08 February 2021 - Rule Update Notice

Custom Policy Updates

The custom policy has been updated to version 1.24 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. ec2:GetEbsEncryptionByDefault
  2. wafv2:ListWebACLs

New Rules

AWS

  1. ECR-003: Enable Scan on Push for ECR Container Images
    This rule ensures that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository.
  2. EBS-014: Enable Encryption by Default for EBS Volumes
    This rule ensures that all your new Amazon EBS volumes are encrypted by default within the specified AWS cloud region in order to reach your data protection and compliance goals.
  3. CC-003: Trend Micro Cloud One™ – Conformity Insufficient Access Permissions
    This rule ensures that the Amazon IAM policies created to grant the Conformity Bot access on your behalf provide all the permissions required to scan your AWS infrastructure, so that you receive the latest conformity rules, new features, and best practices.

Azure

  1. Subscriptions-003: Ensure "Not Allowed Resource Types" Policy Assignment in Use
    This rule ensures that a "Not Allowed Resource Types" policy is assigned to your Azure subscriptions in order to deny deploying restricted resources within your Azure cloud account for security and compliance purposes.
  2. Network-013: Review Network Interfaces with IP Forwarding Enabled
    This rule ensures that the Azure network interfaces with IP forwarding enabled are regularly reviewed.

Rule Updates

IAM-036: AWS IAM Users with Admin Privileges

Fixed a bug that made the rule too strict and resulted in false positives. The rule has also been updated to:

  1. Check more scenarios of users with admin privileges, including users assigned customer-managed and inline policies and users granted specific action permissions.
  2. Let users specify, via the rule settings, the list of AWS managed policies or actions that identify a user as having administrator privileges.
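The following is an added example, not Conformity's own IAM-036 implementation, showing how a check along these lines can be written: it treats a user as an administrator if an attached policy ARN is in a configurable admin-policy list, or if any attached (AWS- or customer-managed) or inline policy document contains an Allow statement for a configurable admin action on every resource. It assumes the policy documents have already been fetched and are passed in as plain dicts in the shape the IAM API returns (`get_policy_version` / `get_user_policy`); the default admin lists, the `user_admin_findings` function and the sample users are all constructed for this example.

```python
"""Evaluate whether IAM users hold administrator privileges (added example,
modelled on the IAM-036 description, not the vendor's code)."""
import fnmatch

# Assumed defaults; the notice says both lists are configurable via rule settings.
DEFAULT_ADMIN_POLICY_ARNS = frozenset({"arn:aws:iam::aws:policy/AdministratorAccess"})
DEFAULT_ADMIN_ACTIONS = frozenset({"*", "iam:*"})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_granted(granted_pattern, admin_action):
    """True if an Allow for `granted_pattern` (e.g. 'iam:*') covers `admin_action`.
    IAM action matching is case-insensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(admin_action.lower(), granted_pattern.lower())


def statement_grants_admin(statement, admin_actions):
    """Does one statement allow an admin-level action on every resource?
    Conditions and explicit Deny statements are not evaluated here (assumption):
    an MFA-gated admin Allow is still treated as admin."""
    if statement.get("Effect") != "Allow":
        return False
    # Only wildcard resources count: 'iam:*' scoped to a single role ARN is not admin.
    if "*" not in _as_list(statement.get("Resource")):
        return False
    granted = _as_list(statement.get("Action"))
    return any(_action_granted(p, a) for p in granted for a in admin_actions)


def document_grants_admin(document, admin_actions):
    """Check every statement of a policy document."""
    return any(statement_grants_admin(s, admin_actions)
               for s in _as_list(document.get("Statement")))


def user_admin_findings(user, admin_policy_arns=DEFAULT_ADMIN_POLICY_ARNS,
                        admin_actions=DEFAULT_ADMIN_ACTIONS):
    """Return the reasons a user counts as an administrator (empty list = compliant)."""
    findings = []
    for attached in user.get("AttachedPolicies", []):
        arn = attached["PolicyArn"]
        if arn in admin_policy_arns:
            findings.append(f"attached policy {arn} is in the admin policy list")
        elif document_grants_admin(attached["Document"], admin_actions):
            # Customer-managed policies are caught by their content, not by ARN.
            findings.append(f"attached policy {arn} allows an admin action on '*'")
    for inline in user.get("InlinePolicies", []):
        if document_grants_admin(inline["Document"], admin_actions):
            findings.append(f"inline policy {inline['PolicyName']} allows an admin action on '*'")
    return findings


def scan(users, **settings):
    """Map each user name to its findings, using optional rule-setting overrides."""
    return {u["UserName"]: user_admin_findings(u, **settings) for u in users}


# Constructed sample users (fictitious account id, not real data).
SAMPLE_USERS = [
    {"UserName": "alice",  # AWS managed AdministratorAccess attached
     "AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
                           "Document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
     "InlinePolicies": []},
    {"UserName": "bob",  # customer-managed policy granting iam:* on everything
     "AttachedPolicies": [{"PolicyArn": "arn:aws:iam::123456789012:policy/TeamOps",
                           "Document": {"Statement": [{"Effect": "Allow",
                                                       "Action": ["s3:GetObject", "iam:*"],
                                                       "Resource": "*"}]}}],
     "InlinePolicies": []},
    {"UserName": "carol",  # inline iam:* but scoped to one role: not admin
     "AttachedPolicies": [],
     "InlinePolicies": [{"PolicyName": "RoleMaint",
                         "Document": {"Statement": [{"Effect": "Allow", "Action": "iam:*",
                                                     "Resource": "arn:aws:iam::123456789012:role/app"}]}}]},
    {"UserName": "dave",  # read-only wildcards on '*': not admin under the defaults
     "AttachedPolicies": [],
     "InlinePolicies": [{"PolicyName": "ReadOnly",
                         "Document": {"Statement": [{"Effect": "Allow",
                                                     "Action": ["ec2:Describe*", "iam:Get*"],
                                                     "Resource": "*"}]}}]},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_USERS).items():
        print(name, "->", reasons or "compliant")
```

Passing `admin_actions={"ec2:DescribeInstances"}` to `scan` reproduces the configurable-actions setting: `dave` is then flagged because his `ec2:Describe*` grant on `*` covers that action, while `carol` stays compliant because her grant is resource-scoped.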

Bug Fixes

WAF-001: AWS Web Application Firewall in Use
WAF-001 previously checked only AWS WAF Classic resources. The rule now checks AWS WAFv2 web ACLs as well.