Table of contents

15 March 2021 - Rule Update Notice

Custom Policy Updates

The custom policy has been updated to version 1.26 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. ""ce:GetAnomalies""
  2. ""elasticloadbalancing:DescribeRules""

Click here to access the new Custom Policy.

New Rules


  1. ELBv2-011: Check if Application Load Balancers are redirecting HTTP to HTTPS
    This rule checks if Application Load Balancers (ALB) are configured to redirect HTTP traffic (port 80) to HTTPS (port 443).
  2. RDS-042: Enable Aurora Cluster Copy Tags to Snapshots
    This rule ensures that Amazon Aurora clusters have the Copy Tags to Snapshots feature enabled.
  3. CostExplorer-002: Cost Anomaly Detection Findings This rule checks for any spend anomalies within your AWS account that have been identified by Amazon Cost Anomaly Detection and analyzes and determines the root cause (such as the account, service, region, or usage type) that is driving the cost increase.


  1. VirtualMachines-033: Enable and Configure Health Monitoring
    This rule ensures that the health of your Microsoft Azure scale set instances is being monitored.

Rule Updates

  1. Route53-011: Dangling DNS Records The rule will create one check for each hosted zone and include any dangling records as metadata instead of creating a check for each record.
  2. RTM-009: VPC Network Configuration Changes
    The rule has been updated to only generate checks for successful configuration changes instead of unsuccessful ones where access to make changes has been denied.
  3. SSM-001: SSM Parameter Encryption
    EBS-004: EBS Volumes Recent Snapshots
    Support for exception by resource and tags added to SSM-001 and EBS-004.

Bug Fixes

  1. RG-001: Tags
    We've improved how we evaluate resources for RG-001 to help prevent inaccurate results under certain circumstances.
  2. IAM-036: IAM Admin Permissions
    Fixed a bug that prevented users from configuring the rule to either check for IAM users assigned to actions or managed policies i.e both settings had to have a configuration.
  3. S3-014: S3 Bucket Public Access Via Policy Fixed an issue where the rule was not reporting 'Actions' in its checks if there was a condition on the policy.
  4. SES-004: DKIM Enabled
    SES-001: Identity Cross-Account Access

Fixed a bug where checks were not being generated for these rules.