10 May 2021 - Rule Update Notice
Custom Policy Updates
The custom policy has been updated to version 1.29 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:
- ECR-004: Check for ECR Lifecycle Policy Usage
Ensure there is a lifecycle policy defined for each Amazon ECR image repository in order to automatically remove untagged and old container images.
- ECS-003: Check for Amazon ECS Service Placement Strategy
Ensure that your Amazon ECS cluster services are using optimal placement strategies.
- IAM-067: Approved ECS Execute Command Access
Ensure that all access to the ECS Execute Command action is approved. This rule will provide additional governance and oversight for the recently launched Amazon ECS Exec feature.
- Route53-012: Enable DNSSEC Signing for Route53 Hosted Zone
Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 public hosted zones in order to protect your domains against spoofing and cache poisoning attacks.
- VirtualMachines-034: Enable Autoscale Notifications
Ensure that email or webhook-based alert notifications are enabled for your Microsoft Azure virtual machine scale sets in order to get notified for successful or failed autoscale actions.
- VirtualMachines-035: Remove Old Virtual Machine Disk Snapshots
Identify old virtual machine disk snapshots so that they can be removed in order to optimize cloud costs.
- RDS-029: RDS Event Notifications
Checks will no longer be generated for accounts with no RDS resources.
- S3-025: S3 Buckets Encrypted with Customer-Provided CMKs
This rule will now exclude server access log buckets, and no check(s) will be generated when these are present.
- S3-011: S3 Bucket Logging Enabled
This rule will no longer show checks for buckets that are the recipient of server access logs.
- Route53-011: Dangling DNS Records
Enabled exceptions based on the hosted zone's tags or ID in the rule configuration.
- Route53-009: Add exceptions
Added support for configuring a safelist of user ARNs for this rule, so that no checks will be produced for user ARNs added to the safelist.
- IAM-036: AWS IAM Users with Admin Privileges
This rule now supports exceptions based on tags and resource IDs.
- S3-003: S3 Bucket Public 'WRITE' ACL Access
Updated the title and description to sync up with the rule functionality.
- GCP Content Update
New knowledge base articles for GCP best practices. Rules are not available in Conformity yet. They are coming soon.
- S3-026: Enable S3 Block Public Access for S3 Buckets
Checks now return the appropriate region instead of ‘global’.