Introduction to Conformity Rules
What rules does Trend Micro Cloud One™ – Conformity support?
Conformity supports over 540 rules founded on cloud and security governance best practices and on compliance standards.
Conformity's rules cover the 6 categories of security and governance best practices:
Rules are run against your cloud account services, resources, their settings, and configurations.
What is the frequency of running the rules?
Conformity rules are run:
- Periodically on your added Accounts by the Conformity Bot, or
- In real time for selected rules, if the Real-Time Monitoring subscription is turned on for your account.
What rules are run?
Refer to Conformity Knowledge Base for all the rules supported by Conformity.
- Is there any rule that looks for open access to all ports? Rule EC2-001 (Security Group Port Range) checks for any range of open ports, including all ports.
- Are all the rules in AWS Config included in Conformity?
We support every rule in AWS Config as soon as they become available through
If Conformity doesn't support a rule you need, you have the option to create custom rules using AWS Config Service.
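The following is an added example, not Conformity's own implementation of EC2-001, showing how a "port range" check of the kind described above can be evaluated against the JSON shape returned by `aws ec2 describe-security-groups`. The sample groups are constructed for illustration. Two assumptions are made that the page does not state: only rules whose source is the whole internet (`0.0.0.0/0` or `::/0`) are reported, and "all ports" is recognised both as protocol `-1` and as an explicit `0-65535` range.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1",  # "-1" means all protocols and all ports
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "range-v6",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "full-tcp",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0eee", "GroupName": "ping",
     "IpPermissions": [
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,  # ICMP type/code, not ports
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def is_unrestricted(cidr):
    """True for a source CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_port_ranges(groups):
    """Return (group_id, protocol, from_port, to_port) for every inbound rule
    that exposes more than one port to an unrestricted source.

    Assumption (not from the page): rules whose sources are all private or
    otherwise bounded CIDRs are not reported here."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_unrestricted(c) for c in sources):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                # All protocols: every port is reachable.
                findings.append((group["GroupId"], "all", 0, 65535))
                continue
            if proto in ("icmp", "icmpv6"):
                # FromPort/ToPort carry ICMP type and code here, not TCP/UDP ports.
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None or lo == hi:
                # A single port is left to the per-service rules (SSH, RDP, ...).
                continue
            findings.append((group["GroupId"], proto, lo, hi))
    return findings


if __name__ == "__main__":
    for gid, proto, lo, hi in open_port_ranges(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} open to the internet")
```

Running the block prints one line each for `sg-0bbb` (all protocols), `sg-0ccc` (TCP 8000-9000 via `::/0`) and `sg-0ddd` (TCP 0-65535); the single-port and ICMP rules are not reported.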
When an account is first added to Conformity, a set of default rules will be run on the account by the Conformity Bot.
Rules can be configured to better cater to your organisation's circumstances and governance needs. Some rules require configuration before they can be run, and all rules have configuration options, including adjusting severity and enabling or disabling the rule.
See Rule Configuration.
Anatomy of a rule
A Conformity rule is run against an AWS (or other cloud provider) service or a Conformity service, for example GuardDuty, CloudTrail or CloudConformity. A full list of services can be found in the Knowledge Base.
Note: New rules or rules that are updated will be marked accordingly for 10 days after the release.
Provides a count for the different check statuses. See Model: Check for more information on each status.
Some rules are documented by Conformity but cannot be tested against your cloud infrastructure, either because they are not applicable to cloud infrastructure or because of limitations in the data provided by the cloud provider. Rules that cannot be tested are identified as Not Scored. For more information, see Model: Check.
Rules marked for removal by Conformity are identified as "Deprecated Rules". You will be notified of Deprecated Rules within your Profile and Account Rule settings. We will also send you an email with more information about the rule deprecation, including any instructions that you need to follow.
Rules supported by Real Time Monitoring
| Service | Rules |
|---|---|
| CloudFormation | CFM-001, CFM-002, CFM-004, CFM-005, CFM-006, CFM-007 |
| CloudFront | CF-002, CF-003, CF-004, CF-005, CF-006, CF-007, CF-008, CF-009, CF-011 |
| DynamoDB | DynamoDB-001, DynamoDB-003, DynamoDB-004, DynamoDB-005 |
| EC2 | EC2-001, EC2-002, EC2-003, EC2-004, EC2-005, EC2-006, EC2-007, EC2-008, EC2-014, EC2-015, EC2-016, EC2-017, EC2-020, EC2-021, EC2-022, EC2-023, EC2-024, EC2-025, EC2-026, EC2-027, EC2-028, EC2-029, EC2-030, EC2-031, EC2-032, EC2-033, EC2-034, EC2-035, EC2-036, EC2-038, EC2-039, EC2-040, EC2-041, EC2-042, EC2-043, EC2-044, EC2-045, EC2-046, EC2-047, EC2-053, EC2-055, EC2-056, EC2-058, EC2-059, EC2-061, EC2-063, EC2-064, EC2-065, EC2-066, EC2-069, EC2-070, EC2-071, EC2-072, EC2-073, EC2-074, EC2-075 |
| ELB | ELB-001, ELB-002, ELB-003, ELB-004, ELB-005, ELB-006, ELB-007, ELB-008, ELB-009, ELB-010, ELB-011, ELB-012, ELB-013, ELB-014, ELB-015, ELB-016, ELB-017, ELB-018, ELB-021, ELB-022 |
| IAM | IAM-001, IAM-002, IAM-003, IAM-004, IAM-005, IAM-006, IAM-007, IAM-008, IAM-009, IAM-010, IAM-011, IAM-012, IAM-013, IAM-016, IAM-017, IAM-018, IAM-019, IAM-020, IAM-021, IAM-022, IAM-024, IAM-025, IAM-026, IAM-027, IAM-028, IAM-029, IAM-033, IAM-038, IAM-044, IAM-045, IAM-049, IAM-050, IAM-051, IAM-052, IAM-053, IAM-054, IAM-056, IAM-057, IAM-058, IAM-059, IAM-060, IAM-062, IAM-064, IAM-069, IAM-071, RTM-001, RTM-002, RTM-003, RTM-005, RTM-008, RTM-010 |
| Lambda | Lambda-001, Lambda-002, Lambda-003, Lambda-004, Lambda-005, Lambda-006, Lambda-007, Lambda-009 |
| RDS | RDS-001, RDS-002, RDS-003, RDS-004, RDS-005, RDS-006, RDS-007, RDS-008, RDS-009, RDS-010, RDS-011, RDS-012, RDS-013, RDS-019, RDS-022, RDS-023, RDS-025, RDS-026, RDS-030, RDS-031, RDS-032, RDS-033, RDS-034, RDS-035, RDS-036, RDS-037, RDS-038, RDS-039, RDS-040, RDS-041, RDS-042 |
| S3 | S3-001, S3-002, S3-003, S3-004, S3-005, S3-006, S3-007, S3-008, S3-009, S3-010, S3-011, S3-012, S3-013, S3-014, S3-015, S3-016, S3-017, S3-018, S3-019, S3-020, S3-021, S3-022, S3-023, S3-024, S3-025, S3-026, S3-028 |
| VPC | VPC-001, VPC-004, VPC-005, VPC-006, VPC-010, VPC-011, VPC-012, VPC-013, VPC-014, VPC-015, VPC-016, RTM-009 |
| User sign in | RTM-004, RTM-006 |
- A rule is marked as "New" or "Updated" on Conformity web interface. What does it mean?
New rules and updated rules are marked as "New" and "Updated" respectively for 10 days after release. Updates include changes to rule behaviour, bug fixes, improvements, new settings, changes to default settings, changes to the default risk level, and so on.
- Why does an AssumeRole action trigger a failure for our blacklisted region rule?
The browser sometimes carries the region over from the previous console session. Say the user's last action was in us-east-1: at the next login, the console session may start in us-east-1 even though the user normally signs in to eu-west-1, so the AssumeRole call is recorded against the blacklisted region.
- Is there a rule to check for S3 buckets with static website hosting option turned on? I created a bucket with static website hosting turned on, and it didn't trigger any violations.
Refer to the link: S3 Buckets with Website Configuration Enabled
- How are the AWS Inspector Findings risk levels calculated by Conformity?
AWS Inspector Findings risk levels are calculated in the following way:
Inspector.severity = High; Conformity risk level = HIGH
Inspector.severity = Medium; Conformity risk level = MEDIUM
Inspector.severity = Low; Conformity risk level = LOW
Otherwise Conformity risk level = LOW
- How are the GuardDuty Findings risk levels calculated by Conformity?
GuardDuty Findings risk levels are calculated in the following way:
GuardDuty.level >=7.0; Conformity risk level = HIGH
GuardDuty.level >=4.0 and GuardDuty.level <=6.9; Conformity risk level = MEDIUM
Otherwise Conformity risk level = LOW
- How are the Macie Alerts risk levels calculated by Conformity?
Macie Alerts risk levels are calculated in the following way:
Macie.severity = Critical; Conformity risk level = EXTREME
Macie.severity = High; Conformity risk level = HIGH
Macie.severity = Medium; Conformity risk level = MEDIUM
Macie.severity = Low; Conformity risk level = LOW
Macie.severity = Informational; Conformity risk level = LOW
- Adding several trusted accounts is a very time-consuming process. Is there a better way to do it?
If you are adding several trusted accounts, you can use the Conformity API. Trusted accounts are a setting of the Cross Account rules; see, for example, https://www.cloudconformity.com/knowledge-base/aws/SQS/sqs-cross-account-access.html. Use the update rule setting endpoint documented at https://github.com/cloudconformity/documentation-api/blob/master/Accounts.md#update-rule-setting.
- We have experienced some issues with ACM Certificates expiring recently. It is my understanding that Conformity has rules for 7 days (ACM-002), 30 days (ACM-003), and 45 days (ACM-004) before expiry. However, when I visit our dashboard and filter by the ACM service I can only see ACM-004. I just wanted to clarify whether our Cloud Conformity account is checking all of the ACM certificate expiry rules. If they are being checked, is it possible for you to explain why I am unable to see them when filtering by ACM?
Only one of the ACM Certificate Renewal rules (ACM-002, ACM-003, ACM-004) generates a Check for a given certificate at any given time:
a. ACM-002: certificate will expire within 7 days
b. ACM-003: certificate will expire between 7 and 30 days
c. ACM-004: certificate will expire between 30 and 45 days
Producing a single Check out of ACM-002, ACM-003 and ACM-004 at any one time avoids overlapping Checks for the same certificate and keeps the conformity score reliable, because the three rules carry different risk levels:
ACM-002 is high risk
ACM-003 is medium risk
ACM-004 is low risk
Between 45 and 30 days before expiry you receive a low risk Check; between 30 and 7 days you receive a medium risk Check; and between 7 days and expiry you receive a high risk Check. A certificate more than 45 days from expiry therefore produces no Check, which is why only ACM-004 appears when the certificates in the account are 30 to 45 days from expiry.
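The block below is an added example, not Conformity code, that implements the risk-level derivations described on this page for Inspector, GuardDuty and Macie findings, together with the ACM-002/003/004 window selection, so that the boundaries can be checked against concrete values. Two details are assumptions because the page does not state them: a GuardDuty severity strictly between 6.9 and 7.0 is treated as MEDIUM (GuardDuty severities are floats, and the page's ranges leave that interval unspecified), and the ACM window limits are treated as inclusive, with an already-expired certificate returning no Check.

```python
from datetime import datetime, timedelta, timezone

EXTREME, HIGH, MEDIUM, LOW = "EXTREME", "HIGH", "MEDIUM", "LOW"


def inspector_risk(severity):
    """Inspector finding severity -> Conformity risk level.
    High/Medium/Low map one-to-one; anything else is LOW, as the page states."""
    return {"High": HIGH, "Medium": MEDIUM, "Low": LOW}.get(severity, LOW)


def guardduty_risk(level):
    """GuardDuty finding severity (0.1 .. 8.9) -> Conformity risk level.
    Page: >=7.0 HIGH; 4.0..6.9 MEDIUM; otherwise LOW.
    Assumption: values in (6.9, 7.0) are MEDIUM so the scale has no gap."""
    if level >= 7.0:
        return HIGH
    if level >= 4.0:
        return MEDIUM
    return LOW


def macie_risk(severity):
    """Macie alert severity -> Conformity risk level.
    Assumption: an unrecognised severity defaults to LOW (page does not say)."""
    table = {"Critical": EXTREME, "High": HIGH, "Medium": MEDIUM,
             "Low": LOW, "Informational": LOW}
    return table.get(severity, LOW)


# (rule, inclusive upper bound in days before expiry, risk level), in the
# order they are tested: the first window that contains the certificate wins.
ACM_WINDOWS = [
    ("ACM-002", 7, HIGH),
    ("ACM-003", 30, MEDIUM),
    ("ACM-004", 45, LOW),
]


def acm_renewal_check(not_after, now):
    """Return the single (rule, risk) that generates a Check for a certificate
    expiring at `not_after`, or None when no renewal rule applies.

    Assumptions: window limits are inclusive; an expired certificate
    (negative days left) is outside all three windows and returns None."""
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        return None
    for rule, limit, risk in ACM_WINDOWS:
        if days_left <= limit:
            return rule, risk
    return None


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    for days in (3, 20, 40, 60, -1):
        print(days, acm_renewal_check(now + timedelta(days=days), now))
    for sev in (8.5, 7.0, 6.95, 6.9, 3.9):
        print(sev, guardduty_risk(sev))
```

Because the windows are tested from the shortest upward, a certificate 5 days from expiry matches ACM-002 and never reaches ACM-003 or ACM-004, which is the "one Check at a time" behaviour described above.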
- Is there a rule to detect whether CloudTrail is configured to log to S3?
Yes. The CloudTrail Enabled rule detects whether CloudTrail is configured to log to S3. Because S3BucketName is a required parameter when configuring a trail, every trail the rule finds delivers its logs to an S3 bucket.
- Is it possible to check for logins from users that aren't whitelisted?
The Sign-In Events rule checks sign-in events for IAM and federated users. In addition, the User signed in to AWS from an approved country rule detects user authentication sessions originating from an unapproved country.
- Is it possible to detect if an RDS Snapshot is shared publicly?
Yes. The Amazon RDS Public Snapshots rule detects any RDS snapshots that are shared publicly.
- Can we export CloudWatch Logs from an EC2 instance and generate alerts?
Conformity does not have access to CloudWatch Logs, so it cannot generate alerts from them.