14 December 2020 - Rule Update Notice

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment and hence no user action required. The current custom policy version is 1.21.

In addition to the following Rules, we will be deploying exciting new Rules on 16 December 2020. Although you will not receive a separate pre-release notification, we will send you a release notification once the Rules have been deployed on 16 December.

The new Rules will only be available when you update to the new custom policy version, provided with the release notice on 16 December.

New Rules

  1. ActivityLog-026: Create Alert for "Delete MySQL Database" Events
    This Rule ensures that an activity log alert is created for "Delete MySQL Database" events.
  2. ActivityLog-025: Create Alert for "Create/Update MySQL Database" Events
    This Rule ensures that an activity log alert is created for “Create/Update MySQL Database” events.
  3. VirtualMachines-023: Enable Accelerated Networking for Virtual Machines
    This Rule ensures that the Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs.
  4. VirtualMachines-024: Enable Performance Diagnostics for Azure Virtual Machines
    This rule ensures that Azure virtual machines are configured to use the Performance Diagnostics tool.
  5. VirtualMachines-025: Check for Empty Virtual Machine Scale Sets
    This Rule identifies empty virtual machine scale sets within your Microsoft Azure cloud account so that they can be deleted, in order to eliminate unnecessary costs and to meet compliance requirements for unused resources.
  6. VirtualMachines-026: Enable Automatic Instance Repairs
    This Rule ensures that Azure virtual machine scale sets are configured to use automatic instance repairs.
  7. VirtualMachines-022: Enable Automatic OS Upgrades
    This Rule ensures that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers.
  8. Subscriptions-002: Check for the Number of Subscription Owners
    This Rule ensures there are at least two subscription owners designated for your Microsoft Azure account subscription in order to provide administrator access redundancy.
  9. CosmosDB-003: Restrict Default Network Access for Azure Cosmos DB Accounts
    This Rule ensures that your Microsoft Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.
  10. Network-011: Check for Network Security Groups with Wide Port Ranges
    This Rule ensures that your Azure network security groups (NSGs) don't have wide ranges of ports configured to allow inbound traffic, in order to protect the associated virtual machine instances against Denial-of-Service (DoS) and brute-force attacks.
  11. RedisCache-002: Check TLS Protocol Latest Version
    This Rule checks that Azure Redis Cache servers are using the latest version of the TLS protocol and produces the following results:
    • Success if Azure Redis Cache servers are using the latest version of the TLS protocol, which is TLS version 1.2
    • Failure if Azure Redis Cache servers are not using the latest version of the TLS protocol

Please note that if you create a new Redis Cache, the default TLS version is 1.2; please see:
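As an added worked example of the condition Network-011 looks for (this is not code from the notice or from the Conformity product), the following Python inspects an NSG in the shape returned by `az network nsg show -o json` and reports inbound Allow rules whose destination ports add up to a wide range. The 32-port threshold and the sample NSG are constructed assumptions; the notice does not say which threshold the rule itself applies.

```python
"""Find inbound Allow rules in an Azure NSG that open a wide range of ports.

Added example for the Network-011 check; not Conformity's own code.
Input shape follows `az network nsg show -o json` (flattened camelCase keys).
MAX_PORTS and SAMPLE_NSG are constructed assumptions.
"""
import json
from typing import Dict, List

MAX_PORTS = 32  # assumption: anything above this counts as a "wide" range


def ports_in_spec(spec: str) -> int:
    """Count the ports matched by one NSG port expression: '*', '443' or '8000-8100'."""
    spec = spec.strip()
    if spec == "*":
        return 65536
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return hi - lo + 1


def rule_port_specs(rule: Dict) -> List[str]:
    """A rule carries either destinationPortRange (one value) or destinationPortRanges (a list)."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def wide_inbound_rules(nsg: Dict, max_ports: int = MAX_PORTS) -> List[Dict]:
    """Return inbound Allow rules whose combined destination ports exceed max_ports.
    Deny rules and outbound rules are skipped: they expose nothing to inbound traffic."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        total = sum(ports_in_spec(s) for s in rule_port_specs(rule))
        if total > max_ports:
            findings.append({"rule": rule["name"], "priority": rule.get("priority"),
                             "source": rule.get("sourceAddressPrefix"), "ports": total})
    return findings


SAMPLE_NSG = {  # constructed sample in the shape of `az network nsg show -o json`
    "name": "web-nsg",
    "securityRules": [
        {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "443", "destinationPortRanges": []},
        {"name": "allow-ephemeral", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "1024-65535", "destinationPortRanges": []},
        {"name": "allow-mgmt", "priority": 120, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "10.0.0.0/8",
         "destinationPortRange": None, "destinationPortRanges": ["22", "3389", "8000-8100"]},
        {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "destinationPortRanges": []},
        {"name": "allow-all-out", "priority": 100, "direction": "Outbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "*", "destinationPortRanges": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(wide_inbound_rules(SAMPLE_NSG), indent=2))
```

Only the custom `securityRules` are examined; the platform's `defaultSecurityRules` (such as DenyAllInBound) are not exposure and are left alone. The source prefix is carried into each finding because a wide range open to `10.0.0.0/8` and the same range open to `Internet` deserve different priorities when you triage.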

Rule Updates

  1. IAM-036: AWS IAM Users with Admin Privileges
    Updated the rule logic to also check each user's inline and attached policies.
  2. ECS-001: ECS Configuration Changes
    This rule now supports the following new events:
    • CreateCapacityProvider
    • CreateTaskSet
    • DeleteAccountSetting
    • DeleteCapacityProvider
    • DeleteTaskSet
    • DeregisterTaskDefinition
    • PutAccountSetting
    • PutClusterCapacityProviders
    • UpdateClusterSettings
    • UpdateServicePrimaryTaskSet
    • UpdateTaskSet
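As an added worked example for the IAM-036 update (not code from the notice or from Conformity), the following Python flags users who are effectively administrators through either an attached managed policy or an inline policy. The user list and policy documents are constructed in the shape of `aws iam get-account-authorization-details` output (UserDetailList entries plus the Policies list keyed by ARN); the probe-based definition of "all actions" and "all resources" is an assumption of this example. Wildcard patterns are escaped before they reach the regex engine, so an odd character in a policy string cannot produce an invalid regular expression.

```python
"""Flag IAM users that hold admin privileges through any attached managed
policy or inline policy (the condition IAM-036 now checks).

Added example, not Conformity's code. USERS and MANAGED_POLICIES are
constructed in the shape of `iam get-account-authorization-details`.
"""
import re
from typing import Dict, Iterable, List

# Probe values: a glob matching every one of these is treated as "all actions"
# / "all resources" (assumption; '*' and '*:*' qualify, 'iam:*' does not).
_PROBE_ACTIONS = ["iam:PutUserPolicy", "s3:GetObject", "ec2:RunInstances", "sts:AssumeRole"]
_PROBE_RESOURCES = ["arn:aws:iam::111122223333:user/probe", "arn:aws:s3:::probe-bucket/key"]


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate an IAM wildcard pattern ('*' and '?') into an anchored regex.
    Everything else is escaped first, so '(' or '[' inside a policy string
    can never yield an invalid regular expression."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def _as_list(value) -> List:
    """IAM allows a single string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_all(patterns: Iterable[str], probes: List[str]) -> bool:
    return any(all(glob_to_regex(p).match(probe) for probe in probes) for p in patterns)


def statement_is_admin(stmt: Dict) -> bool:
    """True for an unconditional Allow on all actions against all resources.
    NotAction/NotResource/Condition statements are not evaluated here
    (assumption: a full scanner would evaluate them rather than skip them)."""
    if stmt.get("Effect") != "Allow":
        return False
    if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
        return False
    return (_matches_all(_as_list(stmt.get("Action")), _PROBE_ACTIONS)
            and _matches_all(_as_list(stmt.get("Resource")), _PROBE_RESOURCES))


def user_policy_documents(user: Dict, managed: Dict[str, Dict]) -> List[Dict]:
    """Inline policies travel with the user; attached ones are resolved by ARN."""
    docs = [p["PolicyDocument"] for p in user.get("UserPolicyList", [])]
    for attached in user.get("AttachedManagedPolicies", []):
        if attached["PolicyArn"] in managed:
            docs.append(managed[attached["PolicyArn"]])
    return docs


def admin_users(users: Iterable[Dict], managed: Dict[str, Dict]) -> List[str]:
    """User names with at least one admin statement in any inline or attached policy."""
    flagged = []
    for user in users:
        for doc in user_policy_documents(user, managed):
            if any(statement_is_admin(s) for s in _as_list(doc.get("Statement"))):
                flagged.append(user["UserName"])
                break
    return flagged


MANAGED_POLICIES = {  # constructed subset of the Policies list, keyed by ARN
    "arn:aws:iam::aws:policy/AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "arn:aws:iam::aws:policy/ReadOnlyAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["*:Describe*", "*:Get*", "*:List*"], "Resource": "*"}]},
}

USERS = [  # constructed UserDetailList entries
    {"UserName": "alice", "UserPolicyList": [],
     "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    {"UserName": "bob",
     "UserPolicyList": [{"PolicyName": "s3-ops", "PolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}}],
     "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
                                  "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    {"UserName": "carol",  # inline policy spelling "everything" as '*:*' rather than '*'
     "UserPolicyList": [{"PolicyName": "break-glass", "PolicyDocument": {"Statement":
         {"Effect": "Allow", "Action": "*:*", "Resource": ["*"]}}}],
     "AttachedManagedPolicies": []},
    {"UserName": "dave",  # scoped resource containing regex metacharacters
     "UserPolicyList": [{"PolicyName": "odd-bucket", "PolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::bucket(legacy)/*"}]}}],
     "AttachedManagedPolicies": []},
]

if __name__ == "__main__":
    print(admin_users(USERS, MANAGED_POLICIES))  # ['alice', 'carol']
```

Two caveats a practitioner should keep in mind: policies inherited through group membership are not walked here, and a statement such as `iam:*` on `*` is not flagged even though it can be escalated to full administrator in one step. Both are scope decisions of this example, not properties of the rule.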

Bug Fixes

  1. IAM-049: IAM role policy too permissive
    Fixed a bug to handle invalid regular expressions and related errors.
  2. Config-001: AWS Config Enabled
    Improved error handling for Config-001 when encountering throttling errors from AWS, to minimize the occurrence of false failure checks.
  3. CT-002: Cloudtrail S3 Bucket Logging Enabled
    CT-004: CloudTrail Bucket MFA Delete Enabled
    Fixed a bug where the Conformity bot was not checking that the required resources were free of attribute errors, which caused incorrect check statuses for CT-002 and CT-004.
  4. SecretsManager-003: Secret Rotation Interval
    Fixed a bug so that the rule is now enabled by default.
  5. Fixed a bug where CloudWatch log group rules were only checking the first 50 log groups.
  6. Fixed a bug where the RTM uninstall script showed an error instead of a user-friendly message when regions are disabled.
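Bug fixes 2 and 5 are two faces of the same class of defect in a posture scanner: a paginated AWS API read that stops after the first page, and a throttled call that is reported as a failed check instead of an error. As an added example (not code from the notice or from Conformity), the following Python drains `describe_log_groups` to completion and retries on throttling. `FakeLogsClient` is a constructed stand-in for boto3's CloudWatch Logs client so the example runs offline; it reproduces the real API's 50-groups-per-call cap and `nextToken` continuation.

```python
"""Drain a paginated AWS API to completion and retry on throttling.

Added example for bug fixes 2 (Config-001 throttling) and 5 (log-group rules
stopping after the first 50 results); not Conformity's code. FakeLogsClient is
a constructed stand-in for boto3's CloudWatch Logs client: describe_log_groups
returns at most 50 groups per call plus a nextToken when more remain.
"""
import time
from typing import Callable, Dict, Iterator, List


class ThrottlingError(Exception):
    """Stand-in for botocore.exceptions.ClientError with code 'ThrottlingException'."""


class FakeLogsClient:
    PAGE_LIMIT = 50  # the real API caps `limit` at 50

    def __init__(self, total_groups: int, throttle_first_calls: int = 0) -> None:
        self._names = [f"/aws/lambda/fn-{i:03d}" for i in range(total_groups)]
        self._throttle_left = throttle_first_calls
        self.calls = 0

    def describe_log_groups(self, **kwargs) -> Dict:
        self.calls += 1
        if self._throttle_left > 0:  # simulate "Rate exceeded" on the first N calls
            self._throttle_left -= 1
            raise ThrottlingError("Rate exceeded")
        start = int(kwargs.get("nextToken", "0"))
        limit = min(int(kwargs.get("limit", self.PAGE_LIMIT)), self.PAGE_LIMIT)
        page = self._names[start:start + limit]
        response = {"logGroups": [{"logGroupName": n} for n in page]}
        if start + limit < len(self._names):
            response["nextToken"] = str(start + limit)  # more pages remain
        return response


def call_with_backoff(fn: Callable[[], Dict], retries: int = 5, base_delay: float = 0.01) -> Dict:
    """Retry fn on throttling with exponential backoff, re-raising after `retries` attempts.
    Surfacing the final error is deliberate: a check that could not read the API
    must report an error, never a confident FAILURE result."""
    for attempt in range(retries + 1):
        try:
            return fn()
        except ThrottlingError:
            if attempt == retries:
                raise
            time.sleep(base_delay * (2 ** attempt))
    raise RuntimeError("unreachable")


def iter_log_groups(client) -> Iterator[Dict]:
    """Follow nextToken until the API stops returning one."""
    token = None
    while True:
        kwargs = {"limit": 50}
        if token:
            kwargs["nextToken"] = token
        response = call_with_backoff(lambda: client.describe_log_groups(**kwargs))
        yield from response["logGroups"]
        token = response.get("nextToken")
        if not token:
            return


def first_page_only(client) -> List[str]:
    """The buggy pattern: a single call, nextToken ignored."""
    return [g["logGroupName"] for g in client.describe_log_groups()["logGroups"]]


def all_log_group_names(client) -> List[str]:
    return [g["logGroupName"] for g in iter_log_groups(client)]


def compare(total_groups: int = 120, throttle_first_calls: int = 2) -> Dict[str, int]:
    """Run both patterns against the same inventory and report what each saw."""
    naive = first_page_only(FakeLogsClient(total_groups))
    client = FakeLogsClient(total_groups, throttle_first_calls)
    complete = all_log_group_names(client)
    return {"naive": len(naive), "complete": len(complete), "api_calls": client.calls}


if __name__ == "__main__":
    print(compare())  # {'naive': 50, 'complete': 120, 'api_calls': 5}
```

Against a real account you would not hand-roll either half: `client.get_paginator("describe_log_groups").paginate()` follows `nextToken` for you, and `botocore.config.Config(retries={"mode": "standard", "max_attempts": 10})` retries throttling at the SDK layer. What the example is meant to show is the failure mode: a check that silently evaluates only the first 50 resources passes resources it never looked at, and a check that turns a throttled read into FAILURE produces findings that are not true.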