail to unwrap secrets within minutes. Initial response Re-enable KMS via az aks update --enable-azure-keyvault-kms --azure-keyvault-kms-key-id {keyUri}; if the underlying Key Vault key was deleted, soft-delete recovery via az keyvault key recover is the first move. Snapshot etcd via az aks command invoke --command \"kubectl get secrets -A -o yaml\" from a privileged-access workstation to enumerate what secrets the cluster currently believes it holds; treat any drift versus the GitOps source as suspect. 
Escalate per general/ir.html — rotate all cluster-scoped secrets via the IaC pipeline and reconfirm the Key Vault firewall + RBAC scope still permits the cluster's managed identity. References Microsoft Learn — use Key Vault for AKS etcd encryption (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent controls in other providers: GKE Cloud KMS application-layer secrets encryption, EKS KMS envelope encryption, OKE OCI Vault CMK secrets encryption. azure-k8s-04 ! HIGH DETECTIVE AKS Standard: Enable Microsoft Defender for Containers via az aks update --enable-defender or by enabling the Defender for Containers plan in Microsoft Defender for Cloud at subscription scope. AKS Automatic: Defender for Containers is enabled by default; verify in the Microsoft Defender for Cloud portal under Environment settings. Enable Microsoft Defender for Containers to provide runtime threat protection (eBPF-based detection on cluster nodes), admission control posture, vulnerability scanning of running workloads, and centralized security posture management in Microsoft Defender for Cloud. Defender for Containers is the AKS-native answer to runtime detection: it streams kernel-level signals through an eBPF sensor on each node and correlates them against Microsoft's threat library, flagging cryptominer execution, reverse-shell patterns, privilege-escalation attempts, and known-malicious-binary hashes. Without it, in-pod behavior between API events is invisible. MITIGATES: Post-compromise runtime threats inside pods — cryptomining, reverse shells, container-escape attempts, privilege escalation, malicious-binary execution. ATTACK VECTOR: Attacker establishes initial access via an exploitable workload (vulnerable web framework, misconfigured ingress), pivots inside the pod or escapes to the node; without runtime detection, this activity is invisible until lateral movement reaches the K8s API. 
BLAST RADIUS: Without Defender — no runtime telemetry; with Defender — Microsoft Defender for Cloud alerts emit within minutes, scoped to namespace/pod/node with the kernel-level event chain. Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_log_analytics_workspace\" \"aks\" { name = \"aks-law\" location = var.location resource_group_name = azurerm_resource_group.aks.name sku = \"PerGB2018\" retention_in_days = 90 } resource \"azurerm_kubernetes_cluster\" \"hardened\" { # ... other args ... microsoft_defender { log_analytics_workspace_id = azurerm_log_analytics_workspace.aks.id } } # Subscription-scoped Defender for Containers plan (optional but recommended) resource \"azurerm_security_center_subscription_pricing\" \"containers\" { tier = \"Standard\" resource_type = \"Containers\" }</code> Remediation — az aks CLI <code class=\"language-bash\">LAW_ID=$(az monitor log-analytics workspace show \\ --resource-group hardened-rg \\ --workspace-name aks-law \\ --query id -o tsv) az aks update \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --enable-defender \\ --defender-config-workspace-resource-id \"$LAW_ID\" # Subscription-scoped plan az security pricing create --name Containers --tier Standard</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'subscription' resource defenderContainers 'Microsoft.Security/pricings@2024-01-01' = { name: 'Containers' properties: { pricingTier: 'Standard' subPlan: 'ContainerSensor' } } </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-04 HIGH DETECTIVE Azure AKS n/a (runtime detection) n/a (verify against CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 PDF) SI-3; SI-4; AU-12 A.8.7; A.8.16 CLD.12.4.5 NIST SP 800-190 
§4.4.4 NSA/CISA Kubernetes Hardening Guide v1.2 §6 (Audit logging and threat detection) Log signals AzureActivity Microsoft.Security/pricings/write where name = \"Containers\" and the request body sets pricingTier = \"Free\" — disarms the Defender for Containers analytics layer across the tenant or subscription. AzureDiagnostics ResourceProvider = \"MICROSOFT.SECURITY\" entries where OperationName matches \"DefenderForContainersConfiguration/Disable\" at the cluster scope. SecurityAlert table entries that abruptly drop to zero per-cluster after a previously steady baseline — indicates the sensor agent is no longer reporting. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.Security/pricings/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"Containers\" and body has \"Free\" | project TimeGenerated, Caller, SubscriptionId, body | order by TimeGenerated desc | take 100</code> Run as a KQL query in Log Analytics. Pair with a daily anomaly query against the SecurityAlert table grouped by cluster — sudden silence is more informative than the disable event itself when the disable was applied at a parent scope. Alert threshold Any flip of the Containers plan from Standard to Free at the subscription or tenant scope — page on first occurrence; entire cluster fleets just lost run-time threat detection. A 24h window with zero SecurityAlerts for a cluster that previously generated more than five — investigate the sensor health and the underlying Defender plan state. Initial response Re-enable via az security pricing create --name Containers --tier Standard; reconfirm the cluster's Microsoft Defender extension is healthy via az aks show --query securityProfile.defender. Run a baseline sweep with the Defender for Containers vulnerability assessment query in Defender XDR to confirm the agent backlog has drained. 
Escalate per general/ir.html — the disable window itself is incident-grade if any production cluster was uncovered; confirm the Azure Policy denying Defender plan downgrade is in deny mode. References Microsoft Learn — Microsoft Defender for Containers overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI azure-k8s-05 ! HIGH PREVENTIVE AKS Standard: Enable the Azure Policy add-on via az aks enable-addons --addons azure-policy. Assign the built-in initiative Kubernetes cluster pod security restricted standards for Linux-based workloads at cluster or subscription scope to enforce Pod Security Standards via Azure Policy. AKS Automatic: The Azure Policy add-on is enabled by default; the operator still chooses which initiative to assign. Enable the Azure Policy add-on for AKS and assign the built-in Pod Security Standards initiative to enforce the Restricted profile at admission time. The Azure Policy add-on installs the Gatekeeper-based admission controller in the cluster and translates Azure Policy assignments into ConstraintTemplates and Constraints; this gives a single Azure-native policy-as-code surface that covers both Azure ARM resources and in-cluster Kubernetes objects. The built-in Restricted-PSS initiative blocks privileged pod creation, hostPath mounts, host namespace sharing, and other workload-tenant escape vectors. This control intentionally covers both Azure Policy add-on enablement and Pod Security Standards enforcement, because Azure Policy is the AKS-native PSS enforcement path; the upstream Kubernetes PodSecurity admission controller is also available as a parallel mechanism. MITIGATES: Privileged-pod escape, hostPath-based node compromise, and other workload patterns explicitly forbidden by the upstream Restricted Pod Security Standard. ATTACK VECTOR: Attacker with namespace-create or pod-create rights deploys a workload requesting privileged: true, mounts the host filesystem, and escapes the container to the node. 
BLAST RADIUS: Without PSS enforcement — any pod-creator can compromise the underlying node and pivot to other tenants on the same node; with PSS Restricted — privileged manifests are rejected at admission time. Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_kubernetes_cluster\" \"hardened\" { # ... other args ... azure_policy_enabled = true } # Assign the built-in PSS Restricted initiative to the cluster scope data \"azurerm_policy_set_definition\" \"pss_restricted\" { display_name = \"Kubernetes cluster pod security restricted standards for Linux-based workloads\" } resource \"azurerm_resource_group_policy_assignment\" \"pss\" { name = \"aks-pss-restricted\" resource_group_id = azurerm_resource_group.aks.id policy_definition_id = data.azurerm_policy_set_definition.pss_restricted.id parameters = jsonencode({ effect = { value = \"deny\" } }) }</code> Remediation — az aks CLI <code class=\"language-bash\">az aks enable-addons \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --addons azure-policy # Assign the built-in PSS Restricted initiative INIT_ID=$(az policy set-definition list \\ --query \"[?displayName=='Kubernetes cluster pod security restricted standards for Linux-based workloads'].id | [0]\" -o tsv) az policy assignment create \\ --name aks-pss-restricted \\ --policy-set-definition \"$INIT_ID\" \\ --scope /subscriptions/SUB/resourceGroups/hardened-rg \\ --params '{\"effect\":{\"value\":\"deny\"}}'</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('AKS cluster to enable Azure Policy add-on on.') param clusterName string resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' = { name: clusterName location: resourceGroup().location properties: { addonProfiles: { azurepolicy: { enabled: true } } } } // Assign restricted-pod-security policy initiative at the cluster scope (RG-scoped here). 
resource policyAssign 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'aks-restricted-pod-security' properties: { policyDefinitionId: tenantResourceId('Microsoft.Authorization/policySetDefinitions', '42b8ef37-b724-4e24-bbc8-7a7708edfe00') displayName: 'Kubernetes cluster pod security restricted standards' } } </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-05 HIGH PREVENTIVE Azure AKS §5.2 (Pod security) n/a (verify against CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 PDF) CM-6; AC-6; SI-3 A.8.9; A.8.28 CLD.6.3.1 NIST SP 800-190 §4.2 NSA/CISA Kubernetes Hardening Guide v1.2 §3 (Pod security) Log signals AzureActivity Microsoft.ContainerService/managedClusters/write where the request body removes azurepolicy from addonProfiles or sets enabled = false — disarms the Gatekeeper admission webhook chain. AKSAuditAdmin entries showing admission decisions disappear from the stream — Gatekeeper's ValidatingAdmissionWebhook log entries should be continuous; gaps indicate webhook failure-open. AzureActivity Microsoft.Authorization/policyAssignments/delete targeting a Kubernetes-policy initiative — coverage erosion at the policy layer rather than the addon. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.ContainerService/managedClusters/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"azurepolicy\\\":{\\\"enabled\\\":false\" or (body has \"addonProfiles\" and not(body has \"azurepolicy\")) | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 100</code> Run the KQL query in Log Analytics. 
Azure Policy addon disablement is one of the highest-signal AKS coverage regressions; persist as a Sentinel analytics rule with severity High. Alert threshold Any Azure Policy addon disable on a production cluster — page on first occurrence. Cluster-policy initiative delete that takes the cluster outside the documented policy assignment scope — page immediately even if the addon is still enabled. Initial response Re-enable via az aks enable-addons --addons azure-policy; confirm the policy initiative is still assigned to the resource group via az policy assignment list. Sweep recent AKSAuditAdmin for any resource that would have failed the policy gate during the disable window — privileged pods, hostNetwork enablement, hostPath mounts — and treat them as suspect. Escalate per general/ir.html — reconfirm the parent Azure Policy denying addon-disable is in deny mode and that the initiative compliance scan has refreshed. References Microsoft Learn — Azure Policy for Kubernetes (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent controls in other providers: GKE PSS via PodSecurity admission, EKS PSS namespace labels, OKE PSS admission. azure-k8s-06 ! HIGH PREVENTIVE AKS Standard: Enable Microsoft Entra ID integration + Azure RBAC for Kubernetes Authorization at cluster create — pass --enable-aad --enable-azure-rbac --aad-admin-group-object-ids <GROUP-OID> --disable-local-accounts. AKS Automatic: Entra ID integration, Azure RBAC for K8s Authorization, and local-accounts-disabled are all defaults. Use Microsoft Entra ID as the cluster authentication provider and Azure RBAC for Kubernetes Authorization as the authorization layer, then disable local Kubernetes accounts via --disable-local-accounts. 
The local-accounts-disabled flag is the critical hardening step here: legacy local Kubernetes admin accounts (kubeconfig credentials issued by the cluster itself) sit outside Microsoft Entra ID's authentication and audit pipeline, so if a legacy kubeconfig leaks, the attacker bypasses Conditional Access policies, MFA, and Entra ID sign-in logs entirely. Azure built-in roles such as Azure Kubernetes Service RBAC Admin, Azure Kubernetes Service RBAC Cluster Admin, Azure Kubernetes Service RBAC Reader, and Azure Kubernetes Service RBAC Writer map to Kubernetes verbs and resources, so role assignments live in Azure RBAC rather than Kubernetes RoleBindings. MITIGATES: Authentication bypass via legacy local Kubernetes accounts that sit outside Microsoft Entra ID audit and Conditional Access policies. ATTACK VECTOR: Attacker recovers a legacy kubeconfig (with local-account credentials) from a CI artifact, developer laptop, or backup; uses it to call the AKS API without ever touching Microsoft Entra ID sign-in logs or Conditional Access enforcement. BLAST RADIUS: Full cluster administrative access with no Entra ID audit footprint — the attacker's kubectl commands appear only in kube-audit logs (and only if those are forwarded), not in Microsoft Entra ID sign-in logs. Remediation — Terraform <code class=\"language-hcl\"># Terraform Azure provider ~> 4.0 resource \"azurerm_kubernetes_cluster\" \"hardened\" { # ... other args ... 
local_account_disabled = true azure_active_directory_role_based_access_control { tenant_id = data.azurerm_client_config.current.tenant_id admin_group_object_ids = [var.aks_admin_group_oid] azure_rbac_enabled = true } } # Assign Azure RBAC for Kubernetes role to a user/group resource \"azurerm_role_assignment\" \"aks_rbac_admin\" { scope = azurerm_kubernetes_cluster.hardened.id role_definition_name = \"Azure Kubernetes Service RBAC Admin\" principal_id = var.platform_team_group_oid }</code> Remediation — az aks CLI <code class=\"language-bash\">az aks create \\ --resource-group hardened-rg \\ --name hardened-cluster \\ --enable-aad \\ --enable-azure-rbac \\ --aad-admin-group-object-ids <GROUP-OID> \\ --disable-local-accounts \\ --enable-managed-identity # Grant Azure RBAC for Kubernetes role to a user az role assignment create \\ --assignee <USER-OID> \\ --role \"Azure Kubernetes Service RBAC Admin\" \\ --scope /subscriptions/SUB/resourceGroups/hardened-rg/providers/Microsoft.ContainerService/managedClusters/hardened-cluster</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Existing AKS cluster name.') param clusterName string @description('Entra ID group for SREs (RBAC Cluster Admin).') param sreGroupObjectId string resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' existing = { name: clusterName } // AKS RBAC Cluster Admin role var clusterAdminRoleId = 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' resource assignSre 'Microsoft.Authorization/roleAssignments@2024-04-01' = { scope: aks name: guid(aks.id, sreGroupObjectId, clusterAdminRoleId) properties: { principalId: sreGroupObjectId principalType: 'Group' roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', clusterAdminRoleId) } } </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Azure Kubernetes Service (AKS) Benchmark v2.0.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 
27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 azure-k8s-06 HIGH"},{"id":"azure/logging.html","url":"azure/logging.html","title":"Azure Logging & Detection Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Logging & Detection","description":"Azure logging & detection: Activity Log centralization via Diagnostic Settings, Defender for Cloud (CSPM/CWPP), Microsoft Sentinel (SIEM/SOAR), NSG flow logs v2, Activity Log alerts.","body":"Azure Logging & Detection Hardening Overview This page covers Microsoft Azure logging and detection hardening — the surfaces that decide whether an attacker's footprints are captured durably, surfaced quickly, and correlated into an actionable incident. Scope is the Azure commercial regions; Azure Government and Azure operated by 21Vianet (China) inherit the same control structure but expose a separate Log Analytics workspace topology, a separate Microsoft Sentinel data residency boundary, and a separate Microsoft Defender for Cloud regulatory compliance catalogue — re-verify region table caveats and the Microsoft Graph endpoint before applying any of the IaC below to a non-commercial cloud. CIS sub-IDs and NIST / ISO mappings throughout this page reference the commercial Microsoft Azure Foundations Benchmark v3.0.0 (Feb 2025) unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. Azure exposes three distinct log streams, and they are routinely conflated in audit reports. Activity Log is the subscription-level control-plane log: every ARM API call against a subscription (role assignments, NSG rule writes, Key Vault deletes, policy assignments, resource manager critical operations) emits an Activity Log event. 
It is per-subscription, kept by the platform for 90 days only, and must be routed via Diagnostic Settings into a durable sink to outlive that window. Resource (Diagnostic) Logs are the per-resource data-plane logs: Storage Account read/write/delete, Key Vault key operations, Application Gateway requests, AKS audit, SQL audit, Service Bus, Event Hubs, and every other resource-type that emits a diagnostic category. Each resource is configured individually (or via Azure Policy at scale) with a Diagnostic Setting that routes the logs to a Log Analytics workspace, a Storage Account (archive), or an Event Hub (streaming). Microsoft Entra ID Audit and Sign-in Logs are the directory-plane logs: every directory write (user create, group membership change, application consent grant) emits an Audit Log event; every interactive and non-interactive sign-in emits a Sign-in Log event. Entra logs are tenant-scoped, not subscription-scoped, and require a separate Diagnostic Setting on the Entra tenant resource to flow into the same Log Analytics workspace as the resource and Activity logs (covered on the Azure IAM page). Pretending these are one stream — or assuming \"Activity Log covers it all\" — is the canonical Azure logging misconfiguration; the controls below treat each stream as a separate enforcement target. Two anti-conflation callouts up front, because the boundary they describe is the one most often blurred in Azure audit reviews. First: Microsoft Defender for Cloud and Microsoft Sentinel are complementary products, not substitutes. 
Defender for Cloud is the Azure-native CSPM (Cloud Security Posture Management) and CWPP (Cloud Workload Protection Platform) plane — it scores posture against built-in regulatory initiatives (CIS Microsoft Azure Foundations v6.0.0, NIST 800-53, ISO 27001, PCI-DSS), it runs workload-protection plans on Servers / Storage / SQL / Containers / Key Vault / App Service / Resource Manager / DNS, and it emits security alerts and recommendations into the Defender alerts blade. Microsoft Sentinel is the Azure-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) plane — it ingests data via connectors from Defender for Cloud, Microsoft Entra ID, Activity Log, Office 365, Defender XDR, third-party firewalls, and arbitrary syslog / CEF / custom sources; it runs analytics rules expressed in KQL on top of that data; and it executes automated playbooks via Logic Apps in response to incidents. The recommended end-to-end pipeline is Defender for Cloud alerts → Sentinel incidents (via the Defender for Cloud data connector) → Sentinel automation rules → Logic App playbooks (isolate VM, disable identity, snapshot disk, page on-call). They are independently licensed (Defender for Cloud per protected resource-hour; Sentinel per GB ingested into the workspace), independently administered, and answer different questions: Defender answers \"what is wrong with my posture and what active threats are running on my workloads right now\"; Sentinel answers \"across every log source I have, what correlated story can I tell about an incident, and how do I respond to it automatically\". Adopting one and skipping the other leaves a gap; adopting both and connecting them is the design intent. The two controls on this page that codify this boundary are azure-log-04 (Defender for Cloud plans) and azure-log-08 (Sentinel onboarding + SOAR). 
Second: Defender for Cloud's regulatory compliance dashboard (azure-log-03) and Defender for Cloud's Secure Score (azure-log-05) are two different surfaces of the same product. The regulatory dashboard scores a subscription against an assigned policy initiative (e.g., CIS Microsoft Azure Foundations Benchmark v3.0.0) and tracks remediation per CIS sub-ID; Secure Score is the umbrella weighted posture metric across all Defender recommendations regardless of initiative, and is the operational KPI for the security team's monthly review cadence. Both ship; both are populated by the same engine; both have distinct review rituals. Order and scope matter. Controls 01–02 are foundational invariants: route every subscription's Activity Log into a central Log Analytics workspace via mgmt-group-enforced Diagnostic Settings, and route every regulated Storage Account's data-plane logs into the same workspace. Controls 03–05 are the Defender for Cloud surface in three layers: regulatory compliance initiative assignment + auto-remediation (03), workload-protection plan enablement subscription-wide (04), and Secure Score baseline + monthly cadence + workflow automation (05). Control 06 captures L4 network flow telemetry via NSG Flow Logs v2 with Traffic Analytics. Control 07 wires Activity Log alerts on the canonical critical-event set (role assignment writes, NSG rule changes, Key Vault deletes, policy assignments, Resource Manager critical operations). Control 08 onboards Microsoft Sentinel into the central workspace and closes the SOAR loop with automation rules and Logic App playbooks. Subscription and management-group scope: Azure Policy at the root management group is the single most important lever for keeping the Diagnostic Settings of new subscriptions from drifting out of compliance the moment a workload team self-provisions a sandbox — every control below names the corresponding built-in or custom policy. azure-log-01-activity-log-centralized ! 
CRITICAL DETECTIVE Every subscription in the tenant routes its Activity Log via a Diagnostic Setting into a single central Log Analytics workspace (the \"LAW\"), and an Azure Policy assigned at the tenant-root management group enforces that the diagnostic setting exists on every subscription — including ones created tomorrow by a workload team self-service-provisioning a sandbox (Microsoft Learn — Azure Monitor Activity Log (accessed 2026-05)). At minimum eight log categories stream: Administrative (ARM control-plane writes), Security (Defender for Cloud alert events into Activity Log), ServiceHealth (Azure platform health), Alert (Activity Log alert fires), Recommendation (Defender recommendations), Policy (policy evaluation results, including non-compliance), Autoscale (autoscale rule executions), and ResourceHealth (per-resource health transitions). The 90-day platform retention on raw Activity Log is the timer that this control beats — anything beyond 90 days requires the durable sink. The cross-cutting principle is reinforced in General Logging — centralization; the underlying audit-integrity expectation in General Logging — log integrity. MITIGATES: Loss of forensic-quality control-plane history past the 90-day platform retention; silent diagnostic-setting drift on newly created subscriptions; per-subscription siloed logging that defeats cross-subscription correlation; inability to answer \"who deleted that resource\" or \"when did the role assignment change\" once the platform-retention window closes. ATTACK VECTOR: An attacker with subscription-Contributor (acquired via a compromised service principal secret in a build pipeline) waits past 90 days before triggering the visible-impact action — by the time the security team correlates a breach indicator back to the original ARM call, the Activity Log has aged out of the platform retention window and only the diagnostic-setting sink can answer the question. 
In the absence of the sink, the investigation hits a wall. Compounds when only some subscriptions have the sink: new sandbox subscriptions self-provisioned by workload teams are exactly the ones an attacker pivots through first. BLAST RADIUS: Every subscription without the diagnostic setting, for every Activity Log category not streamed, past the 90-day platform horizon. Compounds across hundreds of subscriptions in an enterprise tenant; one missing subscription is one investigation that cannot be completed. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Audit: list every subscription whose Activity Log lacks a diagnostic setting. for sub in $(az account list --query '[].id' -o tsv); do count=$(az monitor diagnostic-settings subscription list \\ --subscription \"$sub\" --query 'length(value)' -o tsv 2>/dev/null || echo 0) echo \"sub=$sub diag_settings=$count\" done # Apply the canonical 8-category diagnostic setting to one subscription. SUB_ID=$(az account show --query id -o tsv) LAW_ID=$(az monitor log-analytics workspace show \\ --resource-group rg-security-logging-westeu \\ --workspace-name law-central-prod \\ --query id -o tsv) az monitor diagnostic-settings subscription create \\ --name send-activity-to-law \\ --subscription \"$SUB_ID\" \\ --workspace \"$LAW_ID\" \\ --logs '[ {\"category\":\"Administrative\",\"enabled\":true}, {\"category\":\"Security\",\"enabled\":true}, {\"category\":\"ServiceHealth\",\"enabled\":true}, {\"category\":\"Alert\",\"enabled\":true}, {\"category\":\"Recommendation\",\"enabled\":true}, {\"category\":\"Policy\",\"enabled\":true}, {\"category\":\"Autoscale\",\"enabled\":true}, {\"category\":\"ResourceHealth\",\"enabled\":true} ]' # Enforce tenant-wide via root-mgmt-group policy assignment (built-in initiative # 'Configure Azure Activity logs to stream to specified Log Analytics workspace'). 
az policy assignment create \\ --name pa-activity-log-to-law \\ --scope \"/providers/Microsoft.Management/managementGroups/tenant-root\" \\ --policy \"/providers/Microsoft.Authorization/policyDefinitions/<activity-log-diag-setting-policy-id>\" \\ --params \"{\\\"logAnalytics\\\":{\\\"value\\\":\\\"$LAW_ID\\\"}}\" \\ --location westeurope \\ --mi-system-assigned \\ --role Contributor \\ --identity-scope \"/providers/Microsoft.Management/managementGroups/tenant-root\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Activity Log routed via Diagnostic Settings. resource \"azurerm_log_analytics_workspace\" \"central\" { name = \"law-central-prod\" resource_group_name = \"rg-security-logging-westeu\" location = \"westeurope\" sku = \"PerGB2018\" retention_in_days = 730 # 2-year hot retention; archive tier configured separately } resource \"azurerm_monitor_diagnostic_setting\" \"activity_log_to_law\" { name = \"send-activity-log-to-central-law\" target_resource_id = \"/subscriptions/${var.subscription_id}\" log_analytics_workspace_id = azurerm_log_analytics_workspace.central.id enabled_log { category = \"Administrative\" } enabled_log { category = \"Security\" } enabled_log { category = \"ServiceHealth\" } enabled_log { category = \"Alert\" } enabled_log { category = \"Recommendation\" } enabled_log { category = \"Policy\" } enabled_log { category = \"Autoscale\" } enabled_log { category = \"ResourceHealth\" } } # Root-management-group policy assignment: every subscription must stream # Activity Log to the central LAW. 
resource \"azurerm_management_group_policy_assignment\" \"activity_log_to_law\" { name = \"activity-log-to-central-law\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.activity_log_diag_policy_definition_id description = \"Stream subscription Activity Log to the central Log Analytics workspace\" location = \"westeurope\" identity { type = \"SystemAssigned\" } parameters = jsonencode({ logAnalytics = { value = azurerm_log_analytics_workspace.central.id } }) }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'subscription' @description('Subscription-level diagnostic setting routing Activity Log to central LAW.') param workspaceId string resource diag 'Microsoft.Insights/diagnosticSettings@2024-01-01-preview' = { name: 'subscription-activity-log-central' scope: subscription() properties: { workspaceId: workspaceId logs: [ { category: 'Administrative', enabled: true } { category: 'Security', enabled: true } { category: 'ServiceHealth', enabled: true } { category: 'Alert', enabled: true } { category: 'Recommendation', enabled: true } { category: 'Policy', enabled: true } { category: 'Autoscale', enabled: true } { category: 'ResourceHealth', enabled: true } ] } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as insights from \"@pulumi/azure-native/insights\"; new insights.DiagnosticSetting(\"subscription-activity-log-central\", { resourceUri: \"/subscriptions/<sub-id>\", workspaceId: \"/subscriptions/.../workspaces/central-law\", logs: [ { category: \"Administrative\", enabled: true }, { category: \"Security\", enabled: true }, { category: \"ServiceHealth\", enabled: true }, { category: \"Alert\", enabled: true }, { category: \"Recommendation\", enabled: true }, { category: \"Policy\", enabled: true }, { category: \"Autoscale\", enabled: true }, { category: \"ResourceHealth\", enabled: true }, ], 
}); </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 5.1; 5.x | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: AU-2; AU-3; AU-6; AU-9 | ISO/IEC 27001:2022: A.8.15; A.5.28 | ISO/IEC 27017:2015: CLD.12.4.5 Log signals AzureActivity OperationNameValue = \"Microsoft.Insights/diagnosticSettings/delete\" targeting a subscription-scope diagnostic setting that exports Administrative, Security, Policy categories — silences the tenant control-plane ledger. AzureActivity Microsoft.Insights/diagnosticSettings/write where the workspace destination is replaced with one outside the centralised security tenant — diverts the export stream away from the SOC workspace. AzureActivity ingestion gap (no rows for > 30 minutes) on a subscription previously emitting steady traffic — absence-of-signal proof that the export pipeline is broken. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue startswith \"Microsoft.Insights/diagnosticSettings/\" | where ResourceId contains \"providers/microsoft.insights/diagnosticsettings\" or ResourceId !contains \"/resourcegroups/\" | project TimeGenerated, Caller, OperationNameValue, ResourceId, ActivityStatusValue, Properties | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Pair with a heartbeat watchdog: AzureActivity | summarize maxTime=max(TimeGenerated) by SubscriptionId | where maxTime < ago(30m) — any subscription that goes quiet should page the SOC on-call. Alert threshold Any delete or destination-change of a subscription-scope diagnostic setting that previously exported Administrative + Security categories — page on first occurrence. 30-minute ingestion gap on any subscription whose 30-day baseline is more than 100 rows/hour — page; the SOC's truth source is dark for that subscription. 
Initial response Reapply the centralised diagnostic-settings Bicep module or Azure Policy Deploy diagnostic settings for activity logs to Log Analytics workspace; capture the AzureActivity Caller as the mutator-of-record. Reconcile the missing window by pulling the Storage Account archive (if also configured as a destination) and replaying via AzureActivity | union storageAccountBackfill; flag any privileged write in the gap window as suspect-pending-review. Escalate per general/ir.html — confirm the management-group-scoped Azure Policy enforcing diagnostic-settings deployment remains in DeployIfNotExists mode. References Microsoft Learn — diagnostic settings in Azure Monitor (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-log-02-storage-diagnostic ! HIGH DETECTIVE Every Storage Account holding regulated data has a Diagnostic Setting that streams data-plane operations (StorageRead, StorageWrite, StorageDelete) plus the Transaction and Capacity metrics to the central Log Analytics workspace, for each of the four storage services in use (Blob, File, Queue, Table) (Microsoft Learn — Diagnostic settings in Azure Monitor (accessed 2026-05)). Activity Log alone (azure-log-01) covers control-plane writes against the Storage Account resource (e.g., key rotation, network-ACL change); it does not cover the data-plane events that matter for breach investigation — who read which blob, who wrote which object, who deleted which container. Without this control, the question \"which 12,000 objects did the leaked SAS token enumerate\" has no answer in the platform; with it, the answer is a KQL query against StorageBlobLogs. Enforce via an Azure Policy initiative at the root management group that targets Microsoft.Storage/storageAccounts and assigns the canonical diagnostic setting on creation and on existing resources via deployIfNotExists. 
MITIGATES: Blob exfiltration via leaked SAS tokens, leaked account keys, or compromised RBAC; ransomware-style mass-delete events on regulated containers; unauthorised data-plane enumeration ahead of a targeted exfiltration; absence of forensic answer to \"which objects were touched\" past the 90-day platform retention window for data-plane events. ATTACK VECTOR: A leaked SAS token from a misconfigured shared-with-public-internet build artefact is harvested by a credential-scanning bot and used to enumerate-then-download the entire Blob container. Without diagnostic settings routed to the LAW, the breach is detected via downstream impact (data appearing on a leak site) rather than via the data-plane log stream, and the investigator cannot reconstruct the precise blob-list that exfiltrated. Compounds when the same Storage Account hosts more than one tenant's data: scoping the breach is impossible without per-blob access records. BLAST RADIUS: Every Storage Account in the tenant lacking the diagnostic setting, for every data-plane category not streamed, past the 90-day platform horizon. For regulated workloads (PII, PHI, PCI scope), the absence of these logs is in most cases a breach-notification gap rather than only a forensic inconvenience. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Inventory: list every Storage Account in the tenant without a diagnostic setting. for sub in $(az account list --query '[].id' -o tsv); do az storage account list --subscription \"$sub\" --query '[].id' -o tsv | while read sa_id; do count=$(az monitor diagnostic-settings list --resource \"$sa_id\" --query 'length(value)' -o tsv 2>/dev/null || echo 0) [ \"$count\" -eq 0 ] && echo \"MISSING: $sa_id\" done done # Apply the diagnostic setting to one Storage Account, scoping each storage service. 
SA_ID=$(az storage account show --resource-group rg-data-prod --name stregprod001 --query id -o tsv) LAW_ID=$(az monitor log-analytics workspace show \\ --resource-group rg-security-logging-westeu --workspace-name law-central-prod --query id -o tsv) # Blob service: data-plane read/write/delete + transaction/capacity metrics. az monitor diagnostic-settings create \\ --name stg-blob-diag \\ --resource \"$SA_ID/blobServices/default\" \\ --workspace \"$LAW_ID\" \\ --logs '[ {\"category\":\"StorageRead\",\"enabled\":true}, {\"category\":\"StorageWrite\",\"enabled\":true}, {\"category\":\"StorageDelete\",\"enabled\":true} ]' \\ --metrics '[{\"category\":\"Transaction\",\"enabled\":true},{\"category\":\"Capacity\",\"enabled\":true}]' # Repeat for fileServices/default, queueServices/default, tableServices/default.</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Storage Account diagnostic settings. variable \"regulated_storage_account_ids\" { type = map(string) # keyed by friendly name } # Per-service diagnostic setting; iterate the four storage services per account. locals { storage_services = [\"blobServices\", \"fileServices\", \"queueServices\", \"tableServices\"] account_service_pairs = merge([ for acc_name, acc_id in var.regulated_storage_account_ids : { for svc in local.storage_services : \"${acc_name}-${svc}\" => { acc_id = acc_id, svc = svc } } ]...) 
} resource \"azurerm_monitor_diagnostic_setting\" \"storage\" { for_each = local.account_service_pairs name = \"diag-${each.key}\" target_resource_id = \"${each.value.acc_id}/${each.value.svc}/default\" log_analytics_workspace_id = var.central_law_id enabled_log { category = \"StorageRead\" } enabled_log { category = \"StorageWrite\" } enabled_log { category = \"StorageDelete\" } metric { category = \"Transaction\" enabled = true } metric { category = \"Capacity\" enabled = true } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Storage account whose blob/queue/table/file ops should be audited.') param storageName string @description('Workspace receiving the data-plane logs.') param workspaceId string resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' existing = { name: storageName } resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2024-01-01' existing = { parent: storage name: 'default' } resource diagBlob 'Microsoft.Insights/diagnosticSettings@2024-01-01-preview' = { scope: blobSvc name: 'blob-audit' properties: { workspaceId: workspaceId logs: [ { category: 'StorageRead', enabled: true } { category: 'StorageWrite', enabled: true } { category: 'StorageDelete', enabled: true } ] } } </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 5.x (verify) | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: AU-2; AU-12 | ISO/IEC 27001:2022: A.8.15 | ISO/IEC 27017:2015: CLD.12.4.5 Log signals AzureActivity Microsoft.Insights/diagnosticSettings/delete or write targeting Storage Account resources where the StorageRead/StorageWrite/StorageDelete categories are dropped — terminates the dataplane audit trail. AzureActivity Microsoft.Storage/storageAccounts/write where the request body reduces minimumTlsVersion on the diagnostics destination account or flips allowSharedKeyAccess = true — weakens the trustworthiness of the archive itself. 
StorageBlobLogs StatusText = \"AuthenticationFailed\" spikes on the diagnostics destination — adversary attempting to write decoy events or probe the archive. Query <code class=\"language-sql\">AzureActivity | where ResourceId contains \"Microsoft.Storage/storageAccounts\" | where OperationNameValue in (\"Microsoft.Insights/diagnosticSettings/delete\", \"Microsoft.Insights/diagnosticSettings/write\") | extend body = tostring(parse_json(Properties).requestbody) | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. The dataplane categories (StorageRead/Write/Delete) are the only direct way to attribute an object-level operation to a principal once at-rest; their disable is incident-grade. Alert threshold Any drop of StorageRead/Write/Delete diagnostic categories on a Storage Account holding production data — page on first occurrence. Diagnostic-settings change that retargets the destination workspace to one outside the SOC tenant — page; treat as data-residency control failure as well as audit failure. Initial response Reapply the Storage Account diagnostic-settings module via the IaC pipeline; capture the AzureActivity Caller and resource-graph snapshot as the change ledger. Walk StorageBlobLogs (or the archive container if also written to immutable blob) for the exposure window — every read/write against sensitive containers during the gap should be reconciled with documented application access. Escalate per general/ir.html — reconfirm the Azure Policy Deploy diagnostic settings for Storage to Log Analytics workspace is assigned in DeployIfNotExists mode at the management group. References Microsoft Learn — monitor Azure Blob Storage (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-log-03-defender-recommendations ! 
HIGH DETECTIVE Microsoft Defender for Cloud's regulatory compliance dashboard is configured with the CIS Microsoft Azure Foundations Benchmark v3.0.0 policy initiative assigned at the tenant-root management group, plus auto-remediation policies (deployIfNotExists / modify effects) on the high-priority recommendations the organisation has signed off on remediating without human review (typically: enable diagnostic settings, enable encryption-by-default, lock storage to private network access, enforce TLS 1.2+) (Microsoft Learn — Defender for Cloud regulatory compliance dashboard (accessed 2026-05)). The dashboard scores every subscription against every CIS sub-ID in the assigned initiative and gives the security and compliance teams a per-control remediation queue keyed to the audit framework's sub-IDs. Distinction from azure-log-05: this control is the regulatory compliance surface (score per assigned initiative; CIS sub-IDs; deployIfNotExists auto-remediation); azure-log-05 is the umbrella Secure Score surface (cross-initiative weighted score; monthly review cadence; workflow automation on Defender recommendations as events). Both ship; both are populated by the same Defender engine but answer different review-cadence questions. The underlying compliance-engineering principle is in General Compliance Frameworks. MITIGATES: Drift from the CIS Microsoft Azure Foundations Benchmark v3.0.0 baseline; unremediated high-priority recommendations sitting in a Defender backlog with no owner; absence of an auditable evidence trail for \"what was non-compliant and when did it get remediated\" against the framework's own sub-IDs. 
ATTACK VECTOR: A workload team disables a Defender recommendation that they consider \"noisy\" without a compensating control; the misconfiguration accumulates across subscriptions for months because there is no enforcement at the root management group; an attacker exploits the original misconfiguration (e.g., Storage Account left publicly accessible) once Shodan-style scanners discover it. The dashboard's value is exactly to surface this drift with a CIS sub-ID a compliance officer can ticket against. BLAST RADIUS: Every subscription not assigned the CIS Azure v3.0.0 initiative at the root management group, for every sub-ID's non-compliance state. Compounds because new sandbox subscriptions inherit the initiative automatically from the tenant root, so absence is observable across the whole tenant. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Find the built-in policy set definition GUID for CIS Microsoft Azure Foundations Benchmark v3.0.0. az policy set-definition list --query \"[?contains(displayName, 'CIS Microsoft Azure Foundations Benchmark v3')].{name:name, displayName:displayName}\" -o table # Assign at the tenant-root management group. CIS_SET_ID=\"/providers/Microsoft.Authorization/policySetDefinitions/<cis-azure-v3-policy-set-guid>\" az policy assignment create \\ --name cis-azure-v3 \\ --scope \"/providers/Microsoft.Management/managementGroups/tenant-root\" \\ --policy-set-definition \"$CIS_SET_ID\" \\ --location westeurope \\ --mi-system-assigned \\ --role Contributor \\ --identity-scope \"/providers/Microsoft.Management/managementGroups/tenant-root\" \\ --display-name \"CIS Microsoft Azure Foundations Benchmark v3.0.0\" # Inspect compliance state for one subscription via the regulatory-compliance API. 
az rest --method GET --uri \"https://management.azure.com/subscriptions/$(az account show --query id -o tsv)/providers/Microsoft.Security/regulatoryComplianceStandards/CIS-Microsoft-Azure-Foundations-Benchmark-v3.0.0/regulatoryComplianceControls?api-version=2019-01-01-preview\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Defender for Cloud regulatory compliance initiative assignment. variable \"cis_azure_v3_policy_set_definition_id\" { type = string description = \"Built-in policy set GUID for CIS Microsoft Azure Foundations Benchmark v3.0.0\" } resource \"azurerm_management_group_policy_assignment\" \"cis_azure_v3\" { name = \"cis-azure-v3\" display_name = \"CIS Microsoft Azure Foundations Benchmark v3.0.0\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.cis_azure_v3_policy_set_definition_id location = \"westeurope\" identity { type = \"SystemAssigned\" } } # Auto-remediation on a specific high-priority recommendation: enable secure # transfer required on Storage Accounts. Uses the modify effect. 
resource \"azurerm_management_group_policy_assignment\" \"secure_transfer\" { name = \"stg-secure-transfer\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = \"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\" location = \"westeurope\" identity { type = \"SystemAssigned\" } parameters = jsonencode({ effect = { value = \"Modify\" } }) }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'subscription' resource autoProv 'Microsoft.Security/autoProvisioningSettings@2024-08-01' = { name: 'default' properties: { autoProvision: 'On' } } resource defenderContact 'Microsoft.Security/securityContacts@2023-12-01-preview' = { name: 'default' properties: { emails: 'soc@example.org' notificationsByRole: { state: 'On', roles: ['Owner', 'ServiceAdmin'] } alertNotifications: { state: 'On', minimalSeverity: 'High' } } } </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 2.x | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: CM-8; CM-3 | ISO/IEC 27001:2022: A.8.9 | ISO/IEC 27017:2015: CLD.12.4.5 Log signals AzureActivity Microsoft.Security/autoProvisioningSettings/write where autoProvision flips from On to Off — disarms the Log Analytics agent deployment that feeds Defender recommendations. AzureActivity Microsoft.Security/assessmentMetadata/write or Microsoft.Security/securityStandards/write where the request body excludes an MCSB recommendation that the org has classified as critical. Sudden drop in SecurityRecommendation table volume per subscription — coverage erosion that the per-assessment delete events alone may not explain. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Security/autoProvisioningSettings/write\", \"Microsoft.Security/assessmentMetadata/write\", \"Microsoft.Security/securityStandards/write\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"autoProvision\\\":\\\"Off\\\"\" or body has \"exempt\" or OperationNameValue endswith \"assessmentMetadata/write\" | project TimeGenerated, Caller, SubscriptionId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Sentinel can also pivot via the SecurityRecommendation table — sudden recommendation-volume drops are a downstream symptom worth alerting on. Alert threshold Any flip of autoProvision to Off at the subscription scope — page on first occurrence. Exemption applied to an MCSB recommendation tagged Critical without an attached governance ticket reference — page; exemptions should be ticket-bound by policy. Initial response Reapply the IaC baseline that sets autoProvision=On and unassigns any unauthorised exemption; confirm the next Defender for Cloud assessment cycle refreshes within four hours. Cross-check the new recommendation count vs the 30-day baseline — any subscription where critical recommendations failed to repopulate likely has agent-deployment failures and warrants a Defender for Servers fleet inventory walk. Escalate per general/ir.html — confirm the management-group Azure Policy Configure Microsoft Defender for Cloud to enable continuous export remains assigned and enforced. References Microsoft Learn — Microsoft Defender for Cloud security policies and recommendations (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-log-04-defender-for-cloud ! 
CRITICAL DETECTIVE Microsoft Defender for Cloud's workload-protection plans are enabled subscription-wide for every resource type the tenant operates: Defender for Servers Plan 2 (MDE auto-deploy, vulnerability assessment via Defender Vulnerability Management, just-in-time VM access, file integrity monitoring, adaptive application controls), Defender for Storage v2 (malware scanning + sensitive-data discovery), Defender for SQL (Standard), Defender for SQL Server on machines (Standard), Defender for App Service (Standard), Defender for Key Vault (Standard), Defender for Resource Manager (Standard, \"Arm\"), Defender for DNS (Standard), Defender for Containers (Standard, MDC for AKS + ACR), and Defender CSPM (Standard, \"CloudPosture\") (Microsoft Learn — What is Microsoft Defender for Cloud (accessed 2026-05)). Each plan is billed per protected-resource-hour and emits its own alert taxonomy into the Defender alerts blade; alerts flow into Microsoft Sentinel via the Defender for Cloud data connector (azure-log-08) where incidents are correlated and automation rules execute SOAR playbooks. Anti-conflation with azure-log-08 (Sentinel): Defender for Cloud is the CSPM + CWPP plane (posture management, regulatory compliance scoring, workload-protection plans that run against Servers / Storage / SQL / Containers / Key Vault / App Service / RM / DNS); Microsoft Sentinel is the SIEM + SOAR plane (data ingestion across Defender, Entra, Activity, Office 365, third-party syslog; KQL analytics on top; Logic App playbook automation). They complement each other and are independently licensed — Defender for Cloud per protected resource-hour, Sentinel per GB ingested. The intended pipeline is Defender alerts → Sentinel incidents → Sentinel automation rules → playbooks. Adopting Defender without Sentinel leaves correlation and SOAR off the table; adopting Sentinel without Defender leaves a CWPP gap. They are not substitutable. 
MITIGATES: Workload compromise without alert (Defender for Servers detects post-exploitation behaviours via MDE), credential theft inside an Azure VM, malware uploaded to Storage Accounts, suspicious data-plane activity against Key Vault, anomalous Resource Manager operations indicating credential compromise, unauthorised activity against AKS clusters and ACR registries, DNS-based exfiltration channels, and posture drift away from the CIS baseline. ATTACK VECTOR: An attacker who compromises a build-pipeline service principal uses the SP credentials to enumerate the tenant's subscriptions, attempts an Object-Lock bypass against a regulated Storage Account, and pivots to a VM by exploiting a known CVE. Without Defender for Servers, the MDE-detected post-exploitation behaviour goes unreported. Without Defender for Storage, the suspicious-anonymous-access alerts never fire. Without Defender for Resource Manager, the enumeration-then-write pattern from an unknown ASN is invisible. Each missing plan is a missing alert channel. BLAST RADIUS: Every subscription with a Defender plan disabled, for every resource type that plan would have covered, until enablement. Cost containment is tempting but typically misframed — Defender for Servers Plan 2 in a 1000-VM tenant runs far cheaper than the one incident it catches early. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Audit: which plans are enabled / standard tier across the current subscription? az security pricing list --query \"value[].{name:name, tier:pricingTier}\" -o table # Enable each plan at Standard tier (subscription-scope). for plan in VirtualMachines StorageAccounts SqlServers SqlServerVirtualMachines AppServices KeyVaults Arm Dns Containers CloudPosture; do az security pricing create --name \"$plan\" --tier Standard done # Defender for Servers Plan 2 (sub-plan of VirtualMachines). 
az security pricing create --name VirtualMachines --tier Standard --subplan P2 # Defender for Storage v2 (malware scanning + sensitive-data discovery sub-plan). az security pricing create --name StorageAccounts --tier Standard --subplan DefenderForStorageV2 # Enforcement: built-in initiative 'Configure Microsoft Defender for Cloud plans' # assigned at the tenant root management group keeps new subscriptions enrolled.</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn — Defender for Cloud plan configuration. locals { defender_plans = { \"VirtualMachines\" = \"P2\" # Defender for Servers Plan 2 \"StorageAccounts\" = \"DefenderForStorageV2\" \"SqlServers\" = \"Standard\" \"SqlServerVirtualMachines\" = \"Standard\" \"AppServices\" = \"Standard\" \"KeyVaults\" = \"Standard\" \"Arm\" = \"Standard\" \"Dns\" = \"Standard\" \"Containers\" = \"Standard\" \"CloudPosture\" = \"Standard\" } } resource \"azurerm_security_center_subscription_pricing\" \"plans\" { for_each = local.defender_plans resource_type = each.key tier = \"Standard\" subplan = each.value == \"Standard\" ? null : each.value } # Defender alerts → central Log Analytics "},{"id":"azure/network.html","url":"azure/network.html","title":"Azure Network Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Network","description":"Azure network hardening: VNet design, NSGs, Private Endpoints, Azure Firewall Premium, Front Door WAF, DDoS Protection Standard, DNS DNSSEC, egress controls.","body":"Azure Network Hardening Overview This page covers Microsoft Azure network hardening across the surfaces that decide whether an attacker who reaches the network edge can pivot inward, exfiltrate data, or sustain disruption. 
Scope is the Azure commercial regions; Azure Government and Azure operated by 21Vianet (China) inherit the same controls but expose a different region table, a different sovereign endpoint suffix, and a slightly different Microsoft Entra ID (formerly Azure Active Directory) tenant topology — re-verify region-table caveats and the Microsoft Graph endpoint before applying any of the IaC below to a non-commercial cloud. CIS sub-IDs and NIST / ISO mappings throughout this page reference the commercial Microsoft Azure Foundations Benchmark v3.0.0 (Feb 2025) unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The Azure network model is the product of subscriptions (the billing and policy boundary), virtual networks (regional, RFC1918-addressed address spaces with their own DNS context), subnets (per-tier CIDR slices that anchor an NSG and a route table), Network Security Groups (stateful L4 ACLs evaluated at the NIC and at the subnet), route tables (user-defined routes that override Azure system routing — typically pointing east-west and egress traffic through a hub-and-spoke design at an Azure Firewall), Private Endpoints (private IPs inside a subnet that front PaaS services and remove the public attack surface entirely), Service Endpoints (legacy: traffic stays on the Azure backbone but the PaaS service still has a public IP), Azure Firewall (stateful L4/L7 NVA with FQDN filtering, IDPS and TLS inspection in the Premium tier), and edge primitives Azure Front Door (global L7 ingress with managed WAF) and Application Gateway (regional L7 ingress, the in-VNet alternative). The cross-cutting principles — segmentation, zero trust, egress control, encryption in transit, and DNS security — are owned by the General Network page; this page maps them to Azure primitives. 
Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, GCP, and OCI sibling pages. Three anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. First: NSGs, Azure Firewall, and Private Endpoints are complementary, not alternatives. NSGs are L4 ACLs at NIC/subnet scope (covered as azure-net-02); Azure Firewall is stateful L4/L7 with FQDN filtering, IDPS, and TLS inspection (covered as azure-net-08); Private Endpoints remove the public-IP attack surface from PaaS services entirely (covered as azure-net-03 and azure-net-04). Each addresses a different scope; reviewers who insist on \"pick one\" are wrong. Second: Azure Front Door WAF and Azure DDoS Protection Standard are complementary, not alternatives. Front Door WAF is a global, edge-deployed L7 filter (covered as azure-net-05); DDoS Protection Standard is a per-VNet L3/L4 volumetric-attack mitigation tier (covered as azure-net-06). One filters application-layer abuse; the other absorbs network-layer flooding. Third: Azure Front Door WAF and Application Gateway WAF answer different deployment questions. Front Door is global and runs at the Microsoft edge; Application Gateway WAF is regional and runs inside a VNet — the right choice for in-VNet backends that cannot front via the public edge (mTLS-required APIs, internal-only landing pages). Application Gateway WAF is referenced in prose where relevant; it is not a separate control because it does not add an attack-surface concept beyond what Front Door WAF already covers. Order and scope matter. 
Controls 01–04 are foundational invariants enforced subscription-wide via Azure Policy assigned at the root management group: do not rely on default networking, lock admin ports against the Internet service tag, disable public network access on regulated PaaS, and front it with Private Endpoints. Control 05 protects the L7 edge of public web traffic; control 06 absorbs L3/L4 volumetric attacks; control 07 signs the organisation's public DNS zones; control 08 closes the egress loop with stateful FQDN-filtering and default-deny — the missing complement to Private Endpoints, which only covers Azure-service traffic. Subscription and management-group scope: Azure Policy at the root management group enforces tenant-wide invariants (allowed locations, denied resource types, required-tag policies, regulatory compliance initiatives) and is the single most important lever for keeping the controls below from drifting out of compliance once dozens of subscriptions and hundreds of resource groups exist. azure-net-01-default-vnet ! MEDIUM PREVENTIVE Azure does not provision a \"default VNet\" the way AWS provisions a default VPC, but the equivalent failure mode is real: workload teams creating ad-hoc VNets outside the approved IP-address plan, with overlapping CIDRs, no peering to the hub, and no NSG on the subnet at all. Enforce an explicit per-workload VNet design (hub-and-spoke or Azure Virtual WAN) via Azure Policy assigned at the root management group, deny VNet creation outside the approved IP plan, and require NSG attachment on every subnet at creation time (Microsoft Learn — Azure Virtual Network overview (accessed 2026-05)). The principle is reinforced in General Network — segmentation: a network the organisation did not consciously design is a network whose blast radius the organisation cannot reason about. 
MITIGATES: Accidental shadow VNets with overlapping address space, missing NSGs at the subnet, and no peering to the hub firewall — making centralised egress filtering and monitoring impossible to enforce on the traffic those VNets generate. ATTACK VECTOR: A workload team creates a VNet under deadline pressure with a public-IP-bearing VM in a subnet that has no NSG; the VM is reachable from the internet on every port the OS opens. Because the VNet was never peered to the hub, traffic does not traverse Azure Firewall and no egress filtering applies either. Compounds when the same team replicates the pattern across regions. BLAST RADIUS: Per subscription: every resource launched into an unsanctioned VNet for as long as the shadow VNet exists. Compounds across tens of subscriptions in a large tenant. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Inventory: list every VNet in every subscription of the tenant. for sub in $(az account list --query '[].id' -o tsv); do az network vnet list --subscription \"$sub\" \\ --query \"[].{sub:'$sub', name:name, rg:resourceGroup, prefixes:addressSpace.addressPrefixes}\" \\ -o tsv done # Per workload: create an explicit VNet inside the approved IP plan. az network vnet create \\ --resource-group rg-net-prod-westeu \\ --name vnet-app-prod-westeu \\ --address-prefixes 10.40.0.0/16 \\ --location westeurope # Assign the built-in \"Allowed locations\" + a custom \"denied address-space\" policy # at the root management group so future VNets cannot drift. 
az policy assignment create \\ --name pa-network-ip-plan \\ --scope \"/providers/Microsoft.Management/managementGroups/tenant-root\" \\ --policy-set-definition \"/providers/Microsoft.Authorization/policySetDefinitions/<ip-plan-initiative-id>\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_resource_group\" \"net\" { name = \"rg-net-prod-westeu\" location = \"westeurope\" } resource \"azurerm_virtual_network\" \"workload\" { name = \"vnet-app-prod-westeu\" resource_group_name = azurerm_resource_group.net.name location = azurerm_resource_group.net.location address_space = [\"10.40.0.0/16\"] tags = { tier = \"prod\", owner = \"platform-network\" } } # Root-management-group policy assignment: deny VNet creation outside the # approved IP plan. Custom policy definition referenced by id. resource \"azurerm_management_group_policy_assignment\" \"deny_unplanned_vnets\" { name = \"deny-unplanned-vnets\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.ip_plan_policy_definition_id description = \"Deny VNet creation outside the approved IP plan\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Hardened-by-default VNet with explicit address space, no default subnet, DDoS std off-by-default plan id.') param vnetName string @description('Address space CIDR.') param addressPrefix string = '10.0.0.0/16' param location string = resourceGroup().location resource vnet 'Microsoft.Network/virtualNetworks@2024-03-01' = { name: vnetName location: location properties: { addressSpace: { addressPrefixes: [addressPrefix] } // No default subnet — explicit subnets defined per-workload module. 
encryption: { enabled: true, enforcement: 'AllowUnencrypted' } } } </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 6.x (verify) | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7; CM-2 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals AzureActivity Microsoft.Network/virtualNetworks/write creating a VNet whose address space overlaps the documented hub/spoke plan or that lacks the standard environment + owner tags — accidental shadow VNet outside the landing-zone topology. AzureActivity Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write establishing peering across subscriptions or to a VNet owned by a different management group — bypasses the documented hub interconnect. AzureActivity Microsoft.Network/virtualNetworks/subnets/write creating a subnet without an attached networkSecurityGroup or routeTable reference — defeats the landing-zone enforcement baseline. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Network/virtualNetworks/write\", \"Microsoft.Network/virtualNetworks/subnets/write\", \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write\") | extend body = tostring(parse_json(Properties).requestbody) | project TimeGenerated, Caller, OperationNameValue, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Pair with an Azure Resource Graph daily reconciliation to catch shadow VNets that bypass the resource-provider event surface; persist as a Sentinel analytics rule with Medium severity. Alert threshold VNet creation in a non-landing-zone subscription — page on first occurrence. Cross-management-group peering — page; treat as escape-from-policy-boundary event. Initial response Hold the VNet via tag quarantine=true and disable peering on the new resource via the IaC pipeline; capture the AzureActivity record as the rollback ledger. 
Walk recent AzureActivity for the Caller — shadow VNet creation often co-occurs with role-assignment expansion or with policy-exemption application. Escalate per general/ir.html — confirm the Azure Policy Audit virtual networks created outside hub-spoke topology remains in deny mode at the management-group root. References Microsoft Learn — landing-zone network topology guidance (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-net-02-nsg-no-admin-internet ! CRITICAL PREVENTIVE No Network Security Group in any subscription may permit ingress from the Internet service tag (or 0.0.0.0/0) on administrative ports — SSH 22, RDP 3389, SQL 1433, PostgreSQL 5432, MySQL 3306, MongoDB 27017, Redis 6379, and any other database or management port the organisation uses — at either NIC scope or subnet scope (Microsoft Learn — Network Security Groups overview (accessed 2026-05)). NSGs are stateful L4 firewalls evaluated twice on the packet path (once at the subnet NSG and once at the NIC NSG), default-deny on ingress from the internet, and the most directly enforceable per-resource boundary Azure exposes at the network layer. This is the canonical \"open the internet to my database\" misconfiguration; Shodan-style scanners locate exposures within minutes. Anti-conflation: NSGs are L4 only — they do not do FQDN filtering, IDPS, or TLS inspection. Those live on Azure Firewall Premium (azure-net-08), which is centralised at the hub and complements NSGs rather than replacing them. Use the Internet service tag rather than literal 0.0.0.0/0 where possible; the tag is operationally clearer and survives address-prefix expansions. MITIGATES: Direct internet exposure of management planes and databases — leading to credential brute force, exploitation of unpatched pre-auth RCE in admin services, and untargeted ransomware against open SQL/MongoDB/Redis. 
ATTACK VECTOR: An engineer opens TCP 22 from Internet on a subnet NSG \"temporarily\" to debug a jump host; the rule is never reverted. Within hours, distributed brute-force traffic from compromised residential IPs begins probing for SSH passwords or weak keys. Database admin ports are worse: many database engines have pre-authentication CVEs that turn an open port into immediate unauthenticated code execution, and MongoDB / Redis deployments pre-3.6 / pre-6 with default no-auth configurations are still in the wild. BLAST RADIUS: Every NIC in the offending subnet (subnet NSG) or every NIC the offending NSG is associated to (NIC NSG), across every region and subscription the NSG (or a copy of it via cross-subscription templating) is applied to. Pre-authentication exploitation in databases means exfiltration is the assumed outcome. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Audit: enumerate every NSG rule allowing Internet -> admin ports across the tenant. for sub in $(az account list --query '[].id' -o tsv); do az network nsg list --subscription \"$sub\" --query '[].id' -o tsv | while read nsg_id; do az network nsg rule list --ids \"$nsg_id\" \\ --query \"[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='Internet' || sourceAddressPrefix=='*' || sourceAddressPrefix=='0.0.0.0/0')].{nsg:'$nsg_id', name:name, ports:destinationPortRanges}\" \\ -o tsv done done # Apply the canonical deny rule at NIC + subnet scope. 
az network nsg rule create \\ --resource-group rg-net-prod-westeu \\ --nsg-name nsg-app-subnet \\ --name DenyInternetToSshRdpSql \\ --priority 100 \\ --direction Inbound \\ --access Deny \\ --protocol Tcp \\ --source-address-prefixes Internet \\ --destination-port-ranges 22 3389 1433 5432 3306 27017 6379 # Continuous enforcement: built-in CIS Microsoft Azure Foundations Benchmark v3.0.0 # initiative assigned at the root management group covers 6.1 and 6.2.</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_network_security_group\" \"app_subnet\" { name = \"nsg-app-subnet\" resource_group_name = azurerm_resource_group.net.name location = azurerm_resource_group.net.location } # Canonical CRITICAL deny: Internet service tag -> all common admin ports. resource \"azurerm_network_security_rule\" \"deny_internet_admin_ports\" { name = \"DenyInternetToSshRdpSql\" resource_group_name = azurerm_resource_group.net.name network_security_group_name = azurerm_network_security_group.app_subnet.name priority = 100 direction = \"Inbound\" access = \"Deny\" protocol = \"Tcp\" source_port_range = \"*\" destination_port_ranges = [\"22\", \"3389\", \"1433\", \"5432\", \"3306\", \"27017\", \"6379\"] source_address_prefix = \"Internet\" destination_address_prefix = \"*\" } # Allow SSH/RDP only from the bastion subnet ASG. 
resource \"azurerm_network_security_rule\" \"allow_bastion_admin\" { name = \"AllowBastionToAdmin\" resource_group_name = azurerm_resource_group.net.name network_security_group_name = azurerm_network_security_group.app_subnet.name priority = 200 direction = \"Inbound\" access = \"Allow\" protocol = \"Tcp\" source_port_range = \"*\" destination_port_ranges = [\"22\", \"3389\"] source_application_security_group_ids = [azurerm_application_security_group.bastion.id] destination_address_prefix = \"*\" } resource \"azurerm_subnet_network_security_group_association\" \"app\" { subnet_id = azurerm_subnet.app.id network_security_group_id = azurerm_network_security_group.app_subnet.id }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('NSG name applied to workload subnets to deny SSH/RDP from Internet.') param nsgName string param location string = resourceGroup().location resource nsg 'Microsoft.Network/networkSecurityGroups@2024-03-01' = { name: nsgName location: location properties: { securityRules: [ { name: 'deny-ssh-from-internet' properties: { priority: 100, direction: 'Inbound', access: 'Deny', protocol: 'Tcp' sourceAddressPrefix: 'Internet', sourcePortRange: '*' destinationAddressPrefix: '*', destinationPortRange: '22' } } { name: 'deny-rdp-from-internet' properties: { priority: 110, direction: 'Inbound', access: 'Deny', protocol: 'Tcp' sourceAddressPrefix: 'Internet', sourcePortRange: '*' destinationAddressPrefix: '*', destinationPortRange: '3389' } } ] } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as network from \"@pulumi/azure-native/network\"; new network.NetworkSecurityGroup(\"workload-nsg\", { resourceGroupName: \"<rg>\", securityRules: [ { name: \"deny-ssh-from-internet\", priority: 100, direction: network.AccessRuleDirection.Inbound, access: network.SecurityRuleAccess.Deny, protocol: network.SecurityRuleProtocol.Tcp, 
sourceAddressPrefix: \"Internet\", sourcePortRange: \"*\", destinationAddressPrefix: \"*\", destinationPortRange: \"22\", }, { name: \"deny-rdp-from-internet\", priority: 110, direction: network.AccessRuleDirection.Inbound, access: network.SecurityRuleAccess.Deny, protocol: network.SecurityRuleProtocol.Tcp, sourceAddressPrefix: \"Internet\", sourcePortRange: \"*\", destinationAddressPrefix: \"*\", destinationPortRange: \"3389\", }, ], }); </code> Compliance mapping CIS AWS Foundations v7.0.0: 5.2; 5.3 | CIS Microsoft Azure Foundations v6.0.0: 6.1; 6.2 | CIS GCP Foundation v5.0.0: 3.6; 3.7 | CIS OCI Foundation v3.1.0: 2.1; 2.2 | NIST SP 800-53 rev5: SC-7(5); SC-7 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals AzureActivity Microsoft.Network/networkSecurityGroups/securityRules/write where the request body resolves to access = Allow, direction = Inbound, sourceAddressPrefix in (\"*\", \"0.0.0.0/0\", \"Internet\") and destinationPortRange covers TCP 22, 3389, or 5985-5986. AzureActivity write events on NSG rules whose priority is moved into the 100-200 range that the deny baselines previously occupied — silent override. NetworkSecurityGroupFlowEvent inbound connections on admin ports from public-internet CIDRs that match the rule edit — downstream confirmation the change took effect. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue == \"Microsoft.Network/networkSecurityGroups/securityRules/write\" | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"access\\\":\\\"Allow\\\"\" and body has \"\\\"direction\\\":\\\"Inbound\\\"\" | where body has \"\\\"sourceAddressPrefix\\\":\\\"*\\\"\" or body has \"\\\"sourceAddressPrefix\\\":\\\"0.0.0.0/0\\\"\" or body has \"\\\"sourceAddressPrefix\\\":\\\"Internet\\\"\" | where body has \"\\\"22\\\"\" or body has \"\\\"3389\\\"\" or body has \"\\\"5985\\\"\" or body has \"\\\"5986\\\"\" or body has \"\\\"22-22\\\"\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. The internet-exposed-admin-port pattern is the single highest-fidelity NSG misconfiguration signal; persist as a Sentinel analytics rule with severity High and pair with an automation playbook that disables the rule on detection. Alert threshold Any inbound Allow rule on TCP 22/3389/5985/5986 from * or Internet — page on first occurrence. NSG rule priority insertion below the existing deny baseline — page; the rule may not yet match traffic but the precedence regression has occurred. Initial response Delete the offending rule via az network nsg rule delete or apply the IaC baseline; capture the AzureActivity Caller and the rule body as the rollback ledger. Pull NetworkSecurityGroupFlowEvent for the exposure window from each NIC bound to the NSG — every inbound flow on the admin port from internet CIDRs should be reconciled with documented administrator access. Escalate per general/ir.html — confirm the Azure Policy Internet-facing virtual machines should be protected with NSGs remains in deny mode and that Defender for Cloud has refreshed its assessment. 
References Microsoft Learn — network security groups overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-net-03-private-endpoints-only ! CRITICAL PREVENTIVE Regulated PaaS services — Storage Accounts, Key Vault, Azure SQL, Cosmos DB, App Configuration, Container Registry — must have public_network_access_enabled = false at the resource level, default network rules set to Deny, and access strictly through Private Endpoints (covered as azure-net-04). Enforce subscription-wide via Azure Policy assigned at the root management group; do not rely on per-resource diligence (Microsoft Learn — Storage Account network security (accessed 2026-05)). The principle is reinforced in General Network — private connectivity: PaaS services with a public IP are reachable from any internet host that can guess the resource name and present valid credentials, so the network perimeter must remove the public IP rather than rely on identity alone. Anti-conflation: this is the policy invariant (\"public off, Private Endpoints required\"); the resource-level Private Endpoint attachment is the implementation pattern covered by azure-net-04. CRITICAL because exploitation is a single misconfiguration away from internet-reachable storage or secrets. MITIGATES: Internet-reachable Storage Account / Key Vault / SQL via the public PaaS endpoint, leading to credential-stuffing or token-replay attacks against secret stores, or anonymous blob enumeration against misconfigured containers. ATTACK VECTOR: A workload team creates a Storage Account from the portal with default network settings; the account ends up reachable from any internet host on <name>.blob.core.windows.net. An attacker who acquires (via phishing or supply-chain compromise) a SAS token or account key has direct network-layer access to the account from anywhere. 
With public network access disabled and the firewall default-action set to Deny, the same SAS token or key still requires a network path through the corporate VNet to be usable — narrowing the attack surface to compromised insider workstations on the corporate network. BLAST RADIUS: Per resource: every Storage Account / Key Vault / SQL Server is either public-accessible or not. The policy at root management group scope is the single setting that flips the default for every future resource as well. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Storage Account: turn off all three public-access toggles + default-deny firewall. az storage account update \\ --resource-group rg-data-prod-westeu \\ --name stappprodwesteu001 \\ --public-network-access Disabled \\ --allow-blob-public-access false \\ --default-action Deny # Key Vault: turn off public network access; enforce RBAC. az keyvault update \\ --resource-group rg-data-prod-westeu \\ --name kv-app-prod-westeu \\ --public-network-access Disabled \\ --default-action Deny \\ --enable-rbac-authorization true # Audit: list every Storage Account in the tenant that still allows public access. for sub in $(az account list --query '[].id' -o tsv); do az storage account list --subscription \"$sub\" \\ --query \"[?publicNetworkAccess=='Enabled' || allowBlobPublicAccess==\\`true\\`].{sub:'$sub', name:name, rg:resourceGroup}\" \\ -o tsv done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_storage_account\" \"app\" { name = \"stappprodwesteu001\" resource_group_name = azurerm_resource_group.data.name location = azurerm_resource_group.data.location account_tier = \"Standard\" account_replication_type = \"ZRS\" min_tls_version = \"TLS1_2\" # Three independent public-access toggles — all must close. 
public_network_access_enabled = false allow_nested_items_to_be_public = false shared_access_key_enabled = false # force Entra ID auth where supported network_rules { default_action = \"Deny\" bypass = [\"AzureServices\"] virtual_network_subnet_ids = [] # no Service Endpoints; Private Endpoints only ip_rules = [] } } resource \"azurerm_key_vault\" \"app\" { name = \"kv-app-prod-westeu\" resource_group_name = azurerm_resource_group.data.name location = azurerm_resource_group.data.location tenant_id = data.azurerm_client_config.current.tenant_id sku_name = \"premium\" public_network_access_enabled = false enable_rbac_authorization = true purge_protection_enabled = true soft_delete_retention_days = 90 network_acls { default_action = \"Deny\" bypass = \"AzureServices\" } } # Root-management-group initiative: deny PaaS resources with public network access on. resource \"azurerm_management_group_policy_assignment\" \"deny_paas_public\" { name = \"deny-paas-public-network-access\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.deny_paas_public_initiative_id description = \"Storage / KV / SQL / Cosmos must have public network access disabled\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure Policy assignment forbidding public-access PaaS endpoints.') param assignmentName string = 'deny-public-paas-endpoints' // Built-in initiative: Configure Azure PaaS services to use private link var initiativeId = '/providers/Microsoft.Authorization/policySetDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c' resource assign 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: assignmentName properties: { policyDefinitionId: initiativeId enforcementMode: 'Default' displayName: 'Deny PaaS resources with public network access' } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; 
import * as authorization from \"@pulumi/azure-native/authorization\"; new authorization.PolicyAssignment(\"deny-public-paas-endpoints\", { scope: \"/subscriptions/<sub-id>\", policyAssignmentName: \"deny-public-paas-endpoints\", policyDefinitionId: \"/providers/Microsoft.Authorization/policySetDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\", enforcementMode: authorization.EnforcementMode.Default, displayName: \"Deny PaaS resources with public network access\", }); </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 3.x; 4.x; 8.x | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7; AC-4 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals AzureActivity write events on data-plane services (Microsoft.Storage/storageAccounts, Microsoft.KeyVault/vaults, Microsoft.Sql/servers, Microsoft.DocumentDB/databaseAccounts) where publicNetworkAccess flips from Disabled to Enabled. AzureActivity Microsoft.Network/privateEndpoints/delete on a private endpoint that was the sole replacement for the public surface — silent fallback to public access if combined with a public-network-access flip. AzureActivity write events on data-plane firewalls (e.g. networkAcls.defaultAction = Allow) — equivalent regression even when public-network-access stays disabled. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue endswith \"/write\" | where ResourceId has_any (\"Microsoft.Storage/storageAccounts\", \"Microsoft.KeyVault/vaults\", \"Microsoft.Sql/servers\", \"Microsoft.DocumentDB/databaseAccounts\", \"Microsoft.CognitiveServices/accounts\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"publicNetworkAccess\\\":\\\"Enabled\\\"\" or body has \"\\\"defaultAction\\\":\\\"Allow\\\"\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. 
Persist as a Sentinel analytics rule with severity High; private-endpoint posture regression is one of the highest-impact data-plane control failures. Alert threshold Any public-network-access flip to Enabled on a data-plane service holding production data — page on first occurrence. Delete of a private endpoint without a same-window creation of a replacement — page; data-plane reachability has changed even if the resource flag did not. Initial response Flip publicNetworkAccess back to Disabled via the IaC baseline; capture the AzureActivity Caller and the resource-graph diff as the rollback ledger. Walk the data-plane diagnostic stream (StorageBlobLogs, AzureDiagnostics for Key Vault category AuditEvent, SQLSecurityAuditEvents) for the exposure window — any successful read from a public IP should be considered exfiltration-pending-review. Escalate per general/ir.html — confirm the Azure Policy Public network access should be disabled for {service} set remains in deny mode at the management-group root. References Microsoft Learn — Private Endpoint overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-net-04-private-endpoint ! HIGH PREVENTIVE Front PaaS services accessed from VNets with Private Endpoints, not Service Endpoints. A Private Endpoint surfaces a private IP inside a chosen workload subnet that fronts the PaaS resource via Azure Private Link, integrates with a Private DNS Zone so the public PaaS FQDN resolves to the private IP from inside the VNet, and lets the upstream policy in azure-net-03 hold (Microsoft Learn — Private Endpoint overview (accessed 2026-05)). The principle is reinforced in General Network — zero trust: never traverse a network you do not control. Anti-pattern to flag: Service Endpoints (the legacy pattern, Microsoft.Storage etc. 
on a subnet) keep traffic on the Azure backbone but the PaaS service still exposes a public IP, so the public attack surface remains; Private Endpoints expose a private IP inside the VNet and remove the public attack surface entirely. Service Endpoints survive only for backwards-compatibility — new code should always use Private Endpoints. HIGH PREVENTIVE because this is the implementation pattern that makes the CRITICAL policy in azure-net-03 enforceable in workload code. MITIGATES: Service-call traffic from workloads to PaaS resources traversing the public internet where TLS is the only barrier; cross-tenant confused-deputy patterns where lack of network-side controls means identity is the only gate; DNS-side leakage of which PaaS resources a workload uses. ATTACK VECTOR: A workload in vnet-app-prod calls kv-app-prod.vault.azure.net over the public Key Vault endpoint via the NAT/Internet path. An attacker who compromises the workload can do the same — including any vault the workload's managed identity has RBAC on — and the call leaves the workload's VNet entirely. With a Private Endpoint in snet-pe-data + a Private DNS Zone link, the FQDN resolves to a 10.x address inside the VNet, the Key Vault public endpoint is unreachable (per azure-net-03), and the call cannot leave the corporate network even if the workload tries. BLAST RADIUS: Per PaaS resource: each Private Endpoint is a 1:1 binding to one PaaS resource (or one sub-resource — e.g. Storage Account has separate group IDs for blob, file, queue, table, dfs). The Private DNS Zone link applies to every VNet that subscribes to it. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Resolve the resource id of the target Storage Account. STORAGE_ID=$(az storage account show \\ --resource-group rg-data-prod-westeu \\ --name stappprodwesteu001 --query id -o tsv) # Create a Private Endpoint in the workload PE subnet for the blob sub-resource. 
az network private-endpoint create \\ --resource-group rg-net-prod-westeu \\ --name pe-stappprodwesteu001-blob \\ --vnet-name vnet-app-prod-westeu \\ --subnet snet-pe-data \\ --private-connection-resource-id \"$STORAGE_ID\" \\ --group-id blob \\ --connection-name pec-stappprodwesteu001-blob \\ --location westeurope # Create the Private DNS Zone and link the workload VNet to it. az network private-dns zone create \\ --resource-group rg-net-prod-westeu \\ --name privatelink.blob.core.windows.net az network private-dns link vnet create \\ --resource-group rg-net-prod-westeu \\ --zone-name privatelink.blob.core.windows.net \\ --name pdz-link-vnet-app-prod \\ --virtual-network vnet-app-prod-westeu \\ --registration-enabled false # Wire the Private Endpoint's A record into the zone. az network private-endpoint dns-zone-group create \\ --resource-group rg-net-prod-westeu \\ --endpoint-name pe-stappprodwesteu001-blob \\ --name pdzg-blob \\ --private-dns-zone privatelink.blob.core.windows.net \\ --zone-name blob</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_private_dns_zone\" \"blob\" { name = \"privatelink.blob.core.windows.net\" resource_group_name = azurerm_resource_group.net.name } resource \"azurerm_private_dns_zone_virtual_network_link\" \"blob_app\" { name = \"pdz-link-vnet-app-prod\" resource_group_name = azurerm_resource_group.net.name private_dns_zone_name = azurerm_private_dns_zone.blob.name virtual_network_id = azurerm_virtual_network.workload.id registration_enabled = false } resource \"azurerm_private_endpoint\" \"storage_blob\" { name = \"pe-stappprodwesteu001-blob\" resource_group_name = azurerm_resource_group.net.name location = azurerm_resource_group.net.location subnet_id = azurerm_subnet.pe_data.id private_service_connection { name = \"pec-stappprodwesteu001-blob\" private_connection_resource_id = azurerm_storage_account.app.id 
subresource_names = [\"blob\"] is_manual_connection = false } private_dns_zone_group { name = \"pdzg-blob\" private_dns_zone_ids = [azurerm_private_dns_zone.blob.id] } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Resource ID of the PaaS service being wrapped (e.g. Storage / KV / SQL).') param targetResourceId string @description('Group ID for the private endpoint (e.g. blob, vault, sqlServer).') param groupId string @description('Subnet ID hosting the endpoint NIC.') param subnetId string param location string = resourceGroup().location resource pe 'Microsoft.Network/privateEndpoints@2024-03-01' = { name: 'pe-${groupId}-${uniqueString(targetResourceId)}' location: location properties: { subnet: { id: subnetId } privateLinkServiceConnections: [ { name: 'plsc' properties: { privateLinkServiceId: targetResourceId groupIds: [groupId] } } ] } } </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 6.x (verify) | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-7(8); AC-4 | ISO/IEC 27001:2022: A.8.20; A.8.22 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals AzureActivity Microsoft.Network/privateEndpoints/privateLinkServiceConnections/write creating a connection request from a subscription outside the documented internal-consumer set — possible cross-tenant Private Link abuse. AzureActivity Microsoft.Network/privateLinkServices/privateEndpointConnections/write where connectionState = Approved is set by an unexpected approver identity — bypasses the four-eyes service-exposure flow. AzureDiagnostics ResourceProvider = \"MICROSOFT.NETWORK\" Category PrivateLinkServiceAnonymous events — surface anomalies in connection requests pre-approval. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Network/privateLinkServices/privateEndpointConnections/write\", \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections/write\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"Approved\" or body has \"Pending\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Approval of a Private Link connection from an unknown subscription is the canonical pivot signal for cross-tenant data egress; persist as a Sentinel analytics rule with severity Medium and route to the data-plane service owner. Alert threshold Approval issued by an identity that is not on the Private Link approval allow-list — page on first occurrence. Connection request from a subscription outside the documented consumer set — page even at the Pending stage so the approval flow does not autocomplete. Initial response Reject the connection via az network private-endpoint-connection reject; capture the requester subscription and AzureActivity Caller as the ledger. Walk the data-plane diagnostic stream for the exposure window — every dataplane operation from the Private Link CIDR during the connection should be reconciled with the requester's claimed purpose. Escalate per general/ir.html — confirm the Azure Policy enforcing manual approval on Private Link Services remains assigned at the resource provider scope. References Microsoft Learn — Azure Private Link service overview (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-net-05-front-door-waf ! 
HIGH PREVENTIVE Front internet-facing web traffic with Azure Front Door Premium and attach a WAF Premium policy carrying the Microsoft-managed Default Rule Set (DRS) 2.1 and the Bot Manager Rule Set; use custom rules only for tenant-specific exceptions (Microsoft Learn — Azure Front Door WAF overview (accessed 2026-05)). Front Door WAF is global and runs at the Microsoft edge, inspecti"},{"id":"azure/workloads.html","url":"azure/workloads.html","title":"Azure Workloads Hardening — Cloud Hardening Guide","breadcrumb":"Home Azure Workloads","description":"Azure workloads hardening: VM Trusted Launch, JIT + Bastion, ACR quarantine + Defender for Containers, Defender for Servers Plan 2, Function managed identity, AKS Workload Identity + Cilium, Shared Image Gallery, Update Manager.","body":"Azure Workloads Hardening Overview This page covers Microsoft Azure workload hardening across the compute surfaces that decide whether an attacker who lands code execution on a single VM, container, or function can pivot to credentials, sibling workloads, or the Azure Resource Manager control plane. Scope is the Azure commercial regions; Azure Government and Azure operated by 21Vianet (China) inherit the same controls but expose a different sovereign endpoint suffix, a different Microsoft Entra ID (formerly Azure Active Directory) tenant topology, and a slightly different Defender for Cloud plan availability matrix — re-verify the per-region plan availability and the Microsoft Graph endpoint before applying any of the IaC below to a non-commercial cloud. CIS sub-IDs and NIST / ISO mappings throughout this page reference the commercial Microsoft Azure Foundations Benchmark v3.0.0 (Feb 2025) unless explicitly annotated as a post-v3.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. 
The Azure workload model spans three compute planes that map to three distinct hardening conversations. Virtual Machines (Compute) — Linux and Windows guests on Hyper-V — hardened via Trusted Launch (Secure Boot + virtual TPM), Bastion-fronted remote access, Just-in-Time VM Access for residual direct exposure, Defender for Servers Plan 2 (Microsoft Defender for Endpoint auto-deploy + Defender Vulnerability Management + file integrity monitoring + adaptive application controls), Shared Image Gallery golden images, and Azure Update Manager for patch hygiene. Containers — Azure Container Registry (image supply chain), Azure Kubernetes Service (orchestration), Container Apps and Container Instances (managed runtimes) — hardened via ACR quarantine + content trust, Defender for Containers (agentless + agent-based image scanning, runtime detection, Kubernetes posture), Microsoft Entra Workload Identity for pod-to-Azure authentication, and Azure CNI Powered by Cilium for L4/L7 network policy. Serverless — Azure Functions and App Service Web Apps — hardened via system-assigned managed identity, Key Vault references for secrets (no connection strings in app settings), and Easy Auth / Microsoft Entra authentication for HTTP-triggered endpoints. Cross-cutting principles — image / OS hardening, runtime security, supply chain, secrets in workloads, and patch management — are owned by the General Workloads page; this page maps them to Azure primitives. One canonical-content cross-link to flag at the top, because authoring this page in isolation would otherwise duplicate ~1500 words of canonical material: secrets management for Azure Functions and App Service is documented on the General IAM — secrets management page, not here. 
The Phase 4 canonical-content rule (one canonical treatment per cross-cutting topic) is honoured in azure-work-05: the control covers Function App / App Service system-assigned managed identity and Key Vault references (the Azure-specific how-to), and cross-links to general/iam.html for the Key Vault + secret-rotation reference architecture rather than re-authoring it. The same pattern recurs on azure/data.html for the Key Vault data-plane controls and on azure/iam.html — managed identities for the underlying identity-plane primitive. Three anti-conflation callouts up front, because each pair gets confused in design reviews. First: VM Trusted Launch is a structural primitive (Secure Boot + vTPM), not a metadata-version control. AWS IMDSv2 is a metadata-token handshake that defeats SSRF-to-credentials reflection; Azure has IMDS but no v1/v2 protocol split — IMDS on Azure is already token-and-header-required and runs against a non-routable address with a hop limit of 1 by Azure platform default. The structural workload-integrity primitive on Azure is Trusted Launch: Secure Boot validates the UEFI boot chain against a Microsoft signature database (rejects rootkits that tamper with the bootloader or kernel modules), and a virtual TPM 2.0 measures boot integrity into PCRs that downstream Azure Disk Encryption and remote attestation services can verify (covered as azure-work-01). The cross-provider equivalence to aws-work-01 is structural, not mechanical — both raise the bar against pre-OS and credential-theft attacks, but the surface they harden is different. Do not transpose AWS IMDSv2 framing onto Azure. Second: Azure Bastion is the structural answer; Just-in-Time VM Access is the compensating control. Bastion removes the public IP from the target VM entirely — there is no NSG rule on TCP 22 or 3389 to expose because the management traffic terminates at a managed Microsoft service inside a dedicated AzureBastionSubnet. 
JIT VM Access keeps the public IP but opens the NSG rule for a bounded window on demand, with the request authorised through Defender for Cloud RBAC. Bastion is the default; JIT is the compensating control for legacy workloads that for licensing or vendor-support reasons cannot front via Bastion (covered as azure-work-02). Third: AKS Workload Identity (the umbrella in azure-work-06) replaces Pod Identity; Pod Identity was deprecated 24 October 2022. Microsoft Entra Pod Identity (the managed add-on formerly known as Azure AD Pod Identity) is patched-only until September 2025 and is not the path Microsoft is investing in. New AKS deployments must use Microsoft Entra Workload Identity (OIDC federation between the AKS cluster's OIDC issuer and Entra) — covered as a single umbrella control in azure-work-06 alongside Azure CNI Powered by Cilium (Azure NPM retiring September 2028), private API server, and Defender for Containers integration. Do not author Pod Identity into new code; reference it only with deprecation framing. Order matters. Controls 01–02 are foundational invariants for every VM: Trusted Launch closes the pre-OS attack surface and removes guest tampering as a credible vector, Bastion + JIT closes the remote-access surface. Controls 03–04 close the container and vulnerability-assessment loop: ACR quarantine holds an image push until Defender for Containers clears its vulnerability scan, Defender for Servers Plan 2 provides continuous EDR + vulnerability assessment + FIM across Linux and Windows VMs. Control 05 hardens Function App / App Service identity. Control 06 hardens AKS as a single umbrella. Control 07 establishes golden-image provenance via Shared Image Gallery + Azure Image Builder. Control 08 handles ongoing patch hygiene via Azure Update Manager (the canonical Azure patching plane, successor to Update Management Center). The page is structured so a reader can skim 01–02 for the everyday VM baseline, then dip into 03–08 by service area as needed. 
Equivalence callouts at the bottom of each control point to the matching control on the AWS, GCP, and OCI sibling pages — note that the AWS callouts are bidirectional and load-bearing (the Phase 6 AWS page links INTO the IDs on this page, and the Phase 7 equivalence gate auto-promotes those links from graceful-skip to strict once the control boxes here exist). Subscription and management-group scope: Azure Policy at the root management group enforces tenant-wide invariants (Trusted Launch required on new VMs, Defender plans enabled, allowed VM SKUs, required tagging) and is the single most important lever for keeping the controls below from drifting out of compliance once dozens of subscriptions and thousands of VMs exist. azure-work-01-trusted-launch ! CRITICAL PREVENTIVE Every Azure VM (Linux or Windows) must be deployed with Trusted Launch enabled — Secure Boot on, virtual TPM 2.0 on — and the requirement must be pinned at the root management group via an Azure Policy assignment that denies VM creation with securityProfile.securityType other than TrustedLaunch (Confidential VMs additionally require Trusted Launch as a prerequisite) — see Microsoft Learn — Azure Trusted Launch for VMs (accessed 2026-05). Secure Boot validates the UEFI boot chain against the Microsoft-managed signature database, rejecting bootkits that tamper with the bootloader or unsigned kernel modules; the virtual TPM measures boot integrity into PCRs that Azure Disk Encryption and the Azure Attestation service can later verify. PITFALL 11 — Gen2 prerequisite is non-negotiable. Trusted Launch requires a Generation 2 VM SKU (UEFI boot) and a Generation 2 image — Gen1 legacy gallery images (BIOS boot) cannot enable Trusted Launch under any flag combination. Inventory existing Gen1 VMs before assigning the deny policy and refresh them through azure-work-07 (Shared Image Gallery + Azure Image Builder) onto Gen2 hardened base images. 
The default-on posture for newly published gallery images (since November 2023) handles the green-field case; the brown-field case is where this control earns its severity. Anti-conflation vs the AWS sibling: aws-work-01-imdsv2-mandatory defeats the SSRF-to-credentials reflection on the metadata service; azure-work-01 closes the pre-OS firmware attack surface. The equivalence is structural — both raise the workload-integrity bar — but the mechanism and the threat model are different. MITIGATES: Pre-OS persistence (bootkits, rootkits in the EFI System Partition), guest-kernel module tampering by an attacker with brief root access, and physical-tamper attacks in shared-tenant scenarios — by anchoring the boot chain to a Microsoft signature database and to a hardware-backed (virtual) TPM that an in-guest attacker cannot forge. ATTACK VECTOR: A long-lived Linux VM in production is compromised via a Day-1 unpatched CVE in a privileged daemon; the attacker installs a kernel module that hides their process tree and persists by patching the GRUB2 bootloader so the module reloads after reboot. Without Secure Boot, the patched bootloader runs unchallenged on every restart and the implant survives even after the original CVE is patched and the daemon hardened. Trusted Launch refuses to boot the modified loader and the persistence chain breaks. Compounds across long-running stateful workloads (databases, identity directories) where rebuild-from-known-good is operationally expensive. BLAST RADIUS: Per VM the policy applies to; per region the policy is assigned at. An organisation-wide deny policy at the root management group turns Trusted Launch into a tenant-wide invariant — every new VM is forced into the validated boot chain at create time. Pre-existing Gen1 VMs require explicit refresh via azure-work-07. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Inventory: list VMs and their security profile across all subscriptions. 
for sub in $(az account list --query '[].id' -o tsv); do az vm list --subscription \"$sub\" --show-details \\ --query \"[].{sub:'$sub', name:name, rg:resourceGroup, gen:storageProfile.imageReference.sku, sec:securityProfile.securityType}\" \\ -o tsv done # Create a new Gen2 VM with Trusted Launch (Secure Boot + vTPM). az vm create \\ --resource-group rg-app-prod-westeu \\ --name vm-app-01 \\ --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \\ --size Standard_D4s_v5 \\ --security-type TrustedLaunch \\ --enable-secure-boot true \\ --enable-vtpm true \\ --admin-username azureuser \\ --generate-ssh-keys # Assign the built-in policy at the root management group to force the property tenant-wide. # Built-in: \"Guest Attestation extension should be installed on supported Linux virtual machines\" # Built-in: \"vTPM should be enabled on supported virtual machines\" # Built-in: \"Secure Boot should be enabled on supported Windows virtual machines\" az policy assignment create \\ --name pa-trusted-launch-required \\ --scope \"/providers/Microsoft.Management/managementGroups/tenant-root\" \\ --policy-set-definition \"/providers/Microsoft.Authorization/policySetDefinitions/<trusted-launch-initiative-id>\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_resource_group\" \"app\" { name = \"rg-app-prod-westeu\" location = \"westeurope\" } resource \"azurerm_network_interface\" \"vm\" { name = \"nic-vm-app-01\" resource_group_name = azurerm_resource_group.app.name location = azurerm_resource_group.app.location ip_configuration { name = \"ipcfg\" subnet_id = var.app_subnet_id private_ip_address_allocation = \"Dynamic\" } } resource \"azurerm_linux_virtual_machine\" \"app\" { name = \"vm-app-01\" resource_group_name = azurerm_resource_group.app.name location = azurerm_resource_group.app.location size = \"Standard_D4s_v5\" admin_username = \"azureuser\" 
network_interface_ids = [azurerm_network_interface.vm.id] # Trusted Launch (PITFALL 11: requires Gen2 image + Gen2 SKU) secure_boot_enabled = true vtpm_enabled = true admin_ssh_key { username = \"azureuser\" public_key = var.admin_ssh_public_key } os_disk { caching = \"ReadWrite\" storage_account_type = \"Premium_LRS\" } # Gen2 image — Trusted Launch will refuse to apply against a Gen1 SKU. source_image_reference { publisher = \"Canonical\" offer = \"0001-com-ubuntu-server-jammy\" sku = \"22_04-lts-gen2\" version = \"latest\" } tags = { tier = \"prod\", owner = \"platform-compute\" } } # Tenant-wide enforcement at the root management group. resource \"azurerm_management_group_policy_assignment\" \"trusted_launch_required\" { name = \"trusted-launch-required\" management_group_id = \"/providers/Microsoft.Management/managementGroups/tenant-root\" policy_definition_id = var.trusted_launch_initiative_id description = \"Require Secure Boot + vTPM on all new VMs (Trusted Launch)\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Hardened-by-default Linux VM with Trusted Launch (Secure Boot + vTPM).') param vmName string @description('Subnet ID for the VM NIC.') param subnetId string @description('Admin SSH public key.') @secure() param adminPublicKey string param location string = resourceGroup().location resource nic 'Microsoft.Network/networkInterfaces@2024-03-01' = { name: '${vmName}-nic' location: location properties: { ipConfigurations: [ { name: 'ipconfig' properties: { subnet: { id: subnetId }, privateIPAllocationMethod: 'Dynamic' } } ] } } resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = { name: vmName location: location identity: { type: 'SystemAssigned' } properties: { hardwareProfile: { vmSize: 'Standard_D4ds_v5' } securityProfile: { securityType: 'TrustedLaunch' uefiSettings: { secureBootEnabled: true vTpmEnabled: true } } osProfile: { computerName: vmName adminUsername: 'azureuser' 
linuxConfiguration: { disablePasswordAuthentication: true ssh: { publicKeys: [{ path: '/home/azureuser/.ssh/authorized_keys', keyData: adminPublicKey }] } } } storageProfile: { imageReference: { publisher: 'Canonical', offer: '0001-com-ubuntu-server-jammy', sku: '22_04-lts-gen2', version: 'latest' } osDisk: { createOption: 'FromImage' managedDisk: { storageAccountType: 'Premium_LRS' } deleteOption: 'Delete' } } networkProfile: { networkInterfaces: [{ id: nic.id }] } } } </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as compute from \"@pulumi/azure-native/compute\"; new compute.VirtualMachine(\"vm-trusted-launch\", { resourceGroupName: \"<rg>\", hardwareProfile: { vmSize: \"Standard_D4ds_v5\" }, identity: { type: compute.ResourceIdentityType.SystemAssigned }, securityProfile: { securityType: compute.SecurityTypes.TrustedLaunch, uefiSettings: { secureBootEnabled: true, vTpmEnabled: true }, }, storageProfile: { imageReference: { publisher: \"Canonical\", offer: \"0001-com-ubuntu-server-jammy\", sku: \"22_04-lts-gen2\", version: \"latest\", }, osDisk: { createOption: compute.DiskCreateOptionTypes.FromImage, managedDisk: { storageAccountType: compute.StorageAccountTypes.Premium_LRS } }, }, osProfile: { computerName: \"vm-tl\", adminUsername: \"azureuser\", linuxConfiguration: { disablePasswordAuthentication: true }, }, networkProfile: { networkInterfaces: [{ id: \"<nic-id>\" }] }, }); </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: 7.x (verify) | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: AC-3; CM-7; SC-8 | ISO/IEC 27001:2022: A.8.20; A.8.25 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals AzureActivity Microsoft.Compute/virtualMachines/write where the request body sets securityProfile.securityType from TrustedLaunch to Standard on an existing VM — disables Secure Boot and vTPM enforcement. 
AzureActivity VM creation events where securityProfile.uefiSettings.secureBootEnabled is false on a workload tagged production. AzureActivity scale-set updates that mass-disable vTpmEnabled across an instance fleet — fleet-wide regression. Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Compute/virtualMachines/write\", \"Microsoft.Compute/virtualMachineScaleSets/write\") | extend body = tostring(parse_json(Properties).requestbody) | where body has \"\\\"securityType\\\":\\\"Standard\\\"\" or body has \"\\\"secureBootEnabled\\\":false\" or body has \"\\\"vTpmEnabled\\\":false\" | project TimeGenerated, Caller, ResourceId, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Trusted Launch downgrade is rare and intentional; persist as a Sentinel analytics rule with severity Medium and require an attached governance ticket reference. Alert threshold Any flip of securityType back to Standard on a production VM — page on first occurrence. Scale-set update touching more than 5 instances with vTPM or Secure Boot disablement — page; treat as fleet-scale supply-chain event. Initial response Reapply Trusted Launch via the IaC baseline; capture the AzureActivity Caller and the prior VM-resource JSON as the rollback ledger. Walk Defender for Servers Guest Configuration assessments for the affected VM — boot integrity assessment going from PASS to FAIL after the change confirms the impact. Escalate per general/ir.html — confirm Azure Policy Virtual machines should have Secure Boot enabled and Virtual machines should have vTPM enabled remain in deny mode at the management group. References Microsoft Learn — Trusted Launch for Azure virtual machines (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-work-02-jit-bastion ! 
HIGH PREVENTIVE Remote administrative access to Azure VMs must terminate at Azure Bastion Standard — a managed Microsoft service deployed into a dedicated AzureBastionSubnet that brokers RDP and SSH over TLS from the Azure portal (and from native clients via the Standard SKU) — with no public IP and no NSG rule on TCP 22 or 3389 on the target VM. For workloads that for licensing or vendor-support reasons cannot front via Bastion, Defender for Cloud Just-in-Time VM Access serves as the compensating control: the NSG rule for the management port is normally absent and is added for a bounded window (typically ≤3 hours) on a per-request basis, authorised through Defender for Cloud RBAC and audited in the Activity Log (Microsoft Learn — Azure Bastion overview (accessed 2026-05); Microsoft Learn — Defender for Cloud Just-in-Time VM Access (accessed 2026-05)). Bastion-Standard adds session recording (when integrated with Log Analytics), native-client support (az network bastion ssh / tunnel), and scale (host scale-units for high-throughput tenants); Bastion-Basic is acceptable for lower-tier subscriptions but loses native-client and scaling. Conditional Access policies on the Microsoft Entra users authorised to launch Bastion sessions add MFA + device-compliance enforcement to the management plane. Anti-conflation vs the AWS sibling: aws-work-02-ssm-session-manager uses an SSM agent inside the instance to broker the session through the AWS API plane (no inbound network path at all); Azure Bastion uses a managed bastion VM in a service-managed subnet that brokers the session over TLS — equivalent threat posture (no exposed management port on the target), different architectural primitive. MITIGATES: Internet exposure of SSH/RDP/SQL admin ports; credential brute force and pre-authentication CVE exploitation against management daemons; lateral movement from a compromised jump host; ad-hoc \"temporary\" NSG rule openings that never get closed. 
ATTACK VECTOR: An engineer opens an NSG rule allowing TCP 22 from Internet for a \"quick debug\" session on a production jump host. The rule is never reverted. Within hours, distributed brute-force traffic from compromised residential IPs probes for SSH passwords. If MFA is not enforced on the SSH path (and on bastion-style jump hosts it often isn't), a single weak credential leaks the entire downstream VLAN. With Bastion, there is no public IP on the jump host to brute-force in the first place; with JIT, the rule is absent by default and the request to open it is audited and time-bounded. BLAST RADIUS: Per VM (when JIT is the only control) or per VNet (when Bastion is the only ingress path). At organisation scale, a default-Bastion posture combined with an Azure Policy that denies Microsoft.Network/networkSecurityGroups/securityRules creates with sourceAddressPrefix == \"Internet\" on ports 22/3389 makes ad-hoc management-port exposure impossible. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Audit: enumerate VMs with public IPs and NSG rules opening 22/3389 from the Internet tag. for sub in $(az account list --query '[].id' -o tsv); do az network nsg list --subscription \"$sub\" --query '[].id' -o tsv | while read nsg_id; do az network nsg rule list --ids \"$nsg_id\" \\ --query \"[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='Internet' || sourceAddressPrefix=='*') && (contains(destinationPortRanges, '22') || contains(destinationPortRanges, '3389'))].{nsg:'$nsg_id', name:name}\" \\ -o tsv done done # Deploy Azure Bastion (Standard) into the dedicated AzureBastionSubnet. 
az network vnet subnet create \\ --resource-group rg-net-hub-westeu \\ --vnet-name vnet-hub-westeu \\ --name AzureBastionSubnet \\ --address-prefixes 10.0.255.0/26 az network public-ip create \\ --resource-group rg-net-hub-westeu \\ --name pip-bastion-hub \\ --sku Standard --allocation-method Static az network bastion create \\ --resource-group rg-net-hub-westeu \\ --name bastion-hub \\ --vnet-name vnet-hub-westeu \\ --public-ip-address pip-bastion-hub \\ --sku Standard \\ --enable-tunneling true # Enable JIT VM Access on residual VMs that cannot front via Bastion. az security jit-policy create \\ --resource-group rg-app-legacy-westeu \\ --location westeurope \\ --name default \\ --kind Basic \\ --virtual-machines '[{\"id\":\"<vm-resource-id>\",\"ports\":[{\"number\":22,\"protocol\":\"TCP\",\"allowedSourceAddressPrefix\":\"<corp-vpn-cidr>\",\"maxRequestAccessDuration\":\"PT3H\"}]}]'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_subnet\" \"bastion\" { name = \"AzureBastionSubnet\" resource_group_name = azurerm_resource_group.net.name virtual_network_name = azurerm_virtual_network.hub.name address_prefixes = [\"10.0.255.0/26\"] } resource \"azurerm_public_ip\" \"bastion\" { name = \"pip-bastion-hub\" resource_group_name = azurerm_resource_group.net.name location = azurerm_resource_group.net.location allocation_method = \"Static\" sku = \"Standard\" } resource \"azurerm_bastion_host\" \"hub\" { name = \"bastion-hub\" resource_group_name = azurerm_resource_group.net.name location = azurerm_resource_group.net.location sku = \"Standard\" # Standard-SKU features tunneling_enabled = true copy_paste_enabled = true file_copy_enabled = false shareable_link_enabled = false ip_connect_enabled = true scale_units = 2 ip_configuration { name = \"ipcfg\" subnet_id = azurerm_subnet.bastion.id public_ip_address_id = azurerm_public_ip.bastion.id } } # Defender for Cloud 
JIT VM Access — compensating control for legacy VMs. # JIT policy is currently authored via Azure Policy / az security jit-policy; # the azurerm_security_center_subscription_pricing resource enables the Defender for Servers # plan that licenses the feature. resource \"azurerm_security_center_subscription_pricing\" \"servers\" { tier = \"Standard\" resource_type = \"VirtualMachines\" subplan = \"P2\" }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Azure Bastion (Standard SKU) replaces public RDP/SSH.') param bastionName string @description('Subnet named AzureBastionSubnet (/26).') param bastionSubnetId string @description('Standard SKU public IP resource ID.') param publicIpId string param location string = resourceGroup().location resource bastion 'Microsoft.Network/bastionHosts@2024-03-01' = { name: bastionName location: location sku: { name: 'Standard' } properties: { disableCopyPaste: false enableTunneling: true enableShareableLink: false enableIpConnect: false ipConfigurations: [ { name: 'bastion-ipconfig' properties: { subnet: { id: bastionSubnetId } publicIPAddress: { id: publicIpId } } } ] } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a7.x (verify)n/an/a AC-17; AC-17(3); AU-2A.8.5; A.8.15CLD.9.5.1 Log signals AzureActivity Microsoft.Security/locations/jitNetworkAccessPolicies/delete on a JIT policy that previously gated VM admin access — silently removes the time-bound NSG-open path. AzureActivity Microsoft.Network/bastionHosts/delete on a Bastion attached to a production VNet — operators may pivot to direct SSH/RDP rules instead. MicrosoftAzureBastionAuditLogs entries showing session disconnects spike followed by AzureActivity NSG-rule writes that open TCP 22/3389 on the same VNet — supply-chain pivot from Bastion to raw NSG access. 
Query <code class=\"language-sql\">AzureActivity | where OperationNameValue in (\"Microsoft.Security/locations/jitNetworkAccessPolicies/delete\", \"Microsoft.Network/bastionHosts/delete\", \"Microsoft.Network/networkSecurityGroups/securityRules/write\") | extend body = tostring(parse_json(Properties).requestbody) | where OperationNameValue endswith \"Delete\" or (body has \"\\\"22\\\"\" or body has \"\\\"3389\\\"\") | project TimeGenerated, Caller, ResourceId, OperationNameValue, body | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. Pair with the Bastion audit-log baseline — sustained Bastion-session activity that abruptly drops while NSG admin rules appear is the canonical pivot signal. Alert threshold JIT policy delete on a production VM — page immediately. Bastion delete followed within 24h by NSG admin-port Allow on the same VNet — page; the operator path has shifted off the audited surface. Initial response Restore the JIT policy and the Bastion via the IaC baseline; delete the NSG admin-port Allow rule introduced in the gap window. Walk SigninLogs and AzureActivity for the exposure window for any VM management operation issued from a principal that did not also use Bastion — these are candidate raw-port-access events. Escalate per general/ir.html — confirm Azure Policy Internet-facing virtual machines should be protected with NSGs and Just-in-time access should be enabled for VMs remain in deny mode. References Microsoft Learn — just-in-time VM access in Defender for Cloud (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-work-03-acr-scanning ! 
HIGH DETECTIVE Every Azure Container Registry holding images destined for production workloads must run on the Premium SKU with quarantine_policy_enabled = true (the push is held in a quarantined state until a vulnerability scan clears or an explicit override is recorded), with Microsoft Defender for Containers enabled at the subscription so that registry images and running cluster images are scanned continuously (agent-based for AKS, agentless for non-AKS targets), and with the registry content-trust / signed-images policy enabled so downstream consumers (AKS, Container Apps, Function App container deployments) refuse unsigned tags (Microsoft Learn — ACR content trust (accessed 2026-05); Microsoft Learn — Defender for Containers (accessed 2026-05)). ACR Tasks with base-image-trigger-enabled = true automatically rebuild downstream tags when a base image is updated, closing the \"old node-based image, fresh CVE in libcrypto\" gap that bites long-lived production images. Defender for Containers replaces the legacy \"Defender for container registries\" plan and additionally provides Kubernetes-runtime threat detection, admission controller integration, and Kubernetes posture (CIS Kubernetes Benchmark assessment) — but the registry-scanning slice is the part that earns this control's HIGH DETECTIVE severity. Pair-control prose: this control covers the image supply chain at the registry boundary; azure-work-06 covers the AKS cluster posture that consumes those images; azure-data-07 covers sensitive-data discovery inside the running data plane. The three controls are complementary; image scanning at the registry is not a substitute for runtime detection in the cluster. 
MITIGATES: Vulnerable images promoted to production unscanned; tampered images injected through a compromised CI pipeline; old base images carrying unpatched CVEs in OpenSSL, glibc, log4j-style runtime libraries; supply-chain attacks where a published base-image tag is silently re-pointed to a malicious layer. ATTACK VECTOR: A CI/CD pipeline pushes a freshly built application image to ACR. The base image was pinned to ubuntu:22.04 14 months ago and has accumulated 30+ high-severity CVEs since. Without quarantine + scanning, the image promotes to AKS and runs as the workload identity for a Kubernetes deployment that talks to the production database. An attacker who lands an exploit against any of the 30+ CVEs has working code execution inside the cluster, talking to the database through the workload identity. With Defender for Containers + quarantine enabled, the push is held, the high-severity findings surface in Defender for Cloud, and the pipeline blocks the promotion until the base image is refreshed via ACR Tasks. BLAST RADIUS: Per registry: every image push held until vulnerability scan clears. Per cluster: every running image continuously assessed via agentless scanning. Tenant-wide: subscription-level enablement of the Defender for Containers plan amortises the cost and the visibility. Remediation — Azure CLI <code class=\"language-bash\"># Azure CLI 2.x # Upgrade ACR to Premium and enable content trust. az acr update \\ --name acrprodweu \\ --sku Premium az acr config content-trust update \\ --registry acrprodweu \\ --status enabled # Retention policy: purge untagged manifests after 30 days (this is not the quarantine gate). az acr config retention update --registry acrprodweu --status enabled --days 30 --type UntaggedManifests # Quarantine is currently set via the management API / ARM template; az acr update --quarantine # was the legacy verb. Use ARM/Terraform for the canonical declaration (below). # Enable Defender for Containers at the subscription. 
az security pricing create \\ --name Containers \\ --tier Standard # ACR Task: rebuild on base-image update. az acr task create \\ --registry acrprodweu \\ --name app-base-rebuild \\ --image app:{{.Run.ID}} \\ --context https://github.com/example/app.git \\ --file Dockerfile \\ --base-image-trigger-enabled true \\ --commit-trigger-enabled true \\ --git-access-token \"$GH_PAT\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform AzureRM provider ~> 3.0 # Source: Microsoft Learn (accessed 2026-05) resource \"azurerm_container_registry\" \"prod\" { name = \"acrprodweu\" resource_group_name = azurerm_resource_group.app.name location = azurerm_resource_group.app.location sku = \"Premium\" admin_enabled = false # Quarantine: hold image push until scan clears (Premium only). quarantine_policy_enabled = true # Content trust: signed images required. trust_policy { enabled = true } # Vulnerability scanning is delivered via Defender for Containers — see plan below. retention_policy { days = 30 enabled = true } # No public network access; consume via Private Endpoint. public_network_access_enabled = false network_rule_set { default_action = \"Deny\" } } # Subscription-level Defender for Containers plan enables registry + runtime scanning. resource \"azurerm_security_center_subscription_pricing\" \"containers\" { tier = \"Standard\" resource_type = \"Containers\" } # ACR Task: rebuild on base-image change. 
resource \"azurerm_container_registry_task\" \"rebuild\" { name = \"app-base-rebuild\" container_registry_id = azurerm_container_registry.prod.id platform { os = \"Linux\" } docker_step { dockerfile_path = \"Dockerfile\" context_path = \"https://github.com/example/app.git\" context_access_token = var.github_pat image_names = [\"app:{{.Run.ID}}\"] } base_image_trigger { name = \"default-base-image-trigger\" type = \"Runtime\" enabled = true update_trigger_payload_type = \"Default\" } }</code> Remediation — Bicep <code class=\"language-bicep\">targetScope = 'resourceGroup' @description('Container Registry with Defender vuln scanning + content trust + public access disabled.') param acrName string param location string = resourceGroup().location resource acr 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = { name: acrName location: location sku: { name: 'Premium' } identity: { type: 'SystemAssigned' } properties: { adminUserEnabled: false publicNetworkAccess: 'Disabled' policies: { trustPolicy: { status: 'enabled', type: 'Notary' } retentionPolicy: { status: 'enabled', days: 90 } quarantinePolicy: { status: 'enabled' } exportPolicy: { status: 'disabled' } } networkRuleSet: { defaultAction: 'Deny' } encryption: { status: 'enabled' } } } </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a(best-practices)n/an/a RA-5; SI-3; SA-11A.8.8; A.8.29CLD.12.4.5 Log signals ContainerRegistryRepositoryEvents showing operationName = \"Push\" on an ACR repository where the subsequent Defender for Containers scan report never lands — scan pipeline disconnected. AzureActivity Microsoft.ContainerRegistry/registries/write where the request body removes the policies.quarantinePolicy setting — disables the quarantine-on-push gate. 
AzureDiagnostics Category ContainerRegistryLoginEvents showing pulls from identities outside the documented runtime principals — supply-chain abuse of registry credentials. Query <code class=\"language-sql\">ContainerRegistryRepositoryEvents | where OperationName == \"Push\" | join kind=leftanti ( SecurityAlert | where AlertName has \"Container image\" | extend repo = tostring(parse_json(Entities)[0].name) ) on $left.Repository == $right.repo | project TimeGenerated, Repository, ImageTag, Identity | order by TimeGenerated desc | take 200</code> Run as a KQL query in Log Analytics. The anti-join surfaces image pushes for which no Defender scan completed within the expected SLA — coverage gap rather than per-event policy violation. Persist as a Sentinel analytics rule and pair with daily ACR inventory reconciliation. Alert threshold Image push without a matching Defender scan report within 60 minutes — page; the runtime fleet may already be pulling an unscanned image. ACR pull from an identity outside the documented runtime principal set — page on first occurrence; treat as registry credential abuse. Initial response Manually trigger a scan via az acr repository show --name {acr} --image {repo}:{tag} and the Defender for Containers re-scan API; quarantine the image via tag rename until results return clean. Walk ContainerRegistryLoginEvents for unauthorised pulls; rotate the registry credentials for any non-managed-identity principal that was active during the exposure window. Escalate per general/ir.html — confirm Azure Policy Container registries should have vulnerability scan completed remains in audit-deny mode and that downstream AKS clusters pull only from the documented ACR. References Microsoft Learn — ACR image vulnerability assessment with Defender for Cloud (accessed 2026-05) Cross-provider equivalence: AWS · GCP · OCI Equivalent on: AWS · GCP · OCI azure-work-04-defender-for-servers ! 
HIGH DETECTIVE Microsoft Defender for Servers Plan 2 must be enabled subscription-wide for every subscription containing production VMs. Plan 2 auto-deploys Microsoft Defender for Endpoint (the EDR engine, ex-Microsoft Defender Advanced Threat Protection) to every Linux and Windows VM in scope, runs Defender Vulnerability Management for continuous OS + application vulnerability assessment, licenses the Just-in-Time VM Access feature exercised by azure-work-02, enables File Integrity Monitoring (FIM) on a configurable set of paths and registry keys, and provisions Adaptive Application Controls (an allow-list of known-good binaries per VM group) — see Microsoft Learn — Defender for Servers plans (accessed 2026-05). Plan 1 covers Defender for Endpoint deployment only and is acceptable for low-tier subscriptions; Plan 2 is the production baseline because the vulnerability-assessment + FIM + adaptive-application-controls bundle is what makes the EDR signal actionable. Pair-control prose: azure-log-04 enables the Defender for Cloud workload-protection plans subscription-wide as a posture and licensing decision; azure-work-04 authors the per-server-class hardening implications of having Plan 2 specifically (FIM rule sets, adaptive-application-control allow-lists, the JIT-VM-Access integration). The two controls are deliberately separated because they answer different operational questions (which plan tier? vs how do I use it on my Linux fleet?). 
Anti-conflation vs the AWS sibling: aws-work-04-inspector-org covers Amazon Inspector (continuous vu"},{"id":"compliance-matrix.html","url":"compliance-matrix.html","title":"Compliance Matrix — Cloud Hardening Guide","breadcrumb":"Home Compliance Matrix","description":"Cross-provider compliance matrix mapping every control on every domain page to CIS, NIST 800-53 rev5, ISO 27001:2022, and ISO 27017:2015.","body":"Compliance Matrix Overview This page is a single cross-provider view of every control authored in the Cloud Hardening Guide, mapped to the seven compliance frameworks the guide tracks. Each row is one control on one provider domain page; each of the seven framework columns shows the control identifier (or sub-control reference) that the guide's authors consider equivalent to, or covered by, that control. The frameworks are pinned to specific versions so that mappings remain reproducible across audits: CIS AWS Foundations v7.0.0, CIS Microsoft Azure Foundations v6.0.0, CIS GCP Foundation v5.0.0, CIS OCI Foundation v3.1.0, NIST SP 800-53 rev5, ISO/IEC 27001:2022, and ISO/IEC 27017:2015. See general/compliance-frameworks.html for what each framework is, why it is pinned at that version, and how to consume the official source. Cells render as either a hyperlink to the originating control article (when the control is mapped), a literal — (em-dash, when no mapping is recorded), or n/a (post-vX.Y.Z) when the control is best-practice but post-dates the pinned benchmark snapshot. Hovering an unmapped cell reveals a tooltip that distinguishes the post-benchmark case from the true blank — see the Methodology section. Filters Filters are AND-combined. The matrix re-renders client-side; there is no server round-trip. Provider: All AWS Azure GCP OCI Domain: All IAM Network Data Logging Workloads Incident Response Severity: All Critical High Medium Low Control Type: All Preventive Detective Responsive Search title: Reset filters Matrix Click any column header to sort. 
— controls shown. Control Provider Domain Severity Type CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 Coverage summary Per-framework mapping counts computed client-side from the same dataset that drives the table above. Mapped = cell value is a real identifier (not blank, not —, not n/a). Gap = total controls minus mapped. CIS AWS Foundations v7.0.0— / — mapped CIS Microsoft Azure Foundations v6.0.0— / — mapped CIS GCP Foundation v5.0.0— / — mapped CIS OCI Foundation v3.1.0— / — mapped NIST SP 800-53 rev5— / — mapped ISO/IEC 27001:2022— / — mapped ISO/IEC 27017:2015— / — mapped Gaps include controls post-dating the pinned benchmark snapshot (rendered as n/a (post-vX.X.X) in their cell) — the matrix surfaces these deliberately so authors and auditors can see where best-practice controls outpace the benchmark. GenAI Controls The second table covers the 35 GenAI controls across all five GenAI hardening pages (general/genai.html, aws/genai.html, azure/genai.html, gcp/genai.html, oci/genai.html). These controls use a 10-column schema: the seven frameworks from the v1.0 matrix plus three AI-specific frameworks — OWASP LLM Top 10:2025, NIST AI 600-1 (Jul 2024), and EU AI Act (2024/1689). CIS Benchmark cells read n/a (no dedicated CIS GenAI benchmark) for all GenAI controls — no CIS benchmark covering Amazon Bedrock, Azure OpenAI Service, GCP Vertex AI, or OCI Generative AI exists at the v1.1 authoring date (2026-05). Click any column header to sort. — controls shown. (Table is 14 columns wide — scroll horizontally if needed.) 
Control Provider Severity Type CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) GenAI Coverage Summary Coverage across AI-specific framework columns only. CIS columns are intentionally n/a for all GenAI controls. OWASP LLM Top 10:2025— / — mapped NIST AI 600-1 (Jul 2024)— / — mapped EU AI Act (2024/1689)— / — mapped Kubernetes Controls The third table covers the 40 Kubernetes controls across four provider hardening pages (aws/kubernetes.html, azure/kubernetes.html, gcp/kubernetes.html, oci/kubernetes.html). The schema uses ~13 columns: 4 metadata columns plus CIS Kubernetes Benchmark v2.0.0, four provider-specific CIS managed-service columns (CIS EKS v1.8.0, CIS AKS v2.0.0, CIS GKE v1.9.0, CIS OKE v1.8.0), NIST SP 800-53 rev5, ISO/IEC 27001:2022, ISO/IEC 27017:2015, NIST SP 800-190 (Sep 2017), and NSA/CISA K8s Hardening Guide v1.2. Each row populates only its own provider's CIS column; the other three render as —. general/kubernetes.html contributes zero rows (cross-cutting principles page). Click any column header to sort. — controls shown. (Table is ~13 columns wide — scroll horizontally if needed.) Control Provider Severity Type CIS Kubernetes Benchmark v2.0.0 CIS EKS v1.8.0 CIS AKS v2.0.0 CIS GKE v1.9.0 CIS OKE v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA K8s Hardening Guide v1.2 Kubernetes Coverage Summary Coverage across K8s-specific framework columns. CIS managed-service columns are per-provider; coverage counts the rows mapped to each. CIS Kubernetes Benchmark v2.0.0— / — mapped NIST SP 800-190 (Sep 2017)— / — mapped NSA/CISA K8s Hardening Guide v1.2— / — mapped Methodology The matrix is not hand-maintained. 
It is generated by build/make-compliance-matrix.js, a Node script that walks all 24 sealed domain pages under aws/, azure/, gcp/, and oci/, parses each <article class=\"control-box\"> using node-html-parser, extracts the per-control compliance-table, and emits js/compliance-matrix.json as a single source of truth. The domain pages are therefore the canonical authoring surface; this page is a projection. For the broader control-selection methodology — how controls earn their place on a domain page, the severity rubric, and the preventive/detective/responsive taxonomy — see general/methodology.html. Three distinct unmapped cell renderings carry different meanings: — (em-dash): no mapping recorded by the authors; the framework simply does not address this control. n/a: the framework is provider-scoped (e.g. CIS AWS Foundations) and the control belongs to a different provider, so the framework intrinsically cannot map. n/a (post-vX.Y.Z): the control is recognised best-practice but post-dates the pinned benchmark snapshot — a visible gap that the matrix surfaces rather than hides. To rebuild the dataset after editing any domain page: node build/make-compliance-matrix.js (re-emits js/compliance-matrix.json; gates G10.7-G10.12 validate the result). Sources Center for Internet Security — CIS AWS Foundations Benchmark v7.0.0 (accessed 2026-05). Center for Internet Security — CIS Microsoft Azure Foundations Benchmark v6.0.0 (accessed 2026-05). Center for Internet Security — CIS Google Cloud Platform Foundation Benchmark v5.0.0 (accessed 2026-05). Center for Internet Security — CIS Oracle Cloud Infrastructure Foundation Benchmark v3.1.0 (accessed 2026-05). National Institute of Standards and Technology — NIST SP 800-53 rev5: Security and Privacy Controls for Information Systems and Organizations (NIST CSRC, accessed 2026-05). 
International Organization for Standardization — ISO/IEC 27001:2022 Information security management systems — Requirements (ISO catalogue, accessed 2026-05). International Organization for Standardization — ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO catalogue, accessed 2026-05)."},{"id":"gcp/data.html","url":"gcp/data.html","title":"GCP Data Protection Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Data Protection","description":"GCP data protection: Cloud Storage public access prevention, CMEK chain across Cloud Storage / Persistent Disk / Cloud SQL / BigQuery via Cloud KMS, KMS IAM least privilege, key rotation, Sensitive Data Protection (formerly Cloud DLP), Bucket Lock immutability.","body":"GCP Data Protection Hardening Overview This page covers Google Cloud Platform data-at-rest hardening across the surfaces that decide whether an attacker who reaches an authenticated principal — or a misconfigured bucket policy, or a leaked CI/CD service account, or a compromised partner — can read regulated data. Scope is the commercial GCP regions; GCP Sovereign Cloud (formerly Assured Workloads and the Google Cloud Air-Gapped offering) inherits the same controls but exposes a different region table, different service-availability matrices, and tenant topology constraints — re-verify region availability and the relevant cloud.google.com sovereign endpoint documentation before applying any of the IaC below to a sovereign or air-gapped deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Google Cloud Platform Foundation Benchmark v4.0.0 — May 2025 release (accessed 2026-05) unless explicitly annotated as a post-v4.0.0 feature. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. 
The GCP data plane is the product of Cloud Storage (buckets with their own IAM, uniform-bucket-level access toggle, three-layer public-access prevention model, retention policies, and per-bucket default CMEK key reference), Persistent Disks (boot and data volumes for Compute Engine VMs; encrypted at rest by Google-managed keys by default; CMEK is the upgrade for regulated workloads), Cloud SQL (managed MySQL / PostgreSQL / SQL Server with CMEK, Private IP via Service Networking, mandatory SSL, and the Cloud SQL Auth Proxy as the canonical client-connection model), BigQuery (datasets and tables with CMEK at dataset scope, plus policy-tag column-level security delivered through Dataplex Universal Catalog (formerly Data Catalog)), Secret Manager (the canonical secret store; CMEK-capable; audit-logged), Cloud KMS (key rings and crypto keys; software- or HSM-backed; rotation-policy-driven), and Sensitive Data Protection (formerly Cloud DLP — the discovery, profiling, inspection, and de-identification service that crosses every storage primitive above). The cryptographic root for everything regulated is Cloud KMS; the IAM root for Cloud KMS is the per-key (not per-key-ring) policy. The cross-cutting principles — encryption at rest, key management, data classification, data loss prevention, and retention, backup & recovery — are owned by the General Data Protection page; this page maps them to GCP primitives. Encryption in transit lives canonically at General Network — encryption in transit and is not re-authored here (Phase 4 canonical-content rule); the GCP network specifics — TLS termination at Global External HTTPS Load Balancers, Cloud SQL require_ssl = true, internal HTTPS for service-to-service — are covered alongside the GCP network surface at GCP Network Hardening. Three anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. 
First: Cloud Storage public-access prevention has THREE complementary enforcement layers, and missing any one re-opens the leak surface. (a) Organization Policy constraints/storage.publicAccessPrevention applied at organization or folder scope is a tenant-wide invariant that prevents any new bucket — including in projects that do not yet exist — from being created without public-access-prevention enforced. (b) The per-bucket public_access_prevention = \"enforced\" attribute pins the resource-level state and is what audit tools actually read when scanning an existing bucket. (c) uniform_bucket_level_access = true disables the legacy object-level ACL surface entirely so that even a misconfigured per-object grant cannot expose an object to allUsers / allAuthenticatedUsers. The canonical hardened posture sets all three — and that is what gcp-data-01 enforces. This is the GCP analog of the AWS Phase 6 aws-data-01 three-scope BPA pattern and the Azure Phase 7 azure-data-01 four-toggle storage pattern. Second: CMEK at rest (gcp-data-02 / 03 / 04) and KMS IAM (gcp-data-05) form a single cryptographic chain, and compromise of the KMS admin role unwinds the chain. Cloud Storage CMEK, Persistent Disk CMEK, and Cloud SQL CMEK all reference Cloud KMS crypto keys; whichever principal holds roles/cloudkms.admin on those keys can rewrite the key IAM, grant cryptoKeyEncrypterDecrypter to a malicious service account, and read every byte the chain protects. KMS rotation (gcp-data-06) bounds the compromise window of used keying material but does not prevent compromise of the IAM surface — which is why rotation is typed MEDIUM DETECTIVE not PREVENTIVE (PITFALL B-14 application; mirrors the aws-data-06 and azure-data-06 decisions). The control at gcp-data-05 is therefore CRITICAL PREVENTIVE: it is the gating control for every CMEK-backed resource on this page. 
Third: Sensitive Data Protection (formerly Cloud DLP) and Dataplex Universal Catalog (formerly Data Catalog) are two distinct services that are easy to conflate. Sensitive Data Protection is the runtime data-inspection plane — Discovery scans, Data Profiling on BigQuery datasets, Inspect Templates, and De-identification Templates with format-preserving encryption (FPE) and cryptographic hashing — and its API endpoint is still dlp.googleapis.com (which is why \"Cloud DLP API\" is still a current product name even though \"Sensitive Data Protection\" is the consolidated brand). Dataplex Universal Catalog (formerly Data Catalog) is the metadata / governance / lineage plane that hosts policy tags for BigQuery column-level security and taxonomies for data-classification labelling. BigQuery column-level security therefore depends on both: SDP scans identify sensitive columns, and Dataplex Universal Catalog policy tags gate the column reads. The two roles are covered in gcp-data-07 with policy-tag IaC examples folded into the prose; there is no standalone \"BigQuery column-level security\" control on this page because the pre-locked control inventory does not pre-lock one. Order and scope matter. Controls 01–04 are foundational invariants enforced organization-wide via Org Policy and per-resource attributes: lock Cloud Storage against public access at three layers, force CMEK on every bucket / disk / Cloud SQL instance, and pair Cloud SQL with Private IP + require SSL so the storage layer is unreachable from the public internet. Control 05 hardens the IAM surface that gates the cryptographic chain. Control 06 closes the rotation loop on key material. Control 07 brings Sensitive Data Protection to bear on data already at rest (and references Dataplex Universal Catalog policy tags for BigQuery column-level security). 
Control 08 closes the immutability loop with Cloud Storage Bucket Lock, the GCP analog of S3 Object Lock Compliance mode and Azure Immutable Blob Storage locked mode. The VPC Service Controls identity-plane perimeter is owned by the GCP IAM page and cross-referenced from this page where relevant; do not re-author it here. gcp-data-01-bucket-pap ! CRITICAL PREVENTIVE Every Cloud Storage bucket in the organization has public-access prevention enforced via three independent toggles, and missing any one re-opens the leak surface. (a) Organization Policy constraints/storage.publicAccessPrevention is applied at organization or folder scope with enforce: TRUE — a tenant-wide invariant that survives project creation. (b) Each bucket carries public_access_prevention = \"enforced\" at the resource level. (c) Each bucket carries uniform_bucket_level_access = true so the legacy per-object ACL surface is disabled entirely (anonymous ACLs cannot be set even if a principal has storage.objects.setIamPolicy). CIS GCP v4.0.0 §5.1 and §5.2 codify the requirement (Google Cloud — Public access prevention documentation (accessed 2026-05)). CRITICAL because this is the canonical \"object storage open to the internet\" misconfiguration; the failure mode (a bucket inadvertently set to allUsers:objectViewer or with anonymous-readable objects) is single-step exploitable by any unauthenticated principal and is the most-cited data-leak story for the entire public-cloud era. MITIGATES: Anonymous internet read of regulated data through (i) a bucket-level IAM grant to allUsers / allAuthenticatedUsers, (ii) a per-object legacy ACL with public-read on an otherwise-private bucket, or (iii) a new bucket created without public-access prevention in a project whose admin did not know the org-policy default. ATTACK VECTOR: A workload team needs to share a single CSV with an external partner. 
The fastest path is to set the bucket's IAM policy to grant roles/storage.objectViewer to allUsers for five minutes — the team will revert it after the partner downloads. The bucket also has anonymous-readable legacy ACLs left over from a 2019 import, but the team does not know that because uniform-bucket-level-access was never enabled. A scanner indexing GCS for open buckets locates the bucket within minutes of the grant. The grant is never reverted. Months later, a compliance audit finds the bucket public — and the per-object legacy ACLs that were never visible to the bucket-level IAM model are still serving the original 2019 import to anonymous readers. BLAST RADIUS: With the org-policy constraint and uniform-bucket-level-access set across the org: zero — public grants are rejected at admission. Without: every object in every bucket where any of the three toggles is missing, for as long as the misconfiguration persists. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enforce public-access prevention at organization scope. cat > pap-org.yaml <<'YAML' name: organizations/ORG_ID/policies/storage.publicAccessPrevention spec: rules: - enforce: true YAML gcloud org-policies set-policy pap-org.yaml --organization=ORG_ID # Step 2: enforce uniform bucket-level access at organization scope. cat > ubla-org.yaml <<'YAML' name: organizations/ORG_ID/policies/storage.uniformBucketLevelAccess spec: rules: - enforce: true YAML gcloud org-policies set-policy ubla-org.yaml --organization=ORG_ID # Step 3: create a hardened bucket with both toggles at creation time. gcloud storage buckets create gs://app-prod-regulated-euw1 \\ --project=svc-app-prod \\ --location=europe-west1 \\ --uniform-bucket-level-access \\ --public-access-prevention \\ --default-storage-class=STANDARD # Step 4: remediate an existing bucket created before the org policy landed. 
gcloud storage buckets update gs://legacy-bucket \\ --uniform-bucket-level-access \\ --public-access-prevention # Step 5: audit the org for non-compliant buckets (PAP disabled or inherited). for project in $(gcloud projects list --format='value(projectId)'); do gcloud storage buckets list --project=\"$project\" \\ --format=\"value(name,iamConfiguration.publicAccessPrevention,iamConfiguration.uniformBucketLevelAccess.enabled)\" \\ 2>/dev/null done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_org_policy_policy\" \"pap_org\" { name = \"organizations/${var.org_id}/policies/storage.publicAccessPrevention\" parent = \"organizations/${var.org_id}\" spec { rules { enforce = \"TRUE\" } } } resource \"google_org_policy_policy\" \"ubla_org\" { name = \"organizations/${var.org_id}/policies/storage.uniformBucketLevelAccess\" parent = \"organizations/${var.org_id}\" spec { rules { enforce = \"TRUE\" } } } # Hardened bucket — all three toggles closed at creation time. resource \"google_storage_bucket\" \"app_prod_regulated\" { project = var.svc_project_id name = \"app-prod-regulated-euw1\" location = \"EUROPE-WEST1\" storage_class = \"STANDARD\" uniform_bucket_level_access = true public_access_prevention = \"enforced\" # CMEK encryption block — paired with gcp-data-02 below. 
encryption { default_kms_key_name = google_kms_crypto_key.bucket.id } versioning { enabled = true } lifecycle { prevent_destroy = true } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: hardened-bucket namespace: config-control annotations: cnrm.cloud.google.com/project-id: PROJECT_ID spec: location: us-central1 uniformBucketLevelAccess: true publicAccessPrevention: enforced versioning: enabled: true</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Bucket with public-access prevention enforced and uniform bucket-level access. const hardenedBucket = new gcp.storage.Bucket(\"hardened-bucket\", { name: \"hardened-bucket\", location: \"US-CENTRAL1\", uniformBucketLevelAccess: true, publicAccessPrevention: \"enforced\", versioning: { enabled: true }, forceDestroy: false, });</code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: 5.1; 5.2 | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: AC-3; AC-6; SC-7 | ISO/IEC 27001:2022: A.5.10; A.8.3 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals Cloud Audit Logs on storage.googleapis.com for storage.setIamPermissions adding allUsers or allAuthenticatedUsers to a bucket's IAM policy. Bucket-level buckets.update patches where iamConfiguration.publicAccessPrevention transitions from enforced to inherited. Object ACL legacy mutations: storage.objects.update setting predefinedAcl to publicRead on individual objects bypassing the bucket-level guard.
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"storage.googleapis.com\" AND ((protoPayload.methodName=\"storage.setIamPermissions\" AND protoPayload.serviceData.policyDelta.bindingDeltas.member=~\"allUsers|allAuthenticatedUsers\") OR (protoPayload.methodName=\"storage.buckets.update\" AND protoPayload.request.iamConfiguration.publicAccessPrevention=\"inherited\"))</code> Pin this Cloud Logging filter at organisation scope; pair with the Cloud Asset Inventory bucket inventory query (storage.googleapis.com/Bucket with iamPolicy snapshot) so the steady-state public-bucket count is visible alongside change events. Alert threshold Page on any binding that adds allUsers/allAuthenticatedUsers to a bucket; the steady-state count of public buckets is zero outside the documented static-website allow-list. Page on any bucket flipping publicAccessPrevention away from enforced. Initial response Remove the offending binding via gcloud storage buckets remove-iam-policy-binding and re-assert publicAccessPrevention=enforced. Pull the bucket's HTTP access logs (Cloud Storage usage logs) and Cloud Logging data-access logs for the exposure window; enumerate every object read by a non-authenticated requestor and treat them as exposed. If sensitive data was reachable, follow the breach-notification runbook in general/ir.html; rotate any signed-URL keys whose corresponding objects were in the exposed set. References Google Cloud — Public Access Prevention for Cloud Storage (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-data-02-cmek ! 
HIGH PREVENTIVE Regulated Cloud Storage buckets reference a customer-managed encryption key (CMEK) hosted in Cloud KMS via encryption.default_kms_key_name, and the organization-level constraint constraints/gcp.restrictNonCmekServices enumerates the services for which non-CMEK creation is forbidden (Cloud Storage, Compute Engine disks, Cloud SQL, BigQuery, Pub/Sub, Dataflow, Composer for the most-common regulated set). Google-managed (default) encryption remains acceptable for non-regulated data but is deprecated for any workload that needs to demonstrate cryptographic-erase, key-revocation, or per-tenant-key-separation properties (Google Cloud — Customer-managed encryption keys on Cloud Storage (accessed 2026-05)). The principle is reinforced in General Data — key management. Anti-conflation: Cloud Storage encryption is always on at the platform level with Google-managed keys; CMEK is the upgrade that puts the organization's Cloud KMS key on the cryptographic-erase path (revoke or schedule destruction of the key version → Cloud Storage reads start failing with HTTP 400 KMS key not found, even though Google still operates the storage hardware). HIGH PREVENTIVE because CMEK reduces the trust boundary from \"Google's key management\" to \"the organization's Cloud KMS posture\" — which is only an improvement if the controls in gcp-data-05 and gcp-data-06 hold. MITIGATES: Plaintext recovery of bucket contents through (i) a Google operator with platform-level data-plane access executing a lawful-process request, (ii) a regulatory finding that requires cryptographic erasure on demand, (iii) backup-tape forensics in scenarios where ciphertext recovery is feasible but the key is not. ATTACK VECTOR: A contractual breach or regulatory finding requires the organization to demonstrate it can render specific historic data permanently unreadable. With platform-managed keys, the only path is to delete the data and rely on Google's erasure SLAs. 
With CMEK and the key in a Cloud KMS key ring the organization controls, the organization schedules the key version for destruction, the destruction window elapses (24 hours minimum by default), and the bucket's reads start failing with KMS key not found — forensic recovery of the ciphertext yields nothing because the key is gone. BLAST RADIUS: Per bucket: every object encrypted with the configured CMEK. Across the org: every bucket without default_kms_key_name remains on Google-managed keys (acceptable for non-regulated data; gap for regulated). Coupled with gcp-data-05 KMS IAM and gcp-data-06 rotation, the chain is complete. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enforce CMEK at org scope for the regulated service list (services on the deny list cannot create non-CMEK resources). cat > cmek-restrict.yaml <<'YAML' name: organizations/ORG_ID/policies/gcp.restrictNonCmekServices spec: rules: - values: deniedValues: - storage.googleapis.com - compute.googleapis.com - sqladmin.googleapis.com - bigquery.googleapis.com YAML gcloud org-policies set-policy cmek-restrict.yaml --organization=ORG_ID # Step 2: create a Cloud KMS key ring + crypto key in the workload region. gcloud kms keyrings create kr-app-prod-euw1 \\ --project=sec-keys-prod \\ --location=europe-west1 gcloud kms keys create k-bucket-app-prod \\ --project=sec-keys-prod \\ --location=europe-west1 \\ --keyring=kr-app-prod-euw1 \\ --purpose=encryption \\ --rotation-period=90d \\ --next-rotation-time=$(date -u -d '+7 days' +%Y-%m-%dT%H:%M:%SZ) # Step 3: grant the bucket service-agent permission to use the key.
PROJECT_NUMBER=$(gcloud projects describe svc-app-prod --format='value(projectNumber)') gcloud kms keys add-iam-policy-binding k-bucket-app-prod \\ --project=sec-keys-prod \\ --location=europe-west1 \\ --keyring=kr-app-prod-euw1 \\ --member=serviceAccount:service-${PROJECT_NUMBER}@gs-project-accounts.iam.gserviceaccount.com \\ --role=roles/cloudkms.cryptoKeyEncrypterDecrypter # Step 4: attach the CMEK key to the bucket. gcloud storage buckets update gs://app-prod-regulated-euw1 \\ --default-encryption-key=projects/sec-keys-prod/locations/europe-west1/keyRings/kr-app-prod-euw1/cryptoKeys/k-bucket-app-prod</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_kms_key_ring\" \"app_prod_euw1\" { project = var.keys_project_id name = \"kr-app-prod-euw1\" location = \"europe-west1\" } resource \"google_kms_crypto_key\" \"bucket\" { name = \"k-bucket-app-prod\" key_ring = google_kms_key_ring.app_prod_euw1.id purpose = \"ENCRYPT_DECRYPT\" rotation_period = \"7776000s\" # 90 days; gcp-data-06 version_template { algorithm = \"GOOGLE_SYMMETRIC_ENCRYPTION\" protection_level = \"HSM\" } lifecycle { prevent_destroy = true } } data \"google_project\" \"svc_app\" { project_id = var.svc_project_id } resource \"google_kms_crypto_key_iam_member\" \"bucket_sa_encrypter\" { crypto_key_id = google_kms_crypto_key.bucket.id role = \"roles/cloudkms.cryptoKeyEncrypterDecrypter\" member = \"serviceAccount:service-${data.google_project.svc_app.number}@gs-project-accounts.iam.gserviceaccount.com\" } resource \"google_org_policy_policy\" \"restrict_non_cmek\" { name = \"organizations/${var.org_id}/policies/gcp.restrictNonCmekServices\" parent = \"organizations/${var.org_id}\" spec { rules { values { denied_values = [ \"storage.googleapis.com\", \"compute.googleapis.com\", \"sqladmin.googleapis.com\", \"bigquery.googleapis.com\", ] } } } }</code> Remediation — Config Connector <code
class=\"language-yaml\">apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: cmek-encrypted-bucket namespace: config-control spec: location: us-central1 uniformBucketLevelAccess: true encryption: defaultKmsKeyRef: external: \"projects/PROJECT_ID/locations/us-central1/keyRings/data-kr/cryptoKeys/data-key\"</code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: 1.x (verify) | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-13; SC-28 | ISO/IEC 27001:2022: A.8.24; A.5.34 | ISO/IEC 27017:2015: n/a Log signals Cloud Audit Logs on storage.googleapis.com for storage.buckets.update where encryption.defaultKmsKeyName is cleared — bucket reverts to Google-managed encryption. Object-level storage.objects.rewrite calls that re-write existing objects without specifying the bucket's CMEK — surfaces silent un-encryption migrations. KMS IAM mutations removing roles/cloudkms.cryptoKeyEncrypterDecrypter from the Cloud Storage service identity — breaks new-object writes silently. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND ((protoPayload.serviceName=\"storage.googleapis.com\" AND protoPayload.methodName=\"storage.buckets.update\" AND protoPayload.request.encryption.defaultKmsKeyName=\"\") OR (protoPayload.serviceName=\"cloudkms.googleapis.com\" AND protoPayload.methodName=\"SetIamPolicy\" AND resource.type=\"cloudkms_cryptokey\"))</code> Run this Cloud Logging filter at project scope; pair with a Cloud Asset Inventory feed on storage.googleapis.com/Bucket so the steady-state CMEK assignment per bucket is visible as a snapshot alongside change events. Alert threshold Page on any bucket update clearing defaultKmsKeyName on a bucket previously tagged as CMEK-required. Page on KMS IAM mutations affecting the Storage service identity binding for any active CMEK key.
Initial response Restore the CMEK binding on the bucket via gcloud storage buckets update --default-encryption-key; for objects written during the gap, force a re-write with the CMEK explicit via the legacy gsutil rewrite -k command (gsutil is legacy; gcloud storage cp is the current default). Re-bind roles/cloudkms.cryptoKeyEncrypterDecrypter on the KMS key for the Storage service identity; verify the next object write succeeds. Pin bucket CMEK + KMS IAM in Terraform; add a Cloud Asset Inventory feed alerting on any bucket whose encryption.defaultKmsKeyName drifts from the source-of-truth map. References Google Cloud — Customer-managed encryption keys for Cloud Storage (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-data-03-cmek-disks ! HIGH PREVENTIVE All Compute Engine Persistent Disks — both boot and additional data disks — are encrypted with CMEK via Cloud KMS, and the organization-level constraint constraints/gcp.restrictNonCmekServices (see gcp-data-02) includes compute.googleapis.com so new disks created without a CMEK reference are rejected. For high-sensitivity workloads, use an HSM-backed key (protection_level = \"HSM\") so the key material is held in a Cloud HSM cluster that is FIPS 140-2 Level 3 validated and from which the private key cannot be exported in cleartext (Google Cloud — Customer-managed encryption keys on Compute Engine disks (accessed 2026-05)). The principle is reinforced in General Data — encryption at rest. Disk snapshots inherit the CMEK reference of the source disk; cross-region snapshot replication therefore requires a CMEK in the destination region (snapshot replication is not key-material replication — the snapshot ciphertext is re-encrypted with a key in the destination region). 
MITIGATES: Plaintext recovery of disk contents through (i) a Google operator with platform-level access executing a lawful-process request, (ii) snapshot exfiltration by a project-level principal who lacks the KMS cryptoKeyEncrypterDecrypter role on the CMEK, (iii) cross-tenant boundary failure on the underlying storage substrate (a theoretical class of incident Google has not yet had publicly but for which CMEK is the documented mitigation). ATTACK VECTOR: A compromised project-owner principal calls gcloud compute snapshots create against every disk in the project, then attempts to download the snapshot ciphertext via the Compute Engine API. Without CMEK, the snapshot is encrypted with a Google-managed key and any principal with compute.snapshots.useReadOnly can attach the snapshot to a new disk and read it. With CMEK and the KMS IAM at gcp-data-05 properly bound (no cryptoKeyEncrypterDecrypter for the compromised principal), the snapshot decryption fails at attach time. BLAST RADIUS: Per disk: every byte of the disk and every snapshot derived from it. Across the org: every disk without CMEK remains decryptable with a Google-managed key — acceptable for non-regulated data; gap for regulated workloads where cryptographic-erase is required. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create a CMEK-encrypted boot disk by referencing the KMS key at create time. gcloud compute disks create disk-app-prod-boot \\ --project=svc-app-prod \\ --zone=europe-west1-b \\ --size=50GB \\ --type=pd-ssd \\ --image-family=debian-12 \\ --image-project=debian-cloud \\ --kms-key=projects/sec-keys-prod/locations/europe-west1/keyRings/kr-app-prod-euw1/cryptoKeys/k-disk-app-prod # Step 2: grant the Compute Engine service agent permission to use the key. 
PROJECT_NUMBER=$(gcloud projects describe svc-app-prod --format='value(projectNumber)') gcloud kms keys add-iam-policy-binding k-disk-app-prod \\ --project=sec-keys-prod \\ --location=europe-west1 \\ --keyring=kr-app-prod-euw1 \\ --member=serviceAccount:service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com \\ --role=roles/cloudkms.cryptoKeyEncrypterDecrypter # Step 3: audit existing disks for non-CMEK state. for project in $(gcloud projects list --format='value(projectId)'); do gcloud compute disks list --project=\"$project\" \\ --format=\"value(name,zone,diskEncryptionKey.kmsKeyName)\" 2>/dev/null \\ | awk -F'\\t' '$3==\"\" {print \"NON-CMEK:\", $0}' done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_kms_crypto_key\" \"disk\" { name = \"k-disk-app-prod\" key_ring = google_kms_key_ring.app_prod_euw1.id purpose = \"ENCRYPT_DECRYPT\" rotation_period = \"7776000s\" # 90 days version_template { algorithm = \"GOOGLE_SYMMETRIC_ENCRYPTION\" protection_level = \"HSM\" } } resource \"google_kms_crypto_key_iam_member\" \"disk_compute_agent\" { crypto_key_id = google_kms_crypto_key.disk.id role = \"roles/cloudkms.cryptoKeyEncrypterDecrypter\" member = \"serviceAccount:service-${data.google_project.svc_app.number}@compute-system.iam.gserviceaccount.com\" } resource \"google_compute_disk\" \"app_prod_boot\" { project = var.svc_project_id name = \"disk-app-prod-boot\" zone = \"europe-west1-b\" size = 50 type = \"pd-ssd\" image = \"debian-cloud/debian-12\" disk_encryption_key { kms_key_self_link = google_kms_crypto_key.disk.id } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeDisk metadata: name: cmek-encrypted-disk namespace: config-control spec: location: us-central1-a sizeGb: 100 type: pd-ssd diskEncryptionKey: kmsKeyRef: external: 
\"projects/PROJECT_ID/locations/us-central1/keyRings/compute-kr/cryptoKeys/compute-key\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a4.x (verify)n/a SC-28; SC-13A.8.24n/a Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.disks.insert or v1.compute.regionDisks.insert omitting the diskEncryptionKey.kmsKeyName field on production VPCs. Snapshot creates that derive from a non-CMEK source disk — produces a snapshot encrypted with Google-managed keys and inherits the gap. Constraint drift on constraints/gcp.restrictNonCmekServices — removal of compute.googleapis.com from the deny list weakens the perimeter. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND protoPayload.methodName=~\"v1.compute.(disks|regionDisks|snapshots).insert\" AND NOT protoPayload.request.diskEncryptionKey.kmsKeyName=~\".*\"</code> This Cloud Logging filter catches the gap at disk-create time; pair with a Cloud Asset Inventory query on compute.googleapis.com/Disk with field-mask diskEncryptionKey to surface every existing disk without a CMEK assignment. Alert threshold Page on any disk insert lacking a CMEK on production VPCs tagged for CMEK-only storage. Daily inventory cron: alert on any disk whose diskEncryptionKey is unset on a CMEK-tagged VPC. Initial response Migrate non-CMEK disks to CMEK-encrypted replacements via snapshot-then-restore with --kms-key set; detach the original disk and delete after data integrity is verified. Re-assert the gcp.restrictNonCmekServices constraint at the organisation node; re-run a Cloud Asset Inventory sweep to confirm steady-state coverage. 
Pin VM templates and disk-create patterns in Terraform with kms_key_self_link set; reject deploys that omit it via a CI policy check. References Google Cloud — Customer-managed encryption keys for persistent disks (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-data-04-cloudsql-cmek ! HIGH PREVENTIVE Every Cloud SQL instance (MySQL, PostgreSQL, SQL Server) is created with CMEK, Private IP only via Service Networking (no public IP, no Authorized Networks), SSL/TLS required for all client connections, and automated backups encrypted with the same CMEK as the primary instance. The canonical client connection model is the Cloud SQL Auth Proxy — which authenticates via the Cloud SQL Admin API, wraps the TCP connection in IAM-aware TLS, and removes the need to expose the database to public IP space at all. Authorized Networks (the legacy public-IP allowlist) is left empty for any new instance (Google Cloud — Configure SSL/TLS for Cloud SQL (accessed 2026-05)). HIGH PREVENTIVE because the failure mode (Cloud SQL on public IP with permissive Authorized Networks, or with SSL not required) is single-step exploitable: a leaked database password or a credential-stuffing run against an exposed Cloud SQL endpoint authenticates immediately if the network surface is reachable. MITIGATES: (i) Plaintext recovery of database files, automated backups, or point-in-time-recovery archives through provider-plane operator access or lawful process; (ii) database-protocol-level credential brute force against an internet-reachable Cloud SQL instance; (iii) network-layer interception of cleartext database traffic between client and server. ATTACK VECTOR: A migration runbook from on-prem to Cloud SQL leaves Authorized Networks set to 0.0.0.0/0 \"until the application stabilises\". A separate runbook leaves require_ssl = false \"until the client library is updated\". 
Within hours, scanners locate the Cloud SQL public endpoint and begin credential-stuffing against the default root / postgres user. One stuffed credential succeeds; the attacker reads the database over cleartext TCP because SSL is not required. BLAST RADIUS: Per instance: the entire database plus every automated backup and PITR archive. Across the org: every Cloud SQL instance with public IP, missing CMEK, or with require_ssl = false remains exposed until remediated. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: pre-create the Service Networking peering for Cloud SQL Private IP (one-time per VPC). gcloud compute addresses create cloudsql-psa-range \\ --project=svc-app-prod \\ --global \\ --purpose=VPC_PEERING \\ --prefix-length=16 \\ --network=vpc-app-prod gcloud services vpc-peerings connect \\ --service=servicenetworking.googleapis.com \\ --ranges=cloudsql-psa-range \\ --network=vpc-app-prod \\ --project=svc-app-prod # Step 2: create a CMEK-encrypted, Private-IP-only, SSL-required Cloud SQL instance. gcloud sql instances create sql-app-prod-euw1 \\ --project=svc-app-prod \\ --database-version=POSTGRES_15 \\ --region=europe-west1 \\ --tier=db-custom-2-7680 \\ --availability-type=REGIONAL \\ --no-assign-ip \\ --network=projects/svc-app-prod/global/networks/vpc-app-prod \\ --require-ssl \\ --backup-start-time=02:00 \\ --enable-point-in-time-recovery \\ --disk-encryption-key=projects/sec-keys-prod/locations/europe-west1/keyRings/kr-app-prod-euw1/cryptoKeys/k-sql-app-prod \\ --database-flags=cloudsql.iam_authentication=on,log_connections=on,log_disconnections=on # Step 3: connect via Cloud SQL Auth Proxy (canonical client connection model). 
./cloud-sql-proxy --auto-iam-authn svc-app-prod:europe-west1:sql-app-prod-euw1 & psql \"host=127.0.0.1 port=5432 user=app-sa@svc-app-prod.iam dbname=app sslmode=disable\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_kms_crypto_key\" \"sql\" { name = \"k-sql-app-prod\" key_ring = google_kms_key_ring.app_prod_euw1.id purpose = \"ENCRYPT_DECRYPT\" rotation_period = \"7776000s\" # 90 days version_template { algorithm = \"GOOGLE_SYMMETRIC_ENCRYPTION\" protection_level = \"HSM\" } } resource \"google_kms_crypto_key_iam_member\" \"sql_service_agent\" { crypto_key_id = google_kms_crypto_key.sql.id role = \"roles/cloudkms.cryptoKeyEncrypterDecrypter\" member = \"serviceAccount:service-${data.google_project.svc_app.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com\" } resource \"google_sql_database_instance\" \"app_prod\" { project = var.svc_project_id name = \"sql-app-prod-euw1\" database_version = \"POSTGRES_15\" region = \"europe-west1\" encryption_key_name = google_kms_crypto_key.sql.id deletion_protection = true settings { tier = \"db-custom-2-7680\" availability_type = \"REGIONAL\" disk_autoresize = true ip_configuration { ipv4_enabled = false private_network = google_compute_network.vpc_app_prod.id require_ssl = true # Authorized Networks intentionally empty — Private IP only. 
} backup_configuration { enabled = true start_time = \"02:00\" point_in_time_recovery_enabled = true transaction_log_retention_days = 7 } database_flags { name = \"cloudsql.iam_authentication\" value = \"on\" } database_flags { name = \"log_connections\" value = \"on\" } } depends_on = [google_kms_crypto_key_iam_member.sql_service_agent] }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: sql.cnrm.cloud.google.com/v1beta1 kind: SQLInstance metadata: name: cmek-postgres namespace: config-control spec: region: us-central1 databaseVersion: POSTGRES_15 encryptionKMSCryptoKeyRef: external: \"projects/PROJECT_ID/locations/us-central1/keyRings/sql-kr/cryptoKeys/sql-key\" settings: tier: db-custom-2-7680 ipConfiguration: ipv4Enabled: false privateNetworkRef: external: \"projects/PROJECT_ID/global/networks/sql-vpc\"</code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: 6.x (verify) | CIS OCI Foundation v3.1.0: n/a | NIST SP 800-53 rev5: SC-28; SC-13; SC-8 | ISO/IEC 27001:2022: A.8.24 | ISO/IEC 27017:2015: n/a Log signals Cloud Audit Logs on sqladmin.googleapis.com for instances.patch where ipConfiguration.ipv4Enabled transitions to true on an instance previously private-only. Backup-config mutations where backupConfiguration.backupRetentionSettings.retainedBackups drops below the documented retention horizon. CMEK assignment changes: diskEncryptionConfiguration.kmsKeyName cleared on an instance previously CMEK-encrypted (requires instance recreation in practice — surfaces as restore from a non-CMEK source).
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"sqladmin.googleapis.com\" AND protoPayload.methodName=~\".*instances.(patch|update|create)\" AND (protoPayload.request.settings.ipConfiguration.ipv4Enabled=true OR protoPayload.request.settings.backupConfiguration.enabled=false)</code> Run this Cloud Logging filter at project scope; pair with a Cloud Asset Inventory feed on sqladmin.googleapis.com/Instance so steady-state public-IP and backup posture surface in a single dashboard pane. Alert threshold Page on any Cloud SQL instance acquiring a public IP after the documented private-only baseline. Page on backup-disable or retention-shrink on production instances; backup posture is a recovery prerequisite. Initial response Remove the public IP via gcloud sql instances patch --no-assign-ip; restore backupConfiguration from the captured baseline; verify the next backup window completes. Audit Cloud SQL connection logs (Cloud Logging resource.type=\"cloudsql_database\") for connections from non-corporate ranges during the public-IP window; rotate the instance's database credentials. Re-assert Private Service Connect or VPC-peered private-IP path; pin instance config in Terraform with ip_configuration.ipv4_enabled=false and gate console edits via change-management. 
References Google Cloud — Cloud SQL private services access (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AW"},{"id":"gcp/genai.html","url":"gcp/genai.html","title":"GCP Vertex AI GenAI Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP GenAI","description":"GCP Vertex AI GenAI hardening: service account scoping, VPC Service Controls, Gemini safety filters, CMEK, Data Access audit logs, data residency, RAG grounding auth, Model Garden access control.","body":"GCP Vertex AI Hardening Overview This page covers the Vertex AI managed model API — Gemini models served via aiplatform.googleapis.com, the RAG Engine (grounding/retrieval), and Model Garden curated model catalogue. Not in scope: Vertex AI training pipelines, AutoML, or custom container training jobs; those surfaces carry their own IAM and build-pipeline controls addressed in compute and CI/CD hardening guides. For the underlying threat model and cross-cutting principles that apply to all managed LLM API services, see General GenAI Hardening. Key infrastructure prerequisites are covered on GCP sibling pages: gcp-iam-08 — VPC Service Controls perimeter setup (applied to aiplatform.googleapis.com in gcp-genai-02 below) and gcp-iam-02 — service account key avoidance (the key management foundation for gcp-genai-01). Controls are ordered severity-descending: one CRITICAL control (service account scoping) appears first, followed by four HIGH controls (VPC Service Controls, safety filters, audit logs, RAG source auth), then three MEDIUM controls (CMEK, data residency, Model Garden access). Equivalence links to AWS Bedrock, Azure OpenAI, and OCI Generative AI controls are HTML comments during authoring and will be made live in the Wave 4 seal (Phase 14 Plan 14-05). gcp-genai-01-service-account-scoping ! CRITICAL PREVENTIVE Create a dedicated, minimally-scoped service account for Vertex AI workloads. 
Do not use the default Compute Engine service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which typically holds roles/editor at the project level — a blast-radius equivalent to running as root. Grant only roles/aiplatform.user (or a custom role with exactly the Vertex AI permissions the workload requires) to the Vertex AI service account. For GKE-based workloads, use Workload Identity Federation to avoid long-lived downloadable SA key files entirely. See gcp-iam-02 — no SA keys for the key avoidance pattern. Unit 42 April 2026 research on Vertex AI Agent Engine identity risks found that over-privileged service accounts are the primary lateral-movement path from a compromised Vertex AI workload to full GCP project takeover. MITIGATES: LLM06:2025 excessive agency via over-permissioned identity; LLM08:2025 agentic workload tool misuse via over-scoped credential. ATTACK VECTOR: Default Compute Engine service account is compromised (via metadata server SSRF, token theft from application config, or leaked key file), granting project-wide roles/editor that allows pivoting to all GCP resources including Cloud Storage, BigQuery, Cloud SQL, and Secrets Manager. BLAST RADIUS: Complete GCP project compromise via the Vertex AI workload identity — all resources in the project are readable and writable by an attacker holding the default SA token. 
Remediation — gcloud CLI <code class=\"language-bash\"># gcloud — audit Vertex AI service accounts and their granted roles # Find service accounts named or tagged for Vertex AI usage gcloud iam service-accounts list \\ --filter=\"displayName:vertex\" \\ --format=\"value(email)\" # Audit all roles bound to a specific Vertex AI SA at the project level SA_EMAIL=\"vertex-ai-workload@${PROJECT_ID}.iam.gserviceaccount.com\" gcloud projects get-iam-policy \"${PROJECT_ID}\" \\ --flatten=\"bindings\" \\ --filter=\"bindings.members:${SA_EMAIL}\" \\ --format=\"table(bindings.role)\" # Flag any binding to roles/editor or roles/owner — these must be removed # Acceptable: roles/aiplatform.user or a custom role scoped to Vertex AI actions</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_service_account\" \"vertex_ai_workload\" { project = var.project_id account_id = \"vertex-ai-workload\" display_name = \"Vertex AI Workload SA — minimally scoped\" description = \"Dedicated SA for Vertex AI inference workloads. Granted roles/aiplatform.user only.\" } # Bind only roles/aiplatform.user — NOT roles/aiplatform.admin or roles/editor resource \"google_project_iam_member\" \"vertex_ai_user\" { project = var.project_id role = \"roles/aiplatform.user\" member = \"serviceAccount:${google_service_account.vertex_ai_workload.email}\" } # Do NOT grant roles/editor, roles/owner, or roles/aiplatform.admin. 
# For GKE workloads, use Workload Identity Federation instead of a key file.</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMServiceAccount metadata: name: vertex-inference-sa namespace: config-control spec: displayName: \"Vertex AI inference (scoped)\" description: \"Single-purpose SA for Vertex AI Online Prediction\"</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Single-purpose service account for Vertex AI inference. const vertexSa = new gcp.serviceaccount.Account(\"vertex-inference-sa\", { accountId: \"vertex-inference-sa\", displayName: \"Vertex AI inference (scoped)\", }); // Bind only the minimum Vertex AI runtime role. const vertexUserBinding = new gcp.projects.IAMMember(\"vertex-sa-user\", { project: projectId, role: \"roles/aiplatform.user\", member: vertexSa.email.apply(e => `serviceAccount:${e}`), });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; IA-4 A.5.15; A.5.18 n/a LLM06:2025; LLM08:2025 Information Security Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs on aiplatform.googleapis.com for SetIamPolicy on Vertex AI endpoints or models granting roles/aiplatform.user to broadly scoped principals (e.g. group:all-engineers@). Endpoint-binding events where a Vertex AI service account's IAM-policy is widened to include downstream services (Cloud Storage, BigQuery) the model should not reach. 
Cross-project impersonation: iamcredentials events generating tokens for a Vertex SA from a principal outside the documented MLOps allow-list. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"aiplatform.googleapis.com\" AND protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND (protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/aiplatform.user\" OR protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/aiplatform.admin\")</code> Pin this Cloud Logging filter to a Cloud Monitoring log-based metric grouped by endpoint name; pair with a Cloud Asset Inventory query enumerating Vertex AI endpoint resources to maintain a live access-graph map. Alert threshold Page on any new aiplatform.user/admin binding outside the documented MLOps consumer allow-list. Page on cross-project impersonation against a Vertex AI service account from a principal not on the documented impersonator list. Initial response Revoke the unauthorised binding via gcloud ai endpoints remove-iam-policy-binding; rotate any tokens issued under the cross-project impersonation path. Audit Vertex AI prediction request logs for the bound principal during the window; treat any prediction whose input contained sensitive data as candidate-leaked under the broadened role. Pin endpoint IAM in Terraform; gate edits through a CI workflow that checks against the documented consumer allow-list TSV. References Google Cloud — Vertex AI access control (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-genai-02-vpc-service-controls ! HIGH PREVENTIVE Add aiplatform.googleapis.com to a VPC Service Controls (VPC-SC) perimeter to prevent data exfiltration from Vertex AI across project boundaries. 
VPC-SC wraps the Vertex AI API so that requests originating from outside the defined perimeter — another GCP project, an external IP, or an identity not included in the access policy — are denied at the API gateway layer, before any inference occurs. This is the GCP equivalent of combining AWS VPC endpoints with Service Control Policies for Bedrock. See gcp-iam-08 — VPC Service Controls perimeter setup for the base perimeter configuration pattern; this control adds aiplatform.googleapis.com to the restricted services list. MITIGATES: LLM10:2025 data exfiltration through Vertex AI API by lateral movement across GCP project boundaries. ATTACK VECTOR: Compromised service account in a different GCP project (or exfiltrated token reused from outside the perimeter) makes inference requests against Vertex AI resources in the protected project, receiving model outputs that may contain sensitive data or triggering costly unbounded inference runs. BLAST RADIUS: Data exfiltration of model outputs and RAG retrieval results plus unbounded inference cost if the attacker's billing is routed to the victim project. 
Remediation — gcloud CLI <code class=\"language-bash\"># gcloud — create VPC Service Controls perimeter for Vertex AI # Prerequisite: an Access Context Manager access policy must already exist for the org gcloud access-context-manager perimeters create \"vertex-ai-perimeter\" \\ --title=\"Vertex AI Perimeter\" \\ --resources=\"projects/${PROJECT_NUMBER}\" \\ --restricted-services=aiplatform.googleapis.com \\ --policy=\"${ACCESS_POLICY_NAME}\" # Verify the perimeter was created and aiplatform.googleapis.com is listed gcloud access-context-manager perimeters describe \"vertex-ai-perimeter\" \\ --policy=\"${ACCESS_POLICY_NAME}\" \\ --format=\"json(status.restrictedServices)\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_access_context_manager_access_policy\" \"org_policy\" { parent = \"organizations/${var.org_id}\" title = \"Vertex AI org access policy\" } resource \"google_access_context_manager_service_perimeter\" \"vertex_ai\" { parent = \"accessPolicies/${google_access_context_manager_access_policy.org_policy.name}\" name = \"accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/vertexAiPerimeter\" title = \"Vertex AI VPC-SC Perimeter\" status { restricted_services = [\"aiplatform.googleapis.com\"] resources = [\"projects/${var.project_number}\"] } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1 kind: AccessContextManagerServicePerimeter metadata: name: vertex-ai-perimeter namespace: config-control spec: parent: \"accessPolicies/POLICY_ID\" title: \"Vertex AI perimeter\" status: resources: - \"projects/PROJECT_NUMBER\" restrictedServices: - \"aiplatform.googleapis.com\" - \"storage.googleapis.com\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 
27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SC-7; AC-4 A.8.20; A.8.22 CLD.13.1.4 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs on accesscontextmanager.googleapis.com ServicePerimeter.patch where aiplatform.googleapis.com is removed from restrictedServices. Egress-policy rule additions admitting Vertex AI traffic to external projects: new egressPolicies with egressTo.identityType=ANY_IDENTITY and the Vertex service in operations.serviceName. VPC-SC violation drops: a sudden disappearance of Vertex AI denied-request entries after a perimeter edit is a higher-fidelity signal than the patch event alone. Query <code class=\"language-plaintext\">logName=~\"organizations/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"accesscontextmanager.googleapis.com\" AND protoPayload.methodName=~\".*ServicePerimeter.*\" AND (protoPayload.request.servicePerimeter.spec.restrictedServices=\"aiplatform.googleapis.com\" OR protoPayload.request.servicePerimeter.spec.egressPolicies.egressTo.operations.serviceName=\"aiplatform.googleapis.com\")</code> This Cloud Logging filter watches perimeter mutations; pair with a saved query for VPC_SC_DENIED entries with servicename=\"aiplatform.googleapis.com\" so the denial-rate timeseries surfaces silent perimeter erosion alongside the explicit patch events. Alert threshold Page on any perimeter patch that removes Vertex AI from restrictedServices or adds an egress-policy admitting external identities to Vertex AI operations. Page on VPC-SC Vertex-AI denial rate dropping below 10% of rolling baseline for more than 60 minutes. 
Initial response Restore the perimeter via gcloud access-context-manager perimeters update from the captured baseline; suspend any egress rule introduced in the gap window. Audit Vertex AI prediction request logs for cross-project or cross-org callers during the relaxation window; treat any successful prediction from outside the perimeter's allowed access levels as candidate data-exfil through model inference. Pin perimeter spec in Terraform; require dry-run mode for any production perimeter edit, and enforce a 48h dry-run hold before useExplicitDryRunSpec flips to false. References Google Cloud — Vertex AI with VPC Service Controls (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-genai-03-safety-filters ! HIGH PREVENTIVE Configure Gemini safety settings with BLOCK_MEDIUM_AND_ABOVE (or stricter) for all four harm categories: HARM_CATEGORY_HATE_SPEECH, HARM_CATEGORY_DANGEROUS_CONTENT, HARM_CATEGORY_HARASSMENT, and HARM_CATEGORY_SEXUALLY_EXPLICIT. Setting any category to BLOCK_NONE disables the safety filter entirely for that category — this is the BLOCK_NONE anti-pattern from general/genai.html#common-misconfigurations. Critical infrastructure note — no Terraform resource: Gemini safety settings are configured at inference-time via the API request body (safety_settings parameter in GenerateContentRequest). No Terraform resource exists for this configuration. The Google Cloud provider (hashicorp/google ~> 5.0) does not include a google_vertex_ai_safety_filter resource — that resource name does not exist in the provider registry (confirmed 2026-05-24). Configure safety settings in your application code using the Vertex AI SDK or REST API. The related google_model_armor_* resources cover the separate Model Armor service, not Gemini in-line safety filters. MITIGATES: LLM01:2025 jailbreak that elicits dangerous or harmful model outputs; LLM02:2025 harmful content disclosure via model completion. 
ATTACK VECTOR: Adversarial prompt crafted to bypass default safety thresholds, eliciting dangerous instructions, harassing content, or sexually explicit material from the Gemini model API. BLAST RADIUS: Regulatory exposure (EU AI Act GPAI safety requirements, DSA), reputational harm from publicly accessible product returning toxic outputs, and potential violation of Google Cloud Acceptable Use Policy resulting in service suspension. Remediation — Vertex AI Python SDK <code class=\"language-python\"># Vertex AI Python SDK — configure safety settings at inference time # Install: pip install google-cloud-aiplatform>=1.38.0 import vertexai from vertexai.generative_models import ( GenerativeModel, SafetySetting, HarmCategory, HarmBlockThreshold, ) vertexai.init(project=PROJECT_ID, location=REGION) safety_settings = [ SafetySetting( category=HarmCategory.HARM_CATEGORY_HATE_SPEECH, threshold=HarmBlockThreshold.BLOCK_MEDIUM_AND_ABOVE, ), SafetySetting( category=HarmCategory.HARM_CATEGORY_DANGEROUS_CONTENT, threshold=HarmBlockThreshold.BLOCK_MEDIUM_AND_ABOVE, ), SafetySetting( category=HarmCategory.HARM_CATEGORY_HARASSMENT, threshold=HarmBlockThreshold.BLOCK_MEDIUM_AND_ABOVE, ), SafetySetting( category=HarmCategory.HARM_CATEGORY_SEXUALLY_EXPLICIT, threshold=HarmBlockThreshold.BLOCK_MEDIUM_AND_ABOVE, ), ] model = GenerativeModel(\"gemini-2.0-flash\") response = model.generate_content( \"user prompt here\", safety_settings=safety_settings, )</code> Setting threshold=HarmBlockThreshold.BLOCK_NONE for any harm category disables safety filtering for that category entirely. This is equivalent to the BLOCK_NONE anti-pattern documented in general/genai.html#common-misconfigurations. Do not use BLOCK_NONE in production environments. Any deviation from BLOCK_MEDIUM_AND_ABOVE or stricter requires documented risk acceptance and an approved exception in your security register. 
Remediation — Infrastructure Manager Infrastructure Manager: Vertex AI safety filter configuration ships through model-level request parameters (safetySettings on each generateContent call) and via Model Garden tuning-time safety classifiers — Config Connector has no CRD for google_vertex_ai_endpoint as of 2026-Q2. Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Pair with application-layer enforcement of the four HARM_CATEGORY_* thresholds on every prediction call. Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-15 A.8.28 n/a LLM01:2025; LLM02:2025 Dangerous/Violent Content Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs on aiplatform.googleapis.com for prediction requests where protoPayload.request.safetySettings.threshold is set to BLOCK_NONE or BLOCK_ONLY_HIGH when baseline policy requires BLOCK_LOW_AND_ABOVE. Per-endpoint generationConfig defaults moving toward laxer safety thresholds on shared endpoints. Safety-flagged prediction rate drops: a sustained decrease in safetyRatings[].blocked=true entries while overall prediction volume is constant. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Fdata_access\" AND protoPayload.serviceName=\"aiplatform.googleapis.com\" AND protoPayload.methodName=~\".*Endpoint.predict\" AND protoPayload.request.safetySettings.threshold=\"BLOCK_NONE\"</code> Stream this Cloud Logging filter (data-access tier — DATA_READ audit must be enabled on Vertex AI) into a log-based metric grouped by endpoint; pair with a saved query computing the rolling blocked-ratio so threshold drift surfaces alongside per-request overrides. Alert threshold Page on any prediction request whose safety threshold is BLOCK_NONE outside the documented red-team endpoint allow-list. Surface (do not page) blocked-ratio drops below 50% of rolling baseline; confirm with the workload owner whether prompt distribution changed. Initial response Identify the calling principal via protoPayload.authenticationInfo.principalEmail; if the call is unsanctioned, revoke the principal's aiplatform.user binding immediately. Sample the prediction responses generated during the threshold-relaxed window; quarantine any output that exhibits unsafe content for downstream-system audit and customer-notification review. Pin baseline safety-threshold defaults in the Vertex AI API client wrapper used by application code; reject requests that downgrade thresholds via a Cloud Functions admission hook on the API path. References Google Cloud — Vertex AI safety filter configuration (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-genai-05-audit-logs-data-access ! HIGH DETECTIVE Enable Cloud Audit Logs Data Access logging for aiplatform.googleapis.com. Data Access audit logs for aiplatform.googleapis.com are disabled by default and must be explicitly enabled via IAM Audit Configuration at the project or organisation level. 
Without this configuration, Vertex AI API calls — model inferences, endpoint invocations, dataset operations, RAG corpus queries — are not captured in Cloud Audit Logs. This means there is zero visibility into who called which model, when, from which identity, and with what parameters. Both DATA_READ and DATA_WRITE log types should be enabled; DATA_READ covers inference calls (reading model outputs) and DATA_WRITE covers resource mutations (creating endpoints, updating datasets). Enabling Data Access audit logs incurs Cloud Logging ingestion costs proportional to Vertex AI API call volume. Configure log-based metrics or log exclusions to scope retention and manage cost. Route audit logs to Cloud Storage for long-term retention beyond the 30-day default Cloud Logging retention period to satisfy compliance frameworks that require 90-day or 1-year audit log retention. MITIGATES: LLM10:2025 undetected inference abuse — adversary or insider uses the Vertex AI API without leaving an audit trail. ATTACK VECTOR: Compromised service account or insider threat makes repeated inference requests or accesses sensitive RAG corpus documents with no audit log entry generated, because Data Access logs were never enabled. BLAST RADIUS: Zero forensic evidence for incident response; inability to demonstrate compliance with EU AI Act Art. 12 (logging obligations for high-risk AI), NIST AI 600-1 traceability requirements, and ISO 27001 A.8.15 logging controls during an audit. 
Remediation — gcloud CLI <code class=\"language-bash\"># gcloud — enable Data Access audit logs for aiplatform.googleapis.com # DATA ACCESS LOGS ARE DISABLED BY DEFAULT — this enablement is the hardening action # Step 1: Export current IAM policy to a local file gcloud projects get-iam-policy \"${PROJECT_ID}\" \\ --format=json > /tmp/policy.json # Step 2: Add the following auditLogConfigs block to policy.json under \"auditConfigs\": # { # \"service\": \"aiplatform.googleapis.com\", # \"auditLogConfigs\": [ # { \"logType\": \"DATA_READ\" }, # { \"logType\": \"DATA_WRITE\" } # ] # } # Step 3: Apply the updated policy gcloud projects set-iam-policy \"${PROJECT_ID}\" /tmp/policy.json # Verify the audit config was applied gcloud projects get-iam-policy \"${PROJECT_ID}\" \\ --format=\"json(auditConfigs)\" | \\ python3 -c \"import json,sys; configs=json.load(sys.stdin); \\ [print(c) for c in configs.get('auditConfigs',[]) if c.get('service')=='aiplatform.googleapis.com']\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_project_iam_audit_config\" \"vertex_ai_data_access\" { project = var.project_id service = \"aiplatform.googleapis.com\" audit_log_config { log_type = \"DATA_READ\" } audit_log_config { log_type = \"DATA_WRITE\" } } # Optional: route audit logs to Cloud Storage for long-term retention resource \"google_logging_project_sink\" \"vertex_ai_audit_sink\" { name = \"vertex-ai-audit-logs-sink\" project = var.project_id destination = \"storage.googleapis.com/${var.audit_log_bucket}\" filter = \"logName:\\\"projects/${var.project_id}/logs/cloudaudit.googleapis.com\\\" AND resource.type=\\\"audited_resource\\\" AND protoPayload.serviceName=\\\"aiplatform.googleapis.com\\\"\" unique_writer_identity = true }</code> Remediation — Infrastructure Manager Infrastructure Manager: Data Access audit log configuration is set at the IAM audit-config level — Config Connector has no CRD for 
google_project_iam_audit_config as of 2026-Q2 (it is a root-of-trust audit setting deliberately excluded from KCC). Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AU-2; AU-12; SI-4 A.8.15; A.8.16 CLD.12.4.5 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs SetIamPolicy events on the audit-log config removing aiplatform.googleapis.com from the DATA_READ logging scope. Project-level exempted-members additions for the Vertex AI service identity — silently suppresses caller-attribution on all prediction calls. Data-access log volume drops on aiplatform.googleapis.com against rolling baseline while prediction QPS metrics remain steady. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas.service=\"aiplatform.googleapis.com\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas.action=\"REMOVE\"</code> This Cloud Logging filter watches the audit-config delta plane; pair with a log-based metric counting Vertex AI DATA_READ entry rate so the volume-side regression surfaces independently of the SetIamPolicy event. Alert threshold Page on any audit-config removal of DATA_READ or DATA_WRITE for Vertex AI. 
Page on Vertex-AI data-access log volume dropping below 30% of rolling baseline for more than 60 minutes while prediction QPS is unchanged. Initial response Restore the audit-log config via gcloud projects set-iam-policy from the captured baseline JSON; verify the next prediction request surfaces in the DATA_READ stream. Audit prediction-attribution data during the gap window from any parallel telemetry (Cloud Run access logs, application-side logging) since the DATA_READ stream is incomplete. Pin audit-log config in Terraform with logType=DATA_READ for aiplatform.googleapis.com explicitly listed; the constraint is set-and-forget and removal warrants change-management. References Google Cloud — Vertex AI audit logging (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-genai-07-rag-grounding-source-auth ! HIGH PREVENTIVE Secure Vertex AI RAG Engine grounding sources by enforcing IAM scoping and provenance validation on every corpus. Three specific controls are required: (1) IAM corpus restriction — only the designated Vertex AI service account should hold roles/aiplatform.user on the corpus resource; binding allUsers or allAuthenticatedUsers to corpus-level IAM is forbidden; (2) per-source document metadata filtering — configure retrieval filters to prevent embedding lookups from returning documents outside the authorised scope for the calling identity; (3) source document provenance validation — validate that GCS buckets and BigQuery tables used as RAG sources are owned by the expected project and not writable by unauthenticated identities before ingestion. Each grounding corpus should use a dedicated, corpus-scoped Vertex AI service account with the minimum permissions needed for retrieval operations. MITIGATES: LLM01:2025 indirect prompt injection via poisoned RAG corpus document; LLM03:2025 training/corpus supply chain poisoning. 
ATTACK VECTOR: Attacker gains write access to a GCS bucket or BigQuery table used as a RAG grounding source (via over-permissioned IAM binding or compromised upstream pipeline) and injects documents containing malicious instructions. These documents are embedded and indexed into the RAG corpus. Subsequent inference requests retrieve the poisoned context, enabling system-prompt override, data exfiltration commands, or tool-call injection in agentic workloads. BLAST RADIUS: Every future RAG query that retrieves the poisoned embedding receives the injected context — a persistent, difficult-to-detect compromise that affects all users of the application until the corpus is re-ingested from a clean source. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud — enumerate Vertex AI endpoints and audit corpus IAM bindings # List all Vertex AI endpoints in the region gcloud ai index-endpoints list \\ --region=\"${REGION}\" \\ --format=\"table(name, displayName, publicEndpointDomainName)\" # Audit all Vertex AI IAM bindings at the project level gcloud projects get-iam-policy \"${PROJECT_ID}\" \\ --flatten=\"bindings\" \\ --filter=\"bindings.role:roles/aiplatform\" \\ --format=\"table(bindings.role, bindings.members)\" # Check GCS source bucket IAM — ensure no allUsers or allAuthenticatedUsers bindings gsutil iam get \"gs://${RAG_SOURCE_BUCKET}\" | \\ python3 -c \"import json,sys; policy=json.load(sys.stdin); \\ [print('WARNING: public binding found:', b) for b in policy.get('bindings',[]) \\ if 'allUsers' in b.get('members',[]) or 'allAuthenticatedUsers' in b.get('members',[])]\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_service_account\" \"rag_corpus_sa\" { project = var.project_id account_id = \"vertex-rag-corpus\" display_name = \"Vertex AI RAG Corpus SA — corpus-scoped access only\" } # Grant corpus SA access to Vertex AI for retrieval operations resource \"google_project_iam_member\" 
\"rag_corpus_vertex_user\" { project = var.project_id role = \"roles/aiplatform.user\" member = \"serviceAccount:${google_service_account.rag_corpus_sa.email}\" } # Restrict GCS source bucket to corpus SA only — no allUsers, no allAuthenticatedUsers resource \"google_storage_bucket_iam_member\" \"rag_source_bucket_access\" { bucket = var.rag_source_bucket role = \"roles/storage.objectViewer\" member = \"serviceAccount:${google_service_account.rag_corpus_sa.email}\" } # Vertex AI index and endpoint for the RAG corpus resource \"google_vertex_ai_index\" \"rag_corpus_index\" { project = var.project_id region = var.region display_name = \"rag-corpus-index\" description = \"RAG grounding corpus index — corpus-scoped SA access only\" metadata { contents_delta_uri = \"gs://${var.rag_source_bucket}/embeddings/\" config { dimensions = 768 approximate_neighbors_count = 150 } } } resource \"google_vertex_ai_index_endpoint\" \"rag_endpoint\" { project = var.project_id region = var.region display_name = \"rag-corpus-endpoint\" network = var.vpc_network }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: rag-bucket-reader namespace: config-control spec: resourceRef: apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket name: rag-grounding-corpus role: roles/storage.objectViewer member: \"serviceAccount:vertex-inference-sa@PROJECT_ID.iam.gserviceaccount.com\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-10; AC-3; AC-4 A.8.28; A.5.15 CLD.6.3.1 LLM01:2025; LLM03:2025 Information Integrity 
Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs on discoveryengine.googleapis.com for DataStore.delete or IAM mutations on the RAG data-store grounding source. Vertex AI Agent Builder Engine.update events changing the grounding-source path to an unauthenticated source (public URL list). Cloud Storage source-bucket IAM mutations adding roles/storage.objectViewer for allUsers on the bucket backing the RAG corpus. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND ((protoPayload.serviceName=\"discoveryengine.googleapis.com\" AND protoPayload.methodName=~\".*DataStore.(delete|setIamPolicy)\") OR (protoPayload.serviceName=\"storage.googleapis.com\" AND protoPayload.methodName=\"storage.setIamPermissions\" AND protoPayload.resourceName=~\".*rag-corpus.*\" AND protoPayload.serviceData.policyDelta.bindingDeltas.member=\"allUsers\"))</code> This Cloud Logging filter joins two surfaces — the Agent Builder data-store plane and the Cloud Storage bucket plane — so source-authenticity drift surfaces regardless of which path the attacker chose. Alert threshold Page on any DataStore delete or IAM mutation widening read access on the RAG grounding source. Page on any Engine config update changing the grounding source to a non-authenticated path. Initial response Restore the DataStore and source-bucket IAM from the captured Terraform state; re-index the corpus from the authenticated source. Audit Agent Builder grounding-request logs during the gap window; flag any agent response that cited the contaminated source for re-grounding and human review. Pin DataStore IAM + Engine grounding-source config in Terraform; reject deploys where the grounding source is a non-private URL via a CI policy check. References Google Cloud — Vertex AI grounding overview (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-genai-04-cmek ! 
MEDIUM PREVENTIVE Configure Customer-Managed Encryption Keys (CMEK) via Cloud KMS for Vertex AI model artifacts, training datasets, and tuned model storage on Vertex AI Endpoints. CMEK enables full encryption key lifecycle control: key rotation on schedule, immediate revocation (by disabling or destroying the key version), and enforcement that all data at rest is encrypted under a key managed in your own Cloud KMS key ring rather than a Google-managed key. CMEK is configured via encryption_spec.kms_key_name on Vertex AI endpoint and dataset resources. Note that not all Vertex AI resource types support CMEK in all regions — verify support for your specific resource types and regions at configuration time in the Vertex AI CMEK documentation. MITIGATES: Data-at-rest exposure in the event of a Google-managed key compromise or insider threat at the cloud provider infrastructure layer accessing stored model artifacts or training data without customer authorisation. ATTACK VECTOR: Insider threat at the Google Cloud infrastructure layer accesses stored Vertex AI model weights, fine-tuned model artifacts, or training datasets encrypted under a Google-managed key. With CMEK, the attacker would also require access to the customer's Cloud KMS key, which is a separate security boundary. BLAST RADIUS: Model weights, training data, and fine-tuning artifacts stored at rest on Vertex AI managed storage. 
Remediation — gcloud CLI <code class=\"language-bash\"># gcloud — check CMEK configuration on existing Vertex AI endpoints gcloud ai endpoints list \\ --region=\"${REGION}\" \\ --format=\"json(name, displayName, encryptionSpec)\" # Create a new endpoint with CMEK gcloud ai endpoints create \\ --region=\"${REGION}\" \\ --display-name=\"cmek-protected-endpoint\" \\ --kms-key-name=\"projects/${PROJECT_ID}/locations/${REGION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_kms_key_ring\" \"vertex_ai_keyring\" { project = var.project_id name = \"vertex-ai-keyring\" location = var.region } resource \"google_kms_crypto_key\" \"vertex_ai_key\" { name = \"vertex-ai-cmek\" key_ring = google_kms_key_ring.vertex_ai_keyring.id rotation_period = \"7776000s\" # 90 days lifecycle { prevent_destroy = true } } # Grant Vertex AI service agent access to the KMS key resource \"google_kms_crypto_key_iam_member\" \"vertex_ai_kms_access\" { crypto_key_id = google_kms_crypto_key.vertex_ai_key.id role = \"roles/cloudkms.cryptoKeyEncrypterDecrypter\" member = \"serviceAccount:service-${var.project_number}@gcp-sa-aiplatform.iam.gserviceaccount.com\" } resource \"google_vertex_ai_endpoint\" \"cmek_endpoint\" { project = var.project_id region = var.region display_name = \"cmek-protected-endpoint\" encryption_spec { kms_key_name = google_kms_crypto_key.vertex_ai_key.id } depends_on = [google_kms_crypto_key_iam_member.vertex_ai_kms_access] }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: kms.cnrm.cloud.google.com/v1beta1 kind: KMSCryptoKey metadata: name: vertex-cmek namespace: config-control spec: keyRingRef: name: vertex-kr purpose: ENCRYPT_DECRYPT rotationPeriod: \"7776000s\" versionTemplate: algorithm: GOOGLE_SYMMETRIC_ENCRYPTION protectionLevel: SOFTWARE</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS 
GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SC-28; IA-5 A.8.24; A.8.10 n/a n/a Data Privacy Art. 55 (in force 2025-08-02) Log signals Cloud Audit Logs on aiplatform.googleapis.com for Dataset.update, Model.update, or Endpoint.update where encryptionSpec.kmsKeyName is cleared on resources tagged for CMEK-required workloads. Vertex AI training-pipeline creates omitting encryptionSpec when the project baseline requires CMEK on training artefacts. KMS key destroy events on the Vertex-AI-bound key — produces a hard read-failure on every existing CMEK-protected Vertex resource. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"aiplatform.googleapis.com\" AND protoPayload.methodName=~\".*(Dataset|Model|Endpoint|TrainingPipeline).(create|update)\" AND NOT protoPayload.request.encryptionSpec.kmsKeyName=~\".*\"</code> This Cloud Logging filter catches CMEK drift at resource-create time; pair with a Cloud Asset Inventory query computing the CMEK assignment for every Vertex AI resource type so steady-state coverage is visible. Alert threshold Page on any CMEK-required Vertex resource created or updated without encryptionSpec.kmsKeyName set. 
Page on KMS-key destroy for any key bound to active Vertex AI resources; the destroy is reversible within 24"},{"id":"gcp/iam.html","url":"gcp/iam.html","title":"GCP IAM Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP IAM","description":"GCP IAM hardening: org admin separation, no service account keys, mandatory MFA, Workload Identity Federation, default SA hardening, VPC Service Controls.","body":"GCP IAM Hardening Overview This page covers Google Cloud Platform Identity & Access Management hardening across the surfaces that determine whether an attacker who lands a credential can pivot to organisation-wide compromise or staged data exfiltration. GCP's IAM model differs from AWS's root-and-Organizations model in three material ways that shape the eight controls below: organisation policy constraints are the primary \"deny\" primitive (there is no equivalent to a Service Control Policy attached to identities, only constraints attached to resource hierarchy nodes); long-lived service-account keys are the dominant credential-compromise vector, which is why Workload Identity Federation replacing those keys is treated here as a load-bearing preventive control; and VPC Service Controls form a GCP-unique data-exfiltration perimeter around regulated services such as BigQuery and Cloud Storage. Scope is commercial GCP regions; the GCP Sovereign Cloud offerings inherit the same controls but require region-specific endpoints and have separate org-policy enforcement domains. 
The mental model: GCP IAM is the product of allow policies (role bindings attached to organisations, folders, projects, or individual resources), org policy constraints (boolean or list-based limits attached to the resource hierarchy that override any allow policy below them), Workload Identity Federation (the recommended replacement for service-account keys when calling GCP from outside GCP, including CI/CD), and VPC Service Controls (an L7 perimeter that restricts which networks can read or write regulated data services). The cross-cutting principles — least privilege, separation of duties, credential rotation, secrets management, MFA — are explained in the General IAM page; this page maps them to GCP primitives. Severity assignments follow the rubric documented in methodology, in particular the worked example EX-MFA-01 which derives a CRITICAL PREVENTIVE for the canonical phishing-resistant MFA case applied directly to control 03 below. The MFA and secrets-management discussions on General IAM — MFA and General IAM — secrets management are the conceptual backbone of controls 02, 03, and 04. Order matters in this list. Controls 01–03 are CRITICAL PREVENTIVE and address the highest-leverage residual risks in audited GCP organisations: an over-broad Organization Administrator role binding, the continued use of downloadable service-account keys, and incomplete enforcement of mandatory 2-Step Verification (Google's December-2024 rollout completing through 2025; re-verify status at the time of writing). Controls 04–07 are HIGH PREVENTIVE and progressively eliminate service-account keys via Workload Identity Federation, harden default service accounts whose automatic IAM grants are a well-known privilege-escalation surface, forbid Editor/Owner on service accounts, and lock the IAM membership domain to your Workspace / Cloud Identity customer ID so that an attacker who steals a privileged credential cannot grant access to an external account. 
Control 08 is HIGH PREVENTIVE and is GCP-unique: VPC Service Controls extend the IAM boundary into the network plane and stop data exfiltration even when an attacker holds otherwise-authorised IAM credentials. Reviewing the compliance-frameworks page first will clarify why each control row lists CIS, NIST 800-53 rev5, and ISO 27001/27017 cells in the same order across all four provider pages. gcp-iam-01-org-admin-separation ! CRITICAL PREVENTIVE The roles/resourcemanager.organizationAdmin role grants the ability to set IAM policy at the organisation node — the root of the GCP resource hierarchy — and must be bound only to a small, named break-glass group, never to individual day-to-day administrators and never to service accounts. Day-to-day administration should be performed through scoped roles at the folder or project level. Google's published IAM best practices treat this separation as foundational because Organization Administrator can grant itself any other role anywhere in the organisation, including the ability to disable audit logging at the org level (Google Cloud IAM best practices (accessed 2026-05)). MITIGATES: Full GCP organisation takeover via compromise of a single human identity that has been over-granted at the organisation node (the canonical \"developer with Organization Admin for convenience\" failure mode). ATTACK VECTOR: An engineer holding roles/resourcemanager.organizationAdmin bound directly to their personal Google account is phished; the attacker signs in, adds their own external Google account as another Organization Administrator, then revokes the original engineer's binding and disables organisation-level audit log sinks before staging data exfiltration. BLAST RADIUS: The entire GCP organisation: every folder, every project, every service. Organization Administrator can edit org-level audit log configuration and grant roles/owner on any project, so a single compromise pivots to total environmental control. 
Remediation — gcloud CLI <code class=\"language-bash\"># Audit: list every member currently bound to roles/resourcemanager.organizationAdmin # at the organisation node. ORG_ID=<your-org-id> gcloud organizations get-iam-policy \"$ORG_ID\" \\ --flatten='bindings[].members' \\ --filter='bindings.role=roles/resourcemanager.organizationAdmin' \\ --format='value(bindings.members)' # Replace direct user bindings with a single break-glass Google group. gcloud organizations remove-iam-policy-binding \"$ORG_ID\" \\ --member='user:departing.admin@example.com' \\ --role='roles/resourcemanager.organizationAdmin' gcloud organizations add-iam-policy-binding \"$ORG_ID\" \\ --member='group:gcp-breakglass-org-admins@example.com' \\ --role='roles/resourcemanager.organizationAdmin'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Organization Administrator is bound to a single named break-glass group. # Any drift (a user added directly to this role) is removed on the next apply. resource \"google_organization_iam_binding\" \"org_admin_breakglass_only\" { org_id = var.organization_id role = \"roles/resourcemanager.organizationAdmin\" members = [ \"group:gcp-breakglass-org-admins@${var.workspace_domain}\", ] }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPartialPolicy metadata: name: org-admin-breakglass-only namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" bindings: - role: roles/resourcemanager.organizationAdmin members: - member: group:gcp-breakglass-org-admins@example.com</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Bind Organization Administrator only to the break-glass group; drift is // removed on next pulumi up. Mirrors the Terraform google_organization_iam_binding. 
const orgAdminBreakglass = new gcp.organizations.IAMBinding(\"org-admin-breakglass-only\", { orgId: orgId, role: \"roles/resourcemanager.organizationAdmin\", members: [ \"group:gcp-breakglass-org-admins@example.com\", ], });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.51.1.1best-practices1.1 AC-5; AC-6(7)A.5.15; A.5.18CLD.6.3.1 Log signals Cloud Audit Logs cloudaudit.googleapis.com/activity entries with protoPayload.methodName = \"SetIamPolicy\" at the organisation, folder, or project resource scope. protoPayload deltas binding roles/resourcemanager.organizationAdmin, roles/owner, or roles/iam.securityAdmin to a fresh principal outside the documented break-glass group. Cloud Asset Inventory iamPolicy feed deltas tracking the standing-Organization-Admin membership over time. Query <code class=\"language-plaintext\">logName=\"organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.methodName=\"SetIamPolicy\" AND (protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/resourcemanager.organizationAdmin\" OR protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\" OR protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/iam.securityAdmin\") AND severity>=NOTICE</code> Run as a Cloud Logging filter expression against the aggregated organisation log sink. Pin a Log Router sink to BigQuery for retention beyond the default 400-day Activity window if a longer audit horizon is needed. Alert threshold Any SetIamPolicy binding the organisation-admin / owner / security-admin roles with severity >= NOTICE outside documented change windows — page on first occurrence. Starting point: tune per environment using Cloud Logging resource.type=\"organization\" baselines over a 30-day calibration window. 
Initial response Verify the binding against the documented change-management record and the principal who initiated the call (protoPayload.authenticationInfo.principalEmail); if no ticket exists, treat as confirmed compromise. Roll back via the Cloud Asset Inventory IAM Recommender: revoke the standing binding, surface least-privilege replacement role recommendations, and rotate any service-account keys the principal issued in the prior 24h. Escalate per general/ir.html — open an incident, export the relevant Cloud Audit Logs window to BigQuery for forensic analysis, and re-confirm Org Policy constraints (iam.allowedPolicyMemberDomains, iam.disableServiceAccountKeyCreation) still apply. References Google Cloud — IAM audit logging reference (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-iam-02-no-sa-keys ! CRITICAL PREVENTIVE Long-lived, downloadable service-account keys are the single highest-frequency credential-compromise vector in cloud breach post-mortems — JSON key files end up in public Git repositories, container layers, developer laptops, and CI environment variables, where they are harvested by automated scanners within minutes of exposure. Disable creation of new keys organisation-wide via the boolean constraint iam.disableServiceAccountKeyCreation attached at the organisation node, and rely on Workload Identity Federation (control 04) or attached service accounts for runtime credentials (Google Cloud organization policy constraint reference (accessed 2026-05)). CIS GCP Foundation v5.0.0 1.4 codifies this restriction; re-verify the sub-ID against the v4.0.0 PDF at the time of writing. MITIGATES: Persistent compromise of service-account credentials via leaked JSON key files in source control, container images, CI variables, or backup archives. 
ATTACK VECTOR: A developer commits a service-account.json file to a public GitHub repository \"for five minutes\" while debugging a deployment; an automated key-scanner harvests it within sixty seconds; the attacker authenticates non-interactively from arbitrary network locations and the key is valid indefinitely because GCP service-account keys do not expire by default. BLAST RADIUS: Whatever roles the compromised service account holds — frequently broad because the service account was originally created with roles/editor or a project-wide custom role; if the service account is impersonatable by other principals, the blast radius can pivot further via iam.serviceAccounts.getAccessToken. Remediation — gcloud CLI <code class=\"language-bash\"># Apply the boolean constraint at the organisation node so it inherits # across every folder and project. ORG_ID=<your-org-id> cat > disable-sa-key-creation.yaml <<'EOF' name: organizations/ORG_ID_PLACEHOLDER/policies/iam.disableServiceAccountKeyCreation spec: rules: - enforce: true EOF sed -i \"s/ORG_ID_PLACEHOLDER/${ORG_ID}/\" disable-sa-key-creation.yaml gcloud org-policies set-policy disable-sa-key-creation.yaml # Audit: list existing user-managed keys across all service accounts in a project. 
PROJECT=<your-project-id> gcloud iam service-accounts list --project=\"$PROJECT\" \\ --format='value(email)' \\ | while read sa; do gcloud iam service-accounts keys list \\ --iam-account=\"$sa\" \\ --managed-by=user \\ --format='value(name,validAfterTime)' done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_org_policy_policy\" \"disable_sa_key_creation\" { name = \"organizations/${var.organization_id}/policies/iam.disableServiceAccountKeyCreation\" parent = \"organizations/${var.organization_id}\" spec { rules { enforce = \"TRUE\" } } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: orgpolicy.cnrm.cloud.google.com/v1beta1 kind: OrgPolicyPolicy metadata: name: disable-sa-key-creation namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" spec: rules: - enforce: true name: \"organizations/ORG_ID/policies/iam.disableServiceAccountKeyCreation\"</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Boolean constraint applied at the organisation node; inherits across folders/projects. const disableSaKeyCreation = new gcp.orgpolicy.Policy(\"disable-sa-key-creation\", { name: `organizations/${orgId}/policies/iam.disableServiceAccountKeyCreation`, parent: `organizations/${orgId}`, spec: { rules: [{ enforce: \"TRUE\" }], }, });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.41.1.31.41.14 IA-5(1); IA-5(7)A.5.17; A.8.2CLD.6.3.1 Log signals Cloud Audit Logs entries on cloudaudit.googleapis.com/activity with protoPayload.methodName=\"google.iam.admin.v1.CreateServiceAccountKey\" — any successful call indicates a fresh user-managed JSON key has been issued. 
Org Policy drift events where iam.disableServiceAccountKeyCreation changes from enforce: true to enforce: false (orgpolicy.googleapis.com Policy.update). Cloud Asset Inventory snapshot diffs showing the count of iam.googleapis.com/ServiceAccountKey resources rising over a stable baseline — correlates with key-leak pivot. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND (protoPayload.methodName=\"google.iam.admin.v1.CreateServiceAccountKey\" OR protoPayload.methodName=\"google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy\") AND resource.type=(\"service_account\" OR \"organization\")</code> Aggregate the result via a Cloud Logging log-based metric and ship it through Cloud Monitoring; pin a Log Router sink to BigQuery if more than 400 days of key-issuance history is required for forensic reconstruction. Alert threshold Page on any CreateServiceAccountKey outside an explicitly allow-listed automation principal — the steady-state rate after enforcement should be effectively zero. Page immediately on any Org Policy update that turns iam.disableServiceAccountKeyCreation off; no calibration window — the constraint is a hard organisation invariant. Initial response Capture protoPayload.authenticationInfo.principalEmail, requestMetadata.callerIp, and the target service-account email; treat the new key as compromised-by-default until the issuing principal confirms ticket reference and intended consumer. Disable the freshly created key with gcloud iam service-accounts keys disable, then schedule deletion after 24 hours of telemetry validation; re-assert the Org Policy constraint at the organisation node. Pivot to Workload Identity Federation per control 04: cut the hard-coded JSON consumer over to a federated identity pool and bind the OIDC subject claim instead of issuing another long-lived credential. 
References Google Cloud — IAM audit logging reference (accessed 2026-05) Google Cloud — Org Policy constraint catalog (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-iam-03-mandatory-mfa ! CRITICAL PREVENTIVE Enforce mandatory 2-Step Verification (2SV) for every human identity that can sign in to the Google Cloud console, with phishing-resistant FIDO2 security keys as the preferred second factor and TOTP authenticator apps as the minimum-acceptable fallback. Google announced in 2024 that 2SV is becoming mandatory across all Google Cloud accounts with phased rollouts completing through 2025; treat enforcement as in-flight policy and re-verify the rollout status at the time of writing (Google Cloud — mandatory MFA rollout announcement 2024 (accessed 2026-05)). CIS GCP Foundation v5.0.0 1.2 codifies the requirement; verify the sub-ID against the v4.0.0 PDF. MITIGATES: Console-password compromise of Cloud Identity / Workspace users via phishing, credential stuffing, or password reuse from a third-party breach (the canonical EX-MFA-01 case from methodology). ATTACK VECTOR: An administrator reuses their corporate password on a SaaS app that is later breached; the leaked credential pair is replayed against the GCP console sign-in endpoint and succeeds because 2SV was never enforced on the user's Workspace organisational unit. From the admin session the attacker grants roles/owner on a target project to an external account. BLAST RADIUS: Bounded by whatever IAM bindings the compromised human holds; in practice often equivalent to project-wide Owner because administrators frequently retain broad legacy bindings that pre-date Privileged Access Manager workflows. 
Remediation — gcloud CLI <code class=\"language-bash\"># 2SV enforcement is configured in the Cloud Identity / Workspace Admin Console: # Security > Authentication > 2-Step Verification # - Enforcement: ON # - Methods: Security key (preferred) or Any # - New user enrollment period: as short as operationally feasible # # Audit current 2SV status across the organisation via Cloud Identity groups # and Workspace user inventory: gcloud identity groups memberships list \\ --group-email='all-admins@example.com' \\ --format='value(preferredMemberKey.id)' # Per-user 2SV status is queried via the Admin SDK Directory API # (gcloud does not expose it directly); the response field is `isEnrolledIn2Sv`. TOKEN=$(gcloud auth print-access-token) curl -s -H \"Authorization: Bearer $TOKEN\" \\ 'https://admin.googleapis.com/admin/directory/v1/users/admin@example.com?projection=full' \\ | jq '{primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # 2SV enforcement itself is configured in the Workspace Admin Console; # Terraform manages Cloud Identity group membership so that audit lists # of admins required to enrol in 2SV stay in sync with the directory. 
resource \"google_cloud_identity_group\" \"admins\" { display_name = \"GCP Administrators\" parent = \"customers/${var.workspace_customer_id}\" group_key { id = \"gcp-admins@${var.workspace_domain}\" } labels = { \"cloudidentity.googleapis.com/groups.discussion_forum\" = \"\" } } resource \"google_cloud_identity_group_membership\" \"admin_user\" { group = google_cloud_identity_group.admins.id preferred_member_key { id = \"alice@${var.workspace_domain}\" } roles { name = \"MEMBER\" } roles { name = \"OWNER\" } }</code> Remediation — Infrastructure Manager Infrastructure Manager: Mandatory MFA enrolment is enforced via Google Workspace / Cloud Identity admin policy — there is no Config Connector CRD for google_cloud_identity_group or google_cloud_identity_group_membership as of 2026-Q2. Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail; pair with the Admin Console Security → 2-Step Verification → Enforcement policy applied to the gcp-admins organisational unit. Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; import * as cloudidentity from \"@pulumi/gcp/cloudidentity\"; // Cloud Identity group + membership (the enrolment workflow is admin-console driven; // Pulumi declares the group + admin members; MFA enforcement itself is a Workspace policy). 
const admins = new cloudidentity.Group(\"admins\", { displayName: \"GCP Admins (MFA mandatory)\", parent: `customers/${customerId}`, groupKey: { id: \"gcp-admins@example.com\" }, labels: { \"cloudidentity.googleapis.com/groups.security\": \"\" }, });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.101.1.21.21.7 IA-2(1); IA-2(2)A.5.17; A.8.5n/a Log signals Workspace Admin SDK login audit reports with type=\"2sv_disable\" or type=\"2sv_enroll\" events streamed into Cloud Logging via the Workspace audit-log connector. Cloud Audit Logs protoPayload.serviceName=\"admin.googleapis.com\" events where the Workspace 2SV enforcement setting is toggled at the OU level. Cloud Identity user inventory pulls (Directory API users.list?projection=full) where the proportion of admin-group members with isEnforcedIn2Sv=false rises above zero. Query <code class=\"language-plaintext\">logName=~\"organizations/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"admin.googleapis.com\" AND (protoPayload.metadata.event.name=\"2sv_disable\" OR protoPayload.metadata.event.name=\"ALLOW_STRONG_AUTHENTICATION\" OR protoPayload.methodName=~\".*UpdateOrgUnit.*\") AND resource.type=\"audited_resource\"</code> Stream the Workspace admin audit feed into Cloud Logging using the Workspace audit-log export and query it side-by-side with GCP-side Cloud Audit Logs entries to correlate identity-plane changes with downstream IAM policy mutations. Alert threshold Page on any 2sv_disable event at the admin OU; a single occurrence is a candidate compromise of the Workspace super-admin role. Daily cron: alert if any account in gcp-admins@ shows isEnrolledIn2Sv=false for more than the enrolment grace window declared in policy. 
Initial response Suspend the affected user in Workspace, force a sign-out across all sessions, and revoke active OAuth grants via users.tokens.delete in the Directory API. Re-enable 2SV enforcement on the OU, require security-key enrollment for any account that held privileged IAM bindings during the 2SV gap window, and audit every SetIamPolicy call attributable to the user in that gap. Escalate to the Workspace super-admin break-glass owner per general/ir.html; if the disable was performed by a super-admin principal, treat the Workspace customer-id boundary as compromised and begin tenant-level containment. References Workspace — Admin audit log event reference (accessed 2026-05) Google Cloud — mandatory MFA rollout announcement (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-iam-04-workload-identity-federation ! HIGH PREVENTIVE Workload Identity Federation (WIF) is GCP's recommended replacement for downloadable service-account keys when authenticating from external workloads — GitHub Actions, GitLab CI, on-premises Kubernetes, AWS, Azure, or any OIDC- or SAML-emitting identity provider. WIF exchanges an external-identity-provider token for a short-lived GCP access token via the Security Token Service, eliminating the need to store a long-lived JSON key in CI secrets. Combined with control 02 (no-SA-keys), WIF collapses the credential-rotation problem to \"re-issue an OIDC token from the IdP\", which the IdP already does automatically (Google Cloud Workload Identity Federation documentation (accessed 2026-05)). MITIGATES: Static service-account JSON keys baked into CI secrets, runner images, or workload configuration — the dominant credential-exfiltration vector observed in GCP breach post-mortems (see General threat model). 
ATTACK VECTOR: A GitHub Actions workflow uses google-github-actions/auth in JSON-key mode with the key stored in a repository secret; a malicious pull-request from a fork triggers a workflow that prints the environment, exfiltrating the key to a public log. The credential remains valid until manually revoked. BLAST RADIUS: Whatever roles the impersonated service account holds. With WIF, even if an attacker steals the short-lived federated token it expires within an hour and cannot be used outside the configured IdP attribute conditions. Remediation — gcloud CLI <code class=\"language-bash\"># Create a Workload Identity pool and an OIDC provider for GitHub Actions. PROJECT=<your-project-id> PROJECT_NUMBER=$(gcloud projects describe \"$PROJECT\" --format='value(projectNumber)') POOL_ID=github-pool PROVIDER_ID=github-provider gcloud iam workload-identity-pools create \"$POOL_ID\" \\ --project=\"$PROJECT\" \\ --location=global \\ --display-name=\"GitHub Actions pool\" gcloud iam workload-identity-pools providers create-oidc \"$PROVIDER_ID\" \\ --project=\"$PROJECT\" \\ --location=global \\ --workload-identity-pool=\"$POOL_ID\" \\ --display-name=\"GitHub OIDC\" \\ --attribute-mapping='google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref' \\ --attribute-condition='assertion.repository_owner == \"your-org\"' \\ --issuer-uri='https://token.actions.githubusercontent.com' # Allow a specific repository to impersonate the deploy service account. 
gcloud iam service-accounts add-iam-policy-binding \\ \"deploy@${PROJECT}.iam.gserviceaccount.com\" \\ --role='roles/iam.workloadIdentityUser' \\ --member=\"principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/attribute.repository/your-org/your-repo\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_iam_workload_identity_pool\" \"github\" { project = var.project_id workload_identity_pool_id = \"github-pool\" display_name = \"GitHub Actions pool\" } resource \"google_iam_workload_identity_pool_provider\" \"github\" { project = var.project_id workload_identity_pool_id = google_iam_workload_identity_pool.github.workload_identity_pool_id workload_identity_pool_provider_id = \"github-provider\" display_name = \"GitHub OIDC\" attribute_mapping = { \"google.subject\" = \"assertion.sub\" \"attribute.repository\" = \"assertion.repository\" \"attribute.ref\" = \"assertion.ref\" } attribute_condition = \"assertion.repository_owner == \\\"your-org\\\"\" oidc { issuer_uri = \"https://token.actions.githubusercontent.com\" } } resource \"google_service_account_iam_binding\" \"wif_impersonation\" { service_account_id = google_service_account.deploy.name role = \"roles/iam.workloadIdentityUser\" members = [ \"principalSet://iam.googleapis.com/projects/${var.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github.workload_identity_pool_id}/attribute.repository/your-org/your-repo\", ] }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMWorkloadIdentityPool metadata: name: github namespace: config-control spec: description: \"OIDC federation for GitHub Actions\" disabled: false</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 
27001:2022 ISO/IEC 27017:2015 best-practices1.1.6best-practicesbest-practices IA-5(7); AC-6A.5.15; A.5.16CLD.6.3.1 Log signals Cloud Audit Logs on iam.googleapis.com for WorkloadIdentityPool and WorkloadIdentityPoolProvider mutations — particularly CreateWorkloadIdentityPoolProvider with an oidc.allowedAudiences list that includes a wildcard or an unfamiliar issuer URI. Service-account impersonation events: protoPayload.methodName=\"GenerateAccessToken\" with protoPayload.authenticationInfo.principalSubject bearing a principal://iam.googleapis.com/projects/-/locations/global/workloadIdentityPools/.../subject/... identity, especially where the subject claim drifts from the documented federation map. Org Policy state for iam.workloadIdentityPoolProviders allow-list — drift to a previously unseen issuer host should fire. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"iam_workload_identity_pool_provider\" AND (protoPayload.methodName=\"google.iam.v1.WorkloadIdentityPools.CreateWorkloadIdentityPoolProvider\" OR protoPayload.methodName=\"google.iam.v1.WorkloadIdentityPools.UpdateWorkloadIdentityPoolProvider\")</code> Pair this Cloud Logging filter with a second filter on iamcredentials.googleapis.com/GenerateAccessToken events so that pool-provider drift can be joined to the federated tokens it subsequently issued — the join key is the provider resource name in the impersonation principal subject. Alert threshold Page on every CreateWorkloadIdentityPoolProvider call — pool providers are rare, security-critical, configuration-as-code artefacts and a console-driven creation is a candidate red-team or social-engineering path. Page on any UpdateWorkloadIdentityPoolProvider that loosens the attribute condition (CEL expression) or adds a wildcard allowed_audiences entry. 
Initial response Capture the full protoPayload.request body and the diff against the prior provider state via Cloud Asset Inventory history; identify which OIDC issuer was added and which subject-attribute mapping was altered. Disable the pool provider (gcloud iam workload-identity-pools providers update-oidc --disabled) until the change is approved; revoke any access tokens issued through it during the window via iamcredentials.tokens.revoke. Audit downstream GenerateAccessToken events keyed on the provider resource name and correlate to data-plane API calls — every action taken under those tokens needs replay validation. References Google Cloud — Workload Identity Federation reference (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-iam-05-no-default-sa-roles ! HIGH PREVENTIVE The Compute Engine and App Engine default service accounts are created automatically in every new project and, historically, were automatically granted roles/editor at the project level — a long-standing privilege-escalation surface because any compute workload running with the attached default SA inherits broad project-wide write access. Enforce the boolean org-policy constraint iam.automaticIamGrantsForDefaultServiceAccounts at the organisation node to suppress these automatic grants for newly-created projects, then explicitly bind narrow custom roles to default SAs where they are still in use (Google Cloud organization policy constraint reference (accessed 2026-05)). CIS GCP Foundation v5.0.0 1.5 codifies this; re-verify the sub-ID against the v4.0.0 PDF. Where users genuinely need just-in-time elevated access for break-glass workflows, pair this control with Privileged Access Manager (PAM) — GA per Google's 2024 announcement; re-verify GA status at writing time — which issues time-bound role grants with approval flow and full audit trail rather than relying on standing default-SA permissions. 
MITIGATES: Lateral movement from a compromised compute workload to project-wide write access via the attached default service account's automatic roles/editor binding. ATTACK VECTOR: An SSRF vulnerability in a public-facing Cloud Run service lets an attacker read the metadata server and obtain an access token for the default Compute Engine service account; because that SA holds roles/editor, the attacker creates a new VM with a startup script that exfiltrates Cloud Storage buckets and BigQuery datasets across the entire project. BLAST RADIUS: With automatic grants disabled and narrow custom roles in their place: limited to the workload's data plane. With automatic roles/editor still present: every API in every service in the entire project, including the ability to create new service accounts and grant them roles/owner. Remediation — gcloud CLI <code class=\"language-bash\"># Enforce the boolean constraint at the organisation node. ORG_ID=<your-org-id> cat > no-default-sa-grants.yaml <<EOF name: organizations/${ORG_ID}/policies/iam.automaticIamGrantsForDefaultServiceAccounts spec: rules: - enforce: true EOF gcloud org-policies set-policy no-default-sa-grants.yaml # Audit: identify existing default SAs still holding roles/editor. 
PROJECT=<your-project-id> PROJECT_NUMBER=$(gcloud projects describe \"$PROJECT\" --format='value(projectNumber)') gcloud projects get-iam-policy \"$PROJECT\" \\ --flatten='bindings[].members' \\ --filter=\"bindings.role=roles/editor AND bindings.members:${PROJECT_NUMBER}-compute@\" \\ --format='value(bindings.members,bindings.role)'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 resource \"google_org_policy_policy\" \"no_default_sa_grants\" { name = \"organizations/${var.organization_id}/policies/iam.automaticIamGrantsForDefaultServiceAccounts\" parent = \"organizations/${var.organization_id}\" spec { rules { enforce = \"TRUE\" } } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: orgpolicy.cnrm.cloud.google.com/v1beta1 kind: OrgPolicyPolicy metadata: name: no-default-sa-grants namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" spec: rules: - enforce: true name: \"organizations/ORG_ID/policies/iam.automaticIamGrantsForDefaultServiceAccounts\"</code> Compliance mapping CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 best-practices | 1.1.4 | 1.5 | best-practices | AC-6(1); AC-6(2) | A.5.15 | CLD.6.3.1 Log signals Cloud Audit Logs SetIamPolicy entries at project scope where protoPayload.serviceData.policyDelta.bindingDeltas adds a binding whose member matches serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com or serviceAccount:PROJECT_NUMBER@appspot.gserviceaccount.com with roles/editor. Org Policy constraint iam.automaticIamGrantsForDefaultServiceAccounts mutation events; the constraint should remain enforce: true at the organisation node. 
Compute Engine API calls instances.insert attaching the default compute service account without an explicit --service-account override — surfaced via Cloud Logging filter on request.serviceAccounts.email. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.methodName=\"SetIamPolicy\" AND resource.type=\"project\" AND protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND protoPayload.serviceData.policyDelta.bindingDeltas.member=~\"serviceAccount:[0-9]+-compute@developer.gserviceaccount.com\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/editor\"</code> Run as a saved Cloud Logging filter pinned to the aggregated organisation sink; correlate hits with Cloud Asset Inventory IAM Recommender output, which produces a least-privilege role suggestion for each binding observed. Alert threshold Page on any binding that grants roles/editor (or any role with *.setIamPolicy permissions) to the default compute or App Engine service account in any project — the policy is project-wide and the steady-state count should be zero. Page on any flip of iam.automaticIamGrantsForDefaultServiceAccounts away from enforced. Initial response Identify VMs and Cloud Functions currently running under the default service account via Cloud Asset Inventory compute.googleapis.com/Instance queries; enumerate the API surface those workloads call before stripping the role. Replace the binding with a purpose-built service account holding only the predicate-narrow roles the workload requires; redeploy with --service-account= explicitly set on the next deployment slot. Re-assert the Org Policy constraint and run the IAM Recommender to confirm no transitive Editor-equivalent role survives via custom roles. References Google Cloud — Default service accounts (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-iam-06-no-admin-sa ! 
HIGH PREVENTIVE Service accounts must never hold roles/owner or roles/editor at project, folder, or organisation level. These primitive roles bundle thousands of permissions, including the ability to create and impersonate other service accounts, and a workload that needs that much power is almost always a workload whose architecture has not yet been decomposed into purpose-built custom roles. Use IAM Recommender to identify over-privileged SAs from observed call patterns, then replace primitive role bindings with narrow predefined or custom roles. Pair this with Privileged Access Manager (GA per Google's 2024 announcement; re-verify GA status at writing time) where short-lived elevated grants are unavoidable so that no SA carries standing Editor/Owner authority (Google Cloud IAM best practices (accessed 2026-05)). CIS GCP Foundation v5.0.0 1.6 codifies the prohibition; re-verify the sub-ID against the v4.0.0 PDF. MITIGATES: Privilege escalation via the IAM service itself — a service account with roles/owner can grant itself any other role, impersonate any other SA, and disable audit logging. ATTACK VECTOR: A CI/CD pipeline runs as a service account bound to roles/owner \"because the migration scripts needed it once in 2022\". A compromised pull-request workflow triggers gcloud iam service-accounts keys create on a target SA, downloads the key, and exfiltrates it to a public log; the attacker subsequently impersonates the target SA from arbitrary network locations. BLAST RADIUS: With primitive roles removed: bounded by the SA's narrow custom-role permissions. With roles/owner on the SA: full project compromise, identical to standing root in a single-tenant model. Remediation — gcloud CLI <code class=\"language-bash\"># Audit: list every service account bound to roles/owner or roles/editor. 
PROJECT=<your-project-id> for role in roles/owner roles/editor; do gcloud projects get-iam-policy \"$"},{"id":"gcp/index.html","url":"gcp/index.html","title":"GCP Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP","description":"GCP security hardening reference: IAM, network, data protection, logging, workloads, and incident response.","body":"GCP Hardening This section covers Google Cloud Platform hardening across the six security domains. Each domain page maps cross-cutting principles (covered in the General section) onto specific GCP services and configuration primitives — Cloud IAM, organization policies, VPC Service Controls, Security Command Center, and the platform's native control planes. Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases. Domains IAM — org policy, service account key elimination, Workload Identity Federation, VPC Service Controls Network — VPC design, hierarchical firewall policies, Private Google Access, Cloud Armor, Cloud DNS DNSSEC Data Protection — bucket-level IAM, public access prevention, CMEK with Cloud KMS, Cloud DLP, Secret Manager Logging & Detection — Cloud Audit Logs, aggregated sinks, Security Command Center Premium Workloads — Shielded VM, OS Login, GKE hardening, Binary Authorization, Artifact Registry scanning Incident Response — SCC findings to Pub/Sub automation, forensic snapshots, GKE IR GenAI Security — Vertex AI service account scoping, VPC Service Controls, Gemini safety filters, CMEK, Data Access audit logs, data residency, RAG grounding source auth, Model Garden org policy Kubernetes — GKE private cluster, Workload Identity, Binary Authorization, Shielded Nodes, gVisor, Cloud Audit Logs, Pod Security Standards, network policy default-deny This page is a Phase 2 stub. 
Section overview content arrives in later phases."},{"id":"gcp/ir.html","url":"gcp/ir.html","title":"GCP Incident Response Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Incident Response","description":"GCP incident response: break-glass Cloud Identity accounts, SCC findings → Pub/Sub → Cloud Functions automation, Bucket Lock forensic evidence, BigQuery audit-log forensic queries, Compute Engine isolation runbook, service-account key revocation, quarterly tabletops.","body":"GCP Incident Response Hardening Overview This page covers Google Cloud Platform incident response — the surfaces, services, and pre-positioned controls that decide whether the organisation can detect, contain, investigate, and recover from a cloud security incident before the attacker achieves their objective. Scope is the commercial GCP regions; GCP Sovereign Cloud (formerly Assured Workloads and the Google Cloud Air-Gapped offering) inherits the same controls but exposes a different region table and constrains some services — re-verify region availability before applying any of the IaC below to a sovereign or air-gapped deployment. The IR lifecycle on this page is the one codified in NIST SP 800-61 Rev 3 — April 2025 release (accessed 2026-05), which restates the lifecycle as a CSF 2.0 community profile (Govern · Identify · Protect · Detect · Respond · Recover); the canonical lifecycle, evidence-handling, communications, and recovery framing live on the General Incident Response page (lifecycle, preparation, containment, forensics, communication, recovery / post-incident, tabletops). This page maps that lifecycle to the GCP surfaces an IR responder actually touches. 
The GCP IR plane is the product of an organization (the root policy boundary where Cloud Identity tenants attach and where Security Command Center is activated), Cloud Identity (the directory plane and the identity-provider boundary that must remain reachable when the on-prem IdP federation is compromised — this is the architectural reason break-glass accounts are Cloud-Identity-only), Security Command Center (the posture, threat-detection, and finding-aggregation plane — Premium tier ships Event Threat Detection, Container Threat Detection, VM Threat Detection, and Anomaly Detection; Enterprise tier upgrades to multi-cloud CNAPP with Mandiant threat intelligence and case management), Pub/Sub (the asynchronous message bus that SCC notifications fan out to and that Cloud Functions / Eventarc subscribe to for playbook automation), Cloud Functions Gen 2 and Eventarc (the serverless automation surfaces that execute containment playbooks), Cloud Storage with Bucket Lock (the immutable evidence-preservation surface; LOCKED retention is the only retention mode that survives a compromised storage admin), BigQuery audit-log sinks (the analytical surface for SQL-based forensic queries against the corpus of Admin Activity and Data Access logs), Compute Engine snapshots (the disk-image preservation primitive for VM forensics), and the Workspace Admin SDK (the OAuth-token revocation and session-enumeration surface for compromised user-identity response). Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and OCI sibling pages. Three anti-conflation callouts up front, because each gets conflated in audit reports and architecture reviews and the distinction is load-bearing for how the corresponding control is designed. First: break-glass (gcp-ir-01) is PREVENTIVE, not RESPONSIVE. 
The control is the pre-positioning that makes response possible — 2-4 emergency-access Cloud Identity accounts created on a quiet day, hardened with FIDO2 hardware security keys, excluded from Context-Aware Access and Workforce Identity Federation, monitored via SCC and log-based metric alerts on every sign-in, and access-tested quarterly. Creating break-glass during the incident that took out the Workforce Identity Federation or the on-prem IdP is structurally impossible — the entire reason break-glass exists is that the normal sign-in path has failed. This typing mirrors the equivalent decision on Phase 6 aws-ir-01-break-glass-account and Phase 7 azure-ir-01-emergency-access and is locked across all three providers. Second: forensic-evidence storage (gcp-ir-03) uses Cloud Storage Bucket Lock with is_locked = true — LOCKED retention cannot be reduced even by organization admins. Without Bucket Lock the attacker profile that compromised the storage admin role on the security project would also have the authority to shorten or remove the retention policy and overwrite or delete the evidence. The exact analog of this decision is Phase 6 aws-ir-03 using S3 Object Lock in Compliance mode (not Governance — Governance has s3:BypassGovernanceRetention which a sufficiently-privileged attacker acquires) and Phase 7 azure-ir-03 using Immutable Blob storage in Locked mode (not Unlocked — Unlocked is subscription-owner-bypassable). The control across all three providers is \"the retention policy survives the same attacker who compromised the storage admin\"; for Cloud Storage Bucket Lock that means retention_policy { is_locked = true; retention_period_seconds = 31557600 }, applied at bucket-creation time and locked once verified. Third: tabletop exercises (gcp-ir-07) are PREVENTIVE, not RESPONSIVE. 
The value of a quarterly tabletop is preventing runbook decay before the next incident — runbooks written and never re-exercised are, in practice, runbooks that do not work when they are needed (the modal failure of all written IR procedures). Each exercise that surfaces a wrong, missing, or unexecutable runbook step is tracked as a finding against the runbook repository and remediated before the next quarter. The PREVENTIVE typing is locked across Phases 6 (aws-ir-07), 7 (azure-ir-07), and 8 (this control) per the methodology rubric and PITFALL B-14 (preventive controls stop bad states from arising; tabletops stop runbook decay). Order matters. Control 01 is the pre-positioned identity that survives a compromised IdP. Control 02 is the automation pipeline that contains in seconds rather than the minutes a human on-call would take. Control 03 is the evidence-preservation surface that survives the storage-admin compromise. Control 04 is the SQL-driven forensic-query workflow that lets an analyst pivot across hundreds of millions of audit events. Controls 05–06 are the playbook runbooks for the two most common single-resource compromise scenarios (a VM and a service-account credential). Control 07 is the anti-decay loop that keeps every prior runbook executable. Cross-link to General IR — preparation for the lifecycle framing this ordering reflects. gcp-ir-01-break-glass ! CRITICAL PREVENTIVE Provision two to four break-glass Cloud Identity super-admin accounts that exist outside the normal Workforce Identity Federation / Cloud Identity-Google-Workspace synchronisation path. 
These accounts are created directly in the Cloud Identity tenant (not synced from an on-prem IdP via Google Cloud Directory Sync), excluded from every Context-Aware Access binding and Workforce Identity Federation pool, hardened with FIDO2 hardware security keys (no SMS, no TOTP authenticator apps — Google's 2024 Advanced Protection Program guidance and the broader phishing-resistant-MFA consensus), stored in dual-control physical safes, and instrumented with Security Command Center notifications plus a Cloud Logging log-based metric on every sign-in event (Google Cloud — Best practices for planning accounts and organizations (accessed 2026-05)). The accounts must be access-tested quarterly: every quarter, one named responder signs in, demonstrates the credential still works, and documents the test in the IR runbook repository. This is PREVENTIVE not RESPONSIVE because the control is the pre-positioning that makes response possible — break-glass cannot be created during the incident that took out the IdP. Cross-link to General IR — preparation and gcp-iam-02 for the Phase 5 zero-tolerance baseline on long-lived credentials that this control deliberately exempts itself from. MITIGATES: Lockout of all administrators following a compromise of the federated identity provider (Okta, Azure AD / Microsoft Entra ID, on-prem Active Directory federated to Cloud Identity), a misconfigured Context-Aware Access binding that excludes all current admins, a Google Cloud Directory Sync misconfiguration that deletes the wrong organizational-unit's accounts, or a malicious-insider scenario where a Cloud Identity super-admin attempts to remove the recovery path before exfiltration. Compounds when the federated IdP is itself the entry point for the original compromise. ATTACK VECTOR: The on-prem AD-FS server federated to Cloud Identity is compromised in a separate incident; all Cloud Identity sign-ins go through that federation. 
The attacker pivots into the Cloud Identity tenant, removes the federated-IdP binding, and the organisation can no longer sign in to recover the situation. Without break-glass: a Google Workspace support ticket and a multi-day identity-proofing escalation. With break-glass: a named responder retrieves the hardware key from the physical safe and signs in within minutes. BLAST RADIUS: Without break-glass: the entire Cloud Identity tenant and every Google Cloud organization, folder, and project bound to it, for the duration of the Workspace support escalation (typically multi-day under contractual-SLA paths). With break-glass: bounded to the time from incident declaration to the responder reaching the safe. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) + Workspace Admin SDK via gcloud identity # Step 1: create the break-glass super-admin user directly in Cloud Identity. # Done via the Workspace Admin Console UI OR Directory API; gcloud has limited # coverage. The creation itself is performed there by a Workspace super-admin. # The command below only lists the break-glass group's members to confirm the accounts exist. gcloud identity groups memberships list \\ --group-email=breakglass-admins@example.com \\ --format='value(preferredMemberKey.id)' # Step 2: assign Organization Administrator role to the break-glass account. gcloud organizations add-iam-policy-binding ORG_ID \\ --member='user:breakglass-01@example.com' \\ --role='roles/resourcemanager.organizationAdmin' # Step 3: enforce 2-Step Verification with security keys only for the # break-glass OU. Done via Workspace Admin Console (Security > 2-Step # Verification > Enforcement > Security Keys Only). # Step 4: create the log-based metric that fires on every break-glass sign-in. 
gcloud logging metrics create breakglass-signin \\ --description='Sign-in event for any break-glass Cloud Identity account' \\ --log-filter='logName=\"organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.authenticationInfo.principalEmail=(\"breakglass-01@example.com\" OR \"breakglass-02@example.com\")' # Step 5: route the metric to a Cloud Monitoring alert policy that pages the # on-call (Pub/Sub topic subscribed by the PagerDuty integration). gcloud alpha monitoring policies create \\ --notification-channels=projects/PROJECT_ID/notificationChannels/PD_CHANNEL_ID \\ --display-name='Break-glass account sign-in detected' \\ --condition-filter='metric.type=\"logging.googleapis.com/user/breakglass-signin\" AND resource.type=\"global\"' \\ --condition-threshold-value=0 \\ --condition-threshold-comparison=COMPARISON_GT \\ --condition-threshold-duration=0s</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud break-glass + Cloud Identity docs (accessed 2026-05) # Note: Cloud Identity user creation is not directly supported by the google # provider; the user object itself is created via the Workspace Admin Console. # Terraform manages the IAM bindings, log-based metric, and alert policy. 
resource \"google_organization_iam_member\" \"breakglass_01_org_admin\" { org_id = var.org_id role = \"roles/resourcemanager.organizationAdmin\" member = \"user:breakglass-01@example.com\" } resource \"google_organization_iam_member\" \"breakglass_02_org_admin\" { org_id = var.org_id role = \"roles/resourcemanager.organizationAdmin\" member = \"user:breakglass-02@example.com\" } resource \"google_logging_metric\" \"breakglass_signin\" { name = \"breakglass-signin\" description = \"Sign-in event for any break-glass Cloud Identity account\" filter = <<-EOT logName=\"organizations/${var.org_id}/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.authenticationInfo.principalEmail=(\"breakglass-01@example.com\" OR \"breakglass-02@example.com\") EOT metric_descriptor { metric_kind = \"DELTA\" value_type = \"INT64\" } } resource \"google_monitoring_alert_policy\" \"breakglass_signin_alert\" { display_name = \"Break-glass account sign-in detected\" combiner = \"OR\" notification_channels = [var.pagerduty_channel_id] conditions { display_name = \"Any break-glass sign-in\" condition_threshold { filter = \"metric.type=\\\"logging.googleapis.com/user/${google_logging_metric.breakglass_signin.name}\\\" AND resource.type=\\\"global\\\"\" comparison = \"COMPARISON_GT\" threshold_value = 0 duration = \"0s\" } } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: break-glass-org-admin namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" role: roles/resourcemanager.organizationAdmin member: \"user:breakglass-ir@example.com\"</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Break-glass IR account — single human, MFA-mandatory, separate from day-to-day admin path. 
// Alert on EVERY use of this binding via Cloud Logging. const breakGlass = new gcp.organizations.IAMMember(\"break-glass-org-admin\", { orgId: orgId, role: \"roles/resourcemanager.organizationAdmin\", member: \"user:breakglass-ir@example.com\", });</code> Compliance mapping CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 n/a | n/a | (Cloud Identity emergency-access docs) | n/a | IR-4; AC-2(8); AC-6 | A.5.24; A.5.26 | CLD.9.5.1 Log signals Cloud Audit Logs SetIamPolicy events binding the break-glass principal (typically break-glass-admin@) to roles/owner or roles/iam.securityAdmin on any project or folder. Workspace sign-in audit feed showing sign-ins to the break-glass account from any location — the account should sit dormant outside declared incidents. Cloud Identity password-reset / 2SV-enrol events on the break-glass user; both indicate someone is actively preparing to use the account. Query <code class=\"language-plaintext\">logName=~\"organizations/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND ((protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.bindingDeltas.member=~\"user:break-?glass-.*\") OR (protoPayload.serviceName=\"admin.googleapis.com\" AND protoPayload.authenticationInfo.principalEmail=~\"break-?glass-.*\"))</code> Pair this Cloud Logging filter with a Cloud Monitoring alert that routes to multiple notification channels (SMS, voice, on-call manager email) so a single channel failure cannot suppress the page; the break-glass account is a high-confidence signal. Alert threshold Page immediately on any sign-in to the break-glass account or any IAM binding involving its principal; there is no acceptable rate of background use. Page on any Workspace admin event mutating the break-glass account's 2SV or password posture. 
Initial response Confirm the on-call engineer initiated the use via the documented incident channel; if not, suspend the account in Workspace and revoke all OAuth tokens via the Directory API. Audit every API call made under the break-glass principal during the active window; the principal should produce a tightly bounded action set documented in the incident timeline. Re-seal the break-glass account post-incident: rotate the password into the offline sealed envelope, re-enrol the FIDO2 key, and revoke any IAM bindings created during the window. References Google Cloud — Identity best practices (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-ir-02-scc-pub-sub-function ! HIGH RESPONSIVE Configure Security Command Center to export findings to a dedicated Pub/Sub topic in the security-operations project; subscribe a Cloud Functions (Gen 2) function — or an Eventarc-triggered Cloud Run service — that executes the auto-containment playbook for high-severity finding categories (cryptomining detection, privilege-escalation detection, exfiltration detection, malware-on-VM detection). The playbook canonical steps: (1) snapshot the implicated disks via gcloud compute snapshots create; (2) swap the VM's firewall tags so it lands in the pre-deployed quarantine network policy (deny-all egress, ingress only from named IR analyst IPs); (3) disable the implicated service account via gcloud iam service-accounts disable; (4) emit a structured event to the IR PagerDuty Pub/Sub topic with the finding payload attached for the human on-call (Google Cloud — SCC notifications documentation (accessed 2026-05)). Pub/Sub subscription filter narrows the playbook scope to the categories that have well-tested auto-containment recipes (category=(\"CRYPTOMINING\" OR \"PRIVILEGE_ESCALATION\" OR \"EXFILTRATION\")); other categories page the on-call without auto-containment. 
Same-phase STRICT pair-control: SCC threat-detection itself (the enablement of Event Threat Detection, Container Threat Detection, VM Threat Detection) is owned by gcp-log-04-scc-premium — this IR control covers the response pipeline that consumes those findings. MITIGATES: Attacker dwell time between SCC finding emission and human responder action — typically a non-trivial fraction of total dwell when the incident lands outside business hours, when the on-call is paged but the initial assessment takes ten or more minutes, or when the contain-by-hand workflow requires console clicks across multiple projects. Compounds when the attacker is a cryptominer who can spin up dozens of GPU instances before manual containment lands. ATTACK VECTOR: A service-account credential leaks (committed to a public GitHub repo by mistake). An attacker uses it to enumerate IAM permissions and launches GPU-instance cryptomining workloads in unused regions. SCC's Event Threat Detection emits the Mining: Bitcoin Pool finding within minutes; without auto-containment the on-call responder spends 10-30 minutes assessing, identifying the compromised SA, and disabling it manually. With auto-containment: the Cloud Function disables the SA and quarantines the implicated VMs within seconds of finding emission. BLAST RADIUS: Without auto-containment: every workload reachable by the compromised SA during the manual-response window. With auto-containment: bounded to the workloads that were already provisioned before the playbook fired (typically within tens of seconds). Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create the SCC notification config that exports findings to Pub/Sub. 
gcloud pubsub topics create scc-findings-prod \\ --project=security-ops-prod gcloud scc notifications create scc-notif-cryptomining \\ --organization=ORG_ID \\ --pubsub-topic=projects/security-ops-prod/topics/scc-findings-prod \\ --filter='state=\"ACTIVE\" AND severity=\"CRITICAL\" AND category=\"Mining: Bitcoin Pool\"' # Step 2: create the Pub/Sub subscription that filters categories with playbooks. gcloud pubsub subscriptions create scc-findings-playbook-sub \\ --project=security-ops-prod \\ --topic=projects/security-ops-prod/topics/scc-findings-prod \\ --message-filter='attributes.category=(\"CRYPTOMINING\" OR \"PRIVILEGE_ESCALATION\" OR \"EXFILTRATION\")' # Step 3: deploy the Gen 2 Cloud Function that runs the containment playbook. gcloud functions deploy scc-auto-containment \\ --project=security-ops-prod \\ --region=europe-west1 \\ --gen2 \\ --runtime=python312 \\ --source=./containment-playbook \\ --entry-point=handle_finding \\ --trigger-topic=scc-findings-prod \\ --service-account=scc-containment-sa@security-ops-prod.iam.gserviceaccount.com # Step 4: grant the containment SA the precise IAM needed in target projects. 
gcloud organizations add-iam-policy-binding ORG_ID \\ --member='serviceAccount:scc-containment-sa@security-ops-prod.iam.gserviceaccount.com' \\ --role='roles/iam.serviceAccountAdmin' \\ --condition='expression=resource.name.startsWith(\"projects/svc-\"),title=svc-projects-only'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud SCC + Pub/Sub + Cloud Functions Gen 2 docs (accessed 2026-05) resource \"google_pubsub_topic\" \"scc_findings\" { project = var.security_ops_project name = \"scc-findings-prod\" } resource \"google_scc_notification_config\" \"cryptomining\" { config_id = \"scc-notif-cryptomining\" organization = var.org_id description = \"Active CRITICAL cryptomining findings\" pubsub_topic = google_pubsub_topic.scc_findings.id streaming_config { filter = \"state=\\\"ACTIVE\\\" AND severity=\\\"CRITICAL\\\" AND category=\\\"Mining: Bitcoin Pool\\\"\" } } resource \"google_pubsub_subscription\" \"playbook_sub\" { project = var.security_ops_project name = \"scc-findings-playbook-sub\" topic = google_pubsub_topic.scc_findings.id filter = \"attributes.category = \\\"CRYPTOMINING\\\" OR attributes.category = \\\"PRIVILEGE_ESCALATION\\\" OR attributes.category = \\\"EXFILTRATION\\\"\" ack_deadline_seconds = 60 } resource \"google_cloudfunctions2_function\" \"containment\" { project = var.security_ops_project name = \"scc-auto-containment\" location = \"europe-west1\" build_config { runtime = \"python312\" entry_point = \"handle_finding\" source { storage_source { bucket = var.fn_source_bucket object = \"containment-playbook.zip\" } } } service_config { service_account_email = google_service_account.containment_sa.email available_memory = \"512M\" timeout_seconds = 120 } event_trigger { trigger_region = \"europe-west1\" event_type = \"google.cloud.pubsub.topic.v1.messagePublished\" pubsub_topic = google_pubsub_topic.scc_findings.id retry_policy = \"RETRY_POLICY_RETRY\" } } resource 
\"google_service_account\" \"containment_sa\" { project = var.security_ops_project account_id = \"scc-containment-sa\" }</code> Remediation — Infrastructure Manager Infrastructure Manager: Security Command Center notification configs are organisation-level — Config Connector has no CRD for google_scc_notification_config as of 2026-Q2 (SCC primitives are deliberately excluded from KCC). Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Compliance mapping CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 n/a | n/a | (SCC notifications + Eventarc docs) | n/a | IR-4(1); IR-4(7); SI-4(7) | A.5.26 | CLD.12.4.5 Log signals Cloud Audit Logs on cloudfunctions.googleapis.com for functions.delete targeting the IR-automation function bound to the SCC findings Pub/Sub topic. Function-update events changing the entry point or the Pub/Sub trigger topic to a non-SCC source — silent re-pointing of the responder. Pub/Sub subscription IAM mutations removing the function's roles/pubsub.subscriber binding — disconnects the fanout without deleting either side. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND ((protoPayload.serviceName=\"cloudfunctions.googleapis.com\" AND protoPayload.methodName=~\".*functions.(delete|update)\" AND protoPayload.resourceName=~\".*scc-responder.*\") OR (protoPayload.serviceName=\"pubsub.googleapis.com\" AND protoPayload.methodName=~\".*subscriptions.SetIamPolicy\" AND protoPayload.resourceName=~\".*scc-findings.*\"))</code> This Cloud Logging filter watches the responder function's lifecycle and the Pub/Sub binding that ties it to SCC findings; pair with a Cloud Monitoring synthetic check that publishes a test finding every hour to verify end-to-end responder activation. Alert threshold Page on any delete or update of the IR-responder function or any IAM mutation on its Pub/Sub subscription. Page on the synthetic finding failing to invoke the responder for two consecutive hourly checks. Initial response Restore the function from the captured Terraform state via terraform apply; re-bind the Pub/Sub subscriber role; verify the next synthetic finding invokes the responder. Backfill any SCC findings raised during the responder outage by replaying via gcloud pubsub topics publish against the recovered subscription. Pin responder code + IAM bindings in Terraform; add a Cloud Asset Inventory feed on the function and topic so future delete or unbind events fire via an independent channel. References Google Cloud — SCC notification responder pattern (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI · Pair-control: gcp-log-04-scc-premium gcp-ir-03-forensic-bucket ! CRITICAL RESPONSIVE Provision a dedicated Cloud Storage bucket in a dedicated forensic-evidence-prod project (sibling to the security-operations project, with its own IAM perimeter) for incident-evidence preservation. 
The bucket carries Cloud Storage Bucket Lock with retention_policy { is_locked = true; retention_period = 31557600 } — one calendar year, locked at bucket-creation time, immutable for the lifetime of the bucket (Google Cloud — Bucket Lock documentation (accessed 2026-05)). LOCKED retention is the only retention mode that survives a compromised storage admin: once the policy is locked, no principal — including organization admins and the project owner — can reduce or remove it; the only way to free the objects is to wait out the retention period. This is the precise analog of aws-ir-03 using S3 Object Lock in Compliance mode (Compliance, not Governance — Governance has s3:BypassGovernanceRetention which a sufficiently-privileged attacker acquires) and azure-ir-03 using Immutable Blob storage in Locked mode (Locked, not Unlocked — Unlocked is subscription-owner-bypassable). Layer customer-managed encryption keys (CMEK) via Cloud KMS on the bucket so evidence-at-rest is bound to the same key-management perimeter as the production-data CMEK chain; tag every uploaded object with chain-of-custody metadata (incident ID, uploader principal, SHA-256 hash, ingest timestamp). The CRITICAL rating reflects that evidence destroyed during the incident is irrecoverable — no after-the-fact compensating control exists. MITIGATES: An attacker (or a privileged-insider scenario) deletes or overwrites evidence after compromising the storage admin role on the security project, defeating any subsequent forensic analysis, regulator notification, or law-enforcement engagement. Also mitigates accidental deletion by a responder under stress and lifecycle-rule misconfiguration that silently expires evidence before the post-incident review. ATTACK VECTOR: The incident under investigation involves a compromised organisation-admin credential. The attacker, anticipating forensic preservation, enumerates Cloud Storage buckets across the organisation and identifies the evidence bucket. 
Without Bucket Lock: the attacker is one gcloud storage rm --recursive away from destroying every artifact. Without LOCKED retention (just an unlocked retention policy): the attacker removes the retention policy first, then deletes. With LOCKED retention: no principal can reduce the policy; the evidence survives for the retention window regardless of any IAM compromise. BLAST RADIUS: Without Bucket Lock: all evidence collected to date. With unlocked retention: same — the policy is bypassable. With LOCKED retention: zero — the policy is non-bypassable for the retention period. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create the dedicated forensic-evidence project under the security folder. gcloud projects create forensic-evidence-prod \\ --folder=FOLDER_ID_SECURITY \\ --name='Forensic Evidence (production)' # Step 2: create the bucket with CMEK + uniform bucket-level access. gcloud storage buckets create gs://forensic-evidence-prod \\ --project=forensic-evidence-prod \\ --location=europe-west1 \\ --uniform-bucket-level-access \\ --default-encryption-key='projects/security-kms-prod/locations/europe-west1/keyRings/forensic/cryptoKeys/forensic-cmek' \\ --public-access-prevention # Step 3: set the retention policy to 1 year (31_557_600 seconds). gcloud storage buckets update gs://forensic-evidence-prod \\ --retention-period=31557600s # Step 4: lock the retention policy. THIS IS IRREVERSIBLE. # Once locked, the retention period can only be INCREASED, never reduced or removed. gcloud storage buckets update gs://forensic-evidence-prod \\ --lock-retention-period # Step 5: bind the IR team service account at object-admin scope. gcloud storage buckets add-iam-policy-binding gs://forensic-evidence-prod \\ --member='serviceAccount:ir-team-sa@security-ops-prod.iam.gserviceaccount.com' \\ --role='roles/storage.objectAdmin' # Step 6: bind external IR partners at object-viewer scope for read-only handoff. 
gcloud storage buckets add-iam-policy-binding gs://forensic-evidence-prod \\ --member='group:external-ir-partners@example.com' \\ --role='roles/storage.objectViewer'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud Bucket Lock + retention policy docs (accessed 2026-05) resource \"google_storage_bucket\" \"forensic_evidence\" { project = \"forensic-evidence-prod\" name = \"forensic-evidence-prod\" location = \"europe-west1\" uniform_bucket_level_access = true public_access_prevention = \"enforced\" encryption { default_kms_key_name = var.forensic_cmek_id } retention_policy { is_locked = true retention_period = 31557600 # 1 year, in seconds } versioning { enabled = true } lifecycle { prevent_destroy = true } } resource \"google_storage_bucket_iam_member\" \"ir_team_admin\" { bucket = google_storage_bucket.forensic_evidence.name role = \"roles/storage.objectAdmin\" member = \"serviceAccount:ir-team-sa@security-ops-prod.iam.gserviceaccount.com\" } resource \"google_storage_bucket_iam_member\" \"external_ir_viewer\" { bucket = google_storage_bucket.forensic_evidence.name role = \"roles/storage.objectViewer\" member = \"group:external-ir-partners@example.com\" }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: forensic-evidence namespace: config-control spec: location: us-central1 uniformBucketLevelAccess: true publicAccessPrevention: enforced versioning: enabled: true retentionPolicy: retentionPeriod: 31536000 # 1 year minimum isLocked: true logging: logBucketRef: external: \"log-sink-bucket\"</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Immutable forensic-evidence bucket: bucket lock + retention policy + access logs. 
const forensicBucket = new gcp.storage.Bucket(\"forensic-evidence\", { name: \"forensic-evidence\", location: \"US-CENTRAL1\", uniformBucketLevelAccess: true, publicAccessPrevention: \"enforced\", versioning: { enabled: true }, retentionPolicy: { retentionPeriod: 31536000, // 1 year isLocked: true, }, forceDestroy: false, });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a (Bucket Lock docs) n/a AU-11; IR-4(7); SI-7 A.5.28; A.8.13 CLD.12.4.5 Log signals Cloud Audit Logs on storage.googleapis.com for storage.buckets.update reducing the forensic bucket's retentionPolicy.retentionPeriod or disabling Object Versioning. Bucket-lock state transitions: the forensic bucket's retention policy should be locked, and any buckets.lockRetentionPolicy reversal attempt produces a denial that is still worth reviewing. Bucket-IAM mutations on the forensic bucket adding any storage.objects.delete-capable role to a non-incident principal. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"storage.googleapis.com\" AND protoPayload.resourceName=~\".*buckets/forensic-evidence.*\" AND (protoPayload.methodName=\"storage.buckets.update\" OR protoPayload.methodName=\"storage.setIamPermissions\")</code> Run this Cloud Logging filter at project scope on the forensic-bucket project; pair with a Cloud Asset Inventory feed so retention-policy + IAM-state drift surface in real time, independent of audit-log delivery. Alert threshold Page on any mutation to the forensic bucket's retention policy, versioning, or IAM bindings. Page on any object-delete attempt against the forensic bucket; with the retention lock the delete should be denied, but the attempt itself is signal. 
Initial response If the retention policy is not yet locked, restore the original retention period and apply the lock via gcloud storage buckets update --lock-retention-period; locked policies cannot be shortened. Revoke unauthorised IAM bindings; if any object was successfully deleted within object-versioning history, restore the noncurrent version via the legacy gsutil cp gs://bucket/object#GENERATION command (gsutil is legacy; gcloud storage cp is the current default). Audit the principal that issued the mutation for additional forensic-scope tampering attempts; treat as candidate post-breach cover-up activity. References Google Cloud — Bucket Lock for forensic retention (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-ir-04-bigquery-audit-logs ! HIGH RESPONSIVE Use the BigQuery audit-log dataset created by the aggregated Cloud Logging sink to run SQL-based forensic queries across the corpus of Admin Activity, Data Access, System Event, and Policy Denied logs. The sink itself — partitioned table layout, 2-year retention via partition expiration, KMS-CMK encryption — is owned by gcp-log-08-bigquery-audit-sink; this IR control covers the forensic-query workflow that consumes the dataset. Maintain a saved-query library — implemented as google_bigquery_routine resources — covering canonical hunts: \"all IAM role grants in the last 30 days\", \"all service-account-key creation events in the last 90 days\", \"all Cloud Storage storage.objects.list on the forensic-evidence bucket\", \"all Pub/Sub pubsub.subscriptions.create on the SCC findings topic\", \"all setIamPolicy calls by principals outside the security operations group\" (Google Cloud — Cloud Audit Logs best practices (accessed 2026-05)). Partitioning by timestamp day and clustering by protoPayload.serviceName keeps the canonical hunts under a few-GB scan; analysts pivot from one finding to the next without leaving the BigQuery console. 
Same-phase STRICT pair-control: the sink configuration itself lives at gcp-log-08-bigquery-audit-sink — author the sink there; author the saved-query library here. MITIGATES: Inability to answer time-bounded forensic questions across hundreds of millions of audit events during an active incident. Without SQL-driven hunts, the responder relies on the Cloud Logging console's free-text search which is rate-limited, hard to share, and not joinable across log types. Compounds when the incident spans weeks of historical events and crosses multiple audit-log categories. ATTACK VECTOR: Not a direct attack vector — this control mitigates failure-modes of detection and investigation. The scenario is: an analyst discovers an unauthorised IAM role grant during the incident triage. With the saved-query library, \"show every setIamPolicy call by this principal across every project in the last 90 days\" is one SQL query returning in seconds. Without it: ad-hoc Logs Explorer queries that time out at the 30-day retention boundary or exceed Cloud Logging quota. BLAST RADIUS: Without forensic-query workflow: investigation time inflates by a factor proportional to incident scope; analysts cannot share queries, cannot version them in a runbook repo, and re-author the same hunts each incident. With saved-query library: investigation steps are reproducible, versioned, and runnable by any analyst with BigQuery dataset reader role. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI + bq (latest stable) # Step 1: verify the audit-log dataset exists (created by gcp-log-08 sink). bq ls --project_id=security-logs-prod | grep cloudaudit_googleapis_com_ # Step 2: run a canonical forensic query — all IAM role grants in the last 30 days # by a specific principal across every project. 
bq query --use_legacy_sql=false --project_id=security-logs-prod \\ --max_rows=10000 \\ 'SELECT timestamp, protoPayload.authenticationInfo.principalEmail AS actor, resource.labels.project_id AS project, protoPayload.methodName AS method, protoPayload.serviceData.policyDelta.bindingDeltas AS deltas FROM `security-logs-prod.cloudaudit_googleapis_com_activity.cloudaudit_googleapis_com_activity_*` WHERE _TABLE_SUFFIX BETWEEN FORMAT_DATE(\"%Y%m%d\", DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)) AND FORMAT_DATE(\"%Y%m%d\", CURRENT_DATE()) AND protoPayload.methodName = \"SetIamPolicy\" AND protoPayload.authenticationInfo.principalEmail = \"suspect-actor@example.com\" ORDER BY timestamp DESC;' # Step 3: persist the query as a saved BigQuery routine for reuse. bq query --use_legacy_sql=false --project_id=security-logs-prod \\ 'CREATE OR REPLACE PROCEDURE `security-logs-prod.forensic_hunts.iam_grants_by_actor`( actor STRING, lookback_days INT64 ) BEGIN SELECT timestamp, resource.labels.project_id, protoPayload.methodName FROM `security-logs-prod.cloudaudit_googleapis_com_activity.cloudaudit_googleapis_com_activity_*` WHERE _TABLE_SUFFIX BETWEEN FORMAT_DATE(\"%Y%m%d\", DATE_SUB(CURRENT_DATE(), INTERVAL lookback_days DAY)) AND FORMAT_DATE(\"%Y%m%d\", CURRENT_DATE()) AND protoPayload.methodName IN (\"SetIamPolicy\", \"google.iam.admin.v1.SetIamPolicy\") AND protoPayload.authenticationInfo.principalEmail = actor ORDER BY timestamp DESC; END;'</code> Remediat"},{"id":"gcp/kubernetes.html","url":"gcp/kubernetes.html","title":"GCP GKE Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Kubernetes","description":"Google Kubernetes Engine (GKE) hardening: private cluster, Workload Identity, Binary Authorization, Shielded Nodes, gVisor sandbox, Cloud Audit Logs, Pod Security Standards, and network policy.","body":"GCP GKE Hardening Overview This page covers hardening controls for Google Kubernetes Engine (GKE). 
Both Standard and Autopilot cluster modes are addressed — Autopilot/Standard differences are noted in per-control callouts immediately below each control header. Where a control is enforced by default in Autopilot, the callout identifies it; where Autopilot prevents manual configuration, the callout explains what Google manages on your behalf. See general/kubernetes.html for the cross-cutting threat model, cluster-baseline principles, and common misconfigurations that apply to all providers. Controls are ordered by severity: CRITICAL first, then HIGH in control-number order, then MEDIUM. Terraform examples use hashicorp/google ~> 6.0. The sealed v1.0 GCP pages use ~> 5.0 — do not edit those pages. Supporting IAM prerequisites are on gcp/iam.html; VPC-native networking prerequisites are on gcp/network.html; audit log sink configuration is on gcp/logging.html. gcp-k8s-01 ! CRITICAL PREVENTIVE GKE Autopilot: Private nodes and a private control-plane endpoint are enforced by default in Autopilot clusters. Authorized networks for the control-plane endpoint should still be explicitly configured. GKE Standard: Pass --enable-private-nodes, --enable-private-endpoint, --master-ipv4-cidr-block, and --enable-master-authorized-networks at cluster creation. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable a private GKE cluster so worker nodes have no public IP addresses, and enable a private control-plane endpoint so the kube-apiserver is not reachable from the public internet. Combine with master authorized networks to restrict which CIDR ranges can reach the control plane. A public kube-apiserver is the number-one Kubernetes breach vector — any leaked credential is immediately usable from the internet without network-level barriers. MITIGATES: Public kube-apiserver exploitation — unauthenticated or stolen-credential access to the Kubernetes API from the internet. 
ATTACK VECTOR: Attacker finds a service-account token in a leaked kubeconfig or environment variable, issues kubectl exec or kubectl get secrets from any internet host. BLAST RADIUS: Full cluster administrative access — pod execution, secret exfiltration, workload modification, lateral movement to GCP APIs via node SA. Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_container_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.region # Private cluster — no external IPs on nodes private_cluster_config { enable_private_nodes = true enable_private_endpoint = true master_ipv4_cidr_block = \"172.16.0.0/28\" } # Restrict control-plane access to authorized CIDR ranges master_authorized_networks_config { cidr_blocks { cidr_block = var.management_cidr display_name = \"management-network\" } } # VPC-native cluster (alias IP ranges) ip_allocation_policy {} # Dataplane V2 enables NetworkPolicy enforcement via Cilium datapath_provider = \"ADVANCED_DATAPATH\" }</code> Remediation — gcloud <code class=\"language-bash\">gcloud container clusters create CLUSTER_NAME \\ --enable-private-nodes \\ --enable-private-endpoint \\ --master-ipv4-cidr-block 172.16.0.0/28 \\ --enable-master-authorized-networks \\ --master-authorized-networks MGMT_CIDR/32 \\ --region REGION</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: name: hardened-gke namespace: config-control spec: location: us-central1 initialNodeCount: 1 privateClusterConfig: enablePrivateNodes: true enablePrivateEndpoint: true masterIpv4CidrBlock: \"172.16.0.0/28\" masterAuthorizedNetworksConfig: cidrBlocks: - cidrBlock: \"10.0.0.0/8\" displayName: \"corp-vpn\" networkRef: name: gke-vpc subnetworkRef: name: gke-subnet</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Private GKE cluster with 
private endpoint and master-authorized-networks lock. const hardenedCluster = new gcp.container.Cluster(\"hardened-gke\", { name: \"hardened-gke\", location: \"us-central1\", initialNodeCount: 1, removeDefaultNodePool: true, privateClusterConfig: { enablePrivateNodes: true, enablePrivateEndpoint: true, masterIpv4CidrBlock: \"172.16.0.0/28\", }, masterAuthorizedNetworksConfig: { cidrBlocks: [{ cidrBlock: \"10.0.0.0/8\", displayName: \"corp-vpn\" }], }, network: gkeVpc.id, subnetwork: gkeSubnet.id, });</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-01 CRITICAL PREVENTIVE GCP GKE n/a (managed control plane) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) AC-17; SC-7; SC-8 A.8.20; A.8.22 CLD.13.1.4 NIST SP 800-190 §4.4.1 NSA/CISA Kubernetes Hardening Guide v1.2 §2 (Network separation) Log signals Cloud Audit Logs on container.googleapis.com with protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateCluster\" where the request body contains privateClusterConfig.enablePrivateEndpoint=false or removes masterAuthorizedNetworksConfig. GKE control-plane endpoint visibility change events: desiredPrivateClusterConfig.publicEndpointEnabled flipped to true on an existing cluster. Authorized-network CIDR drift: any cidrBlocks entry widening to 0.0.0.0/0 or a non-corporate range. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"gke_cluster\" AND protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateCluster\" AND (protoPayload.request.update.desiredPrivateClusterConfig.enablePrivateEndpoint=false OR protoPayload.request.update.desiredMasterAuthorizedNetworksConfig.cidrBlocks.cidrBlock=\"0.0.0.0/0\")</code> Pin this Cloud Logging filter to a per-project log-based metric so any control-plane exposure regression is plotted next to cluster age; combine with a Cloud Asset Inventory feed on container.googleapis.com/Cluster to receive a push notification whenever the visibility field mutates. Alert threshold Page on any UpdateCluster that re-enables the public control-plane endpoint or removes the authorized-networks gate from a production cluster. Page on any CIDR added to cidrBlocks outside the documented corporate-egress allow-list — the steady-state CIDR set is fixed by infra-as-code. Initial response Identify the principal via protoPayload.authenticationInfo.principalEmail and verify the change ticket; if the change is unsanctioned, revert with gcloud container clusters update --enable-private-endpoint --master-authorized-networks=<corp-cidrs>. Inspect the cluster's API-server access logs for the period the public endpoint was exposed — pull k8s.io/api/v1/namespaces/*/pods/exec and other privileged endpoints from resource.type=\"k8s_cluster\" entries during the window. Rotate cluster credentials (kubectl delete secret -n kube-system bootstrap-token-*; rotate node service-account binding) and re-issue any client certificates derived from the control plane during the exposed window. References Google Cloud — Private GKE clusters reference (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent controls in other providers: EKS private endpoint, AKS private cluster, OKE private API endpoint. gcp-k8s-02 ! 
HIGH PREVENTIVE GKE Autopilot: Workload Identity is mandatory — it cannot be disabled. Service accounts must be configured to use the workload pool. GKE Standard: Set workload_identity_config { workload_pool = \"PROJECT_ID.svc.id.goog\" } at cluster creation or update; bind Kubernetes ServiceAccounts to GCP IAM ServiceAccounts via roles/iam.workloadIdentityUser. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable Workload Identity Federation for GKE so Kubernetes pods use GCP IAM ServiceAccounts instead of the default Compute Engine service account. The Compute Engine default SA carries broad project-level permissions including Compute viewer and logging writer — using it for pod workloads violates least-privilege. Workload Identity binds a Kubernetes ServiceAccount in a specific namespace to a GCP SA with the minimum necessary IAM roles, and eliminates the need for static SA key files mounted as secrets. MITIGATES: Over-privileged pod compromise — a pod running with the default Compute Engine SA can call any GCP API the SA can access. ATTACK VECTOR: Attacker exploits a pod vulnerability (RCE, SSRF via metadata endpoint), reads the mounted token, calls GCP APIs with default SA permissions. BLAST RADIUS: All GCP resources accessible to the default Compute Engine SA — GCS buckets, Cloud SQL, Cloud KMS, other Compute instances in the same project. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_container_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.region workload_identity_config { workload_pool = \"${var.project_id}.svc.id.goog\" } } # Bind a Kubernetes ServiceAccount to a GCP IAM ServiceAccount resource \"google_service_account_iam_binding\" \"workload_identity\" { service_account_id = google_service_account.app.name role = \"roles/iam.workloadIdentityUser\" members = [ \"serviceAccount:${var.project_id}.svc.id.goog[${var.namespace}/${var.ksa_name}]\" ] }</code> Remediation — gcloud <code class=\"language-bash\"># Enable Workload Identity on existing cluster gcloud container clusters update CLUSTER_NAME \\ --workload-pool=PROJECT_ID.svc.id.goog \\ --region REGION # Bind K8s ServiceAccount to GCP SA gcloud iam service-accounts add-iam-policy-binding \\ APP_SA@PROJECT_ID.iam.gserviceaccount.com \\ --role roles/iam.workloadIdentityUser \\ --member \"serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]\" # Annotate the Kubernetes ServiceAccount kubectl annotate serviceaccount KSA_NAME \\ --namespace NAMESPACE \\ iam.gke.io/gcp-service-account=APP_SA@PROJECT_ID.iam.gserviceaccount.com</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: name: workload-identity-gke namespace: config-control spec: location: us-central1 initialNodeCount: 1 workloadIdentityConfig: workloadPool: \"PROJECT_ID.svc.id.goog\"</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-02 HIGH PREVENTIVE GCP GKE n/a (managed control plane) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) IA-2; AC-6; IA-5 A.5.15; A.5.18 n/a NIST SP 800-190 
§4.4.2 NSA/CISA Kubernetes Hardening Guide v1.2 §4 (IAM/RBAC) Log signals Cluster updates removing workloadIdentityConfig.workloadPool (back to legacy node-default credentials): protoPayload.request.update.desiredWorkloadIdentityConfig.workloadPool=\"\". Node-pool updates flipping nodeConfig.workloadMetadataConfig.mode from GKE_METADATA to EXPOSED — that exposes the GCE metadata server to pod workloads and undoes the WIF guarantee. Kubernetes service-account annotations removing iam.gke.io/gcp-service-account — visible in resource.type=\"k8s_cluster\" audit entries on core/v1/serviceaccounts. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"gke_cluster\" AND (protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateCluster\" OR protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateNodePool\") AND (protoPayload.request.update.desiredWorkloadIdentityConfig.workloadPool=\"\" OR protoPayload.request.update.desiredNodePoolAutoConfig.networkTags.tags=~\"legacy-metadata\")</code> Stream this Cloud Logging filter into Cloud Monitoring as a log-based counter; in parallel run a Cloud Asset Inventory query over container.googleapis.com/Cluster to surface clusters where workloadIdentityConfig is unset — those are net-new exposure too. Alert threshold Page on any cluster update that clears workloadPool or any node-pool update that flips workloadMetadataConfig.mode away from GKE_METADATA. Daily inventory diff: alert if a previously WIF-enabled cluster shows workloadIdentityConfig: null regardless of whether the audit-log update event was captured (covers replay drift). Initial response Identify pods whose service accounts had annotations pointing at GCP service accounts via kubectl get sa -A -o json | jq; capture which pods were running during the exposed window. 
Re-enable WIF (gcloud container clusters update CLUSTER --workload-pool=PROJECT.svc.id.goog) and flip node-pools back to GKE_METADATA; rotate the GCP service-account credentials that the pods previously impersonated. Audit Cloud Audit Logs for compute.googleapis.com calls originating from the node-default service account during the gap window; any data-plane call from the node SA is suspect because pods now have raw node-IAM access. References Google Cloud — Workload Identity for GKE (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent controls in other providers: EKS Pod Identity, AKS Workload Identity, OKE Workload Identity. gcp-k8s-03 ! HIGH PREVENTIVE GKE Autopilot: Autopilot uses Google-managed encryption for etcd by default. Customer-managed encryption keys (CMEK) via Cloud KMS are supported but require explicit configuration at cluster creation. GKE Standard: Configure database_encryption { state = \"ENCRYPTED\", key_name = KMS_KEY_RESOURCE_ID } at cluster creation or update. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable application-layer secrets encryption so Kubernetes Secrets stored in etcd are encrypted with a Cloud KMS Customer-Managed Encryption Key (CMEK). This adds an envelope encryption layer on top of Google's default etcd encryption-at-rest, giving the customer control over the key lifecycle — including rotation and revocation. Without CMEK, Google holds the encryption key; with CMEK, the customer can revoke access to the cluster's etcd contents by disabling the key. MITIGATES: Secrets exposure if Google-managed encryption is compromised, or if a cloud-provider-layer actor reads etcd directly. ATTACK VECTOR: Cloud-provider-layer compromise or insider reads unencrypted etcd snapshot data; does not require Kubernetes API access. BLAST RADIUS: All Kubernetes Secrets in the cluster — service account tokens, TLS private keys, database passwords, API keys stored as Secret objects. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_kms_key_ring\" \"k8s_keyring\" { name = \"gke-secrets-keyring\" location = var.region } resource \"google_kms_crypto_key\" \"k8s_secrets\" { name = \"gke-secrets-key\" key_ring = google_kms_key_ring.k8s_keyring.id rotation_period = \"7776000s\" # 90 days } resource \"google_container_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.region database_encryption { state = \"ENCRYPTED\" key_name = google_kms_crypto_key.k8s_secrets.id } }</code> Remediation — gcloud <code class=\"language-bash\">gcloud container clusters create CLUSTER_NAME \\ --database-encryption-key=projects/PROJECT_ID/locations/REGION/keyRings/KEYRING/cryptoKeys/KEY_NAME \\ --region REGION</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: name: secrets-encrypted-gke namespace: config-control spec: location: us-central1 initialNodeCount: 1 databaseEncryption: state: ENCRYPTED keyName: \"projects/PROJECT_ID/locations/us-central1/keyRings/gke-kr/cryptoKeys/etcd-key\"</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-03 HIGH PREVENTIVE GCP GKE §1.2 (etcd — verify against CIS Kubernetes Benchmark v1.11.0 PDF) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) SC-28; IA-5 A.8.24; A.8.10 n/a NIST SP 800-190 §4.3.2 NSA/CISA Kubernetes Hardening Guide v1.2 §5 (Secrets) Log signals Cluster updates where databaseEncryption.state transitions from ENCRYPTED to DECRYPTED, or where databaseEncryption.keyName is cleared. 
Cloud KMS audit events on the wrapping key: cloudkms.googleapis.com CryptoKeyVersion.disable or CryptoKey.update changing the IAM binding for the GKE control-plane service identity. Pre-existing Secret-resource access patterns shifting: a spike in k8s.io/api/v1/namespaces/*/secrets reads after a KMS binding edit is a correlated signal. Query <code class=\"language-plaintext\">(logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"gke_cluster\" AND protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateCluster\" AND protoPayload.request.update.desiredDatabaseEncryption.state=\"DECRYPTED\") OR (logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"cloudkms.googleapis.com\" AND protoPayload.methodName=~\".*CryptoKey.*\" AND protoPayload.request.cryptoKey.name=~\".*gke-etcd.*\")</code> This two-leg Cloud Logging query catches both the cluster-side opt-out and the KMS-side key disable; join on the cluster's databaseEncryption.keyName attribute via Cloud Asset Inventory to maintain a live mapping of cluster→KMS key. Alert threshold Page on any cluster transitioning out of envelope-encrypted state; the constraint is project-wide and there is no acceptable steady-state for production clusters to be unencrypted. Page on KMS key-version disable for any key listed in the cluster→KMS map; secrets become unreadable and a rollover plan must be executed in minutes. Initial response Capture the principal and the change ticket; if the disable was malicious, restore the key version (gcloud kms keys versions enable) before the control plane fails to read secrets. Re-enable envelope encryption (gcloud container clusters update --database-encryption-key=…); if the cluster ran briefly in decrypted state, treat every Secret resource read during the window as candidate-exposed and rotate the underlying credentials. 
Audit the KMS key's IAM bindings — particularly removals of roles/cloudkms.cryptoKeyEncrypterDecrypter from the GKE service identity — and pin the binding back via the captured baseline policy. References Google Cloud — Encrypting Secrets at the application layer (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent controls in other providers: EKS KMS envelope encryption, AKS KMS etcd encryption, OKE Vault secrets encryption. gcp-k8s-04 ! HIGH PREVENTIVE GKE Autopilot: Binary Authorization is NOT enforced by default in Autopilot clusters — it must be explicitly configured. Both Autopilot and Standard clusters require the Binary Authorization API to be enabled and an admission policy to be set. GKE Standard: Same configuration required — enable the Binary Authorization API, create an attestor, and set the cluster evaluation mode. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable Binary Authorization with an attestor-required policy so only container images that have been cryptographically verified and attested by a trusted build pipeline can be deployed to the cluster. This is a GKE-unique differentiator — it prevents unsigned, unverified, or tampered images from running regardless of which tag or digest is referenced at deploy time. The default policy (evaluationMode: ALWAYS_ALLOW) provides no protection; change to REQUIRE_ATTESTATION in ENFORCED_BLOCK_AND_AUDIT_LOG mode. Mutable image tags are the silent supply-chain risk: Binary Authorization locks image identity to a cryptographic attestation, not a tag string. MITIGATES: Supply-chain image substitution — an attacker pushes a malicious image to the registry and overwrites a known tag without re-triggering attestation. ATTACK VECTOR: Attacker gains write access to container registry, pushes a backdoored image under a trusted tag (e.g., :latest or a release tag), and waits for a deployment rollout. 
BLAST RADIUS: Untrusted code running with the workload's RBAC permissions, service-account token, and network access — full pod-level compromise with potential lateral movement. Remediation — Binary Authorization Policy (YAML) <code class=\"language-yaml\"># Binary Authorization policy — attestor-required # Save as policy.yaml, import with: gcloud container binauthz policy import policy.yaml admissionWhitelistPatterns: [] defaultAdmissionRule: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - projects/MY_PROJECT/attestors/build-attestor clusterAdmissionRules: REGION.CLUSTER_NAME: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - projects/MY_PROJECT/attestors/build-attestor</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 # Note: google_binary_authorization_policy may require hashicorp/google-beta # at authoring time — verify provider tier at registry.terraform.io/providers/hashicorp/google resource \"google_binary_authorization_attestor\" \"build_attestor\" { name = \"build-attestor\" attestation_authority_note { note_reference = google_container_note.build_note.name } } # Enable Binary Authorization enforcement on the cluster resource \"google_container_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.region binary_authorization { evaluation_mode = \"PROJECT_SINGLETON_POLICY_ENFORCE\" } }</code> Remediation — gcloud <code class=\"language-bash\"># Import the policy gcloud container binauthz policy import policy.yaml --project=PROJECT_ID # Enable enforcement on the cluster gcloud container clusters update CLUSTER_NAME \\ --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \\ --region REGION</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1 kind: BinaryAuthorizationPolicy metadata: name: binauthz-policy 
namespace: config-control spec: projectRef: external: \"projects/PROJECT_ID\" defaultAdmissionRule: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - \"projects/PROJECT_ID/attestors/prod-build-attestor\" globalPolicyEvaluationMode: ENABLE</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-04 HIGH PREVENTIVE GCP GKE n/a (GKE-specific — no CIS Kubernetes Benchmark v1.11.0 section) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) CM-14; SA-10; SI-7 A.8.9; A.8.29 CLD.9.5.2 NIST SP 800-190 §4.1 (Image risks) NSA/CISA Kubernetes Hardening Guide v1.2 §3 (Pod security) Log signals Cloud Audit Logs on binaryauthorization.googleapis.com for UpdatePolicy calls where defaultAdmissionRule.evaluationMode transitions to ALWAYS_ALLOW. Per-cluster admission-rule edits where attestor lists shrink or are cleared via clusterAdmissionRules patches. Container Analysis attestation deletes or signing-key rotations without the corresponding rebuild signal in CI — visible via containeranalysis.googleapis.com Notes.delete and KMS asymmetric-key operations on the signing key. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"binaryauthorization.googleapis.com\" AND (protoPayload.methodName=~\".*UpdatePolicy\" OR protoPayload.methodName=~\".*DeleteAttestor\") AND (protoPayload.request.policy.defaultAdmissionRule.evaluationMode=\"ALWAYS_ALLOW\" OR resource.type=\"binaryauthorization.googleapis.com/Attestor\")</code> Pair with a Cloud Logging filter on resource.type=\"k8s_cluster\" with protoPayload.response.status.message=~\".*denied by Binary Authorization.*\" — a sustained drop in denials is the signal that the policy is effectively bypassed even when no explicit policy update is logged. Alert threshold Page on any policy-update event that switches the default or a per-cluster admission rule to ALWAYS_ALLOW. Page on attestor deletes; an attestor is a long-lived security artefact, deletion should match a documented cluster decommission. Initial response Pull the prior policy via Cloud Asset Inventory history; identify which admission rule was loosened and which images were admitted in the gap window via k8s_cluster pods.create entries. Restore the policy with gcloud container binauthz policy import against the captured baseline; quarantine any pod whose image was not previously attested by isolating the namespace via NetworkPolicy. Re-attest only post-quarantine; rebuild from source if the image provenance chain cannot be verified, and rotate the signing key if the attestor delete was paired with a KMS asymmetric-key operation. References Google Cloud — Binary Authorization overview (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-k8s-05 ! HIGH PREVENTIVE GKE Autopilot: Shielded Nodes are enabled by default and are not individually configurable — Google manages the node boot process. Autopilot nodes run with Secure Boot, vTPM, and integrity monitoring automatically. 
GKE Standard: Enable Shielded Nodes at the node-pool level with --shielded-secure-boot, --shielded-vtpm, and --shielded-integrity-monitoring. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable Shielded GKE Nodes to protect the node boot process using Secure Boot (prevents loading unsigned kernel modules at boot), vTPM (virtual Trusted Platform Module for cryptographic attestation of the boot sequence), and integrity monitoring (detects changes to the measured boot baseline by comparing boot measurements against known-good values). This prevents rootkit installation at the node level — an attacker who escapes a container cannot silently persist a kernel-level implant across node restarts. This is a GKE-unique hardware-based control with no direct equivalent in EKS or AKS standard configurations. MITIGATES: Node-level rootkit or bootkit persistence after a container escape — attacker loads an unsigned kernel module to maintain persistence across workload restarts. ATTACK VECTOR: Attacker escapes container via kernel exploit, attempts to load a malicious kernel module or modify the bootloader to persist on the node. BLAST RADIUS: All workloads on the node compromised at the hypervisor level; node telemetry (audit logs, monitoring) can be silently modified by a kernel-level implant. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_container_node_pool\" \"hardened_nodes\" { name = \"hardened-node-pool\" cluster = google_container_cluster.hardened.name location = var.region node_config { shielded_instance_config { enable_secure_boot = true enable_integrity_monitoring = true } # Container-Optimized OS with containerd runtime image_type = \"COS_CONTAINERD\" } }</code> Remediation — gcloud <code class=\"language-bash\">gcloud container node-pools create NODE_POOL \\ --cluster=CLUSTER_NAME \\ --shielded-secure-boot \\ --shielded-integrity-monitoring \\ --image-type=COS_CONTAINERD \\ --region REGION</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerNodePool metadata: name: shielded-pool namespace: config-control spec: location: us-central1 clusterRef: name: hardened-gke nodeConfig: shieldedInstanceConfig: enableSecureBoot: true enableIntegrityMonitoring: true workloadMetadataConfig: mode: GKE_METADATA</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-05 HIGH PREVENTIVE GCP GKE n/a (GKE-specific — no CIS Kubernetes Benchmark v1.11.0 section) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) SI-7; SC-28; CM-6 A.8.9; A.7.8 CLD.9.5.2 NIST SP 800-190 §4.4 (Container runtime) NSA/CISA Kubernetes Hardening Guide v1.2 §4 (Worker node security) Log signals Node-pool updates where shieldedInstanceConfig.enableSecureBoot or enableIntegrityMonitoring transitions to false. New node-pool creates that omit the shieldedInstanceConfig block entirely — visible on container.googleapis.com CreateNodePool with an absent shieldedInstanceConfig field. 
Integrity-monitoring violations from individual nodes surfaced in Cloud Logging via compute.googleapis.com/integrity log entries — these are the runtime correlate, not just the config drift. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"gke_node_pool\" AND (protoPayload.methodName=\"google.container.v1.ClusterManager.UpdateNodePool\" OR protoPayload.methodName=\"google.container.v1.ClusterManager.CreateNodePool\") AND (protoPayload.request.update.desiredNodePoolAutoConfig.shieldedInstanceConfig.enableSecureBoot=false OR protoPayload.request.nodePool.config.shieldedInstanceConfig.enableIntegrityMonitoring=false)</code> Run this Cloud Logging filter alongside a saved query on compute.googleapis.com/integrity entries to bring node-launch posture and node-runtime posture into the same dashboard pane; pin both to a single Cloud Monitoring alert policy keyed on node-pool name. Alert threshold Page on any node-pool that ships without Secure Boot + Integrity Monitoring; the inventory-wide rate of mis-configured pools should be zero. Page on the first integrity-monitoring violation from any node — vTPM measurements diverging from the launch baseline indicate boot-stage tampering. Initial response Capture the node-pool spec and the principal who issued the update; if the change is unsanctioned, recreate the pool with shielded config restored and migrate workloads via a draining rollout. Quarantine any node showing an integrity-monitoring violation: cordon, drain, snapshot the boot disk for forensics, then delete and re-bootstrap via the node-pool's standard image. If multiple nodes diverged, audit the image stream supplying the node-pool — a tampered node image is the upstream root cause and any deployed workload in the affected window is candidate-compromised. References Google Cloud — Shielded GKE Nodes (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI gcp-k8s-06 ! 
HIGH DETECTIVE GKE Autopilot: Cloud Audit Log Admin Activity logs are enabled by default in both Autopilot and Standard clusters. Data Access audit logs for container.googleapis.com are OFF by default in BOTH modes and must be explicitly enabled. GKE Standard: Same requirement — enable Data Access logs via the project IAM audit configuration. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Enable Cloud Audit Logs Data Access for container.googleapis.com in your GCP project IAM audit configuration. Data Access logs — covering ADMIN_READ, DATA_READ, and DATA_WRITE operations — are disabled by default and must be explicitly enabled. Without Data Access logs, API operations such as kubectl exec, kubectl logs, pod creation, and secret reads are not logged to Cloud Audit Logs. Admin Activity logs (cluster creation, deletion, RBAC changes) are automatically enabled and cannot be disabled. MITIGATES: Undetected lateral movement and data exfiltration via kubectl commands — attacker acts with no audit trail. ATTACK VECTOR: Attacker with a stolen service-account token issues kubectl exec into a running pod, reads Secrets, or exfiltrates data via kubectl cp without any Cloud Audit Log entry being generated. BLAST RADIUS: Inability to detect, attribute, or reconstruct incidents — any forensic investigation is blind to API-level actions taken during the intrusion window. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_project_iam_audit_config\" \"gke_audit\" { project = var.project_id service = \"container.googleapis.com\" audit_log_config { log_type = \"DATA_READ\" } audit_log_config { log_type = \"DATA_WRITE\" } audit_log_config { log_type = \"ADMIN_READ\" } }</code> Remediation — gcloud <code class=\"language-bash\"># Check current audit configuration gcloud projects get-iam-policy PROJECT_ID --format=json | jq '.auditConfigs' # Enable Data Access logs via policy file # Create audit-policy.json with the auditConfigs block, then: gcloud projects set-iam-policy PROJECT_ID audit-policy.json</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: name: gke-audit-sink namespace: config-control spec: projectRef: external: \"projects/PROJECT_ID\" destination: bigQueryDatasetRef: external: \"projects/PROJECT_ID/datasets/gke_audit\" filter: 'resource.type=\"k8s_cluster\" AND logName:\"cloudaudit.googleapis.com\"'</code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.9.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 gcp-k8s-06 HIGH DETECTIVE GCP GKE §1.2.22 (audit log — verify against CIS Kubernetes Benchmark v1.11.0 PDF) n/a (verify against CIS GKE Benchmark v1.9.0 PDF) AU-2; AU-12; SI-4 A.8.15; A.8.16 CLD.12.4.5 NIST SP 800-190 §4.4.3 NSA/CISA Kubernetes Hardening Guide v1.2 §6 (Audit logging) Log signals Log Router sink edits on the GKE/container audit feed: logging.googleapis.com ConfigServiceV2.UpdateSink or DeleteSink on sinks whose filter includes resource.type=\"k8s_cluster\". 
Data-access log opt-outs on the project: SetIamPolicy against the audit-log config removing DATA_READ/DATA_WRITE exempted-members lists that previously captured GKE control-plane data access. Volume-based detection: a sustained drop in k8s_cluster log-line rate against rolling baseline indicates ingestion has been blocked even when no explicit sink edit is logged. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"logging.googleapis.com\" AND (protoPayload.methodName=\"google.logging.v2.ConfigServiceV2.UpdateSink\" OR protoPayload.methodName=\"google.logging.v2.ConfigServiceV2.DeleteSink\") AND protoPayload.request.sink.filter=~\".*k8s_cluster.*\"</code> Stream the Cloud Logging filter into a log-based metric counted per sink name; pair with a Cloud Monitoring alert that fires when the rolling 1h ingestion rate from any resource.type=\"k8s_cluster\" source drops below 30% of the 30-day baseline — the absence-of-signal pattern catches stealthy filter relaxations. Alert threshold Page on any sink delete or filter mutation that removes k8s_cluster from the GKE audit feed; sinks are configuration-as-code artefacts and console edits warrant immediate review. Page when the 1h ingestion-rate ratio falls below 30% of baseline across any production cluster. Initial response Restore the sink from Cloud Asset Inventory history via gcloud logging sinks update with the captured filter; verify ingestion resumes by tailing the sink destination (BigQuery dataset or Cloud Storage bucket). Treat the gap window as a forensic blackout: pull node-local kubelet logs from any affected node (if still present) and reconstruct API-server activity from etcd audit if available; document the gap in the incident timeline. 
Re-pin sink IAM to deny logging.sinks.update to all but a break-glass principal, and add a Cloud Asset Inventory feed so future sink-config changes generate a Pub/Sub event independent of the audit log itself. References Google Cloud — GKE audit logging (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent controls in other providers: EKS control-plane logs, AKS control-plane audit logs, OKE OCI audit logging. gcp-k8s-07 ! HIGH PREVENTIVE GKE Autopilot: VPC-native networking is enforced by default. Dataplane V2 (Cilium-based) is also the default in Autopilot, making NetworkPolicy enforcement available without additional configuration. GKE Standard: Create the cluster with --enable-dataplane-v2 (or legacy --enable-network-policy for Calico) and --enable-ip-alias for VPC-native networking. NetworkPolicy objects are not enforced without a CNI that supports them. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. Create a VPC-native GKE cluster (alias IP ranges — NOT routes-based legacy networking) and enable GKE Dataplane V2 for NetworkPolicy enforcement via Cilium. Routes-based networking is deprecated and does not support NetworkPolicy. VPC-native enables private IP ranges for pods, reducing the routing blast radius of a compromised pod. Without a NetworkPolicy-capable CNI and explicit deny rules, every pod in the cluster can reach every other pod and the node metadata endpoint on the flat pod network. MITIGATES: Network lateral movement from a compromised pod — flat pod network allows reaching any other pod, service, or cloud metadata endpoint without restriction. ATTACK VECTOR: Compromised pod scans the pod subnet (169.254.169.254 for IMDS, other pod IPs for sensitive internal services), reaches secrets or downstream services that rely on network-level trust. 
BLAST RADIUS: Full cluster pod network reachable — all services, all pod-to-pod communication, metadata credential theft, and lateral movement to adjacent workloads. Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 6.0 resource \"google_container_cluster\" \"hardened\" { name = \"hardened-cluster\" location = var.region # VPC-native cluster (alias IP ranges —"},{"id":"gcp/logging.html","url":"gcp/logging.html","title":"GCP Logging & Detection Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Logging & Detection","description":"GCP logging & detection: Cloud Audit Logs (Admin Activity vs Data Access), org-aggregated sinks, Security Command Center three surfaces (compliance, threat detection, SHA lifecycle), VPC Flow Logs, log-based metrics, BigQuery audit sink.","body":"GCP Logging & Detection Hardening Overview This page covers Google Cloud Platform logging and detection across the surfaces that decide whether an attacker who lands in the environment can move undetected. Scope is the commercial GCP regions; GCP Sovereign Cloud (formerly Assured Workloads and the Google Cloud Air-Gapped offering) inherits the same controls but exposes a different service-availability matrix for Security Command Center tiers, Cloud Logging buckets, and BigQuery sink destinations — re-verify the regional and tenancy table before applying any of the IaC below to a sovereign or air-gapped deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Google Cloud Platform Foundation Benchmark v4.0.0 — May 2025 release (accessed 2026-05) unless explicitly annotated as a post-v4.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The GCP detective stack is the product of three layered services that each answer a different question. 
Cloud Logging (the current brand for the service formerly known under the deprecated legacy logging-suite name retired by Google in 2020) answers what happened on this resource — a project-scoped log router that ingests Cloud Audit Logs, application logs, and platform logs and routes them through Log Sinks to Cloud Storage, BigQuery, Pub/Sub, or another Cloud Logging bucket. Cloud Monitoring (under the same brand-consolidation that retired the prior monitoring-suite name) answers did the metric we care about just cross a threshold — the metric-and-alert layer that closes the loop from log to page; log-based metrics let any log filter become a numeric series an alert policy can fire on. Security Command Center answers what is broken across our entire estate and which findings are actively being exploited — the GCP CSPM/CWPP control plane that surfaces Security Health Analytics misconfiguration findings, Event/Container/Virtual Machine Threat Detection runtime alerts, and a regulatory-compliance dashboard. These three together provide the full record; cross-link the cross-cutting principles at General Logging — log integrity (immutable audit), centralization, retention, SIEM & detection engineering, and alerting. Order matters. Controls 01–02 build the audit log of last resort: one org-aggregated sink with include_children = true so every project, folder, and future-project log lands in a security-team-owned destination (Cloud Storage bucket with retention lock, BigQuery dataset for SQL forensics, and a Cloud Logging bucket for retention) and one Cloud Audit Logs Data Access toggle so the ADMIN_READ, DATA_READ, and DATA_WRITE streams that are not on by default actually capture the read-of-secret, scan-of-bucket, and reconnaissance traffic an investigator needs after compromise. 
Controls 03–05 are the three surfaces of Security Command Center Premium — explicitly authored as three distinct controls because three distinct review rituals attach to them and conflating them under one umbrella loses pedagogical and operational value (mirrors the Microsoft Defender for Cloud three-surface treatment on the Azure logging page). Control 06 covers VPC Flow Logs for the network-layer record Cloud Audit Logs does not produce. Control 07 puts Cloud Monitoring alert policies on the canonical \"things-went-wrong\" signals via log-based metrics so detection actually pages a human. Control 08 ships the dedicated BigQuery audit-log sink as the forensic SQL store — paired cross-domain with the IR forensic workflow on gcp/ir.html. Anti-conflation #1 — Security Command Center is THREE separate controls. SCC is the GCP CSPM/CWPP control plane, and the same product surface drives three distinct review workflows. (1) gcp-log-03 — Regulatory Compliance dashboard. The Compliance pane in SCC maps Security Health Analytics findings to CIS GCP v4.0.0 detector IDs and similar regulatory frameworks (PCI DSS, HIPAA, ISO 27001). Important caveat cited here in prose and again on the control body itself: Google's built-in SCC detector certification still covers CIS GCP v2.0.0 as of writing; v4.0.0 closure comes either via the official Google InSpec profile inspec-gcp-cis-benchmark tagged v4.0.0 release or via third-party CSPM tooling. (2) gcp-log-04 — Threat Detection umbrella. Event Threat Detection (auth anomalies, service-account key abuse, IAM anomaly findings), Container Threat Detection (runtime detections on GKE workloads — added binaries, reverse shells, malicious scripts), Virtual Machine Threat Detection (cryptomining detection on Compute Engine via guest-memory scanning), and Anomaly Detection (legacy heuristic detector). 
The SCC Enterprise tier is called out as the multi-cloud CNAPP upgrade with Mandiant threat intel plus case management — Enterprise is referenced in prose but the corpus baseline is SCC Premium per the ROADMAP success criterion that pins \"Security Command Center Premium finding types\". (3) gcp-log-05 — Security Health Analytics finding lifecycle. SHA findings get a monthly cadence review by the security team plus per-event automation: SCC notification → Pub/Sub topic → Cloud Function on HIGH and CRITICAL findings, with auto-remediation playbooks for the canonical \"publicly exposed bucket / disabled audit log / overly-permissive role\" patterns. Anti-conflation #2 — Cloud Audit Logs has four streams with different cost and default-on properties. Admin Activity logs are on by default, are free, and cannot be disabled; they capture any API call that modifies configuration or metadata. System Event logs are also on by default, free, and not disable-able; they capture Google-initiated actions (live migration, automatic patch). Policy Denied logs are on by default with no opt-in needed; they capture IAM and VPC-SC denials. Data Access logs — split into ADMIN_READ (metadata reads), DATA_READ (data-plane reads), and DATA_WRITE (data-plane writes) — are opt-in and chargeable, off by default, and are the single largest source of forensic coverage an investigator gets or does not get after compromise. gcp-log-02 enforces enablement on regulated services with explicit awareness of cost. PITFALL: enabling Data Access on allServices with no exemption list can produce orders-of-magnitude log volume on busy services like Cloud Storage and Cloud SQL — plan the cost envelope before flipping the org-level audit config. Anti-conflation #3 — Aggregated Sinks at org scope vs project-scoped sinks. 
A project-scoped sink (the default created by gcloud logging sinks create without --organization or --folder) captures only the project's own logs and does not see logs from new projects later created in the organization. The Aggregated Sink at organization scope with include_children = true (the canonical pattern in gcp-log-01) sees every project, folder, and future-project log in the organization. Aggregated sinks are not \"advanced\" — they are the only correct pattern at organization scope; project-scoped sinks are the wrong default for the security audit trail. gcp-log-01-aggregated-sink ! CRITICAL DETECTIVE Author exactly one organization-scope Aggregated Sink with include_children = true that routes all projects', folders', and future-projects' logs into a security-team-owned destination set: (a) a Cloud Storage bucket in a dedicated security project with retention_policy { is_locked = true; retention_period_seconds = 63072000 } (two years, Bucket Lock immutable — cannot be reduced even by org admin); (b) a BigQuery dataset for SQL-based analytics and detection engineering; (c) a Cloud Logging bucket in the same security project for retention (Log Analytics queries plus a separate-from-project retention bucket; _Required and _Default log buckets remain at project scope) (Google Cloud — Aggregated Sinks documentation (accessed 2026-05)). Missing include_children = true on the org-level sink, or authoring sinks at project scope instead, is the canonical \"we have logging\" / \"no we don't\" misconfiguration; CIS GCP v4.0.0 §2.1, §2.2, and §2.3 codify the requirement. This is the audit log of last resort — without it, incident response is reconstructing intent from secondary signals. 
MITIGATES: Loss or tampering of the canonical GCP audit record during or after compromise; gaps in project coverage that let an attacker operate in a project the org never knew existed; deletion of evidence by an attacker who reached project-owner or org-admin privileges; the silent omission of logs from projects created after the sink was authored. ATTACK VECTOR: An attacker who has obtained an organization-level role (or escalates via a misconfigured service account) creates a fresh project, performs the operations the attacker needs, and then either deletes the project or simply walks away. The fresh project never had a sink because the original sinks were authored at project scope; its Admin Activity logs decay with the project's own retention (30 days for _Required, default _Default retention). Alternatively: a panicked engineer with roles/storage.admin on the log bucket attempts to delete log objects to \"clean up\" billing; without Bucket Lock the objects vanish. With the aggregated sink at org scope and Bucket Lock at two years on the destination, neither vector reduces the audit record. BLAST RADIUS: With the org-aggregated sink and Bucket Lock at two years: every project in every folder of the organization, including projects that do not yet exist, for two years past the event. Without it: per-project sinks miss every new project and decay at default retention; one panicked deletion removes the record permanently. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create the dedicated security project + log destinations. gcloud projects create sec-logs-prod --organization=ORG_ID gcloud config set project sec-logs-prod # Step 2: create the Cloud Storage destination bucket with retention lock. gcloud storage buckets create gs://org-audit-logs-sec-prod \\ --location=EU \\ --uniform-bucket-level-access \\ --public-access-prevention # Lock retention at 2y (cannot be reduced once locked). 
gcloud storage buckets update gs://org-audit-logs-sec-prod \\ --retention-period=63072000s gcloud storage buckets lock-retention-policy gs://org-audit-logs-sec-prod # Step 3: create the BigQuery dataset for SQL forensics. bq --location=EU mk --dataset \\ --default_table_expiration=63072000 \\ sec-logs-prod:org_audit # Step 4: create the org-scope Aggregated Sink with include_children. gcloud logging sinks create org-audit-sink-storage \\ storage.googleapis.com/org-audit-logs-sec-prod \\ --organization=ORG_ID \\ --include-children \\ --description=\"Org-aggregated audit-log sink to immutable Cloud Storage\" gcloud logging sinks create org-audit-sink-bq \\ bigquery.googleapis.com/projects/sec-logs-prod/datasets/org_audit \\ --organization=ORG_ID \\ --include-children \\ --use-partitioned-tables # Step 5: grant the sinks' writer identities permission on their destinations. WRITER=$(gcloud logging sinks describe org-audit-sink-storage \\ --organization=ORG_ID --format='value(writerIdentity)') gcloud storage buckets add-iam-policy-binding gs://org-audit-logs-sec-prod \\ --member=\"$WRITER\" \\ --role=roles/storage.objectCreator</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_storage_bucket\" \"org_audit_logs\" { project = var.sec_project_id name = \"org-audit-logs-sec-prod\" location = \"EU\" uniform_bucket_level_access = true public_access_prevention = \"enforced\" retention_policy { is_locked = true retention_period = 63072000 # 2 years } versioning { enabled = true } } resource \"google_bigquery_dataset\" \"org_audit\" { project = var.sec_project_id dataset_id = \"org_audit\" location = \"EU\" default_table_expiration_ms = 63072000000 default_encryption_configuration { kms_key_name = var.log_bucket_kms_key } } resource \"google_logging_organization_sink\" \"org_audit_storage\" { name = \"org-audit-sink-storage\" org_id = var.org_id destination = 
\"storage.googleapis.com/${google_storage_bucket.org_audit_logs.name}\" include_children = true filter = \"\" } resource \"google_logging_organization_sink\" \"org_audit_bq\" { name = \"org-audit-sink-bq\" org_id = var.org_id destination = \"bigquery.googleapis.com/projects/${var.sec_project_id}/datasets/${google_bigquery_dataset.org_audit.dataset_id}\" include_children = true filter = \"\" bigquery_options { use_partitioned_tables = true } } resource \"google_storage_bucket_iam_member\" \"sink_writer_storage\" { bucket = google_storage_bucket.org_audit_logs.name role = \"roles/storage.objectCreator\" member = google_logging_organization_sink.org_audit_storage.writer_identity } resource \"google_bigquery_dataset_iam_member\" \"sink_writer_bq\" { project = var.sec_project_id dataset_id = google_bigquery_dataset.org_audit.dataset_id role = \"roles/bigquery.dataEditor\" member = google_logging_organization_sink.org_audit_bq.writer_identity }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: logging.cnrm.cloud.google.com/v1beta1 kind: LoggingLogSink metadata: name: org-aggregated-sink namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" destination: bigQueryDatasetRef: external: \"projects/LOG_PROJECT/datasets/security_audit\" filter: 'logName:\"cloudaudit.googleapis.com\"' includeChildren: true</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Org-level aggregated log sink to BigQuery for org-wide audit visibility. 
import * as pulumi from \"@pulumi/pulumi\"; // orgId and logProject are read from stack config; the key names are assumptions. const cfg = new pulumi.Config(); const orgId = cfg.require(\"orgId\"); const logProject = cfg.require(\"logProject\"); const orgSink = new gcp.logging.OrganizationSink(\"org-aggregated-sink\", { name: \"org-aggregated-sink\", orgId: orgId, destination: pulumi.interpolate`bigquery.googleapis.com/projects/${logProject}/datasets/security_audit`, filter: 'logName:\"cloudaudit.googleapis.com\"', includeChildren: true, });</code> Compliance mapping CIS AWS Foundations v7.0.0: n/a · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: 2.1; 2.2; 2.3 · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: AU-2; AU-3; AU-6; AU-9 · ISO/IEC 27001:2022: A.8.15; A.5.28 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals Cloud Audit Logs on logging.googleapis.com for ConfigServiceV2.UpdateSink or DeleteSink where the sink scope is the organisation aggregated audit sink (filter pattern includes logName=~\"organizations/.*/logs/cloudaudit.googleapis.com.*\"). Sink-IAM mutations that remove the roles/storage.objectCreator or roles/bigquery.dataEditor binding on the sink's writer-identity — silently breaks ingestion without altering sink config. Aggregated-sink destination resource deletes (Cloud Storage bucket, BigQuery dataset, Pub/Sub topic) — log ingestion fails fast on the next batch flush. Query <code class=\"language-plaintext\">logName=~\"organizations/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"logging.googleapis.com\" AND (protoPayload.methodName=\"google.logging.v2.ConfigServiceV2.UpdateSink\" OR protoPayload.methodName=\"google.logging.v2.ConfigServiceV2.DeleteSink\") AND resource.type=\"logging_sink\"</code> Schedule this Cloud Logging query as a saved view at organisation scope; subscribe a Cloud Functions handler via Pub/Sub log-router topic so sink-config mutations notify the on-call channel within seconds, independent of the very pipeline being mutated. Alert threshold Page immediately on any update or delete of the aggregated organisation audit sink; the sink is a meta-control and its mutation chain almost always precedes a forensic-blackout incident. 
Page on any IAM mutation against the sink's writer identity that removes the destination-write role. Initial response Restore the sink from Cloud Asset Inventory history via gcloud logging sinks update --organization=ORG_ID with the captured filter and destination; re-bind the writer-identity role on the destination resource. Replay the gap window from the sink-side replica: BigQuery dataset has per-row ingestion-timestamp; Cloud Storage bucket has per-object commit-time — reconstruct the gap window and document a forensic blackout if either record set is incomplete. Add a Cloud Asset Inventory feed on logging.googleapis.com/Sink so future sink mutations also fire an out-of-band Pub/Sub event, breaking the pipeline-mutates-its-own-detector reflexive failure mode. References Google Cloud — Aggregated Cloud Logging sinks (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-log-02-data-access-logs ! HIGH DETECTIVE Enable Cloud Audit Logs Data Access logging — ADMIN_READ, DATA_READ, and DATA_WRITE — at organization scope via an organization-level Audit Config on allServices (with an explicit exemption list for service accounts whose read volume would make the cost envelope untenable) or, where cost forbids the umbrella, on the regulated-data services explicitly: Cloud Storage, BigQuery, Cloud SQL, Secret Manager, Cloud KMS, and the IAM service itself (iam.googleapis.com) — the latter is particularly important because IAMPolicy Data Access logs capture the policy-read calls an attacker uses to enumerate IAM bindings before privilege escalation (Google Cloud — Configure Data Access audit logs (accessed 2026-05)). Data Access logs are off by default and are chargeable — that is precisely the reason they get missed in audit-trail design, and precisely the reason they must be enabled before an incident. 
Without them, an attacker who has obtained read access to a Cloud Storage bucket of secrets, a BigQuery dataset of customer records, or a Secret Manager version can perform the read with no log entry visible to the investigator after the fact. MITIGATES: Silent data exfiltration where an attacker reads secrets, scans buckets, or queries BigQuery tables with no audit-log entry of any kind; silent IAM reconnaissance where an attacker enumerates project and organization IAM bindings via getIamPolicy calls before crafting a privilege-escalation chain; loss of forensic certainty about which objects an attacker accessed during a compromise (knowing only that the attacker held the credentials). ATTACK VECTOR: An attacker who has obtained a service account with roles/storage.objectViewer on a sensitive bucket performs gcloud storage cp gs://sensitive/* ./. With only Admin Activity logs on, the action produces no audit record at all — Storage object reads are Data Access events. With DATA_READ enabled on storage.googleapis.com in the org-level Audit Config, the same operation produces a per-object storage.objects.get entry the investigator can replay. Same pattern for BigQuery dataset queries, Secret Manager AccessSecretVersion calls, and KMS Decrypt usage. BLAST RADIUS: Without Data Access logs: every Storage / BigQuery / Secret Manager / KMS read across the whole organization is unaudited. With Data Access logs at allServices + targeted exemptions: every read is logged and routed through the aggregated sink to the two-year retention bucket. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: fetch the current organization IAM policy. gcloud organizations get-iam-policy ORG_ID --format=json > org-policy.json # Step 2: edit the auditConfigs block to enable the three Data Access streams. 
# Write the auditConfigs block to merge into the fetched policy: cat > org-policy.json.fragment <<'JSON' { \"auditConfigs\": [ { \"service\": \"allServices\", \"auditLogConfigs\": [ { \"logType\": \"ADMIN_READ\" }, { \"logType\": \"DATA_READ\", \"exemptedMembers\": [ \"serviceAccount:high-volume-batch@PROJECT.iam.gserviceaccount.com\" ] }, { \"logType\": \"DATA_WRITE\" } ] }, { \"service\": \"iam.googleapis.com\", \"auditLogConfigs\": [ { \"logType\": \"ADMIN_READ\" }, { \"logType\": \"DATA_READ\" }, { \"logType\": \"DATA_WRITE\" } ] } ] } JSON # Merge the fragment into the fetched policy (requires jq). This sets auditConfigs to the block above; # fold any existing per-service entries into the fragment first. jq --slurpfile frag org-policy.json.fragment '.auditConfigs = $frag[0].auditConfigs' \\ org-policy.json > org-policy.merged.json # Step 3: apply the merged policy back. gcloud organizations set-iam-policy ORG_ID org-policy.merged.json # Step 4: verify Data Access is now on for the regulated surface. gcloud organizations get-iam-policy ORG_ID \\ --format='json(auditConfigs)'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_organization_iam_audit_config\" \"all_services\" { org_id = var.org_id service = \"allServices\" audit_log_config { log_type = \"ADMIN_READ\" } audit_log_config { log_type = \"DATA_READ\" exempted_members = [ \"serviceAccount:high-volume-batch@${var.batch_project_id}.iam.gserviceaccount.com\", ] } audit_log_config { log_type = \"DATA_WRITE\" } } # IAMPolicy Data Access is particularly important for reconnaissance detection. 
resource \"google_organization_iam_audit_config\" \"iam_service\" { org_id = var.org_id service = \"iam.googleapis.com\" audit_log_config { log_type = \"ADMIN_READ\" } audit_log_config { log_type = \"DATA_READ\" } audit_log_config { log_type = \"DATA_WRITE\" } } resource \"google_organization_iam_audit_config\" \"crm_service\" { org_id = var.org_id service = \"cloudresourcemanager.googleapis.com\" audit_log_config { log_type = \"ADMIN_READ\" } audit_log_config { log_type = \"DATA_READ\" } audit_log_config { log_type = \"DATA_WRITE\" } }</code> Remediation — Infrastructure Manager Infrastructure Manager: Data Access audit log configuration is a root-of-trust IAM audit-config setting — Config Connector has no CRD for google_project_iam_audit_config as of 2026-Q2 (KCC deliberately excludes IAM audit-config primitives). Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Compliance mapping CIS AWS Foundations v7.0.0: n/a · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: 2.x (verify) · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: AU-2; AU-12 · ISO/IEC 27001:2022: A.8.15 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals Cloud Audit Logs on SetIamPolicy against the audit-log config resource where auditConfigs.exemptedMembers is widened or logType=DATA_READ is removed for a sensitive service (e.g. storage.googleapis.com, bigquery.googleapis.com). Project-level audit-log config changes where auditConfigs.service goes from allServices to a narrower list — silent reduction of data-access coverage. Volume-based: rolling 24h data-access log line count drops more than 50% versus the 14-day baseline. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas.action=\"REMOVE\" AND (protoPayload.serviceData.policyDelta.auditConfigDeltas.logType=\"DATA_READ\" OR protoPayload.serviceData.policyDelta.auditConfigDeltas.logType=\"DATA_WRITE\")</code> This Cloud Logging filter captures the audit-config deltas; pair with a log-based metric on per-service DATA_READ entry rate so coverage erosion shows up as a graph regression in Cloud Monitoring even if the SetIamPolicy event is missed. Alert threshold Page on any removal of DATA_READ or DATA_WRITE log-type from allServices or from any of the documented sensitive services. Page on any addition to exemptedMembers — exemptions are explicit forensic blind spots and additions need ticket cover. Initial response Restore the audit-log config via gcloud projects set-iam-policy with the captured baseline JSON; verify the next data-access call surfaces in the sink. Audit data-plane access during the coverage gap: pull BigQuery/Cloud Storage object access logs where they remain in the dataset, and flag any access pattern by the principal who issued the SetIamPolicy as candidate-cover-up. Pin the audit-log config in source control (Terraform google_project_iam_audit_config) and gate edits through a manual approval; document the runbook change in the incident timeline. References Google Cloud — Configure data-access audit logs (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-log-03-scc-premium ! 
HIGH DETECTIVE Security Command Center Premium — Regulatory Compliance dashboard Activate Security Command Center Premium at organization scope and enable the Regulatory Compliance dashboard, which maps Security Health Analytics findings to CIS GCP v4.0.0 detector IDs plus PCI DSS, HIPAA, and ISO 27001 control sets (Google Cloud — Security Command Center overview (accessed 2026-05)). Critical caveat to cite explicitly in any compliance attestation that references SCC built-in detector results: as of writing, Google's SCC built-in compliance detector certification still covers CIS GCP v2.0.0; v4.0.0 detector parity is closed externally — either via the official Google InSpec profile inspec-gcp-cis-benchmark tagged v4.0.0 release (GoogleCloudPlatform — inspec-gcp-cis-benchmark v4.0.0 (accessed 2026-05)) or via third-party CSPM tooling. The dashboard remains useful for the v2.0.0 baseline plus the per-finding remediation playbooks, and the dashboard's PCI / HIPAA / ISO mappings are not affected by the CIS-version lag. This control is the compliance-posture surface of SCC; gcp-log-04 is the threat-detection surface and gcp-log-05 is the SHA finding-lifecycle surface — three separate review workflows on the same SCC engine. MITIGATES: Compliance drift where the organization adopts a CIS GCP baseline (or a regulatory mapping) and then fails to track per-finding remediation status over time; auditor-time-sink during external assessments when the security team has to assemble a per-control evidence pack from raw configuration scans; the failure mode where each business unit interprets \"we are CIS-compliant\" differently because no canonical scoreboard exists. ATTACK VECTOR: Less an attacker vector than a slow-failure pattern: SHA detects a public Cloud Storage bucket, a service account with roles/owner at project scope, a Cloud SQL instance with public IP, or a firewall rule permitting 0.0.0.0/0 on SSH. 
With Compliance dashboards, each finding gets a CIS reference, a severity, and a per-finding owner queue. Without the dashboard, findings live in an ad-hoc spreadsheet, age out of attention, and become the eventual root cause of an incident — the kind of bucket Capital One left exposed for months before the 2019 breach. BLAST RADIUS: Whole-organization compliance visibility; without it, an entire CIS or PCI gap-set can sit unaddressed because nobody owned the dashboard. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enable SCC Premium services at organization scope. gcloud scc settings services update \\ --service=SECURITY_HEALTH_ANALYTICS \\ --enablement-state=ENABLED \\ --organization=ORG_ID # Step 2: enable Web Security Scanner (Premium-only managed module). gcloud scc settings services update \\ --service=WEB_SECURITY_SCANNER \\ --enablement-state=ENABLED \\ --organization=ORG_ID # Step 3: confirm SCC tier (Premium) and SHA module activation. gcloud scc settings describe --organization=ORG_ID gcloud scc settings services describe SECURITY_HEALTH_ANALYTICS \\ --organization=ORG_ID # Step 4: pull the v4.0.0 InSpec profile for the CIS gap detector set # (closes the SCC-v2.0.0-certified-only caveat). git clone --branch v4.0.0 \\ https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git inspec exec inspec-gcp-cis-benchmark \\ -t gcp:// \\ --input gcp_project_id=PROJECT_ID \\ gcp_organization_id=ORG_ID</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) # Note: SCC organization-tier activation is primarily console / gcloud at # writing time; Terraform coverage of org-level service-enablement is # partial — re-verify against the google + google-beta providers at apply. # Custom-module authoring is supported and shown here. 
resource \"google_scc_organization_custom_module\" \"deny_public_bucket\" { organization = var.org_id display_name = \"deny-public-storage-bucket\" enablement_state = \"ENABLED\" custom_config { predicate { expression = \"resource.iamPolicy.bindings.exists(b, b.members.exists(m, m == 'allUsers' || m == 'allAuthenticatedUsers'))\" } resource_selector { resource_types = [\"storage.googleapis.com/Bucket\"] } severity = \"HIGH\" description = \"Cloud Storage bucket IAM grants allUsers/allAuthenticatedUsers\" recommendation = \"Remove allUsers/allAuthenticatedUsers bindings; enforce public_access_prevention=enforced\" } } # Pin the Compliance source so dashboard IDs are referenceable from runbooks. data \"google_scc_source\" \"compliance\" { organization = var.org_id display_name = \"Security Health Analytics\" }</code> Remediation — Infrastructure Manager Infrastructure Manager: SCC Source primitives are excluded from Config Connector as of 2026-Q2 (google_scc_source has no CRD). Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Compliance mapping CIS AWS Foundations v7.0.0: n/a · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: (best-practices) · CIS OCI Foundation v3.1.0: n/a · NIST SP 800-53 rev5: CM-8; CM-3 · ISO/IEC 27001:2022: A.8.9 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals Cloud Audit Logs on securitycenter.googleapis.com for UpdateOrganizationSettings calls where enableAssetDiscovery flips to false or service-tier downgrades from PREMIUM to STANDARD. SCC source mutes via MuteConfig.create with overly broad filter expressions (e.g. category=\"*\"). Drop in finding-creation rate against rolling baseline — SCC finding rate is a leading indicator of detector enablement state. 
Query <code class=\"language-plaintext\">logName=~\"organizations/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"securitycenter.googleapis.com\" AND (protoPayload.methodName=~\".*UpdateOrganizationSettings\" OR protoPayload.methodName=~\".*CreateMuteConfig\" OR protoPayload.methodName=~\".*UpdateMuteConfig\")</code> Pin this Cloud Logging filter to a Cloud Monitoring log-based metric grouped by organisation; pair with a saved query on the SCC finding-creation rate (resource.type=\"organization\") so tier downgrades and detector silence show together in one alert pane. Alert threshold Page on any tier downgrade from Premium/Enterprise; the tier change disables a large fraction of SCC's managed detectors. Page on any new MuteConfig whose filter expression matches more than 10 finding categories, or on rolling 1h finding-rate dropping below 30% of the 30-day baseline. Initial response Restore the organisation settings via gcloud scc settings services modules update from the captured baseline; reverse any new MuteConfig and document the gap-window category coverage. Re-run a one-shot SCC asset discovery to backfill the inventory; treat any finding raised in the catch-up sweep as if it were created during the muted window for triage purposes. Pin SCC org settings in source control and gate edits through change-management; the SCC config is a meta-detector and warrants the same friction as the sink config. References Google Cloud — Security Command Center overview (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-log-04-scc-premium ! 
CRITICAL DETECTIVE Security Command Center Premium — Threat Detection Enable the four threat-detection services that ship with Security Command Center Premium at organization scope: Event Threat Detection (authentication anomalies, service-account key abuse, anomalous IAM grants, suspicious cross-project access, brute-force SSH against Compute Engine), Container Threat Detection (runtime detections on GKE workloads — added binaries inside containers, reverse shells, malicious scripts, Linux Bash root histories), Virtual Machine Threat Detection (cryptomining detection on Compute Engine via guest-memory scanning, no agent required), and the legacy Anomaly Detection heuristic engine (Google Cloud — Event Threat Detection overview (accessed 2026-05)). Anti-conflation: this is the threat-detection surface of SCC; the compliance dashboard is gcp-log-03 and the SHA finding lifecycle is gcp-log-05. SCC Enterprise tier is called out as the multi-cloud CNAPP upgrade — it adds Mandiant threat-intelligence feeds, multi-cloud asset inventory (covering AWS / Azure), and a SOAR-style case-management surface — and is the right tier for organisations running a multi-cloud SOC. The corpus baseline is SCC Premium per the ROADMAP success criterion that explicitly pins \"Security Command Center Premium finding types\"; Enterprise is referenced in prose, not as the primary recommendation. CRITICAL severity because threat detection is the only signal that runtime compromise is currently in progress (versus posture findings, which describe latent risk). MITIGATES: Undetected runtime compromise of GKE workloads via container escape, supply-chain backdoor, or live attacker hands-on-keyboard; cryptomining payloads dropped on Compute Engine VMs after credential theft; service-account key abuse from leaked keys; brute-force credential attacks against Compute Engine SSH; the gap between \"posture is bad\" (SHA / CIS findings) and \"compromise is happening now\" (live attacker activity). 
ATTACK VECTOR: An attacker who has obtained a leaked Compute Engine SSH key pivots laterally to a second VM and pulls a cryptominer binary. Without VM Threat Detection, the miner runs silently until a billing alert fires — typically days later. With VM Threat Detection enabled, guest-memory scans produce a HIGH-severity finding within minutes, routed to Pub/Sub and the auto-containment Cloud Function (see gcp-log-05). Same shape for a Container Threat Detection finding when an attacker drops nc or a reverse-shell binary into a running pod; same shape for Event Threat Detection's anomalous-IAM-grant alert when an attacker creates a new service account and grants it roles/owner on a fresh project. BLAST RADIUS: With detection on: per-finding response within the SCC notification SLA (typically minutes). Without detection on: the attacker dwell time is bounded only by external signals — billing, customer-impact tickets, CISA notification. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enable the four threat-detection services at organization scope. for svc in EVENT_THREAT_DETECTION \\ CONTAINER_THREAT_DETECTION \\ VIRTUAL_MACHINE_THREAT_DETECTION \\ SECURITY_HEALTH_ANALYTICS; do gcloud scc settings services update \\ --service=\"$svc\" \\ --enablement-state=ENABLED \\ --organization=ORG_ID done # Step 2: confirm activation per-service. for svc in EVENT_THREAT_DETECTION \\ CONTAINER_THREAT_DETECTION \\ VIRTUAL_MACHINE_THREAT_DETECTION; do gcloud scc settings services describe \"$svc\" \\ --organization=ORG_ID \\ --format='value(serviceEnablementState)' done # Step 3: list active threat-detection findings across the org. 
gcloud scc findings list ORG_ID \\ --filter='category=~\"EXFIL|CRYPTOMINING|MALWARE|SUSPICIOUS|BACKDOOR\" AND state=\"ACTIVE\"' \\ --format='table(name, category, severity, eventTime)'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) # Note: org-tier service-enablement for SCC Premium threat-detection services # is partially supported in google_scc_organization_custom_module form; # the canonical activation path is gcloud / console. Re-verify support level # in the google + google-beta providers at apply time. The custom-module # pattern below shows the supported Terraform-native surface (organisation # custom detectors that augment the built-in threat-detection set). resource \"google_scc_organization_custom_module\" \"anomalous_sa_key_create\" { organization = var.org_id display_name = \"anomalous-sa-key-creation\" enablement_state = \"ENABLED\" custom_config { predicate { expression = \"resource.type == 'iam.googleapis.com/ServiceAccountKey' && resource.createTime > timestamp(now - duration('1h'))\" } resource_selector { resource_types = [\"iam.googleapis.com/ServiceAccountKey\"] } severity = \"HIGH\" description = \"New service account key created — possible credential persistence\" recommendation = \"Audit the creating principal; rotate or delete the key if not expected\" } } # Route threat-detection findings into Pub/Sub for downstream automation # (the Pub/Sub topic + Cloud Function pair is in gcp-log-05). 
resource \"google_scc_notification_config\" \"threat_high_critical\" { config_id = \"threat-detection-high-critical\" organization = var.org_id description = \"HIGH+CRITICAL threat-detection findings → SOC playbook\" pubsub_topic = google_pubsub_topic.scc_findings.id streaming_config { filter = \"severity = \\\"HIGH\\\" OR severity = \\\"CRITICAL\\\"\" } }</code> Remediation — Infrastructure Manager Infrastructure Manager: SCC organisation custom module is an SCC primitive excluded from Config Connector as of 2026-Q2 (google_scc_organization_custom_module has no CRD). Submit the Terraform block above to Google Cloud Infrastructure Manager (gcloud infra-manager deployments apply --local-source=.) for managed-state, approval workflows, and Cloud Audit Logs trail. Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // SCC organisation custom module — SCC Premium tier required. const customModule = new gcp.securitycenter.OrganizationCustomModule(\"scc-custom\", { organization: orgId, displayName: \"scc-prod-baseline\", enablementState: \"ENABLED\", customConfig: { predicate: { expression: \"resource.publicAccessPrevention != 'enforced'\", }, recommendation: \"Set publicAccessPrevention=enforced on every bucket.\", description: \"Detect storage buckets without PAP enforcement.\", severity: \"HIGH\", resourceSelector: { resourceType"},{"id":"gcp/network.html","url":"gcp/network.html","title":"GCP Network Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Network","description":"GCP network hardening: VPC design, Hierarchical Firewall Policies, Private Google Access, Private Service Connect, Cloud Armor WAF + Adaptive Protection, Cloud DNS DNSSEC, Cloud NAT egress.","body":"GCP Network Hardening Overview This page covers Google Cloud Platform network hardening across the surfaces that decide whether an attacker reaching the network edge can pivot inward, exfiltrate data, or sustain disruption. 
Scope is the commercial GCP regions; GCP Sovereign Cloud (formerly Assured Workloads and the Google Cloud Air-Gapped offering) inherits the same controls but exposes a different region table, different service-availability matrices, and tenant topology constraints — re-verify region availability and the relevant cloud.google.com sovereign endpoint documentation before applying any of the IaC below to a sovereign or air-gapped deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Google Cloud Platform Foundation Benchmark v4.0.0 — May 2025 release (accessed 2026-05) unless explicitly annotated as a post-v4.0.0 feature or a best-practice recommendation that the current benchmark has not yet codified. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The GCP network model is the product of an organization (the root policy boundary, where Org Policy constraints live), folders (intermediate policy boundaries for business units or environments), projects (the unit of billing, IAM, and quota), VPC networks (regional or global, with their own custom subnet plan; Shared VPC lets one host project lend its network to many service projects), subnets (regional CIDR slices that anchor Private Google Access and flow logging), VPC firewall rules (stateful L4 allow/deny at VPC scope, evaluated per packet), Hierarchical Firewall Policies (stateful L4 allow/deny attached at organization or folder scope, evaluated before VPC firewall rules), Cloud Armor security policies (L7 WAF at the external HTTPS Load Balancer edge), Private Google Access and the private.googleapis.com / restricted.googleapis.com DNS endpoints (private consumption of Google APIs from VMs with no external IP), Private Service Connect (explicit per-VPC private endpoints for Google APIs and third-party services), and edge primitives Cloud Load Balancing, Cloud DNS, and Cloud NAT. 
The cross-cutting principles — segmentation, zero trust, egress control, private connectivity, encryption in transit, and DNS security — are owned by the General Network page; this page maps them to GCP primitives. Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and OCI sibling pages. Three anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. First: VPC firewall rules, Hierarchical Firewall Policies, and Cloud Armor are complementary, not alternative. VPC firewall rules are L4 stateful per-VPC ACLs (the legacy ingress/egress allow/deny surface) and exist only inside the VPC they are defined in. Hierarchical Firewall Policies (gcp-net-02) operate at organization or folder scope and evaluate before VPC firewall rules; they enforce tenant-wide invariants that survive VPC creation and cannot be overridden by a project-level admin. Cloud Armor (gcp-net-05) is the L7 WAF at the external HTTPS Load Balancer edge, inspecting HTTP and HTTPS payloads — URI, headers, body, cookies — and is therefore a different plane of inspection from L4 firewalls entirely. Each addresses a different scope; reviewers who insist on \"pick one\" are wrong. Second: Private Google Access and Private Service Connect are complementary, not alternative. Private Google Access (gcp-net-03) is a per-subnet setting that lets private-IP-only VMs reach Google APIs via the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30) anycast ranges — the workload doesn't need an external IP and the request never traverses the public internet, but the API still has a Google-owned endpoint. 
Private Service Connect (gcp-net-04) creates an explicit private-IP endpoint inside your VPC that fronts a Google API or a third-party service via a service attachment; the consuming VM connects to a 10.x address you chose, with no public-IP exposure of the underlying service at all. PGA is the consumption mode for existing workloads; PSC is the publication mode for explicit endpoints. PSC supersedes the legacy Private Service Access (VPC peering) model for new designs. Third: Cloud Armor security policies and Cloud Armor Adaptive Protection are layered on the same resource, not substitutes. Cloud Armor security policies (gcp-net-05) carry preconfigured WAF rules (ModSecurity CRS 3.x — SQLi, XSS, LFI, RFI, RCE, scanner-detection, protocol-anomaly) and custom L7 rules, evaluated at the LB edge. Cloud Armor Adaptive Protection (gcp-net-06) is an ML-driven L7 anomaly-detection layer that runs on the same security policy resource and emits Adaptive Protection alerts and suggested mitigation rules during a sustained attack. Cloud Armor Standard (free, always-on L3/L4 platform protection) is the platform default; Cloud Armor Managed Protection Plus (the Enterprise subscription tier) is the entitlement that unlocks Adaptive Protection plus DDoS Rapid Response engagement. Order and scope matter. Controls 01–04 are foundational invariants enforced organization-wide via Org Policy (gcloud org-policies set-policy at organization or folder level) and Hierarchical Firewall Policies: have no reliance on default networking, lock admin ports against 0.0.0.0/0 at the organization scope, route private workloads to Google APIs without an external IP, and front third-party and Google-managed services with Private Service Connect endpoints. Controls 05–06 protect the L7 and DDoS edge of public web traffic. Control 07 signs the organisation's public DNS zones. 
Control 08 closes the egress loop with Cloud NAT and egress firewall rules — the missing complement to PSC, which only covers Google-managed and explicitly-published service traffic. The VPC Service Controls identity-plane perimeter is owned by the GCP IAM page and cross-referenced from this page where relevant; do not re-author it here. gcp-net-01-no-default-network ! MEDIUM PREVENTIVE Disable creation of the legacy \"default\" VPC organization-wide via the constraints/compute.skipDefaultNetworkCreation Org Policy constraint, and design every workload network as an explicit custom-mode VPC (typically a Shared VPC host project lent to many service projects in a hub-and-spoke topology). The default VPC ships with auto-mode subnets in every region and a permissive set of pre-baked firewall rules — exactly the surface area an Org-level policy should remove before any project is created (Google Cloud — VPC documentation (accessed 2026-05)). The principle is reinforced in General Network — segmentation: a network the organisation did not consciously design is a network whose blast radius the organisation cannot reason about. Custom-mode (--subnet-mode=custom) is the only acceptable VPC mode for new workloads; auto-mode subnets in every region make egress controls and CIDR planning impossible to enforce consistently. MITIGATES: Accidental shadow VPCs with auto-mode subnets in every region, permissive default-allow firewall rules, and no peering to the Shared VPC host — making centralised egress filtering and monitoring impossible to enforce on the traffic those VPCs generate. ATTACK VECTOR: A new project is created under deadline pressure and inherits the default VPC, which auto-provisions subnets in every region and ships with default-allow ICMP, RDP from 0.0.0.0/0, and SSH from 0.0.0.0/0 firewall rules. 
A workload team launches a Compute Engine VM in any region with an ephemeral external IP; the VM is immediately reachable from the public internet on the management ports the default rules permit. Compounds when the same pattern replicates across new projects. BLAST RADIUS: Per project: every resource launched into the default VPC across every region for as long as the default VPC exists. Compounds across hundreds of projects in a large organization. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enforce the skip-default-network constraint at the organization scope. cat > default-network-deny.yaml <<'YAML' name: organizations/ORG_ID/policies/compute.skipDefaultNetworkCreation spec: rules: - enforce: true YAML gcloud org-policies set-policy default-network-deny.yaml \\ --organization=ORG_ID # Step 2: inventory existing default VPCs across all projects in the org. for project in $(gcloud projects list --format='value(projectId)'); do gcloud compute networks list --project=\"$project\" \\ --filter='name=default' \\ --format=\"value(name)\" 2>/dev/null \\ | sed \"s|^|$project: |\" done # Step 3: create the explicit per-workload VPC in custom mode (no auto subnets). gcloud compute networks create vpc-app-prod \\ --project=svc-app-prod \\ --subnet-mode=custom \\ --bgp-routing-mode=regional # Step 4: create a single explicit subnet in the approved region + CIDR. 
gcloud compute networks subnets create snet-app-prod-euw1 \\ --project=svc-app-prod \\ --network=vpc-app-prod \\ --region=europe-west1 \\ --range=10.40.0.0/22 \\ --enable-flow-logs \\ --enable-private-ip-google-access</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_org_policy_policy\" \"skip_default_network\" { name = \"organizations/${var.org_id}/policies/compute.skipDefaultNetworkCreation\" parent = \"organizations/${var.org_id}\" spec { rules { enforce = \"TRUE\" } } } # Explicit custom-mode VPC in the host project (Shared VPC host pattern). resource \"google_compute_network\" \"vpc_app_prod\" { project = var.host_project_id name = \"vpc-app-prod\" auto_create_subnetworks = false routing_mode = \"REGIONAL\" } resource \"google_compute_subnetwork\" \"snet_app_prod_euw1\" { project = var.host_project_id name = \"snet-app-prod-euw1\" network = google_compute_network.vpc_app_prod.id region = \"europe-west1\" ip_cidr_range = \"10.40.0.0/22\" private_ip_google_access = true log_config { aggregation_interval = \"INTERVAL_5_SEC\" flow_sampling = 0.5 metadata = \"INCLUDE_ALL_METADATA\" } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: orgpolicy.cnrm.cloud.google.com/v1beta1 kind: OrgPolicyPolicy metadata: name: skip-default-network namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" spec: rules: - enforce: true name: \"organizations/ORG_ID/policies/compute.skipDefaultNetworkCreation\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a3.1n/a SC-7; CM-2A.8.20; A.8.22CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.networks.insert where 
protoPayload.resourceName ends in /networks/default — the default network ships with overly permissive firewall rules and recreating it re-introduces them. Constraint drift on compute.skipDefaultNetworkCreation via orgpolicy.googleapis.com UpdatePolicy moving from enforce: true to enforce: false. Implicit-default firewall rule creates: compute.googleapis.com firewalls.insert creating default-allow-icmp, default-allow-internal, default-allow-rdp, or default-allow-ssh. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND ((protoPayload.methodName=\"v1.compute.networks.insert\" AND protoPayload.resourceName=~\".*/networks/default$\") OR (protoPayload.methodName=\"v1.compute.firewalls.insert\" AND protoPayload.request.name=~\"default-allow-(icmp|internal|rdp|ssh)\"))</code> This Cloud Logging filter is project-scoped; pair with a Cloud Asset Inventory query enumerating every project for the presence of a default VPC so steady-state population is visible alongside change events. Alert threshold Page on any insert of a network named default or any of the four implicit firewall rules; the org-policy constraint should prevent this and a successful insert means the constraint was relaxed. Page on any update to compute.skipDefaultNetworkCreation moving away from enforced. Initial response Delete the default network and its implicit firewall rules; re-assert the Org Policy constraint and back-fill the project with the documented hardened VPC template. Audit VM creates in the gap window — any instance bound to the default VPC inherited the permissive firewall set and the workload should be re-deployed onto the hardened VPC. Pin the constraint via Terraform google_org_policy_policy and gate edits through change-management; the constraint is a one-time set-and-forget invariant. 
References Google Cloud — VPC default network reference (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-net-02-fw-no-admin-internet ! CRITICAL PREVENTIVE No Hierarchical Firewall Policy and no VPC firewall rule in any project of the organization may permit ingress from 0.0.0.0/0 on administrative ports — SSH 22, RDP 3389, SQL Server 1433, PostgreSQL 5432, MySQL 3306, MongoDB 27017, Redis 6379, and any other database or management port the organization uses. Author the canonical deny at organization scope as a Hierarchical Firewall Policy so the invariant survives VPC creation, then layer a VPC-level deny for defence in depth (Google Cloud — Hierarchical Firewall Policies overview (accessed 2026-05)). Anti-conflation: Hierarchical Firewall Policies attach at organization or folder scope and evaluate before VPC firewall rules — a project-level admin cannot override an Org-scope HFP deny. VPC firewall rules attach at network scope and are the per-VPC fallback. Cloud Armor (gcp-net-05) is the L7 WAF at the external HTTPS LB edge and is a complementary inspection plane, not a substitute for L4 firewall policy. CRITICAL because this is the canonical \"open the internet to my database\" misconfiguration; Shodan-style scanners locate exposures within minutes, and CIS GCP v4.0.0 §3.6 and §3.7 codify the requirement. MITIGATES: Direct internet exposure of management planes and databases — leading to credential brute force, exploitation of unpatched pre-auth RCE in admin services, and untargeted ransomware against open SQL / MongoDB / Redis instances. ATTACK VECTOR: A workload team adds a permissive ingress firewall rule \"temporarily\" to debug a jump host (TCP 22 from 0.0.0.0/0); the rule is never reverted. Within hours, distributed brute-force traffic from compromised residential IPs begins probing for SSH passwords or weak keys. 
Database admin ports are worse: pre-authentication CVEs in some database engines turn an open port into immediate unauthenticated code execution; pre-3.6 MongoDB / pre-6 Redis with default no-auth configurations are still in the wild. BLAST RADIUS: With the HFP deny at organization scope: every VPC in every project of the organization, including projects that do not yet exist. Without HFP and with only per-VPC rules: every VM in the offending VPC, across every region the VPC has subnets in. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create the Hierarchical Firewall Policy at organization scope. gcloud compute firewall-policies create ORG_NO_ADMIN_INGRESS \\ --organization=ORG_ID \\ --short-name=org-no-admin-ingress \\ --description=\"Org-wide deny: 0.0.0.0/0 -> admin ports\" # Step 2: deny 0.0.0.0/0 -> admin TCP ports at priority 100 (low-numbered = earlier). gcloud compute firewall-policies rules create 100 \\ --firewall-policy=ORG_NO_ADMIN_INGRESS \\ --organization=ORG_ID \\ --action=deny \\ --direction=INGRESS \\ --layer4-configs=tcp:22,tcp:3389,tcp:1433,tcp:3306,tcp:5432,tcp:27017,tcp:6379 \\ --src-ip-ranges=0.0.0.0/0 \\ --enable-logging \\ --description=\"Deny Internet -> admin / DB ports (org-wide invariant)\" # Step 3: attach the policy to the organization (or to specific folders). gcloud compute firewall-policies associations create \\ --firewall-policy=ORG_NO_ADMIN_INGRESS \\ --organization=ORG_ID \\ --name=org-root-association # Audit: list every VPC firewall rule across the org that still allows 0.0.0.0/0 on admin ports. 
for project in $(gcloud projects list --format='value(projectId)'); do gcloud compute firewall-rules list --project=\"$project\" \\ --filter='direction=INGRESS AND disabled=false AND sourceRanges:0.0.0.0/0' \\ --format=\"value(name,allowed,sourceRanges)\" 2>/dev/null \\ | sed \"s|^|$project: |\" done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_compute_firewall_policy\" \"org_no_admin_ingress\" { parent = \"organizations/${var.org_id}\" short_name = \"org-no-admin-ingress\" description = \"Org-wide deny: 0.0.0.0/0 -> admin ports\" } resource \"google_compute_firewall_policy_rule\" \"deny_internet_admin_ports\" { firewall_policy = google_compute_firewall_policy.org_no_admin_ingress.id priority = 100 direction = \"INGRESS\" action = \"deny\" enable_logging = true description = \"Deny Internet -> admin / DB ports (CIS GCP v4.0.0 3.6 + 3.7)\" match { src_ip_ranges = [\"0.0.0.0/0\"] layer4_configs { ip_protocol = \"tcp\" ports = [\"22\", \"3389\", \"1433\", \"3306\", \"5432\", \"27017\", \"6379\"] } } } resource \"google_compute_firewall_policy_association\" \"org_root\" { firewall_policy = google_compute_firewall_policy.org_no_admin_ingress.id attachment_target = \"organizations/${var.org_id}\" name = \"org-root-association\" } # Defence in depth: VPC-scope deny for the workload VPC. 
resource \"google_compute_firewall\" \"vpc_deny_admin_from_internet\" { project = var.host_project_id name = \"deny-internet-to-admin-ports\" network = google_compute_network.vpc_app_prod.name direction = \"INGRESS\" priority = 100 deny { protocol = \"tcp\" ports = [\"22\", \"3389\", \"1433\", \"3306\", \"5432\", \"27017\", \"6379\"] } source_ranges = [\"0.0.0.0/0\"] log_config { metadata = \"INCLUDE_ALL_METADATA\" } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewall metadata: name: deny-ssh-rdp-internet namespace: config-control spec: networkRef: name: prod-vpc direction: INGRESS priority: 65534 denied: - protocol: tcp ports: [\"22\", \"3389\"] sourceRanges: - \"0.0.0.0/0\"</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Explicit-deny SSH/RDP from the public internet — paired with allow-list rules for // IAP TCP forwarding (35.235.240.0/20) when bastion access is required. const denyAdminInternet = new gcp.compute.Firewall(\"deny-ssh-rdp-internet\", { name: \"deny-ssh-rdp-internet\", network: prodVpc.id, direction: \"INGRESS\", priority: 65534, denies: [{ protocol: \"tcp\", ports: [\"22\", \"3389\"] }], sourceRanges: [\"0.0.0.0/0\"], });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 5.2; 5.36.1; 6.23.6; 3.72.1; 2.2 SC-7(5); SC-7A.8.20; A.8.22CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.firewalls.insert or v1.compute.firewalls.patch where sourceRanges contains 0.0.0.0/0 and allowed.ports includes 22 or 3389. Hierarchical firewall policy edits at organisation / folder scope where new rules with the same admin-port + world-open pattern are inserted via FirewallPolicies.patch. 
Tag-based firewall rules where the source-tag is removed and replaced with 0.0.0.0/0 — silent broadening of an existing rule. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND protoPayload.methodName=~\"v1.compute.(firewalls|firewallPolicies).*\" AND protoPayload.request.sourceRanges=\"0.0.0.0/0\" AND (protoPayload.request.allowed.ports=\"22\" OR protoPayload.request.allowed.ports=\"3389\")</code> Stream this Cloud Logging filter through a Cloud Monitoring log-based metric grouped by firewall name; pair with VPC Flow Logs queries scoped to the rule's target tags so post-rule traffic on the admin port is visible alongside the rule creation. Alert threshold Page on any rule insert / patch admitting world-open SSH or RDP; the steady-state count of such rules is zero. Page on a hierarchical firewall policy patch adding the same pattern at folder or organisation scope; impact radius is broader than a single project rule. Initial response Delete the offending firewall rule via gcloud compute firewall-rules delete or revert the policy patch from the captured baseline policy JSON. Inspect VPC Flow Logs for accepted-connection records on the admin port during the exposed window; treat any non-corporate source IP as a candidate compromise of the targeted VM. Force-rotate SSH host keys / Windows administrator credentials on every VM that was reachable; pivot the workload to IAP TCP-forwarding (control 03) so future SSH/RDP access no longer requires a perimeter rule. References Google Cloud — VPC firewall rules reference (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-net-03-pga ! 
HIGH PREVENTIVE Enable Private Google Access on every workload subnet and route Google API consumption through the private.googleapis.com (199.36.153.8/30) or restricted.googleapis.com (199.36.153.4/30, used in conjunction with VPC Service Controls perimeters) anycast endpoints, so private-IP-only VMs reach Google APIs without traversing the public internet (Google Cloud — Private Google Access documentation (accessed 2026-05)). Pair PGA with Org Policy constraints/compute.vmExternalIpAccess to deny external IP assignment on workload VMs by default; PGA is what makes that denial operationally viable. The principle is reinforced in General Network — private connectivity: traffic to managed services should never cross the public internet when a private path exists. Anti-conflation: PGA is per-subnet, free, and applies to consumption of Google-managed APIs from existing VMs; Private Service Connect (gcp-net-04) creates explicit private-IP endpoints inside the VPC for Google or third-party services and is the publication-mode complement. restricted.googleapis.com is specifically the entry endpoint for VPC SC perimeters; cross-link: VPC Service Controls (Phase 5; owned by the IAM page and not re-authored here). HIGH PREVENTIVE because PGA + the external-IP-deny Org Policy together remove the public-IP attack surface from workload VMs entirely while preserving their ability to reach Cloud Storage, BigQuery, and the other Google APIs they need. MITIGATES: Public-internet exposure of workload VMs that need to reach Google APIs; data-egress paths that traverse the public internet (and incur internet-egress billing); the implicit requirement to allow 0.0.0.0/0 outbound just to talk to storage.googleapis.com. 
ATTACK VECTOR: A workload VM is provisioned with an ephemeral external IP \"because Cloud Storage needs internet egress.\" The external IP makes the VM reachable from any internet host the firewall rules allow (and the default-allow rules on the legacy default VPC are still in some templates). With PGA enabled on the subnet, a route to 199.36.153.8/30 via the default-internet-gateway next hop, and a DNS forwarding rule that resolves *.googleapis.com to the private range, the same workload reaches Cloud Storage with no external IP and no public-internet exposure at all. BLAST RADIUS: Per subnet: enabling PGA flips the entire subnet to private-google-access capability. Combined with the Org Policy denying external IPs, the blast-radius reduction is organization-wide and survives new project creation. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enable Private Google Access on the workload subnet. gcloud compute networks subnets update snet-app-prod-euw1 \\ --project=svc-app-prod \\ --region=europe-west1 \\ --enable-private-ip-google-access # Step 2: enforce the no-external-IP Org Policy at organization scope. cat > deny-external-ip.yaml <<'YAML' name: organizations/ORG_ID/policies/compute.vmExternalIpAccess spec: rules: - values: deniedValues: [\"all\"] YAML gcloud org-policies set-policy deny-external-ip.yaml \\ --organization=ORG_ID # Step 3: create the Cloud DNS private zone that resolves googleapis.com to the # private.googleapis.com range, so workloads don't need explicit code changes. gcloud dns managed-zones create googleapis-com-private \\ --project=svc-app-prod \\ --description=\"Private resolution of googleapis.com -> 199.36.153.8/30\" \\ --dns-name=googleapis.com. \\ --networks=vpc-app-prod \\ --visibility=private gcloud dns record-sets create '*.googleapis.com.' 
\\ --project=svc-app-prod \\ --zone=googleapis-com-private \\ --type=A \\ --ttl=300 \\ --rrdatas=199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) # Subnet with PGA enabled (boolean flips PGA on for the whole subnet). resource \"google_compute_subnetwork\" \"app_pga\" { project = var.host_project_id name = \"snet-app-prod-euw1\" network = google_compute_network.vpc_app_prod.id region = \"europe-west1\" ip_cidr_range = \"10.40.0.0/22\" private_ip_google_access = true } # Org Policy: deny external IPs on workload VMs. resource \"google_org_policy_policy\" \"deny_external_ip\" { name = \"organizations/${var.org_id}/policies/compute.vmExternalIpAccess\" parent = \"organizations/${var.org_id}\" spec { rules { values { denied_values = [\"all\"] } } } } # Cloud DNS private zone: resolve googleapis.com to private.googleapis.com range. resource \"google_dns_managed_zone\" \"googleapis_private\" { project = var.host_project_id name = \"googleapis-com-private\" dns_name = \"googleapis.com.\" description = \"Private resolution of googleapis.com -> 199.36.153.8/30\" visibility = \"private\" private_visibility_config { networks { network_url = google_compute_network.vpc_app_prod.id } } } resource \"google_dns_record_set\" \"googleapis_wildcard\" { project = var.host_project_id managed_zone = google_dns_managed_zone.googleapis_private.name name = \"*.googleapis.com.\" type = \"A\" ttl = 300 rrdatas = [\"199.36.153.8\", \"199.36.153.9\", \"199.36.153.10\", \"199.36.153.11\"] }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: name: prod-subnet-pga namespace: config-control spec: region: us-central1 ipCidrRange: \"10.0.16.0/20\" networkRef: name: prod-vpc privateIpGoogleAccess: true</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS 
Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a3.x (verify)n/a SC-7; AC-4A.8.20; A.8.22CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.serviceAttachments.insert exposing internal services via Private Service Connect — any new attachment widens the producer surface to consumer VPCs. Service-attachment IAM mutations adding roles/compute.networkUser for consumer projects outside the documented allow-list. PSC endpoint creation events from consumer side: forwardingRules.insert targeting a service attachment whose project is foreign to the consumer's organisation. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND (protoPayload.methodName=~\"v1.compute.serviceAttachments.(insert|patch)\" OR (protoPayload.methodName=\"v1.compute.forwardingRules.insert\" AND protoPayload.request.target=~\".*serviceAttachments.*\"))</code> Use this Cloud Logging filter at organisation scope; combine with Cloud Asset Inventory's compute.googleapis.com/ServiceAttachment resource feed so steady-state attachment population and IAM bindings stay visible alongside changes. Alert threshold Page on any new service-attachment insert from a producer project outside the documented PSC-publisher allow-list. Page on any IAM binding addition granting compute.networkUser on a service-attachment to an external organisation principal. Initial response Disable the service attachment via gcloud compute service-attachments update --connection-preference=ACCEPT_MANUAL and revoke any auto-accepted consumer projects. Inspect Cloud Logging for data-plane connection events to the attached service during the exposed window; treat any consumer-project session as a candidate cross-org pivot. 
Pin service-attachment IAM and connection-preference in Terraform; require the consumer-project list to be the source of truth and gate edits through change-management. References Google Cloud — Private Service Connect (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-net-04-private-google-access ! HIGH PREVENTIVE Front Google-managed and third-party services with Private Service Connect endpoints — explicit private-IP forwarding rules inside the consuming VPC that target a service attachment for the upstream service. PSC supersedes the legacy Private Service Access (VPC peering) model for new designs and is the only access pattern that fully removes the upstream service's public-IP exposure from the consuming VPC's perspective (Google Cloud — Private Service Connect documentation (accessed 2026-05)). The principle is reinforced in General Network — zero trust: never traverse a network you do not control. Anti-pattern to flag: Private Service Access (VPC peering to a Google-managed producer VPC) was the original private connectivity pattern for managed services like Cloud SQL and Memorystore; it works but the consuming VPC's route table absorbs the producer's CIDR, transitive peering is constrained, and the model does not scale to per-service granular access. PSC creates one forwarding rule per consumer-to-service binding, eliminates transitive peering questions, and supports IAM at the service-attachment level. Anti-conflation with PGA: PGA is the consumption mode for any VM with a private IP and a route to the anycast googleapis.com range; PSC is the publication mode for explicit per-service endpoints in your VPC. They can coexist: PGA for the broad set of Google APIs, PSC for specific high-value services where IAM at the endpoint is required. 
MITIGATES: Service-call traffic from workloads to Google-managed or third-party services traversing the public internet where TLS is the only barrier; cross-tenant confused-deputy patterns where lack of network-side controls means identity is the only gate; DNS-side leakage of which managed services a workload depends on. ATTACK VECTOR: A workload in vpc-app-prod reaches a Cloud SQL instance via its public IP (or via a Private Service Access peering whose CIDR is unexpectedly transitive from a peered partner VPC). An attacker who compromises the workload — or a workload in a peered partner VPC — can do the same. With a PSC endpoint at 10.40.255.10 for Cloud SQL, the consuming VPC reaches the database via a private IP it owns, no public IP is exposed, no peering is transitive, and IAM on the service attachment governs who can create new consumer endpoints. BLAST RADIUS: Per PSC endpoint: a forwarding rule is a 1:1 binding to one service attachment. The Org Policy on consumer-side forwarding rule creation governs which producer service attachments are allowable across the organization. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Variant A: global PSC endpoint for Google APIs (all-apis bundle). gcloud compute addresses create psc-google-apis \\ --project=svc-app-prod \\ --global \\ --purpose=PRIVATE_SERVICE_CONNECT \\ --addresses=10.40.255.2 \\ --network=vpc-app-prod gcloud compute forwarding-rules create psc-google-apis \\ --project=svc-app-prod \\ --global \\ --network=vpc-app-prod \\ --address=psc-google-apis \\ --target-google-apis-bundle=all-apis # Variant B: per-service PSC endpoint for a published service attachment # (e.g. a partner SaaS or another team's Cloud SQL instance). 
gcloud compute forwarding-rules create psc-vendor-api \\ --project=svc-app-prod \\ --region=europe-west1 \\ --network=vpc-app-prod \\ --subnet=snet-psc-euw1 \\ --target-service-attachment=projects/vendor-prod/regions/europe-west1/serviceAttachments/vendor-api</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) # Variant A: global PSC endpoint for the all-apis Google bundle. resource \"google_compute_global_address\" \"psc_google_apis\" { project = var.host_project_id name = \"psc-google-apis\" purpose = \"PRIVATE_SERVICE_CONNECT\" address_type = \"INTERNAL\" address = \"10.40.255.2\" network = google_compute_network.vpc_app_prod.id } resource \"google_compute_global_forwarding_rule\" \"psc_google_apis\" { project = var.host_project_id name = \"psc-google-apis\" target = \"all-apis\" network = google_compute_network.vpc_app_prod.id ip_address = google_compute_global_address.psc_google_apis.id load_balancing_scheme = \"\" } # Variant B: per-service PSC consumer endpoint. 
resource \"google_compute_forwarding_rule\" \"psc_vendor_api\" { project = var.host_project_id name = \"psc-vendor-api\" region = \"europe-west1\" network = google_compute_network.vpc_app_prod.id subnetwork = google_compute_subnetwork.snet_psc_euw1.id target = var.vendor_service_attachment load_balancing_scheme = \"\" }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeSubnetwork metadata: name: prod-subnet-pga-strict namespace: config-control spec: region: us-central1 ipCidrRange: \"10.0.32.0/20\" networkRef: name: prod-vpc privateIpGoogleAccess: true purpose: PRIVATE</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a3.x (verify)n/a SC-7(8); AC-4A.8.20; A.8.22CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.subnetworks.patch where privateIpGoogleAccess transitions from true to false. Cloud DNS private-zone mutations removing the private.googleapis.com / restricted.googleapis.com resolution path: dns.googleapis.com ManagedZones.update on the override zone. NAT-gateway adds on subnets that were previously private-Google-Access-only — egress fallback to the public Googleapis endpoint pattern. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND protoPayload.methodName=\"v1.compute.subnetworks.patch\" AND protoPayload.request.privateIpGoogleAccess=false</code> Pair this Cloud Logging filter with a Cloud DNS query against the override zone resource feed so private/restricted googleapis resolution changes surface alongside subnet flag changes. Alert threshold Page on any subnet transitioning out of Private Google Access on a production VPC. 
Page on Cloud DNS private-zone mutations affecting private.googleapis.com resolution; that path is a hard tenancy-perimeter invariant. Initial response Re-enable Private Google Access on the subnet via gcloud compute networks subnets update --enable-private-ip-google-access and restore the Cloud DNS override zone from the captured baseline. Audit VM-to-Googleapis traffic during the gap window via VPC Flow Logs joined against the published Google service-IP ranges; any egress that resolved to the public endpoint is a candidate VPC-SC-bypass attempt. Pin subnet flag and DNS zone records in Terraform and gate edits through change-management. References Google Cloud — Private Google Access (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-net-05-cloud-armor ! HIGH PREVENTIVE Front internet-facing web traffic with an external HTTPS Load Balancer and attach a Cloud Armor security policy carrying the preconfigured WAF rule sets — ModSecurity CRS 3.x for SQL injection (sqli-v33-stable), cross-site scripting (xss-v33-stable), local file inclusion (lfi-v33-stable), remote file inclusion (rfi-v33-stable), remote code execution (rce-v33-stable), scanner-detection, and protocol-anomaly — and integrate reCAPTCHA Enterprise for bot mitigation on credential-bearing endpoints (Google Cloud — Cloud Armor security policy overview (accessed 2026-05)). Cloud Armor evaluates at the LB edge across Google's global PoP fleet, inspecting HTTP and HTTPS payloads — URI, headers, body, cookies, query strings — and is therefore an L7 control. Anti-conflation: Cloud Armor is the L7 WAF at the LB edge; Hierarchical Firewall Policies and VPC firewall rules (gcp-net-02) operate at L4 in the network plane. WAF cannot help with a volumetric SYN flood any more than L4 firewalls can stop an SQLi attempt in a well-formed HTTPS request. They are layered, not alternative. 
Adaptive Protection (gcp-net-06) is a different feature configured on the same security policy resource. HIGH PREVENTIVE because managed rules block known-exploit-pattern traffic at the edge before it ever reaches the application's parsing logic. MITIGATES: Application-layer attacks against internet-facing HTTP services — SQLi, command injection, XSS reflection, path traversal, known-CVE-pattern probes, credential stuffing, and basic bot abuse. ATTACK VECTOR: An attacker sends a Log4Shell-style probe (${jndi:ldap://...}) to a public API hosted behind a Google Cloud external HTTPS LB. Without the preconfigured CRS rules in deny mode, the request reaches the origin and is logged "},{"id":"gcp/workloads.html","url":"gcp/workloads.html","title":"GCP Workloads Hardening — Cloud Hardening Guide","breadcrumb":"Home GCP Workloads","description":"GCP workloads hardening: Shielded VM, OS Login + IAP, Artifact Registry vulnerability scanning + Binary Authorization, VM Manager observability, Cloud Run service-account hardening, GKE Workload Identity Federation umbrella, Confidential / golden-image pipeline, VM Manager Patch Deployments.","body":"GCP Workloads Hardening Overview This page covers Google Cloud Platform workload hardening across four execution surfaces — Compute Engine virtual machines, Google Kubernetes Engine clusters (Autopilot and Standard), Cloud Run services, and Cloud Functions — and the supply chain that produces the artefacts those workloads run. Scope is the commercial GCP regions; GCP Sovereign Cloud (formerly Assured Workloads and the Google Cloud Air-Gapped offering) inherits the same controls but exposes a different region table and a different service-availability matrix — re-verify against the relevant cloud.google.com sovereign endpoint documentation before applying the IaC below to a sovereign or air-gapped deployment. 
CIS sub-IDs throughout this page reference the CIS Google Cloud Platform Foundation Benchmark v4.0.0 — May 2025 release (accessed 2026-05) unless explicitly annotated as a post-v4.0.0 best-practice recommendation that the current benchmark has not yet codified. The cross-cutting principles — image / OS hardening, patch management, runtime security, container-specific concerns, serverless-specific concerns, supply chain, and secrets in workloads — are owned by the General Workloads page; this page maps them to GCP primitives. The canonical secrets-management treatment lives on the General IAM page; gcp-work-05 cross-links to it rather than re-authoring. The GCP workloads model layers four product families. Compute Engine exposes virtual machines whose firmware (UEFI + measured boot via vTPM), boot integrity (Secure Boot policy), and runtime integrity (kernel-measurement attestation) are configured per-instance and gated by the organisation-level constraints/compute.requireShieldedVm Org Policy. Google Kubernetes Engine (GKE) runs Kubernetes clusters in two flavours — Autopilot (Google-operated node pool, no node access; reduces control-plane operator burden) and Standard (customer-operated node pools; supports privileged DaemonSets, custom OS images, GPU pools) — and gates pod identity via Workload Identity Federation for GKE using the current --workload-pool=PROJECT_ID.svc.id.goog flag (the legacy identity-namespace flag form is deprecated). Cloud Run is the managed-container serverless surface; it accepts container images from Artifact Registry, runs them under a per-service service account, and exposes ingress that must be restricted away from all. Cloud Functions shares the same Cloud Run substrate in its 2nd-generation form. 
The supply chain is anchored by Artifact Registry (Docker, Maven, npm, Python, Go, Yum/Apt; CMEK-encryptable) with the Container Analysis API performing CVE + OS-package vulnerability scanning, and Binary Authorization as the admission-policy layer that requires attestations from cryptographically-identified attestors before an image can be deployed to GKE or Cloud Run. VM Manager ties the steady-state observability and patch loops together: OS Config Inventory, OS Config Compliance (reporting to Security Command Center), and OS Config Patch Deployments. The cross-cutting severity rubric applies; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and OCI sibling pages. Four anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. First: GKE is presented as a single umbrella control (gcp-work-06), not split by mode. Workload Identity Federation for GKE, private cluster topology (private endpoint + master-authorized networks), Binary Authorization integration, GKE Dataplane V2 (Cilium-based eBPF with NetworkPolicy default-deny), Shielded GKE Nodes, and the Autopilot-vs-Standard authoring choice all sit inside that one control body. Autopilot eliminates control-plane operator burden but constrains node-level customisation; Standard is required for privileged DaemonSets, custom OS images, GPU pools, and any workload that needs direct node access. The choice is a deployment-mode decision, not a different control surface. sibling-anchors.tsv pre-locks an 8-control count for this page and splitting GKE would inflate it without adding pedagogical value — the same umbrella decision applies on the EKS (Phase 6) and AKS (Phase 7) pages. Second: Artifact Registry vulnerability scanning and Binary Authorization are one workflow, one control (gcp-work-03). 
The Container Analysis API automatically scans every image push for CVE matches against the upstream OS-package indexes and Go / Python / Java / Node.js language dependencies; the results are persisted as Note + Occurrence resources tied to the image digest. Binary Authorization then evaluates a per-cluster (or per-service) admission policy at deploy time; that policy requires attestations from named attestors — typically encoding \"image built by the trusted CI/CD pipeline\" and \"image passed CVE scan with no CRITICAL/HIGH unfixed\". Sigstore cosign produces the keyless or KMS-backed signatures that those attestors consume; SLSA Build Level 3 is the current Google-recommended supply-chain bar (in-toto attestation generated by a hardened, isolated builder). Scanner + policy + attestation is a single supply-chain story; one control, two-part body. Third: VM Manager has two distinct review workflows on this page (gcp-work-04 and gcp-work-08) even though they share the same product. gcp-work-04 covers OS Config Inventory (what is installed) + OS Config Compliance (whether the configuration matches policy) and the resulting vulnerability-report channel into Security Command Center — the detection and posture side of VM Manager. gcp-work-08 covers OS Config Patch Deployments and Patch Policies — the patch-application side: how the organisation rolls out CVE remediations on a recurring schedule with maintenance windows and rolling-restart semantics. They mirror the Phase 6 Inspector + Systems Manager Patch Manager two-surface split, and the Phase 7 Defender for Servers + Update Manager split — the same product, two distinct review rituals. Fourth: Cloud Run services run under a dedicated service account, NOT the default Compute SA (gcp-work-05). The Compute Engine default service account ships with roles/editor across the project — a Cloud Run service running under that identity has project-wide edit on every resource, every secret, every IAM binding. 
Each Cloud Run service must have its own least-privileged service account; ingress must be restricted to internal-and-cloud-load-balancing or internal for any service that does not legitimately serve the public internet; secrets must arrive via Secret Manager references (run.googleapis.com/secrets annotation or --set-secrets binding), never via plaintext environment variables in the service revision; and the IAM invoker binding must enumerate explicit principals — never allUsers (anonymous) or allAuthenticatedUsers (any Google account on the internet) unless the service is genuinely intended to be public. Cross-link to the canonical Secrets Manager treatment rather than re-authoring the secrets-management reference architecture here. Order and scope matter. Controls 01–02 are foundational invariants enforced organisation-wide via Org Policy and instance metadata: every Compute Engine instance gets Shielded VM (Secure Boot + vTPM + Integrity Monitoring) and is reachable only through OS Login + IAP, with no metadata-based SSH keys and no external IPs on workload VMs. Controls 03–04 close the steady-state observability loop: every image is scanned and admission-gated, every running VM reports inventory and compliance. Controls 05–06 harden the serverless and Kubernetes execution surfaces. Controls 07–08 close the supply-chain and patch loops at maturity. gcp-work-01-shielded-vm ! CRITICAL PREVENTIVE Enforce Shielded VM (Secure Boot + virtual Trusted Platform Module + Integrity Monitoring) on every Compute Engine instance organisation-wide via the constraints/compute.requireShieldedVm Org Policy constraint. Shielded VM raises the boot-firmware bar — UEFI firmware with Microsoft-signed root certificate, measured boot recorded into a vTPM, integrity-monitoring baselines verified against the running guest's PCRs — and refuses to boot images whose bootloader or kernel modules fail signature verification (Google Cloud — Shielded VM documentation (accessed 2026-05)). 
The principle is reinforced in General Workloads — image / OS hardening: an instance whose pre-OS attack surface is not measured cannot reason about whether it has been rootkitted before the operating system even started. Confidential VM (AMD SEV / SEV-SNP, Intel TDX) is called out as the upgrade path for regulated workloads — it adds memory encryption with attestation against the platform — but it is not a replacement for the Shielded VM baseline. Confidential VM is layered on top: --confidential-compute --maintenance-policy=TERMINATE requires Shielded VM features to be enabled. CRITICAL because a non-Shielded VM accepting an unsigned bootloader or a tampered kernel is the canonical rootkit-survives-reboot scenario; CIS GCP v4.0.0 §4 codifies the requirement. MITIGATES: Pre-OS rootkits and bootkit persistence; tampered or unsigned kernel modules executing before any guest-level EDR loads; in-memory tampering of the guest kernel that survives reboot. ATTACK VECTOR: An attacker with credential access to a Compute Engine admin role replaces a workload boot disk with a custom image whose initramfs hooks an unsigned kernel module that exfiltrates secrets on every boot. Without Secure Boot, the unsigned module loads silently. Without Integrity Monitoring, no PCR mismatch surfaces in Cloud Logging. Without vTPM-backed disk encryption, the disk image can be cloned and inspected offline. BLAST RADIUS: With the Org Policy in enforce mode: every Compute Engine instance in every project of the organisation, including projects that do not yet exist. Without it: any instance whose creation flow forgot the --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring flags is exposed for its entire lifetime. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enforce constraints/compute.requireShieldedVm at the organisation scope. 
cat > require-shielded-vm.yaml <<'YAML' name: organizations/ORG_ID/policies/compute.requireShieldedVm spec: rules: - enforce: true YAML gcloud org-policies set-policy require-shielded-vm.yaml \\ --organization=ORG_ID # Step 2: create a new Shielded VM (boot must use a Shielded-VM-compatible image family). gcloud compute instances create app-prod-01 \\ --project=svc-app-prod \\ --zone=europe-west1-b \\ --machine-type=n2-standard-4 \\ --image-family=ubuntu-2204-lts \\ --image-project=ubuntu-os-cloud \\ --shielded-secure-boot \\ --shielded-vtpm \\ --shielded-integrity-monitoring \\ --no-address \\ --service-account=sa-app-prod@svc-app-prod.iam.gserviceaccount.com \\ --scopes=cloud-platform # Step 3: inventory existing instances missing any Shielded VM toggle. for project in $(gcloud projects list --format='value(projectId)'); do gcloud compute instances list --project=\"$project\" \\ --format=\"value(name,zone,shieldedInstanceConfig.enableSecureBoot,shieldedInstanceConfig.enableVtpm,shieldedInstanceConfig.enableIntegrityMonitoring)\" 2>/dev/null \\ | awk -F'\\t' '$3!=\"True\" || $4!=\"True\" || $5!=\"True\" { print \"'\"$project\"'\\t\" $0 }' done # Step 4: enable the three toggles on an existing stopped instance. 
gcloud compute instances stop app-legacy-01 --zone=europe-west1-b --project=svc-app-prod gcloud compute instances update app-legacy-01 \\ --project=svc-app-prod --zone=europe-west1-b \\ --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring gcloud compute instances start app-legacy-01 --zone=europe-west1-b --project=svc-app-prod</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_org_policy_policy\" \"require_shielded_vm\" { name = \"organizations/${var.org_id}/policies/compute.requireShieldedVm\" parent = \"organizations/${var.org_id}\" spec { rules { enforce = \"TRUE\" } } } resource \"google_compute_instance\" \"app_prod_01\" { project = var.app_project_id name = \"app-prod-01\" zone = \"europe-west1-b\" machine_type = \"n2-standard-4\" boot_disk { initialize_params { image = \"projects/ubuntu-os-cloud/global/images/family/ubuntu-2204-lts\" } } network_interface { subnetwork = var.app_subnet_self_link # No access_config block = no external IP. 
} shielded_instance_config { enable_secure_boot = true enable_vtpm = true enable_integrity_monitoring = true } service_account { email = var.app_service_account_email scopes = [\"cloud-platform\"] } metadata = { enable-oslogin = \"TRUE\" block-project-ssh-keys = \"TRUE\" } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeInstance metadata: name: hardened-vm namespace: config-control spec: zone: us-central1-a machineType: e2-medium bootDisk: initializeParams: imageRef: external: \"projects/debian-cloud/global/images/family/debian-12\" networkInterface: - networkRef: name: prod-vpc shieldedInstanceConfig: enableSecureBoot: true enableVtpm: true enableIntegrityMonitoring: true</code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as gcp from \"@pulumi/gcp\"; // Shielded VM with Secure Boot + vTPM + Integrity Monitoring (CIS GCP 4.8). const hardenedVm = new gcp.compute.Instance(\"hardened-vm\", { name: \"hardened-vm\", zone: \"us-central1-a\", machineType: \"e2-medium\", bootDisk: { initializeParams: { image: \"projects/debian-cloud/global/images/family/debian-12\", }, }, networkInterfaces: [{ network: prodVpc.id }], shieldedInstanceConfig: { enableSecureBoot: true, enableVtpm: true, enableIntegrityMonitoring: true, }, });</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a4.x (verify)n/a AC-3; CM-7; SC-8A.8.20; A.8.25CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for v1.compute.instances.updateShieldedInstanceConfig where enableSecureBoot, enableVtpm, or enableIntegrityMonitoring transitions to false. Integrity-monitoring violation entries from running VMs in resource.type=\"gce_instance\" with jsonPayload.eventType=\"integrityViolation\". 
Org Policy state of constraints/compute.requireShieldedVm moved away from enforce: true. Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND protoPayload.methodName=~\"v1.compute.instances.updateShieldedInstanceConfig\" AND (protoPayload.request.enableSecureBoot=false OR protoPayload.request.enableIntegrityMonitoring=false)</code> Pair this Cloud Logging filter with a saved query on integrity-violation entries (resource.type=\"gce_instance\"); the two streams together provide both config-drift detection and runtime-integrity detection in a single Cloud Monitoring alert policy. Alert threshold Page on any updateShieldedInstanceConfig call that disables Secure Boot or Integrity Monitoring on production VMs. Page on the first integrity-violation entry from any production VM — vTPM measurement divergence indicates boot-stage tampering. Initial response Re-enable Shielded VM features via gcloud compute instances update --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring and reboot the instance to re-measure the boot chain. If an integrity violation fired, snapshot the VM's boot disk for forensic review and rebuild the VM from a known-good image; do not patch a tampered VM in place. Re-assert the constraints/compute.requireShieldedVm constraint at the organisation node; pin VM templates in Terraform with all three Shielded flags set. References Google Cloud — Shielded VM (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-work-02-os-login-iap ! 
HIGH PREVENTIVE Enforce OS Login organisation-wide via the constraints/compute.requireOsLogin Org Policy constraint, require 2-Step Verification (enable-oslogin-2fa = TRUE as project or instance metadata), deny metadata-based SSH keys (block-project-ssh-keys = TRUE), and access workload VMs exclusively through Identity-Aware Proxy (IAP) TCP forwarding — no external IPs on workload VMs (Google Cloud — OS Login documentation (accessed 2026-05); Google Cloud — IAP TCP forwarding documentation (accessed 2026-05)). OS Login ties SSH access to Google Cloud IAM: a user with the roles/compute.osLogin (or roles/compute.osAdminLogin for sudo) role on a project or instance can SSH, and their POSIX uid/gid is provisioned from their Google identity rather than from an instance-local authorized_keys file. IAP TCP forwarding tunnels SSH (and any other TCP protocol) through an IAP front-end that checks IAM (roles/iap.tunnelResourceAccessor) before the connection ever reaches the VM; workload VMs can therefore live in subnets with no external IPs. Anti-conflation: OS Login is the identity-binding layer (who can SSH); IAP is the network-path layer (how the SSH connection arrives). Both are required: OS Login alone leaves you needing external IPs or a self-managed bastion; IAP alone leaves you with instance-local SSH keys and the offboarding gap they imply. MITIGATES: Orphaned instance-local SSH keys after an employee leaves; brute-force traffic against external-IP-exposed SSH; lateral movement from a compromised workstation that scraped a service-account-keyed metadata-based SSH key. ATTACK VECTOR: Without OS Login, a workload team distributes SSH public keys via project metadata; when an engineer leaves the company, removing their Google account does nothing to their metadata-based key. Without IAP, the same workload VM has an external IP and listens on TCP 22; distributed brute-force traffic begins probing within hours. 
The departed engineer's key still works, and the brute-force may eventually succeed against weak account passwords on the host. BLAST RADIUS: Per VM exposed: full operating-system access plus whatever the bound service account's IAM grants reach in the project. With Org Policy enforcing OS Login + project-wide block-project-ssh-keys: zero metadata-based keys survive offboarding; access path collapses to IAP-gated SSH. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enforce OS Login organisation-wide via Org Policy. cat > require-oslogin.yaml <<'YAML' name: organizations/ORG_ID/policies/compute.requireOsLogin spec: rules: - enforce: true YAML gcloud org-policies set-policy require-oslogin.yaml --organization=ORG_ID # Step 2: require 2-Step Verification and block metadata SSH keys at project scope. gcloud compute project-info add-metadata --project=svc-app-prod \\ --metadata=enable-oslogin=TRUE,enable-oslogin-2fa=TRUE,block-project-ssh-keys=TRUE # Step 3: grant a user the OS-Login role + the IAP tunnel role at project scope. gcloud projects add-iam-policy-binding svc-app-prod \\ --member='user:alice@example.com' \\ --role='roles/compute.osLogin' gcloud projects add-iam-policy-binding svc-app-prod \\ --member='user:alice@example.com' \\ --role='roles/iap.tunnelResourceAccessor' # Step 4: connect to a VM with no external IP through IAP TCP forwarding. gcloud compute ssh app-prod-01 \\ --project=svc-app-prod --zone=europe-west1-b \\ --tunnel-through-iap # Step 5: audit instances that still carry external IPs (no workload VM should). 
for project in $(gcloud projects list --format='value(projectId)'); do gcloud compute instances list --project=\"$project\" \\ --format=\"value(name,zone,networkInterfaces[].accessConfigs[].natIP)\" 2>/dev/null \\ | awk -F'\\t' 'NF==3 && $3!=\"\" { print \"'\"$project\"'\\t\" $0 }' done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_org_policy_policy\" \"require_oslogin\" { name = \"organizations/${var.org_id}/policies/compute.requireOsLogin\" parent = \"organizations/${var.org_id}\" spec { rules { enforce = \"TRUE\" } } } resource \"google_compute_project_metadata\" \"oslogin_metadata\" { project = var.app_project_id metadata = { enable-oslogin = \"TRUE\" enable-oslogin-2fa = \"TRUE\" block-project-ssh-keys = \"TRUE\" } } resource \"google_project_iam_member\" \"oslogin_alice\" { project = var.app_project_id role = \"roles/compute.osLogin\" member = \"user:alice@example.com\" } resource \"google_project_iam_member\" \"iap_tunnel_alice\" { project = var.app_project_id role = \"roles/iap.tunnelResourceAccessor\" member = \"user:alice@example.com\" } # Explicit per-instance IAP tunnel grant (defence in depth). 
resource \"google_iap_tunnel_instance_iam_member\" \"alice_to_app_prod_01\" { project = var.app_project_id zone = \"europe-west1-b\" instance = \"app-prod-01\" role = \"roles/iap.tunnelResourceAccessor\" member = \"user:alice@example.com\" }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: orgpolicy.cnrm.cloud.google.com/v1beta1 kind: OrgPolicyPolicy metadata: name: require-os-login namespace: config-control spec: resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Organization external: \"organizations/ORG_ID\" spec: rules: - enforce: true name: \"organizations/ORG_ID/policies/compute.requireOsLogin\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a4.x (verify)n/a AC-17; AC-17(3); AU-2A.8.5; A.8.15CLD.9.5.1 Log signals Cloud Audit Logs on compute.googleapis.com for setCommonInstanceMetadata or setMetadata calls removing enable-oslogin or adding block-project-ssh-keys=false. IAP-tunnel disable events: compute.googleapis.com firewall-rule changes removing the IAP source range (35.235.240.0/20) from SSH ingress on production VPCs. Direct SSH connection attempts to public IPs: VPC Flow Logs entries on port 22 from non-IAP sources — captures both pure SSH-on-public-IP and bypass attempts. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND protoPayload.serviceName=\"compute.googleapis.com\" AND protoPayload.methodName=~\"v1.compute.(instances|projects).setMetadata\" AND (protoPayload.request.items.key=\"block-project-ssh-keys\" OR protoPayload.request.items.key=\"enable-oslogin\") AND (protoPayload.request.items.value=\"false\" OR protoPayload.request.items.value=\"FALSE\")</code> This Cloud Logging filter watches the metadata-level controls; pair with a VPC Flow Logs query on inbound port 22 traffic so silent IAP-bypass attempts surface alongside the metadata mutation events. Alert threshold Page on any metadata mutation disabling OS Login on production VMs or projects. Page on any inbound SSH connection from outside the IAP source range on a VM tagged for IAP-only access. Initial response Re-enable OS Login via gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE; remove unauthorised SSH keys from project metadata and per-instance metadata. Audit OS Login audit logs (resource.type=\"audited_resource\" with service=\"oslogin.googleapis.com\") for sign-in activity during the gap window; cross-correlate against the OS Login posix-account allow-list. Pin IAP-tunnel firewall config in Terraform; close the public-SSH path entirely so future bypass attempts fail at the network layer regardless of metadata state. References Google Cloud — OS Login (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-work-03-artifact-registry-scanning ! 
HIGH DETECTIVE Two-part supply-chain control: (a) every Artifact Registry repository has the Container Analysis API automatic vulnerability scanning enabled (CVE matches against OS-package indexes plus Go / Java / Node.js / Python language dependencies are persisted as Note + Occurrence resources tied to the image digest; Container Analysis — container scanning overview (accessed 2026-05)), AND (b) every GKE cluster and every Cloud Run service that consumes those images has a Binary Authorization policy in PROJECT_SINGLETON_POLICY_ENFORCE mode requiring attestations from one or more named attestors. The attestor encodes \"image built by the trusted CI/CD pipeline AND CVE-scanned\" using Sigstore cosign signatures (keyless via OIDC, or KMS-backed via Cloud KMS); the in-toto attestation produced by a hardened, isolated builder is the current Google-recommended SLSA Build Level 3 evidence (SLSA v1.0 — build levels (accessed 2026-05); Google Cloud — Software Delivery Shield overview (accessed 2026-05)). DETECTIVE on the scanning half (the scanner surfaces CVEs already in the image), PREVENTIVE-equivalent on the admission half (BinAuthz blocks deploys that fail the attestation check) — the control is typed DETECTIVE because the surface that names it is the scanner; the policy is the natural enforcement pair. Repository keys should be CMEK (kms_key_name) for regulated workloads. Cite the Binary Authorization key concepts reference for policy-evaluation semantics. MITIGATES: Deployment of images with known unfixed CRITICAL/HIGH CVEs; deployment of images that bypassed the CI/CD pipeline (unsigned, no provenance); typosquatting of trusted image references in deployment manifests. ATTACK VECTOR: An attacker compromises a developer's workstation, builds a malicious image locally with a backdoor in the entrypoint, pushes to the production Artifact Registry repository under a typo'd tag, and updates a Kubernetes Deployment to reference it. 
Without Container Analysis, no CVE scan ever runs against the image. Without Binary Authorization, GKE pulls and runs it because the registry URI is in an allowed list. The backdoor exfiltrates the bound service account's tokens within minutes of pod start. BLAST RADIUS: Per cluster / per service: every pod that schedules the malicious image, for as long as the image stays referenced. With BinAuthz PROJECT_SINGLETON_POLICY_ENFORCE: deploy is rejected at admission; pod never starts; only audit-log entries are produced. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: create a CMEK-encrypted Artifact Registry repository. gcloud artifacts repositories create app-images \\ --repository-format=docker \\ --location=europe-west1 \\ --kms-key=projects/svc-kms-prod/locations/europe-west1/keyRings/app-prod/cryptoKeys/artifacts \\ --project=svc-app-prod # Step 2: enable Container Analysis API (scanning is automatic once enabled). gcloud services enable containeranalysis.googleapis.com \\ artifactregistry.googleapis.com binaryauthorization.googleapis.com \\ --project=svc-app-prod # Step 3: query vulnerabilities for a specific image digest. gcloud artifacts docker images list \\ europe-west1-docker.pkg.dev/svc-app-prod/app-images/api \\ --include-tags --show-occurrences gcloud artifacts docker images describe \\ europe-west1-docker.pkg.dev/svc-app-prod/app-images/api@sha256:DIGEST \\ --show-package-vulnerability # Step 4: define + import a Binary Authorization policy that requires attestations. 
cat > binauthz-policy.yaml <<'YAML' defaultAdmissionRule: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - projects/svc-app-prod/attestors/built-by-prod-ci clusterAdmissionRules: europe-west1.gke-prod: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - projects/svc-app-prod/attestors/built-by-prod-ci globalPolicyEvaluationMode: ENABLE YAML gcloud container binauthz policy import binauthz-policy.yaml --project=svc-app-prod # Step 5: create an attestor backed by a Cloud KMS key (cosign-compatible). gcloud container binauthz attestors create built-by-prod-ci \\ --attestation-authority-note=projects/svc-app-prod/notes/built-by-prod-ci-note \\ --project=svc-app-prod # Step 6: sign an image post-CVE-scan in CI (cosign with a Cloud KMS key). cosign sign --key gcpkms://projects/svc-kms-prod/locations/global/keyRings/attest/cryptoKeys/ci/cryptoKeyVersions/1 \\ europe-west1-docker.pkg.dev/svc-app-prod/app-images/api@sha256:DIGEST</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_artifact_registry_repository\" \"app_images\" { project = var.app_project_id location = \"europe-west1\" repository_id = \"app-images\" format = \"DOCKER\" kms_key_name = var.artifact_kms_key_id description = \"Production application images; CMEK + scanned\" } resource \"google_container_analysis_note\" \"built_by_prod_ci_note\" { project = var.app_project_id name = \"built-by-prod-ci-note\" attestation_authority { hint { human_readable_name = \"Built by trusted production CI\" } } } resource \"google_binary_authorization_attestor\" \"built_by_prod_ci\" { project = var.app_project_id name = \"built-by-prod-ci\" attestation_authority_note { note_reference = google_container_analysis_note.built_by_prod_ci_note.name public_keys { id = data.google_kms_crypto_key_version.ci_attest.id 
pkix_public_key { public_key_pem = data.google_kms_crypto_key_version.ci_attest.public_key[0].pem signature_algorithm = data.google_kms_crypto_key_version.ci_attest.public_key[0].algorithm } } } } resource \"google_binary_authorization_policy\" \"policy\" { project = var.app_project_id default_admission_rule { evaluation_mode = \"REQUIRE_ATTESTATION\" enforcement_mode = \"ENFORCED_BLOCK_AND_AUDIT_LOG\" require_attestations_by = [ google_binary_authorization_attestor.built_by_prod_ci.name, ] } global_policy_evaluation_mode = \"ENABLE\" }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: artifactregistry.cnrm.cloud.google.com/v1beta1 kind: ArtifactRegistryRepository metadata: name: prod-containers namespace: config-control spec: location: us-central1 format: DOCKER description: \"Production container repository (Container Analysis enabled)\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/an/a(best-practices)n/a RA-5; SI-3; SA-11A.8.8; A.8.29CLD.12.4.5 Log signals Cloud Audit Logs on containeranalysis.googleapis.com for Notes.delete or Occurrences.delete targeting vulnerability findings tied to Artifact Registry images. Artifact Registry repo IAM mutations: artifactregistry.googleapis.com SetIamPolicy granting roles/artifactregistry.writer to principals outside the documented CI service-account list. Vulnerability-scanning enablement state: Artifact Analysis settings transitions from ENABLED to DISABLED at the project scope. 
Query <code class=\"language-plaintext\">logName=~\"projects/.*/logs/cloudaudit.googleapis.com%2Factivity\" AND ((protoPayload.serviceName=\"containeranalysis.googleapis.com\" AND protoPayload.methodName=~\".*Occurrences.Delete\") OR (protoPayload.serviceName=\"artifactregistry.googleapis.com\" AND protoPayload.methodName=~\".*SetIamPolicy\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/artifactregistry.writer\"))</code> Stream this Cloud Logging filter into Cloud Monitoring; pair with an Artifact Analysis findings query against the Pub/Sub topic so finding-delete activity and finding-creation rate are visible side-by-side. Alert threshold Page on any vulnerability-finding delete; findings should age out per the documented severity retention, not be deleted on demand. Page on any new artifactregistry.writer binding outside the documented CI principals. Initial response Quarantine images deployed during the unrestricted-writer window: enumerate via Artifact Registry tag history and tag them quarantine; redeploy production workloads from a known-good tag. Force a re-scan via Container Analysis API on every image whose findings were deleted; treat re-surfaced findings as if they had been present continuously. Pin repo IAM bindings in Terraform; gate writer-role bindings via a CI-approval gate so console additions cannot bypass review. References Google Cloud — Artifact Analysis (accessed 2026-05) Cross-provider equivalence: AWS · Azure · OCI Equivalent on: AWS · Azure · OCI gcp-work-04-vm-manager ! 
HIGH DETECTIVE Enable VM Manager across every project hosting Compute Engine workloads: deploy the Ops Agent (or the legacy Monitoring/Logging agents) via a managed policy, enable OS Config Inventory so the running package set is reported back, and enable OS Config Compliance to evaluate the running configuration against an OS Policy Assignment (CIS-hardened baseline; required sshd hardening; required auditd configuration) (Google Cloud — Manage OS with VM Manager (accessed 2026-05)). The compliance results surface as Security Command Center findings, closing the detection loop from \"package installed on a running VM\" to \"audit-ready dashboard at organisation scope\". This is the detection / posture side of VM Manager; the patch-application side is gcp-work-08. Anti-conflation: OS Config Inventory reports what is installed (raw package list, kernel version, agent versions); OS Config Compliance evaluates that inventory against policy (is openssh-server the expected version? does /etc/ssh/sshd_config enforce PermitRootLogin no?); OS Config Patch Deployments (the -08 control) is the remediation surface that closes the loop on a recurring schedule. Same product family, three distinct workflows. MITIGATES: Long-tail \"we don't know what's running on our VMs\" inventory gaps; configuration drift from the hardened baseline that survives reboot; missed CVE exposure surfacing only at audit time. ATTACK VECTOR: A long-lived production VM is launched from an outdated golden image; over months of in-place package updates, drift accumulates (older OpenSSL, unpatched sudo, missed kernel CVE). Without OS Config Inventory, the security team's CVE feed never surfaces this VM as exposed. Without OS Config Compliance, the configuration drift from auditd-enabled to auditd-disabled goes unnoticed; the auditor finds the gap quarters later. BLAST RADIUS: Per VM unobserved: full vulnerability window plus configuration-drift window for the VM's lifetime. 
With VM Manager: drift is surfaced in SCC within the OS Config polling interval (10–60 minutes); patch latency is bounded by the schedule on the paired Patch Deployment. Remediation — gcloud CLI <code class=\"language-bash\"># gcloud CLI (latest stable) # Step 1: enable the VM Manager APIs. gcloud services enable osconfig.googleapis.com containeranalysis.googleapis.com \\ --project=svc-app-prod # Step 2: enable OS Config on the project (per-instance metadata or project metadata). gcloud compute project-info add-metadata --project=svc-app-prod \\ --metadata=enable-osconfig=TRUE,enable-guest-attributes=TRUE # Step 3: deploy the Ops Agent across the fleet via an OS Policy Assignment. cat > ops-agent-policy.yaml <<'YAML' osPolicies: - id: install-ops-agent mode: ENFORCEMENT resourceGroups: - resources: - id: ops-agent repository: apt: archiveType: DEB uri: https://packages.cloud.google.com/apt distribution: google-cloud-ops-agent-focal-all components: [main] gpgKey: https://packages.cloud.google.com/apt/doc/apt-key.gpg - id: ops-agent-pkg pkg: desiredState: INSTALLED apt: name: google-cloud-ops-agent instanceFilter: all: true rollout: disruptionBudget: percent: 25 minWaitDuration: 300s YAML gcloud compute os-config os-policy-assignments create install-ops-agent \\ --location=europe-west1 \\ --project=svc-app-prod \\ --file=ops-agent-policy.yaml # Step 4: query OS inventory for a single VM. gcloud compute os-config inventories describe app-prod-01 \\ --location=europe-west1-b --project=svc-app-prod # Step 5: query OS compliance for the fleet. 
gcloud compute os-config os-policy-assignment-reports list \\ --location=europe-west1 --project=svc-app-prod</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform Google provider ~> 5.0 # Source: Google Cloud docs (accessed 2026-05) resource \"google_project_service\" \"osconfig\" { project = var.app_project_id service = \"osconfig.googleapis.com\" } resource \"google_compute_project_metadata_item\" \"enable_osconfig\" { project = var.app_project_id key = \"enable-osconfig\" value = \"TRUE\" } resource \"google_os_config_os_policy_assignment\" \"install_ops_agent\" { project = var.app_project_id name = \"install-ops-agent\" location = \"europe-west1\" os_policies { id = \"install-ops-agent\" mode = \"ENFORCEMENT\" resource_groups { resources { id = \"ops-agent-pkg\" pkg { desired_state = \"INSTALLED\" apt { name = \"google-cloud-ops-agent\" } } } } } instance_filter { all = true } rollout { disruption_budget { percent = 25 } min_wait_duration = \"300s\" } }</code> Remediation — Config Connector <code class=\"language-yaml\">apiVersion: osconfig.cnrm.cloud.google.com/v1beta1 kind: OSConfigOSPolicyAssignment metadata: name: baseline-os-policy namespace: config-control spec: location: us-central1 projectRef: external: \"projects/PROJECT_ID\" instanceFilter: inclusionLabels: - labels: env: prod osPolicies: - id: ensure-osconfig-agent mode: ENFORCEMENT resourceGroups: - resources: - id: osconfig-agent-running exec: validate: interpreter: SHELL script: \"systemctl is-active google-osconfig-agent && exit 100 || exit 101\" rollout: disruptionBudget: percent: 10 minWaitDuration: \"300s\"</code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a (best-practices) n/a RA-5; SI-4 A.8.8 CLD.12.4.5 Log signals Cloud Audit Logs on osconfig.googleapis.com for PatchDeployments.delete or PatchDeployments.patch on the 
production patch schedule. OS Config agent disable: compute.googleapis.com project-metadata mutations"},{"id":"general/compliance-frameworks.html","url":"general/compliance-frameworks.html","title":"Compliance Frameworks — Cloud Hardening Guide","breadcrumb":"Home General Compliance Frameworks","description":"CIS Benchmarks, NIST SP 800-53 rev5, NIST CSF 2.0, ISO/IEC 27001:2022, and ISO/IEC 27017:2015 — what each is for and how this guide maps controls across them.","body":"Compliance Frameworks Overview Cloud security audits and customer questionnaires rarely arrive in a single framework dialect. A finance customer asks about ISO/IEC 27001:2022 Annex A. A U.S. federal program asks about NIST SP 800-53 rev5 control families. A board reports against the NIST CSF 2.0 Govern/Identify/Protect/Detect/Respond/Recover functions, and an engineering team configures hardened defaults from a CIS Benchmark. Each framework describes the same security outcomes in a vocabulary the others do not share. This page documents what each framework is for, which exact version this corpus pins, and where the cross-framework mapping lives. Mapping between frameworks is rarely one-to-one. A single CIS Benchmark recommendation often satisfies one full NIST 800-53 control plus part of another, while an ISO/IEC 27001:2022 Annex A control may correspond to a family of CIS rules and a CSF 2.0 subcategory. NIST publishes the authoritative NIST 800-53 rev5 to ISO/IEC 27001 crosswalk in Appendix B of SP 800-53, and CIS publishes Cloud Companion guides that reference both. This guide relies on those primary mappings rather than reinventing them. Pinned versions matter. CIS bumps benchmarks regularly (CIS GCP moved to v5.0.0 in 2026, with CIS AWS Foundations at v7.0.0 and Azure Foundations at v6.0.0), and ISO/IEC 27001 was substantially restructured in the 2022 revision: the 2013 four-level Annex A numbering does not match the 2022 three-level numbering. 
Citing \"CIS AWS\" or \"ISO 27001\" without a version is ambiguous, and the ambiguity produces wrong answers every time. The methodology page explains how this corpus enforces pinned versions in every control-box compliance table. Framework summaries Five framework families inform this corpus. Each summary below states what the framework is, what it is used for, the exact version this guide pins, and where the primary source lives. CIS Benchmarks The Center for Internet Security publishes prescriptive, configuration-level hardening benchmarks for individual cloud platforms. Each benchmark enumerates concrete recommendations (\"Ensure MFA is enabled for the root user account\") tied to specific console toggles, API parameters, and CLI invocations, scored Level 1 (broadly safe to apply) or Level 2 (defense-in-depth, which may break legitimate workflows). CIS releases the PDF benchmarks free and sells pre-hardened machine images and CIS-CAT assessment tooling that check against the same recommendations. This corpus pins the four cloud-provider Foundations Benchmarks at the following versions: CIS AWS Foundations Benchmark v7.0.0; CIS Microsoft Azure Foundations Benchmark v6.0.0; CIS Google Cloud Platform Foundation Benchmark v5.0.0; CIS Oracle Cloud Infrastructure Foundations Benchmark v3.1.0. CIS Kubernetes Benchmark v2.0.0 is the pinned generic Kubernetes benchmark version. Every compliance-table row that cites a CIS recommendation prefixes the version exactly as listed; abbreviations such as \"CIS AWS 7\" or \"CIS GCP v5\" fail the STD-02 validation grep. See CIS Center for Internet Security — CIS Benchmarks portal (accessed 2026-05) for downloads and the published change logs. NIST SP 800-53 rev5 NIST Special Publication 800-53, revision 5, update 1 (January 2022) is the United States federal catalog of security and privacy controls. 
It organizes roughly one thousand controls into twenty families (AC Access Control, AU Audit and Accountability, CM Configuration Management, IA Identification and Authentication, SC System and Communications Protection, and so on), each with optional control enhancements. SP 800-53 is not cloud-specific, but FedRAMP, DoD SRG, CMMC 2.0, and most U.S. federal cloud authorizations consume it directly. Appendix B of SP 800-53 rev5 contains the authoritative crosswalk between NIST control families and ISO/IEC 27001:2013 Annex A. NIST has not yet published a fully revised crosswalk against ISO/IEC 27001:2022, so the 2013-to-2022 transition mapping (published by ISO and BSI) bridges that gap. This corpus cites the controls by their rev5 identifiers (for example IA-2(1) for multifactor authentication to privileged accounts) and uses Appendix B as the primary mapping authority. See NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls for Information Systems and Organizations (accessed 2026-05). NIST released Revision 5.2.0 on August 27, 2025, introducing 3 new controls. The underlying Revision 5 baseline (upd1, Jan 2022) remains authoritative for citation purposes, and the existing /r5/upd1/final URL remains stable. NIST CSF 2.0 The NIST Cybersecurity Framework 2.0 (February 2024) is an outcome-based framework, not a control catalog. CSF 2.0 organizes security outcomes into six Functions (Govern, Identify, Protect, Detect, Respond, Recover), each subdivided into Categories and Subcategories. The Govern Function was added in CSF 2.0; CSF 1.1 had five Functions. Govern covers risk management strategy, organizational context, supply chain, and policy. CSF 2.0 is useful for executive reporting, program maturity assessments, and as a vocabulary bridge between technical control catalogs (SP 800-53 rev5) and business risk discussions. 
This corpus references CSF 2.0 in the methodology page and in select control entries where the Subcategory ID adds executive-reporting value (for example PR.AA-01 identity and credential management). CSF 2.0 does not appear as a column in compliance-table rows because the four CIS benchmarks, NIST 800-53, and the two ISO/IEC documents already use up the column budget. See NIST Cybersecurity Framework 2.0 — Feb 2024 release (accessed 2026-05) for the framework documents, informative references, and the official CSF 2.0 Reference Tool. ISO/IEC 27001:2022 ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The standard itself specifies the management-system requirements (clauses 4-10 covering context, leadership, planning, support, operation, performance evaluation, and improvement); Annex A enumerates 93 reference controls organized into four themes: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The 2022 revision consolidated and restructured the 114 controls of the 2013 edition; numbering changed from four-level (e.g., A.9.4.2) to three-level (e.g., A.8.5). This corpus cites ISO/IEC 27001:2022 controls by their 2022 three-level identifiers exclusively. It does not use citations to ISO/IEC 27001:2013 (four-level), because a mixed-revision corpus would silently misalign with audit evidence. ISO documents are paywalled and cited by document number plus accessed date, not by URL contents: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — ISMS requirements (accessed 2026-05). ISO/IEC 27017:2015 ISO/IEC 27017:2015 is the cloud-specific guidance companion to ISO/IEC 27002. It augments the ISO/IEC 27002 control set with seven cloud-specific controls prefixed CLD. 
(CLD.6.3.1 shared roles and responsibilities within a cloud computing environment; CLD.8.1.5 removal of cloud service customer assets; CLD.9.5.1 segregation in virtual computing environments; CLD.9.5.2 virtual machine hardening; CLD.12.1.5 administrator's operational security; CLD.12.4.5 monitoring of cloud services; CLD.13.1.4 alignment of security management for virtual and physical networks). ISO/IEC 27017 also adds cloud-specific implementation guidance to many existing ISO/IEC 27002 controls. This corpus cites ISO/IEC 27017:2015 in compliance-table rows whenever a control has a meaningful cloud-shared-responsibility dimension that ISO/IEC 27002 alone does not fully capture (for example multitenancy isolation, customer-supplied keys, log delivery from the cloud service provider). The 2015 revision remains current, and no superseding revision has been published as of the accessed date. See ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (accessed 2026-05). Crosswalk overview The table below illustrates how a handful of high-level control areas map across the seven pinned columns. It is intentionally short: six rows of common controls, not the full corpus mapping. The complete control-by-control matrix lives in compliance-matrix.html (a Phase 10 deliverable). That page is not yet authored, so this section references it as plaintext rather than a hyperlink to avoid a broken link during the build-up. Reviewers who want exhaustive mapping today can read each domain principle page. Every control on iam.html, network.html, data.html, logging.html, workloads.html, and ir.html already carries a populated compliance-table footer. The crosswalk uses the standard .compliance-table class with seven framework columns. Cells contain the most specific framework identifier this corpus would emit when authoring a real control entry. 
Where a framework does not address a control area directly (for example ISO/IEC 27017:2015 has no dedicated incident-response control because it inherits from ISO/IEC 27002), the cell carries an em-dash. The \"—\" is a deliberate mapping signal, not an authoring gap. Control area CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 Multi-factor authentication on privileged identities 1.5, 1.10 1.1.1, 1.1.2 1.2 1.7 IA-2(1), IA-2(2) A.5.17, A.8.5 CLD.6.3.1 Encryption of data at rest with managed keys 2.1.1, 3.6 3.1, 3.2 3.1, 4.6 4.1 SC-13, SC-28 A.8.24 CLD.10.1.1 Centralized audit logging (control plane) 3.1, 3.2 5.1.1, 5.1.2 2.1, 2.2 3.1, 3.2 AU-2, AU-6, AU-12 A.8.15, A.8.16 CLD.12.4.5 Network segmentation and default-deny ingress 5.2, 5.3 6.1, 6.2 3.6, 3.7 2.1, 2.2 SC-7, SC-7(5) A.8.20, A.8.22 CLD.13.1.4 Vulnerability management and configuration baseline 4.1, 4.2 5.3, 7.6 4.8, 4.9 4.6, 4.13 RA-5, CM-6 A.8.8, A.8.9 — Incident response readiness 3.14 (org-level) 2.1.21 2.16 — IR-4, IR-8 A.5.24, A.5.26 — This table is illustrative. The complete compliance-matrix.html will list every control authored across the corpus, group them by framework, and provide bidirectional navigation (jump from a CIS recommendation to every domain page that implements it, or from an ISO/IEC 27001:2022 Annex A control to its NIST 800-53 rev5 peers). Until Phase 10 ships that page, the per-control compliance-table footers on each domain page are the authoritative source. The methodology page §Compliance mapping methodology documents how each cell value is verified against the framework's primary source rather than transcribed from a blog. Pinned version contract The seven version strings below are the single source of truth for every compliance-table header in this corpus. 
They are reproduced verbatim from docs/control-template.md §Pinned framework versions, and any divergence between the two documents is a corpus bug. The STD-02 validation grep matches the exact version suffix, so abbreviations fail the build. Framework family Pinned version (verbatim) Release CIS Amazon Web Services Foundations CIS AWS Foundations v7.0.0 2026 CIS Microsoft Azure Foundations CIS Microsoft Azure Foundations v6.0.0 2026 CIS Google Cloud Platform Foundation CIS GCP Foundation v5.0.0 2026 CIS Oracle Cloud Infrastructure Foundations CIS OCI Foundation v3.1.0 2025 NIST Special Publication 800-53 NIST SP 800-53 rev5 (upd1, Jan 2022) January 2022 ISO/IEC 27001 (ISMS) ISO/IEC 27001:2022 October 2022 ISO/IEC 27017 (cloud guidance) ISO/IEC 27017:2015 December 2015 The corpus-bump policy is strict: when any framework releases a new version mid-project, the entire corpus is updated in one operation during the Polish phase, never piecemeal. A mixed-version corpus (some pages citing CIS AWS v7.0.0 and others citing an older version, for example) silently breaks the compliance matrix and the search index. The pinned-version table here, the table in docs/control-template.md, and every per-control compliance-table header must agree. See the methodology page §Compliance mapping methodology for the verification procedure."},{"id":"general/data.html","url":"general/data.html","title":"General Data Protection Principles — Cloud Hardening Guide","breadcrumb":"Home General Data Protection","description":"General data protection principles: classification, encryption at rest and in transit, key management, backup and retention posture.","body":"General Data Protection Principles Overview Data is what attackers want. Compute is rented, identities are revocable, and networks are reconfigurable, but stolen customer records, regulated health information, payment data, and source code carry the financial and regulatory consequences that turn a misconfiguration into a breach disclosure. 
Every other control domain in this corpus (identity, network, logging and detection, and incident response) exists to prevent, detect, or recover from unauthorized access to data. Data protection sits at the centre of the threat model, and the most cost-effective control posture is the one calibrated to the sensitivity of the data being defended. Calibration starts with classification. A four-tier scheme labels every dataset by sensitivity before any encryption, access, or retention decision is made. Classification drives encryption-key custody (provider-managed for low-sensitivity data; customer-managed with hardware-security-module backing for regulated data), retention floors (compliance-driven minimums for PCI, HIPAA, SOX), backup posture (immutable for ransomware-targeted data), and data-loss-prevention coverage (full content inspection for restricted data; metadata-only sampling for internal data). Controls applied without classification are theatre. Encrypting public marketing copy with a customer-managed key wastes operational effort, while encrypting personal health information with a default service key concedes key access to the provider's operations staff in ways the threat model may not tolerate. This page treats encryption in transit as a cross-link to the general network principles page rather than duplicating it here. Keeping one canonical treatment per cross-cutting topic keeps the corpus internally consistent and avoids the divergence that creeps in when the same material is maintained in two places. Forward-links to aws/data.html, azure/data.html, gcp/data.html, and oci/data.html carry the provider-specific implementations of the principles below. 
Data classification A four-tier classification scheme is the minimum viable taxonomy: Public (intended for unrestricted disclosure, such as marketing collateral, published documentation, and open-source code), Internal (intended for employees and contractors, such as engineering wikis, internal roadmaps, and non-customer operational data), Confidential (subject to contractual or competitive harm if disclosed, such as customer lists, pricing models, unannounced product plans, and security findings), and Restricted (subject to statutory, regulatory, or contractual penalty if disclosed, such as personally identifiable information, protected health information, payment card data, and controlled unclassified information). Restricted data inherits every control applied to Confidential plus additional regulatory-class-specific controls. Regulatory classes that overlay the four-tier scheme include PII (personally identifiable information such as names, addresses, and identifiers; jurisdictionally defined, with GDPR Art. 4(1) and CCPA §1798.140 as the typical references), PHI (protected health information under US HIPAA 45 CFR §160.103; subject to the HIPAA Security Rule's administrative, physical, and technical safeguards), PCI (payment card data under PCI DSS v4.0; cardholder data and sensitive authentication data carry separate handling requirements), and CUI (controlled unclassified information under US federal contracts, governed by NIST SP 800-171). A single record can carry multiple regulatory class labels. A healthcare payment record is simultaneously PHI and PCI, and the controls applied are the union, not the intersection. Classification is most reliably enforced when applied at write time as a label that travels with the data. Provider tag-based labelling (AWS resource tags, Azure resource tags and Microsoft Purview sensitivity labels, GCP labels and Data Catalog tags, OCI defined tags) makes classification queryable and policy-actionable. 
A deny policy can prohibit Restricted-tagged buckets from being made public, a key-access policy can require additional principals for keys protecting Restricted data, and a backup policy can require longer retention for Restricted-tagged volumes. NIST SP 800-60 vol 1 provides the federal taxonomy for classifying information types and is the reference for any organization mapping its scheme to FIPS 199 impact levels. Classification without enforcement is a documentation exercise. Every classification scheme this corpus references therefore assumes a tagging-and-policy enforcement loop: data is tagged at creation, policies condition on tags, and a periodic scan re-classifies datasets that drift. A bucket that started as Internal and accumulates customer records becomes Restricted by content even if its tag is stale. The data-loss-prevention section below describes the scanning side of that loop. Encryption at rest Encryption at rest protects data persisted to disk: block volumes, object storage, managed databases, snapshots, backups, and log archives. Every major cloud provider encrypts data at rest by default with a provider-managed service key (AWS S3 SSE-S3 and EBS default encryption; Azure Storage service-side encryption; GCP default at-rest encryption with Google-managed keys; OCI Object Storage and Block Volume default encryption). The cryptographic primitive in every case is AES-256-GCM or AES-256-XTS, vetted against FIPS 140-2 / 140-3 module requirements. The question is never whether data is encrypted at rest, but who controls the key. Three key-custody models exist. Provider-managed (SSE) keys are generated, rotated, and accessed by the provider with no customer-visible key material. The customer's IAM permissions on the data resource gate access, but the provider's operations staff can decrypt under legal process or insider-threat scenarios. 
Customer-managed keys (CMK), namely AWS KMS customer-managed keys, Azure Key Vault keys, GCP Cloud KMS CMEK, and OCI Vault customer-managed keys, are still hosted by the provider's key-management service, but the customer controls the key policy (who can encrypt, who can decrypt, whether the key may leave the region) and can revoke access by deleting or disabling the key. Customer-supplied / external keys (CSE / HYOK / EKM), namely AWS XKS, Azure Key Vault Managed HSM with BYOK, GCP External Key Manager, and OCI Vault with HSM-backed keys, keep key material in customer-controlled hardware (often on-premises or in a sovereign HSM) and have the cloud KMS forward decryption requests to the external system. The customer can sever decryption globally by disabling the external key endpoint. NIST SP 800-111 (Storage Encryption Technologies for End User Devices) and NIST SP 800-175B (Guideline for Using Cryptographic Standards in the Federal Government) define the algorithm-strength and key-handling baselines that the three custody models inherit. The custody decision is a threat-model decision, not a default. CMK is required whenever the threat model treats provider operations staff as a relevant adversary, whenever data sovereignty rules require the customer to attest key control, or whenever key escrow against subpoena needs to be customer-mediated. HSM-backed keys are required whenever FIPS 140-2 Level 3 (tamper-evident, identity-based authentication) or Level 4 (tamper-active) module assurance is mandated by contract or regulation. MISCONFIGURATION \"Default provider SSE is sufficient for regulated data.\" It is not. Default service-key SSE protects against the loss of a physical disk and against unauthenticated reads of stored blocks. 
It does not protect against a malicious or coerced provider employee with key-access credentials, it does not satisfy a sovereignty regime that requires the customer to attest exclusive key control, and it does not give the customer a unilateral kill-switch when terminating a service relationship. Restricted data (PHI, PCI cardholder data, CUI, and any data subject to a sovereignty regime) requires a customer-managed key with explicit policy and audit logging. Treat default SSE as a hygiene floor for low-sensitivity data, not as a regulated-data control. Key management Key management is the operational discipline that turns a customer-managed key from a checkbox into a control. NIST SP 800-57 Part 1 Rev 5 (Recommendation for Key Management) defines the canonical key lifecycle: generation (inside an HSM or vetted RNG; never derived from low-entropy sources), distribution (key material never leaves the HSM in plaintext; only wrapped DEKs cross the boundary), storage (keys at rest inside the KMS / Vault / Cloud KMS / OCI Vault are themselves wrapped under a service root key), use (key access conditioned on IAM identity, network origin, and request context), rotation (cadenced replacement of the active key version; old versions retained for decrypt-only operations until data is re-encrypted under the new version), and destruction (scheduled deletion with a mandatory waiting period to prevent accidental key loss). Rotation cadence is a function of data sensitivity. Annual rotation is the minimum for any customer-managed key protecting Internal or Confidential data and is the cadence CIS recommends for symmetric KMS keys (CIS AWS Foundations v7.0.0 calls for annual rotation of KMS customer-managed keys; CIS Microsoft Azure Foundations v6.0.0 calls for Key Vault key rotation; CIS GCP Foundation v5.0.0 specifies CMEK rotation; CIS OCI Foundation v3.1.0 specifies Vault key rotation). 
90-day rotation applies to keys protecting Restricted data and to keys associated with high-volume signing operations where cryptanalytic exposure scales with use. Immediate rotation is required whenever a key administrator role is revoked, whenever a key is suspected of compromise, or whenever an HSM tamper event is recorded. Key policy hygiene is where most customer-managed-key deployments break. The dominant failure mode is a key policy that grants kms:Decrypt or equivalent to \"Principal\": \"*\" with no condition, intended as a development convenience and forgotten in production. Every key policy in this corpus follows three rules: (1) no wildcard principals, so every grant names an account, role, or workload identity; (2) least-privilege actions, so encrypt-only principals get encrypt-only grants, decrypt-only principals get decrypt-only grants, and key administrators get key-administration actions without data-plane decrypt; (3) cross-account or cross-tenant key sharing is an explicit deliberate decision, documented in the key tags and audited via a dedicated CloudTrail / Activity Log / Cloud Audit Logs / OCI Audit alert. Separation of duties applies inside the KMS as much as it applies in IAM. Key administrators (who can change policy, schedule deletion, rotate) should not be data-plane users (who can call Decrypt against the key). Break-glass key access, for example the principal authorised to recover from a forgotten administrative key, is held by a separately controlled identity with strong MFA, alerting on every use, and a documented runbook tying back to the incident response page. Cross-link to general IAM principles for the underlying identity model that key policies attach to. Encryption in transit Encryption in transit is treated canonically on the general network principles page. 
The short version: TLS 1.2 is the floor, TLS 1.3 is preferred, mTLS is required for service-to-service inside the trust boundary, and provider-internal traffic between regions or between services is not exempt. Assume the network is hostile and require encryption on every link. See general/network.html §Encryption in transit for the full treatment including IETF RFC 8446, cipher-suite policy, and provider mTLS implementations. Retention, backup, and recovery Retention is the deliberate decision to keep data for a defined period and to delete it afterwards. Both halves matter. Under-retention loses forensic evidence (logs deleted before an intrusion is discovered), breaches contractual minimums (PCI DSS requires audit logs retained 1 year with 3 months immediately available; HIPAA requires 6 years of audit-trail retention; SOX requires 7 years for financial records), and forfeits the ability to restore from before a corruption event. Over-retention accumulates regulated data past the lawful basis for processing (GDPR Art. 5(1)(e) storage-limitation principle), expands the breach blast radius unnecessarily, and inflates storage cost. Retention policy is therefore a per-classification, per-data-type decision, not a global default. Backup is the operational system that makes retention recoverable. The cloud-adapted 3-2-1 backup rule reads: three copies of data, on two different storage classes or providers, with one copy isolated from the primary control plane. \"Isolated\" means the backup cannot be deleted or encrypted by the same identity that compromised the primary, which makes the design ransomware-resistant. 
Every provider now offers an object-lock or immutable-vault primitive that enforces this isolation cryptographically: AWS S3 Object Lock in Governance or Compliance mode (Compliance mode cannot be disabled even by the root account during the retention period), Azure Backup immutable vaults with locked policies, GCS retention policies with bucket locks, and OCI Object Storage retention rules with locked time-bound retention. Backup encryption MUST use keys distinct from the primary data keys, otherwise compromise of the primary key compromises the backup. Recovery is the part that fails most often because it is rarely tested. Every backup policy in this corpus is paired with a documented restore runbook, a recovery point objective (RPO, the maximum acceptable data loss measured in time), and a recovery time objective (RTO, the maximum acceptable downtime). Restore is exercised at least quarterly against a non-production target; an untested backup is not a backup. Ransomware-specific recovery requires the additional discipline of validating that the immutable-backup copy itself has not been silently corrupted before encryption. CISA's StopRansomware guidance documents the pre-recovery integrity-check pattern. Cross-link to incident response for the full recovery workflow inside an active incident. Data loss prevention Data loss prevention (DLP) closes the gap between intent (classification) and reality (where regulated data actually lives). Every cloud has a DLP scanning service: Amazon Macie (S3 sensitive-data discovery; identifies PII, financial data, credentials), Microsoft Defender for Cloud + Microsoft Purview (cross-workload data discovery and classification; integrates with sensitivity labels), Google Cloud DLP (deep content inspection for over 150 information types across storage, BigQuery, and streams), and Oracle Data Safe (database-focused discovery with sensitive-data masking). 
The choice between content inspection (the scanner reads payload bytes; highest fidelity, highest cost) and metadata-only sampling (the scanner reads object names, sizes, tags, and a content sample; lower fidelity, lower cost) is a per-classification decision. DLP findings feed into the detection pipeline rather than acting in isolation. A Macie finding, a Defender for Cloud sensitivity-label alert, a Cloud DLP scan job summary, or a Data Safe sensitive-data discovery report becomes a control-plane event ingested by the SIEM. See general/logging.html for the alert-routing pattern. The detection feeds back into classification: data discovered in a location that does not match its sensitivity tag triggers a re-classification or relocation workflow. Cross-provider equivalence The four providers implement the same data-protection primitives under different names. The table below maps the principles in this page to the provider-native service that delivers them. Each provider deep-dive (aws/data.html, azure/data.html, gcp/data.html, and oci/data.html) carries the per-service configuration detail. 
Principle AWS Azure GCP OCI Default service-side encryption at rest S3 SSE-S3, EBS default encryption, RDS storage encryption Azure Storage service-side encryption, Azure Disk default encryption Default Google-managed at-rest encryption (all GCS, Persistent Disk, Cloud SQL) Object Storage default encryption, Block Volume default encryption Customer-managed key service AWS KMS customer-managed keys Azure Key Vault keys Cloud KMS with CMEK OCI Vault customer-managed keys External / customer-controlled key material AWS XKS (External Key Store) Azure Key Vault Managed HSM with BYOK GCP External Key Manager (EKM) OCI Vault with HSM-backed virtual private vault Immutable backup / ransomware-resistant retention S3 Object Lock (Compliance mode) Azure Backup immutable vaults with locked policy GCS retention policy with bucket lock OCI Object Storage retention rules with retention-rule lock Data loss prevention / sensitive-data discovery Amazon Macie Microsoft Defender for Cloud + Microsoft Purview Google Cloud DLP (Sensitive Data Protection) Oracle Data Safe Illustrative control: CMK with annual rotation The control-box below is an illustrative example of the markup pattern every provider data page applies. It is not a production control entry (provider pages carry CLI and IaC remediations specific to each cloud), but the threat-model framing, severity reasoning, and compliance-mapping pattern transfer directly. The illustrative ID gen-data-ex-01 is reserved and is not reused as a real control identifier. gen-data-ex-01 Customer-managed key with annual rotation for storage at rest ⛔ CRITICAL PREVENTIVE MITIGATES Unauthorized access to data at rest by a provider-side adversary (malicious or coerced operations staff, lawful-process disclosure outside the customer's notification regime) and loss of cryptographic control on contract termination, by requiring the storage layer to encrypt under a key whose policy and lifecycle the customer controls. 
ATTACK VECTOR Default service-side encryption uses a provider-controlled key. An attacker, or a lawful-process request, that compels the provider to decrypt the underlying storage will succeed without ever touching the customer's IAM. Annual or shorter key rotation additionally bounds the cryptanalytic exposure of any single key version and lets key custody attest freshness for auditors. BLAST RADIUS Every object, volume, snapshot, and managed-database instance encrypted under the affected key. For an organization root key protecting an entire bucket-class or volume-class, the blast radius is the customer's complete persisted-data corpus in the affected region. CRITICAL because absence directly enables data exfiltration via the provider plane: a single-step path from key-access compromise to plaintext recovery that requires no additional vulnerability or pivot. PREVENTIVE because the configured key policy and rotation schedule stop the unsafe state (provider-controlled key, indefinite rotation) from existing rather than detecting it after the fact. 
Maps cross-provider to CIS AWS Foundations v7.0.0 (KMS customer-managed-key rotation), CIS Microsoft Azure Foundations v6.0.0 (Key Vault key rotation), CIS GCP Foundation v5.0.0 (CMEK rotation), CIS OCI Foundation v3.1.0 (Vault key rotation), NIST SP 800-53 rev5 SC-12 (cryptographic key establishment), SC-13 (cryptographic protection), and SC-28 (protection of information at rest), ISO/IEC 27001:2022 A.8.24 (use of cryptography), and ISO/IEC 27017:2015 CLD.10.1.2 (key management in cloud services)."},{"id":"general/genai.html","url":"general/genai.html","title":"GenAI Security Principles — Cloud Hardening Guide","breadcrumb":"Home General GenAI","description":"Cross-cutting GenAI and LLM security principles: threat model, prompt injection, OWASP LLM Top 10:2025, EU AI Act obligations, and common misconfigurations.","body":"GenAI Security Principles Overview This page sets out the provider-neutral security principles for managed generative AI and large language model (LLM) APIs. Scope is limited to cloud-hosted managed model APIs: AWS Bedrock, Azure OpenAI Service, GCP Vertex AI (Gemini API), and OCI Generative AI Service. Self-hosted models, on-premises inference servers, and cloud training platforms (SageMaker, Azure ML, Vertex AI Training) are out of scope. This page does not contain provider-specific controls. For controls, see the provider pages: Azure OpenAI Service Hardening (live, the Phase 13 pilot). AWS Bedrock Hardening, GCP Vertex AI Hardening, and OCI Generative AI Hardening arrive in Phase 14. The principles on this page apply uniformly across all four providers; the provider pages translate each principle into auditable configurations, CLI commands, and IaC. 
Before reading the provider GenAI pages, security engineers should be familiar with three cross-cutting domains: Identity and Access Management (workload identities, least-privilege access), Network Security (private endpoints, egress controls), and Logging and Monitoring (audit trail, anomaly detection). GenAI hardening extends these foundations; it does not replace them. A misconfigured IAM role or a missing private endpoint is still critical even when content-safety guardrails are enabled. Threat model LLM-based systems present a different threat surface than traditional cloud workloads. In a conventional data store or compute deployment, the developer authors and deploys the application logic, and the attack surface is the API boundary, the network, and the credentials. In an LLM-based system, the model itself becomes a dynamic execution environment: it interprets natural language instructions from both the developer (system prompt) and the user (completion request), and in agentic configurations it issues tool calls that interact with real services. An attacker who can influence model inputs can influence model outputs and, in agentic systems, downstream actions. That is what makes the LLM threat surface new. LLM threat taxonomy mapped to OWASP LLM Top 10:2025 Threat OWASP LLM Top 10:2025 ID Description Prompt injection (direct) LLM01:2025 Attacker-controlled user input contains instructions that override or supplement the developer-set system prompt, causing the model to behave contrary to its intended design (e.g., bypass restrictions, leak data, execute unauthorised tool calls). Prompt injection (indirect / RAG) LLM01:2025 Malicious instructions are embedded in documents, web pages, or database records retrieved during a RAG (Retrieval-Augmented Generation) lookup. The model treats retrieved content as trusted context and executes the embedded instructions. The attacker never sends a direct request to the model. 
Sensitive data leakage in completions LLM02:2025 The model reproduces PII, credentials, or other sensitive information verbatim in its output, either from training-data memorisation or because sensitive data was included in the prompt context without redaction. The completion response itself becomes an exfiltration channel. Training-data poisoning LLM04:2025 Malicious data injected into a fine-tuning corpus corrupts model behaviour for specific input patterns (backdoor attacks), causes the model to produce systematically wrong outputs, or embeds extractable PII that can be recovered by later completion queries. RAG / vector-store poisoning LLM08:2025 Malicious content ingested into the vector store during the knowledge-base build phase creates adversarial embeddings. When retrieved, these embeddings inject hostile instructions into the prompt context at inference time. Unlike training-data poisoning, this attack targets the retrieval pipeline rather than model weights. System-prompt leakage LLM07:2025 The model discloses the contents of the developer-controlled system prompt in response to adversarial user queries. System prompts often contain proprietary instructions, API keys embedded as configuration, or business logic that was intended to remain confidential. Excessive agency LLM06:2025 An AI agent granted broad tool permissions (e.g., storage read/write, email send, code execution) can be triggered by a prompt injection or jailbreak to perform destructive, exfiltrating, or irreversible actions using those permissions. The blast radius equals the breadth of the tool permissions granted. Model DoS / unbounded consumption LLM10:2025 An attacker sends crafted inputs that trigger extremely long completions, repeated model calls, or resource-intensive reasoning chains. The result is quota exhaustion, runaway costs, or denial of service for legitimate users. Token-farming attacks (generating large outputs for re-sale) exploit the same surface. 
RAG pipelines combine two of these threats in a compound attack chain. LLM01:2025 (indirect prompt injection) and LLM08:2025 (vector and embedding weaknesses) interact when an attacker controls content that enters the knowledge base. The attacker poisons the retrieval index during ingestion (LLM08:2025), and those poisoned chunks are later retrieved and injected as adversarial instructions into the model context at inference time (LLM01:2025). The defence must address both stages: access-controlled ingestion pipelines with content provenance checks, and a differential trust treatment of retrieved content at inference time, where retrieved chunks are treated as untrusted user input rather than trusted system-level instructions. Cross-cutting principles Nine architecture-level principles apply regardless of which managed model API you deploy. Each principle is stated once here and referenced from provider pages. Provider pages translate these principles into concrete configurations, CLI commands, and IaC; they do not redefine the principles themselves. 1. Input filtering and validation Validate and sanitise all user-supplied text before it reaches the model. Apply a content-safety classifier or prompt injection detector at the application layer before model invocation. Do not rely solely on provider-managed safety filters at model inference time. An application-layer check provides an independent, earlier defence that catches attacks before they consume model tokens or trigger harmful model outputs. 2. Output filtering Apply content safety checks and PII redaction to model responses before returning them to the caller. Model outputs are untrusted data: they may reproduce memorised PII, generate harmful content that bypassed inference-time filters, or contain injection payloads designed to be executed by a downstream component (LLM05:2025). Treat model output as you would user-supplied input when passing it to other system components. 3. 
System-prompt isolation Treat the system prompt as trusted configuration, not as a user-addressable surface. Never include secrets (API keys, tokens, connection strings) in the system prompt, because model extraction attacks can surface them. Enforce system-prompt isolation through provider-level controls (e.g., role separation in the OpenAI message format, Bedrock system-prompt role, Vertex AI system instruction field) rather than trusting the model to protect prompt confidentiality. Assume the system prompt will eventually be extracted, and design it to be safe to disclose. 4. Content-safety guardrails Configure harm-category safety filters explicitly at recommended severity thresholds for your workload. Do not rely on provider defaults, which may be permissive or change without notice. Multiple independent layers are required: provider-managed inference-time filters are one layer, and application-layer input and output checks are additional layers. Content filters are not a complete prompt-injection defence; they reduce the attack surface but cannot eliminate it. 5. Tool-use authorisation Scope agent tool permissions to the minimum specific resources and actions required for the task. Validate all tool invocations server-side before execution; do not let the LLM's tool-call output run without an authorisation check at the application layer. Treat every tool invocation as if an untrusted caller had initiated it. This is the primary control against excessive agency (LLM06:2025) and the principal mitigation for the agentic AI blast-radius failure mode. 6. Rate limiting and quota management Apply per-user or per-application token and request quotas to prevent unbounded consumption (LLM10:2025). Instrument token usage per caller and alert on abnormal consumption patterns that suggest token-farming, automated abuse, or runaway inference loops. 
Rate limits at the application API gateway layer provide an additional check independent of provider-level quotas, which are typically per-deployment rather than per-caller. 7. Prompt and completion logging with PII redaction Log all model invocations with caller identity, timestamp, and request metadata for audit and anomaly detection. Redact PII from prompts and completions as a gate before any log write, not as a later post-processing step. Raw unredacted prompts in logs create a secondary exfiltration surface: a log-storage misconfiguration or an over-privileged analyst account can expose every user input sent to the model. The logging pipeline and the model invocation pipeline carry equal data-sensitivity risk. 8. Data-residency for embeddings Confirm that the vector store and embedding compute are located in the geographic region that your primary data classification requires for the source documents. RAG pipelines move data across two additional processing stages (embedding generation and vector storage) beyond the model invocation itself, and each stage must satisfy the data-residency requirements that govern the source documents. Providers offer region-locked embedding endpoints; verify the configuration rather than accepting defaults. 9. PII redaction before model invocation Strip or tokenise PII from user input before sending it to the model. This prevents PII from appearing in completions (LLM02:2025) and in prompt logs, and limits the data-sensitivity of the inference request itself. Reversible tokenisation (replacing PII with stable tokens before the prompt and substituting back in the response) allows PII-bearing applications to use managed model APIs without exposing PII to the model provider's inference infrastructure. Common misconfigurations These five patterns appear protective but weaken your GenAI security posture. Each has been observed in production environments. 
Misconfiguration 1: Raw unredacted prompts in default logs Enabling model invocation logging without a PII filter routes raw unredacted prompts to CloudWatch Logs, Log Analytics, or Cloud Audit Logs. Every user message, including any PII or sensitive context the user typed, is written verbatim to the log destination. Prompt logs become a secondary exfiltration surface with different access controls and retention policies than the primary application. A log-storage misconfiguration, an over-privileged analyst account, or a log-forwarding misconfiguration to a SIEM can expose user conversations at scale. Remediation: Apply PII redaction before log storage, as a pre-write gate rather than a post-processing step. Configure the logging pipeline to tokenise or mask PII fields before any log record is written to a durable destination. Misconfiguration 2: BLOCK_NONE safety filters Setting harm-category safety filters to BLOCK_NONE to reduce false positives eliminates the provider-managed output moderation layer entirely. Any jailbreak, adversarial prompt, or unintentional harmful completion produces unfiltered output that is returned to the caller. Operators frequently set BLOCK_NONE during development to reduce iteration friction, then leave it in place in production. A single misconfigured deployment with BLOCK_NONE becomes the entry point for adversarial users who test filters systematically. Remediation: Tune thresholds rather than disabling. BLOCK_MEDIUM_AND_ABOVE is the minimum recommended setting for regulated contexts. Maintain separate deployment configurations for development and production environments with different filter thresholds. Misconfiguration 3: Shared API key or service account across environments Using a single shared API key or shared service account across development, staging, and production environments means a compromised development credential carries production blast radius. 
Audit logs cannot distinguish per-workload or per-environment activity, breaking forensic traceability. A developer workstation with the shared API key stored in a dotfile or IDE config is a direct path to production model access. Remediation: Use per-workload, per-environment managed identities or IAM roles, never shared credentials. Each environment (development, staging, production) must have distinct identities with distinct audit trails and distinct permission scopes. Misconfiguration 4: Wildcard tool permissions on agents Granting an AI agent wildcard tool permissions (s3:*, lambda:*, Contributor role) \"for flexibility\" enables any successful prompt injection on the agent's tool-use execution path to perform arbitrary destructive or exfiltrating actions. The agent is the attack amplifier: a single injected instruction turns the agent's granted permissions into the attacker's effective permissions. Configuring wildcard tool permissions on agents is the primary agentic AI failure mode identified in OWASP LLM Top 10:2025. Every penetration test of an agentic AI system with broad permissions finds this path exploitable. Remediation: Scope execution roles to the minimum specific resources required for each tool. Validate tool invocations server-side before execution. Treat the LLM's tool-call output as untrusted input that must pass an authorisation check before any action is taken. Misconfiguration 5: Disabling abuse monitoring human review without compensating controls Applying for the Limited Access exemption to disable Microsoft's human review of flagged completions (citing privacy or latency concerns) without alternative detection controls removes a compensating layer that catches attack patterns automated classifiers miss. Abuse monitoring human review exists specifically to identify novel jailbreaks, prompt-injection campaigns, and policy-violation patterns before they are formalised into automated detectors. 
Removing it creates a detection gap during the interval between novel attack emergence and detector update. Remediation: Keep default abuse monitoring enabled. If disabling human review is a documented regulatory requirement, implement Defender for Cloud AI workload alerts and a structured incident-review process as compensating controls, and document the risk acceptance formally. Do not disable without a compensating control in place. OWASP LLM Top 10:2025 taxonomy The OWASP LLM Top 10:2025 (published November 2024) supersedes the 2023 edition (v1.1). Provider pages in this guide map controls to stable LLMxx:2025 IDs. LLM07:2025 (System Prompt Leakage) and LLM08:2025 (Vector and Embedding Weaknesses) are new entries in the 2025 edition; they do not exist in the 2023 list. The 2023 entry for position 7 was \"Insecure Plugin Design\", a concept now subsumed by LLM06:2025 Excessive Agency, so that 2023-edition mapping is incorrect when applied to the 2025 edition. Always verify which edition a mapping cites before using it as an audit reference. OWASP Top 10 for LLM Applications 2025: complete taxonomy ID Name Brief description LLM01:2025 Prompt Injection Direct and indirect prompt injection attacks overriding or supplementing model instructions via user input or retrieved context. LLM02:2025 Sensitive Information Disclosure Model reproduces sensitive data, PII, credentials, or proprietary information from training memorisation or prompt context. LLM03:2025 Supply Chain Vulnerabilities introduced via third-party models, datasets, plugins, or dependencies in the model delivery and deployment chain. LLM04:2025 Data and Model Poisoning Malicious injection into training data, fine-tuning datasets, or model weights that corrupts behaviour for specific input patterns. LLM05:2025 Improper Output Handling Downstream components processing LLM output without adequate validation, enabling XSS, SSRF, code injection, or command execution. 
LLM06:2025 Excessive Agency LLM agents granted excessive permissions or autonomy executing unintended, destructive, or exfiltrating actions via tool calls. LLM07:2025 System Prompt Leakage Disclosure of confidential system prompt contents to users via adversarial extraction queries. New entry in 2025 edition. LLM08:2025 Vector and Embedding Weaknesses RAG pipeline manipulation via poisoned embeddings, adversarial retrieval, or vector-store access control failures. New entry in 2025 edition. LLM09:2025 Misinformation LLM generates plausible but factually false or misleading information with downstream security or compliance consequences. LLM10:2025 Unbounded Consumption Excessive resource use, denial of service, or cost-exhaustion attacks via token farming, runaway inference chains, or quota abuse. Each provider page in this guide maps its controls to these IDs in the compliance table column labelled \"OWASP LLM Top 10:2025\". Source: OWASP Top 10 for LLM Applications 2025 (accessed 2026-05). EU AI Act: provider vs. deployer obligations The EU AI Act (Regulation (EU) 2024/1689) creates distinct obligations for cloud providers acting as general-purpose AI (GPAI) model providers and for enterprises that deploy AI APIs in their applications as deployers of high-risk AI systems. The enforcement timeline is staggered: the articles most relevant to cloud security hardening entered into force on different dates spanning 2025 to 2026. EU AI Act enforcement timeline: obligations relevant to managed GenAI API hardening Obligation Article Who it applies to In force date GPAI model provider transparency: technical documentation, training-data summary, copyright policy Art. 53 (in force 2025-08-02) Cloud providers placing GPAI models on the EU market (AWS, Azure, GCP, OCI) 2025-08-02 GPAI systemic-risk provider controls: adversarial testing, systemic risk assessment, serious incident reporting, cybersecurity measures for models trained with >10^25 FLOPs Art. 
55 (in force 2025-08-02) Major cloud providers whose foundation models qualify as systemic-risk GPAI 2025-08-02 High-risk AI deployer risk management: use per provider instructions, human oversight, input data management, impact assessment, incident monitoring, log retention ≥ 6 months Art. 26 (in force 2026-08-02) Enterprises deploying managed AI APIs in high-risk use cases (as defined in Annex III) 2026-08-02 High-risk AI system transparency to users: instructions for use enabling deployers to understand capabilities and limitations Art. 13 (in force 2026-08-02) Enterprises deploying in high-risk contexts; also obligations on providers to supply documentation 2026-08-02 Temporal qualification (important for audit use): As of this writing (2026-05), Art. 26 deployer obligations are NOT yet enforceable; the in force date is 2026-08-02. Art. 55 GPAI provider obligations ARE currently in force (since 2025-08-02). Do not cite Art. 26 as a current audit requirement; it is a future obligation. Provider compliance tables in this guide use the pattern Art. 55 (in force 2025-08-02) for controls where the cloud provider holds the Art. 55 obligation, and Art. 26 (in force 2026-08-02) where the enterprise deployer holds the obligation. Provider page compliance table cells follow the pattern: Art. 55 (in force 2025-08-02) for controls where the cloud provider holds the Art. 55 GPAI obligation, and Art. 26 (in force 2026-08-02) where the deployer holds the obligation under Art. 26. Every Art. reference in compliance cells includes the enforcement-date qualifier. A bare \"Art. 26\" without a date qualifier does not satisfy the audit-precision standard used throughout this guide. Reading the provider pages The provider GenAI pages translate the principles on this page into auditable, provider-specific controls. Each control article identifies the threat it addresses (by LLMxx:2025 code), the severity of the gap it closes, and the remediation steps including CLI commands and IaC. 
Compliance table columns on provider pages follow the 10-column GenAI schema: the four CIS Foundations benchmarks (marked n/a (no dedicated CIS GenAI benchmark) as no CIS benchmark exists for managed LLM APIs as of 2026-05), NIST SP 800-53 rev5, ISO/IEC 27001:2022, ISO/IEC 27017:2015, OWASP LLM Top 10:2025, NIST AI 600-1 (Jul 2024), and EU AI Act (2024/1689). Azure OpenAI Service Hardening is the Phase 13 pilot page and is currently live. It covers nine controls addressing all AZOPENAI-01 through AZOPENAI-09 requirements, including Entra ID authentication enforcement, Azure AI Content Safety Prompt Shields, content filter baseline configuration, private endpoint, RBAC least-privilege, diagnostic logging, customer-managed key encryption, quota and token rate limiting, and abuse monitoring configuration. AWS Bedrock Hardening, GCP Vertex AI Hardening, and OCI Generative AI Hardening are forthcoming in Phase 14. Phase 14 will follow the same 10-column compliance table schema validated by the Azure pilot and will add cross-provider equivalence links between all four provider GenAI pages. During Phase 13, equivalence link placeholders appear as HTML comments in the provider page source; live hrefs will be added in the Phase 14 sealing wave once all anchor targets exist. Each control on the provider pages carries an equivalence callout noting the analogous control on sibling provider pages. These callouts are populated progressively as provider pages are authored, and Phase 14 completes the full cross-provider equivalence map."},{"id":"general/iam.html","url":"general/iam.html","title":"General IAM Principles — Cloud Hardening Guide","breadcrumb":"Home General IAM","description":"General IAM principles: least privilege, separation of duties, MFA, identity federation, secrets management, privileged access.","body":"General IAM Principles Overview Identity and access management is the cloud's primary attack surface. 
The cloud control plane is reached over the public internet through an API that authenticates the caller and authorises the action; whoever holds the credential holds the resource. Network perimeters, host hardening, and data encryption are all secondary defences once an attacker can sign a legitimate API call. The ENISA Threat Landscape 2025 names identity-related compromise (phishing, credential stuffing, infostealer-sourced session theft, OAuth consent abuse) as the dominant initial-access vector against cloud tenants, and successive Verizon Data Breach Investigations Reports continue to attribute the largest single share of breaches to stolen or misused credentials. This page sets out the provider-neutral principles to absorb before opening any provider's IAM page. Six principles cover the material: least privilege, separation of duties, multi-factor authentication, identity federation, secrets management, and privileged access. Each is named once here, then mapped onto provider primitives on the four provider IAM pages: AWS IAM Hardening, Azure IAM Hardening, GCP IAM Hardening, and OCI IAM Hardening. The same principles connect to the broader threat model: see general/threat-model.html for Chain A (credential theft to lateral movement to exfiltration), and shared-responsibility.html for the customer-owned identity layer that this page elaborates. A note on scope. This page covers principles, not controls. Concrete configurations, such as Service Control Policy syntax, Conditional Access expressions, IAM Conditions CEL, and OCI policy statements, live on the provider pages. The cross-provider mentions here are one sentence each; the depth lives in the Phase 5 provider IAM pages and the controls they list. Principle 1: Least privilege Least privilege means a principal (a human user, a workload identity, an automation service account) holds only the permissions required for its assigned task, no more, and only for as long as the task needs them. 
The principle is older than the cloud; NIST SP 800-53 rev5 control AC-6 has codified it for decades. What is new in the cloud is the granularity. A modern provider IAM model exposes thousands of distinct actions across hundreds of services, and the path of least resistance for an engineer in a hurry, attaching the broadest managed policy that makes the deploy succeed, produces the over-permissive identity that turns a credential leak into a tenant-wide compromise. The four major cloud providers expose closely related least-privilege primitives, but the surface shape differs in ways that matter for design. AWS implements least privilege through identity-based policies attached to users, groups, and roles, combined with resource-based policies attached to specific resources (S3 buckets, KMS keys, Lambda functions), bounded organisation-wide by Service Control Policies and per-identity permission boundaries. Microsoft Azure expresses authorisation as role-based access control with Attribute-Based Access Control conditions, scoped through a four-tier hierarchy (management group, subscription, resource group, resource) that inherits downward. Google Cloud binds members to roles on resources, with hierarchical inheritance through the organisation and folder structure, augmented by IAM Conditions and (for data-plane perimeter enforcement) VPC Service Controls. Oracle Cloud Infrastructure expresses authorisation through compartment-scoped policy statements written in a constrained natural-language syntax, where compartments form the principal isolation primitive that inherits permissions downward. Across providers, three operational habits turn the principle into practice. First, start from zero permissions and add only what is actually exercised. Access Analyzer (AWS), Permissions Management (Entra), IAM Recommender (GCP), and Cloud Guard policy advisor (OCI) all surface unused privilege so it can be revoked. 
Second, prefer narrowly-scoped resource-level permissions over wildcards; an s3:GetObject on a named bucket prefix is structurally safer than s3:* on *. Third, separate authoring privilege from runtime privilege; the identity that deploys infrastructure should not be the identity the deployed application runs as. Principle 2: Separation of duties Separation of duties requires that no single identity can author, approve, and execute a privileged change. The threat model is straightforward: one compromised credential should not be enough to push a malicious change to production, exfiltrate data, or disable detective controls. The principle is enforced at two layers. The workflow layer covers code review, change approval, and deploy gates; the identity layer ensures the human who approves a change is not the identity that executes it. In a cloud context the principle has three concrete implications. Privileged actions (production deploys, IAM policy changes, KMS key policy edits, log destination changes, billing access) pass through a pipeline that records the proposer, the reviewer, and the executor as distinct identities. Break-glass accounts are configured for emergency use only; they are stored offline, rotated after every use, and their use produces a high-priority alert (see general/ir.html for credential-isolation and break-glass patterns). And privileged human identities cannot grant themselves additional privilege without secondary review. Service Control Policies, management-group policy assignments, organisation policy bindings, and tenancy-level admin separation are the four provider mechanisms that close this loop. A common failure mode is the \"super-admin\" account that holds both organisational policy authority and day-to-day administrative access. Split these into two distinct identities, one for policy authoring (rare use, MFA-only, alerted) and one for routine administration (more frequent, still MFA, less alerted). 
That split closes the largest separation-of-duties gap most cloud tenants exhibit. Principle 3: Multi-factor authentication Multi-factor authentication binds an authentication event to possession of a second factor in addition to knowledge of a password. The threat model is the credential-stuffing and phishing class: the attacker holds a valid username and password (sourced from an infostealer log, a credential-stuffing list, or a phishing kit) and attempts to sign in to the cloud control plane. With single-factor authentication this succeeds; with MFA it does not, provided the second factor is phishing-resistant. NIST SP 800-63B Digital Identity Guidelines define three Authenticator Assurance Levels (AAL1, AAL2, AAL3). AAL2 requires possession of a software or hardware authenticator in addition to a memorised secret; AAL3 additionally requires hardware-based cryptographic proof and verifier impersonation resistance, the property that defeats real-time phishing proxies. FIDO2 / WebAuthn authenticators (security keys, platform authenticators on managed devices) meet AAL3; SMS, voice, and email one-time codes do not meet AAL2 because the channel is bound to a phone number or mailbox rather than a device the user controls. Time-based one-time codes (TOTP) meet AAL2 but do not resist phishing kits that proxy the second factor in real time (the Evilginx-class adversary-in-the-middle pattern); FIDO2 binds the assertion to the legitimate origin and refuses to release credentials to the proxy. The four major providers all support phishing-resistant MFA, and the operational baseline has tightened over the last two years. AWS began enforcing root-account MFA on AWS Organizations management accounts in 2024 and is extending the enforcement to standalone and member accounts; root accounts without MFA can no longer perform sensitive operations. 
Google Cloud announced mandatory MFA for all Cloud user accounts, with a phased rollout completing in 2025; the enforcement defaults to 2-Step Verification with FIDO2 security keys (Titan or third-party) recommended. Microsoft Azure has historically driven MFA enrolment through Conditional Access and Security Defaults, and Microsoft has announced mandatory MFA for accessing Azure resources via the portal, CLI, and PowerShell. Oracle Cloud Infrastructure supports MFA per IAM Domain with multiple factor types including FIDO2, mobile authenticator, and time-based OTP. The illustrative control later on this page elaborates the phishing-resistant MFA pattern with full compliance-table markup. Principle 4: Identity federation Identity federation centralises authentication in a single identity provider (Microsoft Entra ID, Okta, Ping, Google Workspace, or equivalent) and grants the cloud tenants access via SAML 2.0 or OpenID Connect single sign-on. The alternative, local user accounts per cloud tenant, multiplies the credential surface, splits MFA enforcement across uncoordinated systems, and turns off-boarding into a manual checklist across four consoles. A single IdP collapses these into one enrolment, one MFA enforcement, one off-boarding action, and one consolidated sign-in log. On the human side, the pattern is mature. AWS exposes federation through AWS IAM Identity Center (formerly AWS Single Sign-On), which fronts the four AWS account roles a federated user assumes; Azure relies on Entra ID natively (the Azure tenant is the Entra tenant); GCP integrates Cloud Identity with external IdPs over SAML/OIDC; OCI Identity Domains federate to external IdPs with the same protocols. In all four cases the local cloud user accounts are reserved for break-glass and the occasional IdP-cannot-reach-cloud emergency path; the day-to-day human population lives in the IdP. 
On the workload side, federation eliminates static service-account keys, the credentials that have historically leaked to public source repositories, CI logs, and infostealer captures. AWS IAM Roles for Service Accounts (IRSA) and EKS Pod Identity grant Kubernetes pods AWS roles via an OIDC trust between the EKS OIDC provider and IAM; the pod presents a ServiceAccount token, IAM exchanges it for temporary credentials. GCP Workload Identity Federation extends the same pattern to GitHub Actions, GitLab CI, and any OIDC-issuing system. Azure Workload Identity Federation does the same for AKS and external CI; OCI supports workload identity for OKE through Instance Principals and Resource Principals. The design rule across providers: workload credentials should be short-lived, identity-federated, and tied to the workload's runtime context, never long-lived JSON keys stored in a CI variable. Principle 5: Secrets management Secrets management is the discipline of keeping credentials, API keys, database passwords, signing keys, and certificate private material out of source repositories, CI logs, container images, environment-variable dumps, and any other forensically loud location. This page is the canonical place this guide treats secrets management; other pages (notably general/workloads.html) link here rather than repeating the material. The provider secret stores (AWS Secrets Manager and the Parameter Store SecureString tier, Azure Key Vault, Google Cloud Secret Manager, and OCI Vault) share a small set of properties: secrets are encrypted at rest with a customer-controllable key, access is logged through the control-plane audit log, retrieval is granted through IAM rather than through possession of the secret value, and rotation is either built-in (Secrets Manager) or scriptable through provider primitives. 
The operational pattern is consistent: the application's IAM principal holds permission to retrieve the named secret at runtime; the secret value never crosses into a source repository, a CI log, or a container image layer; rotation is automated and the application reads the latest version on each retrieval or at a configured interval. Static cloud access keys are the canonical anti-pattern. An AWS IAM user access key, a GCP service-account JSON key, an Azure client-secret string, or an OCI API signing key checked into a source repository or pasted into a CI variable is the credential class that infostealer scans and public-repo crawlers harvest at industrial scale. The Snowflake credential-stuffing incidents of 2024 are the recent example: the credentials in those breaches did not need to be cloud-provider keys to enable mass data exfiltration; any long-lived authentication secret without MFA on the destination account suffices. The remediation is the same in every case: rotate and revoke the static credential, migrate the workload to workload-identity federation (see Principle 4), and add a secret-scanning hook to every commit and CI pipeline. Common misconfiguration: secrets in serverless environment variables. A Lambda function, Azure Function, Cloud Run service, or OCI Functions application configured with database passwords or API keys in plain-text environment variables exposes those values to anyone with read access to the function configuration, a far broader permission than read access to the corresponding secret-store entry. The provider console UI renders the values in cleartext; the deployment pipeline persists them in version-controlled IaC unless explicitly redacted; the runtime logs may emit them on cold-start error paths. 
The pattern across providers is identical: store the value in the provider secret store, grant the function's execution identity permission to retrieve it, and read it once per invocation (or cache it briefly within the function instance). Environment variables remain useful for non-sensitive configuration such as region, log level, and feature flags, but not for credentials. Principle 6: Privileged access Privileged access is the practice of granting elevated permission only when it is needed, only for as long as it is needed, and from administrative endpoints whose own hygiene is verified. Standing privileged access, a human user with a permanent global-administrator, organisation-administrator, or tenancy-administrator role assignment, is the single largest blast-radius identity in any cloud tenant; the operational discipline is to make standing privilege the exception and just-in-time elevation the default path. Microsoft Entra Privileged Identity Management is the most mature implementation: users are eligible for privileged roles, and activation requires MFA, optional approval, optional ticket reference, and a bounded duration after which the role assignment is revoked automatically. AWS IAM Identity Center supports session policies that scope an active session below the assumable role's permissions; combined with permission-set duration limits and CloudTrail visibility into role assumption, this approximates just-in-time elevation. Google Cloud's IAM Conditions and the (recently general-availability) Privileged Access Manager provide time-bound role grants. OCI Identity Domains separate administrators by domain and support time-bounded policy statements through dynamic groups. Privileged administrative actions should also originate from administrative endpoints: workstations or jump hosts that are managed, patched, EDR-equipped, and isolated from the day-to-day browsing surface that delivers phishing payloads. 
The discipline matters because phishing-resistant MFA defeats credential theft but not endpoint takeover; an attacker with code execution on an admin's laptop can ride the existing authenticated session through the proxy. Cross-provider equivalence Provider-specific control IDs that implement each principle in this summary are catalogued on the per-provider IAM pages: AWS IAM, Azure IAM, GCP IAM, OCI IAM. The table below summarises the primary provider primitive that implements each principle. The mapping is deliberately one cell per provider per principle; the provider IAM pages (AWS, Azure, GCP, OCI) extend each entry to the depth a hardening reviewer requires. Where a provider exposes multiple primitives for the same principle (AWS's identity-based vs resource-based policies, for example) the cell names the load-bearing primitive; the others are described inline in §Least privilege above. Principle AWS Azure GCP OCI Least privilege IAM identity + resource policies, SCPs, permission boundaries Entra RBAC + ABAC conditions + management-group hierarchy IAM bindings with conditions, organisation policies, VPC SC Compartment policies, IAM domains Separation of duties SCP-enforced policy-author / executor split, pipeline gates Management-group policy assignment + change-approval workflow Organisation policies + Cloud Deploy approvals Tenancy admin separation + compartment-bounded policies Multi-factor authentication Root MFA enforced + IAM Identity Center MFA + WebAuthn Conditional Access + Entra MFA + FIDO2 / Windows Hello Mandatory 2-Step Verification + Titan / FIDO2 security keys Identity Domain MFA factors + FIDO2 Identity federation IAM Identity Center + SAML/OIDC + IRSA / Pod Identity Entra ID + SAML/OIDC + Workload Identity Federation Cloud Identity + Workload Identity Federation Identity Domains federation + Instance / Resource Principals Secrets management Secrets Manager + Parameter Store SecureString Key Vault (secrets + keys + certificates) Secret Manager 
OCI Vault Privileged access IAM Identity Center session policies + permission-set duration Entra Privileged Identity Management (PIM) IAM Conditions + Privileged Access Manager Identity Domain admin separation + time-bounded policies Illustrative control: phishing-resistant MFA The control entry below is an illustrative example of the control-box markup every Phase 5 provider IAM page mirrors. It is included on this principles page to show how a principle (Multi-factor authentication, §3 above) translates into a concrete, severity-rated, compliance-mapped control. Provider-specific controls, with CLI remediation, Terraform IaC, and per-provider compliance-row specificity, live in the four provider IAM pages and not here. gen-iam-ex-01 (illustrative example) Enable phishing-resistant MFA on all human identities ⛔ CRITICAL PREVENTIVE MITIGATES Account takeover via credential theft, credential stuffing, or real-time phishing proxy attacks against human identities with cloud control-plane access (Chain A on general/threat-model.html). ATTACK VECTOR Attacker obtains a valid username and password from an infostealer log, credential-stuffing list, or phishing kit. Without phishing-resistant MFA, the attacker authenticates directly. TOTP-only MFA does not defeat a real-time adversary-in-the-middle proxy (Evilginx-class) that captures both the password and the time-bound code. FIDO2 / WebAuthn binds the assertion to the legitimate origin and refuses to release credentials to the proxy. BLAST RADIUS Every resource the compromised identity can access. For an organisation administrator or global administrator, this is the entire tenant; for a developer with broad IAM, an entire account, subscription, project, or compartment. Lateral movement via assumed roles, OAuth consent grants, or session-token replay extends blast radius beyond the initially compromised identity. 
Phishing-resistant MFA means hardware-backed FIDO2 / WebAuthn authenticators (security keys or platform authenticators on managed devices) or equivalent. SMS, voice, email OTP, and unbound TOTP do not meet the bar. NIST SP 800-63B Authenticator Assurance Level 3 specifies the verifier-impersonation-resistance property that resists real-time phishing proxies; FIDO2 is the most widely deployed AAL3-compatible authenticator across the four major providers. This control is illustrative; the provider-specific Phase 5 controls (AWS, Azure, GCP, OCI) carry CLI and Terraform remediation snippets for each provider. CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.10 — Ensure MFA is enabled for all IAM users with a console password 1.1.2 — Ensure that multi-factor authentication is required for all users 1.2 — Ensure that multi-factor authentication is enabled for all non-service accounts 1.7 — Ensure MFA is enabled for all users with a console password IA-2(1), IA-2(2) — Multifactor authentication to privileged and non-privileged accounts A.5.17 — Authentication information CLD.6.3.1 — Shared roles and responsibilities"},{"id":"general/index.html","url":"general/index.html","title":"General Cloud Security — Cloud Hardening Guide","breadcrumb":"Home General","description":"Cross-cutting cloud security topics: shared responsibility, threat model, compliance frameworks, and domain principles (IAM, network, data, logging, workloads, IR, methodology).","body":"General Cloud Security This section covers cross-cutting cloud security topics that apply across all providers. It sets up the shared-responsibility frame, the cloud threat model, the compliance frameworks crosswalk, and the methodology used to select and rate controls across the rest of the corpus. 
Domain principles (IAM, network, data protection, logging & detection, workloads, incident response) are introduced here in provider-neutral terms, then mapped onto AWS, Azure, GCP, and OCI primitives in the per-provider sections. Shared responsibility model Every control in this guide is organised around the shared responsibility model. It splits security obligations between the cloud provider (security of the cloud, meaning physical facilities, host hypervisors, and managed-service control planes) and the customer (security in the cloud, meaning identity, data, network configuration, and workload posture). The boundary shifts across IaaS, PaaS, and SaaS, and most cloud-security incidents start with a misunderstanding of who owns which layer at which abstraction. Read the full shared-responsibility page → Cloud threat model Threat modelling in the cloud applies the same first principles as on-premise work (what is the asset, who wants it, how do they get it) while accounting for cloud-specific access paths: leaked access keys, misconfigured public buckets, over-privileged identities, exposed control-plane APIs, and supply-chain compromise of build pipelines. The page lists five adversary classes (opportunistic scanners, credential thieves, supply-chain attackers, insiders, nation-states) and walks through named incident chains. Read the full threat-model page → Compliance frameworks crosswalk Cloud security audits rarely arrive in a single framework dialect: a finance customer asks about ISO/IEC 27001:2022, a federal program asks about NIST SP 800-53 rev5, a board reports against NIST CSF 2.0, and an engineering team configures hardened defaults from a CIS Benchmark. This page documents what each framework is for, which exact version this corpus pins (CIS AWS v3.0.0, CIS Azure v3.0.0, CIS GCP v4.0.0, CIS OCI v2.0.0, NIST 800-53 rev5, ISO 27001:2022, ISO 27017:2015), and where the cross-framework mappings live. 
Read the full compliance-frameworks page → Methodology: how controls are selected and rated This guide claims technical depth beyond a free CIS Benchmark PDF or a vendor whitepaper. That claim only holds if a reader can audit the editorial process: how each control is chosen, where its severity comes from, which framework versions back its compliance mappings, and how the page is kept current. The methodology page is that audit trail. It covers source-eligibility rules, how the severity rubric is applied, citation-quality requirements, and the build-time validation that enforces them. Read the full methodology page → Domain principles IAM: least privilege, separation of duties, MFA, identity federation, secrets management Network: segmentation, default-deny egress, private connectivity, DNS hygiene Data Protection: encryption at rest and in transit, key management, classification, backup posture Logging & Detection: audit trails, log centralisation, detection engineering, retention Workloads: baseline hardening, patching, image provenance, runtime protection Incident Response: preparation, containment, eradication, recovery, lessons learned GenAI Security: cross-cutting threat model, OWASP LLM Top 10:2025, common misconfigurations, and EU AI Act obligations."},{"id":"general/ir.html","url":"general/ir.html","title":"General Incident Response Principles — Cloud Hardening Guide","breadcrumb":"Home General Incident Response","description":"General incident response principles for cloud: lifecycle, preparation, containment, forensics, communication, recovery, tabletops.","body":"General Incident Response Principles Overview Cloud incident response inherits the lifecycle of on-premise incident response but operates in a substrate where the control plane is the new physical access, evidence is ephemeral, infrastructure can be re-created in seconds, and the provider sometimes plays a participatory role. 
A compromised long-lived static key reaches every region of the account before a defender finishes reading the alert; a terminated EC2 instance, deleted Azure VM, or destroyed Compute Engine VM takes its ephemeral disk and memory with it unless a snapshot has already been taken; a tenancy whose break-glass account has expired multi-factor enrolment discovers the gap only when it is too late to fix. The principles on this page exist because each of these failure modes has been observed, written up by an incident-response firm, and turned into a CISA or NSA advisory. The cost of re-learning them is paid in real customer data. This page is organised around the canonical IR lifecycle (preparation, detection and analysis, containment and eradication and recovery, and post-incident activity) adapted to cloud-specific containment patterns, forensics primitives, communication chains, and recovery procedures. Each section forward-links to the principles pages that own the day-zero controls IR depends on: logging and detection for the alert pipeline, IAM for the credential isolation primitives, data protection for the immutable backups recovery relies on, and the cloud threat model for the attack chains containment must close. IR lifecycle The lifecycle terminology this corpus uses is the four-phase model that appears in both NIST SP 800-61 Rev 2 (Computer Security Incident Handling Guide, August 2012) and its successor NIST SP 800-61 Rev 3 (Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, April 2025). Rev 3 reframes the same lifecycle through the lens of the NIST Cybersecurity Framework 2.0 outcomes (Govern, Identify, Protect, Detect, Respond, Recover) but preserves the operational vocabulary that practitioners use: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. 
Where this page cites the lifecycle, it cites Rev 3 as the current authoritative publication; teams whose runbooks are still Rev 2-aligned should read the Rev 3 transition note in the publication's introduction. Preparation is the work done before the alert fires: break-glass accounts pre-provisioned, runbooks rehearsed, communication channels exercised, forensic evidence-collection accounts pre-warmed. The quality of the incident response is largely determined here. In cloud, the preparation surface includes identity (break-glass, MFA enrolment, IdP independence), structure (security-dedicated accounts, subscriptions, projects, compartments), and process (runbooks specific to the cloud control plane). Detection and analysis begins with the alert pipeline documented in the General logging and detection principles page. Cloud detection is unusually rich, since CloudTrail / Activity Log / Cloud Audit Logs / OCI Audit capture the entire control-plane history, and unusually fragile, because an attacker who reaches the audit configuration can suppress the very feed that would detect them. Analysis triages the alert against the threat model on threat-model.html, assigns a severity (P0/P1/P2/P3/P4 in the convention this corpus uses), and starts the IR clock. Containment, eradication, and recovery are three sub-phases that overlap in practice. Containment isolates the compromise without destroying the evidence (the misconfiguration callout in §Containment patterns walks through the canonical \"do not delete the principal\" rule). Eradication removes the adversary's footholds: invalidated tokens, removed back-door identities, rotated KMS material, revoked OAuth consent grants. Recovery restores service from a known-good state, drawing on the immutable backup primitives documented in the General data protection principles page. Post-incident activity closes the loop: root-cause analysis, control-gap identification, runbook updates, posture re-baselining. 
The output of this phase is a backlog of preventive and detective controls that feed back into the hardening programme. An incident that does not produce a backlog item, at minimum \"this should have been detected sooner\" or \"this should have been impossible\", has not finished its lifecycle. Preparation Preparation is where cloud incident response is won or lost. The work is unglamorous: runbooks, accounts, contact lists, rehearsal. The principles below are the floor below which IR readiness should not fall. Runbooks pre-positioned, per-scenario, and rehearsed. A runbook is a step-by-step procedure for a specific class of incident: compromised IAM user, compromised role with AssumeRole privileges, ransomware on an EC2 fleet, accidentally-public storage bucket, OAuth consent-phishing across the tenant, exposed credentials in a public Git repository. Each runbook names the responsible role (incident commander, scribe, IAM analyst, network analyst, legal liaison), the first ten minutes of actions, the escalation criteria, and the success criteria for closure. A runbook that has never been rehearsed in a tabletop is a first-draft document, not a runbook. Break-glass accounts maintained with hardware MFA. Every cloud has scenarios in which the federated identity provider, the conditional-access policy, or the IAM control plane is the thing under attack. The break-glass account is the local-to-the-cloud identity that bypasses the federation path and admits the responder regardless. It must exist before the incident; it must enrol a hardware MFA token whose backup is stored in physical custody (a safe, a sealed envelope in legal counsel's office); its credentials must be tested quarterly; and any use must generate a CRITICAL alert. The illustrative control in §Illustrative control formalises this in DS-05 markup. Security-dedicated account, subscription, project, and compartment. 
The detection pipeline, the forensic-evidence retention bucket, the SIEM, the incident-response runner: none of these should live in the account under attack. AWS Organizations security-tooling account, Azure landing-zone management subscription, GCP security-foundations folder/project, OCI security compartment: each provider has the construct, and the structural separation pays out the first time an attacker reaches a workload account and the SIEM keeps writing. Out-of-band communication. The chat platform, ticketing system, and pager rotation the organisation uses every day are themselves cloud-hosted and themselves potential incident scope. The IR plan names a fallback channel (a managed Signal group, a Wickr equivalent, a phone tree, a Matrix server outside the affected provider) and exercises it. The middle of an incident is the worst possible time to discover that the fallback does not work. Legal, regulatory, and external-party contact lists maintained. The cyber-insurance carrier's incident hotline, the FBI and CISA points of contact, the data protection authority for every jurisdiction the organisation operates in, outside counsel, and the public-relations escalation chain are all required reading on day one of an incident. Breach-notification clocks are unforgiving: the GDPR Article 33 obligation is seventy-two hours from awareness for personal-data breaches; CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act, with CISA's implementing rule in finalisation at writing time; verify current status against the CISA CIRCIA page) imposes a seventy-two-hour reporting window for covered cyber incidents and a twenty-four-hour window for ransom payments at critical-infrastructure entities once the rule is in force. Sector regulators (HIPAA, PCI DSS, NYDFS, MAS-TRM) impose their own windows on top. 
Containment patterns Cloud containment differs from on-premise containment because the unit of isolation is an IAM construct, a VPC route, or a security-group rule rather than a network cable. The patterns below are the canonical containment moves; the per-provider IR pages document the exact CLI and IaC. Credential isolation. When a human or workload identity is suspected compromised, the goal is to neutralise the credential while preserving everything an investigation will need. The canonical move is to attach a Deny-All inline policy to the principal, revoke active sessions (AWS GlobalSignOut and StsRevokeOldSessions, Azure AD revoke-signin-sessions, Google Cloud revoke OAuth grants, OCI session termination), rotate any static credential the principal holds, and leave the principal itself in place. Deleting the principal seems decisive but deletes the evidence trail that maps actions to actors and breaks the forensic timeline at exactly the moment it is most needed. Misconfiguration: \"just delete the compromised principal.\" Deleting a compromised user, role, service principal, service account, or IAM resource principal during containment destroys forensic evidence. Audit-log entries that reference the principal lose their resolvable name; policy-evaluation traces lose their context; the timeline of \"which actions did this identity actually perform\" becomes harder to reconstruct. The correct move is to attach a Deny-All policy, revoke active sessions, rotate any static credentials, and leave the principal in place until the investigation is closed. Preserve first; eradicate second. Workload isolation. A compromised VM or container is moved to a forensic isolation network (an AWS forensic VPC with no egress, an Azure forensic VNet with NSG deny-all, a GCP forensic VPC with firewall deny-all egress, an OCI forensic VCN with Security List deny-all) and snapshotted before any remediation runs. 
The snapshot is the artefact the forensic investigation works against; the running workload is held in isolation long enough to capture volatile state (process tree, network connections, memory image) where the tooling permits, and then terminated rather than left in service. Termination without a snapshot destroys the evidence; live remediation contaminates it. Blast-radius assessment. Once the immediate containment is in place, the question shifts to \"what else did this principal or workload touch?\" The blast-radius framework documented in the cloud threat model page (single resource, single account, organisation, cross-tenant) drives the next containment moves. A compromised IAM user with read-only privileges is one scope; a compromised role with cross-account AssumeRole into a payments environment is a vastly larger scope, and the containment work expands to match. Forensics Forensic evidence in cloud is built from three substrates: block-storage snapshots (EBS snapshots, Azure managed-disk snapshots, GCP persistent-disk snapshots, OCI block-volume backups), the control-plane audit log (CloudTrail, Azure Activity Log and Microsoft Entra audit logs, Google Cloud Audit Logs, OCI Audit), and, where supported, memory acquisition from running workloads. NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response, August 2006) is the canonical reference for evidence handling; its core principles (chain of custody, original preservation, and working-copy analysis) apply unchanged to cloud artefacts. Block-storage snapshots are the cheapest and most reliable piece of cloud forensic evidence. Taken before any remediation runs, a snapshot freezes the state of the compromised volume at a point in time; the snapshot can be attached read-only to an isolated forensic VM in the security-dedicated account, hashed for chain-of-custody, and copied to write-once forensic storage with object-lock retention. 
The forensic environment is itself a piece of preparation, not improvisation: an account or subscription dedicated to incident response, pre-warmed with the analysis tooling (Volatility, Autopsy, the SANS SIFT workstation image), with retention configured so that an attacker who later reaches the security account cannot tamper with the evidence. Memory acquisition is harder. Microsoft Defender for Servers Plan 2 includes memory-dump capabilities for Windows VMs; AWS Lambda-based memory acquisition with frameworks like Margarita Shotgun or fmem works for Linux; GCP and OCI rely on agent-based capture configured in advance. Memory is where post-exploitation tooling lives (in-memory loaders, unbacked code, decrypted secrets) and is the most volatile evidence: it is captured live or lost. The audit log is the timeline. CloudTrail Lake, Azure Activity Log archived to a Log Analytics workspace and to a tamper-evident storage account, Cloud Audit Logs piped to a dedicated logs project and BigQuery dataset, OCI Audit archived to Object Storage with retention rules: each provides a tamper-evident, queryable record of every control-plane action. Chain-of-custody for the audit log means knowing that nothing in the path from API call to archived record allows undetected modification, which is why log-integrity validation (CloudTrail log file validation, immutable storage accounts, Cloud Logging's integrity guarantees, OCI Audit retention rules) is treated as a foundational control on the General logging and detection principles page. Exporting evidence for legal or regulatory purposes follows a documented procedure: hash before export, package with metadata describing provenance and acquisition method, transfer over an authenticated channel to legal counsel or the receiving regulator, and retain the original copy in forensic storage. The procedure is the same whether the recipient is in-house counsel, outside counsel, a regulator, or law enforcement. 
Communication Internal communication during an incident is driven by an incident commander (a single accountable role with decision-making authority) and a severity classification that bounds the response (P0 = active business-critical impact, all hands; P1 = serious but bounded impact, on-call plus subject-matter experts; P2 = limited impact, normal working hours; P3/P4 = informational, follow-up only). The incident commander is not necessarily the most senior technical responder; the role is coordination, not investigation. Scribes maintain the running log; subject-matter experts execute containment and remediation; the incident commander makes the call to escalate, to communicate, and to close. External communication runs through a legal-counsel approval gate. Every statement to a regulator, a customer, a law enforcement agency, or the public passes through counsel before transmission, because every statement creates legal exposure. The CSA Cloud Incident Response Framework formalises this with explicit roles for legal counsel, the data protection officer, and the communications lead, and recommends pre-drafted templates for the common notification scenarios (customer notification, regulatory breach notice, public statement) so the drafting cycle is short during the live incident. Regulatory notification windows are unforgiving and jurisdiction-specific. The seventy-two-hour GDPR Article 33 clock starts at organisational awareness of a personal-data breach. CIRCIA's seventy-two-hour reporting window for covered cyber incidents at covered entities starts at reasonable belief that a covered incident has occurred, with a twenty-four-hour clock for ransom payments. Sector regulators stack their own clocks. The notification matrix for the jurisdictions and sectors the organisation operates in is part of preparation, not part of the incident. Recovery and post-incident Recovery restores service from a state the organisation trusts. 
The substrate is immutable backups whose canonical treatment lives on the General data protection principles page §Retention, backup, and recovery: S3 Object Lock with compliance-mode retention, Azure Backup immutable vaults, Cloud Storage object retention policies and bucket lock, OCI Object Storage retention rules. The ransomware-resistant property of these substrates is that the credentials available to a compromised account cannot shorten the retention window or delete the backup. Recovery procedures restore from these backups, not from snapshots that the attacker had time to encrypt or delete. Root-cause analysis follows recovery. The output is a written incident report with a timeline (when did detection fire, when did containment apply, when did the adversary have access), a root-cause statement (the specific misconfiguration, control gap, or process failure that allowed the incident), and a remediation backlog (preventive and detective controls that would have closed the gap). The remediation backlog is not aspirational; each item has an owner, a target date, and a tracking ticket. Posture re-baselining closes the loop with the configuration management substrate. Microsoft Secure Score, AWS Security Hub security score, Google Security Command Center Premium security posture, and OCI Cloud Guard problem counts each provide a quantitative posture metric; the incident's remediation backlog should produce a measurable improvement in that metric. An incident whose backlog does not move the posture metric was probably not analysed deeply enough. Tabletop exercises and game days Runbooks that have never been exercised are first drafts. Quarterly tabletop exercises (facilitated scenarios where the IR team walks a hypothetical incident through the runbook without touching production) surface stale contact lists, ambiguous escalation paths, and runbook steps that do not survive contact with reality. 
Annual purple-team exercises, in which a red team exercises real attack chains against a production-equivalent environment while the blue team responds against real runbooks, are the higher-cost, higher-value complement. Both feed back into preparation: every exercise produces a list of runbook edits, contact-list corrections, and control gaps, and every list closes before the next exercise. Cross-provider equivalence The principles above map to provider-specific products and patterns. The table below is a navigation aid, not a compliance crosswalk; per-provider depth lives in the IR pages of each provider section. Capability AWS Azure GCP OCI Detection aggregation GuardDuty + Security Hub Microsoft Defender for Cloud + Microsoft Sentinel Security Command Center (Premium / Enterprise) Oracle Cloud Guard Block-storage snapshot EBS snapshot Managed Disk snapshot Persistent Disk snapshot Block Volume backup / clone Forensic network isolation Forensic VPC + SCP deny-all on principal Forensic VNet + NSG deny-all + Conditional Access block Forensic VPC + firewall deny-all + IAM Deny policy Forensic VCN + Security List deny-all + IAM Deny statement Break-glass identity pattern Root user with hardware MFA + IAM Identity Center emergency-access role Global Administrator break-glass account excluded from Conditional Access Organisation Admin break-glass group with hardware MFA Tenancy Administrator break-glass user in Default identity domain Illustrative control: pre-positioned break-glass account The control below illustrates the canonical <article class=\"control-box\"> markup with a CRITICAL PREVENTIVE pairing. It is provider-neutral; each provider's IR page restates the same intent with provider-specific CLI and IaC. The control mitigates the scenario in which an attacker (or, more commonly, a misconfigured Conditional Access policy or expired federation certificate) locks out the very responders who would otherwise contain the incident. 
gen-ir-ex-01 Maintain pre-positioned break-glass account with hardware MFA ⛔ CRITICAL PREVENTIVE MITIGATES Total IAM lockout during incident response: an attacker who reaches federated-identity infrastructure, a misconfigured Conditional Access policy that excludes every administrator, or an expired federation certificate makes the cloud control plane unreachable through the normal authentication path; the break-glass account is the local-to-the-cloud identity that admits responders regardless. ATTACK VECTOR Adversary compromises the identity provider (Entra ID, Okta, Google Workspace, OCI federation source) and forces a malicious Conditional Access policy; or organisational error (expired SAML signing certificate, accidental administrator removal, MFA registration failure) locks every administrator out. Without a break-glass account whose authentication does not depend on the broken element, the responder has no path back into the tenancy. BLAST RADIUS If the control is absent and the lockout scenario materialises, the entire cloud control plane is unreachable for the duration of the federation-recovery process (hours at best, days at worst), during which detection feeds may continue to fire on an actively progressing incident with no human able to act on them. The control provisions one (preferably two, for geographically separated custody) break-glass identity per cloud tenant or organisation: AWS root user plus an IAM Identity Center emergency-access role; Microsoft Entra Global Administrator excluded from Conditional Access policies that could lock it out; Google Cloud organisation administrator in a dedicated break-glass group; OCI Tenancy Administrator in the Default identity domain. Each account enrols a hardware FIDO2 / WebAuthn authenticator whose backup is stored in sealed physical custody (a safe, outside counsel's office, an envelope in a bank deposit box). 
The account's credentials are tested quarterly via an in-rehearsal sign-in to a non-destructive read-only scope, and every use generates a CRITICAL alert routed through the security findings substrate and an out-of-band channel. The account is excluded from the federation path that day-to-day administrators traverse; the entire point is that it works when federation does not. CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 Root user hardware MFA + IAM Identity Center separation recommendations (verify section number against pinned version) Global Administrator role separation and break-glass exclusion recommendations (verify section number) Organisation-admin separation recommendations (verify section number) Tenancy Administrator separation recommendations (verify section number) IR-1 (Policy and Procedures), IR-4 (Incident Handling), CP-2 (Contingency Plan) A.5.24 — Information security incident management planning and preparation; A.5.29 — Information security during disruption CLD.6.3.1 — Shared roles and responsibilities within a cloud computing environment Sources NIST SP 800-61 Rev 3 — Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, April 2025 (accessed 2026-05) NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response, August 2006 (accessed 2026-05) Cloud Security Alliance — Cloud Incident Response Framework (accessed 2026-05) CISA — Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) implementation page (accessed 2026-05) EU General Data Protection Regulation — Article 33: Notification of a personal data breach to the supervisory authority (accessed 2026-05) NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls for Information Systems and Organizations (accessed 2026-05) CISA — Incident Response Plan 
(IRP) Basics (accessed 2026-05) MITRE ATT&CK — Cloud matrix (accessed 2026-05)"},{"id":"general/kubernetes.html","url":"general/kubernetes.html","title":"Kubernetes Security Principles — Cloud Hardening Guide","breadcrumb":"Home General Kubernetes","description":"Cross-cutting Kubernetes security principles: threat model including CVE-2025-1974 IngressNightmare, cluster-baseline principles, common misconfigurations, compliance framework reference, and deprecated-technology warnings.","body":"Kubernetes Security Principles Overview This page sets the provider-neutral security principles for managed Kubernetes services. Scope is limited to managed control-plane offerings: Google Kubernetes Engine (GKE), Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Oracle Container Engine for Kubernetes (OKE). Self-managed Kubernetes (kubeadm, k3s, k0s), on-premises deployments, and container runtimes below the cluster API are out of scope. This page does not contain provider-specific controls or CLI commands. For provider controls, see the provider pages: GCP GKE Hardening (live, the Phase 16 pilot); AWS EKS Hardening, Azure AKS Hardening, and OCI OKE Hardening arrive in Phase 17. The principles on this page apply uniformly across all four providers, and the provider pages translate each one into auditable configurations, CLI commands, and IaC. Before reading the provider Kubernetes pages, security engineers should be familiar with three cross-cutting domains: Identity and Access Management (RBAC underpins all Kubernetes access control), Network Security (network policy, private cluster design), and Logging and Monitoring (audit log patterns, immutable log sinks). Kubernetes hardening extends these foundations. It does not replace them. Threat Model The Kubernetes control plane is the primary attack entry point. 
Compromise of the kube-apiserver grants arbitrary cluster access: any authenticated principal (or an unauthenticated one, if anonymous authentication is enabled) can enumerate secrets, create privileged pods, or modify workloads. Lateral movement from a compromised pod is the main way blast radius grows. A single pod with an overly permissive service-account token or a privileged security context can pivot to the underlying node, then to the cloud provider metadata service, and from there to broader cloud credentials. The nine threat categories below are the principal attack paths seen in production cluster incidents. Threat Category Attack Description Addressed By Control-plane compromise Unauthenticated or weakly-authenticated kube-apiserver; etcd port 2379 exposed without mutual TLS. An attacker who reaches the API server or etcd directly can read all cluster secrets and issue arbitrary API calls. Private cluster / authorized networks; etcd encryption at rest; mutual TLS on etcd; network policy restricting control-plane access Kubelet auth bypass --anonymous-auth=true on kubelet port 10250 allows unauthenticated exec, log retrieval, and metrics endpoints from any network-reachable host. Set --anonymous-auth=false; kubelet authentication.anonymous.enabled: false; webhook authentication mode Supply-chain image pull Mutable container image tags (e.g., :latest) allow silent image replacement; unsigned images provide no provenance guarantee. A poisoned image in a trusted registry executes on cluster nodes. Image signing and attestation (Binary Authorization / Notary / Sigstore); immutable digest-pinned image references; admission webhooks requiring attestations Privileged pod escape Pods running with securityContext.privileged: true, hostPID: true, hostNetwork: true, or hostPath: / mounts can escape container isolation and gain full node access. 
Pod Security Standards (PSS) Restricted or Baseline profile enforcement via PodSecurity admission controller; deny privileged pod specs at admission Network lateral movement Flat pod network with no network policy allows any compromised pod to reach any other pod or service in the cluster. Cloud IMDS endpoint (169.254.169.254) reachable from pods enables credential theft. Default-deny NetworkPolicy; IMDS network policy blocking pod egress; VPC-native clusters; GKE Dataplane V2 / Cilium CNI Secrets exposure Kubernetes Secrets stored unencrypted in etcd; service-account tokens auto-mounted into pods that never call the API (automountServiceAccountToken: true default); secrets in environment variables leak into application logs. Encryption at rest for etcd (customer-managed key); automountServiceAccountToken: false on pods and ServiceAccounts; workload identity replacing static tokens; envelope encryption via cloud KMS etcd direct access etcd port 2379 accessible without mutual TLS allows direct read/write of all cluster state, including unencrypted secrets and credentials. Mutual TLS on all etcd connections; encryption at rest; network-level restriction of etcd port to control-plane nodes only RBAC privilege escalation ClusterRoles with wildcard verbs (verbs: [\"*\"]) or wildcard resources (resources: [\"*\"]) grant cluster-admin equivalents. Binding the cluster-admin role to service accounts or default SA abuse allows any compromised workload to escalate privileges. Enumerate specific verbs and resources; prefer namespace-scoped Roles; audit clusterrolebindings for wildcard grants; restrict default ServiceAccount permissions Admission-bypass via webhooks A ValidatingWebhookConfiguration with failurePolicy: Ignore silently allows policy-violating workloads when the webhook is unavailable. 
In March 2025, CVE-2025-1974 (IngressNightmare) demonstrated that a misconfigured ingress-nginx ValidatingWebhookConfiguration with failurePolicy: Ignore allowed remote code execution on any pod. This is the canonical example of why webhook failure policies must be set to Fail and webhook namespaceSelectors must be reviewed. Set failurePolicy: Fail on ValidatingWebhookConfigurations; restrict webhook namespaceSelectors; audit all admission webhooks; keep ingress controllers up to date Cluster-Baseline Principles These 8 principles form the minimum acceptable security baseline for any managed Kubernetes cluster, regardless of provider. Provider pages in this guide map each principle to auditable controls and CLI commands. 1. Defense-in-depth. No single control is sufficient. Kubernetes security needs layered controls: network isolation at the cluster perimeter, admission enforcement at the API boundary, Pod Security Standards at the workload level, and audit logging for detection. Each layer independently limits blast radius when another fails. Design on the assumption that any single control will eventually be bypassed. 2. Least-privileged RBAC. Namespace-scoped Role objects are preferred over ClusterRole objects. No production workload should carry wildcard verbs (*) or wildcard resources (*). Service accounts should be provisioned per-workload, not shared across deployments. Audit ClusterRoleBinding objects regularly; any binding to cluster-admin requires documented business justification. 3. Pod Security Standards (PSS). The built-in PodSecurity admission controller enforces three profiles: Privileged (no restrictions), Baseline (prevents known privilege escalations), and Restricted (heavily restricted, follows current hardening best practices). The restricted profile is the target for all new workloads; baseline is the floor for legacy workloads that cannot yet meet restricted requirements. 
Enforce via namespace label: pod-security.kubernetes.io/enforce: restricted. 4. Network policy default-deny. All ingress and egress for every namespace should be denied by default using a NetworkPolicy with an empty pod selector and an empty ingress/egress block. Allow rules are then added explicitly for required communication paths. This requires a NetworkPolicy-capable CNI (Calico, Cilium, or a provider-managed equivalent such as GKE Dataplane V2). A cluster without network policies has a flat pod network where any compromised pod can reach any other workload. 5. Encryption at rest for etcd. All Kubernetes Secrets, ConfigMaps, and other sensitive resources stored in etcd must be encrypted at rest using a customer-managed key (CMK) via the cloud provider's key management service (KMS). Managed Kubernetes offerings provide envelope encryption: the data encryption key (DEK) is encrypted by the CMK; rotation of the CMK triggers re-encryption of DEKs. Encryption at rest limits the impact of direct etcd access or backup media compromise. 6. Audit logging. Kubernetes audit log and control-plane component logs (API server, scheduler, controller-manager) must be collected to an immutable log sink before any workload runs on the cluster. Audit logs are the primary forensic record for incident response. Without them, there is no way to determine what happened during or after a breach. Many compliance frameworks mandate audit log retention of 12 to 36 months. 7. Immutable infrastructure. Node operating systems should be immutable: read-only root filesystems, no in-place package updates, and nodes replaced rather than patched. Provider-managed hardened images give you this property: Bottlerocket (AWS), Container-Optimized OS (GCP), Azure Linux (formerly CBL-Mariner), and Oracle Linux 8 minimal (OCI). Immutable nodes block persistence mechanisms that rely on writing to the host filesystem or installing packages after boot. 8. Ephemeral credentials. 
No static key files or long-lived service account JSON credentials should be mounted into pods. Workload identity provides short-lived, automatically rotated credentials bound to a Kubernetes service account: EKS Pod Identity (AWS), Workload Identity Federation for GKE (GCP), AKS Workload Identity (Azure), and OKE Workload Identity (OCI). Ephemeral credentials narrow the window for credential theft and remove the need for secret rotation procedures. Common Misconfigurations These 7 patterns turn up often in production clusters, and each one is a significant security control gap. Gate G16.3 validates that all 7 patterns are documented here. 1. kubelet --anonymous-auth=true Enabling --anonymous-auth=true on the kubelet exposes port 10250 to unauthenticated exec, log, and metrics operations. Any network-reachable attacker can run arbitrary commands on the node without authentication. This is the default on older Kubernetes versions and some managed offerings unless it is explicitly hardened. Remediation: Set --anonymous-auth=false with explicit authentication mode Webhook. Verify with kubectl get --raw /api/v1/nodes/NODE/proxy/configz. 2. Default service-account token automount (automountServiceAccountToken) Kubernetes automatically mounts a service-account token (automountServiceAccountToken: true by default) into every pod, including pods that never call the Kubernetes API. An attacker who compromises any pod inherits that token's RBAC permissions. In clusters where service accounts have broad permissions, this is a direct privilege escalation path. Remediation: Set automountServiceAccountToken: false in the pod spec or ServiceAccount object for workloads that do not need cluster API access. Opt-in explicitly for workloads that do. 3. Wildcard RBAC permissions ClusterRoles with verbs: [\"*\"] or resources: [\"*\"] are cluster-admin equivalents by another name. 
A single compromised workload with wildcard RBAC can read all Secrets, create privileged pods, or delete critical namespaces. Wildcard grants often arrive through operators, Helm charts, and service mesh installations that over-provision permissions for convenience. Remediation: Enumerate specific verbs and resources; prefer namespace-scoped Roles over ClusterRoles. Audit with kubectl auth can-i --list --as system:serviceaccount:NAMESPACE:NAME. 4. Privileged pods without PSS enforcement Running pods with securityContext.privileged: true, hostPID: true, hostNetwork: true, or hostPath: / mounts grants container-escape capability. Without Pod Security Standards enforcement at the namespace level, any workload can request these capabilities and there is no admission gate blocking them. Remediation: Enforce PSS Restricted or Baseline profile at namespace level; require documented justification for any namespace using the Privileged profile. Apply the label pod-security.kubernetes.io/enforce: restricted. 5. Public API endpoint without IP allow-list Exposing the kube-apiserver on a public endpoint without an IP allow-list means any credential leak (a service account token, a kubeconfig, or a CI/CD secret) is immediately exploitable from the internet. A public API endpoint without access restrictions is the leading Kubernetes breach vector in cloud environments. Attackers continuously scan for exposed kube-apiservers on port 6443. Remediation: Enable private cluster mode (no public API endpoint) or, at minimum, restrict the public endpoint to specific authorized CIDR ranges before placing any workload on the cluster. 6. docker.sock or sensitive hostPath mounts in untrusted pods Mounting the Docker socket (docker.sock) or sensitive hostPath volumes (/, /etc, /var/run) into containers grants the container full host access. Containers with these mounts can escape isolation entirely, read host credentials, install persistent backdoors, or pivot to other nodes. 
This pattern is commonly introduced by CI/CD tooling and monitoring agents. Remediation: Deny docker.sock and sensitive hostPath mounts via PSS Restricted profile or an admission webhook. Audit existing workloads: kubectl get pods -A -o json | jq '.items[].spec.volumes[]?'. 7. Disabled audit logging Disabling Kubernetes audit log or control-plane log collection removes forensic capability. Without audit logs, there is no way to determine what happened during or after an incident: which credentials were used, which resources were accessed, and what changes were made. Many compliance frameworks (SOC 2, PCI DSS, ISO 27001) require audit log retention. Missing audit logging often turns a containable incident into an unresolvable one. Remediation: Enable audit log and control-plane log collection to an immutable log sink before placing any workload on the cluster. Verify that log forwarding is active, not just enabled. Compliance Framework Reference The following compliance frameworks provide specific Kubernetes hardening guidance. Provider pages in this guide map each control to applicable sections in the frameworks below. 
Framework Version Coverage Scope CIS Kubernetes Benchmark v2.0.0 v2.0.0 (2026) 5 sections: Control Plane Components, etcd, Control Plane Configuration, Worker Nodes, Policies Upstream Kubernetes; run with kube-bench --benchmark cis-1.11 CIS EKS Benchmark v1.8.0 Extends CIS Kubernetes Benchmark v2.0.0 for EKS-managed control plane and worker nodes AWS EKS CIS AKS Benchmark v2.0.0 Extends CIS Kubernetes Benchmark v2.0.0 for AKS-managed control plane, Azure-specific RBAC, and node configuration Azure AKS CIS GKE Benchmark v1.9.0 (+ Autopilot v1.3.0) Extends CIS Kubernetes Benchmark v2.0.0 for GKE-managed clusters; CIS GKE Autopilot Benchmark v1.3.0 covers Autopilot-specific defaults GCP GKE CIS OKE Benchmark v1.8.0 Extends CIS Kubernetes Benchmark v2.0.0 for OKE Enhanced Clusters OCI OKE NIST SP 800-190 Sep 2017 (active) Container security: image risks, registry risks, orchestrator risks, container risks, host OS risks Cross-platform containers NSA/CISA Kubernetes Hardening Guide v1.2 Aug 2022 Pod security, network policies, RBAC, threat model, incident response Kubernetes (not provider-specific) kube-bench (v0.13.0+) is the authoritative automated tool for CIS Kubernetes Benchmark v2.0.0 assessment. Source: github.com/aquasecurity/kube-bench (accessed 2026-05). Deprecated Technology Warnings These technologies were widely recommended in earlier Kubernetes documentation but have since been deprecated, removed, or superseded. Any guide that still presents them as current recommendations is out of date. PSP (Pod Security Policy): REMOVED in Kubernetes 1.25 The PSP admission controller (kind: PSP, the legacy pod security admission controller removed in Kubernetes 1.25, September 2022) cannot be used on any cluster running Kubernetes 1.25 or later. Any guide, operator, Helm chart, or Terraform module that provisions PSP resources is incompatible with modern Kubernetes. Migration path: Pod Security Standards (PSS) enforced by the built-in PodSecurity admission controller. 
Apply the namespace label pod-security.kubernetes.io/enforce: restricted. Clusters still running Kubernetes 1.24 or earlier with PSP enabled must plan migration immediately. aad-pod-identity (Azure AAD Pod Identity): END OF LIFE Sep 2025 The aad-pod-identity project reached end-of-life on September 30, 2025, including the NMI (Node Managed Identity) and MIC (Managed Identity Controller) components. Any AKS cluster still running aad-pod-identity receives no security patches. Replacement: Microsoft Entra Workload Identity (the azure-workload-identity webhook). AKS clusters should be created with --enable-workload-identity and use federated identity credentials. Migration documentation: azure.github.io/azure-workload-identity. aws-auth ConfigMap as primary EKS access: DEPRECATED Using the aws-auth ConfigMap as the primary mechanism for granting IAM principals access to EKS is deprecated. The ConfigMap is prone to misconfiguration and lacks audit-trail visibility. Replacement: EKS Cluster Access Management API access entries (aws eks create-access-entry). The ConfigMap still works for backward compatibility but should not be used in new cluster provisioning. New EKS clusters should use access entries exclusively. Amazon Linux 2 EKS nodes: END OF LIFE Nov 2025 Amazon Linux 2 (AL2) EKS node images reach end-of-life in November 2025. After that date AL2 nodes no longer receive security patches or CVE fixes, leaving clusters exposed to unpatched vulnerabilities. Replacement: Amazon Linux 2023 (AL2023) or Bottlerocket OS. AL2023 uses a minimal package set and SELinux enforcing mode; Bottlerocket is an immutable OS purpose-built for container workloads. Migrate before November 2025. Reading the Provider Pages Each provider Kubernetes page in this guide contains a set of auditable hardening controls. 
Each control is an <article class=\"control-box\"> element with these components: a control ID (e.g., gcp-k8s-01), a severity rating (CRITICAL, HIGH, or MEDIUM), a control type (configuration, IAM, network, logging), and a threat model reference that maps the control to the applicable threat category from the Threat Model section above. Each control includes: a CLI remediation block (provider CLI commands to audit and remediate the control), a Terraform IaC block (infrastructure-as-code to provision the control correctly), and an 11-column compliance table mapping the control to applicable framework sections. The 11 compliance columns are: Control / Severity / Type / Provider (4 metadata columns) followed by CIS Kubernetes Benchmark v2.0.0, the provider-specific CIS managed-service benchmark, NIST SP 800-53 rev5, ISO/IEC 27001:2022, ISO/IEC 27017:2015, NIST SP 800-190 (Sep 2017), and NSA/CISA Kubernetes Hardening Guide v1.2. For GKE controls, any control that behaves differently between GKE Autopilot and GKE Standard clusters includes a callout-info block immediately after the control header. That block explains the default behaviour and the required configuration for each cluster mode. CIS GKE Autopilot Benchmark v1.3.0 documents Autopilot-specific defaults. For provider-specific Kubernetes hardening guides, see AWS EKS, Azure AKS, GCP GKE, and OCI OKE. Sources CIS Kubernetes Benchmark v2.0.0. Center for Internet Security. cisecurity.org/benchmark/kubernetes (accessed 2026-05). NSA/CISA Kubernetes Hardening Guide v1.2. National Security Agency / CISA. Aug 2022. media.defense.gov (PDF) (accessed 2026-05). NIST SP 800-190: Application Container Security Guide. National Institute of Standards and Technology. Sep 2017. csrc.nist.gov/pubs/sp/800/190/final (accessed 2026-05). CVE-2025-1974 IngressNightmare. Kubernetes Blog. Mar 2025. kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/ (accessed 2026-05). 
kube-bench: automated assessment tool for CIS Kubernetes Benchmark v2.0.0 assessment. Aqua Security. github.com/aquasecurity/kube-bench (accessed 2026-05). Kubernetes Pod Security Standards. kubernetes.io. kubernetes.io/docs/concepts/security/pod-security-standards/ (accessed 2026-05). GKE Security Overview. Google Cloud. cloud.google.com/kubernetes-engine/docs/concepts/security-overview (accessed 2026-05). Kubernetes Audit Logging. kubernetes.io. kubernetes.io/docs/tasks/debug/debug-cluster/audit/ (accessed 2026-05)."},{"id":"general/logging.html","url":"general/logging.html","title":"General Logging & Detection Principles — Cloud Hardening Guide","breadcrumb":"Home General Logging & Detection","description":"General logging and detection principles: audit trails, log centralisation, detection engineering, retention, alert quality.","body":"General Logging & Detection Principles Overview Logging is the foundation every other detective and responsive control in the cloud rests on. Without an authoritative, tamper-evident record of who did what to which resource, incident response is forensically blind: the responder cannot tell whether an attacker reached a database, whether credentials were used after exfiltration, or whether a configuration change was authorised. The corollary is operational. A control that exists only as a configuration setting, with no corresponding log entry, cannot be audited and in practice is not enforced. This page sets the provider-neutral principles that the four provider logging pages (aws/logging.html, azure/logging.html, gcp/logging.html, oci/logging.html) then instantiate. Detection is logging plus interpretation. A CloudTrail event, an Azure Activity Log entry, a Google Cloud Audit Log record, or an OCI Audit event is raw material; turning it into a finding takes a detection rule, an analyst who maintains the rule, a tested true-positive case, and an alert pipeline that reaches the on-call responder before the attacker has finished. 
The MITRE ATT&CK for Cloud matrix is the standard taxonomy of attacker techniques that detection engineering aims to cover. Coverage is measured by mapping each maintained detection rule to one or more ATT&CK techniques and reporting gap regions to leadership, rather than by reporting raw rule counts. The rest of this page treats the logging-and-detection pipeline as a single discipline. Three log classes (control-plane, data-plane, network) are aggregated to a security-dedicated destination, made tamper-evident, retained against compliance- and forensic-driven floors, ingested by a SIEM, turned into alerts through maintained detection content, and routed to runbook-equipped responders via the incident response workflow. The pipeline is the control. See general/threat-model.html for the adversary techniques each stage is designed to surface, and general/network.html for VPC and subnet flow-log sourcing. What to log Three log classes are mandatory in every cloud-resident environment. Control-plane audit logs record every API call against the provider's management plane: identity, action, target resource, source IP, success or failure, request parameters. AWS CloudTrail, Azure Activity Log (and Microsoft Entra ID audit and sign-in logs), Google Cloud Audit Logs (Admin Activity, Data Access, System Event, Policy Denied streams), and OCI Audit are the four standard sources. Control-plane logs are the single most important log class, because almost every cloud-resident attack chain (credential abuse, role assumption, key disablement, public-resource creation) passes through the control plane at some point. Data-plane access logs record every read and write against storage and database services: S3 server-access logs, Azure Storage diagnostic logs, GCS data-access logs (a subset of Cloud Audit Logs), OCI Object Storage request logs. 
Data-plane volume runs one to three orders of magnitude higher than control-plane volume, so the design choice is which buckets, databases, and PaaS endpoints warrant data-plane logging (typically every Restricted-tagged resource, every public-facing endpoint, and every cross-account-accessed resource) rather than whether to enable it globally. Network flow logs record connection metadata at the subnet, NIC, or virtual-network level: VPC Flow Logs in AWS, NSG Flow Logs (legacy) and VNet Flow Logs in Azure, VPC Flow Logs in GCP, and VCN Flow Logs in OCI. Flow logs carry no payload, but they do carry source, destination, port, protocol, and action, which makes them the primary evidence source for post-compromise lateral-movement analysis. See general/network.html for the segmentation model that flow logs validate. NIST SP 800-92 (Guide to Computer Security Log Management) formalises the discipline of selecting, prioritising, and managing log sources; CIS Control 8 (Audit Log Management) in CIS Controls v8 sets out the operational checklist (enable audit logs, centralise collection, ensure adequate storage, configure detailed audit logging, review logs). The principle behind both is the same: log selection is a deliberate, classification-driven decision, not a side effect of enabling every available source. Log integrity A log the attacker can edit, delete, or silently halt is not evidence. Log integrity is engineered, not assumed. Three controls combine to provide tamper-evidence. First, cryptographic chaining binds log entries together so that any deletion or modification breaks the chain. AWS CloudTrail log file validation produces a digest file that hashes every delivered log file, signed by AWS; equivalent integrity hashing is available in Azure Monitor diagnostic settings exports and in OCI Audit export pipelines. 
Second, write-once storage places log archives in an object store configured with object-lock or retention-rule policies (S3 Object Lock in Compliance mode, Azure immutable storage with time-based retention, GCS retention policy with bucket lock, OCI Object Storage retention rules) so that even an account-administrator principal cannot delete logs within the locked retention period. Third, cross-account isolation, covered in the next section, separates the identity that writes logs from the identity that can administer the log store, so that compromise of the workload account does not grant access to retroactively modify the logs that captured the compromise. NIST SP 800-92 §5.4 (Protecting Log Data) defines the integrity model these controls instantiate: logs at rest are protected with the same rigour as the data they describe; logs in transit are encrypted under TLS; access to log infrastructure is restricted to a small, monitored set of administrators. CloudTrail log file validation should be verified continuously by an automated job that re-runs the digest check and alerts on any mismatch. A \"validation succeeded\" check that nobody runs is the same as no check at all. MISCONFIGURATION \"Logs are written to a bucket in the same account as the workload.\" This is the dominant log-integrity failure mode. An attacker who compromises the workload account inherits the IAM permissions that govern the in-account log bucket; with sufficient privilege, the attacker can disable the trail, delete the historical archive, or replace it with sanitised content before the next forensic review. Logs MUST flow into a security-dedicated account, subscription, project, or compartment whose administrators are organisationally separate from the workload account's administrators and whose log bucket is configured with object lock that survives root-account credentials. 
The reference architecture is a hub-and-spoke \"log archive\" account modelled after the AWS Control Tower Log Archive account, the Azure landing-zone Management subscription's centralised log workspace, the GCP organization log sink to a security folder's project, and the OCI security tenancy compartment with an aggregated logging compartment. Centralization Centralisation is the architectural pattern that turns the integrity rules above into operational reality. The pattern is hub-and-spoke: every workload account, subscription, project, or tenancy compartment (\"spokes\") emits its logs to a single security-dedicated destination (\"hub\") whose administration is segregated. Centralisation provides three properties at once: tamper-evidence (the hub's object lock survives the compromise of any spoke), unified detection scope (a SIEM ingests from one location rather than N), and economy of analyst attention (cross-spoke correlation surfaces attacks that touch multiple accounts). Each provider names the centralisation primitive differently. AWS uses an Organization Trail in CloudTrail (one configuration covers every account in the organization) delivering to an S3 bucket in the dedicated Log Archive account, with Object Lock enabled and a bucket policy that permits the organization to PutObject but denies any DeleteObject or modification action. Azure uses Diagnostic Settings on every subscription, routing Activity Log and resource logs to a central Log Analytics workspace (and/or a storage account for long retention) in a dedicated security subscription, optionally fed into an enterprise Microsoft Sentinel workspace. GCP uses Aggregated Sinks at the organization or folder level (one sink, many source projects) routing to a Cloud Storage bucket, BigQuery dataset, or Pub/Sub topic in a security folder's project. 
OCI uses Connector Hub to route audit and service logs from every compartment into a centralised destination (Object Storage with retention rules, or directly into Logging Analytics for query). Cross-account and cross-tenant log routing requires explicit trust configuration. In AWS, the central S3 bucket policy permits the organization principal via aws:PrincipalOrgID; in Azure, diagnostic settings can target a Log Analytics workspace in a different subscription as long as the writing identity holds the appropriate role; in GCP, the aggregated sink's writer service account must be granted IAM access on the destination project; in OCI, the Connector Hub identity must hold IAM policies in both source and destination compartments. In every case the trust is one-way: the spoke can write but cannot read or modify, and the hub can read but has no administrative rights back into the spoke. Retention Retention floors are compliance-driven and must be encoded into the centralised log destination's retention configuration, not left to operator memory. PCI DSS v4.0 requires audit log retention of at least one year, with the most recent three months immediately available for analysis. HIPAA's Security Rule (45 CFR §164.316(b)(2)) requires retention of documentation, including audit trails, for six years from the date of creation or last effective date. SOX (Sarbanes-Oxley) financial-controls logs are typically retained seven years. SOC 2 requires retention sufficient to support the audit period (usually one year minimum). The applicable floor for any given log is the maximum of the regulatory floors the underlying data class is subject to. Hot versus cold tiering reconciles retention floors with searchability cost. The hot tier (CloudWatch Logs, Log Analytics workspace, BigQuery, OCI Logging Analytics) is queryable in seconds, expensive per-GB-month, and typically holds 30 to 90 days of data. 
The cold tier (S3 with Glacier transitions, Storage Account with archive tier, GCS Coldline-Archive, OCI Archive Storage) is queryable in hours, cheap per-GB-month, and holds the rest of the retention floor. Lifecycle rules automate the transition: a SIEM ingest pipeline reads from hot, and ad-hoc forensic retrieval reads from cold via a rehydration job documented in the incident response runbook. SIEM and detection engineering A SIEM is the system that converts centralised logs into prioritised findings via maintained detection content. Provider-native SIEMs integrate by default with the corresponding provider's audit, posture, and threat-detection signals: AWS Security Hub (ingesting GuardDuty, Inspector, Config, Macie, and IAM Access Analyzer findings), Microsoft Sentinel (cloud-native SIEM/SOAR with KQL detection rules and built-in workbooks), Google Chronicle Security Operations (paired with Security Command Center for posture findings), and OCI Cloud Guard (with Logging Analytics for log-based detections). Third-party SIEMs (Splunk, Elastic Security, Sumo Logic, IBM QRadar, Devo) ingest from the same centralised log destinations via Lambda, Logic App, Cloud Function, or Service Connector forwarders, and are the typical choice when a single SIEM must span multiple clouds plus on-premises sources. Detection engineering is the discipline of building and maintaining the rules that turn logs into findings. Every detection rule in this corpus follows a four-part contract: a hypothesis (a one-paragraph attacker behaviour described in MITRE ATT&CK terms, e.g., \"T1078.004: adversary signs in to a cloud account using valid credentials from an unusual geography\"), a log-source dependency (which log class and which fields the rule reads), a true-positive test case (a reproducible event sequence that triggers the rule, verified at least quarterly), and an owner (a named team responsible for tuning the rule). 
Detection-as-code formalises this: rules live in version control as Sigma (vendor-neutral), Sentinel KQL files, Chronicle YARA-L rules, or Splunk SPL saved searches, with pull-request review and CI-time validation against a golden-event corpus. Coverage is measured against MITRE ATT&CK for Cloud (the IaaS, SaaS, Office 365, Azure AD, and Google Workspace sub-matrices) rather than against raw rule counts. A team with 800 detection rules concentrated in two ATT&CK tactics has worse coverage than a team with 200 rules spanning twelve tactics. The detection-engineering output therefore includes a heatmap that maps each maintained rule to one or more ATT&CK techniques, plus an annual review that prioritises new rules into gap regions. Joint CISA and National Security Agency guidance on detection engineering for cloud environments supports this technique-driven coverage model. Alerting and runbook integration Alert fatigue is the single most common reason detection programmes fail. A responder who receives 200 alerts per shift, 195 of which are false positives or low-severity noise, will stop reading the channel, and the five real findings travel through the same dead channel. The mitigation is severity-tiered routing combined with continuous false-positive review. CRITICAL findings page the on-call engineer directly (PagerDuty, Opsgenie, Splunk On-Call). HIGH findings open a ticket in the security ticketing queue (Jira Security, ServiceNow SIR) for review within one business day. MEDIUM findings populate a daily-review dashboard. LOW findings populate a weekly-review dashboard. Each tier carries a documented true-positive rate target; rules whose true-positive rate falls below the target are tuned or retired rather than left to add noise to the channel. Every CRITICAL and HIGH detection rule is paired with a runbook: a documented step-by-step response procedure that the on-call responder executes. 
The runbook references the general incident response page for the lifecycle phases (containment, eradication, recovery, post-incident) and the standard actions per phase. Without a runbook, a paged responder spends the first thirty minutes deciding what to do; with a runbook, those thirty minutes go to containment. Cross-provider equivalence The four providers implement the logging-and-detection pipeline under different names. The table below maps the principles in this page to the provider-native primitives. Each provider deep-dive (aws/logging.html, azure/logging.html, gcp/logging.html, oci/logging.html) carries the per-service configuration detail and the per-provider detection-content libraries. Principle AWS Azure GCP OCI Control-plane audit log CloudTrail (Organization Trail) Activity Log + Microsoft Entra audit and sign-in logs Cloud Audit Logs (Admin Activity stream) OCI Audit service Centralisation primitive Organization Trail → S3 in Log Archive account with Object Lock Diagnostic Settings → central Log Analytics workspace in security subscription Organization-level Aggregated Sink → GCS / BigQuery / Pub/Sub in security project Connector Hub → Object Storage / Logging Analytics in security tenancy compartment Provider-native SIEM Security Hub + GuardDuty findings aggregation Microsoft Sentinel Chronicle Security Operations + Security Command Center Cloud Guard + Logging Analytics Network flow logs VPC Flow Logs VNet Flow Logs (NSG Flow Logs legacy) VPC Flow Logs VCN Flow Logs Log integrity / tamper evidence CloudTrail log file validation + S3 Object Lock Immutable storage with time-based retention policy GCS retention policy with bucket lock Object Storage retention rules with retention-rule lock Illustrative control: centralized immutable audit log The control-box below is an illustrative example of the markup pattern every provider logging page applies. 
It is not a production control entry (provider pages carry CLI and IaC remediations specific to each cloud), but the threat-model framing and the CRITICAL DETECTIVE pairing transfer directly. Reading this box alongside the CRITICAL PREVENTIVE example on the data-protection page exercises the distinction the methodology page emphasises: same severity, different operational meaning. The illustrative ID gen-log-ex-01 is reserved and is not reused as a real control identifier. gen-log-ex-01 Centralized immutable audit log for all control-plane API calls ⚠ HIGH DETECTIVE MITIGATES Post-compromise forensic blindness and attacker tampering of evidence. A centralised, organisation-wide control-plane audit log delivered to a tamper-evident store in a security-dedicated account records every privileged action (IAM change, key access, public-resource creation, security-tool disablement) outside the blast radius of the workload account being audited. ATTACK VECTOR Absent centralisation and immutability, an attacker who reaches the workload account's audit-log administration permission can disable the local trail, delete the historical archive, or replace it with sanitised content before the next review. Capital One (2019), Snowflake / UNC5537 (2024), and Midnight Blizzard / Microsoft (2024) each show variants of this kill chain, where the logs that would have surfaced the intrusion earlier were incomplete, decentralised, or accessible to the same identity scope as the compromised workload. BLAST RADIUS Without this control: every account, subscription, project, or compartment in the organization is forensically blind once the workload identity is compromised. With this control: the workload account compromise is bounded by the workload account's permissions; the forensic record remains available in the security tenancy for incident response and regulatory reporting. 
HIGH (not CRITICAL) because the absence of this control does not by itself enable compromise: an attacker still needs an initial-access vector, a credential, or a vulnerability. It does, however, materially raise the cost and likelihood of successful exploitation and forfeits the ability to detect and respond. DETECTIVE (not PREVENTIVE) because the control surfaces unsafe states after they occur rather than preventing them. Paired with alerting and runbook integration it becomes the trigger for response, but it does not stop an action at the control plane. This exercises the methodology distinction that a HIGH DETECTIVE differs operationally from a HIGH PREVENTIVE even though both carry the same severity colour: the responder receives an alert and acts; the preventive control would have refused the action entirely. Maps cross-provider to CIS AWS Foundations v7.0.0 (CloudTrail enabled in all regions, log file validation enabled, log delivery to dedicated S3 bucket), CIS Microsoft Azure Foundations v6.0.0 (Activity Log diagnostic settings, log retention, immutability), CIS GCP Foundation v5.0.0 (Cloud Audit Logs configured for all services, sink to immutable storage), CIS OCI Foundation v3.1.0 (Audit retention and centralisation), NIST SP 800-53 rev5 AU-2 (event logging), AU-9 (protection of audit information), and AU-12 (audit record generation), ISO/IEC 27001:2022 A.8.15 (logging), and ISO/IEC 27017:2015 CLD.12.4.1 (monitoring of cloud services)."},{"id":"general/methodology.html","url":"general/methodology.html","title":"Methodology — Cloud Hardening Guide","breadcrumb":"Home General Methodology","description":"How controls are selected, sourced, severity-rated, and kept current in this guide.","body":"Methodology Overview This guide claims to offer technical depth beyond a free CIS Benchmark PDF, a Microsoft Learn article, or an AWS Well-Architected whitepaper. 
That claim only holds if a reader can audit the editorial process: how each control is chosen, where its severity comes from, which framework versions back its compliance mappings, and how the page is kept current. This methodology page is that audit trail. It exists because adding real value beyond authoritative source PDFs means showing the work, not just paraphrasing the bullets. The constitution below is enforced by build-time validation, not author goodwill. Severity tags must use the three-channel markup defined in docs/severity-rubric.md; compliance tables must carry the seven pinned-version column headers defined in docs/control-template.md and reproduced on the compliance frameworks page; citations must use citation-quality anchor text per STD-06; and every page carries a <time datetime=\"…\"> last-reviewed stamp checked by the Phase 4 content gate. Readers who disagree with a severity assignment, a compliance mapping, or a sourcing choice should read this page first, then file an issue against the specific criterion that the call violates. Disagreements are resolved by re-reading the criterion section, not by majority vote (see §Severity assignment). Control selection criteria A control is eligible to appear in this corpus only if it is sourced from at least one of four categories: (1) a pinned-version CIS Benchmark recommendation; (2) an official provider security best-practices document (AWS Well-Architected Security Pillar, Microsoft Cloud Security Benchmark, Google Cloud Architecture Framework Security pillar, OCI Security Best Practices); (3) a NIST Special Publication, most commonly SP 800-53 rev5 or one of its companion publications (SP 800-63B, SP 800-207, SP 800-57, SP 800-92, SP 800-190); or (4) a publicly documented, primary-source incident lesson (Capital One 2019 DOJ filing, Mandiant UNC5537 / Snowflake 2024 advisory, Microsoft Security Response Center Midnight Blizzard write-up, CISA / NSA cybersecurity information sheets). 
Marketing statistics are rejected. Claims of the form \"X% of organizations do Y\" do not enter the corpus unless they originate from a primary research publication with disclosed methodology, such as the Verizon DBIR, ENISA Threat Landscape, or IBM Cost of a Data Breach Report. A vendor blog post that asserts \"78% of breaches involve identity\" without a citation is not a primary source even when the underlying claim is true. The cost of admitting weak sources is that any reader who spot-checks one and finds it unsupported stops trusting the whole corpus. A control is excluded if it is essentially provider marketing (for example, \"enable Premium tier of feature X\" without a security-outcome justification), if it duplicates an existing control without adding cross-provider coverage, or if it cannot be expressed as a configurable, observable state on a production tenant. \"Have a security culture\" is not a control. \"Enforce MFA on all human identities via a Conditional Access policy that blocks legacy authentication\" is a control. The bar is configurability and observability. Severity assignment Severity is applied from docs/severity-rubric.md, not from intuition, vendor severity ratings, or CVSS scores. The rubric defines four tiers: CRITICAL: the misconfiguration provides a direct, single-step path to data exfiltration, full account takeover, or unauthenticated remote code execution against a production-equivalent resource. No additional vulnerability, social engineering, or pivot is required. HIGH: the misconfiguration creates significant attack-surface expansion or a clear privilege-escalation path that needs one more step (a stolen credential, an additional vulnerability, a pre-positioned attacker) to turn into compromise. MEDIUM: a defense-in-depth control whose absence raises attacker cost or reduces detection fidelity but does not directly enable compromise. 
LOW: configuration hygiene with minimal direct risk; absence affects observability completeness, compliance posture, or operational tidiness rather than the attacker's ability to compromise the environment. When a candidate misconfiguration does not cleanly match exactly one tier, the author rounds up and records the ambiguity in the control's threat-model \"Attack vector\" sub-field. Round-down-on-ambiguity inflates the corpus toward MEDIUM and destroys triage value; round-up preserves the signal that CRITICAL controls warrant pager-grade response. The worked example below illustrates the full control-box markup that every domain page entry mirrors. It exercises every CSS class touched by the DS-05 control-authoring contract: .control-box, .control-header, .control-id, .control-title, .sev, .sev-critical, .sev-icon, .sev-label, .control-type, .threat-model, .label, and .compliance-table. The walk-through after the markup traces why this control receives CRITICAL PREVENTIVE. ex-mfa-01 Enable phishing-resistant MFA on all human identities ⛔ CRITICAL PREVENTIVE MITIGATES Full account takeover via credential theft (phishing, infostealer, credential stuffing against leaked passwords) against any human identity that can reach the cloud control plane. ATTACK VECTOR Attacker obtains valid username and password (phishing kit, infostealer log, credential-stuffing list). Without phishing-resistant MFA, the attacker logs in directly. TOTP-only MFA does not block phishing kits that proxy the second factor in real time (Evilginx-class adversary-in-the-middle). FIDO2 / WebAuthn binds the assertion to the legitimate origin and resists this class of attack. BLAST RADIUS Every resource the compromised identity can access. For an organization administrator, this is the entire tenant; for a developer with broad IAM, the entire account or subscription. Lateral movement via assumed roles, OAuth consent grants, or session-token replay extends blast radius beyond the initial identity. 
Phishing-resistant MFA means hardware-backed FIDO2 / WebAuthn authenticators (security keys, platform authenticators on managed devices) or equivalent. SMS, voice, email OTP, and unbound TOTP do not meet the bar. NIST SP 800-63B defines this assurance level as AAL3 for the authenticator and verifier requirements that resist phishing. CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.10 — Ensure MFA is enabled for all IAM users with console password 1.1.2 — Ensure that multi-factor authentication is required for all users 1.2 — Ensure that multi-factor authentication is enabled for all non-service accounts 1.7 — Ensure MFA is enabled for all users with a console password IA-2(1), IA-2(2) — Multifactor authentication to privileged and non-privileged accounts A.5.17 — Authentication information CLD.6.3.1 — Shared roles and responsibilities Walk-through against the rubric. The CRITICAL criterion says: \"Misconfiguration provides a direct, single-step path to data exfiltration, full account takeover, or unauthenticated remote code execution. No additional vulnerability, social engineering, or pivot is required to realize the impact.\" Absent phishing-resistant MFA, a stolen password is enough to log in as the target identity and reach every resource that identity can access. The \"single-step\" criterion is met because the attacker has only to type the credential; no additional vulnerability is required. The control type is PREVENTIVE because the configuration stops the unsafe state (password-only or passwordless authentication) from existing. It is not a detective alert raised after compromise (DETECTIVE), nor an auto-remediation triggered post-detection (RESPONSIVE). The CRITICAL PREVENTIVE pairing follows directly; no author intuition is involved. 
Control type labeling Every severity tag is paired with a control type label rendered as <span class=\"control-type\">. Three values are defined: PREVENTIVE: stops the unsafe state from existing (deny-by-default bucket policy, hardware MFA enforcement, KMS key policy without wildcard principals). DETECTIVE: surfaces the unsafe state after it exists (CloudTrail, GuardDuty findings, Defender for Cloud alerts, AWS Config non-compliant resource notification). RESPONSIVE: acts on the unsafe state once detected (EventBridge auto-remediation, Logic App disable-on-impossible-travel, SOAR playbook). A CRITICAL DETECTIVE control is operationally distinct from a CRITICAL PREVENTIVE control even though both carry the same severity tag color and icon. \"No audit log in any region\" (CRITICAL DETECTIVE) delays discovery of compromise but does not enable it; \"root account without MFA\" (CRITICAL PREVENTIVE) directly enables compromise. Conflating the two, by reading severity without control type, produces incorrect triage. Authors emit both spans adjacent in the control header per the markup in docs/control-template.md. Visual reference at reference/components.html. Compliance mapping methodology Every control entry carries a <table class=\"compliance-table\"> whose header row pins seven framework columns: CIS AWS Foundations v7.0.0, CIS Microsoft Azure Foundations v6.0.0, CIS GCP Foundation v5.0.0, CIS OCI Foundation v3.1.0, NIST SP 800-53 rev5, ISO/IEC 27001:2022, and ISO/IEC 27017:2015. The full pinned-version contract, including release dates and the corpus-wide bump policy, lives on the compliance frameworks page §Pinned version contract and is not duplicated here. This methodology page documents only how each cell is verified. A cell value is admissible only when traced to the framework primary source. 
For CIS rows, the cell carries the recommendation number from the published PDF benchmark at the pinned version, never from a third-party summary or an older benchmark version. For NIST SP 800-53 rev5 rows, the cell carries the control identifier from the NIST CSRC publication (for example IA-2(1), not \"IA-2\" without the enhancement number when the enhancement is what applies). For ISO/IEC 27001:2022 rows, the cell uses the three-level 2022 numbering (for example A.8.24), never the four-level 2013 numbering. For ISO/IEC 27017:2015 rows, the cell uses the CLD.x.y.z identifiers when the control is cloud-specific, or an em-dash when ISO/IEC 27017 inherits without adding cloud-specific guidance. NIST SP 800-53 rev5 Appendix B is the authoritative NIST-to-ISO/IEC 27001 crosswalk and is the primary source consulted when mapping a NIST control to its ISO peer. Where the 2013→2022 ISO renumbering changes the destination control, the corresponding ISO/BSI 2022 transition document supplements Appendix B. Mappings are not invented; if a primary-source crosswalk does not assert the relationship, the cell carries an em-dash and the absence is recorded as a deliberate editorial choice. Multiple legitimate framework targets are listed when more than one applies. A single CIS recommendation that satisfies both IA-2(1) and IA-2(2) lists both NIST identifiers; cherry-picking only the most flattering target is forbidden. The validation grep for STD-02 enforces the verbatim header strings; cell content correctness is a content review responsibility. Citation standards STD-06 requires that every <a> in this corpus use citation-quality anchor text. The format is: publisher, document title, accessed date. 
Example: <code class=\"language-html\"><a href=\"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final\"> NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls (accessed 2026-05) </a></code> The following anchor texts are banned and fail the Phase 4 content gate when found in any page: click here, see this, more info, this link, bare here (case-insensitive), read more, and bare URLs (no surrounding citation text). The reasoning is two-fold. First, screen-reader users navigating by link list see only the anchor text out of context; \"click here\" is non-navigable. Second, anchor text is the most reliable signal that the author actually read the cited source. A citation written as \"NIST SP 800-53 rev5 (upd1, Jan 2022) — IA-2 Identification and Authentication (accessed 2026-05)\" shows a different relationship to the source than \"see this\". The accessed date is part of the citation, not an optional decoration. Cloud documentation changes weekly; provider URLs are renamed; ISO documents are revised. The accessed date tells a reader checking the citation in 2027 whether the link was current when the author cited it. Build enforcement of the accessed-date substring in <ul class=\"source-list\"> anchors lives in the Phase 4 content gate; a broader build/check-citations.sh sweep across in-body anchors is planned for Phase 12. Content currency and review cadence Every page in this corpus carries a <time datetime=\"YYYY-MM-DD\"> last-reviewed stamp rendered in the footer. The Phase 4 content gate fails any page missing the stamp. The stamp is updated whenever the page is materially edited or when a source document the page references changes, whichever comes first. The review cadence is twelve months as a floor. Every page is re-reviewed at least annually; reviewers re-check that pinned framework versions are still current, that provider documentation URLs still resolve, and that the recommendations have not been deprecated by a provider security advisory. 
Pages are reviewed sooner than the twelve-month floor when one of the following triggers occurs: a pinned CIS Benchmark publishes a new version; a provider deprecates a feature or service named on the page (for example IMDSv1 removal, classic Application Gateway end-of-life); a NIST publication is superseded; a referenced incident lesson receives an updated authoritative writeup. Errata and corrections are tracked publicly via GitHub Issues against the repository at github.com/Artur12555/cloud_hardening. Every page footer carries a \"Report an issue\" link to https://github.com/Artur12555/cloud_hardening/issues/new, enforced by build/check-shell-required.sh (SHELL-06). Substantive corrections require a follow-up commit that bumps the last-reviewed stamp; typo fixes do not. How to read a control entry Every control on every domain page mirrors the markup of the example in §Severity assignment above. From top to bottom, a reader sees: the control identifier (lowercase, kebab-case, immutable once published, and used as the anchor for deep-linking from the future compliance-matrix.html), the control title (an imperative noun phrase that names the configured outcome), the severity tag (CRITICAL / HIGH / MEDIUM / LOW with icon, label, and color per DS-07's three-channel guarantee), and the control type label (PREVENTIVE / DETECTIVE / RESPONSIVE). Beneath the header, the threat-model aside carries three labeled sub-fields: MITIGATES (one-sentence threat statement), ATTACK VECTOR (the concrete kill-chain step that becomes possible absent this control), and BLAST RADIUS (scope of compromise if exploited). The threat-model box is the per-control bridge to the corpus-wide threat model on threat-model.html; readers tracing an attack chain from threat to mitigation enter via the threat-model and exit at the controls that close the chain. 
The body of the control entry contains the CLI remediation (provider native command-line, executable as-is against a configured CLI), the IaC remediation (Terraform HCL with a mandatory provider version comment on the first line per STD-07), the compliance-table footer (seven pinned-version framework columns), and a per-control source list with citation-quality anchors. The canonical markup is documented in docs/control-template.md §Reference HTML markup; a rendered visual reference lives at reference/components.html. How to contribute / report issues Contributions and errata are filed against the repository at github.com/Artur12555/cloud_hardening. Issues for content corrections, broken links, severity-assignment disputes, and missing controls are welcome; please reference the specific control identifier or the page anchor in the issue title so a reviewer can locate the contested claim quickly. Pull requests are welcome for in-place corrections; substantive new content goes through a planning step first to maintain corpus consistency. Security-sensitive disclosures (for example, a guide entry that inadvertently teaches an unsafe pattern) are handled via the security disclosure channel documented in the repository SECURITY.md; do not file them as public GitHub Issues."},{"id":"general/network.html","url":"general/network.html","title":"General Network Principles — Cloud Hardening Guide","breadcrumb":"Home General Network","description":"General network principles: defense in depth, segmentation, zero trust, egress control, private connectivity, encryption in transit, DNS security.","body":"General Network Principles Overview Cloud network security differs from on-premises network security in one foundational way: the control plane is reached over the public internet through an authenticated API, and that API is the real perimeter. 
Traditional defence-in-depth thinking, with concentric rings around a data centre and the firewall as the trust boundary, does not survive contact with a cloud tenant where any caller anywhere with a valid credential can provision, modify, or delete resources. NIST SP 800-207 Zero Trust Architecture describes the shift: trust is established per request, against an authenticated identity and a verified device posture, not inherited from a network location. That said, network controls have not disappeared. Cloud workloads still expose listening services that need protection from internet scanning, lateral movement within a virtual network is still a real attack chain (Capital One 2019, summarised on general/threat-model.html as Chain B, which traversed network primitives to reach the IMDS endpoint), and exfiltration over outbound connections is still the egress most cloud tenants fail to filter. This page sets out provider-neutral principles (defence in depth, segmentation, zero trust, egress control, private connectivity, encryption in transit, DNS security) and the cross-provider primitives that implement them. Provider-specific depth lives on the AWS, Azure, GCP, and OCI network pages; this page is the principles reference those pages link back to. Encryption-in-transit guidance lives here; general/data.html cross-references it rather than duplicating it. Defense in depth for cloud networks Defence in depth means layered controls such that the failure of any single layer does not directly enable compromise. In a cloud network the layers stack from the cloud-provider primitive at the bottom to the application-layer identity at the top, and each layer is a distinct configuration surface with distinct failure modes. The lowest layer is the cloud firewall attached to the workload's network interface: AWS Security Groups, Azure Network Security Groups, Google Cloud VPC firewall rules, and Oracle Cloud Infrastructure Security Lists. 
These are stateful packet filters scoped per instance or per subnet, and they are the most common point at which a misconfigured deploy exposes a database or management port to the public internet. Above that layer sits the subnet-level control: AWS Network ACLs (stateless), Azure route tables and subnet-attached NSGs, GCP VPC firewall rules at the network level, OCI Security Lists at the subnet level. These give a coarser-grained filter that the cloud firewall layer cannot bypass, useful for enforcing organisation-wide bans (no SSH from the internet anywhere in this VPC, regardless of individual SG misconfigurations). Above the cloud firewall and subnet layers, workload-level controls enforce policy that the network primitives cannot express. Host firewalls (iptables, nftables, Windows Defender Firewall) still run on individual instances and remain useful for defence in depth, even when the cloud firewall is correctly configured. Service-mesh identity (mTLS via Istio, Linkerd, Consul Connect, App Mesh) authenticates service-to-service traffic on identity rather than IP. At the application layer, Web Application Firewalls (AWS WAF, Azure Front Door / Application Gateway WAF, Google Cloud Armor, OCI WAF) filter application-layer attacks (OWASP Top 10 patterns) on hostnames the cloud-firewall layer can only filter on by port. API gateway authentication enforces caller identity on every API request. The point of layered controls is not redundancy for its own sake. Misconfigurations are common, and the operating discipline is to assume any single layer is misconfigured at any time. A defence-in-depth design tolerates that assumption. Network segmentation Network segmentation isolates workloads of different trust levels into distinct network domains, so that compromise in one domain does not propagate to another. The cloud's strongest isolation primitive is the account, subscription, project, or compartment boundary itself. 
These are administrative containers with separate IAM, separate billing, separate audit trails, and, importantly, no implicit network connectivity. A workload in a production AWS account cannot reach a workload in a development AWS account over the network unless an explicit peering, Transit Gateway attachment, or VPN tunnel has been provisioned. Within an account, the next isolation primitive is the virtual network: an AWS Virtual Private Cloud (VPC), an Azure Virtual Network (VNet), a Google Cloud VPC, or an Oracle Cloud Infrastructure Virtual Cloud Network (VCN). Each is an isolated address space with its own routing, its own internet gateway (or absence of one), and its own firewall posture. Below the VPC, subnets partition the address space and attach distinct routing policies: public subnets route via an internet gateway, private subnets route via NAT or not at all, and intra-cloud subnets route via VPC endpoints to provider services without touching the public internet. The hub-and-spoke topology is the dominant pattern for multi-VPC estates. A central hub VPC holds shared inspection appliances (firewall, IDS/IPS, DNS resolver, egress proxy) and connects to spoke VPCs through Transit Gateway (AWS), Virtual WAN (Azure), Network Connectivity Center (GCP), or Dynamic Routing Gateway (OCI). Spoke-to-spoke traffic routes through the hub and is inspected; spoke-to-internet traffic routes through the hub's egress controls. The design centralises inspection at one operational cost and lets spokes stay simple. Provider-specific topology depth is covered on aws/network.html, azure/network.html, gcp/network.html, and oci/network.html; this page treats only the topology pattern. A common segmentation failure is the flat production VPC (one VPC, one subnet, every workload in the same broadcast domain) paired with permissive security groups that allow intra-VPC traffic by default. 
The remediation is mechanical: split workloads by tier (web, application, data) into distinct subnets, default-deny intra-VPC traffic at the security-group layer, and require explicit allow rules between tiers. Zero trust principles Zero trust is the design discipline of treating every network request as untrusted regardless of its source, then authenticating and authorising the request against the requesting identity, the device posture, and the requested resource, never against the network location alone. NIST SP 800-207 (Zero Trust Architecture, Aug 2020) is the foundational reference; CISA's Zero Trust Maturity Model 2.0 (Apr 2023) extends it with a maturity-based path organised around five pillars. The CISA pillars are Identity, Devices, Networks, Applications & Workloads, and Data, with Visibility & Analytics, Automation & Orchestration, and Governance as cross-cutting capabilities. For a cloud tenant, the implications are concrete. The Identity pillar drives federated authentication and phishing-resistant MFA, covered on general/iam.html §Identity federation and §Multi-factor authentication. The Devices pillar drives endpoint posture verification (managed laptops, EDR enrolment, OS-level encryption) before granting access. The Networks pillar, most directly relevant to this page, replaces the flat virtual-network trust assumption with micro-segmentation: every service-to-service connection is authenticated, authorised, and ideally encrypted with mutual TLS regardless of whether the source and destination sit in the same VPC. The Applications & Workloads pillar drives identity-aware proxies: Google Cloud Identity-Aware Proxy, AWS Verified Access, Azure AD Application Proxy, and equivalent third-party access brokers (Cloudflare Access, Tailscale, Zscaler Private Access). 
These products front internal applications with an authenticated reverse proxy so that the application is never directly reachable on the network: the reverse proxy authenticates the user and forwards the request only if policy permits. The Data pillar drives encryption, classification, and authorisation at the data layer (treated on general/data.html); the network pillar does not stop at the network alone. Workload-to-workload zero trust is implemented through service mesh: Istio, Linkerd, AWS App Mesh, Azure Service Fabric Mesh, OCI Service Mesh. The mesh gives each workload a SPIFFE identity, enforces mTLS on every service call, and applies authorisation policy that names the calling identity rather than its IP address. The result is that a compromised pod cannot reach another pod simply because they share a subnet; it must hold the calling identity's certificate, which is short-lived and rotated automatically. Egress control Egress control is the deliberate filtering of outbound traffic from workloads, allowing only the destinations a workload provably requires and denying the rest. The principle is the inverse of the well-understood ingress posture (deny by default, allow only the listening services the workload publishes), and across all four major providers it is the most-missed control, because the cloud-provider defaults allow outbound traffic to anywhere on the public internet. The threat model is data exfiltration and command-and-control callback. An attacker who establishes code execution in a workload, through a vulnerable dependency, a poisoned container image, or a misconfigured admin endpoint, needs a return channel to receive instructions and to send stolen data. If the workload's outbound traffic is default-allow, the attacker uses any outbound port to any destination. 
If outbound traffic is restricted to a small allow-list of known-required destinations (the application's database, the provider's KMS endpoint, a small set of dependency mirrors), exfiltration and C2 become structurally difficult and far easier to detect. The implementation pattern is consistent across providers. Workloads have no direct internet route; instead, their outbound traffic flows through an egress proxy (Squid, Envoy, or a managed offering such as AWS Network Firewall, Azure Firewall, Cloud NGFW Enterprise on GCP, OCI Network Firewall) that enforces FQDN-aware allow lists. The proxy logs every request, supports DNS-aware policy (allow connections to *.example.com rather than to IP ranges that change), and integrates with the cloud audit log so that policy violations produce alerts. Workloads that need to reach the provider's own API surface use VPC endpoints, Private Link, Private Service Connect, or Service Gateway (see §Private connectivity) so that traffic never crosses the public internet at all. Common misconfiguration: default-allow outbound on production workloads. Every provider's VPC, VNet, and VCN ship with default routes that permit outbound traffic to the public internet through a NAT or internet gateway. Security groups, NSGs, firewall rules, and security lists default to allow-all egress; only ingress is restricted by default. A production workload deployed without explicit egress policy can therefore reach any destination on the internet (including attacker-controlled exfiltration endpoints, cryptocurrency mining pools, and command-and-control servers) without crossing any deny rule. The remediation is to default-deny outbound at the security-group, NSG, or firewall-rule layer, route required traffic through an egress proxy with FQDN-aware policy, and log denied connections. The illustrative control later on this page works through this pattern with full compliance-table markup. 
Private connectivity Private connectivity means reaching cloud-provider services and third-party SaaS endpoints without traversing the public internet. The motivation is twofold: the public internet is a wider blast surface (any DNS hijack, any BGP leak, any TLS-stripping intermediary affects the connection), and traffic that traverses the public internet is also visible to the provider's egress accounting and to any network-layer adversary on the path. Private connectivity keeps traffic on the provider's backbone and, in most cases, inside the customer's own address space. The four major providers expose three categories of primitive. The first is the service endpoint: a private routable address inside the customer's VPC that resolves to the provider service. AWS VPC Endpoints (interface and gateway varieties) provide private addresses for S3, DynamoDB, KMS, Secrets Manager, and most other AWS services. Azure Private Endpoint provides equivalent access for Storage, Key Vault, SQL Database, and most other Azure services. Google Cloud Private Service Connect provides private endpoints for Google APIs, third-party SaaS, and customer-published services. Oracle Cloud Infrastructure Service Gateway provides private routes from a VCN to OCI services within a region. The second category is private-to-private connection brokering. AWS PrivateLink, Azure Private Link, and Google Private Service Connect publish a customer's service to other customers' VPCs as a private endpoint; the consumer reaches the producer over the provider backbone without exposing a public endpoint. Third-party SaaS providers increasingly publish their services via these mechanisms, eliminating the need for an internet-routable address on either side. The third category is hybrid connectivity (Direct Connect, ExpressRoute, Cloud Interconnect, OCI FastConnect) for traffic between on-premises and cloud. These dedicated lines remove the public-internet path entirely for the office-to-cloud connection. 
The design rule across all three categories: if a piece of traffic can be expressed as private connectivity instead of public-internet connectivity, it should be. The cost is configuration; the benefit is reduced surface and reduced exposure to the entire class of public-network attacks. Encryption in transit Encryption in transit protects network traffic against interception and modification by adversaries on the path. The current standard is Transport Layer Security version 1.3 (IETF RFC 8446, Aug 2018), which closes the protocol-downgrade and cipher-negotiation weaknesses of TLS 1.2 and earlier. The minimum acceptable floor across all cloud workloads is TLS 1.2 with modern cipher suites; TLS 1.3 is preferred wherever client compatibility allows. TLS 1.0 and 1.1 are forbidden. They remain enabled on some legacy provider endpoints for backward compatibility, but the customer's own load balancers, API gateways, and application listeners must refuse them. For service-to-service traffic inside the cloud, mutual TLS (mTLS) authenticates both ends of the connection cryptographically. Service-mesh implementations (Istio, Linkerd, App Mesh, Azure Service Fabric Mesh) provision short-lived certificates per workload and rotate them automatically, which makes mTLS the default for east-west traffic without per-application configuration effort. This page treats encryption in transit as the canonical reference; general/data.html §Encryption in transit cross-references it rather than duplicating it. DNS security DNS is the network layer most often overlooked in cloud network design. Three controls matter. First, DNSSEC verifies authoritative DNS responses against a chain of trust rooted at the DNS root zone; enabling DNSSEC on customer-managed zones (Route 53, Azure DNS, Cloud DNS, and OCI DNS all support it) defeats spoofed responses. 
Second, private DNS zones (Route 53 private hosted zones, Azure Private DNS, Cloud DNS managed private zones, OCI private zones) provide split-horizon resolution so that internal hostnames resolve to private endpoints from within the VPC and to nothing from outside. Third, DNS query logging (Route 53 Resolver query logs, Azure DNS analytics, Cloud DNS logging, OCI DNS analytics) surfaces the destinations a workload is trying to reach, including the DNS-based exfiltration patterns (NXDOMAIN tunnelling, beaconing to look-alike domains) that pure connection-based egress filtering can miss. Cross-provider equivalence The table below maps the principal network primitives across the four major providers. Each cell names the load-bearing service; provider IAM and routing details belong on the provider network pages and are not duplicated here. The provider pages (AWS, Azure, GCP, OCI) extend each entry to the depth a hardening reviewer requires. Primitive | AWS | Azure | GCP | OCI; Stateful firewall | Security Group | Network Security Group (NSG) | VPC firewall rule | Security List, Network Security Group; Private service endpoint | VPC Endpoint, PrivateLink | Private Endpoint, Private Link | Private Service Connect | Service Gateway, Private Endpoint; Web Application Firewall | AWS WAF | Azure Front Door / Application Gateway WAF | Cloud Armor | OCI WAF; DDoS protection | Shield (Standard / Advanced) | Azure DDoS Protection (Standard) | Cloud Armor (Standard / Managed Protection) | OCI DDoS protection (always-on layer 3/4); Egress filtering (FQDN-aware) | Network Firewall, Route 53 Resolver DNS Firewall | Azure Firewall (FQDN tags + threat intel) | Cloud NGFW Enterprise, Secure Web Proxy | OCI Network Firewall; Identity-aware proxy | AWS Verified Access | Entra Application Proxy, Microsoft Entra Private Access | Cloud Identity-Aware Proxy (IAP) | OCI Bastion + Identity Domains. Illustrative control: default-deny egress The control entry below is an illustrative example of how the egress-control principle (§4 above) translates into a 
concrete, severity-rated, compliance-mapped control. Provider-specific controls with CLI and Terraform remediation live on the four provider network pages (AWS, Azure, GCP, OCI), not here. gen-net-ex-01 (illustrative example) Default-deny outbound network egress for production workloads ⚠ HIGH PREVENTIVE MITIGATES Data exfiltration to attacker-controlled destinations and command-and-control callback channels from compromised workloads. This is the post-exploitation phase of Chain B on general/threat-model.html (SSRF / metadata service to credential theft to S3 exfiltration), where the final exfiltration step is structurally blocked when outbound traffic cannot reach arbitrary internet destinations. ATTACK VECTOR Attacker establishes code execution in a workload through a vulnerable application dependency, a poisoned container image, a misconfigured admin endpoint, or stolen workload credentials. With default-allow outbound, the attacker initiates an outbound connection to an attacker-controlled endpoint, opens a return channel for command-and-control, and exfiltrates discovered data. With default-deny outbound and an FQDN-aware allow list, every such connection is denied at the network layer and the attempt is logged. BLAST RADIUS The blast radius absent this control is the data the compromised workload can read, frequently the entire production dataset of that workload, since application identities typically hold broad data-plane read permission. With this control, blast radius reduces to data accessible through allow-listed destinations only (typically a small set of internal services), and the attacker must additionally compromise one of those allow-listed services to exfiltrate. Implementation: configure security groups, NSGs, firewall rules, or security lists to default-deny outbound; route required traffic through an egress proxy or managed network firewall that enforces FQDN-aware allow lists; log denied connections to the central audit pipeline. 
Workloads needing provider-service access use VPC endpoints / Private Link / Private Service Connect / Service Gateway so the connection never traverses the public internet. The provider-specific Phase 5 controls carry CLI and Terraform snippets per provider. CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 5.2: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (egress equivalent: restrict outbound to known destinations) 6.x: Ensure that NSG rules restrict outbound traffic from production subnets 3.x: Ensure VPC firewall rules restrict egress to required destinations 2.x: Ensure security lists restrict egress to required destinations SC-7, SC-7(5): Boundary protection; deny by default, allow by exception A.8.22, A.8.23: Segregation of networks; web filtering CLD.13.1.4: Alignment of security management for virtual and physical networks"},{"id":"general/shared-responsibility.html","url":"general/shared-responsibility.html","title":"Shared Responsibility Model — Cloud Hardening Guide","breadcrumb":"Home General Shared Responsibility Model","description":"How security responsibilities partition between cloud provider and customer across IaaS, PaaS, and SaaS — and where the most common cloud breach root causes live.","body":"Shared Responsibility Model Overview The shared responsibility model is the axis on which every control in this guide turns. It partitions security obligations between two parties. The cloud service provider (CSP) owns the security of the cloud: the physical facilities, the hypervisor, the host operating system, the storage substrate, and the global network. The customer owns security in the cloud, meaning everything they configure, deploy, identify, and store. The boundary between those two halves is not fixed. 
It shifts every time a workload moves up the IaaS → PaaS → SaaS abstraction ladder, and provider-specific terminology (compartments, projects, subscriptions, accounts) hides the fact that the underlying partition follows the same five-layer logic across all four hyperscalers. The model is the starting point rather than a footnote because misunderstandings of the boundary are the single most common documented root cause of cloud breach. The Cloud Security Alliance Top Threats to Cloud Computing 2024 (accessed 2026-05) report places \"misconfiguration and inadequate change control\" and \"identity and access management failures\" in its top three, both of which are customer-side obligations that survey respondents frequently attribute, incorrectly, to the provider. The cloud definition published in NIST SP 800-145 — The NIST Definition of Cloud Computing (accessed 2026-05) formally distinguishes the three service models referenced throughout this page (IaaS, PaaS, SaaS), and remains the citation of record for the abstraction layering used below. Before reading any provider-specific domain page, work through the cloud threat model: adversary classes and attack chains alongside this page. Together they establish what attackers want and which half of the partition each attack targets. The IaaS/PaaS/SaaS responsibility gradient The usual depiction of the shared responsibility model is a three-column gradient table, with one column per service model and one row per logical layer of the stack. Reading the table from top to bottom traces the physical-to-conceptual progression of a deployed workload; reading it from left to right traces the increase in CSP-managed responsibility as the customer rents more of the platform. The cells classify each intersection as CSP (provider-owned), Customer (customer-owned), or Shared (provider supplies the primitive; customer configures it). 
Most misconfigurations cluster in the \"Shared\" category, because the provider has supplied a mechanism (encryption-at-rest defaults, identity federation, network ACLs) but the customer must opt in to a hardened configuration. Default-deny is rarely the default. Layer | IaaS | PaaS | SaaS; Physical facilities | CSP | CSP | CSP; Host hypervisor | CSP | CSP | CSP; Guest OS | Customer | CSP | CSP; Runtime / middleware | Customer | CSP | CSP; Application | Customer | Customer | CSP; Data | Customer | Customer | Customer; Identity & access | Customer | Customer | Customer; Configuration & hardening | Customer | Shared | Shared. Two layers refuse to move with the service model, and the table calls them out explicitly: data and identity. Whether the customer rents a bare virtual machine or a fully managed mailbox, the contents of records inside the service, and the principal directory that authorises access to them, are customer obligations. That asymmetry is why the General IAM principles page treats identity as the cloud's primary attack surface, and why the General data protection principles page treats classification, not encryption mechanics, as the first control. Every provider page in this guide assumes that data and identity remain customer-owned even when the rest of the stack is managed. AWS shared responsibility Amazon Web Services frames the partition as \"security of the cloud versus security in the cloud\" in AWS Shared Responsibility Model (accessed 2026-05). AWS owns the hardware, the virtualization layer, and the managed services' control planes; the customer owns guest OS patching on EC2, all IAM policies including the root user, every S3 bucket policy, and the data-classification decision behind which encryption key to use. The AWS Well-Architected Framework — Security Pillar (accessed 2026-05) extends this into eight design principles and treats the boundary as the working assumption behind every recommendation. 
The AWS-specific nuance worth marking is the managed services in the middle: RDS, ElastiCache, Lambda, and Fargate sit on a sliding boundary where AWS patches the OS and engine but the customer still owns the parameter group, IAM authentication policy, and the data inside. The Well-Architected guidance is explicit that \"AWS managing the infrastructure\" never implies \"AWS managing your identity, access controls, or data,\" a distinction repeatedly missed in audit findings. Azure shared responsibility Microsoft's canonical statement of the partition is Microsoft Learn — Shared responsibility in the cloud (accessed 2026-05), which presents a seven-row matrix (information and data; devices; accounts and identities; identity and directory infrastructure; applications; network controls; OS; physical hosts/network/datacenter) with cells coloured by service model. The Microsoft Cloud Security Benchmark (accessed 2026-05) (MCSB v1) then operationalises the partition into prescriptive baselines that map to NIST SP 800-53 rev5 and CIS controls. The Azure-specific nuance is the dual identity plane: a tenant subscribes to Entra ID (formerly Azure AD) for identity and to Azure Resource Manager for resource control, and the same principal can carry roles in both planes. Misconfigurations frequently arise when a Global Administrator role in Entra is assumed to control subscription-level resources without the paired Owner assignment, or vice versa, which the MCSB identity baseline calls out explicitly. GCP shared responsibility Google Cloud extends the partition with the concept of shared fate, a commitment that Google supplies opinionated secure defaults, blueprints, and Assured Workloads guardrails rather than leaving the customer to derive a hardened baseline from first principles. The model is documented in Google Cloud Architecture Framework — Shared responsibilities and shared fate on Google Cloud (accessed 2026-05). 
Like AWS and Azure, Google places the data and identity layers on the customer side at every service model. The GCP-specific nuance is the project-as-isolation-boundary: unlike AWS accounts or Azure subscriptions, a GCP project carries its own billing identity, its own IAM policy, and its own API enablement state. Cross-project access is explicit and granted via IAM rather than network reachability, which moves a meaningful chunk of segmentation work from network controls to identity policy. The General network principles page revisits that partition shift when it covers zero-trust pillars. OCI shared responsibility Oracle Cloud Infrastructure documents its partition under OCI Documentation — Security Overview and Shared Security Model (accessed 2026-05), which divides obligations between Oracle (data centre, hardware, virtualization, OCI services control plane) and the customer (workloads, identities, data, configurations within the tenancy). OCI's compartments are hierarchical containers within a tenancy that carry their own IAM policies, and they are the segmentation primitive across which the customer's half of the partition is enforced. The OCI-specific nuance is the Identity Domain abstraction: tenancies can host multiple Identity Domains, each with its own users, groups, applications, and MFA policies. Customers migrating from legacy IDCS deployments frequently inherit domain-level policy gaps that the OCI Security Best Practices (accessed 2026-05) checklist flags as the first hardening pass. Common misunderstandings Three misunderstandings recur often enough that every general-section reader should recognise them by sight. Each is captured below as a misconfiguration callout: the pattern identifies the false belief, names the obligation the customer actually holds, and cites the primary source that documents the partition. 
Common misunderstanding \"The provider backs up my SaaS data.\" No major SaaS provider commits to point-in-time recovery of customer-deleted records beyond a brief operational retention window (commonly 14 – 93 days). The CSA Top Threats to Cloud Computing 2024 (accessed 2026-05) report lists \"data loss\" as a top concern precisely because customers conflate provider durability (multi-AZ replication against hardware failure) with logical backup (recovery from accidental deletion, ransomware encryption, or insider destruction). The customer obligation is third-party backup, export, or retention-policy configuration; see the General data protection principles page for the immutable-backup pattern. Common misunderstanding \"PaaS means the provider handles security configuration.\" PaaS removes OS and runtime obligations; it does not remove configuration obligations. App Service authentication settings, Cloud Run ingress controls, Lambda execution roles, and OCI Functions invoker policies are all customer-owned. The Microsoft Cloud Security Benchmark (accessed 2026-05) documents this explicitly under its \"Configuration management\" domain, which applies to managed services as much as to VMs. Common misunderstanding \"AWS patches my EC2 instance OS.\" For IaaS compute, the guest OS is a customer responsibility for patching, vulnerability remediation, EDR/host-IDS deployment, and CIS benchmark hardening. AWS supplies Systems Manager Patch Manager as a convenience, but the obligation and the audit evidence both sit with the customer. The AWS Well-Architected Security Pillar (accessed 2026-05) is unambiguous: AWS manages the hypervisor and below; everything above is the customer's, including the kernel image. Cross-cutting implications The shared responsibility model is not a one-time orientation. It is the recurring lens through which every subsequent General-page control is framed. 
Six cross-cutting consequences carry into the domain principle pages and are worth previewing here. Identity is wholly customer-owned at every service model, which is why the General IAM principles page treats least privilege, MFA, and federation as first-class obligations rather than provider-supplied features. Network segmentation is also customer-owned at the configuration layer, so the General network principles page treats default-deny egress and private connectivity as design obligations rather than defaults. Data classification, the choice of which key, which retention policy, and which DLP rule applies, is permanent customer territory, expanded in the General data protection principles page. Logging configuration and SIEM routing are customer responsibilities even when the log substrate is provider-managed, which the General logging and detection principles page treats as the foundation for every detection control. Workload hardening (image baselines, supply-chain provenance, runtime security) is squarely customer-owned at IaaS and remains a configuration obligation at PaaS, as the General workloads principles page documents. Finally, the partition shapes incident response: when the control plane is customer-owned but the data plane is provider-managed, evidence acquisition and credential isolation procedures diverge from on-premise IR practice, which the General incident response principles page captures in its containment patterns. The conceptual companion to this page is the cloud threat model; the compliance crosswalk for the partition is documented in the compliance frameworks page; and the editorial process is described in the methodology page. 
Sources NIST SP 800-145 — The NIST Definition of Cloud Computing (accessed 2026-05) Amazon Web Services — Shared Responsibility Model (accessed 2026-05) AWS Well-Architected Framework — Security Pillar (accessed 2026-05) Microsoft Learn — Shared responsibility in the cloud (accessed 2026-05) Microsoft Cloud Security Benchmark (accessed 2026-05) Google Cloud Architecture Framework — Shared responsibilities and shared fate on Google Cloud (accessed 2026-05) Oracle Cloud Infrastructure Documentation — Security Overview and Shared Security Model (accessed 2026-05) Oracle Cloud Infrastructure — Security Best Practices Checklist (accessed 2026-05) Cloud Security Alliance — Top Threats to Cloud Computing 2024 (accessed 2026-05) CISA and NSA — Cybersecurity Information Sheets: Cloud Security Best Practices, March 2024 (accessed 2026-05)"},{"id":"general/threat-model.html","url":"general/threat-model.html","title":"Cloud Threat Model — Cloud Hardening Guide","breadcrumb":"Home General Cloud Threat Model","description":"Adversary classes, common attack chains, and blast-radius analysis for cloud environments — the threat backdrop for every domain control.","body":"Cloud Threat Model Overview Threat modelling in the cloud applies the same first principles as threat modelling on premise (what is the asset, who wants it, how can they reach it, and what happens if they succeed), but the attack surface and the response options differ in two consequential ways. First, the control plane (the provider API that creates, modifies, and destroys resources) is itself reachable over the public internet from anywhere a valid credential lives, which collapses the network distance between a phished laptop and a production database into a single API call. 
Second, the customer's portion of the shared responsibility model puts identity, configuration, and data protection on the customer side at every service model, so the bulk of the exploitable surface is not provider infrastructure but customer policy. The classical STRIDE taxonomy (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) documented in the Microsoft Learn — Microsoft Threat Modeling Tool (accessed 2026-05) maps cleanly onto the control plane: spoofing becomes credential stuffing against the IdP, tampering becomes API-level resource modification, elevation of privilege becomes role assumption across trust boundaries. The MITRE ATT&CK for Cloud matrix (accessed 2026-05) provides the empirical complement: a curated catalogue of tactics and techniques observed in real cloud intrusions, from Valid Accounts (T1078) through Cloud Service Discovery (T1526) to Exfiltration Over Web Service (T1567). This page synthesises both: who is attacking (adversary classes), how a chain runs end-to-end (attack chains), and how to bound the consequences (blast radius). Adversary classes Cloud defenders face five distinguishable adversary classes. The classes differ in motivation, capability, observed campaigns, and the controls that interrupt them. Later control pages tag their Mitigates field against one or more of the classes below. Opportunistic scanners The lowest-capability and highest-volume class. Opportunistic scanners enumerate publicly exposed assets (open S3 buckets, unauthenticated Elasticsearch clusters, Kubernetes dashboards on public IPs, exposed Docker daemons) using internet-wide scanning services and commodity tooling. Campaigns are not target-selected: they take whatever they find. The recurring \"leaky bucket\" incidents are the common public example, where a single misconfigured storage object ACL exposes millions of records to anyone who can guess the bucket name. 
The ENISA Threat Landscape 2025 (accessed 2026-05) places opportunistic scanning in the top tier of observed cloud attack volume. Credential thieves Cyber-criminal operators whose business model is acquiring valid cloud credentials and either selling them or using them to monetise the underlying account (cryptomining, data theft for extortion, BEC payment redirection). Acquisition vectors include infostealer malware on developer laptops, phishing kits that harvest IdP cookies, leaked secrets in public source repositories, and credential stuffing against IdPs without MFA. The clearest example is the Snowflake/UNC5537 campaign of 2024, where an infostealer-derived credential set was used to access more than 165 customer tenancies that had not enforced MFA. Mandiant's public advisory at Google Cloud / Mandiant — UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (accessed 2026-05) documents the tradecraft. Supply-chain attackers Adversaries that compromise an upstream dependency (a build server, a base container image, a CI/CD action, a developer tool, a managed service provider) to reach the real target by transit. Cloud environments are particularly exposed because workload identities are often granted broad permissions on the assumption that the supply chain is trusted. The 2020 SolarWinds intrusion remains the reference cross-domain example; CI/CD-flavoured variants include the 2023 CircleCI incident and recurring compromises of public GitHub Actions marketplace entries. NIST documents the defensive posture in NIST SP 800-218 — Secure Software Development Framework (SSDF) Version 1.1 (accessed 2026-05). Insiders Authorised principals (employees, contractors, partners) acting outside the bounds of their authorisation, whether maliciously or through negligence. 
The negligence subclass dominates by volume: developers committing keys to public repos, administrators leaving break-glass roles assumable without MFA, terminated employees retaining cloud access. The malicious subclass is lower in volume but disproportionate in blast radius because insiders already hold valid credentials and knowledge of the environment. Mitigations are mostly process and detective rather than preventive: separation of duties, just-in-time elevation, anomaly detection on privilege use, and credential rotation on offboarding. Nation-state APTs The highest-capability class, characterised by patience, custom tooling, operational security, and willingness to combine multiple low-and-slow techniques over months. Cloud targeting by APTs has grown sharply since 2020 as enterprise identity moved into Entra ID, Okta, and similar consolidated IdPs, because compromising the IdP yields access to the entire downstream estate. The 2024 example is the Midnight Blizzard (also tracked as APT29) intrusion into Microsoft corporate, where a legacy non-production OAuth application was abused to grant the actor access to Microsoft executive mailboxes; the Microsoft Security Response Center — Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (accessed 2026-05) post is the primary public record. Common attack chains Three attack chains recur across the public incident record often enough to be treated as reference patterns. Each is walked end-to-end below: a real incident callout names the precedent, a numbered list traces the steps, a figure describes the flow, and a threat-model summary names the controls that break the chain at each link. The chains map to MITRE ATT&CK technique IDs where applicable. Chain A: credential stuffing without MFA Incident Snowflake customer tenancies / UNC5537, 2024. 
Mandiant's advisory documents that the threat actor used credentials harvested years earlier by commodity infostealers to authenticate to Snowflake customer accounts that lacked MFA and network allow-listing. More than 165 organisations were notified, including Ticketmaster and Santander. Provider infrastructure was uninvolved; every breach was a consequence of customer-side IAM configuration. Source: Google Cloud / Mandiant UNC5537 advisory (accessed 2026-05). Infostealer malware (RedLine, Vidar, Raccoon) lands on a contractor or developer laptop and exfiltrates browser-stored credentials, including a Snowflake account password. Credential is sold or shared on a criminal marketplace. Adversary authenticates to the Snowflake tenancy directly over the internet, with no MFA challenge, no IP allow-list, and no conditional access policy. Adversary enumerates accessible warehouses and schemas (ATT&CK T1526 — Cloud Service Discovery). Bulk data export via COPY INTO to an attacker-controlled S3 bucket (T1567 — Exfiltration Over Web Service). Extortion message delivered to the victim organisation referencing the exfiltrated record counts. Mitigates Credential-stuffing chains against IdP and direct-service authentication. Phishing-resistant MFA (FIDO2/WebAuthn) at the IdP, network allow-list policies on the data service, conditional-access rules that require managed-device posture, and detection rules on impossible-travel and bulk-export anomalies each break Chain A at distinct links. See General IAM principles for the MFA obligation and General logging principles for the detection layer. Chain B: SSRF to instance metadata to S3 exfiltration Incident Capital One, 2019. A misconfigured ModSecurity WAF on an EC2 instance was abused to issue a server-side request forgery (SSRF) against the IMDSv1 metadata endpoint at 169.254.169.254, retrieving temporary credentials for the instance role. 
The role carried s3:ListBucket and s3:GetObject on a bucket containing approximately 100 million customer records, which the attacker exfiltrated. The DOJ filing and KrebsOnSecurity — What We Can Learn from the Capital One Hack (accessed 2026-05) walk-through document the chain. Attacker discovers a WAF endpoint that proxies arbitrary URLs (SSRF primitive). Attacker requests http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> through the SSRF proxy. IMDSv1 has no session-token requirement, so the metadata service answers. The response contains an AccessKeyId, SecretAccessKey, and Token for the EC2 instance role. Attacker calls s3:ListBucket across the account from outside AWS using the stolen credentials. Attacker calls s3:GetObject against the customer records bucket and exfiltrates the contents. Mitigates Server-side-request forgery and over-permissive instance-role chains. IMDSv2 token-required mode breaks the SSRF-to-metadata step; least-privilege instance roles bound the post-credential blast radius; VPC endpoints with bucket policies that condition on aws:SourceVpce prevent off-VPC use of stolen credentials; CloudTrail and GuardDuty CredentialExfiltration findings detect the credential leaving the VPC. See General network principles, General IAM principles, and General data protection principles for the layered defence. Chain C: OAuth application abuse to tenant access Incident Midnight Blizzard / Microsoft, January 2024. APT29 password-sprayed a non-production Microsoft tenant and compromised a legacy test OAuth application that retained elevated permissions to the corporate Exchange Online tenant. Using the application's consent grant, the actor accessed a small number of executive mailboxes. The Microsoft Security Response Center — Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (accessed 2026-05) post details the chain and Microsoft's remediation steps. 
Password-spray attack against a legacy non-production tenant identifies a low-privilege account with a weak password and no MFA (ATT&CK T1110.003 — Password Spraying). Inside the tenant, attacker enumerates registered applications and identifies a legacy test OAuth app holding elevated EWS.full_access_as_app grants on the corporate tenant. Attacker creates additional malicious OAuth applications and consents them with the compromised principal (T1098.003 — Additional Cloud Roles). OAuth app tokens authenticate to corporate Exchange Online as the application identity, bypassing user-MFA controls. Attacker reads selected executive mailboxes via Exchange Web Services (T1114.002 — Remote Email Collection). Mitigates OAuth application abuse and cross-tenant grant inheritance. Conditional access on app-consent grants, regular audit of application permissions and consented scopes, removal of unused legacy tenants, MFA enforcement on every principal (including non-production), and detection rules on application credential addition events break this chain. See General IAM principles for federation and consent hygiene and General incident response principles for the credential-isolation containment pattern that Microsoft applied during remediation. Blast radius taxonomy Every control in this guide carries a Blast radius sub-field that records the scope of compromise if the control fails. Blast radius is the unit in which incident severity is measured, and it is also the unit on which segmentation investments are justified. Four scope tiers recur, ordered smallest to largest. Single resource. Compromise is bounded to one object: a single S3 bucket, a single Cloud SQL instance, a single VM. The control plane and the identity plane are unaffected; remediation is the resource owner's responsibility and does not require coordinated organisational action. Single account, subscription, project, or compartment. 
Compromise reaches every resource inside one provider accounting boundary. This is the primary segmentation unit on all four hyperscalers and is the level at which the shared-responsibility model is most often instantiated. Containment requires revoking principal credentials in that boundary and rotating any keys, secrets, or service-account tokens that lived inside it. Entire organisation. Compromise reaches across provider accounting boundaries via an inherited trust relationship: AWS Organizations OrganizationAccountAccessRole, Azure Management Group inheritance, GCP Folder-level IAM, OCI tenancy-level policies. Containment requires action at the organisation root and is the scenario for which break-glass procedures exist. Data classification (see General data protection principles) determines the regulatory and reputational impact at this tier. Cross-tenant. Compromise reaches resources outside the customer's contractual boundary: into a partner tenancy via federation trust, into a downstream customer via MSP credentials, or into the provider control plane itself. Cross-tenant blast is rare but disproportionately consequential because containment depends on a third party's response. The Midnight Blizzard chain is the recent reference example. The taxonomy aligns with the impact framing in NIST SP 800-30 Revision 1 — Guide for Conducting Risk Assessments (accessed 2026-05). Mapping threats to controls Every control article in Phases 5 through 9 of this guide carries a <aside class=\"threat-model\"> box with three labelled sub-fields: Mitigates (the threat this control prevents, detects, or responds to), Attack vector (how the attack proceeds in the control's absence), and Blast radius (the scope of compromise if the control fails). The threat names referenced in the Mitigates field draw from the adversary classes and attack chains catalogued above; the blast-radius values draw from the taxonomy in the previous section. 
This page is therefore implicitly cited by every downstream control, and the reciprocal link from each domain page back to this one is the editorial guarantee that the guide's threat coverage is consistent across providers. The mapping is not one-to-one. A single control can mitigate multiple chains (MFA breaks both Chain A and Chain C), and a single chain is typically broken by overlapping controls at different layers. Defenders should expect this redundancy and should resist the temptation to remove \"duplicative\" controls on the grounds that another control already covers the chain; defence in depth is the entire point. The methodology by which controls are selected, severities assigned, and threat coverage audited is described in the methodology page; the framework crosswalk used to align controls with external regulatory expectations lives in the compliance frameworks page; and the upstream partition that determines which threats are even the customer's to mitigate is the shared responsibility model. The six domain principle pages (IAM, network, data, logging, workloads, and incident response) each operationalise the controls that break the chains documented above into provider-neutral principles, which the provider-specific domain pages then realise as concrete configurations. 
Sources MITRE ATT&CK for Enterprise — Cloud Matrix (accessed 2026-05) ENISA Threat Landscape 2025 (accessed 2026-05) NIST SP 800-30 Revision 1 — Guide for Conducting Risk Assessments (accessed 2026-05) NIST SP 800-154 (Initial Public Draft) — Guide to Data-Centric System Threat Modeling (accessed 2026-05; Initial Public Draft — no final version published as of 2026-05) Google Cloud / Mandiant — UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (accessed 2026-05) Microsoft Security Response Center — Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (accessed 2026-05) KrebsOnSecurity — What We Can Learn from the Capital One Hack (accessed 2026-05) Microsoft Learn — Microsoft Threat Modeling Tool (accessed 2026-05) CISA and NSA — Cybersecurity Information Sheets: Cloud Security Best Practices, March 2024 (accessed 2026-05) NIST SP 800-218 — Secure Software Development Framework (SSDF) Version 1.1 (accessed 2026-05)"},{"id":"general/workloads.html","url":"general/workloads.html","title":"General Workloads Principles — Cloud Hardening Guide","breadcrumb":"Home General Workloads","description":"General workload hardening principles: image and OS baselines, patch cadence, runtime security, container and serverless specifics, software supply chain, and secrets at runtime.","body":"General Workloads Principles Overview A workload, in this corpus, is any executable artefact a customer runs against a cloud-provider compute substrate: a virtual machine booted from an image, a container scheduled by Kubernetes or a managed runtime, a function invoked by an event source, or a managed-runtime application packaged behind a platform abstraction such as AWS App Runner, Azure App Service, Google Cloud Run, or Oracle Container Instances. The abstractions differ; the principles that determine whether an attacker's dropper, a stolen credential, or a malicious dependency turns into customer data loss do not. 
Workload hardening reduces the population of resources an attacker can land on, raises the cost of code execution on those resources, and makes the resulting activity visible to the detection pipeline documented in the General logging and detection principles page. This page treats six principles as the workload-hardening backbone (image and OS hardening, patch management, runtime security, container-specific controls, serverless-specific controls, and software supply chain integrity) plus a brief cross-reference to secrets at runtime, whose canonical treatment lives on the General IAM principles page. Configuration knobs that implement each principle on AWS, Azure, GCP, and OCI are deferred to the per-provider workload pages at aws/workloads.html, azure/workloads.html, gcp/workloads.html, and oci/workloads.html. The threats these principles answer are catalogued on the cloud threat model page; the partition of responsibility between provider and customer is established on the shared responsibility model page. Image / OS hardening The base image is the cheapest place in a workload's life cycle to remove attack surface. A custom AMI, managed image, custom image, or custom OCI image that begins from a CIS Hardened Image or an equivalent provider-blessed minimal image inherits the configuration baselines codified in the CIS Benchmark for the underlying operating system (locked-down sysctl, disabled legacy services, sane file permissions, NIST SP 800-53 rev5 CM-6 (Configuration Settings) compliance) without the customer re-deriving them. The CIS-CAT tool measures drift against the benchmark and produces audit-grade reports; running it in the image-build pipeline catches drift before it ships, not in production. Whether the base is a CIS Hardened Image or a custom build, the surface area that ships with the image is the floor of the surface area in production. 
Default accounts (root, ec2-user, opc, azureuser) that are not strictly required should be disabled or password-locked; an SSH daemon that is not strictly required for a workload type (everything that is not a bastion, and most container hosts) should be removed entirely rather than firewalled. Removing unnecessary packages (compilers, debuggers, interactive editors, package managers in production images) shrinks both the attack surface and the credibility of any lateral-movement attempt. The same logic applies to listening network services: an image whose ss -lntp output is minimal at boot has fewer paths a compromised neighbour can probe. On top of the hardened image, three observability primitives should be installed at build time, not bolted on at runtime: host audit logging via auditd or its equivalent (writing to the centralised logging substrate of the General logging and detection principles page); a host inventory and configuration-introspection agent such as osquery; and an endpoint detection-and-response sensor sized to the workload's risk class. The image-build pipeline produces provenance metadata (SBOM, signature, build attestation), covered in §Supply chain security; that metadata connects the hardened image to the supply-chain controls that protect what is inside it. Patch management Patch cadence is one of the few security metrics that is easy to measure and difficult to argue with. The cadence this corpus recommends, which also appears in CIS Controls v8 Safeguard 7.3 and 7.4 and in NIST SP 800-53 rev5 SI-2 (Flaw Remediation), is forty-eight to seventy-two hours for critical CVEs against internet-facing or high-privilege workloads, and thirty days for everything else. Faster is better; the floor exists to make slipped cadences visible as findings rather than as permanently absent controls. 
Each major provider ships a cloud-native patch service that removes the operational excuse of \"we lacked tooling.\" AWS Systems Manager Patch Manager orchestrates baseline selection, maintenance windows, and compliance reporting across EC2 and on-premise hybrid fleets. Azure Update Manager (the Arc-aware successor to Update Management) drives patch scans and deployments across Azure VMs and Arc-enabled servers from a single plane. Google Cloud OS Patch Management (under VM Manager) covers Compute Engine instances with patch deployments and compliance reports. Oracle OS Management Hub provides the equivalent across OCI Compute and on-premise hosts. Adopting one of these, and routing its compliance status into the security findings substrate rather than an email folder, is the cheapest path to a measurable patch posture. Patch compliance reporting belongs in the security findings pane (AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center, OCI Cloud Guard) alongside configuration and threat findings. When a critical CVE publishes, the question \"how many of our workloads are exposed?\" should be answerable in minutes, not days. Where patching is impossible (third-party appliances, embedded firmware, fragile legacy applications) compensating controls such as network isolation, EDR-enforced behavioural detection, and more aggressive logging become explicit rather than implicit. Runtime security Patching addresses known flaws; runtime security addresses the space between disclosure and patch and the long tail of misuse, abuse, and zero-day exploitation that no patch schedule closes. 
On virtual machines, an endpoint detection-and-response sensor (Microsoft Defender for Endpoint, Amazon GuardDuty Runtime Monitoring, Google Cloud Security Command Center virtual machine threat detection, or Oracle Cloud Guard Instance Security) provides behavioural telemetry such as process trees, network connections, and file integrity, and a detection signal far more durable than antivirus signatures. The sensor should be installed in the base image (image-time, not runtime), should report into the same centralised security findings substrate as configuration findings, and should have its own alerting on health: a missing or muted EDR sensor is itself an incident-worthy condition. Containers run too briefly and at too high a density for per-host EDR to be the only line of defence. Container runtime security tooling watches kernel-level syscalls and container life-cycle events instead. Falco, the CNCF runtime-security project, expresses detections as YAML rules over syscall and Kubernetes audit events. Provider equivalents and integrations include Microsoft Defender for Containers (with its built-in runtime threat detection for AKS, EKS, and GKE), Google Kubernetes Engine Security Posture and GKE runtime threat detection, and Oracle Cloud Guard with the Kubernetes engine agent. The detections worth wiring up first are the ones covered by NIST SP 800-190 §4: a shell spawned in a production container, unexpected outbound network from a workload pod, a mount of the host filesystem, or escalation via a writable /etc. They are observable, low-noise, and high-signal. Misconfiguration: \"EDR replaces patching.\" EDR detects post-exploitation behaviour; it does not prevent exploitation. A workload running a kernel vulnerable to an unauthenticated remote code execution CVE remains exploitable whether or not an EDR sensor is installed. Behavioural detection narrows the window between exploitation and response; patching closes the window before it opens. 
Treating EDR as a substitute for SI-2 patch cadence converts a CRITICAL preventive control into a HIGH detective control and accepts the resulting blast-radius expansion silently. Behavioural detection is also worth more than signature detection on cloud workloads because attackers increasingly live off the land: a legitimate aws sts get-caller-identity call from an unusual instance, a kubectl exec from a service-account that has never exec'd before, an outbound DNS request to a never-resolved domain. Signatures catch the previous campaign; behaviour catches the next one. Detection coverage maps cleanly onto the MITRE ATT&CK Cloud and Containers matrices, which is the recommended baseline for runtime-detection content per General logging and detection principles. Container-specific Containers add four hardening principles on top of the general workload baseline: image provenance, admission control, pod-level least privilege, and namespace and network isolation. NIST SP 800-190 (Application Container Security Guide) is the canonical reference for the first three; the fourth overlaps with the General network principles page. Image provenance answers the question \"did we, in fact, build and approve this image?\" The answer is a cryptographic signature produced at build time and verified at deploy time. Sigstore's cosign, the Notary v2 / Notation toolchain, and AWS Signer all sign container images using short-lived identities (OIDC-bound, in the cosign keyless model) or long-lived KMS-backed keys. The signature is attached to the image (as an OCI artefact in the registry) and verified by the cluster before the image runs. Without verified provenance, the supply chain ends at the registry, and any attacker who can write to the registry can replace what runs. Admission control is the enforcement point that consumes the provenance signal. 
Kubernetes admission controllers (Kyverno, OPA Gatekeeper, Google Binary Authorization, Azure Policy for AKS, the AWS GuardDuty / Defender for Containers admission integrations on EKS) evaluate every pod, deployment, and custom resource against a policy set before it is admitted to the cluster. The minimum useful policy set rejects unsigned images, rejects images from registries outside an allow-list, rejects containers running as root, rejects writable root filesystems, rejects pods that mount the host filesystem or escalate privileges, and rejects pods that grant themselves excessive capabilities. The illustrative control in §Illustrative control expands this pattern in full DS-05 markup. Pod-level least privilege is the in-cluster mirror of IAM least privilege: containers should run as a non-root UID, with a read-only root filesystem, with the Linux capabilities set dropped to the minimum the workload actually requires (most workloads need none), with seccomp profile RuntimeDefault or stricter, and with no privileged: true, no hostNetwork, no hostPID, no host-path volumes. Combined with Kubernetes NetworkPolicy and provider VPC primitives (cross-linked from network principles), these settings shrink the blast radius of a single compromised pod from \"the cluster\" to \"the pod.\" Serverless-specific Serverless functions (AWS Lambda, Azure Functions, Google Cloud Run functions, OCI Functions) eliminate host patching and image hardening as customer concerns but introduce three workload-specific hardening principles of their own. First, the function execution role is the credential the function holds for every invocation; it is the single highest-value secret in the function's life cycle and must be scoped to the function's actual data and API needs per the least-privilege principle on the General IAM principles page. A function whose execution role grants * on DynamoDB or Storage is a one-shot data-exfiltration tool for anyone who triggers it with malicious input. 
Second, environment variables are not a secrets store. Function environment variables are visible to anyone with read access to the function configuration (and, in some providers, to anyone with read access to the deployment metadata in the platform's audit trail). Secrets belong in the provider secret store (AWS Secrets Manager, Azure Key Vault, Google Secret Manager, OCI Vault), fetched at invocation time with the execution role acting as the authoriser; canonical treatment lives in General IAM principles §Secrets management. Third, functions that interact with private data planes (databases, internal APIs) should be attached to a VPC, VNet, or VCN with controlled egress; functions that do not need internet egress should not have it. The cold-start identity window, the moment the platform assumes the execution role for the first invocation, is also the moment any platform compromise would be most visible, which is why audit-log coverage of function invocations and role assumptions is non-negotiable. Supply chain security Software supply chain attacks (SolarWinds, the xz-utils backdoor, malicious npm typosquats, compromised GitHub Actions runners) are by now a mature category, not an edge case. The defensive baseline is codified across three publications that should be read as a set: NIST SSDF SP 800-218 (Secure Software Development Framework), which enumerates the practices every producer of software should adopt; NIST SP 800-204D, which adapts SSDF for CI/CD environments; and the SLSA framework (Supply-chain Levels for Software Artefacts), which formalises a maturity ladder from SLSA 1 (build provenance exists) through SLSA 4 (hermetic, reproducible, two-person-reviewed builds). The SLSA specification is community-maintained and versions frequently; verify the current level definitions at writing time against the slsa.dev specification page. The artefact that ties supply-chain controls together is the software bill of materials. 
CycloneDX and SPDX are the two standards in use; either is acceptable, both should be consumable by downstream tooling. CISA's SBOM guidance and the NTIA \"Minimum Elements for a Software Bill of Materials\" (July 2021) define what a usable SBOM contains: supplier, component name, version, unique identifiers, dependency relationships, author of SBOM data, and timestamp. SBOMs should be generated during the build (not after, not on demand), signed alongside the artefact, and stored in a queryable substrate so that \"are we exposed to CVE-YYYY-NNNNN?\" becomes a SQL query rather than a fire drill. Dependency scanning is the operational layer below SBOM. GitHub Dependabot, Snyk, Sonatype, AWS Inspector v2 (which scans ECR images and Lambda functions), Microsoft Defender for Cloud's vulnerability assessment for containers, Google Artifact Registry vulnerability scanning, and Oracle Vulnerability Scanning Service all surface known-vulnerable dependencies against published CVE feeds. The value of these tools is proportional to how quickly findings reach a developer who can fix them; a 14-day SLA on dependency findings in production artefacts is a reasonable starting baseline, tighter for high-privilege internet-facing services. Build-system isolation closes the last gap. CI/CD runners that have access to production credentials or signing keys are themselves part of the supply chain; they should run on ephemeral, locked-down infrastructure, authenticate to clouds via short-lived OIDC tokens (AWS IAM Roles for GitHub Actions, Azure workload identity federation, GCP Workload Identity Federation, OCI identity federation) rather than long-lived static keys, and emit verifiable build provenance attestations alongside the artefacts they produce. Secrets in workloads Workloads consume credentials: database passwords, API keys for downstream services, signing keys, OAuth client secrets. 
The canonical treatment of secrets, including the rotation cadence, provider-store comparison (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, OCI Vault), workload-identity-federation patterns that eliminate static keys, and the static-key-elimination requirement, lives on the General IAM principles page §Secrets management rather than being duplicated here. This page reiterates the three workload-side rules: secrets do not live in source repositories, container images, function environment variables, or CI logs; secrets are fetched from a provider secret store at runtime by an identity (instance profile, managed identity, service account, resource principal) whose privilege is narrow; and secret access is itself an audit event worth alerting on. Cross-link to the General incident response principles page for the credential-isolation containment pattern that consumes secret-access telemetry during a live incident. Cross-provider equivalence The four major providers cover the same hardening principles with different products. The table below is a quick-reference for \"where do I look in provider X for control Y?\", not a compliance crosswalk. Per-provider depth lives in the workload pages of each provider's domain section, which document the configuration knobs, CLI invocations, and Terraform resources that this general page intentionally elides. 
Principle AWS Azure GCP OCI EDR / VM runtime detection GuardDuty Runtime Monitoring + Inspector v2 Microsoft Defender for Servers (Plan 2) Security Command Center VM Threat Detection Oracle Cloud Guard Instance Security Container registry vulnerability scan Amazon Inspector v2 (ECR) Microsoft Defender for Containers Artifact Registry vulnerability scanning OCI Vulnerability Scanning Service (Container Registry) Admission control for signed images No native control plane; OPA / Kyverno on EKS, plus Defender for Containers admission integration Azure Policy for AKS + Defender for Containers admission Google Binary Authorization OPA Gatekeeper / Kyverno on OKE Patch management service AWS Systems Manager Patch Manager Azure Update Manager OS Patch Management (VM Manager) OS Management Hub Build provenance / signing AWS Signer + Sigstore cosign Notation / cosign + Azure Container Registry signing Binary Authorization + cosign attestations cosign / Notation against OCI Container Registry Illustrative control: signed image admission The control below illustrates the canonical <article class=\"control-box\"> markup as it appears across the corpus. It is provider-neutral and intended to be read as a worked example rather than as a directly-applicable recommendation; each provider's workloads page restates the same intent with provider-specific CLI and IaC. The control mitigates supply-chain image substitution attacks: an adversary with write access to a container registry replaces a legitimate image, or pushes a new tag, expecting the cluster to pull it unchecked. The attack chain is enumerated in the cloud threat model page under software-supply-chain adversary classes. 
gen-work-ex-01 Enforce signed container images via admission control ⚠ HIGH PREVENTIVE MITIGATES Supply-chain image substitution: an attacker with write access to a container registry (compromised CI credentials, leaked registry token, malicious insider) replaces a legitimate image, or pushes a new tag the cluster trusts, and the cluster executes adversary-controlled code under the workload's IAM identity. ATTACK VECTOR Without admission-level signature verification, the cluster pulls whatever image satisfies the deployment's image reference. If the reference is a mutable tag, registry-side replacement is sufficient. If the reference is a digest, the attacker pivots to compromising the CI pipeline that selects digests. Either way, no cluster-side check distinguishes legitimate from substituted images. BLAST RADIUS Every workload running the affected image, plus everything reachable via that workload's IAM identity, service-account bindings, mounted secrets, and in-cluster network position. For a high-privilege controller (ingress, service mesh, secrets operator), the blast radius is the entire cluster and every data plane it can reach. The control admits only images whose digest is signed by a trusted key (cosign keyless via OIDC, AWS Signer KMS-backed key, Google Binary Authorization attestor, or equivalent) and whose signature chain resolves to a build pipeline the organisation controls. Tag-based references are rejected; references resolve to immutable digests before signature verification. The policy is enforced at admission, not at scheduling, so a rejected image never gets a pod-spec. Compliance mappings follow the canonical seven-column framework header per docs/control-template.md; the cell content below names benchmark recommendations whose exact numbering must be verified against the pinned version in use, per the corpus's pinned-version contract documented on the compliance frameworks page. 
CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 Software supply-chain recommendations in companion Software Supply Chain Security Guide (verify section number) Defender for Containers — image signing enforcement (verify section number) Binary Authorization recommendations in CIS GKE companion benchmark (verify section number) OKE / Container Registry hardening recommendations (verify section number) CM-14 (Signed Components), SI-7 (Software, Firmware, and Information Integrity); see also NIST SP 800-190 §4 A.8.30 — Outsourced development; A.8.28 — Secure coding CLD.9.5.1 — Segregation in virtual computing environments (compensating reference) Sources NIST SP 800-190 — Application Container Security Guide (accessed 2026-05) NIST SP 800-218 — Secure Software Development Framework (SSDF) Version 1.1 (accessed 2026-05) NIST SP 800-204D — Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines (accessed 2026-05) SLSA — Supply-chain Levels for Software Artefacts specification (accessed 2026-05) CISA — Software Bill of Materials (SBOM) guidance hub (accessed 2026-05) NTIA — The Minimum Elements For a Software Bill of Materials, July 2021 (accessed 2026-05) NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls for Information Systems and Organizations (accessed 2026-05) CIS Center for Internet Security — CIS Benchmarks portal (accessed 2026-05) MITRE ATT&CK — Containers matrix (accessed 2026-05)"},{"id":"index.html","url":"index.html","title":"Cloud Hardening Guide — Period-Authentic Cloud Security Reference","breadcrumb":"","description":"A 37-page period-authentic static cloud security hardening reference covering AWS, Azure, GCP, and OCI, mapped to CIS, NIST 800-53, and ISO 27001/27017.","body":"AWS · Azure · GCP · OCI Harden your cloud, control by control. 
A hand-written, period-authentic reference for securing workloads across the four major cloud providers. Every page is self-contained static HTML — no build step, no framework, no JavaScript required to read a word of it. Controls are mapped to CIS, NIST SP 800-53 rev5, and ISO 27001/27017 with pinned benchmark versions. Start with the General Guide Compliance Matrix 37Pages 4Cloud Providers 6Security Domains 3Compliance Frameworks Choose your provider Each provider section maps the cross-cutting principles onto concrete services and configuration primitives. aws AWS IAM · Network · Data · Logging · Workloads · IR Azure Entra ID · NSGs · Key Vault · Defender · Sentinel GCP IAM · VPC SC · CMEK · SCC · Org Policy OCI OCI IAM Policies · NSGs · Vault · Cloud Guard · Audit Six security domains, per provider A consistent structure across every provider so you can navigate sideways — find the same control wherever you work. Identity & Access Root MFA, least privilege, permission boundaries, access review. Network Segmentation, private endpoints, egress control, WAF & DDoS. Data Protection Encryption at rest, KMS key policy, public-access blocks, DLP. Logging & Detection Audit trails, flow logs, threat detection, alerting baselines. Workloads Instance metadata, image scanning, function least privilege, K8s. Incident Response Break-glass, evidence preservation, containment, forensics. Provider sections also cover GenAI Security and Kubernetes hardening. Built to be read, audited, and printed Compliance-mapped Every control carries a table mapping it to CIS Foundations Benchmarks, NIST SP 800-53 rev5, and ISO 27001/27017 — with pinned versions. Copy-paste remediation CLI and infrastructure-as-code fixes for each control, with one-click copy buttons — Terraform, CloudFormation, Bicep, and gcloud. No JavaScript to read Pure static HTML and CSS. 
It loads instantly, prints cleanly, survives in the Wayback Machine, and works with JavaScript switched off."},{"id":"oci/data.html","url":"oci/data.html","title":"OCI Data Protection Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Data Protection","description":"OCI data protection: Object Storage privacy, OCI Vault BYOK/HYOK, Block Volume CMEK, Autonomous DB encryption, Vault policy + rotation, Data Safe, Object Storage retention.","body":"OCI Data Protection Hardening Overview This page covers Oracle Cloud Infrastructure data protection across the surfaces that decide whether an attacker who has reached a credential, a workload, or a managed-service control plane can read, exfiltrate, or destroy stored data. Scope is the commercial OCI realms (OC1); OCI Government Cloud and dedicated-region tenancies inherit the same controls but expose realm-specific endpoints and a smaller set of regions for some services — re-verify region availability for Data Safe, Vault HSM partitions, and Autonomous Database flavours in the relevant docs.oracle.com realm-endpoint documentation before applying the IaC below to a sovereign or dedicated-region deployment. CIS sub-IDs and NIST / ISO mappings on this page reference the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0 (accessed 2026-05) unless explicitly annotated as a post-v2.0.0 feature or a best-practice recommendation that the v2.0.0 benchmark has not yet codified. CIS published the Oracle Cloud Infrastructure Foundations Benchmark v3.1.0 in 2026; this site cites v2.0.0 throughout the corpus for consistency with the locked compliance-table contract. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. 
The OCI data model is the product of Object Storage (regional buckets in a tenancy-scoped namespace; the bulk-object surface — analogue of S3 / Azure Blob / GCS), Block Volume (boot and data volumes attached to Compute instances; per-volume encryption with Vault keys), File Storage Service (FSS) (NFS-style shared filesystems with in-transit encryption), Autonomous Database (ADB) (the fully-managed Oracle database flavour with self-tuning, self-patching, and TDE built in), Base Database (DB Systems — operator-managed Oracle DB on Compute, also TDE-capable), MySQL Database Service and PostgreSQL (managed open-source database offerings), OCI Vault (the key-management service; formerly OCI KMS pre-rebrand; \"KMS keys\" or \"Vault keys\" remain the primitive object name inside Vault), and Data Safe (a database-security control plane providing activity auditing, sensitive-data discovery, data masking, and security-assessment scoring against Autonomous + Base + MySQL DB targets). Encryption-in-transit is owned by General Network — encryption in transit as the canonical-content cross-link; this page does not re-author the TLS / mTLS treatment. The cross-cutting principles — encryption at rest, key management, data classification, data loss prevention, and retention, backup, and recovery — are owned by the General Data page; this page maps them to OCI primitives. Three anti-conflation callouts up front, because each pair gets confused in audit reports and architecture reviews and the distinction matters for control design. First: OCI Vault vs OCI KMS terminology. OCI Vault is the service brand — the service-level surface in the console, the IAM resource family oci_kms_vault, and the unit of regional deployment. Inside a Vault, the cryptographic objects are called Vault keys or KMS keys (both appear in Oracle docs and CLI output); the legacy product name \"OCI KMS\" survives only as the primitive name of the keys themselves and in some API paths (the oci kms management ... 
CLI tree). On this site we say \"OCI Vault\" for the service surface and \"Vault keys (KMS primitive)\" or \"Vault keys\" for the keys. The bare phrase \"OCI KMS\" without the Vault qualifier on the same line is the legacy terminology pattern and should be rewritten. Second: Data Safe vs Vault. Data Safe (oci-data-07) is the database-side activity-auditing, sensitive-data-discovery, data-masking, and security-assessment service that registers Autonomous + Base + MySQL DB targets and produces compliance reports against the database surface — it has nothing to do with cryptographic key management. Vault (oci-data-02 / oci-data-05 / oci-data-06) is the key-management service that owns key custody for Object Storage, Block Volume, Autonomous DB, and any other consumer that references a kms_key_id. They are different services with different consoles, different IAM resource families, different audit-event sources, and different compliance domains. Conflating them produces a control matrix where \"encryption\" and \"database auditing\" become a single checkbox; both invariants must be authored and verified independently. Third: Virtual Private Vault (HYOK) vs software-backed Vault (BYOK). OCI Vault offers two tiers: the default software-backed Vault (multi-tenant HSM partition shared across the realm) and the Virtual Private Vault (a dedicated HSM partition with isolated key material — the HYOK-style custody tier for regulated workloads). oci-data-02 demonstrates both: BYOK (Bring Your Own Key — import customer-supplied key material wrapped with the Vault's wrapping key) on a software-backed Vault, and HYOK-style isolation on a Virtual Private Vault. BYOK is about where the material originated (customer-generated and imported, not Oracle-generated); HYOK is about which HSM partition holds it (a dedicated partition, not the shared one). They are orthogonal — a Virtual Private Vault can hold either Oracle-generated or BYOK-imported keys; a software-backed Vault can hold either. 
Order and scope matter. Controls 01–04 are foundational invariants: keep Object Storage buckets private at the explicit NoPublicAccess setting, anchor the key chain in Vault with BYOK plus a Virtual Private Vault tier available for regulated workloads, encrypt every Block Volume with a Vault key, and provision Autonomous DB with customer-managed Vault keys plus a private endpoint and mTLS. Control 05 scopes Vault IAM policy at the key level (not the vault level) so that separation of vault-admin from key-use is enforced — CRITICAL because compromise of this policy unwinds the entire Vault chain. Control 06 rotates Vault keys on a regular cadence; MEDIUM DETECTIVE because rotation bounds the compromise window of an already-leaked key but does not prevent compromise. Control 07 enables Data Safe across the database estate as the DB-side audit and discovery surface. Control 08 closes the retention loop with Object Storage retention rules locked via time_rule_locked so that compromise-time deletion cannot complete inside the retention window. The IAM compartment hierarchy (oci-iam-07-compartment-hierarchy) and the least-privilege policy primitive (oci-iam-08-policy-least-privilege) are owned by the OCI IAM page and cross-referenced from this page where they bound the blast radius of Vault and Data Safe administration. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-data-01-object-storage-private ! CRITICAL PREVENTIVE Every Object Storage bucket must carry the explicit attribute public_access_type = \"NoPublicAccess\". 
OCI buckets default to NoPublicAccess at creation, but the attribute is mutable — a single oci os bucket update --public-access-type ObjectRead or ObjectReadWithoutList flips the bucket to anonymous-read on its objects (or, with ObjectReadWithoutList, anonymous-read without bucket listing). Pinning the attribute at NoPublicAccess in IaC and re-asserting it via compartment-level policy is the structural defence. Pre-authenticated requests (PARs) — OCI's signed-URL equivalent for time-bounded anonymous access to specific objects — must be inventoried via oci os preauth-request list on every bucket, with a documented expiry policy and Audit-service alarms on creation of long-lived PARs (Oracle Cloud Infrastructure — Object Storage overview (accessed 2026-05)). Bucket-level IAM is enforced through compartment policy (Allow group X to read objects in compartment Y where target.bucket.name = '...') — OCI Object Storage does not use AWS-style per-bucket ACLs. The principle is reinforced in General Data — data classification: the cost of accidental publication of a single object can be the cost of the entire dataset, and a single-attribute change (or a single permissive PAR) is enough to publish. MITIGATES: Anonymous-read exposure of Object Storage objects via the public bucket endpoint, accidental creation of long-lived pre-authenticated requests, and lateral discovery of object inventory via bucket-list when a bucket is briefly switched to ObjectRead. ATTACK VECTOR: A workload team needs to share a build artefact with an external vendor and flips a bucket to ObjectRead \"temporarily\"; the change is never reverted. Within hours, opportunistic scanners that enumerate OCI bucket namespaces locate the bucket and exfiltrate the object inventory. Worse, a long-lived PAR with a multi-year expiry is created and shared via email; the PAR URL leaks through inbox archives and becomes a multi-year anonymous-access channel. Compounds when PARs are not inventoried. 
BLAST RADIUS: Per bucket: every object the bucket holds for as long as the bucket remains ObjectRead (or until the offending PAR expires). For multi-terabyte buckets the exfiltration window is measured in days even on commodity bandwidth. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: pin the bucket to NoPublicAccess explicitly. oci os bucket update \\ --namespace \"$OS_NAMESPACE\" \\ --bucket-name \"$BUCKET\" \\ --public-access-type NoPublicAccess # Step 2: enable versioning + bind a Vault key (CMEK; see oci-data-02). oci os bucket update \\ --namespace \"$OS_NAMESPACE\" \\ --bucket-name \"$BUCKET\" \\ --versioning Enabled \\ --kms-key-id \"$BUCKET_CMK_OCID\" # Step 3: audit pre-authenticated requests (long-lived PARs are anonymous-access channels). oci os preauth-request list \\ --namespace \"$OS_NAMESPACE\" \\ --bucket-name \"$BUCKET\" \\ --query 'data[*].{name:name, expires:\"time-expires\", access:\"access-type\"}' \\ --output table # Step 4: tenancy-wide search for any bucket NOT at NoPublicAccess. oci search resource structured-search \\ --query-text \"query bucket resources where (lifecycleState = 'ACTIVE')\" \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) data \"oci_objectstorage_namespace\" \"ns\" { compartment_id = var.tenancy_ocid } resource \"oci_objectstorage_bucket\" \"secure\" { compartment_id = var.workload_compartment_id namespace = data.oci_objectstorage_namespace.ns.namespace name = \"app-prod-data\" public_access_type = \"NoPublicAccess\" versioning = \"Enabled\" kms_key_id = oci_kms_key.bucket_cmk.id # Object Events emitted for downstream Cloud Guard / Notifications wiring. object_events_enabled = true } # Compartment-policy IAM (bucket-level IAM via policy, not ACL). 
resource \"oci_identity_policy\" \"bucket_read_only\" { compartment_id = var.workload_compartment_id name = \"app-prod-bucket-readers\" description = \"Read-only access to app-prod-data bucket\" statements = [ \"Allow group AppReaders to read objects in compartment id ${var.workload_compartment_id} where target.bucket.name = 'app-prod-data'\" ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-data-01-object-storage-private\" \\ --display-name \"oci-data-01-object-storage-private\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-data-01-object-storage-private\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Private Object Storage bucket: no public access, KMS-CMK encryption, versioning on. 
const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const kmsKeyOcid = cfg.require(\"kmsKeyOcid\"); const ns = oci.objectstorage.getNamespace({ compartmentId }); const bucket = new oci.objectstorage.Bucket(\"hardened-private-bucket\", { compartmentId: compartmentId, namespace: ns.then((n) => n.namespace), name: \"hardening-evidence-private\", accessType: \"NoPublicAccess\", // hard-deny public reads publicAccessType: \"NoPublicAccess\", // legacy alias — both required kmsKeyId: kmsKeyOcid, // customer-managed encryption versioning: \"Enabled\", // immutable history for audit objectEventsEnabled: true, // emit ObjectStorage events for Cloud Guard autoTiering: \"Disabled\", // explicit lifecycle only }); export const bucketName = bucket.name; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a n/a 3.x (verify) AC-3; AC-6; SC-7 A.5.10; A.8.3 CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'object-storage' with eventName = 'UpdateBucket' whose payload sets publicAccessType to ObjectRead or ObjectReadWithoutList. Object Storage read-event records from 'Log Source' = 'OCI Object Storage Access Logs' showing anonymous-principal GetObject calls against tenancy-owned buckets. Pre-Authenticated Request (PAR) creation events with a scope of AnyObjectRead and an expiry exceeding seven days on a production-tagged bucket. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'object-storage' and eventName in ('UpdateBucket', 'CreatePreauthenticatedRequest') | eval pub = data.request.payload.publicAccessType | eval par_scope = data.request.payload.accessType | where pub in ('ObjectRead', 'ObjectReadWithoutList') or par_scope = 'AnyObjectRead' | stats count by 'User Name', data.target.bucket.name, eventName, pub, par_scope</code> The bucket-publicity attribute is a single enum; PAR creation events are individually addressed and inventoriable. Alert threshold Any bucket flipped to ObjectRead or ObjectReadWithoutList outside the public-bucket allow-list — page on first event. PAR created with AnyObjectRead scope and expiry > 7 days — page; tighten the PAR lifetime to the workload-window minimum. Initial response Re-apply the bucket private-publicity setting via Resource Manager and revoke the offending PAR via oci os preauth-request delete. Audit Object Storage access logs across the exposure window for anonymous-principal reads; export the affected object keys for the data-owner team to assess sensitivity. If sensitive objects were read, escalate per general/ir.html and engage the data-classification owner for breach-disclosure assessment. References Oracle — managing Object Storage buckets (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-data-02-vault-byok ! HIGH PREVENTIVE Provision a per-compartment OCI Vault and import customer-supplied key material (BYOK) for keys that cover Object Storage, Block Volume, and Autonomous DB. For regulated workloads (PCI-DSS, HIPAA, BaFin / FFIEC-style banking supervision), provision the Vault with vault_type = \"VIRTUAL_PRIVATE\" — a Virtual Private Vault binds a dedicated HSM partition to the tenancy, isolating key material from the multi-tenant shared HSM that backs default software-backed Vaults. 
BYOK key import uses the Vault's wrapping key: the customer generates the master key offline (HSM, on-prem KMS, or air-gapped key ceremony), wraps it with the Vault's RSA-OAEP wrapping key, and imports the wrapped blob via oci kms management key import; Oracle never has access to the plaintext key material at any point in the workflow (OCI — Bring Your Own Key (BYOK) documentation (accessed 2026-05)). The principle is reinforced in General Data — key management: customer-managed key custody, plus a HYOK-style dedicated-HSM tier, plus a key-policy that gates use (oci-data-05) and a rotation cadence (oci-data-06) is the four-corner Vault contract. BYOK vs HYOK orthogonality: BYOK is about origin (customer-generated, imported wrapped); HYOK is about partition (dedicated HSM, not shared). A Virtual Private Vault can hold either Oracle-generated or BYOK-imported keys, and a software-backed Vault can hold either; the four combinations express four points on the custody / cost / regulatory matrix. MITIGATES: Reliance on Oracle-generated, Oracle-resident key material for data that the regulator or contract requires the customer to be able to demonstrate sole custody over; lack of HSM-partition isolation that some regulated industries demand; inability to revoke key material if the regulator orders cryptoshredding. ATTACK VECTOR: A regulatory audit asks the customer to prove that the encryption key for a class of regulated data is not accessible to Oracle staff. With Oracle-generated keys on a shared software-backed Vault, the demonstration is policy-and-attestation only. With BYOK on a Virtual Private Vault, the customer can demonstrate (a) Oracle never saw the plaintext material (key was wrapped before import) and (b) the HSM partition holding the wrapped material is dedicated to the tenancy and not shared with other Oracle customers. 
BLAST RADIUS: Per Vault: every consumer of every key in the Vault (Object Storage buckets, Block Volumes, Autonomous DBs that reference kms_key_id values). A Vault compromise (or a regulatory cryptoshred order) cascades to every consumer; this is why oci-data-05 key-level policy and oci-data-06 rotation matter. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create the Virtual Private Vault (HYOK-style dedicated HSM partition). oci kms management vault create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --display-name vault-prod-private \\ --vault-type VIRTUAL_PRIVATE # Step 2: create an Oracle-generated AES-256 key (control case for non-BYOK consumers). oci kms management key create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --display-name key-bucket-cmk \\ --key-shape '{\"algorithm\":\"AES\",\"length\":32}' \\ --protection-mode HSM \\ --endpoint \"$VAULT_MGMT_ENDPOINT\" # Step 3: retrieve the wrapping key for BYOK import. oci kms management wrapping-key get \\ --endpoint \"$VAULT_MGMT_ENDPOINT\" \\ --query 'data.\"public-key\"' --raw-output > vault-wrapping-key.pem # Step 4: wrap the customer-supplied master key offline, then import. 
oci kms management key import \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --display-name key-byok-prod \\ --key-shape '{\"algorithm\":\"AES\",\"length\":32}' \\ --protection-mode HSM \\ --wrapped-import-key file://wrapped-key.bin \\ --endpoint \"$VAULT_MGMT_ENDPOINT\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_kms_vault\" \"prod_private\" { compartment_id = var.workload_compartment_id display_name = \"vault-prod-private\" vault_type = \"VIRTUAL_PRIVATE\" # HYOK: dedicated HSM partition } resource \"oci_kms_key\" \"bucket_cmk\" { compartment_id = var.workload_compartment_id display_name = \"key-bucket-cmk\" management_endpoint = oci_kms_vault.prod_private.management_endpoint protection_mode = \"HSM\" key_shape { algorithm = \"AES\" length = 32 } } # BYOK-imported key — wrapped material loaded out-of-band via the management API. # Terraform manages the resource record; the wrapped-key payload is supplied via # oci kms management key import in CI (Terraform does not carry wrapped material). resource \"oci_kms_key\" \"byok_prod\" { compartment_id = var.workload_compartment_id display_name = \"key-byok-prod\" management_endpoint = oci_kms_vault.prod_private.management_endpoint protection_mode = \"HSM\" key_shape { algorithm = \"AES\" length = 32 } # is_auto_rotation_enabled set in oci-data-06. lifecycle { ignore_changes = [key_shape] # imported key material; do not let TF rotate-via-replace } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-data-02-vault-byok\" \\ --display-name \"oci-data-02-vault-byok\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-data-02-vault-byok\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a n/a 3.x (verify) SC-13; SC-28 A.8.24; A.5.34 n/a Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'kms' with eventName in (CreateKey, UpdateKey, ImportKey) where protectionMode changes from HSM to SOFTWARE. Bucket and Block Volume update events where kmsKeyId moves from a customer Vault key OCID to null (Oracle-managed default). Vault audit deltas indicating the master key replication binding to the disaster-recovery region was removed. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and ( ('Service Name' = 'kms' and eventName in ('CreateKey','UpdateKey','ImportKey') and data.request.payload.protectionMode = 'SOFTWARE') or ('Service Name' in ('object-storage','core','database') and eventName like 'Update%' and data.request.payload.kmsKeyId is null) ) | stats count by 'User Name', data.target.id, 'Service Name', eventName</code> Key-binding regressions show up across multiple services; the gate evaluates Vault key creation and downstream resource bindings together. Alert threshold Any key created or imported with protectionMode = SOFTWARE — page; HSM-backed keys are the BYOK baseline. Any production-tagged resource whose kmsKeyId is nulled — page; the resource falls back to the Oracle-managed default. Initial response Rotate the resource binding back to the documented HSM-backed Vault key via Resource Manager; OCI re-wraps the resource DEK on the next reconciliation cycle. Verify the Vault key's protectionMode is HSM via oci kms management key get; if a SOFTWARE-protected key was created, decommission it and re-issue an HSM key. Confirm the replication binding to the DR region is restored and document the rebind per general/ir.html. References Oracle — OCI Vault key management (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-data-03-block-volume-encryption ! HIGH PREVENTIVE Every Block Volume — boot volume and data volume — must carry a kms_key_id pointing at a Vault key in the workload's Vault. OCI encrypts Block Volumes by default with Oracle-managed keys; the hardened invariant is customer-managed Vault keys (referenced as a CMK on every volume resource), so that cryptoshredding (key deletion) is sufficient to render the volume content unrecoverable without going through Oracle's data-erasure SLA (Oracle Cloud Infrastructure — Block Volume encryption (accessed 2026-05)). 
Volume backups inherit the parent volume's encryption key by default; this means that to truly destroy a regulated-data volume, the operator must delete the volume, the volume backup chain, and (if appropriate) the Vault key. The principle is reinforced in General Data — encryption at rest: a backup chain that does not inherit the key story extends the attacker's window past volume deletion. For boot volumes attached to Compute instances, the CMK assignment lives on oci_core_instance.source_details.kms_key_id at instance launch and is immutable after launch — re-keying a boot volume requires creating a new instance from a backup. MITIGATES: Reliance on Oracle-managed default key for regulated-data volumes; inability to cryptoshred a compromised or end-of-life volume by key deletion; backup chains that retain plaintext-equivalent access after the parent volume is destroyed. ATTACK VECTOR: A regulated-data Block Volume is provisioned with the default Oracle-managed key. At end of life the operator deletes the volume but the policy requires demonstrable cryptoshredding within a defined window; with the Oracle-managed key the operator cannot demonstrate key destruction at the customer's discretion. Separately, a compromised tenancy admin retains read access to the Oracle-managed key path; with a Vault key under oci-data-05 policy, the same admin lacks kms-key.use on the key. BLAST RADIUS: Per volume: the entire volume content plus every backup snapshot in the backup chain. Multiplied by the number of regulated-data volumes in the tenancy. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create a data Block Volume with a Vault CMK. oci bv volume create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --availability-domain \"$AD_NAME\" \\ --display-name vol-app-prod-data \\ --size-in-gbs 100 \\ --kms-key-id \"$DATA_CMK_OCID\" # Step 2: launch a Compute instance with a CMK-encrypted boot volume. 
oci compute instance launch \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --availability-domain \"$AD_NAME\" \\ --shape VM.Standard.E5.Flex \\ --shape-config '{\"ocpus\":2,\"memoryInGBs\":16}' \\ --subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --display-name app-prod-01 \\ --source-details '{\"sourceType\":\"image\",\"imageId\":\"'\"$OL9_IMAGE_OCID\"'\",\"kmsKeyId\":\"'\"$BOOT_CMK_OCID\"'\"}' \\ --metadata '{\"ssh_authorized_keys\":\"'\"$(cat ~/.ssh/id_ed25519.pub)\"'\"}' # Step 3: confirm the volume is CMK-bound. oci bv volume get \\ --volume-id \"$VOL_OCID\" \\ --query 'data.{name:\"display-name\", kms:\"kms-key-id\"}' # Step 4: bind a backup policy (backups inherit the parent volume's key). oci bv volume-backup-policy-assignment create \\ --asset-id \"$VOL_OCID\" \\ --policy-id \"$BRONZE_POLICY_OCID\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_kms_key\" \"data_cmk\" { compartment_id = var.workload_compartment_id display_name = \"key-blockvol-cmk\" management_endpoint = oci_kms_vault.prod_private.management_endpoint protection_mode = \"HSM\" key_shape { algorithm = \"AES\" length = 32 } } resource \"oci_core_volume\" \"app_prod_data\" { compartment_id = var.workload_compartment_id availability_domain = var.ad_name display_name = \"vol-app-prod-data\" size_in_gbs = 100 # Customer-managed Vault key — required for cryptoshred at end of life. kms_key_id = oci_kms_key.data_cmk.id } resource \"oci_core_instance\" \"app_prod_01\" { compartment_id = var.workload_compartment_id availability_domain = var.ad_name shape = \"VM.Standard.E5.Flex\" display_name = \"app-prod-01\" shape_config { ocpus = 2 memory_in_gbs = 16 } create_vnic_details { subnet_id = var.private_subnet_id } source_details { source_type = \"image\" source_id = var.ol9_image_ocid # Boot volume CMK — immutable after launch. 
kms_key_id = oci_kms_key.data_cmk.id } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-data-03-block-volume-encryption\" \\ --display-name \"oci-data-03-block-volume-encryption\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-data-03-block-volume-encryption\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a n/a 3.x (verify) SC-28; SC-13 A.8.24 n/a Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'core' with eventName in (UpdateVolume, UpdateBootVolume) whose payload removes kmsKeyId from a Block or Boot Volume. 
Volume-attachment events binding an Oracle-managed-encryption volume to a Compute instance that previously held a customer-key-encrypted volume. Volume cross-region copy events with kmsKeyId unset — the copy lands in the DR region under the Oracle-managed default. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'core' and eventName in ('UpdateVolume', 'UpdateBootVolume', 'CopyVolumeBackup') | eval key = data.request.payload.kmsKeyId | where key is null | stats count by 'User Name', data.target.id, eventName, 'Compartment Name'</code> Volumes track their key binding individually; the gate fires on the absence of kmsKeyId in mutation payloads on production-tagged volumes. Alert threshold Any Block or Boot Volume whose kmsKeyId is nulled on a production-tagged compartment — page. Cross-region volume copy without a target-region customer key — page; the DR copy now lives outside BYOK posture. Initial response Rebind the volume to a customer-controlled Vault key via Resource Manager; OCI re-wraps the volume DEK online without volume reattachment. If the volume was copied cross-region, delete the unencrypted-by-customer-key copy and re-issue the copy with the target-region customer key. Verify the volume's kms-key-id attribute matches the documented binding and capture the rebind per general/ir.html. References Oracle — Block Volume encryption (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-data-04-autonomous-db-encryption ! HIGH PREVENTIVE Provision every Autonomous Database (ADB) with customer-managed Vault keys (kms_key_id), a private endpoint (private_endpoint_label + subnet_id), mandatory mTLS (is_mtls_connection_required = true), and an access-control-list restricting source IPs / VCN OCIDs / NSG OCIDs to the workloads that legitimately need to connect (Oracle — Autonomous Database security (accessed 2026-05)). 
ADB applies Transparent Data Encryption (TDE) by default with Oracle-managed keys; the hardened invariant is the customer-managed Vault key (CMEK), so the encryption chain anchors in the customer's Vault (oci-data-02) and the key-policy gate (oci-data-05) applies. The principle is reinforced in General Data — key management: a managed-database surface that does not anchor to the customer's key custody is harder to cryptoshred at end of life. ADB Always-Free tier caveat: Always-Free ADB instances do not support BYOK / customer-managed Vault keys and do not support private endpoints — they are public-endpoint-only with Oracle-managed TDE. For any data that warrants a Vault key story, the paid (Serverless or Dedicated) tier is required; this is a hard product boundary, not an IaC configuration concern. Cross-link: General Network — encryption in transit for the mTLS / wallet treatment (canonical-content cross-link; not re-authored on this data page). MITIGATES: Public-endpoint exposure of regulated-data ADBs; reliance on Oracle-managed TDE keys for data subject to customer-key-custody regulation; password-only ADB authentication (mTLS replaces it with wallet-based auth). ATTACK VECTOR: An ADB is provisioned on the default public mTLS endpoint with an ACL \"secured\" by client-IP allowlist. The ACL is widened during a debugging exercise; a stolen wallet file plus the public hostname is enough to connect from any source IP. Separately, with Oracle-managed TDE the customer cannot demonstrate that a leaked Oracle internal credential would not provide read access to the underlying data files. BLAST RADIUS: Per ADB: full table content, full backup chain, full audit-log content (ADB ships internal audit). With private endpoint + mTLS + CMEK, the blast radius is constrained to within-VCN reachability plus key-policy holders. 
Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: provision ADB with all five hardened attributes (CMEK + PE + mTLS + ACL + private-endpoint-label). oci db autonomous-database create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --db-name PRODADB \\ --display-name adb-app-prod \\ --cpu-core-count 2 \\ --data-storage-size-in-tbs 1 \\ --admin-password \"$ADB_ADMIN_PW\" \\ --kms-key-id \"$ADB_CMK_OCID\" \\ --subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --private-endpoint-label adb-app-prod-pe \\ --nsg-ids '[\"'\"$APP_NSG_OCID\"'\"]' \\ --is-mtls-connection-required true # Step 2: download the mTLS wallet for client connections (kept under Vault secret). oci db autonomous-database generate-wallet \\ --autonomous-database-id \"$ADB_OCID\" \\ --password \"$WALLET_PW\" \\ --file wallet.zip # Step 3: confirm CMEK + private-endpoint configuration. oci db autonomous-database get \\ --autonomous-database-id \"$ADB_OCID\" \\ --query 'data.{kms:\"kms-key-id\", pe:\"private-endpoint\", mtls:\"is-mtls-connection-required\"}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_database_autonomous_database\" \"app_prod\" { compartment_id = var.workload_compartment_id db_name = \"PRODADB\" display_name = \"adb-app-prod\" cpu_core_count = 2 data_storage_size_in_tbs = 1 admin_password = var.adb_admin_password # Customer-managed Vault key (CMEK) — TDE anchored to customer Vault. kms_key_id = oci_kms_key.adb_cmk.id # Private endpoint into the workload VCN — no public ADB endpoint. subnet_id = var.private_subnet_id private_endpoint_label = \"adb-app-prod-pe\" nsg_ids = [oci_core_network_security_group.app_tier.id] # Mandatory mTLS — wallet-based client auth. is_mtls_connection_required = true # ACL restricting source — VCN OCIDs are the production pattern. 
whitelisted_ips = [\"VCN:${var.vcn_ocid};${var.private_subnet_cidr}\"] } resource \"oci_kms_key\" \"adb_cmk\" { compartment_id = var.workload_compartment_id display_name = \"key-adb-cmk\" management_endpoint = oci_kms_vault.prod_private.management_endpoint protection_mode = \"HSM\" key_shape { algorithm = \"AES\" length = 32 } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-data-04-autonomous-db-encryption\" \\ --display-name \"oci-data-04-autonomous-db-encryption\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-data-04-autonomous-db-encryption\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a n/a n/a 3.x (verify) SC-2"},{"id":"oci/genai.html","url":"oci/genai.html","title":"OCI Generative AI Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI GenAI","description":"OCI Generative AI hardening: compartment isolation, IAM least privilege, AI Guardrails content moderation, private endpoint, Vault CMK, Audit Logs, dedicated AI cluster isolation, Security Zone policy.","body":"OCI Generative AI Hardening Overview This page covers the OCI Generative AI Service managed inference API — on-demand endpoints, AI Guardrails, Dedicated AI Clusters, and the service's IAM, network, and logging controls. Not in scope: OCI Data Science platform and self-hosted model containers on OCI Compute. For the underlying threat model and cross-cutting principles that apply to all managed LLM API services, see General GenAI Hardening. Key infrastructure prerequisites are on sibling pages: oci-iam-07 — compartment hierarchy (foundational pattern for oci-genai-01), and OCI Logging (audit log configuration pattern for oci-genai-06). 
OCI has two differentiators with no direct cloud-peer equivalent: Dedicated AI Cluster RDMA isolation (oci-genai-07) provides tenant-exclusive GPU allocation where no other customer's workloads share the underlying hardware, and Security Zone policy enforcement (oci-genai-08) via Zero Trust Packet Routing applies standing invariants (no public endpoints, encryption required) that survive IAM policy changes. Controls are ordered severity-descending: one CRITICAL, six HIGH, one MEDIUM. Note: Equivalence links to AWS Bedrock, Azure OpenAI, and GCP Vertex AI controls are HTML comments during authoring and will be made live in the Wave 4 seal. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-genai-01-compartment-isolation ! CRITICAL PREVENTIVE Place all OCI Generative AI resources — endpoints, dedicated clusters, fine-tuning jobs, and models — in a dedicated compartment, never in the root compartment or tenancy-wide scope. Apply IAM policies at the compartment level and never grant manage generative-ai-family in tenancy to application service accounts. The compartment boundary is the OCI blast-radius containment primitive: a compromised identity can only affect resources within the compartments it is granted access to. See oci-iam-07 — compartment hierarchy for the recommended compartment tree structure. MITIGATES: LLM06:2025 excessive agency and lateral movement via over-permissioned tenancy-level grant. ATTACK VECTOR: An application service principal with manage generative-ai-family in tenancy can enumerate, modify, or delete all Generative AI resources across all compartments in the tenancy, including other teams' endpoints and fine-tuning jobs. 
BLAST RADIUS: Full tenancy-wide Generative AI resource access — endpoint deletion, fine-tuning job cancellation, model weight exfiltration, and unrestricted inference spending on all GenAI resources across all compartments. Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — find and audit the GenAI compartment # Step 1: locate the dedicated GenAI compartment oci iam compartment list \\ --compartment-id \"${ROOT_COMPARTMENT_OCID}\" \\ --name genai \\ --output table # Step 2: audit policies scoped to the compartment (should NOT contain \"in tenancy\") oci iam policy list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table # Step 3: check for overly broad tenancy-level GenAI policies oci iam policy list \\ --compartment-id \"${ROOT_COMPARTMENT_OCID}\" \\ --output json | \\ jq '.data[].statements[] | select(contains(\"generative-ai-family in tenancy\"))'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 resource \"oci_identity_compartment\" \"genai\" { compartment_id = var.root_compartment_ocid name = \"genai\" description = \"Dedicated compartment for OCI Generative AI resources\" } resource \"oci_identity_policy\" \"genai_inference\" { name = \"genai-inference-policy\" description = \"Allow inference-only group to use Generative AI within the genai compartment\" compartment_id = oci_identity_compartment.genai.id statements = [ \"Allow group ${var.inference_group_name} to use generative-ai-family in compartment id ${oci_identity_compartment.genai.id}\", ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-01-compartment-isolation\" \\ --display-name \"oci-genai-01-compartment-isolation\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-01-compartment-isolation\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Dedicated compartment for Generative AI workloads with strict policy fence. const cfg = new pulumi.Config(); const parentCompartmentId = cfg.require(\"parentCompartmentOcid\"); const genaiCompartment = new oci.identity.Compartment(\"genai-isolated\", { compartmentId: parentCompartmentId, name: \"genai-prod\", description: \"Isolated compartment for Generative AI inference + agent workloads\", enableDelete: false, // soft-delete only — audit trail preservation }); // Fence: only GenAI workload identities may invoke models in this compartment. 
const genaiFencePolicy = new oci.identity.Policy(\"genai-fence\", { compartmentId: parentCompartmentId, name: \"genai-compartment-fence\", description: \"Only GenAI workload SAs may invoke generative-ai service inside genai-prod\", statements: [ pulumi.interpolate`Allow dynamic-group GenAIWorkloads to use generative-ai-family in compartment id ${genaiCompartment.id}`, pulumi.interpolate`Allow group GenAIOps to read generative-ai-family in compartment id ${genaiCompartment.id}`, ], }); export const genaiCompartmentOcid = genaiCompartment.id; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; AC-17 A.5.15; A.5.18 n/a LLM06:2025 Information Security Art. 55 (in force 2025-08-02) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName in (CreateDedicatedAiCluster, CreateModel, CreateEndpoint) landing inside a compartment outside the documented Generative-AI subtree. Compartment-move events that re-parent a Generative-AI endpoint compartment under a tenant-root subtree carrying shared-services workloads. Policy statements newly created on the Generative-AI compartment granting manage generative-ai-family rights to non-AI-platform groups. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' and eventName in ('CreateDedicatedAiCluster', 'CreateModel', 'CreateEndpoint') | eval compartment_ok = if(data.target.compartment.id in_subset 'AICompartmentInventory', 'YES', 'NO') | where compartment_ok = 'NO' | stats count by 'User Name', data.target.id, eventName</code> Maintain a managed list of approved Generative-AI compartment OCIDs; the gate fires when a resource creation lands outside the list. Alert threshold Any Generative-AI resource created in a compartment outside the documented AI subtree — page on first event. New policy granting manage generative-ai-family outside the AIPlatform group — page. Initial response Move the resource back to the AI subtree via oci iam compartment move; OCI applies the move online with no impact on endpoint serving. Revert the policy via OCI Identity's policy version history; the prior statement set was the last-known-good compartment-scoped grant. Document the topology delta in the AI platform team's change log per general/ir.html. References Oracle — OCI Generative AI service (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-genai-02-iam-least-privilege ! HIGH PREVENTIVE Configure OCI IAM policies with granular resource-type verbs for Generative AI, creating separate groups and policies for different use cases: an inference-only group using use generative-ai-family; a management group using manage generative-ai-endpoint; and a read-only audit group using read generative-ai-family. The generative-ai-family aggregate resource type includes generative-ai-chat, generative-ai-endpoint, generative-ai-model, and generative-ai-fine-tuning-job — grant the minimum necessary sub-type verbs rather than the aggregate to production application identities. MITIGATES: LLM06:2025 excessive agency and LLM08:2025 agentic tool misuse via over-permissioned group with management-level Generative AI access. 
ATTACK VECTOR: An application group with manage generative-ai-family can create, modify, or delete dedicated AI clusters and fine-tuning jobs with significant cost and compliance implications, even when the application only needs to call inference endpoints. BLAST RADIUS: Full Generative AI control-plane access within the compartment — cluster creation (cost), fine-tuning job submission (data exfiltration risk), endpoint modification (availability), and model weight access. Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — audit IAM policies for GenAI permissions # List all policies in the GenAI compartment oci iam policy list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table # Map groups to policies oci iam group list --output table # Check for overly broad 'manage' grants on inference-only groups oci iam policy list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output json | \\ jq '.data[].statements[] | select(contains(\"manage generative-ai-family\"))'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Inference-only group: can call endpoints but cannot create/modify/delete resource \"oci_identity_group\" \"genai_inference\" { compartment_id = var.tenancy_ocid name = \"genai-inference-users\" description = \"Group for application identities that call GenAI inference endpoints only\" } resource \"oci_identity_policy\" \"genai_inference_policy\" { name = \"genai-inference-policy\" description = \"Inference-only access to Generative AI endpoints\" compartment_id = var.genai_compartment_ocid statements = [ # 'use' verb: can call endpoints; cannot create, update, or delete \"Allow group genai-inference-users to use generative-ai-family in compartment id ${var.genai_compartment_ocid}\", ] } # Management group: for operations teams only — NOT application service accounts resource \"oci_identity_group\" \"genai_admins\" { compartment_id = var.tenancy_ocid name = \"genai-admins\" description = 
\"Group for GenAI platform operators (endpoint creation, fine-tuning)\" } resource \"oci_identity_policy\" \"genai_admin_policy\" { name = \"genai-admin-policy\" description = \"Management access to Generative AI resources for ops team\" compartment_id = var.genai_compartment_ocid statements = [ \"Allow group genai-admins to manage generative-ai-family in compartment id ${var.genai_compartment_ocid}\", ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-02-iam-least-privilege\" \\ --display-name \"oci-genai-02-iam-least-privilege\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-02-iam-least-privilege\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AC-2; AC-6; IA-2 A.5.15; A.5.18 CLD.12.1.5 LLM06:2025; LLM08:2025 Information Security Art. 55 (in force 2025-08-02) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' with eventName = 'UpdatePolicy' whose statement body widens grants on generative-ai-inference or generative-ai-model resource types. Dynamic-group matchingRule mutations that newly include workloads outside the documented inference-tier identity pool. Generative-AI inference-event audit records where the calling principal lacks an expected tag on the inference dynamic group. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' and eventName in ('CreatePolicy', 'UpdatePolicy') | eval stmt = data.request.payload.statements | where stmt like '%generative-ai-inference%' and (stmt like '%manage%' or stmt like '%in tenancy%') | stats count by 'User Name', data.target.policy.name, 'Compartment Name'</code> Generative-AI inference grants are sensitive because model-output exfiltration scales with caller rights — every widening event should be ticketed. Alert threshold Any policy granting tenancy-scoped manage on generative-ai-family outside the AI platform admin group — page. Dynamic-group rule widening that adds non-AI-tier workloads to the inference identity pool — page. Initial response Revert the policy via OCI Identity's policy version history and re-scope the grant to the documented compartment-bounded statement. Audit Generative-AI inference events for any calls made under the widened policy and rate-limit or block downstream model endpoints if abuse is suspected. Rotate any OCI inference-tier credentials used during the widened window per general/ir.html. References Oracle — Generative AI IAM policies (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-genai-03-guardrails-content-moderation ! HIGH PREVENTIVE Enable OCI AI Guardrails with all three modules active: Content Moderation (CM) for hate speech, sexual content, violence, and self-harm; Prompt Injection (PI) detection for direct jailbreak and indirect injection attempts; and PII detection and redaction. OCI AI Guardrails is GA for on-demand inference mode. Configure thresholds above the default for production workloads — do not rely solely on OCI's default safety settings. Disabling Content Moderation, Prompt Injection detection, or PII detection to improve latency or \"UX\" is the BLOCK_NONE anti-pattern documented in general/genai.html — Common Misconfigurations. 
All three guardrail modules should be enabled for production GenAI workloads. MITIGATES: LLM01:2025 prompt injection (attacker overrides system prompt via adversarial user input or retrieved document) and LLM02:2025 harmful content disclosure (model generates hate speech, violence, or self-harm content without guardrail enforcement). ATTACK VECTOR: Adversarial prompt elicits harmful content or injects instructions that override the system prompt; PII leaks from RAG context into completions without redaction. BLAST RADIUS: Regulatory exposure under GDPR and EU AI Act, reputational harm from harmful content generation, and data protection violation from PII leakage in model completions. Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — check current guardrail configuration on GenAI endpoints oci generative-ai endpoint list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output json | \\ jq '.[].guardRails' # Inspect a specific endpoint's guardrail config oci generative-ai endpoint get \\ --endpoint-id \"${ENDPOINT_OCID}\" \\ --query \"data.contentModerationConfig\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 resource \"oci_generative_ai_endpoint\" \"this\" { compartment_id = var.genai_compartment_ocid dedicated_ai_cluster_id = var.dedicated_cluster_ocid model_id = var.model_ocid display_name = var.endpoint_name content_moderation_config { # Enable all three guardrail modules is_enabled = true # Verify exact nested argument names in OCI Terraform provider documentation at authoring time; # the provider exposes content_moderation_config at the endpoint level for on-demand mode. } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. 
# This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-03-guardrails-content-moderation\" \\ --display-name \"oci-genai-03-guardrails-content-moderation\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-03-guardrails-content-moderation\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SI-10; SI-15 A.8.28 n/a LLM01:2025; LLM02:2025 Dangerous/Violent Content; Data Privacy Art. 55 (in force 2025-08-02) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName = 'UpdateEndpoint' whose contentModerationConfig.isEnabled flips to false. 
Inference-event records emitted by the Generative-AI service log showing content-moderation verdict FLAGGED but the request still completed — surfaces guardrail bypass. Endpoint creation events without an attached content-moderation configuration on a tenant-customer-facing endpoint. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' and eventName in ('UpdateEndpoint', 'CreateEndpoint') | eval moderation_off = if(data.request.payload.contentModerationConfig.isEnabled = 'false', 'YES', 'NO') | where moderation_off = 'YES' | stats count by 'User Name', data.target.endpoint.id, eventName</code> Content moderation is a single boolean per endpoint; flipping it off removes the prompt-and-completion safety filter. Alert threshold Any endpoint with contentModerationConfig.isEnabled = false on a customer-facing endpoint — page on first event. More than three FLAGGED inference verdicts on a single endpoint per hour without an accompanying block — page. Initial response Re-enable content moderation on the endpoint via Resource Manager; OCI Generative AI applies the change to the next inference call. Audit inference logs for any flagged completions returned during the disabled window; export prompt-response pairs to the responsible-AI review queue. Brief the model-serving team on the guardrail contract and document per general/ir.html. References Oracle — Generative AI content moderation (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-genai-04-private-endpoint ! HIGH PREVENTIVE Configure a private endpoint for OCI Generative AI within your VCN using the Service Gateway, ensuring inference traffic routes through OCI's internal backbone without traversing the public internet. Disable the public endpoint on the OCI Generative AI endpoint resource. 
The Service Gateway provides connectivity to OCI services — including Generative AI — from your VCN without requiring an Internet Gateway or NAT Gateway, keeping all prompt and completion data on the OCI backbone. MITIGATES: LLM10:2025 network interception of prompts and completions traversing the public internet. ATTACK VECTOR: Inference traffic (including confidential system prompts, user inputs, and RAG context) traverses the public internet where it is subject to interception by network-level adversaries, particularly in shared network environments or over unencrypted legacy protocols. BLAST RADIUS: Full prompt and completion content exposure — confidential system prompts, user PII in prompts, RAG-retrieved sensitive documents, and model responses all transmitted over public infrastructure. Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — verify Service Gateway and endpoint configuration # Check for Service Gateway in the VCN oci network service-gateway list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table # Verify endpoint type on GenAI endpoints oci generative-ai endpoint list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output json | \\ jq '.[].endpointType' # List route table rules to verify GenAI traffic routes through Service Gateway oci network route-table list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Service Gateway — connect VCN to OCI services (including Generative AI) without internet routing resource \"oci_core_service_gateway\" \"genai\" { compartment_id = var.genai_compartment_ocid vcn_id = var.vcn_ocid display_name = \"genai-service-gateway\" services { service_id = data.oci_core_services.all.services[0].id # OCI Services CIDR } } # Route table rule: send Generative AI service traffic through the Service Gateway resource \"oci_core_route_table\" \"genai_private\" { compartment_id = 
var.genai_compartment_ocid vcn_id = var.vcn_ocid display_name = \"genai-private-route-table\" route_rules { destination = \"all-${var.region}-services-in-oracle-services-network\" destination_type = \"SERVICE_CIDR_BLOCK\" network_entity_id = oci_core_service_gateway.genai.id } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-04-private-endpoint\" \\ --display-name \"oci-genai-04-private-endpoint\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-04-private-endpoint\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) SC-7; AC-17 A.8.20; A.8.22 CLD.13.1.4 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' with eventName = 'UpdateEndpoint' whose payload sets networkConfig.networkType to PUBLIC. Endpoint-create events with networkType = PUBLIC on customer-data-bearing endpoints. VCN private-endpoint detachment events on a Generative-AI service-bound PE OCID. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'generative-ai' and eventName in ('CreateEndpoint', 'UpdateEndpoint') | eval net_type = data.request.payload.networkConfig.networkType | where net_type = 'PUBLIC' | stats count by 'User Name', data.target.endpoint.id, eventName</code> Endpoint network exposure is a single enum on the endpoint resource; PUBLIC moves inference traffic to the open internet. Alert threshold Any endpoint flipped to networkType = PUBLIC outside a documented engineering exception — page. Private-endpoint detachment on a Generative-AI service-bound PE — page. 
Initial response Re-set the endpoint networkType = PRIVATE via Resource Manager and re-attach the documented private-endpoint OCID. Audit inference traffic across the public-exposure window for any source IP outside the corporate VPN allocation; export the request 5-tuples for forensic retention. Rotate any client-side credentials that may have been observed on the public path and document per general/ir.html. References Oracle — Generative AI private endpoints (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-genai-06-audit-logging ! HIGH DETECTIVE Enable OCI Audit Logs for all OCI Generative AI API calls. OCI Audit captures all API calls to OCI services as structured events, including the caller identity, source IP, action, and resource affected. Route Generative AI audit logs to Object Storage for long-term retention beyond the default 90-day Audit service retention. See OCI Logging for the OCI Audit Logs configuration pattern and Service Connector Hub routing. MITIGATES: LLM10:2025 undetected inference abuse — compromised OCI user or service account calling Generative AI API with no audit trail for compliance audits or incident response. ATTACK VECTOR: A compromised OCI identity makes repeated inference calls, submits fine-tuning jobs with exfiltrated data, or modifies endpoint configurations with no forensic evidence due to disabled or expired audit logs. BLAST RADIUS: Zero forensic evidence for compliance audits and incident response — inability to attribute API calls, reconstruct the timeline of an incident, or satisfy regulatory retention requirements. 
Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — query audit events for Generative AI operations # List recent audit events for GenAI API calls in the compartment oci audit event list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --start-time \"${ISO_DATE}\" \\ --stream-specifier AUDIT \\ --output json | \\ jq '.data[] | select(.data.request.action | contains(\"generative-ai\"))' # Verify audit log retention Object Storage bucket oci os bucket list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table | grep audit</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Object Storage bucket for long-term audit log archival resource \"oci_objectstorage_bucket\" \"audit_logs\" { compartment_id = var.genai_compartment_ocid namespace = data.oci_objectstorage_namespace.this.namespace name = \"genai-audit-logs\" access_type = \"NoPublicAccess\" retention_rules { display_name = \"90-day-minimum-retention\" duration { time_unit = \"DAYS\" time_amount = 90 } } } # Service Connector Hub — route OCI Audit events to Object Storage for long-term retention resource \"oci_sch_service_connector\" \"audit_to_object_storage\" { compartment_id = var.genai_compartment_ocid display_name = \"genai-audit-to-object-storage\" state = \"ACTIVE\" source { kind = \"logging\" log_sources { compartment_id = var.genai_compartment_ocid log_group_id = \"_Audit\" # OCI Audit log group } } target { kind = \"objectStorage\" bucket_name = oci_objectstorage_bucket.audit_logs.name namespace = data.oci_objectstorage_namespace.this.namespace } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. 
# This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-06-audit-logging\" \\ --display-name \"oci-genai-06-audit-logging\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-06-audit-logging\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 OWASP LLM Top 10:2025 NIST AI 600-1 (Jul 2024) EU AI Act (2024/1689) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) n/a (no dedicated CIS GenAI benchmark) AU-2; AU-12; SI-4 A.8.15; A.8.16 CLD.12.4.5 LLM10:2025 Information Security Art. 55 (in force 2025-08-02) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'logging' with eventName = 'DeleteLog' targeting a service-log OCID backing Generative-AI invocation logging. Inference-event ingestion gap on the Generative-AI log source longer than 10 minutes during steady-state hours. 
Service-log configuration update events flipping the category attribute away from invocation. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'logging' and eventName in ('DeleteLog', 'UpdateLog') | eval is_genai = if(data.target.log.configuration.source.service = 'generative-ai', 'YES', 'NO') | where is_genai = 'YES' | stats count by 'User Name', data.target.log.displayName, eventName</code> Generative-AI service logs are individually addressed and their OCIDs are bounded; deletes are exceptional events. Alert threshold Any DeleteLog on a Generative-AI invocation log — page. Ingestion gap exceeding 10 minutes on the Generative-AI log source — page; downstream model-abuse detections cannot evaluate without log flow. Initial response Re-create the deleted service log via Resource Manager; OCI Logging restores the invocation pipeline and resumes ingestion within minutes. Back-fill the gap window from the dedicated AI cluster's local audit feed (accessible via the cluster admin REST endpoint) and load the slice into the Logging Analytics namespace. Confirm Logging Analytics resumes inference-event ingestion and update the AI-platform observability dashboard per general/ir.html. References Oracle — Generative AI logging (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-genai-07-dedicated-ai-cluster-isolation ! HIGH PREVENTIVE For regulated workloads requiring tenant-exclusive GPU allocation, deploy OCI Dedicated AI Clusters (oci_generative_ai_dedicated_ai_cluster). Dedicated clusters provide RDMA-isolated GPU allocation in a single-tenant configuration — no other customer's workloads share the underlying hardware. This is an OCI-unique differentiator with no direct equivalent on other providers. 
When to require dedicated clusters: healthcare workloads governed by HIPAA (shared-hardware side-channel risk for PHI in inference context), financial workloads under PCI DSS Level 1, government classified workloads, and any workload where shared-hardware speculative execution risk or GPU memory residue is unacceptable under your threat model. Dedicated AI Clusters are significantly more expensive than on-demand inference. Reserve for workloads with explicit regulatory requirements for hardware isolation (HIPAA, PCI DSS Level 1) or workloads processing highly sensitive personal data. On-demand inference is sufficient for the majority of enterprise GenAI workloads. MITIGATES: LLM10:2025 cross-tenant hardware side-channel risk — speculative execution attacks and GPU memory residue exposing inference data to other tenants sharing the same physical hardware. ATTACK VECTOR: On shared multi-tenant GPU hardware, a malicious tenant may exploit speculative execution vulnerabilities or probe GPU memory residue to recover fragments of other tenants' inference inputs or outputs from recently completed inference jobs. BLAST RADIUS: Leakage of model inputs (prompts containing PHI, PCI data, or classified information) or outputs to other cloud tenants via hardware-level side channels — a data breach without any network or API exploitation. 
Remediation — OCI CLI <code class=\"language-bash\"># OCI CLI 3.x — enumerate and inspect dedicated AI clusters # List all dedicated AI clusters in the GenAI compartment oci generative-ai dedicated-ai-cluster list \\ --compartment-id \"${COMPARTMENT_OCID}\" \\ --output table # Inspect a specific cluster's isolation configuration oci generative-ai dedicated-ai-cluster get \\ --dedicated-ai-cluster-id \"${CLUSTER_OCID}\" \\ --output json | \\ jq '{id: .data.id, type: .data.type, unitCount: .data.unitCount, lifecycleState: .data.\"lifecycle-state\"}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 resource \"oci_generative_ai_dedicated_ai_cluster\" \"regulated\" { compartment_id = var.genai_compartment_ocid display_name = \"regulated-workload-cluster\" type = \"HOSTING\" # HOSTING for inference; FINE_TUNING for training jobs unit_count = 1 unit_shape = \"LARGE_COHERE\" # Verify available shapes in target region # dedicated_infrastructure_type ensures single-tenant GPU allocation # Verify exact argument name in OCI Terraform provider documentation at authoring time # dedicated_infrastructure_type = \"DEDICATED\" # consult provider docs for current argument }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-genai-07-dedicated-ai-cluster-isolation\" \\ --display-name \"oci-genai-07-dedicated-ai-cluster-isolation\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-genai-07-dedicated-ai-cluster-isolation\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack"},{"id":"oci/iam.html","url":"oci/iam.html","title":"OCI IAM Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI IAM","description":"OCI IAM hardening: tenancy admin disable, named admins, MFA, Identity Domains, API key rotation, instance principals, compartment hierarchy, policy least-privilege.","body":"OCI IAM Hardening Overview This page covers Oracle Cloud Infrastructure Identity & Access Management hardening across the surfaces that determine whether an attacker who lands a credential in an OCI tenancy can pivot to full tenancy takeover. OCI's IAM model differs from the AWS, Azure, and GCP siblings in three load-bearing ways: compartments are the primary scoping primitive (not accounts, subscriptions, or projects), policy syntax is human-readable (statements such as Allow group GroupName to manage resource-type in compartment CompartmentName are written verbatim, not compiled from JSON), and as of the 2024 Identity Domains general-availability, the tenancy's IAM service is itself federated by default through one or more Identity Domains rather than the legacy IDCS (Identity Cloud Service) instance. 
The control inventory here is eight items mirroring the Azure, GCP, and oci sibling pages; AWS has ten on account of its larger root + Organizations surface. Scope is commercial OCI realms; Government Cloud and dedicated-region tenancies inherit the same controls but require realm-specific endpoints and have their own Identity Domain enrolment ceremonies. The mental model: OCI authentication and authorisation are the product of users and groups (humans and service accounts inside an Identity Domain), compartments (the logical container for all OCI resources, nested to arbitrary depth with the tenancy as the root compartment), policies (statements granting groups, dynamic groups, or services the ability to act on resource families inside a compartment subtree), and dynamic groups + instance principals (a per-resource identity for compute, functions, and other workloads, eliminating user-style API keys on machines). The cross-cutting principles — least privilege, separation of duties, credential rotation, secrets management, MFA — are explained in the General IAM page; this page maps them to OCI primitives. Federation patterns (SAML and OIDC) and the MFA factor matrix are detailed in General IAM — MFA and General IAM — Identity federation. Equivalence callouts at the bottom of each control point to the matching control on the AWS, Azure, and GCP pages so a reader can compare modelling across providers. Order matters in this list. Controls 01–03 are CRITICAL/HIGH PREVENTIVE and address the single biggest residual risk in nearly every audited OCI tenancy: standing administrative credentials in the default Administrators group with MFA gaps. Control 04 establishes Identity Domains and federation so subsequent human onboarding flows do not re-introduce local IAM users. Controls 05–06 progressively eliminate long-lived API signing keys by moving workload authentication onto instance principals + dynamic groups. 
Controls 07–08 fence the blast radius via the compartment hierarchy and least-privilege policy statements. Detective coverage (Cloud Guard policy advisor, audit log review) is handled in the Logging domain at Phase 9 and referenced by the equivalence callouts on control 08. Reviewing the compliance-frameworks page first will clarify why each control row lists CIS, NIST 800-53 rev5, and ISO 27001/27017 cells in the same order across all four provider pages. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-iam-01-tenancy-admin-disabled ! CRITICAL PREVENTIVE After the OCI landing-zone deployment completes and named human administrators are onboarded into the Identity Domain, the initial tenancy admin user — the one created at tenancy provisioning time with credentials emailed to the account owner — must be deactivated (not deleted; deletion would orphan resources it owns). The initial admin is the OCI analogue of the AWS root user: it sits in the Administrators group with manage all-resources in tenancy, and its credentials typically arrive in a fan-out of provisioning emails that a typical SOC has no way to audit. CIS OCI Foundations v2.0.0 control 1.1 calls for separating tenancy administration from day-to-day administration; deactivating the initial admin is the operational form of that separation (OCI IAM security structure — cloud adoption framework (accessed 2026-05)). The principle is reinforced in the General IAM — MFA section, which makes the broader point that \"the principal that bootstrapped the tenancy is the principal you most want never to use\". 
MITIGATES: Full OCI tenancy takeover via compromised initial-admin credentials (phishing of the provisioning email recipient, password reuse on the account owner's personal address, leaked recovery mailbox). ATTACK VECTOR: Attacker obtains the initial admin password from the original tenancy-provisioning email thread sitting in a personal inbox three years later; signs into the OCI console without a second factor (the initial admin's MFA enrolment is frequently never completed because the account is \"only used for setup\"); creates a new admin user inside Administrators, generates an API signing key, and starts exfiltrating data from object storage across every compartment. BLAST RADIUS: The entire tenancy: every compartment, every region, every service. The initial admin inherits manage all-resources in tenancy through the default Tenant Admin Policy, which means it can disable the Audit service, rotate vault master keys, alter Identity Domain policies, and create back-door federated identity providers — destroying both forensic evidence and the operational ability to detect the back door. Remediation — OCI CLI <code class=\"language-bash\"># Step 1 — confirm named human admins exist in the Administrators group before # deactivating the initial admin (otherwise you lock yourself out). oci iam group list-users \\ --group-id \"$(oci iam group list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?name==`Administrators`].id | [0]' --raw-output)\" \\ --query 'data[].{name:name,active:\"lifecycle-state\"}' --output table # Step 2 — locate the initial tenancy admin user (created at tenancy birth; # email typically matches the original tenancy-provisioning recipient). oci iam user list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?email==`<provisioning-email>`].{id:id,name:name,active:\"lifecycle-state\"}' # Step 3 — deactivate (do NOT delete; deletion orphans resources the user owns). 
oci iam user update \\ --user-id <initial-admin-ocid> \\ --is-active false</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Model the initial admin's deactivation as desired state. The user resource is # imported (terraform import oci_identity_user.initial_admin <user-ocid>) rather # than created here, because it pre-dates Terraform management. resource \"oci_identity_user\" \"initial_admin\" { compartment_id = var.tenancy_ocid name = var.initial_admin_name description = \"Initial tenancy admin — deactivated post landing-zone bootstrap\" email = var.initial_admin_email # The Terraform provider does not expose an is_active toggle directly; this # block models the documented post-bootstrap state and forces drift detection # if the user is reactivated out-of-band. lifecycle { prevent_destroy = true ignore_changes = [email, description] } } # Companion: a tenancy-wide policy denies reactivation of the initial admin # except by a small break-glass group, scoped to a single audited compartment. resource \"oci_identity_policy\" \"initial_admin_lockdown\" { compartment_id = var.tenancy_ocid name = \"initial-admin-lockdown\" description = \"Forbid reactivation of the initial tenancy admin user.\" statements = [ \"Allow group BreakGlass to use users in tenancy where target.user.id = '${oci_identity_user.initial_admin.id}'\" ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-iam-01-tenancy-admin-disabled\" \\ --display-name \"oci-iam-01-tenancy-admin-disabled\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-iam-01-tenancy-admin-disabled\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Replace tenancy-admin direct membership with a break-glass-only policy. // The Administrators group should remain empty in steady state. const cfg = new pulumi.Config(); const tenancyOcid = cfg.require(\"tenancyOcid\"); // Audit current Administrators membership via the IAM resource (read-only state). const admins = oci.identity.getGroup({ groupId: cfg.require(\"administratorsGroupOcid\"), }); // Deny-by-default policy on the tenancy: only break-glass users may join Administrators. 
const denyAdminPolicy = new oci.identity.Policy(\"deny-tenancy-admin\", { compartmentId: tenancyOcid, name: \"deny-tenancy-admin-direct-membership\", description: \"Block direct Administrators membership; break-glass only via PIM-like workflow\", statements: [ \"Deny group Administrators to manage all-resources in tenancy where request.user.mfaTotp.is.absent='true'\", ], }); export const policyOcid = denyAdminPolicy.id; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.51.1.11.11.1 AC-6(7)A.5.15; A.5.16n/a Log signals OCI Logging Analytics entries where 'Log Source' = 'OCI Audit Logs' and eventName in (CreatePolicy, UpdatePolicy, DeletePolicy) at the tenancy compartment scope. Audit entries where data.identity.principalName matches the default Administrators group or any policy statement granting manage all-resources in tenancy. OCI Identity Domains audit feed deltas tracking the tenancy-admin allow-list membership over time. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and eventName in ('CreatePolicy', 'UpdatePolicy', 'DeletePolicy') and 'Compartment Name' = 'tenancy' | timestats count as logrecords by 'User Name', eventName | sort -logrecords</code> Run in OCI Logging Analytics against the tenancy-level Audit log group. Persist as a saved search backing a Management Agent alarm; OCI Logging Analytics natively interprets the SQL-flavoured query syntax. Alert threshold Any CreatePolicy / UpdatePolicy / DeletePolicy from a User Name not on the tenancy-admin allow-list — page on first occurrence. Tune per compartment baseline using Logging Analytics timestats over a 30-day calibration window; expect near-zero policy-change cadence outside scheduled IAM-tier reviews. 
Initial response Verify the policy change against the documented OCI Bastion break-glass log and the named tenancy administrator; if no break-glass entry exists, treat as confirmed compromise. Roll back: diff the policy statement against the prior version captured in source-control, revert to the last known-good HCL via Resource Manager, and rotate compartment-admin credentials (console password + API signing keys). Escalate per general/ir.html — open an incident, export the affected tenancy audit window to Object Storage for forensic retention, and confirm the IAM Bastion + MFA-enforced compartment guardrails remain in effect. References Oracle — OCI Audit service overview (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-iam-02-named-admin-accounts ! HIGH PREVENTIVE Every human administrator must hold a named OCI user with their own credentials; shared tenancy credentials are forbidden. The named-admin pattern is what makes audit logs attributable, what makes offboarding tractable (deactivate one user, not re-key a shared password), and what makes MFA enforceable per-human. CIS OCI Foundations v2.0.0 control 1.1 calls for separating tenancy administration from day-to-day operations; named admin accounts inside a per-role group structure (for example NetworkAdmins, DatabaseAdmins, SecurityAdmins) are the operational form (OCI Identity and Access Management documentation (accessed 2026-05)). Named admins should live inside an Identity Domain rather than the legacy local IAM user store (see control 04); MFA enrolment for them is mandatory and covered by control 03. MITIGATES: Shared-credential abuse — when one password sits in a 1Password vault shared by twelve engineers, attribution collapses, offboarding leaks credentials to ex-employees, and MFA cannot be enforced per-human because there is no per-human identity. 
ATTACK VECTOR: A \"shared admin\" user named opcadmin exists; six engineers know the password; one engineer leaves the company and copies the password to a personal note before offboarding; eight months later that password is reused from a personal laptop to authenticate against the OCI console. BLAST RADIUS: Whatever opcadmin can do — invariably full tenancy admin in real environments, because shared-admin patterns concentrate privilege rather than distribute it. The audit log shows actions performed by opcadmin with no attribution to the actual human, defeating incident-response triage. Remediation — OCI CLI <code class=\"language-bash\"># Create a named admin user inside the default Identity Domain. oci iam user create \\ --name alice.example \\ --description \"Alice Example — Cloud Platform admin (named)\" \\ --email alice@corp.example # Add the user to a per-role group (not the catch-all Administrators group). oci iam group add-user \\ --user-id <alice-user-ocid> \\ --group-id \"$(oci iam group list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?name==`SecurityAdmins`].id | [0]' --raw-output)\" # Audit: list every user in the Administrators group; expect a small, named set. 
oci iam group list-users \\ --group-id \"$(oci iam group list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?name==`Administrators`].id | [0]' --raw-output)\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 resource \"oci_identity_user\" \"alice\" { compartment_id = var.tenancy_ocid name = \"alice.example\" description = \"Alice Example — Cloud Platform admin (named)\" email = \"alice@corp.example\" } resource \"oci_identity_group\" \"security_admins\" { compartment_id = var.tenancy_ocid name = \"SecurityAdmins\" description = \"Named security administrators — MFA enforced via Identity Domain policy.\" } resource \"oci_identity_user_group_membership\" \"alice_security_admins\" { user_id = oci_identity_user.alice.id group_id = oci_identity_group.security_admins.id } resource \"oci_identity_policy\" \"security_admins_scope\" { compartment_id = var.tenancy_ocid name = \"security-admins-scope\" description = \"Named SecurityAdmins manage security-list, vault, and audit; not the entire tenancy.\" statements = [ \"Allow group SecurityAdmins to manage vaults in tenancy\", \"Allow group SecurityAdmins to read audit-events in tenancy\", \"Allow group SecurityAdmins to manage cloud-guard-family in tenancy\" ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-iam-02-named-admin-accounts\" \\ --display-name \"oci-iam-02-named-admin-accounts\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-iam-02-named-admin-accounts\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.41.1.31.11.1 AC-2; IA-2A.5.16n/a Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' filtered to eventName in (CreateUser, UpdateUserCapabilities, AddUserToGroup) targeting the Administrators group OCID. Identity Domain SCIM audit deltas where a UserResource is added to the tenancy-admin group without an accompanying corporate ticket reference in the request metadata. Shared-credential heuristic: multiple distinct source IPs authenticating as the same 'User Name' within a short rolling window across geographically distinct OCI realms. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' and eventName in ('CreateUser', 'AddUserToGroup', 'UpdateUserCapabilities') and data.response.payload.groupName = 'Administrators' | stats count by 'User Name', eventName, 'Compartment Name' | sort -count</code> Save the search inside the tenancy-root Logging Analytics namespace and pipe it to an OCI Monitoring alarm scoped to the audit log group. Alert threshold Any addition to Administrators outside the documented quarterly admin review window — page on the first event. More than one distinct source IP signing in as the same named admin across two OCI home regions inside 60 minutes — page as a credential-sharing indicator. Initial response Cross-reference the AddUserToGroup event against the change-advisory ticket queue; if no matching ticket exists, treat the new membership as out-of-band and freeze the user pending review. Remove the user from Administrators with oci iam group remove-user-from-group, leaving the user object intact so the audit trail remains attributable. Open an incident per general/ir.html, rotate any console password on the affected user via the Identity Domain self-service flow, and require FIDO2 re-enrolment before re-granting admin rights. References Oracle — managing OCI IAM users in Identity Domains (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-iam-03-mfa-console ! CRITICAL PREVENTIVE Every OCI user with console (non-programmatic) access must have MFA enrolled and enforced. In OCI Identity Domains — the post-2024 default — MFA factor configuration lives in the Identity Domain's Sign-On Policies and the Authentication Factor Settings, where a tenant administrator selects which factors are enabled (TOTP, mobile push via Oracle Mobile Authenticator, FIDO2 security key, SMS, email) and which sign-on rules require a second factor for which user populations. 
Phishing-resistant factors (FIDO2 security keys) should be required for any user in an admin-tier group; TOTP is acceptable as a baseline for non-admin populations. CIS OCI Foundations v2.0.0 control 1.7 codifies the MFA-on-console requirement (OCI Identity Domains overview (accessed 2026-05)). The severity derivation matches the worked example in methodology EX-MFA-01: single-step path from a leaked password to console takeover, CRITICAL PREVENTIVE. MITIGATES: Console-password compromise of OCI users via phishing, credential stuffing, or password reuse from a third-party breach. ATTACK VECTOR: A platform engineer reuses their corporate password on a SaaS service that is later breached; the leaked credential pair is replayed against the OCI Identity Domain sign-in endpoint and succeeds because MFA was never enrolled, or because MFA was opt-in and the user opted out. BLAST RADIUS: Bounded by the user's group memberships — for admin-tier users, equivalent to manage all-resources in tenancy; for application-team users, equivalent to manage rights inside their compartment subtree. Either way, the cost of \"MFA is opt-in\" is the cost of the most-privileged person who opted out. Remediation — OCI CLI <code class=\"language-bash\"># List authentication factors currently enabled in the default Identity Domain. DOMAIN_ID=$(oci iam domain list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?\"display-name\"==`Default`].id | [0]' --raw-output) oci iam domain get \\ --domain-id $DOMAIN_ID \\ --query 'data.{name:\"display-name\",url:\"url\",state:\"lifecycle-state\"}' # Update the Identity Domain's authentication factor settings via the REST API # wrapper (oci iam domain update covers domain-level mutable fields; granular # AuthenticationFactorSetting mutations use the Identity Domain admin REST endpoint). # Example: require MFA on Sign-On Policy \"Console Admins\". 
oci iam domain update \\ --domain-id $DOMAIN_ID \\ --description \"Default domain — MFA enforced via Sign-On Policies; FIDO2 mandatory for admin groups.\" # For legacy IAM users (pre-Identity Domain, retained for migration windows), # manage TOTP devices directly: oci iam mfa-totp-device create --user-id <user-ocid> oci iam mfa-totp-device list --user-id <user-ocid></code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Domain-level authentication factor settings: enable TOTP + FIDO2 + push; # disable SMS and security questions; require MFA for the Admin sign-on rule. data \"oci_identity_domain\" \"default\" { domain_id = var.default_domain_ocid } resource \"oci_identity_domains_authentication_factor_setting\" \"default\" { idcs_endpoint = data.oci_identity_domain.default.url authentication_factor_setting_id = \"AuthenticationFactorSettings\" schemas = [\"urn:ietf:params:scim:schemas:oracle:idcs:AuthenticationFactorSettings\"] totp_enabled = true push_enabled = true fido_authenticator_enabled = true sms_enabled = false security_questions_enabled = false mfa_enrollment_type = \"Required\" totp_settings { time_step_in_secs = 30 passcode_length = 6 sms_otp_validity_duration_in_mins = 10 } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-iam-03-mfa-console\" \\ --display-name \"oci-iam-03-mfa-console\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-iam-03-mfa-console\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Enforce MFA for console sign-in via Identity Domain authentication policy. const cfg = new pulumi.Config(); const idcsEndpoint = cfg.require(\"idcsEndpoint\"); const domainOcid = cfg.require(\"identityDomainOcid\"); // Console sign-on policy: require MFA factor (TOTP / FIDO2) for all users. 
const consoleSignOnPolicy = new oci.identity.DomainsAuthenticationFactorSetting( \"console-mfa-required\", { idcsEndpoint: idcsEndpoint, schemas: [\"urn:ietf:params:scim:schemas:oracle:idcs:AuthenticationFactorSettings\"], totpEnabled: true, fidoAuthenticatorEnabled: true, mfaEnabled: \"ENABLED\", autoEnrollEmailFactorDisabled: false, bypassCodeEnabled: false, // no bypass — break-glass uses separate workflow }, ); export const mfaSettingOcid = consoleSignOnPolicy.id; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.101.1.21.21.7 IA-2(1)A.5.17; A.8.5n/a Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' referencing the Identity Domain AuthenticationFactorSettings SCIM endpoint with eventName in (UpdateAuthenticationFactorSettings) lowering mfaEnrollmentType from Required. Identity Domain sign-on events showing a successful console login where 'Authentication Factor' attribute is empty or equals Password only — indicating MFA was bypassed for that session. SignOnPolicy mutation events where a rule covering an admin group population moves from requireMFA = true to requireMFA = false. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' and eventName in ('UpdateAuthenticationFactorSettings', 'UpdateSignOnPolicy', 'PatchSignOnPolicy') | eval drift = if(data.response.payload.mfaEnrollmentType = 'Optional', 'WEAKENED', 'OK') | where drift = 'WEAKENED' | timestats count as changes by 'User Name', 'Compartment Name'</code> Schedule as a 5-minute interval saved search; emit a Service Connector Hub message to a Notifications topic on any non-zero count. Alert threshold Any movement of mfaEnrollmentType away from Required at the Identity Domain scope — page immediately, this is a control-fence break. 
Any console-tier sign-on event lacking a second-factor assertion attribute on a user member of an admin-tier group — open an incident. Initial response Restore the prior AuthenticationFactorSettings SCIM payload from the Terraform state stored in Resource Manager; re-apply to revert the enrolment policy in one declarative step. Force termination of every active Identity Domain session via the admin console (Sessions → Terminate all) so that current single-factor sessions are invalidated. Notify each affected admin to re-enrol a FIDO2 factor before next sign-in; document the rollback per general/ir.html. References Oracle — Identity Domain sign-on policies (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-iam-04-identity-domains ! HIGH PREVENTIVE Migrate human identity off the local OCI IAM user store (legacy; migrated to OCI Identity Domains) and onto one or more Identity Domains, federated via SAML 2.0 or OpenID Connect to the corporate identity provider (Okta, Entra ID, Ping, Auth0). Identity Domains were generally available across all OCI commercial realms in 2024 and are the supported go-forward identity surface; new tenancies are provisioned with a Default domain at creation time. Federation eliminates per-user OCI passwords for the human population, removes the offboarding race (deprovision in the corporate IdP → access disappears from OCI within the IdP's session-lifetime window), and inherits the IdP's MFA, conditional-access, and risk-signal infrastructure (OCI Identity Domains overview (accessed 2026-05)). MITIGATES: Standing local OCI IAM users for humans, which accumulate over time and survive employee departures — the OCI analogue of long-lived AWS IAM users. 
ATTACK VECTOR: A contractor provisioned a local OCI user in 2022 for a one-off migration; the offboarding ticket twelve months later closed the contractor's corporate SSO but missed the local OCI user; the credential is found in an old laptop image and used to authenticate against the OCI console. BLAST RADIUS: Bounded by whatever group the local user retained — typically broad in pre-Identity-Domains tenancies where group hygiene was lax; eliminated entirely when humans only receive ephemeral federated sessions backed by the corporate IdP. Remediation — OCI CLI <code class=\"language-bash\"># Create a new Identity Domain (a tenancy may operate multiple domains, e.g. # Workforce + Customer; here we add one for B2B partners). oci iam domain create \\ --compartment-id $OCI_TENANCY_OCID \\ --display-name \"Partners\" \\ --description \"Federated B2B partner identity domain\" \\ --home-region eu-frankfurt-1 \\ --license-type premium # Replicate the domain to additional regions for low-latency sign-in. oci iam domain replicate-to-region \\ --domain-id <domain-ocid> \\ --replica-region eu-amsterdam-1 # Federation: an Identity Provider (SAML or OIDC) is configured inside the # domain via the Identity Domain admin endpoints (the IdentityProvider SCIM # resource); the OCI CLI surface for this is the domains identity-provider # sub-tree once the domain is in ACTIVE state. oci iam domains identity-provider list --idcs-endpoint <domain-url></code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 resource \"oci_identity_domain\" \"partners\" { compartment_id = var.tenancy_ocid display_name = \"Partners\" description = \"Federated B2B partner identity domain\" home_region = \"eu-frankfurt-1\" license_type = \"premium\" } # SAML federation to the corporate IdP (Okta in this example). 
resource \"oci_identity_domains_identity_provider\" \"okta\" { idcs_endpoint = oci_identity_domain.partners.url schemas = [\"urn:ietf:params:scim:schemas:oracle:idcs:IdentityProvider\"] partner_name = \"okta-corp\" partner_provider_id = \"http://www.okta.com/exk1abcDEFGHIJKL\" metadata = file(\"${path.module}/okta-metadata.xml\") name_id_format = \"saml-emailaddress\" jit_user_prov_enabled = true enabled = true }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-iam-04-identity-domains\" \\ --display-name \"oci-iam-04-identity-domains\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-iam-04-identity-domains\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 1.211.1.4best-practicesbest-practices IA-2; IA-8A.5.17n/a Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' with eventName in (CreateIdentityProvider, UpdateIdentityProvider, DeleteIdentityProvider) against any non-corporate SAML metadata URL. Federation trust deltas: new IdentityProvider SCIM resource inserted with jitUserProvisioning = true outside the documented federation onboarding flow. Local-user creation events inside an Identity Domain configured for federation-only — these should be impossible by design and indicate a federation bypass. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' and eventName in ('CreateIdentityProvider', 'UpdateIdentityProvider', 'DeleteIdentityProvider', 'CreateUser') | eval idp_metadata = data.request.payload.metadataUrl | where (eventName like '%IdentityProvider' and not idp_metadata like '%corp.example%') or (eventName = 'CreateUser' and data.request.payload.federated = 'false') | stats count by eventName, 'User Name', idp_metadata</code> Run continuously against the tenancy audit log group; pivot output into a Cloud Guard managed list as enrichment data. Alert threshold Any new IdentityProvider SCIM entry whose metadata URL does not match the corporate IdP allow-list — page on first occurrence. 
Any local OCI user creation in a federation-only Identity Domain — page as a federation-bypass attempt. Initial response Disable the rogue IdentityProvider via oci iam domains identity-provider patch setting enabled = false while preserving the audit record. Revoke any sessions issued by that IdP using the Identity Domain admin console session inventory. Roll the trust back to the approved corporate IdP via the Resource Manager stack that owns the federation configuration, and notify the Identity team per general/ir.html. References Oracle — Federating OCI Identity Domains (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-iam-05-api-key-rotation ! HIGH PREVENTIVE OCI API access uses RSA signing keys (PEM-encoded keypairs, the public half registered against an OCI user) rather than symmetric secrets, but the operational risk of a leaked signing key is identical to a leaked symmetric secret: anyone holding the private half can sign arbitrary OCI API requests as the user. Two invariants apply. First, admin-tier users (members of Administrators or any per-role admin group) must not hold API keys at all — admin actions go through the console with MFA, and any programmatic admin work flows through a separately-audited automation principal. Second, the API keys that remain (on non-admin users for legitimate programmatic workflows) must be rotated at most every 90 days. CIS OCI Foundations v2.0.0 control 1.14 codifies the rotation cadence (CIS Oracle Cloud Infrastructure Benchmark v2.0.0 (accessed 2026-05)); the admin-no-API-keys invariant is reinforced by OCI's own published best practices (OCI Identity and Access Management documentation (accessed 2026-05)). MITIGATES: Indefinite usability of a compromised API signing key after the original compromise channel (laptop theft, leaked Git commit, exposed CI artefact) is closed. For admin users, the additional risk is that the API key bypasses MFA entirely. 
ATTACK VECTOR: An admin user has an API signing key generated three years ago and stored in ~/.oci/config on a laptop; the laptop is lost on a train; the key is extracted and used from the finder's network to sign API requests against the OCI control plane — no MFA challenge, no anomalous-login alert because the IP is not blocked. BLAST RADIUS: For admin API keys: entire tenancy, including disabling Audit, rotating vault keys, and creating back-door users. For non-admin API keys: whatever the user's groups allow — typically the workload's compartment subtree. The rotation control bounds time-on-target; the admin-key prohibition bounds power. Remediation — OCI CLI <code class=\"language-bash\"># Audit: list API keys per user with their fingerprints + creation timestamps. oci iam user list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[].id' --output text \\ | tr '\\t' '\\n' \\ | while read uid; do oci iam user api-key list --user-id \"$uid\" \\ --query 'data[?\"time-created\"<=`'\"$(date -u -d '90 days ago' +%Y-%m-%dT%H:%M:%SZ)\"'`].[fingerprint,\"time-created\"]' \\ --output table 2>/dev/null done # Admin users must have zero API keys; assert this invariant. ADMIN_GROUP_ID=$(oci iam group list \\ --compartment-id $OCI_TENANCY_OCID \\ --query 'data[?name==`Administrators`].id | [0]' --raw-output) oci iam group list-users --group-id $ADMIN_GROUP_ID \\ --query 'data[].id' --output text \\ | tr '\\t' '\\n' \\ | while read uid; do n=$(oci iam user api-key list --user-id \"$uid\" --query 'length(data)' --output text) [ \"$n\" != \"0\" ] && echo \"VIOLATION: admin user $uid holds $n api-key(s)\" done # Rotate: upload new public key, then delete the old key by fingerprint. 
oci iam user api-key upload --user-id <uid> --key-file new-public.pem oci iam user api-key delete --user-id <uid> --fingerprint <old-fingerprint></code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Manage an automation user's API key as state, so rotation is a plan/apply # rather than a manual console action. The public key material is sourced from # a secrets backend (Vault, OCI Vault); the private key never enters Terraform. resource \"oci_identity_api_key\" \"ci_"},{"id":"oci/index.html","url":"oci/index.html","title":"OCI Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI","description":"Oracle Cloud Infrastructure security hardening reference: IAM, network, data protection, logging, workloads, and incident response.","body":"OCI Hardening This section covers Oracle Cloud Infrastructure hardening across the six security domains. Each domain page maps cross-cutting principles (covered in the General section) onto specific OCI services and configuration primitives. Content is authored progressively: IAM ships first as a pilot (Phase 5), followed by Network, Data Protection, Logging & Detection, Workloads, and Incident Response in subsequent phases. 
Domains IAM — compartment hierarchy, tenancy admin separation, IAM policies, domains/federation, MFA, instance principals Network — VCN design, security lists vs NSGs, Service Gateway, Private Endpoint, WAF, Bastion service Data Protection — Object Storage visibility, Vault for KMS/BYOK, Block Volume encryption, Data Safe, Autonomous DB hardening Logging & Detection — Audit retention, Logging service, Logging Analytics, Cloud Guard, Vulnerability Scanning, Security Zones Workloads — Compute hardening, OS Management Hub, OKE hardening, Functions identity, Bastion sessions, image signing Incident Response — Cloud Guard remediation, Notifications + Functions automation, forensic snapshots, tenant lockdown GenAI Security — compartment isolation, IAM least privilege, AI Guardrails content moderation, private endpoints, Vault CMK, Audit Logs, Dedicated AI Cluster isolation, Security Zone policy Kubernetes — OKE Enhanced Cluster baseline, OKE Workload Identity, OCI Vault CMK, least-privilege IAM dynamic groups, OCI Audit + Logging, NSGs on node subnets, image verification policy, network policy default-deny, hardened node OS, add-on lifecycle management This page is a Phase 2 stub. Section overview content arrives in later phases."},{"id":"oci/ir.html","url":"oci/ir.html","title":"OCI Incident Response Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Incident Response","description":"OCI incident response: tenant recovery break-glass, Cloud Guard responder remediation, forensic Block Volume + LOCKED Object Storage retention, Audit search, instance isolation, API key revoke, tabletops.","body":"OCI Incident Response Hardening Overview This page covers Oracle Cloud Infrastructure incident response across the surfaces that decide whether a tenancy can detect, contain, and reconstruct an active compromise before the attacker exhausts the blast radius the cloud control plane makes reachable. 
Scope is the commercial OCI realms (OC1); OCI Government Cloud and dedicated-region tenancies inherit the same controls but expose realm-specific endpoints, region availability, and Identity Domain federation constraints — re-verify region availability and the relevant docs.oracle.com realm-endpoint documentation before applying any of the IaC below to a sovereign or dedicated-region deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0 (accessed 2026-05) unless explicitly annotated as a post-v2.0.0 feature or a best-practice recommendation that the v2.0.0 benchmark has not yet codified. CIS published the Oracle Cloud Infrastructure Foundations Benchmark v3.1.0 in 2026; this site cites v2.0.0 throughout the corpus for consistency with the locked compliance-table contract. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The authoritative IR lifecycle reference is NIST SP 800-61 rev 3 — Computer Security Incident Handling Guide, April 2025 release (accessed 2026-05), which restructures rev 2's four-phase model around the CSF 2.0 community profile (Govern / Identify / Protect / Detect / Respond / Recover) — pre-2025 runbooks built against rev 2's Preparation → Detection → Containment-Eradication-Recovery → Post-Incident structure remain valid; the rev 3 mapping is a re-framing, not a contradiction. The OCI IR surface is the product of a small set of primitives and the runbooks that compose them. Cloud Guard responder recipes own the automated-containment path: detector findings (problems) trigger responder rules that disable users, isolate Compute instances via NSG swap, revoke API keys, and snapshot disks within seconds — the detective half of this loop lives on the OCI Logging page as oci-log-03-cloud-guard, which this page strictly pair-links to. 
Notifications + Functions own custom-playbook automation: a Notifications topic subscribed to a Cloud Guard problem stream invokes an OCI Function that performs containment actions Cloud Guard's stock responders do not cover (revoke Vault key permissions, freeze instance pool auto-scaling, post to PagerDuty + the security on-call channel). Audit search owns forensic queries: the Audit service Search API filters events by user, resource, event-name, and time range, and the longer-term archive lives in a dedicated Object Storage bucket — the archive sink is canonically owned by oci-log-08-audit-archive, which this page strictly pair-links to. Block Volume backup + Object Storage forensic bucket with LOCKED retention owns evidence preservation: a forensic snapshot policy captures boot and data volumes at incident-declaration time, and a forensic Object Storage bucket with a locked retention rule (the OCI analog of S3 Object Lock COMPLIANCE / Azure Immutable Blob Storage with locked time-based retention / GCP Bucket Lock LOCKED) holds evidence for one year or more without the possibility of early deletion even by a tenancy admin — the LOCKED retention pattern is canonically owned by oci-data-08-object-retention, which this page strictly pair-links to. Bastion Service owns forensic instance access: a per-session time-limited SSH or managed-port-forwarding session to an isolated instance with no public IP, used by responders to capture in-memory artefacts before the instance is destroyed. Identity Domains user disable + API key delete + session enumeration own the compromised-identity runbook: a single workflow disables the user, deletes every API key fingerprint the user owns, enumerates and revokes active sessions inside the Identity Domain (formerly IDCS — see OCI IAM for the canonical Identity Domains treatment), and rotates every Vault secret the user could read. 
Cross-cutting principles — preparation, containment, forensics, recovery / post-incident, and tabletops — are owned by the General Incident Response page; this page maps them to OCI primitives. Order and scope matter. Control 01 pre-positions the break-glass tenancy-admin identities that make every later step possible — the IdP that federates day-to-day administrators is exactly the surface the incident may take out, and creating a non-federated admin during the incident is structurally impossible. Control 02 is the Cloud Guard responder + Notifications + Functions automation chain that closes the detection-to-containment gap to seconds rather than the 15-to-45-minute pager-to-keyboard window. Control 03 captures forensic evidence — Block Volume backups for in-memory and on-disk state, plus an Object Storage forensic bucket whose locked retention rule cannot be reduced even by a tenancy admin under attacker control. Control 04 is the Audit search and longer-term archive that lets a responder reconstruct who did what, when, from which IP, against which resource. Control 05 is the documented Compute isolation runbook for the surfaces Cloud Guard's stock responders do not cover. Control 06 is the compromised-identity runbook for the API-key + session-revoke + secret-rotate cycle. Control 07 is the quarterly tabletop exercise that keeps the runbook from rotting between incidents. The admin-no-API-keys invariant (canonical on the OCI IAM page) is the prevention pair to oci-ir-06's response; the tenancy-wide Audit retention control is the detection pair to oci-ir-04's forensic search. Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and GCP sibling pages. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. 
Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-ir-01-tenant-recovery ! CRITICAL PREVENTIVE Pre-provision two to four named break-glass tenancy-admin identities that live inside the default Identity Domain as local accounts — explicitly not federated from the organisation's primary IdP (Okta, Entra ID, Ping, Google Workspace, or an Identity Domain federation to another identity provider). Each break-glass identity is protected by a FIDO2 hardware key (YubiKey 5 series or equivalent) physically stored in a locked safe; two safes in two separate buildings is the canonical two-person-integrity pattern. Every sign-in by a break-glass account fires an Events rule on the com.oraclecloud.identitycontrolplane.signin event type that publishes to a Notifications topic the security on-call subscribes to via email, PagerDuty webhook, and Slack webhook within seconds (OCI — API key management documentation (accessed 2026-05)). The principle is reinforced in General IR — preparation: the first incident that takes out the IdP is exactly the scenario IR exists to handle, and an IdP-only access model has zero recovery path in that scenario. Quarterly access tests — a named responder retrieves their FIDO2 key from the safe, signs into the tenancy, performs a single read-only API call, signs out — keep the credential, the hardware token, and the alarm pipeline all known-working; tests not performed in the last 90 days are tracked on the security team's drift dashboard. The control is typed CRITICAL PREVENTIVE, not RESPONSIVE: the control is the pre-positioning that makes response possible. Creating a break-glass identity during the incident that just took out the Identity Domain federation is structurally impossible — the responder needs an unfederated local-domain account to sign in at all. 
This mirrors the typing decisions on aws-ir-01, azure-ir-01, and gcp-ir-01: every provider's first IR control is the pre-positioning the rest of the runbook depends on. The tenancy-recovery runbook itself — what to do when the primary IdP is compromised — documents the steps to disable the federation trust, replace the SAML/OIDC provider, and re-enable federation under a new IdP without losing the audit trail of which break-glass identity performed which step. MITIGATES: Loss of administrative access to the tenancy during the exact incident class IR exists to handle — Identity Domain federation outage, IdP compromise (Okta 2022/2023 incidents, Entra ID token-theft chains), or accidental misconfiguration of the federation trust that locks every federated administrator out of the tenancy. ATTACK VECTOR: An attacker who compromises the IdP can either lock legitimate responders out (revoke their IdP entitlements) or assume their identities (forged SAML assertions, Midnight Blizzard / Storm-0558-style token forgery). Without a non-federated break-glass identity inside the OCI Identity Domain, responders have no out-of-band path to the OCI Console at the precise moment they need to revoke the federation trust and contain the blast radius. Equally common: a botched IdP config push removes the Identity Domain SAML attribute mapping and no human can authenticate to the tenancy until the IdP team rolls back — which they may not be able to do quickly if the IdP itself is the incident. BLAST RADIUS: The entire tenancy. Without break-glass, time-to-recover an Identity-Domain-wide federation failure is bounded below by the IdP vendor's recovery time, which can be hours to days for severe incidents and is outside the OCI customer's control. With break-glass, recovery time is bounded by the responder's drive-to-the-safe time plus a single federation-provider replacement — typically under an hour. 
Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create the named break-glass user as a local Identity Domain account. # This is a tenancy-admin identity; it MUST NOT be created via federation. oci iam user create \\ --compartment-id \"$TENANCY_OCID\" \\ --name breakglass-admin-01 \\ --email-address ir-pager+bg01@example.com \\ --description \"Tenancy break-glass; FIDO2 only; do not federate\" # Step 2: place the break-glass user into the tenancy-admin group. oci iam group add-user \\ --user-id \"$BG_USER_OCID\" \\ --group-id \"$TENANCY_ADMIN_GROUP_OCID\" # Step 3: enrol the FIDO2 device. The hardware-key enrolment uses the OCI # Console (Identity Domain user security factors page); CLI enrolment of FIDO2 # devices is not currently supported and must be completed interactively by the # named human responder during initial setup. # Step 4: create the Events rule that alarms on every break-glass sign-in. oci events rule create \\ --compartment-id \"$TENANCY_OCID\" \\ --display-name \"break-glass-signin\" \\ --is-enabled true \\ --condition '{ \"eventType\":[\"com.oraclecloud.identitycontrolplane.signin\"], \"data\":{\"identity\":{\"principalName\":[\"breakglass-admin-01\",\"breakglass-admin-02\"]}} }' \\ --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"'\"$IR_NOTIFICATIONS_TOPIC_OCID\"'\",\"isEnabled\":true}]}' # Step 5: subscribe the on-call rotation to the Notifications topic. oci ons subscription create \\ --compartment-id \"$TENANCY_OCID\" \\ --topic-id \"$IR_NOTIFICATIONS_TOPIC_OCID\" \\ --protocol PAGERDUTY \\ --subscription-endpoint \"https://events.pagerduty.com/integration/$PAGERDUTY_KEY/enqueue\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Break-glass tenancy-admin identities inside the default Identity Domain. # These accounts MUST NOT be sourced from the federated IdP. 
resource \"oci_identity_user\" \"break_glass\" { for_each = toset([\"breakglass-admin-01\", \"breakglass-admin-02\"]) compartment_id = var.tenancy_ocid name = each.key email = \"ir-pager+${each.key}@example.com\" description = \"Tenancy break-glass; FIDO2 only; do not federate\" } resource \"oci_identity_user_group_membership\" \"break_glass_admins\" { for_each = oci_identity_user.break_glass user_id = each.value.id group_id = var.tenancy_admin_group_ocid } # Notifications topic the on-call rotation subscribes to. resource \"oci_ons_notification_topic\" \"ir_alerts\" { compartment_id = var.tenancy_ocid name = \"ir-break-glass-alerts\" description = \"Every break-glass sign-in alarms here\" } resource \"oci_ons_subscription\" \"ir_pagerduty\" { compartment_id = var.tenancy_ocid topic_id = oci_ons_notification_topic.ir_alerts.id protocol = \"PAGERDUTY\" endpoint = \"https://events.pagerduty.com/integration/${var.pagerduty_key}/enqueue\" } # Events rule that fires on every break-glass sign-in. resource \"oci_events_rule\" \"break_glass_signin\" { compartment_id = var.tenancy_ocid display_name = \"break-glass-signin\" is_enabled = true condition = jsonencode({ eventType = [\"com.oraclecloud.identitycontrolplane.signin\"] data = { identity = { principalName = [for u in oci_identity_user.break_glass : u.name] } } }) actions { actions { action_type = \"ONS\" topic_id = oci_ons_notification_topic.ir_alerts.id is_enabled = true } } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-ir-01-tenant-recovery\" \\ --display-name \"oci-ir-01-tenant-recovery\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-ir-01-tenant-recovery\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Break-glass tenancy recovery account: separate IdP, hardware MFA, audited. const cfg = new pulumi.Config(); const tenancyOcid = cfg.require(\"tenancyOcid\"); const breakGlassDomainOcid = cfg.require(\"breakGlassIdentityDomainOcid\"); const breakGlassIdcsEndpoint = cfg.require(\"breakGlassIdcsEndpoint\"); // Break-glass user in dedicated Identity Domain (not the default one). const breakGlassUser = new oci.identity.DomainsUser(\"tenant-recovery\", { idcsEndpoint: breakGlassIdcsEndpoint, schemas: [\"urn:ietf:params:scim:schemas:core:2.0:User\"], userName: \"break-glass-recovery\", active: true, emails: [{ value: \"break-glass@example.com\", type: \"work\", primary: true, }], // No password — hardware FIDO2 only, enrolled via separate out-of-band workflow. }); // Emergency Administrators policy — invokable only by break-glass identity domain users. 
const breakGlassPolicy = new oci.identity.Policy(\"break-glass-admin\", { compartmentId: tenancyOcid, name: \"break-glass-tenancy-recovery\", description: \"Emergency-only tenancy admin via dedicated identity domain\", statements: [ \"Allow group BreakGlassAdmins to manage all-resources in tenancy where request.user.identityDomain='break-glass-domain'\", ], }); export const breakGlassUserOcid = breakGlassUser.id; </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: (best-practices) | NIST SP 800-53 rev5: IR-4; AC-2(8); AC-6 | ISO/IEC 27001:2022: A.5.24; A.5.26 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' with eventName in (CreateApiKey, UpdateAuthToken, CreateOAuth2ClientCredential) targeting the documented break-glass user OCID. Console-tier sign-on events under the break-glass identity outside the documented annual exercise window. Identity Domain Sessions records showing the break-glass user holding an active session — these must be zero outside drills. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'identity' and (data.identity.principalId = '$BREAK_GLASS_USER_OCID' or data.target.user.id = '$BREAK_GLASS_USER_OCID') | stats count by 'User Name', eventName, 'Compartment Name'</code> The break-glass identity is a single OCID with explicit out-of-band credentials; any audit-feed activity on it is an event of interest. Alert threshold Any audit event naming the break-glass OCID — page on first event; the only legitimate occurrences are scheduled drills and emergencies. Identity Domain sessions for the break-glass user lasting longer than 8 hours — page; emergency sessions must be short and explicit. Initial response If the activity is not a scheduled drill, contact the on-call security lead via the secondary paging channel and confirm whether an emergency is in progress. 
Terminate the break-glass session via the Identity Domain admin console session inventory; rotate the break-glass user's console password and FIDO2 enrolment immediately. Triage every action taken under the break-glass session in the OCI Audit feed and produce an incident report per general/ir.html. References Oracle — managing OCI break-glass users (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-ir-02-cloud-guard-remediation ! HIGH RESPONSIVE Configure a custom Cloud Guard responder recipe that overrides the Oracle-managed defaults for the small set of responders the security team has decided to run in AUTOACTION mode rather than USERACTION mode — disable user, isolate Compute instance via NSG swap, revoke API key, snapshot Block Volume — and bind that recipe to the tenancy-root target so it covers every compartment subtree. The detector half of the loop lives on the OCI Logging page as oci-log-03-cloud-guard (DETECTIVE pair); without Cloud Guard enabled tenancy-wide with the standard detector recipes, this control has nothing to respond to. The responder recipe is the contract: Cloud Guard problem severity and risk score trigger a responder rule that performs a deterministic remediation action against the resource named in the problem payload, end-to-end in seconds (OCI — Cloud Guard responder recipes (accessed 2026-05)). The custom-playbook half — for containment actions Cloud Guard's stock responders do not cover, such as revoking a Vault key permission, freezing an Instance Pool's auto-scaling, or paging the on-call channel — lives in a Notifications topic that subscribes to the Cloud Guard problem stream and invokes an OCI Function with the problem payload as input. The Function performs the custom action with a resource principal that has only the IAM permissions it needs (least-privilege; cross-link to oci-iam-08). 
Cloud Guard's responder recipes are the natural automation layer because they give the security team a programmable handoff per detector: the recipe binds a detector rule to a responder rule, the responder mode (AUTOACTION runs immediately; USERACTION requires console approval) is set per rule, and the condition groups filter which problems fire which responders by compartment, by resource OCID prefix, by risk score, or by an arbitrary JMESPath expression on the problem payload. Time-to-contain on the auto-remediation chain is bounded by Cloud Guard's problem-emission latency (low single-digit minutes from the underlying Audit / Configuration / VSS / Threat-Intelligence detector firing) plus the responder action's own latency (seconds for a user disable or an NSG swap; tens of seconds for a Block Volume snapshot). Compared to the manual path — finding sits in the Cloud Guard problems view until a human triages it, the human signs in, the human runs the remediation — automation collapses the time-to-contain window from tens of minutes to seconds or low single-digit minutes. MITIGATES: The gap between detection and containment during active compromise of a Compute instance, a tenancy user, or an API key — a window in which the attacker is actively pivoting, exfiltrating data, or escalating privilege via the principal's IAM policy. Without automation, time-to-contain is bounded below by the on-call responder's pager-to-keyboard time (15–45 minutes typical); with automation, it is bounded by Cloud Guard problem-emission latency. ATTACK VECTOR: Cloud Guard raises a CRITICAL problem on an \"admin-action-from-untrusted-IP\" pattern at risk score 9. 
In the manual-response path, the problem sits in the Cloud Guard problems view until a human triages it, the human signs in, the human enumerates the offending session and runs oci iam user update --is-active false, and by the time all of that completes the attacker has already created a new API key for a persistence identity, modified a Vault key policy, or exfiltrated objects via a pre-authenticated request. The window typical attackers operate inside is well under the manual-response time. BLAST RADIUS: Per problem — responder actions are scoped to a single resource OCID extracted from the problem payload. A buggy responder recipe that mis-targets is bounded by the same scope; the responder will not (and per condition-group filtering, structurally cannot) touch a resource not named in the problem. The Function playbook adds its own resource-principal IAM boundary on top. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: clone the Oracle-managed responder recipe into a custom one. oci cloud-guard responder-recipe create \\ --compartment-id \"$TENANCY_OCID\" \\ --display-name \"ir-auto-contain\" \\ --description \"Auto-disable users, isolate instances, revoke keys\" \\ --source-responder-recipe-id \"$ORACLE_MANAGED_RESPONDER_RECIPE_OCID\" # Step 2: enable the DISABLE_USER responder rule in AUTOACTION mode. 
oci cloud-guard responder-recipe-responder-rule update \\ --responder-recipe-id \"$CUSTOM_RECIPE_OCID\" \\ --responder-rule-id DISABLE_USER \\ --details '{ \"isEnabled\": true, \"mode\": \"AUTOACTION\", \"conditionGroups\": [{ \"compartmentId\": \"'\"$TENANCY_OCID\"'\", \"conditionType\": \"FILTERS\", \"condition\": \"{\\\"kind\\\":\\\"COMPOSITE\\\",\\\"leftOperand\\\":{\\\"kind\\\":\\\"SIMPLE\\\",\\\"parameter\\\":\\\"riskScore\\\",\\\"operator\\\":\\\"GREATER_THAN_OR_EQUAL_TO\\\",\\\"value\\\":\\\"7\\\",\\\"valueType\\\":\\\"VALUE\\\"},\\\"compositeOperator\\\":\\\"AND\\\",\\\"rightOperand\\\":{\\\"kind\\\":\\\"SIMPLE\\\",\\\"parameter\\\":\\\"problemLifecycleState\\\",\\\"operator\\\":\\\"IN\\\",\\\"value\\\":\\\"[\\\\\\\"OPEN\\\\\\\"]\\\",\\\"valueType\\\":\\\"MULTI_VALUE\\\"}}\" }] }' # Step 3: rebind the Cloud Guard target on the tenancy root to use the custom recipe. oci cloud-guard target update \\ --target-id \"$TENANCY_ROOT_TARGET_OCID\" \\ --target-responder-recipes '[{\"responderRecipeId\":\"'\"$CUSTOM_RECIPE_OCID\"'\"}]' # Step 4: Notifications topic + Function for custom-playbook containment. oci ons topic create \\ --compartment-id \"$IR_COMPARTMENT_OCID\" \\ --name ir-cloud-guard-problems \\ --description \"Cloud Guard problem stream for Function playbooks\" # Subscribe the Function to the topic; the Function receives the full problem payload. 
oci ons subscription create \\ --compartment-id \"$IR_COMPARTMENT_OCID\" \\ --topic-id \"$CG_TOPIC_OCID\" \\ --protocol ORACLE_FUNCTIONS \\ --subscription-endpoint \"$IR_FUNCTION_OCID\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: OCI Cloud Guard responder recipes (accessed 2026-05) resource \"oci_cloud_guard_responder_recipe\" \"ir_auto_contain\" { compartment_id = var.tenancy_ocid display_name = \"ir-auto-contain\" description = \"Auto-disable users, isolate instances, revoke keys\" source_responder_recipe_id = var.oracle_managed_responder_recipe_ocid responder_rules { responder_rule_id = \"DISABLE_USER\" details { is_enabled = true mode = \"AUTOACTION\" condition = jsonencode({ kind = \"COMPOSITE\" compositeOperator = \"AND\" leftOperand = { kind = \"SIMPLE\", parameter = \"riskScore\", operator = \"GREATER_THAN_OR_EQUAL_TO\", value = \"7\", valueType = \"VALUE\" } rightOperand = { kind = \"SIMPLE\", parameter = \"problemLifecycleState\", operator = \"IN\", value = \"[\\\"OPEN\\\"]\", valueType = \"MULTI_VALUE\" } }) } } } # Rebind the tenancy-root Cloud Guard target onto the custom responder recipe. resource \"oci_cloud_guard_target\" \"tenancy_root\" { compartment_id = var.tenancy_ocid display_name = \"tenancy-root\" target_resource_id = var.tenancy_ocid target_resource_type = \"COMPARTMENT\" target_responder_recipes { responder_recipe_id = oci_cloud_guard_responder_recipe.ir_auto_contain.id } } # Custom-playbook Function fired from a Notifications topic on the problem stream. 
resource \"oci_ons_notification_topic\" \"cg_problems\" { compartment_id = var.ir_compartment_ocid name = \"ir-cloud-guard-problems\" description = \"Cloud Guard problem stream for Function playbooks\" } resource \"oci_functions_function\" \"ir_playbook\" { application_id = var.ir_functions_application_ocid display_name = \"ir-playbook\" image = \"${var.region_key}.ocir.io/${var.tenancy_namespace}/ir/playbook:latest\" memory_in_mbs = 256 } resource \"oci_ons_subscription\" \"playbook\" { compartment_id = var.ir_compartment_ocid topic_id = oci_ons_notification_topic.cg_problems.id protocol = \"ORACLE_FUNCTIONS\" endpoint = oci_functions_function.ir_playbook.id }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-ir-02-cloud-guard-remediation\" \\ --display-name \"oci-ir-02-cloud-guard-remediation\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-ir-02-cloud-guard-remediation\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: (best-practices) | NIST SP 800-53 rev5: IR-4(1); IR-4(7); SI-4(7) | ISO/IEC 27001:2022: A.5.26 | ISO/IEC 27017:2015: CLD.12.4.5 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'cloud-guard' with eventName = 'UpdateResponderRecipe' whose payload flips a responder rule isEnabled from true to false. Cloud Guard problem records that should have triggered an auto-remediation responder but show responderActivities as empty. Service Connector Hub events that disable the connector wiring Cloud Guard problems into the Functions auto-remediation handler. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'cloud-guard' and eventName in ('UpdateResponderRecipe', 'TriggerResponder') | eval disabled = if(data.request.payload.responderRules like '%isEnabled\":false%', 'YES', 'NO') | where disabled = 'YES' | stats count by 'User Name', data.target.responderRecipe.id, eventName</code> Responder rule mutations are infrequent; the gate fires on disable-events at any rule level. Alert threshold Any responder rule disabled outside the documented Cloud Guard tuning window — page. Cloud Guard problem record without a matching responder activity in the next 5 minutes — page; auto-remediation pipeline broke. 
Initial response Re-enable the responder rule via the recipe REST endpoint; Cloud Guard re-evaluates pending problems and applies the responder action on the next scan. Restore the Service Connector Hub binding via Resource Manager; SCH replays buffered problems into the Functions responder. Manually remediate any problem that was open while the responder was off and document per general/ir.html. References Oracle — Cloud Guard responder recipes (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-ir-03-forensic-snapshot ! CRITICAL RESPONSIVE Capture forensic evidence at incident-declaration time and preserve it in an Object Storage bucket whose retention rule is LOCKED — meaning the rule cannot be reduced or deleted even by a tenancy admin under attacker control. The capture surface is the Block Volume backup API (FULL backups of boot and data volumes, tagged with a defined-tag Forensics namespace carrying incident_id, captured_by, and capture_timestamp for chain-of-custody); the preservation surface is a dedicated Object Storage forensic bucket in an IR-owned compartment with a retention rule whose time_rule_locked is set to a time at least 14 days in the past so the rule is immediately locked at creation — the OCI analog of S3 Object Lock COMPLIANCE mode (aws-ir-03), Azure Immutable Blob Storage with locked time-based retention (azure-ir-03), and GCP Bucket Lock LOCKED mode (gcp-ir-03). The LOCKED retention pattern itself — the mechanism by which a retention rule becomes immutable — is canonically owned by oci-data-08-object-retention; this control consumes that pattern for the forensic-evidence use case (OCI — Block Volume backups documentation (accessed 2026-05)). The defined-tag Forensics namespace is the chain-of-custody contract. 
Three required tag keys — incident_id (the security team's case identifier), captured_by (the OCID of the responder who initiated the capture), and capture_timestamp (ISO-8601 UTC) — are applied to every Block Volume backup and every Object Storage object stored in the forensic bucket. The tag-namespace itself is owned by the IR compartment and scoped so only the IR-responder dynamic group may write tags within it; tampering with the chain-of-custody requires escalating into a separate compartment with a separate policy path that the incident-response runbook itself logs. The Object Storage forensic bucket carries the same Vault key as the rest of the IR compartment's storage (cross-link to oci-data-02-vault-byok) so evidence is encrypted at rest under a key whose use is itself audited; deleting the bucket while a locked retention rule is in force is structurally blocked by OCI even for a tenancy admin until the rule expires, which is the design intent. The runbook step that ships volume images into the forensic bucket is itself a Function fired from a Notifications topic the responder writes to during the incident — there is no console step in the forensic-preservation path so the chain-of-custody is auditable. MITIGATES: Loss of forensic evidence during active compromise — either because the attacker destroyed disks before responders captured them, or because a well-meaning tenancy admin \"cleaned up\" the compromised instance and its backups during initial response. A locked retention rule on the forensic bucket means even a tenancy admin under attacker control cannot reduce the rule and bulk-delete evidence. ATTACK VECTOR: An attacker with tenancy-admin or compartment-admin reach destroys Block Volumes, deletes Block Volume backups, and tries to delete the Object Storage forensic bucket to prevent reconstruction of their actions. 
Without LOCKED retention, the attacker simply reduces the retention rule to zero, deletes the objects, and the forensic record is gone. With LOCKED retention, the same actor receives a permission-denied error at the storage-API layer — the locked rule cannot be reduced by anyone for the duration of its term. BLAST RADIUS: Per incident — forensic captures are scoped to the resources named in the incident's runbook; the forensic bucket is scoped to the IR compartment. The locked retention rule's blast radius is intentional: it deliberately removes \"delete forensic evidence\" from the tenancy-admin's reachable action set for as long as the rule is locked. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: capture a FULL Block Volume backup at incident-declaration time. INCIDENT_ID=\"INC-2026-0142\" NOW=$(date -u +%Y%m%dT%H%M%SZ) oci bv volume-backup create \\ --volume-id \"$COMPROMISED_VOLUME_OCID\" \\ --display-name \"incident-${INCIDENT_ID}-volume-${NOW}\" \\ --type FULL \\ --defined-tags '{ \"Forensics\": { \"incident_id\":\"'\"$INCIDENT_ID\"'\", \"captured_by\":\"'\"$RESPONDER_OCID\"'\", \"capture_timestamp\":\"'\"$NOW\"'\" } }' # Step 2: create the forensic bucket (in the IR compartment, with Vault CMK). oci os bucket create \\ --compartment-id \"$IR_COMPARTMENT_OCID\" \\ --name forensic-evidence \\ --namespace \"$TENANCY_NAMESPACE\" \\ --public-access-type NoPublicAccess \\ --versioning Enabled \\ --kms-key-id \"$IR_VAULT_KEY_OCID\" # Step 3: apply a LOCKED retention rule. The time_rule_locked timestamp must be # in the past at apply time so the rule is locked immediately on creation; once # locked, the rule cannot be reduced or deleted even by a tenancy admin. 
oci os retention-rule create \\ --bucket-name forensic-evidence \\ --namespace \"$TENANCY_NAMESPACE\" \\ --display-name \"forensic-1y-locked\" \\ --duration '{\"timeAmount\":365,\"timeUnit\":\"DAYS\"}' \\ --time-rule-locked \"$(date -u -d '-1 day' --iso-8601=seconds)\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Forensic defined-tag namespace; written only by the IR-responder dynamic group. resource \"oci_identity_tag_namespace\" \"forensics\" { compartment_id = var.ir_compartment_ocid name = \"Forensics\" description = \"Chain-of-custody tags for incident-response captures\" } resource \"oci_identity_tag\" \"incident_id\" { tag_namespace_id = oci_identity_tag_namespace.forensics.id name = \"incident_id\" description = \"Security team's case identifier (e.g. INC-2026-0142)\" } resource \"oci_identity_tag\" \"captured_by\" { tag_namespace_id = oci_identity_tag_namespace.forensics.id name = \"captured_by\" description = \"OCID of the responder who initiated the capture\" } resource \"oci_identity_tag\" \"capture_timestamp\" { tag_namespace_id = oci_identity_tag_namespace.forensics.id name = \"capture_timestamp\" description = \"ISO-8601 UTC timestamp of capture\" } # Block Volume backup policy that fires forensic FULL backups on demand. resource \"oci_core_volume_backup_policy\" \"forensic\" { compartment_id = var.ir_compartment_ocid display_name = \"forensic-on-demand\" # No schedules: this policy is assigned at incident-declaration time and the # backup is then created out-of-band via the CLI block above. The policy # exists so chain-of-custody tagging and KMS-key assignment are pre-positioned. destination_region = var.home_region } # Forensic Object Storage bucket with LOCKED retention. 
resource \"oci_objectstorage_bucket\" \"forensic\" { compartment_id = var.ir_compartment_ocid namespace = var.tenancy_namespace name = \"forensic-evidence\" access_type = \"NoPublicAccess\" versioning = \"Enabled\" kms_key_id = var.ir_vault_key_ocid retention_rules { display_name = \"forensic-1y-locked\" duration { time_amount = 365 time_unit = \"DAYS\" } # time_rule_locked in the past => locked immediately; once locked, OCI # blocks any reduction or deletion of the rule for the duration of its term. time_rule_locked = timeadd(timestamp(), \"-24h\") } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-ir-03-forensic-snapshot\" \\ --display-name \"oci-ir-03-forensic-snapshot\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-ir-03-forensic-snapshot\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Forensic-quality block volume snapshot with KMS-CMK + retention lock. const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const sourceVolumeOcid = cfg.require(\"sourceVolumeOcid\"); const forensicKmsKeyOcid = cfg.require(\"forensicKmsKeyOcid\"); const forensicBackup = new oci.core.Volu"},{"id":"oci/kubernetes.html","url":"oci/kubernetes.html","title":"OCI OKE Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Kubernetes","description":"Oracle Container Engine for Kubernetes (OKE) Enhanced Cluster hardening: private API endpoint, OKE Workload Identity, OCI Vault CMK secrets encryption, image verification policy, NSGs for node pool segmentation, OCI Audit + Kubernetes audit logging, Pod Security Standards, Calico network policy default-deny, least-privilege IAM dynamic groups.","body":"OCI OKE Hardening Overview This page targets OKE Enhanced Cluster as the baseline. Basic clusters silently lack three critical security capabilities — Workload Identity (oci-k8s-02), image verification policy (oci-k8s-05), and add-on lifecycle management (covered in oci-k8s-04). Auditors evaluating an OCI Kubernetes deployment against this guide should first confirm the cluster type is ENHANCED_CLUSTER (not BASIC_CLUSTER) before applying the remaining controls. 
See general/kubernetes.html for the cross-cutting threat model and cluster-baseline principles that apply to all providers. Enhanced-only controls — Workload Identity (oci-k8s-02), image verification policy (oci-k8s-05), and the Enhanced-scoped variants of Vault CMK encryption (oci-k8s-03) and NSG-based segmentation (oci-k8s-06) — carry an inline <div class=\"callout-warning\">Requires Enhanced OKE cluster</div> annotation so an auditor can flag them on a Basic deployment. Control oci-k8s-04 is the explicit Enhanced Cluster gate: if it is RED, every other Enhanced-only control on this page is implicitly RED regardless of any other configuration. Supporting IAM prerequisites are on oci/iam.html; VCN networking prerequisites are on oci/network.html; OCI Audit + Logging sink configuration is on oci/logging.html. Terraform examples use oracle/oci ~> 6.0 as the page pin. The sealed v1.0 OCI pages use ~> 5.0 — do not edit those pages. No HashiCorp-namespaced OCI provider exists — the OCI provider has always been published under oracle/oci. (Authoring-time verification: the 6.x line of oracle/oci includes both oci_containerengine_cluster.type = \"ENHANCED_CLUSTER\" and the OKE Workload Identity annotation surface needed by oci-k8s-02; no upgrade to ~> 8.0 was required.) Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-k8s-01 ! CRITICAL PREVENTIVE Enhanced Cluster (default for this page): private API endpoint is enabled via endpoint_config.is_public_ip_enabled = false with an NSG attached to the API endpoint subnet. 
Basic Cluster: a private API endpoint is also supported, but the absence of Enhanced-only controls (Workload Identity, image verification) means the cluster fails the page baseline regardless of this control's status. Disable the public IP on the Kubernetes API endpoint so the kube-apiserver is reachable only from authorized subnets via Network Security Group rules. Use private DNS for API resolution and bastion-mediated access for human operators. A public OKE control-plane endpoint is the number-one credential-leak blast amplifier — any leaked kubeconfig becomes immediately exploitable from the internet without network-level checks. MITIGATES: Public kube-apiserver exploitation — unauthenticated or stolen-credential access to the Kubernetes API from the internet. ATTACK VECTOR: Attacker obtains a service-account token from a leaked kubeconfig or CI environment variable, issues kubectl exec or kubectl get secrets from any internet host. BLAST RADIUS: Full cluster administrative access — pod execution, secret exfiltration, workload modification, lateral movement to OCI APIs via node instance-principal. 
Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_containerengine_cluster\" \"hardened\" { compartment_id = var.compartment_id name = \"hardened-cluster\" kubernetes_version = \"v1.30.0\" vcn_id = oci_core_vcn.k8s.id type = \"ENHANCED_CLUSTER\" endpoint_config { is_public_ip_enabled = false subnet_id = oci_core_subnet.api.id nsg_ids = [oci_core_network_security_group.api.id] } }</code> Remediation — OCI CLI <code class=\"language-bash\">oci ce cluster create \\ --compartment-id <COMPARTMENT-OCID> \\ --name hardened-cluster \\ --kubernetes-version v1.30.0 \\ --vcn-id <VCN-OCID> \\ --type ENHANCED_CLUSTER \\ --endpoint-public-ip-enabled false \\ --endpoint-subnet-id <PRIV-SUBNET-OCID> \\ --endpoint-nsg-ids '[\"<NSG-OCID>\"]'</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-k8s-01-private-api-endpoint\" \\ --display-name \"oci-k8s-01-private-api-endpoint\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-k8s-01-private-api-endpoint\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // OKE cluster with PRIVATE API endpoint (no public Kubernetes API surface). const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const vcnOcid = cfg.require(\"vcnOcid\"); const privateApiSubnetOcid = cfg.require(\"privateApiSubnetOcid\"); const apiNsgOcid = cfg.require(\"apiNsgOcid\"); const cluster = new oci.containerengine.Cluster(\"hardened-oke\", { compartmentId: compartmentId, vcnId: vcnOcid, kubernetesVersion: \"v1.30.1\", name: \"hardened-oke\", type: \"ENHANCED_CLUSTER\", // enables more controls (audit, addons) endpointConfig: { subnetId: privateApiSubnetOcid, isPublicIpEnabled: false, // PRIVATE endpoint nsgIds: [apiNsgOcid], // restrict to bastion/jumpbox NSG }, options: { serviceLbSubnetIds: [privateApiSubnetOcid], admissionControllerOptions: { isPodSecurityPolicyEnabled: false, // PSP deprecated — Pod Security Standards via OPA-Gatekeeper }, }, }); export const clusterOcid = cluster.id; </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 oci-k8s-01 CRITICAL PREVENTIVE OCI OKE n/a (managed control plane) n/a (verify against CIS Oracle Container Engine for Kubernetes (OKE) Benchmark 
v1.8.0 PDF) AC-17; SC-7 A.8.20; A.8.22 CLD.13.1.4 NIST SP 800-190 §4.4.1 NSA/CISA Kubernetes Hardening Guide v1.2 §2 (Network separation) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' with eventName = 'UpdateCluster' whose request payload flips endpointConfig.isPublicIpEnabled from false to true. Cluster create events landing an OKE control-plane endpoint inside a subnet whose route table contains an Internet Gateway target. OKE API-server kube-apiserver audit deltas indicating sustained authentication attempts originating from public IP ranges outside the documented bastion CIDR. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' and eventName in ('CreateCluster', 'UpdateCluster') | eval public_api = data.request.payload.endpointConfig.isPublicIpEnabled | where public_api = 'true' | stats count by 'User Name', data.target.cluster.id, 'Compartment Name'</code> The OKE control-plane visibility surface is the single most expensive misconfiguration on the cluster — saving this search at 5-minute cadence is the recommended baseline. Alert threshold Any UpdateCluster turning the public API endpoint on — page; this is a regression of the cluster's network exposure posture. Any new cluster created with isPublicIpEnabled = true outside a documented green-field engineering exception — page. Initial response Re-apply the Terraform stack via Resource Manager to flip endpoint_config.is_public_ip_enabled back to false; OKE accepts the change online. Audit OKE API-server access from the period when the endpoint was public via the 'kube-apiserver' audit feed; identify any non-bastion principals. Rotate the cluster's kubeconfig admin tokens and any service-account tokens older than the public-exposure window per general/ir.html. 
References Oracle — OKE network configuration (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent controls in other providers: GKE private cluster + authorized networks, EKS private endpoint, AKS private cluster. oci-k8s-02 ! HIGH PREVENTIVE Requires Enhanced OKE cluster Enhanced Cluster: OKE Workload Identity issues federated principals to pods via a ServiceAccount annotation, so each workload authenticates to OCI services with its own scoped identity. Basic Cluster: Workload Identity is NOT available — pods fall back to the node's instance principal (node-scoped IAM), which violates least-privilege because every pod on a node inherits the same permissions. Enable OKE Workload Identity so a Kubernetes ServiceAccount authenticates to OCI services using a federated principal rather than sharing the node's instance principal. The cluster identity provider issues a short-lived token bound to the pod's ServiceAccount; OCI IAM policies can then grant permissions to the specific workload identity (cluster <cluster-ocid> + ServiceAccount) instead of to the entire node pool. MITIGATES: Node-scoped IAM blast radius — a compromised pod cannot exceed its ServiceAccount's grants. ATTACK VECTOR: Attacker exploits a pod vulnerability and reads the instance metadata endpoint, inheriting all OCI permissions granted to the node's instance-principal dynamic group. BLAST RADIUS: All OCI resources granted to the node pool — typically buckets, vaults, and any compartment the node dynamic group can reach. 
Remediation — Kubernetes ServiceAccount <code class=\"language-yaml\">apiVersion: v1 kind: ServiceAccount metadata: name: app-sa namespace: production annotations: oci.oraclecloud.com/workload-identity: \"true\"</code> Remediation — OCI IAM policy granting access to the workload identity <code class=\"language-bash\">oci iam policy create \\ --compartment-id <COMPARTMENT-OCID> \\ --name oke-workload-app-policy \\ --statements '[\"allow any-user to read objects in compartment APP where all { request.principal.type='\\''workload'\\'', request.principal.cluster_id='\\''<CLUSTER-OCID>'\\'', request.principal.namespace='\\''production'\\'', request.principal.service_account='\\''app-sa'\\'' }\"]' \\ --description \"OKE Workload Identity scoped grant for production/app-sa\"</code> Remediation — Terraform (IAM side) <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_identity_policy\" \"workload_identity_app\" { compartment_id = var.compartment_id name = \"oke-workload-app-policy\" description = \"OKE Workload Identity scoped grant\" statements = [ \"allow any-user to read objects in compartment APP where all { request.principal.type='workload', request.principal.cluster_id='${oci_containerengine_cluster.hardened.id}', request.principal.namespace='production', request.principal.service_account='app-sa' }\" ] }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-k8s-02-workload-identity\" \\ --display-name \"oci-k8s-02-workload-identity\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-k8s-02-workload-identity\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 oci-k8s-02 HIGH PREVENTIVE OCI OKE n/a (provider-specific identity federation) n/a (verify against CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 PDF) IA-2; AC-6; IA-5 A.5.15; A.5.18 n/a NIST SP 800-190 §4.4.2 NSA/CISA Kubernetes Hardening Guide v1.2 §4 (Authentication and authorization) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and eventName = 'UpdateCluster' whose payload removes or nulls the workloadIdentityConfig block. Pods inside OKE clusters carrying static OCI API signing keys mounted as Kubernetes Secrets — anti-pattern detectable via Cloud Guard OCIK8SExposedSecret detector. 
Kubernetes ServiceAccount mutations adding the oci.oraclecloud.com/workload-identity annotation pointing to a dynamic group outside the cluster's documented allow-list. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' and eventName = 'UpdateCluster' | eval wi_disabled = if(data.request.payload.workloadIdentityConfig.workloadIdentityEnabled = 'false', 'YES', 'NO') | where wi_disabled = 'YES' | stats count by 'User Name', data.target.cluster.id</code> Pair with a Cloud Guard custom detector recipe rule on the same JMESPath; the Cloud Guard finding fans out to the OKE platform team's Notifications topic. Alert threshold Any UpdateCluster turning workload-identity off on a cluster previously running with it on — page; this strips per-pod IAM scoping. A ServiceAccount annotation that points to a dynamic group outside the documented OKE-bound allow-list — page. Initial response Re-enable workload identity on the cluster via Resource Manager terraform apply; OKE accepts the toggle online without node-pool disruption. Audit the pods running during the disabled window for any that fell back to baked-in API keys; rotate those signing keys against OCI Vault. Restore the supported per-pod dynamic-group binding and reconcile any drifted ServiceAccount annotations from the cluster Git state. References Oracle — OKE workload identity (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent controls in other providers: GKE Workload Identity Federation, EKS Pod Identity, AKS Workload Identity. oci-k8s-03 ! HIGH PREVENTIVE Requires Enhanced OKE cluster Enhanced Cluster: customer-managed key (CMK) envelope encryption for Kubernetes Secrets stored in OKE-managed etcd via OCI Vault. The cluster references the key OCID at create time through kms_key_id. 
Basic Cluster: CMK encryption is technically configurable but the full Enhanced-scoped key-rotation and audit integration depends on Enhanced Cluster features; treat as Enhanced-only for this guide. Enable customer-managed key encryption for Kubernetes Secrets in OKE-managed etcd. Create a Vault and a Master Encryption Key (HSM or software protection mode); reference the key OCID on the cluster. Restrict access to the key with a vault-id-bound IAM condition so only the OKE cluster identity and break-glass administrators can use it. MITIGATES: Oracle-managed-key compromise or insider read of platform-encrypted etcd — only the customer CMK unwraps the Data Encryption Key. ATTACK VECTOR: A platform-side incident exposes Oracle-managed default keys; without CMK, all platform-encrypted Secrets become readable. With CMK, the data remains protected. BLAST RADIUS: Every Kubernetes Secret in the cluster — database passwords, OAuth tokens, TLS private keys, image-pull credentials. Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_kms_vault\" \"oke\" { compartment_id = var.compartment_id display_name = \"oke-secrets-vault\" vault_type = \"DEFAULT\" } resource \"oci_kms_key\" \"oke_secrets\" { compartment_id = var.compartment_id display_name = \"oke-secrets-cmk\" management_endpoint = oci_kms_vault.oke.management_endpoint key_shape { algorithm = \"AES\" length = 32 } protection_mode = \"HSM\" } resource \"oci_containerengine_cluster\" \"hardened\" { compartment_id = var.compartment_id name = \"hardened-cluster\" kubernetes_version = \"v1.30.0\" vcn_id = oci_core_vcn.k8s.id type = \"ENHANCED_CLUSTER\" kms_key_id = oci_kms_key.oke_secrets.id }</code> Remediation — OCI CLI <code class=\"language-bash\">oci ce cluster create \\ --compartment-id <COMPARTMENT-OCID> \\ --name hardened-cluster \\ --kubernetes-version v1.30.0 \\ --vcn-id 
<VCN-OCID> \\ --type ENHANCED_CLUSTER \\ --kms-key-id <VAULT-KEY-OCID></code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-k8s-03-vault-secrets-encryption\" \\ --display-name \"oci-k8s-03-vault-secrets-encryption\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-k8s-03-vault-secrets-encryption\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 oci-k8s-03 HIGH PREVENTIVE OCI OKE §1.2 (etcd encryption — managed control plane) n/a (verify against CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 PDF) SC-28; IA-5 A.8.24; A.8.10 n/a NIST SP 800-190 §4.3.2 NSA/CISA Kubernetes Hardening Guide v1.2 §5 (Secret management) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and eventName = 'UpdateCluster' whose request payload removes or nulls kmsKeyId on the OKE etcd-encryption configuration. Cluster create events where kmsKeyId is unset, indicating etcd at-rest encryption falls back to the Oracle-managed default rather than a customer Vault key. Vault audit entries showing ScheduleKeyDeletion against a key actively bound to one or more OKE clusters. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' and eventName in ('CreateCluster', 'UpdateCluster') | eval key = data.request.payload.kmsKeyId | where key is null | stats count by 'User Name', data.target.cluster.id, 'Compartment Name'</code> Correlate the result with the kms service event feed for ScheduleKeyDeletion against the cluster-bound key OCID inventory. 
Alert threshold Any new or updated cluster with kmsKeyId null — page; etcd at rest must hold a customer-controlled key for tenancy-wide BYOK posture. Any ScheduleKeyDeletion on a key OCID present in the OKE cluster inventory — page within the Vault key's pending-deletion window. Initial response Re-bind the cluster to its customer-controlled Vault key via Resource Manager; OKE re-wraps the etcd DEK on the next reconciliation cycle without data movement. Cancel any pending ScheduleKeyDeletion targeting bound keys using oci kms management key cancel-key-deletion. Confirm the cluster's etcd-encryption status reaches ACTIVE with the expected kmsKeyId via oci ce cluster get; document the rollback per general/ir.html. References Oracle — encrypting OKE Kubernetes secrets with OCI Vault (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent controls in other providers: GKE application-layer secrets encryption, EKS KMS envelope encryption, AKS KMS etcd encryption. oci-k8s-04 ! CRITICAL PREVENTIVE Enhanced Cluster (REQUIRED for this guide): create with type = \"ENHANCED_CLUSTER\". Enhanced unlocks Workload Identity (oci-k8s-02), image verification policy (oci-k8s-05), full NSG attachment surface (oci-k8s-06), and OKE-managed add-on lifecycle (CoreDNS, kube-proxy, OCI VCN-Native Pod Networking). Basic Cluster: silently lacks the controls above. Migration from Basic to Enhanced is supported via in-place upgrade. This is the explicit Enhanced Cluster gate control for the page. Deploy OKE with type = \"ENHANCED_CLUSTER\" to access the full security capability surface. Enhanced also enables OKE-managed add-on lifecycle — CoreDNS, kube-proxy, and OCI VCN-Native Pod Networking can be installed and version-managed via the oci_containerengine_addon resource, addressing the add-on lifecycle requirement (REQ OKE-10). 
Node OS hardening is a related concern handled in oci-k8s-09; reference that control for Oracle Linux 8 minimal images and private node pool placement. MITIGATES: The silent absence of Workload Identity, image verification, and managed add-on lifecycle on Basic clusters — three controls that an auditor inspecting cluster JSON alone would not notice missing. ATTACK VECTOR: A misconfigured Basic cluster passes a high-level review (private endpoint, NSGs, audit logging all visible) but is unable to enforce per-pod identity or image provenance. BLAST RADIUS: All Enhanced-only controls invisibly missing — every pod authenticates as the node, every image runs unverified, every add-on drifts to whatever version was bootstrapped. Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_containerengine_cluster\" \"hardened\" { compartment_id = var.compartment_id name = \"hardened-cluster\" kubernetes_version = \"v1.30.0\" vcn_id = oci_core_vcn.k8s.id type = \"ENHANCED_CLUSTER\" # Enhanced gate cluster_pod_network_options { cni_type = \"OCI_VCN_IP_NATIVE\" } } # Managed add-on lifecycle (Enhanced-only) resource \"oci_containerengine_addon\" \"coredns\" { cluster_id = oci_containerengine_cluster.hardened.id addon_name = \"CoreDNS\" remove_addon_resources_on_delete = false } resource \"oci_containerengine_addon\" \"kube_proxy\" { cluster_id = oci_containerengine_cluster.hardened.id addon_name = \"KubeProxy\" remove_addon_resources_on_delete = false }</code> Remediation — OCI CLI <code class=\"language-bash\">oci ce cluster create \\ --compartment-id <COMPARTMENT-OCID> \\ --name hardened-cluster \\ --kubernetes-version v1.30.0 \\ --vcn-id <VCN-OCID> \\ --type ENHANCED_CLUSTER oci ce cluster install-addon \\ --cluster-id <CLUSTER-OCID> \\ --addon-name CoreDNS oci ce cluster install-addon \\ --cluster-id <CLUSTER-OCID> \\ --addon-name 
KubeProxy</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-k8s-04-enhanced-cluster\" \\ --display-name \"oci-k8s-04-enhanced-cluster\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-k8s-04-enhanced-cluster\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // ENHANCED_CLUSTER type — required for cluster add-ons (Calico, Kyverno, Audit-to-Logging). 
const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const vcnOcid = cfg.require(\"vcnOcid\"); const apiSubnetOcid = cfg.require(\"apiSubnetOcid\"); const enhancedCluster = new oci.containerengine.Cluster(\"oke-enhanced\", { compartmentId: compartmentId, vcnId: vcnOcid, kubernetesVersion: \"v1.30.1\", name: \"oke-enhanced\", type: \"ENHANCED_CLUSTER\", // BASIC_CLUSTER lacks add-on framework + per-cluster SLA endpointConfig: { subnetId: apiSubnetOcid, isPublicIpEnabled: false, }, clusterPodNetworkOptions: [{ cniType: \"OCI_VCN_IP_NATIVE\", // native VCN CNI — required for NSG-per-pod }], }); // Pin add-ons explicitly so version drift is impossible. const calicoAddon = new oci.containerengine.Addon(\"calico\", { clusterId: enhancedCluster.id, addonName: \"Calico\", removeAddonResourcesOnDelete: false, configurations: [{ key: \"numOfReplicas\", value: \"1\" }], }); export const clusterOcid = enhancedCluster.id; </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 oci-k8s-04 CRITICAL PREVENTIVE OCI OKE n/a (provider-specific cluster tier) n/a (verify against CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 PDF) CM-6; SI-2 A.5.37; A.8.9 CLD.9.5.2 NIST SP 800-190 §4.1; §4.4 NSA/CISA Kubernetes Hardening Guide v1.2 §7 (Upgrading and application security practices) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and eventName = 'UpdateCluster' whose payload sets type to BASIC on a cluster previously running as ENHANCED. OKE Cluster Add-On disable events (DisableAddon) on Enhanced-only managed add-ons (CertManager, ClusterAutoscaler, Database operator), indicating loss of managed-lifecycle coverage. 
OKE service-limit notifications signalling drift in node-pool count beyond the BASIC tier ceiling — a downgrade tell. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' and eventName = 'UpdateCluster' | eval tier = data.request.payload.type | where tier = 'BASIC' | stats count by 'User Name', data.target.cluster.id, 'Compartment Name'</code> Run hourly; a tier downgrade is a planned, ticketed activity, so a non-zero count outside the maintenance calendar is anomalous. Alert threshold Any cluster type transition from ENHANCED to BASIC — page; this strips managed add-on lifecycle and per-node-pool customisation. Disable events targeting any Oracle-managed add-on listed in the cluster's documented allow-list — open a ticket on the platform team. Initial response Promote the cluster back to ENHANCED via oci ce cluster update --type ENHANCED_CLUSTER; the upgrade is non-destructive and online. Re-enable any Oracle-managed add-ons that were disabled during the downgrade window via the Resource Manager state; reconcile any custom add-on configuration that lapsed. Document the rollback per general/ir.html and update the OKE tier inventory dashboard. References Oracle — comparing OKE Enhanced and Basic clusters (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP oci-k8s-05 ! HIGH PREVENTIVE Requires Enhanced OKE cluster Enhanced Cluster: configure image_policy_config with up to 5 KMS keys for signed-image enforcement at pod scheduling time. Pods whose images are not signed by a referenced key are rejected by admission. Basic Cluster: image verification policy is NOT available — any image the node can pull will run. Enable sign-required image admission: pods are blocked from scheduling unless their container image is signed by an attested KMS key. Up to 5 KMS keys can be referenced per cluster, supporting trust hierarchies (per-team build pipelines plus a central security override key). 
Combine with OCIR repository policies that require signatures on push to close the supply-chain loop. MITIGATES: Supply-chain image substitution — replaces an expected image with a malicious one at the registry layer. ATTACK VECTOR: Attacker pushes a malicious image to OCIR with a known tag or compromises a CI pipeline to publish a tampered image; the cluster pulls it on next deploy. BLAST RADIUS: Untrusted code running with the workload's IAM permissions, the namespace's network policies, and the cluster's outbound paths. Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_kms_key\" \"image_signing\" { compartment_id = var.compartment_id display_name = \"oke-image-signing-key\" management_endpoint = oci_kms_vault.oke.management_endpoint key_shape { algorithm = \"RSA\" length = 512 # 4096-bit RSA } protection_mode = \"HSM\" } resource \"oci_containerengine_cluster\" \"hardened\" { compartment_id = var.compartment_id name = \"hardened-cluster\" kubernetes_version = \"v1.30.0\" vcn_id = oci_core_vcn.k8s.id type = \"ENHANCED_CLUSTER\" image_policy_config { is_policy_enabled = true key_details { kms_key_id = oci_kms_key.image_signing.id } } }</code> Remediation — OCI CLI <code class=\"language-bash\">oci ce cluster update \\ --cluster-id <CLUSTER-OCID> \\ --image-policy-config 'isPolicyEnabled=true,keyDetails=[{kmsKeyId=<KMS-KEY-OCID>}]'</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-k8s-05-image-verification-policy\" \\ --display-name \"oci-k8s-05-image-verification-policy\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-k8s-05-image-verification-policy\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping Control Severity Type Provider CIS Kubernetes Benchmark v2.0.0 CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 NIST SP 800-190 (Sep 2017) NSA/CISA Kubernetes Hardening Guide v1.2 oci-k8s-05 HIGH PREVENTIVE OCI OKE n/a (provider-specific admission) n/a (verify against CIS Oracle Container Engine for Kubernetes (OKE) Benchmark v1.8.0 PDF) CM-14; SA-10; SI-7 A.8.9; A.8.29 CLD.9.5.2 NIST SP 800-190 §4.1 (Image risks) NSA/CISA Kubernetes Hardening Guide v1.2 §3 (Pod security) Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' with eventName = 'UpdateImagePolicyConfig' turning verification off on an OKE cluster. OCIR signing-verification failures emitted as Cloud Guard problems where image pull would have been blocked had the policy remained on. 
Kubernetes pod admission events admitting an image whose digest is absent from the OCIR signature index — surface via Cloud Guard OCIK8SUnsignedImage finding type. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'containerengine' and eventName in ('UpdateImagePolicyConfig', 'CreateImagePolicyConfig') | eval enabled = data.request.payload.imagePolicyConfig.isPolicyEnabled | where enabled = 'false' | stats count by 'User Name', data.target.cluster.id, 'Compartment Name'</code> OKE image-policy configuration is a single boolean on the cluster resource; a flip to false is unambiguous. Alert threshold Any UpdateImagePolicyConfig with isPolicyEnabled = false on a cluster running production workloads — page. More than two OCIR signature-verification failures per cluster per hour — open a workload-team ticket on the image build pipeline. Initial response Re-enable image-policy verification on the cluster via Resource Manager and re-attach the signed-image key inventory. Review the pods scheduled during the disabled window; cordon any node running an unsigned image until the build pipeline can re-issue a signed digest. Brief the workload team on the image-signing pipeline expectations and capture the rollback per general/ir.html. References Oracle — enabling signed images on OKE (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent controls in other providers: GKE Binary Authorization (closest parallel). oci-k8s-06 ! HIGH PREVENTIVE Requires Enhanced OKE cluster Enhanced Cluster: attach NSGs at three layers — API endpoint subnet, node pool subnet, and pod subnet (when using OCI VCN-Native Pod Networking) — for granular east-west and egress control. Basic Cluster: NSG attachment at the pod-subnet layer is more limited; defense-in-depth is reduced. 
Apply Network Security Groups at multiple layers — API endpoint subnet, node pool subnet, and pod subnet (VCN-Native Pod Networking) — for defense-in-depth network segmentation. Default-deny outbound to the public internet; allow only required egress, such as OCI service endpoints via a Service Gateway and the OKE management plane endpoints. NSGs complement (do not replace) Kubernetes NetworkPolicy (oci-k8s-09) — NSGs operate at the VCN layer; NetworkPolicy operates inside the cluster. MITIGATES: East-west and egress lateral movement at the VCN layer — confines a compromised node or pod to its expected blast radius. ATTACK VECTOR: Compromised pod attempts to reach IMDS, other VCN subnets, or arbitrary internet hosts for command-and-control / data exfiltration. BLAST RADIUS: All subnets reachable from the node pool — without NSGs, this is the full VCN plus any peered VCNs. Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 6.0 terraform { required_providers { oci = { source = \"oracle/oci\" version = \"~> 6.0\" } } } resource \"oci_core_network_security_group\" \"api\" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.k8s.id display_name = \"oke-api-endpoint-nsg\" } resource \"oci_core_network_security_group_security_rule\" \"api_ingress_mgmt\" { network_security_group_id = oci_core_network_security_group.api.id direction = \"INGRESS\" protocol = \"6\" # TCP source = var.management_cidr source_type = \"CIDR_BLOCK\" tcp_options { destination_port_range { min = 6443 max = 6443 } } } resource \"oci_core_network_security_group\" \"nodes\" { compartment_id = var.compartment_id vcn_id = oci_core_vcn.k8s.id display_name = \"oke-node-pool-nsg\" } resource \"oci_containerengine_node_pool\" \"app\" { cluster_id = oci_containerengine_cluster.hardened.id compartment_id = var.compartment_id name = \"app-nodes\" node_shape = \"VM.Standard.E4.Flex\" node_config_details { placement_configs { availability_domain = var.ad_1 subnet_id = 
oci_core_subnet.nodes.id } nsg_ids = [oci_core_network_security_group.nodes.id] size = 3 } }</code> Remediation — OCI CLI <code class=\"language-bash\">oci network nsg create \\ --compartment-id <COMPARTMENT-OCID> \\ --vcn-id <VCN-OCID> \\ --display-name oke-node-pool-nsg oci ce node-pool update \\ --node-pool-id <NODE-POOL-OCID> \\ --nsg-ids '[\"<"},{"id":"oci/logging.html","url":"oci/logging.html","title":"OCI Logging & Detection Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Logging & Detection","description":"OCI logging & detection: Audit retention, Logging service, Cloud Guard, Vulnerability Scanning Service, Security Zones, VCN Flow Logs, Notifications, Audit archive.","body":"OCI Logging & Detection Hardening Overview This page covers Oracle Cloud Infrastructure logging and detection across the surfaces that decide whether the tenancy can observe what its workloads and identities are doing, surface unsafe state, and reject unsafe state at request time. Scope is the commercial OCI realms (OC1); OCI Government Cloud and dedicated-region tenancies inherit the same controls but expose realm-specific endpoints, Identity Domain federation constraints, and (for Cloud Guard) different reporting-region availability — re-verify region availability and the relevant docs.oracle.com realm-endpoint documentation before applying any of the IaC below to a sovereign or dedicated-region deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0 (accessed 2026-05) unless explicitly annotated as a post-v2.0.0 feature or a best-practice recommendation that the v2.0.0 benchmark has not yet codified. 
CIS published the Oracle Cloud Infrastructure Foundations Benchmark v3.1.0 in 2026; this site cites v2.0.0 throughout the corpus for consistency with the locked compliance-table contract, and Cloud Guard's detector pack is certified against v2.0.0 — v3.1.0 evaluation requires Vulnerability Scanning Service plus manual compartment-policy checks until OCI ships the v3.1.0 detector recipe. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. The OCI logging and detection model is the product of several distinct surfaces and each one has to be configured correctly because none of them is on-by-default in a useful way. The Audit service records every management-plane API call across the tenancy (write and read) into the tenancy-wide audit log group; it is enabled by default but the retention period defaults to 365 days (the maximum the Audit service itself stores) and an export to Object Storage is required for any compliance window longer than that. The Logging service (distinct from the Audit service — the equivalent discipline to Phase 8 GCP Cloud Audit Logs Admin vs Data Access is in play here) carries compartment-scoped service logs (Object Storage data events, KMS key use, VCN Flow Logs, Functions invocations) and custom application logs, organised into Log Groups and Logs; service logs are opt-in per service per category. Logging Analytics is OCI's SIEM-adjacent product (parser, dashboards, saved searches) — referenced in prose because it is the natural sink for high-volume log analysis, but not deep-dived per scope. Cloud Guard is the tenancy-scope detective posture engine — managed detector recipes evaluate configuration and activity, problems surface in the Cloud Guard problems view, and responder recipes wire the responsive pair to oci-ir-02-cloud-guard-remediation. 
Vulnerability Scanning Service (VSS) is the workload-scope detective engine — host scan recipes scan Compute instance OS for CVEs and open ports, container scan recipes scan Container Registry images on push. Security Zones is the tenancy-scope preventive engine — a compartment designated a Security Zone rejects non-compliant resource-creation API calls at request time using a Security Recipe (Maximum Security Recipe is Oracle-managed). Notifications is the topic-and-subscription fan-out service (with Events as the rules layer) that turns audit / Cloud Guard / Vault events into operator-visible alerts. Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and GCP sibling pages. The cross-cutting principles — what to log, log integrity, centralization, retention, SIEM and detection engineering, and alerting — are owned by the General Logging & Detection page; this page maps them to OCI primitives. Three anti-conflation callouts up front, because Cloud Guard, Vulnerability Scanning Service, and Security Zones are frequently confused as \"the one OCI security posture thing\" and each has a distinct scope and control-type that matters for both audit reporting and remediation design. This mirrors the Phase 7 Microsoft Defender for Cloud three-surface (regulatory dashboard / threat protection / Secure Score) discipline and the Phase 8 Security Command Center Premium three-surface (CSPM / threat detection / IAM Recommender) discipline. The three statements below are not optional flavour text — they are the load-bearing scope definitions that downstream auditors and incident responders rely on, and the page-level G13 gate enforces their presence with positive-grep. Cloud Guard is DETECTIVE at tenancy scope. 
Cloud Guard monitors the tenancy for misconfigurations and suspicious activity using Oracle-managed detector recipes (Configuration detector for misconfigured resources, Activity detector for suspicious API patterns), responds to findings via responder recipes (which integrate with Notifications and Functions for custom playbooks), and surfaces problems in the Cloud Guard problems view for triage. Scope is the tenancy root compartment subtree — Cloud Guard is the cross-tenancy detection plane and the home of oci-log-03. Cloud Guard does not block resource creation; it observes unsafe state after it occurs. The responsive pair (responder recipes auto-remediating findings) lives canonically on oci-ir-02-cloud-guard-remediation; do not re-author here. Vulnerability Scanning Service (VSS) is DETECTIVE on workloads. VSS host scan recipes scan Compute instance operating systems for CVEs and open ports on a schedule; container scan recipes scan Container Registry (OCIR) images on push (and on schedule) for CVEs in OS and language packages. Findings are surfaced both in the VSS console and into Cloud Guard via the VSS detector (so a tenancy that ships both gets a single problem-triage view). VSS is the workload-level CVE detection surface — distinct from Cloud Guard's tenancy-level misconfiguration detection scope. The closest cross-provider analog is AWS GuardDuty / Amazon Inspector, Azure Defender for Servers / Defender for Containers, and GCP Security Command Center Premium threat detection plus Container Analysis. The anchor literal oci-log-04-cloud-guard-detectors is historical (sibling-anchors.tsv lock from Phase 6); the functional Title for this control on this page is \"Vulnerability Scanning Service\" because it gives the cleanest cross-provider functional analog. See oci-log-04 for the full treatment. Security Zones is PREVENTIVE via compartment policy. 
A compartment designated as a Security Zone rejects non-compliant resource-creation API calls at request time: a Public Object Storage bucket cannot be created in a Security Zone (the API call returns a 4xx, not a Cloud Guard problem after the fact); an unencrypted Block Volume cannot be created (must reference a Vault key); a Compute instance with a public IP cannot be created. The Maximum Security Recipe is the Oracle-managed default that bundles these rules; custom Security Recipes (cloned from Maximum Security Recipe and edited) handle environments where a strict Maximum Security Recipe rule legitimately conflicts (a static-website public bucket use case is the canonical example). Security Zones is distinct from Cloud Guard's detective scope — Security Zones blocks unsafe creation; Cloud Guard surfaces unsafe state. See oci-log-05 for the full treatment. The anchor literal oci-log-05-cloud-guard is historical (sibling-anchors.tsv lock); the functional Title for this control on this page is \"Security Zones\". Order and scope matter. Controls 01–02 establish the management-plane and data-plane audit invariants: tenancy-wide Audit retention (365 days service + 2-year Object Storage archive with LOCKED retention rule) and per-service opt-in data-plane logging (Object Storage GetObject / PutObject, KMS Encrypt / Decrypt / Generate, Functions invocations). Control 03 enables Cloud Guard at the tenancy root for detective posture. Control 04 enables Vulnerability Scanning Service for workload-level CVE detection. Control 05 designates production compartments as Security Zones for preventive enforcement. Control 06 turns on VCN Flow Logs across every VNIC and subnet. Control 07 wires Notifications topics and subscriptions plus Events rules to the canonical tenancy-critical security events. Control 08 closes the forensic loop by archiving audit logs to Object Storage with a LOCKED 2-year retention rule. 
The compartment hierarchy primitive is owned by the OCI IAM page (Phase 5) and cross-referenced where relevant; do not re-author it here. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-log-01-audit-tenancy ! CRITICAL DETECTIVE The OCI Audit service records every management-plane API call across the tenancy (write and read, success and failure, with the calling principal, source IP, request body where it does not contain secrets, and the affected resource OCIDs) into a tenancy-wide audit log; this is the OCI equivalent of AWS CloudTrail org-trail and Azure Activity Log centralisation. Set the Audit service retention to its 365-day maximum (CIS OCI v2.0.0 §4.x codifies the 365-day minimum), centralise audit events into a dedicated logging compartment, and archive every audit event to an Object Storage bucket with a LOCKED retention rule of 2 years (730 days) — this is the two-tier pattern that mirrors Phase 6 AWS CloudTrail plus S3 Object Lock Compliance mode and Phase 8 GCP aggregated sinks plus BigQuery audit. Without the archive tier the compliance window is bounded at 365 days; without the LOCKED retention rule the archive itself can be deleted by any principal with OBJECT_DELETE permission, which is the exact attacker profile incident response cares about (Oracle Cloud Infrastructure — Audit Service overview (accessed 2026-05)). The principle traces back to General Logging — log integrity: an audit log an attacker can shorten is not an audit log; immutability and chain-of-custody require write-once retention. 
CRITICAL because in the absence of tenancy-wide audit the organisation cannot detect, scope, or close out any incident touching the management plane — a Cloud Guard finding, a Vault key deletion, an Identity Domain group mutation, all become unobservable. MITIGATES: Inability to detect, scope, or attribute management-plane compromise. An attacker who gains tenancy-admin (via compromised federated identity, leaked API key, or compromised break-glass) makes API calls — Vault key delete, policy create, compartment delete, instance create with permissive Security List — that are invisible to incident response if Audit retention is at the 90-day default and the archive does not exist. ATTACK VECTOR: An attacker with stolen tenancy-admin credentials operates inside the tenancy for 6-9 months (the median dwell time for cloud intrusions per Mandiant's M-Trends) before being detected. Audit retention is 90 days; the attacker's initial access, persistence creation, and lateral movement are out of the audit window. The incident response team can establish current state but cannot reconstruct the sequence of events that produced it. BLAST RADIUS: The entire tenancy, retroactively. Every management-plane API call older than the retention horizon is gone — every Vault key access, every IAM policy change, every resource create or destroy. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: set the Audit service retention to its 365-day maximum. oci audit config update \\ --compartment-id \"$TENANCY_OCID\" \\ --retention-period-days 365 # Step 2: create the dedicated logging compartment and the audit-archive Object Storage bucket. oci os bucket create \\ --compartment-id \"$LOGGING_COMPARTMENT_OCID\" \\ --name audit-archive-prod \\ --namespace-name \"$OS_NAMESPACE\" \\ --versioning Enabled \\ --kms-key-id \"$VAULT_KEY_OCID\" # Step 3: apply a LOCKED 2-year retention rule on the archive bucket. 
# time_amount=730 days; time_rule_locked transitions immutable after 14-day grace. oci os retention-rule create \\ --bucket-name audit-archive-prod \\ --namespace-name \"$OS_NAMESPACE\" \\ --display-name compliance-2y \\ --duration '{\"timeAmount\":730,\"timeUnit\":\"DAYS\"}' \\ --time-rule-locked \"$(date -u -d '+14 days' +%Y-%m-%dT%H:%M:%SZ)\" # Step 4: configure a Service Connector Hub to ship the tenancy Audit log into the archive bucket. oci sch service-connector create \\ --compartment-id \"$LOGGING_COMPARTMENT_OCID\" \\ --display-name audit-to-archive \\ --source '{\"kind\":\"logging\",\"logSources\":[{\"compartmentId\":\"'\"$TENANCY_OCID\"'\",\"logGroupId\":\"_Audit\",\"logId\":\"_Audit\"}]}' \\ --target '{\"kind\":\"objectStorage\",\"bucketName\":\"audit-archive-prod\",\"namespaceName\":\"'\"$OS_NAMESPACE\"'\"}'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_audit_configuration\" \"tenancy\" { compartment_id = var.tenancy_ocid retention_period_days = 365 } resource \"oci_objectstorage_bucket\" \"audit_archive\" { compartment_id = var.logging_compartment_id namespace = var.os_namespace name = \"audit-archive-prod\" versioning = \"Enabled\" kms_key_id = var.vault_key_ocid retention_rules { display_name = \"compliance-2y\" duration { time_amount = 730 time_unit = \"DAYS\" } # Lock the rule 14 days after creation: rule becomes immutable, cannot be # reduced or deleted even by tenancy-admin (mirrors S3 Object Lock Compliance). time_rule_locked = timeadd(timestamp(), \"336h\") } } # Service Connector Hub: tenancy Audit log -> archive bucket. 
resource \"oci_sch_service_connector\" \"audit_to_archive\" { compartment_id = var.logging_compartment_id display_name = \"audit-to-archive\" source { kind = \"logging\" log_sources { compartment_id = var.tenancy_ocid log_group_id = \"_Audit\" log_id = \"_Audit\" } } target { kind = \"objectStorage\" bucket = oci_objectstorage_bucket.audit_archive.name namespace = var.os_namespace } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-log-01-audit-tenancy\" \\ --display-name \"oci-log-01-audit-tenancy\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-log-01-audit-tenancy\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Tenancy-wide Audit retention extension to 365 days (default is 90). 
const cfg = new pulumi.Config(); const tenancyOcid = cfg.require(\"tenancyOcid\"); const auditRetention = new oci.audit.Configuration(\"tenancy-audit-365d\", { compartmentId: tenancyOcid, retentionPeriodDays: 365, // max-365 at the audit-service tier; archive longer via Logging }); // Forward Audit events to a tenancy-level Logging service log group for long-term archive. const auditArchiveGroup = new oci.logging.LogGroup(\"audit-archive\", { compartmentId: tenancyOcid, displayName: \"audit-archive-7yr\", description: \"Long-term Audit event archive — exported via Service Connector to Object Storage\", }); const auditLog = new oci.logging.Log(\"audit-tenancy-forward\", { logGroupId: auditArchiveGroup.id, displayName: \"audit-tenancy\", logType: \"SERVICE\", isEnabled: true, configuration: { source: { sourceType: \"OCISERVICE\", service: \"audit\", resource: tenancyOcid, category: \"all\", }, }, retentionDuration: 180, // 6 mo at the Logging tier; Service Connector exports daily to OSS }); export const auditLogOcid = auditLog.id; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 3.1; 3.25.1.x2.1; 2.24.x (verify) AU-2; AU-3; AU-6; AU-9; AU-11A.8.15; A.5.28CLD.12.4.5 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'audit' with eventName = 'UpdateConfiguration' reducing retentionPeriodDays below the 365-day baseline. Audit-configuration deltas at the tenancy compartment that flip the Audit retention from the documented compliance window to the OCI minimum of 90 days. Ingestion-rate drop on the tenancy-root Audit log group of more than 30% week-over-week — surfaces silent log-source detachments. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'audit' and eventName = 'UpdateConfiguration' | eval new_retention = data.request.payload.retentionPeriodDays | where new_retention < 365 | stats count by 'User Name', 'Compartment Name', new_retention</code> The Audit retention setter is a single tenancy-scoped REST call; any successful invocation reducing the value is unambiguous. Alert threshold Any UpdateConfiguration setting retentionPeriodDays below 365 — page; this is the tenancy's compliance-window guard. Week-over-week ingestion drop on the tenancy-root Audit log group exceeding 30% during steady-state hours — page; correlate with infrastructure changes. Initial response Restore the retention value to 365 days via oci audit config update; OCI Audit accepts the change instantly without backfill. Snapshot the current Audit log archive to Object Storage with Object Lifecycle Management retention-rule in compliance mode so the historical window is preserved independently of the live setting. Document the rollback per general/ir.html and update the tenancy compliance dashboard. References Oracle — changing Audit log retention (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-log-02-data-events ! HIGH DETECTIVE The OCI Audit service records management-plane API calls — bucket create, key rotate, policy update — but it does not record data-plane events (the GetObject and PutObject calls into individual buckets, the Encrypt and Decrypt and GenerateDataKey calls into individual Vault keys, the Function invocations) by default. Data-plane events are equivalent to the AWS CloudTrail \"Data Events\" tier and the Azure Storage Diagnostic Logs tier — they answer \"who read the customer-data bucket between 02:00 and 04:00 UTC the night of the incident\" and they are required for any forensic investigation of data exfiltration. 
Enable service logs explicitly for Object Storage read and write categories, for Vault key use, and for Functions invocations, organised into a per-service Log Group inside the dedicated logging compartment, and ship the resulting logs into Logging Analytics or via Service Connector Hub into Object Storage for long-term retention (OCI — Logging Service overview (accessed 2026-05)). The cost model is per-GB-ingested into the Logging service (with archival economics if you ship to Object Storage), so noisy services like Functions warrant a sampling policy decision rather than blanket 100% capture. HIGH because the absence of data-plane events makes data-exfiltration incidents un-investigable — the management-plane Audit log shows the bucket existed and the IAM policy permitted read, but not who read what and when. MITIGATES: Inability to investigate data-exfiltration incidents. An attacker who obtains read access to an Object Storage bucket (via compromised user, leaked PAR, or over-broad compartment policy) downloads the customer data; with only management-plane Audit enabled, incident response can establish only that the principal had read permission, not whether they exercised it. ATTACK VECTOR: An attacker compromises a CI/CD service account with read access to a customer-data Object Storage bucket and exfiltrates the contents over the course of a week, throttled to evade volumetric anomaly detection. Without Object Storage read data-plane events enabled, incident response can establish current bucket contents but cannot determine whether they were read, when, by whom, or from which source IP. BLAST RADIUS: Every bucket and every Vault key without data-plane logging — the entire forensic shadow zone where data-plane API calls happen but leave no trace. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create the per-service Log Group in the logging compartment. 
oci logging log-group create \\ --compartment-id \"$LOGGING_COMPARTMENT_OCID\" \\ --display-name service-data-events # Step 2: enable Object Storage read events for a sensitive bucket. oci logging log create \\ --log-group-id \"$LOG_GROUP_OCID\" \\ --display-name objectstorage-customer-data-read \\ --log-type SERVICE \\ --is-enabled true \\ --configuration '{ \"source\": { \"service\": \"objectstorage\", \"resource\": \"'\"$BUCKET_OCID\"'\", \"category\": \"read\", \"sourceType\": \"OCISERVICE\" } }' # Step 3: enable Object Storage write events (PutObject, DeleteObject) for the same bucket. oci logging log create \\ --log-group-id \"$LOG_GROUP_OCID\" \\ --display-name objectstorage-customer-data-write \\ --log-type SERVICE \\ --is-enabled true \\ --configuration '{ \"source\": { \"service\": \"objectstorage\", \"resource\": \"'\"$BUCKET_OCID\"'\", \"category\": \"write\", \"sourceType\": \"OCISERVICE\" } }' # Step 4: enable KMS (Vault) key-use events for a regulated Vault key. oci logging log create \\ --log-group-id \"$LOG_GROUP_OCID\" \\ --display-name vault-key-use \\ --log-type SERVICE \\ --is-enabled true \\ --configuration '{ \"source\": { \"service\": \"vaults\", \"resource\": \"'\"$VAULT_KEY_OCID\"'\", \"category\": \"all\", \"sourceType\": \"OCISERVICE\" } }'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_logging_log_group\" \"service_data_events\" { compartment_id = var.logging_compartment_id display_name = \"service-data-events\" } # Object Storage read events for customer-data bucket. 
resource \"oci_logging_log\" \"objectstorage_read\" { log_group_id = oci_logging_log_group.service_data_events.id display_name = \"objectstorage-customer-data-read\" log_type = \"SERVICE\" is_enabled = true configuration { source { service = \"objectstorage\" resource = var.customer_data_bucket_ocid category = \"read\" source_type = \"OCISERVICE\" } } } # Object Storage write events (PutObject, DeleteObject) for the same bucket. resource \"oci_logging_log\" \"objectstorage_write\" { log_group_id = oci_logging_log_group.service_data_events.id display_name = \"objectstorage-customer-data-write\" log_type = \"SERVICE\" is_enabled = true configuration { source { service = \"objectstorage\" resource = var.customer_data_bucket_ocid category = \"write\" source_type = \"OCISERVICE\" } } } # Vault key-use events (Encrypt, Decrypt, GenerateDataKey) for a regulated key. resource \"oci_logging_log\" \"vault_key_use\" { log_group_id = oci_logging_log_group.service_data_events.id display_name = \"vault-key-use\" log_type = \"SERVICE\" is_enabled = true configuration { source { service = \"vaults\" resource = var.regulated_vault_key_ocid category = \"all\" source_type = \"OCISERVICE\" } } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-log-02-data-events\" \\ --display-name \"oci-log-02-data-events\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-log-02-data-events\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: 3.x · CIS Microsoft Azure Foundations v6.0.0: 5.x · CIS GCP Foundation v5.0.0: 2.x · CIS OCI Foundation v3.1.0: 4.x (verify) · NIST SP 800-53 rev5: AU-2; AU-12 · ISO/IEC 27001:2022: A.8.15 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' with eventName in (UpdateLog, DeleteLog) targeting any service log resource (logType = SERVICE) backing Object Storage data events or Function invocation logs. UpdateLogGroup events that move data-event log emitters out of the centralized log group, severing the pipeline to Logging Analytics. Configuration deltas on individual service-log resources where isEnabled flips from true to false. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'logging' and eventName in ('UpdateLog', 'DeleteLog') | eval is_data_event = if(data.target.log.logType = 'SERVICE' and data.target.log.configuration.source.category in ('read', 'write'), 'YES', 'NO') | where is_data_event = 'YES' | stats count by 'User Name', data.target.log.displayName, eventName</code> Service logs are individually addressed; the inventory of data-event-emitting service logs is bounded and known per compartment. Alert threshold Any disable or delete of a data-event service log on Object Storage, KMS, or Functions resources — page; data-event visibility is required for forensic granularity. An UpdateLogGroup moving a data-event log into a non-archival log group — page. Initial response Re-enable the service log via oci logging log update --is-enabled true; OCI Logging restarts the data-event pipeline within a minute. Reconcile the log's parent group binding via Resource Manager so the central pipeline routes match the documented topology. Backfill data-event coverage for the gap window from the resource's native audit feeds (Object Storage access via the bucket's own access log; KMS via tenancy-root Audit) per general/ir.html. References Oracle — OCI service logs (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-log-03-cloud-guard ! HIGH DETECTIVE Cloud Guard is DETECTIVE at tenancy scope. 
Cloud Guard is OCI's cross-tenancy detection plane: enable it at the tenancy root with Oracle-managed detector recipes (the Configuration detector evaluates resource configurations against a library of checks — public buckets, weak NSG rules, IAM policies that grant manage all-resources, Vault keys without rotation; the Activity detector evaluates suspicious API call patterns — instance launched in unusual region, IAM policy created from anomalous source IP, MFA bypassed), set the target to the tenancy root compartment so detection covers the entire subtree, and attach the Oracle-managed responder recipe (which integrates with Notifications and Functions; the auto-remediation behaviour is canonically owned by oci-ir-02-cloud-guard-remediation on the OCI IR page). Problems surface in the Cloud Guard problems view with severity Critical / High / Medium / Minor / Low; integrate the problems stream into the organisation's SIEM or ticketing via Notifications topics for triage tracking. Cloud Guard's scope is tenancy posture (CSPM) — it observes unsafe state and surfaces findings; it does not block resource creation (Security Zones at oci-log-05 is the preventive surface) and it does not scan workloads for CVEs (Vulnerability Scanning Service at oci-log-04 is the workload-scope detective surface). The detector pack is certified against CIS OCI v2.0.0; v3.1.0 evaluation requires VSS findings plus manual compartment-policy checks until OCI ships the v3.1.0 detector pack (OCI — Cloud Guard documentation (accessed 2026-05)). The principle traces back to General Logging — SIEM and detection engineering: a posture engine that finds the issues nobody is configured to look for, with managed detector recipes that ship with the platform rather than being authored by the customer. 
MITIGATES: Misconfigurations and suspicious activity going undetected — public buckets, over-broad IAM policies, Vault keys without rotation, Compute instances launched in unusual regions, MFA bypassed for federated identities — across the entire tenancy. ATTACK VECTOR: A workload team accidentally creates a public-read Object Storage bucket containing customer PII; without Cloud Guard the misconfiguration sits unobserved until a security researcher (or attacker) discovers it. Compounds with leaked credentials: an attacker using a compromised tenancy-admin federated identity makes API calls from an anomalous source IP — without the Activity detector and without a Notifications wire to the SOC, the calls are recorded in Audit but not surfaced as a problem to triage. BLAST RADIUS: The entire tenancy root subtree. Without Cloud Guard, every compartment relies on workload-team self-policing for misconfiguration detection. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: enable Cloud Guard at the tenancy root with a reporting region. # (Reporting region is the region where Cloud Guard stores problems; one per tenancy.) oci cloud-guard configuration update \\ --compartment-id \"$TENANCY_OCID\" \\ --status ENABLED \\ --reporting-region us-ashburn-1 # Step 2: create the tenancy-root target so detection covers the entire compartment subtree. oci cloud-guard target create \\ --compartment-id \"$TENANCY_OCID\" \\ --display-name tenancy-root \\ --target-resource-type COMPARTMENT \\ --target-resource-id \"$TENANCY_OCID\" # Step 3: attach the Oracle-managed detector + responder recipes to the target. # (Recipe OCIDs are tenancy-specific; query with oci cloud-guard detector-recipe list.) 
oci cloud-guard target-detector-recipe create \\ --target-id \"$TARGET_OCID\" \\ --detector-recipe-id \"$ORACLE_MANAGED_CONFIG_DETECTOR_OCID\" oci cloud-guard target-responder-recipe create \\ --target-id \"$TARGET_OCID\" \\ --responder-recipe-id \"$ORACLE_MANAGED_RESPONDER_OCID\"</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud Guard docs (accessed 2026-05) resource \"oci_cloud_guard_cloud_guard_configuration\" \"tenancy\" { compartment_id = var.tenancy_ocid status = \"ENABLED\" reporting_region = \"us-ashburn-1\" } # Clone the Oracle-managed Configuration detector recipe so it can be tuned per-tenancy. resource \"oci_cloud_guard_detector_recipe\" \"config_clone\" { compartment_id = var.tenancy_ocid display_name = \"tenancy-config-detector\" source_detector_recipe_id = var.oracle_managed_config_detector_ocid } # Clone the Oracle-managed Activity detector recipe. resource \"oci_cloud_guard_detector_recipe\" \"activity_clone\" { compartment_id = var.tenancy_ocid display_name = \"tenancy-activity-detector\" source_detector_recipe_id = var.oracle_managed_activity_detector_ocid } # Clone the Oracle-managed responder recipe (responsive pair owned by oci-ir-02). resource \"oci_cloud_guard_responder_recipe\" \"responder_clone\" { compartment_id = var.tenancy_ocid display_name = \"tenancy-responder\" source_responder_recipe_id = var.oracle_managed_responder_ocid } # Target = tenancy root compartment subtree; binds detectors + responder. 
resource \"oci_cloud_guard_target\" \"tenancy_root\" { compartment_id = var.tenancy_ocid display_name = \"tenancy-root\" target_resource_type = \"COMPARTMENT\" target_resource_id = var.tenancy_ocid target_detector_recipes { detector_recipe_id = oci_cloud_guard_detector_recipe.config_clone.id } target_detector_recipes { detector_recipe_id = oci_cloud_guard_detector_recipe.activity_clone.id } target_responder_recipes { responder_recipe_id = oci_cloud_guard_responder_recipe.responder_clone.id } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-log-03-cloud-guard\" \\ --display-name \"oci-log-03-cloud-guard\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-log-03-cloud-guard\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: 3.x (Config) · CIS Microsoft Azure Foundations v6.0.0: 2.x (Defender) · CIS GCP Foundation v5.0.0: 2.x (SCC) · CIS OCI Foundation v3.1.0: (best-practices) · NIST SP 800-53 rev5: CM-8; CM-3; SI-4 · ISO/IEC 27001:2022: A.8.9; A.8.16 · ISO/IEC 27017:2015: CLD.12.4.5 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'cloud-guard' with eventName = 'UpdateConfiguration' whose payload flips status from ENABLED to DISABLED. Tenancy-root Cloud Guard configuration deltas where the reportingRegion changes — surfacing reporting-region migrations that interrupt finding flow. Cloud Guard problem-stream gap longer than 15 minutes during steady-state operating hours. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'cloud-guard' and eventName = 'UpdateConfiguration' | eval cg_status = data.request.payload.status | where cg_status = 'DISABLED' | stats count by 'User Name', 'Compartment Name'</code> Cloud Guard tenancy enablement is a single boolean; disable events are exceptional and ticketed. Alert threshold Any tenancy Cloud Guard status transition to DISABLED — page immediately; this disables every detector and responder simultaneously. Problem-stream gap exceeding 15 minutes on the tenancy-root reporting region during business hours — page. Initial response Re-enable Cloud Guard at the tenancy via oci cloud-guard configuration update --status ENABLED; detectors resume scanning within minutes. 
Re-attach detector and responder recipes to the tenancy-root target if the disable cycle reset the binding state. Replay the disabled window against the tenancy Audit log feed using the same JMESPath the Cloud Guard activity detector evaluates, and triage the surfaced events per general/ir.html. References Oracle — Cloud Guard documentation (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-log-04-cloud-guard-detectors ! CRITICAL DETECTIVE Vulnerability Scanning Service (VSS) is DETECTIVE on workloads. The anchor literal oci-log-04-cloud-guard-detectors is preserved for sibling-provider link stability (sibling-anchors.tsv lock from Phase 6 — every AWS, Azure, and GCP logging page emits a graceful-then-STRICT href pointing at this anchor literal); the functional Title for this control on this page is \"Vulnerability Scanning Service\" because VSS provides the cleanest cross-provider functional analog to AWS GuardDuty / Amazon Inspector, Azure Defender for Servers and Defender for Containers, and GCP Security Command Center Premium threat detection plus Container Analysis. Configure two recipe surfaces: host scan recipes scan the operating system of Compute instances for CVEs and open ports on a schedule (the Cloud Agent must be running on the instance and the Vulnerability Scanning plugin must be enabled); container scan recipes scan Container Registry (OCIR) images on push and on a schedule for CVEs in OS and language packages. Findings surface in the VSS console with severity Critical / High / Medium / Low and also flow into Cloud Guard via the VSS detector, so a tenancy that ships both oci-log-03 and this control gets a single problem-triage view (OCI — Vulnerability Scanning Service (accessed 2026-05)). Remediation feedback flows back to OS Management Hub for patching workflows (oci-work-08-os-management-hub on the OCI Workloads page). 
VSS is distinct from Cloud Guard — VSS is workload-level CVE detection (the worklo"},{"id":"oci/network.html","url":"oci/network.html","title":"OCI Network Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Network","description":"OCI network hardening: VCN design, security lists vs NSGs, Service Gateway, Private Endpoint, WAF, DDoS, DNS DNSSEC, NAT Gateway egress.","body":"OCI Network Hardening Overview This page covers Oracle Cloud Infrastructure network hardening across the surfaces that decide whether an attacker reaching the network edge can pivot inward, exfiltrate data, or sustain disruption. Scope is the commercial OCI realms (OC1); OCI Government Cloud and dedicated-region tenancies inherit the same controls but expose realm-specific endpoints, region availability, and Identity Domain federation constraints — re-verify region availability and the relevant docs.oracle.com realm-endpoint documentation before applying any of the IaC below to a sovereign or dedicated-region deployment. CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0 (accessed 2026-05) unless explicitly annotated as a post-v2.0.0 feature or a best-practice recommendation that the v2.0.0 benchmark has not yet codified. CIS published the Oracle Cloud Infrastructure Foundations Benchmark v3.1.0 in 2026; this site cites v2.0.0 throughout the corpus for consistency with the locked compliance-table contract. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. 
The OCI network model is the product of a tenancy (the root identity boundary, where the realm and root compartment live), compartments (hierarchical containers that own policy, quota, and resources — owned canonically by oci-iam-07-compartment-hierarchy on the OCI IAM page; this page cross-references and does not re-author the compartment model), Virtual Cloud Networks (VCNs) (regional networks with custom CIDR allocation; no auto-mode subnets), subnets (regional or AD-specific CIDR slices, with the boolean prohibit_public_ip_on_vnic that turns a subnet into a private subnet at the data plane), VNICs (the per-host network interface that NSGs attach to), Security Lists (stateful L4 firewalls scoped to a subnet — the legacy surface that ships with every VCN), Network Security Groups (stateful L4 firewalls scoped to a VNIC, with the unique ability to reference other NSGs as source or destination — the security-group-style surface), Dynamic Routing Gateway (DRG) (the hub-and-spoke routing primitive that lets one DRG attach to many VCNs and to FastConnect / IPsec for on-prem peering), Service Gateway (the regional egress to the Oracle Services Network for Object Storage, Autonomous Database, and OCI control planes — no NAT, no Internet Gateway), Private Endpoint (the per-service-instance private VNIC inside your subnet that fronts an OCI managed service at a private IP), NAT Gateway (stateful SNAT for outbound public traffic from private subnets), Bastion service (per-session time-limited SSH or managed port-forwarding sessions to instances that have no public IP), and edge primitives Flexible Load Balancer, OCI DNS, Web Application Firewall (WAF), and Network Firewall (managed Palo Alto VM-Series for L7 / FQDN egress filtering). The cross-cutting principles — segmentation, zero trust, egress control, private connectivity, encryption in transit, and DNS security — are owned by the General Network page; this page maps them to OCI primitives. 
Severity is assigned from the methodology severity rubric; equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and GCP sibling pages. Three anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. First: Security Lists and Network Security Groups are complementary, not alternative. Security Lists are subnet-scoped stateful firewalls — every VNIC in the subnet inherits the Security List rule set, evaluation happens per packet, and Security Lists are the legacy surface that ships with every VCN by default. Network Security Groups (oci-net-02) are VNIC-scoped stateful firewalls, with the unique ability for a rule to reference another NSG as source or destination — this is the security-group-style surface familiar from AWS, and it lets you express \"tier-A may reach tier-B\" without enumerating CIDRs. Both surfaces are evaluated together as a union: a packet is allowed if any matching Security List rule or any matching NSG rule admits it. Use NSGs for VNIC-grouping logic (per-tier, per-role); use Security Lists for blanket subnet-wide defaults. Both must deny 0.0.0.0/0 ingress on admin ports; the same invariant has to hold on both surfaces because the union evaluation does not give one surface veto over the other. Second: the OCI Bastion service is the default access path; SSH-to-public-IP is an anti-pattern, not an alternative. The Bastion service (referenced from oci-net-02 and authored canonically on the OCI Workloads page) provides per-session time-limited SSH and managed port-forwarding sessions to target instances that have no public IP; sessions are audited in the OCI Audit service, scoped to a single target, and expire after a configured TTL (default 3 hours, maximum 3 hours; renewal is explicit). 
Putting public IPs on workload instances and opening TCP 22 to 0.0.0.0/0 on a Security List or NSG is the canonical OCI ops anti-pattern; it is enumerated only to be ruled out. The Bastion is the default; SSH-to-public-IP is not a tradeoff to weigh. Third: Service Gateway and Private Endpoint are complementary, not alternative. Service Gateway (oci-net-04) routes private traffic from a VCN to the Oracle Services Network — Object Storage, Autonomous Database, OKE control plane, and other OCI-managed services — over Oracle's backbone, with no NAT and no public IP on the workload; it is a regional bulk-routing primitive bound to the route table via a network_entity_id entry for all-<region>-services-in-oracle-services-network. Private Endpoint (oci-net-03) creates an explicit private VNIC inside your subnet that exposes one specific OCI managed-service instance (for example, one Autonomous Database) as a private IP you control; the consuming workload connects to a 10.x address. Service Gateway is bulk and regional; Private Endpoint is per-service-instance. PE is the right pattern when you want CIDR-level reachability of a specific managed-service instance; SG is the right pattern for the broad \"talk to Object Storage and ADB control planes from this VCN without an Internet Gateway\" case. Most production VCNs need both. Order and scope matter. Controls 01–04 are foundational invariants: design the VCN explicitly (no default reuse), close 0.0.0.0/0 ingress to admin ports on both Security Lists and NSGs, front OCI managed-service instances with Private Endpoints inside private subnets, and route bulk OCI-service traffic via the Service Gateway. Control 05 is the L7 WAF on public Load Balancers. Control 06 is the platform-default L3/L4 DDoS layer and its operator-visible L7 rate-limiting complement. Control 07 signs the organisation's public DNS zones and points private resolution at private DNS views. 
Control 08 closes the egress loop with NAT Gateway, egress NSG and Security List rules, and Network Firewall for FQDN- or L7-aware egress filtering. The compartment hierarchy and least-privilege policy primitives are owned by the OCI IAM page and cross-referenced from this page where relevant; do not re-author them here. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-net-01-vcn-design ! MEDIUM PREVENTIVE Design every workload VCN as an explicit custom-CIDR Virtual Cloud Network owned by a per-environment compartment, with subnets stratified into public (load balancers and edge only), private (workloads with no public IPs — prohibit_public_ip_on_vnic = true), and data-tier (database subnets, no Internet Gateway in the route table). Hub-and-spoke topology is expressed via a Dynamic Routing Gateway (DRG) — one DRG per region attaches to many workload VCNs and to FastConnect or IPsec circuits for on-prem peering, so transitive routing is explicit and policy-controlled rather than a side effect of VCN peering (Oracle Cloud Infrastructure — Dynamic Routing Gateway documentation (accessed 2026-05)). The principle is reinforced in General Network — segmentation: a network the tenancy did not consciously design is a network whose blast radius the tenancy cannot reason about. OCI does not ship a \"default\" VCN in the AWS sense, but the equivalent failure mode is workload teams creating shared-purpose VCNs in the root compartment with overlapping CIDRs that later cannot be peered without renumbering. Compartment scope per workload (cross-link: oci-iam-07-compartment-hierarchy) is the structural fix. 
MITIGATES: Shadow VCNs created in the root compartment with overlapping CIDRs and permissive Security Lists, blocking later hub-and-spoke peering and making centralised egress filtering impossible to enforce on the traffic those VCNs generate. ATTACK VECTOR: A workload team launches a VCN with the 10.0.0.0/16 default CIDR in the root compartment, attaches an Internet Gateway, and provisions a flat subnet with the default Security List (which permits all egress and SSH ingress from the VCN CIDR). A workload VM gets an ephemeral public IP and is immediately reachable on whatever ports the default Security List allows from the wider tenancy. Compounds when later projects re-use the same CIDR and the security team discovers peering is impossible at the moment a hub VCN is introduced. BLAST RADIUS: Per VCN: every VNIC in every subnet of the VCN for as long as the VCN exists. Compounds across many VCNs in a large tenancy whose CIDR plan was never centrally managed. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create the workload VCN with an explicit CIDR in the workload compartment. oci network vcn create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --cidr-blocks '[\"10.40.0.0/16\"]' \\ --display-name vcn-app-prod \\ --dns-label appprod # Step 2: create the private workload subnet (no public IPs allowed on any VNIC). oci network subnet create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --cidr-block 10.40.10.0/24 \\ --display-name snet-app-prod-private \\ --prohibit-public-ip-on-vnic true \\ --dns-label appprodpriv # Step 3: create the data-tier subnet (no Internet Gateway route). oci network subnet create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --cidr-block 10.40.20.0/24 \\ --display-name snet-app-prod-data \\ --prohibit-public-ip-on-vnic true \\ --dns-label appproddata # Step 4: create the regional DRG for hub-and-spoke and attach the workload VCN. 
oci network drg create \\ --compartment-id \"$NETWORK_COMPARTMENT_OCID\" \\ --display-name drg-hub-eu-frankfurt-1 oci network drg-attachment create \\ --drg-id \"$DRG_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --display-name attach-vcn-app-prod</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_core_vcn\" \"app_prod\" { compartment_id = var.workload_compartment_id cidr_blocks = [\"10.40.0.0/16\"] display_name = \"vcn-app-prod\" dns_label = \"appprod\" } resource \"oci_core_subnet\" \"app_prod_private\" { compartment_id = var.workload_compartment_id vcn_id = oci_core_vcn.app_prod.id cidr_block = \"10.40.10.0/24\" display_name = \"snet-app-prod-private\" prohibit_public_ip_on_vnic = true dns_label = \"appprodpriv\" } resource \"oci_core_subnet\" \"app_prod_data\" { compartment_id = var.workload_compartment_id vcn_id = oci_core_vcn.app_prod.id cidr_block = \"10.40.20.0/24\" display_name = \"snet-app-prod-data\" prohibit_public_ip_on_vnic = true dns_label = \"appproddata\" } # Regional DRG (hub) — attach many workload VCNs and FastConnect / IPsec here. resource \"oci_core_drg\" \"hub\" { compartment_id = var.network_compartment_id display_name = \"drg-hub-eu-frankfurt-1\" } resource \"oci_core_drg_attachment\" \"vcn_app_prod\" { drg_id = oci_core_drg.hub.id vcn_id = oci_core_vcn.app_prod.id display_name = \"attach-vcn-app-prod\" }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-net-01-vcn-design\" \\ --display-name \"oci-net-01-vcn-design\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-net-01-vcn-design\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a · CIS Microsoft Azure Foundations v6.0.0: n/a · CIS GCP Foundation v5.0.0: n/a · CIS OCI Foundation v3.1.0: 2.x (verify) · NIST SP 800-53 rev5: SC-7; CM-2 · ISO/IEC 27001:2022: A.8.20; A.8.22 · ISO/IEC 27017:2015: CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'core' with eventName in (CreateVcn, UpdateVcn, CreateInternetGateway) inside a compartment normally reserved for private workloads. Route-table mutation events (UpdateRouteTable) that introduce an Internet Gateway target on a route previously carrying NAT or Service-Gateway egress only. VCN CIDR overlap with the corporate on-prem allocation as detected by a periodic diff of the VCN inventory against the IPAM source of truth. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'core' and eventName in ('CreateVcn', 'CreateInternetGateway', 'UpdateRouteTable') | eval added_igw = if(eventName = 'UpdateRouteTable' and data.request.payload.routeRules like '%internetGateway%', 'YES', 'NO') | where eventName in ('CreateVcn', 'CreateInternetGateway') or added_igw = 'YES' | stats count by 'User Name', 'Compartment Name', eventName</code> Tag every compartment with NetworkClass = private|edge so the saved search can narrow to private-class compartments where an IGW should never appear. Alert threshold Any new Internet Gateway in a NetworkClass = private compartment — page on first event. Any VCN whose CIDR overlaps the IPAM allocation table — page; CIDR overlap breaks downstream peering and DNS resolution. Initial response Detach the Internet Gateway from affected route tables via Resource Manager; OCI applies the route change online without flow disruption to NAT/SGW traffic. If the VCN itself is the deviation, plan a controlled VCN replacement with the correct CIDR and a documented migration window; do not edit CIDR in place (the operation is unsupported). Brief the network team and capture the topology change per general/ir.html. References Oracle — OCI VCN concepts (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-net-02-sl-nsg-no-admin ! CRITICAL PREVENTIVE No Security List and no Network Security Group in any compartment of the tenancy may permit ingress from 0.0.0.0/0 on administrative ports — SSH 22, RDP 3389, Oracle Database 1521, PostgreSQL 5432, MySQL 3306, SQL Server 1433, MongoDB 27017, Redis 6379, and any other database or management port the organization uses. 
Both surfaces must enforce the same invariant because OCI evaluates Security Lists and NSGs as a union: a packet is allowed if either surface admits it, so leaving the deny on only one surface is insufficient (Oracle Cloud Infrastructure — Security Rules (Security Lists and NSGs) (accessed 2026-05)). Anti-conflation: Security Lists are subnet-scoped — every VNIC in the subnet inherits the rules. NSGs are VNIC-scoped and can reference other NSGs as source or destination, which is how OCI expresses \"tier-A may reach tier-B\" without enumerating CIDRs (the security-group-style surface). Use NSGs for per-tier and per-role grouping logic; use Security Lists for blanket subnet-wide defaults; both must deny admin-port ingress from the public internet because the union-evaluation model gives neither surface a veto. Access path: operators reach instances via the OCI Bastion service (per-session time-limited SSH or managed port-forwarding to instances with no public IP, audited via the OCI Audit service); putting a public IP on a workload instance and opening TCP 22 to 0.0.0.0/0 is the canonical OCI ops anti-pattern, not an alternative to weigh. CRITICAL because this is the \"open the internet to my database\" misconfiguration; Shodan-style scanners locate exposures within minutes, and CIS OCI v2.0.0 §2.1 and §2.2 codify the requirement for both surfaces. The principle traces back to General Network — zero trust: never trust source-IP filtering as the only control on a management port. MITIGATES: Direct internet exposure of management planes and databases — leading to credential brute force, exploitation of unpatched pre-auth RCE in admin services, and untargeted ransomware against open Oracle DB / PostgreSQL / MongoDB / Redis instances. ATTACK VECTOR: A workload team adds a permissive ingress rule \"temporarily\" to a Security List or NSG to debug a jump host (TCP 22 from 0.0.0.0/0); the rule is never reverted. 
Within hours, distributed brute-force traffic from compromised residential IPs begins probing for SSH passwords or weak keys. Database admin ports are worse: pre-authentication CVEs in some database engines turn an open port into immediate unauthenticated code execution; pre-3.6 MongoDB / pre-6 Redis with default no-auth configurations are still in the wild. Compounds when only one of the two surfaces (Security List or NSG) is fixed and the other still permits the traffic. BLAST RADIUS: Every VNIC in the offending subnet (Security List) or every VNIC carrying the offending NSG, across every workload that uses the surface. With OCI's union-evaluation model, a deny on one surface and an allow on the other resolves to allow. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: replace the default Security List ingress rules with an empty array (no ingress). # Egress rules are kept; admin ingress invariant lives on the NSG side too. oci network security-list update \\ --security-list-id \"$DEFAULT_SL_OCID\" \\ --ingress-security-rules '[]' \\ --force # Step 2: create the workload NSG and attach to VNICs via instance/LB configuration. oci network nsg create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --display-name nsg-app-tier # Step 3: add an explicit allow-from-bastion-NSG rule on SSH (NSGs can reference other NSGs). oci network nsg rules add \\ --nsg-id \"$APP_NSG_OCID\" \\ --security-rules '[{ \"direction\": \"INGRESS\", \"protocol\": \"6\", \"source\": \"'\"$BASTION_NSG_OCID\"'\", \"sourceType\": \"NETWORK_SECURITY_GROUP\", \"tcpOptions\": {\"destinationPortRange\": {\"min\": 22, \"max\": 22}}, \"description\": \"SSH only from Bastion NSG; no 0.0.0.0/0 ingress\" }]' # Step 4: audit the tenancy for any Security List or NSG rule allowing 0.0.0.0/0 on admin ports. 
oci search resource structured-search \\ --query-text \"query SecurityList resources where (freeformTags.audit = 'admin-port-review')\" \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) # Default Security List with an EMPTY ingress array — admin invariant enforced by absence of rules. resource \"oci_core_default_security_list\" \"vcn_default\" { manage_default_resource_id = oci_core_vcn.app_prod.default_security_list_id # Egress: permit all (egress controls covered in oci-net-08). egress_security_rules { destination = \"0.0.0.0/0\" protocol = \"all\" } # Ingress: deliberately empty. No rule => no admit on this surface. } # Workload NSG — VNIC-scoped, can reference other NSGs as source. resource \"oci_core_network_security_group\" \"app_tier\" { compartment_id = var.workload_compartment_id vcn_id = oci_core_vcn.app_prod.id display_name = \"nsg-app-tier\" } resource \"oci_core_network_security_group\" \"bastion_tier\" { compartment_id = var.workload_compartment_id vcn_id = oci_core_vcn.app_prod.id display_name = \"nsg-bastion-tier\" } # SSH allowed ONLY from the bastion NSG — no 0.0.0.0/0 source possible. resource \"oci_core_network_security_group_security_rule\" \"ssh_from_bastion_nsg\" { network_security_group_id = oci_core_network_security_group.app_tier.id direction = \"INGRESS\" protocol = \"6\" # TCP source = oci_core_network_security_group.bastion_tier.id source_type = \"NETWORK_SECURITY_GROUP\" tcp_options { destination_port_range { min = 22 max = 22 } } description = \"SSH only from Bastion NSG; 0.0.0.0/0 ingress on admin ports is denied by absence\" } # Explicit deny-by-absence: NO rule with source = \"0.0.0.0/0\" on admin ports anywhere. 
# NSGs are allow-list; the deny is modelled by absence (documented in prose).</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-net-02-sl-nsg-no-admin\" \\ --display-name \"oci-net-02-sl-nsg-no-admin\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-net-02-sl-nsg-no-admin\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // NSG with NO admin-ingress from internet (SSH:22, RDP:3389 from 0.0.0.0/0 banned). 
const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const vcnOcid = cfg.require(\"vcnOcid\"); const bastionCidr = cfg.require(\"bastionCidr\"); // e.g., 10.0.99.0/24 const appNsg = new oci.core.NetworkSecurityGroup(\"app-tier-nsg\", { compartmentId: compartmentId, vcnId: vcnOcid, displayName: \"app-tier-no-admin-internet\", }); // SSH ingress: ONLY from bastion CIDR — never 0.0.0.0/0. const sshFromBastion = new oci.core.NetworkSecurityGroupSecurityRule(\"ssh-bastion-only\", { networkSecurityGroupId: appNsg.id, direction: \"INGRESS\", protocol: \"6\", // TCP source: bastionCidr, sourceType: \"CIDR_BLOCK\", tcpOptions: { destinationPortRange: { min: 22, max: 22 } }, description: \"SSH from bastion subnet only — explicit allow\", }); // RDP: not exposed at all on Linux app tier; if Windows tier exists, mirror the SSH pattern. // 0.0.0.0/0 ingress on any port to this NSG is rejected by Cloud Guard policy upstream. export const nsgOcid = appNsg.id; </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a | n/a | n/a | 2.1; 2.2 | SC-7(5); SC-7 | A.8.20; A.8.22 | CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' with eventName in (UpdateSecurityList, UpdateNetworkSecurityGroupSecurityRules) whose ingress rule payload contains the literal source CIDR 0.0.0.0/0 against destination ports 22 or 3389. NSG attachment events binding a public-internet-exposed NSG to a Compute instance in a workload compartment normally protected by Bastion-mediated access. VCN Flow Logs successful inbound flows to port 22 or 3389 from non-corporate source ASNs. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'core' and eventName in ('UpdateSecurityList', 'UpdateNetworkSecurityGroupSecurityRules') | eval body = data.request.payload | where body like '%\"source\":\"0.0.0.0/0\"%' and (body like '%\"destinationPortRange\":{\"min\":22%' or body like '%\"destinationPortRange\":{\"min\":3389%') | stats count by 'User Name', data.target.id, 'Compartment Name'</code> Security-list and NSG bodies are flat JSON; substring matching is sufficient for the canonical world-open-admin-port pattern. Alert threshold Any rule introducing 0.0.0.0/0 on TCP 22 or 3389 — page on first event; admin access from the open internet is a control-fence break. Inbound flow record on TCP 22 or 3389 from a non-corporate ASN — page; correlate with the rule history to identify the originating mutation. Initial response Revert the security list or NSG rules via Resource Manager to the last-known-good HCL; OCI accepts the change online and the new rule set takes effect immediately. Sample VCN Flow Logs across the exposure window for any matching inbound 22/3389 sessions; capture session 5-tuples for forensic export. If session data shows successful TCP handshakes, treat affected hosts as potentially compromised — snapshot the boot volume, isolate via NSG deny-all, and escalate per general/ir.html. References Oracle — security rules and network security groups (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-net-03-private-endpoint ! HIGH PREVENTIVE Front OCI managed-service instances — Autonomous Database, Object Storage (where supported), OKE control planes, FSS file systems, and other services that expose a Private Endpoint integration — with a Private Endpoint VNIC inside a private subnet of the workload VCN. 
The Private Endpoint allocates a Customer-VNIC inside a subnet you control, with a 10.x private IP that consuming workloads connect to instead of the service's public endpoint; the underlying managed-service instance has no exposed public surface in this configuration (Oracle Cloud Infrastructure — Private Endpoints documentation (accessed 2026-05)). The principle is reinforced in General Network — private connectivity: managed-service traffic that never traverses a public endpoint cannot be intercepted at a public endpoint, and the blast radius of a leaked tenancy admin credential does not include \"exfiltrate from any IP on the internet\". Anti-conflation with Service Gateway (oci-net-04): Private Endpoint is per-service-instance and creates an explicit private VNIC inside your subnet; Service Gateway is bulk regional routing to the Oracle Services Network and does not put a VNIC in your subnet. Choose PE when the workload needs CIDR-level reachability of a specific managed-service instance (for example, \"this app talks to this ADB only\"); choose SG when the workload needs broad reachability of the Oracle Services Network (for example, Object Storage from many subnets). Most production VCNs use both. Compartment-policy scope (oci-iam-08-policy-least-privilege) keeps the right groups able to use the Private Endpoint without giving them the ability to recreate it on a public address. MITIGATES: Exfiltration of data from OCI managed services via leaked credentials over the public internet — the managed-service instance has no public endpoint to reach from a compromised laptop or external host. ATTACK VECTOR: An Autonomous Database is provisioned on its default public mTLS endpoint with an ACL \"secured\" by client-IP allow-list. The ACL is later widened during a debugging exercise; a stolen wallet file plus the public hostname is enough to connect from any IP. 
Without a Private Endpoint, the data-plane attack surface is the public internet; with a Private Endpoint, the data-plane surface is only the workload VCN. BLAST RADIUS: Per managed-service instance: full table contents (ADB), full bucket contents (Object Storage), full cluster API plane (OKE) if a credential is leaked and the data plane is reachable from any IP. With a Private Endpoint and a private subnet, the blast radius is bounded by VCN reachability. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: provision the Autonomous Database with a Private Endpoint into a private subnet. oci db autonomous-database create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --db-name appprod \\ --display-name adb-app-prod \\ --cpu-core-count 2 \\ --data-storage-size-in-tbs 1 \\ --admin-password \"$ADB_ADMIN_PW\" \\ --subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --private-endpoint-label adb-app-prod-pe \\ --nsg-ids '[\"'\"$APP_NSG_OCID\"'\"]' \\ --is-mtls-connection-required true # Step 2: create a generic Private Endpoint for an OCI service inside the private subnet. oci network private-endpoint create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --display-name pe-managed-svc \\ --nsg-ids '[\"'\"$APP_NSG_OCID\"'\"]' # Step 3: confirm no public endpoint exists on the ADB. oci db autonomous-database get \\ --autonomous-database-id \"$ADB_OCID\" \\ --query 'data.\"private-endpoint\"'</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_database_autonomous_database\" \"app_prod\" { compartment_id = var.workload_compartment_id db_name = \"appprod\" display_name = \"adb-app-prod\" cpu_core_count = 2 data_storage_size_in_tbs = 1 admin_password = var.adb_admin_password # Private Endpoint placement — no public endpoint. 
subnet_id = oci_core_subnet.app_prod_private.id private_endpoint_label = \"adb-app-prod-pe\" nsg_ids = [oci_core_network_security_group.app_tier.id] is_mtls_connection_required = true } # Generic Private Endpoint for an OCI managed-service instance inside the private subnet. resource \"oci_dns_view\" \"private_pe_view\" { compartment_id = var.workload_compartment_id display_name = \"private-pe-view\" scope = \"PRIVATE\" }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-net-03-private-endpoint\" \\ --display-name \"oci-net-03-private-endpoint\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-net-03-private-endpoint\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0 CIS Microsoft Azure Foundations v6.0.0 CIS GCP Foundation v5.0.0 CIS OCI Foundation v3.1.0 NIST SP 800-53 rev5 ISO/IEC 27001:2022 ISO/IEC 27017:2015 n/a | n/a | n/a | 2.x (verify) | SC-7; AC-4 | A.8.20; A.8.22 | CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' with eventName in (DeletePrivateEndpoint, UpdatePrivateEndpoint) targeting any service private endpoint serving Autonomous Database, Vault, or Object Storage. Service-resource events that switch a managed service's network mode from PRIVATE to PUBLIC — surfaced as service-specific update events bearing a network-config attribute. Private DNS zone deletions that sever the FQDN binding the workload uses to address the private endpoint. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' in ('core', 'database', 'object-storage', 'kms') and eventName in ('DeletePrivateEndpoint', 'UpdatePrivateEndpoint', 'UpdateAutonomousDatabase', 'UpdateVault') | eval net_mode = data.request.payload.networkAccessType | where eventName like '%PrivateEndpoint' or net_mode = 'PUBLIC' | stats count by 'User Name', data.target.id, eventName, net_mode</code> Cross-service correlation is required because the private-endpoint surface is partly on core (the PE resource) and partly on individual service resources (the network-mode attribute). Alert threshold Any PrivateEndpoint delete or any service flipping networkAccessType to PUBLIC — page on first event. 
Private DNS zone deletion against a zone hosting endpoint FQDNs — page; the workload's reachability collapses on next DNS TTL expiry. Initial response Re-create the PrivateEndpoint via Resource Manager; the new endpoint may receive a different IP, so update the dependent DNS records and refresh consumer connection strings. Flip the service back to PRIVATE network mode via the service-specific update endpoint; downtime depends on the service (Autonomous DB rolls online; some services require restart). Verify VCN Flow Logs show traffic resumed to the new private IP and document the rebuild per general/ir.html. References Oracle — private access to OCI services (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-net-04-service-gateway ! HIGH PREVENTIVE Attach a Service Gateway to every workload VCN that needs to reach the Oracle Services Network — Object Storage, Autonomous Database control plane, OKE control plane, Container Registry, and the other OCI-managed services published in the regional Services Network — and route the matching service CIDR via the Service Gateway, not via a NAT Gateway or Internet Gateway. The Service Gateway forwards traffic over Oracle's backbone with no NAT and no exposure of the workload subnet to the public internet (Oracle Cloud Infrastructure — Service Gateway documentation (accessed 2026-05)). The route-table entry uses the symbolic destination all-<region>-services-in-oracle-services-network (or the narrower oci-<region>-object-storage for Object-Storage-only traffic) with the SGW as the network_entity_id. The principle is reinforced in General Network — egress control: traffic that does not need to traverse the public internet should not, both for confidentiality and for the egress-cost story. Anti-conflation with Private Endpoint (oci-net-03): Service Gateway is bulk regional routing — one SGW serves every workload in the VCN that needs to talk to the Oracle Services Network. 
Private Endpoint is per-managed-service-instance — one PE per ADB, one PE per FSS, and so on, each creating a VNIC in your subnet. SG does not put a VNIC in your subnet; PE does. Most production VCNs need both: PE for the specific managed-service instances the workload owns, SG for the broad \"this VCN talks to Object Storage and ADB control planes\" case. MITIGATES: Workload egress to OCI managed services traversing the public internet (or being routed via a NAT Gateway with associated public IP), exposing the traffic to interception or to the egress-cost surcharge, and putting Oracle Services Network reachability behind a public route. ATTACK VECTOR: A workload team configures Object Storage access from a private subnet by adding a NAT Gateway and a 0.0.0.0/0 route — the workload reaches Object Storage but its egress is now also reachable for any other destination, and traffic to Object Storage transits the public internet. A misconfigured Object Storage IAM policy then becomes an internet-facing exfiltration channel rather than a backbone-only one. BLAST RADIUS: Without SGW: every Object Storage / ADB / OCI-service request from the VCN traverses public infrastructure. With SGW: traffic to the Oracle Services Network stays on Oracle's backbone. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: discover the Services Network destination OCIDs for the current region. oci network service list --query 'data[*].{name:name, id:id}' --output table # Step 2: create the Service Gateway and bind it to the workload VCN. oci network service-gateway create \\ --compartment-id \"$NETWORK_COMPARTMENT_OCID\" \\ --vcn-id \"$VCN_OCID\" \\ --display-name sgw-app-prod \\ --services '[{\"service_id\":\"'\"$OCI_ALL_SERVICES_OCID\"'\"}]' # Step 3: update the private subnet route table to send Services-Network traffic via the SGW. 
oci network route-table update \\ --rt-id \"$PRIVATE_RT_OCID\" \\ --route-rules '[{ \"destination\": \"'\"$OCI_ALL_SERVICES_CIDR_LABEL\"'\", \"destinationType\": \"SERVICE_CIDR_BLOCK\", \"networkEntityId\": \"'\"$SGW_OCID\"'\", \"description\": \"Services Network via SGW; no public NAT\" }]' \\ --force</code> Re"},{"id":"oci/workloads.html","url":"oci/workloads.html","title":"OCI Workloads Hardening — Cloud Hardening Guide","breadcrumb":"Home OCI Workloads","description":"OCI workloads: Compute IMDSv2 enforcement, Bastion service, Container Registry image scanning + signing, Vulnerability Scanning Service hosts, Functions resource principals, OKE Workload Identity umbrella, image build pipeline, OS Management Hub patching.","body":"OCI Workloads Hardening Overview This page covers Oracle Cloud Infrastructure workload hardening across the surfaces that decide whether an attacker who lands code execution on a single OCI workload can pivot to credentials, sibling workloads, or the OCI control plane. Scope is the commercial OCI realms (OC1); OCI Government Cloud and dedicated-region tenancies inherit the same controls but expose realm-specific endpoints, region availability, and Identity Domains (formerly IDCS) federation constraints — re-verify region availability and the relevant docs.oracle.com realm-endpoint documentation before applying any of the IaC below to a sovereign or dedicated-region deployment. Workload surfaces covered: Compute Instances (VM and bare-metal shapes), Container Registry (image hosting plus image signing via OCI Vault keys), Container Engine for Kubernetes (OKE) in both Basic and Enhanced cluster tiers (billing/SLA axis, not a control-surface axis), Functions (FaaS authenticating via resource principals), DevOps build pipelines, and OS Management Hub (patch lifecycle management). 
CIS sub-IDs and NIST / ISO mappings throughout this page reference the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0 (accessed 2026-05) unless explicitly annotated as a post-v2.0.0 feature or a best-practice recommendation that the v2.0.0 benchmark has not yet codified; CIS published v3.1.0 in 2026 but this site cites v2.0.0 throughout the corpus for consistency with the locked compliance-table contract. The crosswalk page at compliance frameworks describes how the seven pinned framework columns relate to each other. One canonical-content cross-link to flag at the top, because authoring this page in isolation would otherwise duplicate ~1500 words of canonical material: secrets management for OCI Functions is documented on the General IAM — secrets management page, not here. The Phase 4 canonical-content rule (one canonical treatment per cross-cutting topic) is applied in oci-work-05: the control covers Functions resource-principal authentication and Vault secret retrieval at runtime, and cross-links to general/iam.html for the secrets-handling reference architecture rather than re-authoring it. The same pattern is mirrored on the AWS, Azure, and GCP sibling pages (aws-work-05, azure-work-05, gcp-work-05). Compartment hierarchy and instance / resource principal mechanics are owned canonically by oci-iam-06-instance-principals and oci-iam-07-compartment-hierarchy on the OCI IAM page; this page cross-references and does not re-author the canonical IAM model. Three anti-conflation callouts up front, because each pair gets conflated in audit reports and architecture reviews and the distinction matters for control design. First: instance principals vs resource principals. Instance principals authenticate Compute instances to OCI APIs via dynamic-group membership; the dynamic-group matching rule pins which instances may obtain the principal (typically by compartment OCID or by free-form tag). 
Resource principals extend the same model to non-Compute resources — Functions, API Gateway, OKE pods via instance principals on worker nodes, and a growing list of OCI managed services. Both are bound to dynamic groups; both eliminate user-API-keys-on-workloads. The canonical treatment lives at oci-iam-06-instance-principals; oci-work-05 on this page maps the model to Functions specifically. Second: OKE Basic vs OKE Enhanced clusters. Basic clusters lack the Oracle-managed control-plane SLA and the Cluster Add-on Management lifecycle features; Enhanced clusters add the SLA, add-on management, Virtual Nodes, and Workload Identity in its current GA shape. The control-surface — the hardening posture this page recommends (Workload Identity, private cluster endpoints, image signing, network policies, Bastion access) — is identical between tiers. Basic vs Enhanced is a billing and SLA axis, not a hardening axis. oci-work-06 is therefore authored as a single umbrella control covering both tiers, mirroring the umbrella decisions made for EKS / AKS / GKE on the AWS / Azure / GCP sibling pages. Third: OS Management Hub and the Vulnerability Scanning Service are complementary, not alternative. OS Management Hub (oci-work-08) is the patch deployment surface — managed-instance enrolment, software-source pinning (custom mirrors or vendor-default), and scheduled patch jobs that actually install packages on instances. The Vulnerability Scanning Service (VSS) — host scope on oci-work-04 and container-image scope on oci-work-03 — is the CVE detection surface that reports unpatched CVEs and open ports against benchmark baselines. The two services close a feedback loop: VSS detects, OS Management Hub remediates, the next VSS scan confirms. Treating either as a substitute for the other leaves either detection blind or remediation manual. Order matters. 
Controls 01–02 are foundational invariants for every Compute instance: IMDSv2 enforced (the SSRF-to-credentials kill-chain mitigation) and the OCI Bastion service as the remote-access plane (SSH-to-public-IP enumerated only to be ruled out). Controls 03–04 close the supply-chain and vulnerability-assessment loop: Container Registry image scanning, signing, and immutability at build time; VSS host scanning at runtime. Control 05 hardens Functions. Control 06 hardens OKE. Control 07 establishes signed-image provenance via the OCI DevOps build pipeline. Control 08 handles ongoing patch hygiene via OS Management Hub. The page is structured so a reader can skim 01–02 for the everyday Compute baseline, then dip into 03–08 by service area as needed. Equivalence callouts at the bottom of each control point at the matching control on the AWS, Azure, and GCP sibling pages. Resource Manager vs OSS Terraform: Using ORM? Variables are entered via Console UI (schema-driven by an optional schema.yaml); state is stored in OCI Object Storage automatically; no terraform.tfvars needed. Using OSS Terraform? Standard terraform.tfvars + local/remote state apply. Both paths use the same oracle/oci ~> 6.0 provider declared above. oci-work-01-instance-metadata-v2 ! CRITICAL PREVENTIVE Configure every Compute instance with IMDSv2 enforced by setting are_legacy_imds_endpoints_disabled = true in the instance's instance_options block — at both launch time and as a remediation on existing instances. The OCI Instance Metadata Service v2 requires a session token obtained via an authenticated PUT before any GET to 169.254.169.254/opc/v2/ will return credentials or metadata; the legacy v1 surface accepts unauthenticated GETs and is the SSRF-exploitable path (Oracle Cloud Infrastructure — Instance Metadata Service v2 (accessed 2026-05)). Disabling the legacy endpoints turns the metadata service into a token-required surface that an unauthenticated SSRF reflection cannot drive. 
PITFALL: a Compute instance that obtains an instance principal via dynamic-group membership inherits the same kill-chain risk as an AWS instance-role identity; SSRF reflection against IMDSv1 hands the attacker an instance-principal session token that the workload's compartment-scoped IAM policy may have generously authorised. Mirrors AWS aws-work-01-imdsv2-mandatory, Azure Trusted Launch at azure-work-01-trusted-launch, and GCP gcp-work-01-shielded-vm — all CRITICAL PREVENTIVE across providers because the SSRF-to-credentials path is the highest-leverage Compute misconfiguration. The principle traces back to General Workloads — runtime security: never let a workload's network position alone determine its identity strength. MITIGATES: SSRF-to-credentials kill chain — an attacker who lands an SSRF bug in any internet-facing or LAN-facing service on a Compute instance steals the instance principal's session token from the metadata endpoint and pivots to whatever the dynamic-group policy authorises (read Object Storage, manage Vault keys, invoke Functions, call IAM enumeration APIs). ATTACK VECTOR: A workload-tier HTTP service has an SSRF bug in a URL-fetching feature that accepts arbitrary GET targets. The attacker supplies http://169.254.169.254/opc/v1/instance/. On a legacy-IMDS-enabled instance, the v1 endpoint returns instance metadata including the workload's dynamic-group-bound principal credentials via the security_credentials sub-tree; on an IMDSv2-only instance, the GET fails because no session token was obtained. The pattern is the OCI analog of the 2019 Capital One IMDSv1 breach on AWS. Compounds when the workload's dynamic group is over-broadly scoped (compartment-wide rather than instance-OCID-specific). BLAST RADIUS: Per instance: an instance with are_legacy_imds_endpoints_disabled = true denies credential theft via SSRF reflection on that instance. 
With a compartment-level instance configuration default plus an audit query for non-compliant instances, the property becomes a tenancy-wide invariant: every new instance is forced IMDSv2-only at create time. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Enforce IMDSv2-only on an existing instance. oci compute instance update \\ --instance-id \"$INSTANCE_OCID\" \\ --instance-options '{\"areLegacyImdsEndpointsDisabled\": true}' \\ --force # Launch a new instance with IMDSv2-only from the start. oci compute instance launch \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --availability-domain \"$AD\" \\ --shape \"VM.Standard.E4.Flex\" \\ --shape-config '{\"ocpus\": 2, \"memoryInGBs\": 16}' \\ --image-id \"$IMAGE_OCID\" \\ --subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --assign-public-ip false \\ --instance-options '{\"areLegacyImdsEndpointsDisabled\": true}' # Audit: list instances still allowing IMDSv1 (legacy endpoints enabled). oci search resource structured-search \\ --query-text \"query instance resources where (lifecycleState = 'RUNNING')\" \\ --output json \\ | jq -r '.data.items[] | .identifier' \\ | while read -r oid; do legacy=$(oci compute instance get --instance-id \"$oid\" --query 'data.\"instance-options\".\"are-legacy-imds-endpoints-disabled\"' --raw-output) [ \"$legacy\" = \"false\" ] && echo \"LEGACY-IMDS: $oid\" done</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_core_instance\" \"app_prod\" { compartment_id = var.workload_compartment_id availability_domain = data.oci_identity_availability_domain.ad.name shape = \"VM.Standard.E4.Flex\" display_name = \"vm-app-prod-01\" shape_config { ocpus = 2 memory_in_gbs = 16 } source_details { source_type = \"image\" source_id = var.hardened_image_ocid } create_vnic_details { subnet_id = oci_core_subnet.app_prod_private.id assign_public_ip = false nsg_ids = 
[oci_core_network_security_group.app_tier.id] } # IMDSv2 enforced: legacy v1 endpoint is unreachable; SSRF reflection cannot # obtain a session token because most SSRF payloads can only emit GETs. instance_options { are_legacy_imds_endpoints_disabled = true } agent_config { is_management_disabled = false is_monitoring_disabled = false plugins_config { name = \"Vulnerability Scanning\" desired_state = \"ENABLED\" } plugins_config { name = \"OS Management Hub Agent\" desired_state = \"ENABLED\" } } } # Instance configuration default — every instance launched via this configuration # inherits IMDSv2-only without each launch having to remember the toggle. resource \"oci_core_instance_configuration\" \"hardened_default\" { compartment_id = var.workload_compartment_id display_name = \"ic-hardened-default\" instance_details { instance_type = \"compute\" launch_details { compartment_id = var.workload_compartment_id shape = \"VM.Standard.E4.Flex\" instance_options { are_legacy_imds_endpoints_disabled = true } } } }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-work-01-instance-metadata-v2\" \\ --display-name \"oci-work-01-instance-metadata-v2\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). 
STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-work-01-instance-metadata-v2\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Remediation — Pulumi (TypeScript) <code class=\"language-typescript\">import * as pulumi from \"@pulumi/pulumi\"; import * as oci from \"@pulumi/oci\"; // Compute instance with IMDSv2-only metadata access (IMDSv1 disabled). const cfg = new pulumi.Config(); const compartmentId = cfg.require(\"compartmentOcid\"); const subnetOcid = cfg.require(\"subnetOcid\"); const imageOcid = cfg.require(\"imageOcid\"); const sshAuthorizedKeys = cfg.require(\"sshAuthorizedKeys\"); const hardenedInstance = new oci.core.Instance(\"hardened-vm\", { compartmentId: compartmentId, availabilityDomain: cfg.require(\"availabilityDomain\"), shape: \"VM.Standard.E5.Flex\", shapeConfig: { ocpus: 2, memoryInGbs: 16 }, displayName: \"hardened-vm-imdsv2\", sourceDetails: { sourceType: \"image\", sourceId: imageOcid, }, createVnicDetails: { subnetId: subnetOcid, assignPublicIp: \"false\", }, metadata: { ssh_authorized_keys: sshAuthorizedKeys, }, instanceOptions: { areLegacyImdsEndpointsDisabled: true, // IMDSv1 OFF — IMDSv2 only }, // Trusted launch surrogate: Secure Boot + Measured Boot via plain shielded-instance config. 
platformConfig: { type: \"AMD_VM\", isSecureBootEnabled: true, isMeasuredBootEnabled: true, isTrustedPlatformModuleEnabled: true, }, }); export const instanceOcid = hardenedInstance.id; </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: 5.x (verify) | NIST SP 800-53 rev5: AC-3; CM-7; SC-8 | ISO/IEC 27001:2022: A.8.20; A.8.25 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'compute' with eventName = 'LaunchInstance' whose payload sets instanceOptions.areLegacyImdsEndpointsDisabled = false. Existing-instance update events (UpdateInstance) flipping the legacy-IMDS option back on for an instance previously locked to v2-only. Cloud Guard problems of type InstanceMetadataV1Enabled against the tenancy's Compute inventory. Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'compute' and eventName in ('LaunchInstance', 'UpdateInstance') | eval legacy_enabled = if(data.request.payload.instanceOptions.areLegacyImdsEndpointsDisabled = 'false', 'YES', 'NO') | where legacy_enabled = 'YES' | stats count by 'User Name', data.target.instance.id, eventName</code> The IMDS-v2-only enforcement is a single boolean on each instance; v1 endpoint exposure is the OCI analogue of the EC2 IMDSv1 pivot risk. Alert threshold Any new or updated instance running with legacy IMDS endpoints enabled — page on first event. Cloud Guard InstanceMetadataV1Enabled problem severity HIGH on a production-tagged instance — page. Initial response Update the instance to disable legacy IMDS endpoints via oci compute instance update --instance-options '{\"areLegacyImdsEndpointsDisabled\":true}' — OCI applies the change without reboot. 
For new launches drifted from baseline, reconcile the launch template (Compute instance configuration) via Resource Manager so subsequent launches inherit v2-only enforcement. Audit instance-principal token issuance for the affected instances across the drift window; rotate any downstream secrets that may have been fetched via the legacy endpoint. References Oracle — OCI instance metadata service (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-work-02-bastion-service ! HIGH PREVENTIVE Operators reach workload Compute instances via the OCI Bastion service, which provisions per-session, time-limited SSH sessions (or managed port-forwarding sessions for non-SSH services such as Oracle Database 1521 or RDP 3389) to target instances that have no public IP; sessions are audited in the OCI Audit service, ephemeral SSH key pairs are bound to the session, and the session TTL is capped at 3 hours with explicit renewal required for longer access windows (Oracle Cloud Infrastructure — Bastion Service overview (accessed 2026-05)). The Bastion attaches to a target subnet in your VCN, applies a client-CIDR allow-list (so only operator-network IPs can initiate sessions), and uses Oracle-managed infrastructure to bridge to the target — no public IPs, no open SSH listener on the workload itself, no long-lived SSH key material on disk to compromise. SSH-to-public-IP is an anti-pattern, not an alternative. Putting a public IP on a workload instance and opening TCP 22 to 0.0.0.0/0 on a Security List or NSG exposes the instance to unauthenticated network scanning and SSH brute-force; even with public-key-only authentication and Fail2ban, the attack surface is the SSH daemon itself and the daemon's TLS / SSH-protocol implementation, not just the password layer. 
The Bastion service is the default; SSH-to-public-IP is documented here only to be ruled out — this control continues the same anti-pattern enumeration started on oci-net-02 (which denies 0.0.0.0/0 on TCP 22 at the firewall layer regardless of whether the workload has a public IP). HIGH PREVENTIVE because the Bastion is the structural fix for the entire class of \"operator opens TCP 22 to debug something\" misconfigurations; mirrors AWS Session Manager (aws-work-02), Azure JIT Bastion (azure-work-02), and GCP OS Login + IAP (gcp-work-02). The principle traces back to General Workloads — runtime security: never make the workload's SSH daemon the perimeter. MITIGATES: Internet-facing SSH brute force and pre-authentication SSH-daemon CVEs against workload instances; long-lived SSH key compromise (when a developer laptop is stolen the keys cannot reach instances directly); blast radius of stolen operator keys. ATTACK VECTOR: A workload team needs to debug a production instance and adds an ingress rule \"temporarily\" allowing TCP 22 from 0.0.0.0/0 on the instance's NSG. Within minutes, distributed brute-force traffic from compromised residential IPs begins probing the SSH daemon. Even with public-key-only authentication, a pre-authentication CVE in sshd (CVE-2024-6387 regreSSHion in OpenSSH 8.5p1–9.7p1 is the most recent canonical case) turns the open port into unauthenticated remote code execution on the workload. The Bastion service makes this attack class structurally impossible because no inbound TCP 22 is ever opened on the workload's NSG. BLAST RADIUS: Per session: a Bastion session is scoped to one target resource, one OS user, one ephemeral SSH key, and one TTL (max 3 hours). Across the tenancy: enforcing the invariant \"no Compute instance carries a public IP\" via subnet-level prohibit_public_ip_on_vnic = true plus a deny on TCP 22 from 0.0.0.0/0 on every NSG turns Bastion into the only viable interactive access path. 
Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create a Standard Bastion attached to a private workload subnet. oci bastion bastion create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --bastion-type STANDARD \\ --target-subnet-id \"$PRIVATE_SUBNET_OCID\" \\ --client-cidr-block-allow-list '[\"10.0.0.0/8\",\"192.0.2.0/24\"]' \\ --max-session-ttl-in-seconds 10800 \\ --name bastion-app-prod # Step 2: create a managed SSH session against a target Compute instance. oci bastion session create \\ --bastion-id \"$BASTION_OCID\" \\ --display-name dev-session-2026-05-23 \\ --session-ttl-in-seconds 10800 \\ --key-details '{\"publicKeyContent\":\"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... ops@bastion\"}' \\ --target-resource-details '{ \"sessionType\": \"MANAGED_SSH\", \"targetResourceId\": \"'\"$INSTANCE_OCID\"'\", \"targetResourceOperatingSystemUserName\": \"opc\", \"targetResourcePort\": 22 }' # Step 3: connect (the bastion returns an ssh ProxyCommand string at session-create time). ssh -i ~/.ssh/ephemeral_ed25519 \\ -o ProxyCommand=\"ssh -W %h:%p -p 22 $SESSION_OCID@host.bastion.$REGION.oci.oraclecloud.com\" \\ -p 22 opc@\"$INSTANCE_PRIVATE_IP\" # Audit: any session activity is in the Audit service (eventName=session.create). 
oci audit event list \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --start-time \"$(date -u -d '-7 days' '+%Y-%m-%dT%H:%M:%SZ')\" \\ --end-time \"$(date -u '+%Y-%m-%dT%H:%M:%SZ')\" \\ --query 'data[?contains(\"event-name\", `Session`)].[(\"event-time\"),\"event-name\",(\"user-name\")]' \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_bastion_bastion\" \"app_prod\" { compartment_id = var.workload_compartment_id bastion_type = \"STANDARD\" target_subnet_id = oci_core_subnet.app_prod_private.id client_cidr_block_allow_list = [\"10.0.0.0/8\", \"192.0.2.0/24\"] max_session_ttl_in_seconds = 10800 # 3 hours; the Bastion service hard cap name = \"bastion-app-prod\" freeform_tags = { \"purpose\" = \"operator-access\" \"owner\" = \"platform-security\" } } # Per-session resource — typically driven by a just-in-time access tool, not # baked into the static Terraform state. Shown here for completeness. resource \"oci_bastion_session\" \"dev_session\" { bastion_id = oci_bastion_bastion.app_prod.id display_name = \"dev-session-${formatdate(\"YYYY-MM-DD\", timestamp())}\" session_ttl_in_seconds = 10800 key_details { public_key_content = var.operator_ephemeral_ssh_pubkey } target_resource_details { session_type = \"MANAGED_SSH\" target_resource_id = oci_core_instance.app_prod.id target_resource_operating_system_user_name = \"opc\" target_resource_port = 22 } } # NSG rule on the workload tier: SSH only from the Bastion service's managed # infrastructure (the Bastion injects its source addresses at session create). # The deny on 0.0.0.0/0 TCP 22 is enforced by absence — see oci-net-02.</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. 
Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-work-02-bastion-service\" \\ --display-name \"oci-work-02-bastion-service\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-work-02-bastion-service\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: (best-practices) | NIST SP 800-53 rev5: AC-17; AC-17(3); AU-2 | ISO/IEC 27001:2022: A.8.5; A.8.15 | ISO/IEC 27017:2015: CLD.9.5.1 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'bastion' with eventName = 'CreateSession' whose targetResourcePrivateIpAddress falls outside the bastion's documented target-CIDR allow-list. Bastion resource update events that widen clientCidrBlockAllowList beyond the corporate VPN CIDR. Session-duration audit events where sessionTtlInSeconds exceeds the documented 3-hour cap. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'bastion' and eventName in ('CreateSession', 'UpdateBastion') | eval wide_client = if(data.request.payload.clientCidrBlockAllowList like '%0.0.0.0/0%', 'YES', 'NO') | eval long_ttl = if(data.request.payload.sessionTtlInSeconds > 10800, 'YES', 'NO') | where wide_client = 'YES' or long_ttl = 'YES' | stats count by 'User Name', data.target.bastion.id, eventName</code> Bastion session events name the requesting principal, the target IP, and the session TTL — all three are inputs to the policy decision. Alert threshold Any Bastion resource update extending clientCidrBlockAllowList to 0.0.0.0/0 — page. Session TTL configured above 10 800 seconds (3 hours) on a production-tagged bastion — page. Initial response Restore the bastion's client_cidr_block_allow_list to the corporate-VPN CIDR via Resource Manager; OCI applies the change online to new sessions. Terminate any active sessions originating outside the corporate VPN CIDR via oci bastion session delete. Audit the bastion's session log archive for any session that originated outside the documented client-CIDR during the widened-allow-list window and document per general/ir.html. References Oracle — OCI Bastion service (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-work-03-image-scanning ! 
HIGH DETECTIVE Every Container Registry (OCIR) repository that backs a production workload must satisfy three independent requirements: (1) repository immutability via is_immutable = true so that a published tag cannot be overwritten with new bytes after publication (preserves the bytes-to-name binding the rest of the supply chain assumes), (2) vulnerability scanning via a Vulnerability Scanning Service container scan recipe that scans on push and on a recurring schedule, surfacing OS-package CVEs and language-runtime CVEs in the pushed image layers, and (3) image signing via an OCI Vault key, producing an attestation object that oci-work-06 (the OKE image policy) verifies at admission time (Oracle Cloud Infrastructure — Container Registry (accessed 2026-05)). Immutability without scanning lets vulnerable images through; scanning without immutability lets an attacker who compromises the build pipeline overwrite a signed-and-scanned tag with a backdoored layer; signing without scanning attests bytes that may carry critical CVEs. The three controls compose — none of the three on its own is sufficient. HIGH DETECTIVE because VSS scans surface unsafe state after publication; oci-work-07 (signed build pipeline) and oci-work-06 (admission policy that requires signed images) are the paired PREVENTIVE controls that turn detection into enforcement. Mirrors AWS ECR scan-on-push (aws-work-03), Azure Container Registry scanning (azure-work-03), and GCP Artifact Registry scanning (gcp-work-03). The principle traces back to General Workloads — supply chain: every artifact promoted to production must carry both a scan record and a signature whose root of trust the cluster verifies. MITIGATES: Deployment of container images with known critical CVEs in OS packages or language runtimes; supply-chain swap where an attacker who compromises the build pipeline overwrites a previously-signed tag with backdoored bytes; promotion of unscanned images to production via misconfigured CI. 
ATTACK VECTOR: A workload team pushes a base image built on an unpatched oraclelinux:8 that carries critical CVEs in glibc and openssl. Without scan-on-push, the image lands in OCIR and the OKE deployment that references it goes live carrying the CVE. Two months later, a public PoC for one of the CVEs is published; the workload is now exploitable. Compounds when an attacker who compromises the CI service account in the workload compartment overwrites the :latest or even :v1.2.3 tag with a backdoored layer — without is_immutable = true, the published bytes change beneath consumers. Compounds further when the OKE cluster has no image-policy admission, so even a signed-image baseline can be bypassed by referencing the new mutable bytes. BLAST RADIUS: Per repository: scanning + immutability + signing turn one OCIR repository into a verifiable supply-chain source. Across the tenancy: a baseline applied to every production repository plus an OKE admission policy that rejects unsigned images turns image hygiene into a tenancy-wide invariant. Remediation — OCI CLI <code class=\"language-bash\"># oci CLI (v3.x) # Step 1: create an immutable Container Registry repository. oci artifacts container-repository create \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --display-name prod-images-app \\ --is-immutable true \\ --is-public false # Step 2: create a VSS container scan recipe with standard scan level (OS + lang CVEs). oci vulnerability-scans container-scan-recipe create \\ --compartment-id \"$SECURITY_COMPARTMENT_OCID\" \\ --display-name csr-prod-images \\ --scan-settings '{\"scanLevel\":\"STANDARD\"}' # Step 3: bind the recipe to the target repository (container scan target). 
oci vulnerability-scans container-scan-target create \\ --compartment-id \"$SECURITY_COMPARTMENT_OCID\" \\ --display-name cst-prod-images \\ --container-scan-recipe-id \"$CSR_OCID\" \\ --target-registry '{ \"type\":\"OCIR\", \"compartmentId\":\"'\"$WORKLOAD_COMPARTMENT_OCID\"'\", \"repositoryId\":\"'\"$REPO_OCID\"'\" }' # Step 4: sign a pushed image with an OCI Vault key (post-push, pre-deploy). oci artifacts container-image-signature sign-upload \\ --compartment-id \"$WORKLOAD_COMPARTMENT_OCID\" \\ --image-id \"$IMAGE_OCID\" \\ --kms-key-id \"$VAULT_KEY_OCID\" \\ --kms-key-version-id \"$VAULT_KEY_VERSION_OCID\" \\ --signing-algorithm SHA_512_RSA_PKCS_PSS \\ --description \"release v1.2.3\" # Audit: list scan results above CRITICAL for the repository. oci vulnerability-scans container-scan-result list \\ --compartment-id \"$SECURITY_COMPARTMENT_OCID\" \\ --container-scan-target-id \"$CST_OCID\" \\ --highest-problem-severity CRITICAL \\ --output table</code> Remediation — Terraform <code class=\"language-hcl\"># Terraform OCI provider ~> 5.0 # Source: Oracle Cloud docs (accessed 2026-05) resource \"oci_artifacts_container_repository\" \"prod_images\" { compartment_id = var.workload_compartment_id display_name = \"prod-images-app\" # Immutability: a published tag cannot be overwritten. Backdoor-swap defence. is_immutable = true is_public = false readme { content = \"Production application images. Immutable; scanned by VSS; signed via Vault key.\" format = \"text/markdown\" } } # Vault key dedicated to image-signing — distinct from data-encryption keys # so its policy can be tightly scoped (sign-only for the CI principal). 
resource \"oci_kms_key\" \"image_signing\" { compartment_id = var.security_compartment_id display_name = \"key-image-signing-app\" management_endpoint = data.oci_kms_vault.security.management_endpoint protection_mode = \"HSM\" key_shape { algorithm = \"RSA\" length = 512 # 4096-bit RSA for signing } } # VSS container scan recipe — STANDARD scan level covers OS + language CVEs. resource \"oci_vulnerability_scans_container_scan_recipe\" \"prod\" { compartment_id = var.security_compartment_id display_name = \"csr-prod-images\" scan_settings { scan_level = \"STANDARD\" } } resource \"oci_vulnerability_scans_container_scan_target\" \"prod\" { compartment_id = var.security_compartment_id display_name = \"cst-prod-images\" container_scan_recipe_id = oci_vulnerability_scans_container_scan_recipe.prod.id target_registry { type = \"OCIR\" compartment_id = var.workload_compartment_id repository_id = oci_artifacts_container_repository.prod_images.id } } # Image signature — typically created by the CI pipeline post-push, not in # static Terraform state. Shape shown here for the build_spec to model. resource \"oci_artifacts_container_image_signature\" \"release_v123\" { compartment_id = var.workload_compartment_id image_id = var.published_image_ocid kms_key_id = oci_kms_key.image_signing.id kms_key_version_id = var.image_signing_key_version_ocid signing_algorithm = \"SHA_512_RSA_PKCS_PSS\" signature = var.precomputed_signature_b64 message = var.signing_message_b64 description = \"release v1.2.3\" }</code> Remediation — OCI Resource Manager <code class=\"language-bash\"># Submit the Terraform block above to OCI Resource Manager via a configured # Git source-provider. Variables are entered through the Console UI (schema-driven # by an optional schema.yaml); state is stored in OCI Object Storage automatically. # This is an INVOCATION snippet — the .tf body is the existing Terraform block # on this same control-box (do NOT duplicate HCL here). 
oci resource-manager stack create-from-git-provider \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --config-source-provider-id \"$CONFIG_SRC_PROVIDER_OCID\" \\ --repository-url \"https://example.com/org/hardening-iac\" \\ --branch-name \"main\" \\ --working-directory \"modules/oci-work-03-image-scanning\" \\ --display-name \"oci-work-03-image-scanning\" \\ --terraform-version \"1.5.x\" # Plan + apply via the ORM job lifecycle (state stored in OCI automatically). STACK_OCID=$(oci resource-manager stack list \\ --compartment-id \"$COMPARTMENT_OCID\" \\ --display-name \"oci-work-03-image-scanning\" \\ --query 'data[0].id' --raw-output) PLAN_JOB_OCID=$(oci resource-manager job create-plan-job \\ --stack-id \"$STACK_OCID\" --query 'data.id' --raw-output) oci resource-manager job create-apply-job \\ --stack-id \"$STACK_OCID\" \\ --execution-plan-strategy FROM_PLAN_JOB \\ --execution-plan-job-id \"$PLAN_JOB_OCID\" </code> Compliance mapping CIS AWS Foundations v7.0.0: n/a | CIS Microsoft Azure Foundations v6.0.0: n/a | CIS GCP Foundation v5.0.0: n/a | CIS OCI Foundation v3.1.0: (best-practices) | NIST SP 800-53 rev5: RA-5; SI-3; SA-11 | ISO/IEC 27001:2022: A.8.8; A.8.29 | ISO/IEC 27017:2015: CLD.12.4.5 Log signals OCI Logging Analytics records where 'Log Source' = 'OCI Audit Logs' and 'Service Name' = 'artifacts' with eventName in (UpdateContainerRepository, UpdateContainerImageSignature) toggling repository-level vulnerability scanning off. OCIR image-push events emitting a digest absent from the corresponding signed-digest inventory — surfaces unsigned-image regressions. Vulnerability Scanning Service (VSS) report events showing CRITICAL CVE counts greater than zero on images currently referenced by OKE deployments. 
Query <code class=\"language-sql\">'Log Source' = 'OCI Audit Logs' and 'Service Name' in ('artifacts', 'vulnerability-scanning') and eventName in ('UpdateContainerRepository', 'CreateContainerImageSignature', 'PutContainerImage') | eval scan_off = if(data.request.payload.isImmutable = 'false' or data.request.payload.scanningEnabled = 'false', 'YES', 'NO') | where scan_off = 'YES' | stats count by 'User Name', data.target.repository.name, eventName</code> Pair the audit-side gate with a periodic VSS report-list scan via oci vulnerability-scanning host-scan-target list for container-image targets. Alert threshold Any OCIR repository where scanning or signature requirement is disabled — page. VSS report containing one or more CRITICAL CVEs against an image currently deployed in OKE — page within the SLA window for critical-severity vulnerabilities. Initial response Re-enable repository scanning and signing requirement via Resource Manager; OCIR runs the next scan within minutes. For deployed images carrying CRITICAL CVEs, schedule a rolling redeploy onto a freshly built image with the patch applied; OKE supports surge updates that keep the workload available throughout. Brief the workload team on the scan policy and update the vulnerability-management dashboard per general/ir.html. References Oracle — OCI Container Registry (accessed 2026-05) Cross-provider equivalence: AWS · Azure · GCP Equivalent on: AWS · Azure · GCP oci-work-04-vulnerability-scanning ! HIGH DETECTIVE Every Compute instance in a workload compartment is enrolled in a Vulnerability Scanning Service host scan recipe that reports OS-package CVEs, open ports relative to the workload's expected listening posture, and CIS-benchmark compliance against the instance's OS family. 
The recipe runs the Oracle-managed scanner agent inside the instance (enrolled via the Compute agent's Vulnerability Scanning plugin set to ENABLED — see the agent_config block in oci-work-01's Terraform) plus optional port-scan and benchmark sub-scans (Oracle Cloud Infrastructure — Vulnerability Scanning Service (accessed 2026-05)). Findings feed back into OS Management Hub (oci-work-08) which is the remediation surface that actually applies patches via scheduled jobs, closing the detect-then-remediate loop. Scope distinction (anti-conflation): this control is workload-level host scanning — the per-instance Compute hardening surface that pairs with the per-image container scanning surface on oci-work-03. Both surfaces are powered by the same Vulnerability Scanning Service but operate on different artefact types (running OS image vs published container image). HIGH DETECTIVE because absence of host scanning means CVE drift on long-running instances goes unnoticed until exploitation; the remediation pair is OS Management Hub. Mirrors AWS Inspector for EC2 (aws-work-04), Azure Defender for Servers (azure-work-04), and GCP VM Manager (gcp-work-04). The principle traces back to General Workloads — patch management: detection + remediation are paired controls, never substitutes. MITIGATES: CVE drif"},{"id":"search.html","url":"search.html","title":"Search — Cloud Hardening Guide","breadcrumb":"Home Search","description":"Full-text search across the Cloud Hardening Guide — controls, services, compliance mappings.","body":"Search Query Type a control name, cloud service, or compliance term. Results update as you type. Search query Search Results Enter a query to see results. About this search This search runs entirely in your browser using a pre-built index (js/search-index.json). No queries leave your machine. The index covers all 43 pages of the Cloud Hardening Guide and is rebuilt by running node build/make-index.js from the project root. 
If JavaScript is disabled <div class=\"callout-warning\"> <p><strong>Search requires JavaScript.</strong> Browse the full site without JavaScript:</p> <ul> <li><a href=\"compliance-matrix.html\">Compliance Matrix</a> — every control across all four providers, sortable + filterable (works without JS for read-only viewing)</li> <li><a href=\"general/index.html\">General Cloud Security</a> — site hub linking to all domain pages</li> <li><a href=\"index.html\">Home</a> — provider entry points</li> </ul> </div>"}]}