30 November 2020 - Rule Update Notice
Custom Policy Updates
There is no change to the custom policy as a result of the new Trend Micro Cloud One™ – Conformity release and hence no user action is required. The current custom policy version is 1.21.
- SecurityCenter-021: Enable Monitoring of Deprecated Accounts
This rule ensures that monitoring of deprecated accounts within your Azure subscription(s) is enabled.
- SecurityCenter-022: Monitor the Total Number of Subscription Owners
This rule ensures that the total number of subscription owners within your Azure account is monitored.
- SecurityCenter-023: Enable Virtual Machine IP Forwarding Monitoring
This rule ensures that the IP Forwarding feature available for your Microsoft Azure virtual machines (VMs) is monitored by the Azure Security Center service for security and compliance purposes.
- SecurityCenter-024: Monitor External Accounts with Write Permissions
This rule ensures that the external accounts with write permissions are monitored using Azure Security Center.
- SecurityCenter-025: Enable DDoS Protection Standard Monitoring for Public Virtual Networks
This rule ensures that the monitoring of "DDoS Protection Standard" feature is enabled within your Microsoft Azure cloud account settings so that Azure Security Center can assess if DDoS protection is enabled for all the Azure Virtual Networks (VNets) with a subnet that is part of an application gateway with a public IP.
- RedisCache-001: Enable In-Transit Encryption for Redis Cache Servers
This rule ensures that the SSL connection to your Azure Redis Cache servers is enabled in order to meet cloud security and compliance requirements.
- CosmosDB-001: Enable Advanced Threat Protection
This rule ensures that your Microsoft Azure Cosmos DB accounts are using the Advanced Threat Protection feature to detect unusual and potentially harmful attempts to access or exploit the Cosmos DB account resources.
- CosmosDB-002: New Rule: Enable Automatic Failover
This rule ensures that your Microsoft Azure Cosmos DB accounts are using the Automatic Failover feature in order to enable resource replication and fault tolerance at the account level.
- AppService-016: Enable Application Insights
This rule ensures that the Application Insights feature is enabled for all your Microsoft Azure App Services web applications in order to provide advanced application monitoring.
- AppService-014: Check for Sufficient Backup Retention Period
This rule ensures that your Microsoft Azure App Services applications have a sufficient daily backup retention period configured for scheduled backups, in order to follow security and regulatory requirements.
- PostgreSQL-009: Check for PostgreSQL Major Version
This rule ensures that PostgreSQL database servers are using the latest major version of the PostgreSQL database.
- PostgreSQL-010: Enable Geo-Redundant Backups
This rule ensures that geo-redundant backups are enabled for your Azure PostgreSQL database servers in order to allow you to restore your PostgreSQL servers to a different Azure region in the event of a regional outage or a disaster.
- PostgreSQL-011: Enable Storage Auto-Growth
This rule checks if PostgreSQL storage Auto-Growth is enabled on Azure PostgreSQL database servers. Storage auto-growth prevents your PostgreSQL servers from running out of storage and becoming read-only.
- KeyVault-007: Restrict Default Network Access for Azure Key Vaults
This rule ensures that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks including the public Internet. In order to provide Cloud Conformity with secure read-only access to your Key Vault attributes to run Key Vault rules, please, see Azure integration for more information.
- KeyVault-008: App Tier Customer-Managed Key In Use This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier in order to meet cloud security and compliance requirements within your organization.
- KeyVault-009: Database Tier Customer-Managed Key In Use
This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure database tier in order to meet cloud security and compliance requirements within your organization.
- KeyVault-010: Web Tier Customer-Managed Key In Use
This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure web tier in order to meet cloud security and compliance requirements.
- KeyVault-014: Check for Allowed Certificate Key Types Events
This rule ensures that Azure Key Vault certificates are using the appropriate key type(s) for security and compliance purposes.
- StorageAccounts-017: Review Storage Accounts with Static Website Configuration
- ECS-001: ECS Configuration Changes
Added a new setting for ECS-001 that allows setting user identity exceptions for the rule.
- IAM-054: IAM Configuration Changes
Users can configure the rule with a safelist of user ARNs, whose activities will not trigger a check for this rule.
- SecretManager-002: Secret rotation enabled Fixed the rule logic where secret rotation is disabled but a success check is generated instead of a failure check.
- SecretManager-003: Secret rotation interval
Fixed the rule logic where secret rotation is disabled but a failure check is generated instead of no check.
- ELBv2: ALB Listener Security
Fixed a bug where the rule produced a check for load balancer without listeners.
- IAM-013: MFA for IAM users with console password
Fixed a bug where the correct configuration of IAM users with console password does not generate success checks, or otherwise.
- Fixed a bug where auto-remediation resources generate failure checks.