Table of contents

10 May 2021 - Rule Update Notice

Custom Policy Updates

The custom policy has been updated to version 1.29 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. route53:GetDNSSEC
  2. ecr:GetLifecyclePolicy
  3. ecs:ListClusters
  4. ecs:ListServices
  5. ecs:DescribeServices

Click here to access the new Custom Policy.

New Rules


  1. ECR-004: Check for ECR Lifecycle Policy Usage
    Ensure there is a lifecycle policy defined for each Amazon ECR image repository in order to automatically remove untagged and old container images
  2. ECS-003: Check for Amazon ECS Service Placement Strategy
    Ensure that your Amazon ECS cluster services are using optimal placement strategies
  3. IAM-067: Approved ECS Execute Command Access
    Ensure that all access to the ECS Execute Command action is approved. This rule will provide additional governance and oversight for the recently launched Amazon ECS Exec feature.
  4. Route53-012: Enable DNSSEC Signing for Route53 Hosted Zone
    Ensure that Domain Name System Security Extensions (DNSSEC) signing is enabled for your Amazon Route 53 Public hosted zones in order to protect your domains against spoofing and cache poisoning attacks.


  1. VirtualMachines-034: Enable Autoscale Notifications
    Ensure that email or webhook-based alert notifications are enabled for your Microsoft Azure virtual machine scale sets in order to get notified for successful or failed autoscale actions.
  2. VirtualMachines-035: Remove Old Virtual Machine Disk Snapshots
    Identify old virtual machine disk snapshots so that they can be removed in order to optimize cloud costs.

Rule Updates

  1. RDS-029: RDS Event Notifications.
    Checks will no longer be generated for accounts with no RDS resources.
  2. S3-025: S3 Buckets Encrypted with Customer-Provided CMKs
    This rule will now exclude server access log buckets and no check (s) will be generated when these are present.
  3. S3-011: S3 Bucket Logging Enabled
    This rule will no longer show checks for buckets which are the recipient of server access logs.
  4. Route53-011: Dangling DNS Records
    Enabled exceptions based on Hosted Zone's tags or ID in the rule configuration.
  5. *Route53-009: Add exceptions
    Added support to allow safelist of user ARNs to be configured for this rule so that no checks will be produced for User ARNs added to the safelist.
  6. IAM-036 - AWS IAM Users with Admin Privileges
    This rule now supports exceptions based on tags and resource ids.
  7. S3-003 - S3 Bucket Public 'WRITE' ACL Access
    Updated the title and description to sync up with the rule functionality.
  8. GCP Content Update
    New knowledge base articles for GCP best practices. Rules are not available in Conformity yet. They are coming soon.

Bug Fixes

  1. S3-026: Enable S3 Block Public Access for S3 Buckets
    Checks now return the appropriate region instead of ‘global’.