18 December 2020 - Rules + General Release Notice

What's New?

Custom Policy Updates

The custom policy has been updated to version 1.23 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. inspector:DescribeAssessmentTemplates
  2. inspector:ListAssessmentTemplates
  3. inspector:ListExclusions
  4. inspector:DescribeExclusions

Click here to access the new Custom Policy.
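
A quick way to confirm that an updated custom policy actually grants the four new permissions, added here as an example (not Conformity's own code): it treats an action as covered when some Allow statement matches it, explicitly or via IAM-style `*`/`?` wildcards, and no Deny statement matches it. The sample policy document is constructed for the example.

```python
import fnmatch
import json

# The permissions added in custom policy version 1.23 (listed above).
REQUIRED_ACTIONS = [
    "inspector:DescribeAssessmentTemplates",
    "inspector:ListAssessmentTemplates",
    "inspector:ListExclusions",
    "inspector:DescribeExclusions",
]


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ?.
    fnmatch also treats [...] as a character class, which IAM does not;
    real policies do not use brackets in action names, so this is fine."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy document does not effectively allow."""
    statements = _as_list(policy.get("Statement"))
    allowed = [a for s in statements if s.get("Effect") == "Allow" for a in _as_list(s.get("Action"))]
    denied = [a for s in statements if s.get("Effect") == "Deny" for a in _as_list(s.get("Action"))]
    missing = []
    for action in required:
        granted = any(_matches(p, action) for p in allowed)
        blocked = any(_matches(p, action) for p in denied)
        if not granted or blocked:
            missing.append(action)
    return missing


# Constructed sample: an older policy that only carried some Inspector permissions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["inspector:List*", "inspector:DescribeAssessmentRuns"], "Resource": "*"},
    {"Effect": "Deny", "Action": "inspector:ListExclusions", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```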

General Bug Fixes

  1. Improved error handling for the Conformity Bot when a disabled AWS region exists on an account; checks for enabled regions are no longer removed.
  2. Improved handling of AWS IAM API throttling errors.
  3. Fixed a bug which prevented the Browse all Checks and Reports buttons from displaying when the dashboard stats were not available.
  4. Fixed a bug where URLs in communication channels did not have whitespace trimmed.
  5. Fixed a bug where the default title for the CIS report prevented the report from being generated.
  6. Fixed a bug where the API call authorizer was cached incorrectly.
  7. Fixed a bug where the weekly summary emails that customers receive showed an incorrect number of days left in a trial.
  8. Fixed a bug where ‘GET all accounts’ returned no results for custom role users.

New Rules

  1. Inspector-003: Check for Amazon Inspector Exclusions
    This rule checks for Amazon Inspector assessment exclusions so that they can be resolved step by step, ensuring that your assessment runs can be successfully executed.
  2. VirtualMachines-028: Check for Associated Load Balancers
    This rule ensures that your Azure virtual machine scale sets are using load balancers for traffic distribution.
  3. VirtualMachines-027: Check for Zone-Redundant Load Balancers
    This rule ensures that Azure virtual machine scale sets are configured for zone redundancy.
  4. Network-012: Enable DDoS Standard Protection for Virtual Networks
    This rule ensures that the DDoS Standard Protection feature is enabled for all your security-critical Microsoft Azure virtual networks (VNets).
  5. Search-001: Enable System-Assigned Managed Identities
    This rule ensures that your Microsoft Azure Search Service instances have system-assigned managed identities enabled in order to allow secure application access to other Azure resources such as storage accounts and key vaults.
  6. Resources-001: Tags
    This rule ensures that there is a tagging strategy in use for identifying and organizing Azure resources by name, purpose, environment, and other criteria.
  7. KeyVault-015: Check for Azure Key Vault Secrets Expiration
    This rule checks for Microsoft Azure Key Vault secrets that are about to expire so that they are renewed prior to their expiration date.
  8. KeyVault-016: Check for Azure Key Vault Keys Expiration
    This rule checks for Microsoft Azure Key Vault keys that are about to expire so that they are renewed prior to their expiration date.
  9. SQL-015: Check for Sufficient Point in Time Restore (PITR) Backup Retention Period
    This rule ensures there is a sufficient PITR backup retention period configured for Azure SQL databases.

Rule Updates

  1. Inspector-002: Days since last Amazon Inspector run
    This rule has been updated to handle only assessment runs that belong to the current assessment template. If the completed time falls outside the time threshold set in the rule settings and the next scheduled run set in the assessment template (if a schedule is configured) also falls outside this period, the rule will generate a failure check.

Rule Bug Fixes

  1. RG-001: Tags
    Template Scanner will now process Tags on IAM role resources and the Tag rule (RG-001) will generate correct results.
  2. Route53-011: Dangling Records
    Fixed a bug where the rule would previously evaluate with incomplete data, resulting in no checks or false positives being returned.
  3. AG-006: Enable SSL Client Certificate
    Fixed a bug where a partially set up API Gateway resource caused no checks to be generated for the rule.
  4. Fixed a bug where attaching an AWS-managed policy to an IAM role would trigger RTM to run rules for the AWS-managed IAM policy.
  5. Fixed a bug on the following rules where safe list or block list rule configuration settings were not working as expected, resulting in either missing checks or false positives:
    1. IAM-054: IAM Configuration Changes
    2. IAM-058: Check for Unapproved IAM Users Existence
    3. ES-006: Elasticsearch Accessible Only From Safelisted IP Addresses
    4. EC2-046: Blocklisted AMIs
    5. EC2-071: Check for EC2 Instances with Blocklisted Instance Types