conformity_whats_new 1
Please visit the Conformity Release Notes page for Conformity updates.
conformity_whats_new 2
View Checks in ServiceNow SecOps Module.
conformity_whats_new 3
- Added Azure rules for AusGov ISM standard.
- We’ve also updated AWS Well-Architected Framework to the March 2021 version.
- You can now track and view the ‘apply profile’ events via the RTM dashboard or query them via the public events API by using ‘account.apply.profile’ as the event name.
- Checks returned from Template Scanner will now attempt to include logicalResourceId property in addition to usual properties.
- Updated the Jira Communications Channel to clear out existing fields when selecting a new 'Project' and 'Issue Type'.
conformity_whats_new 4
The following updates were released to Conformity on 28th July 2021.
Communication Channels Update
- Webhook: Updated the Webhook Communication Channel to send checks that have been deleted because a user removed or deleted a resource. These checks carry an additional field "isDeleted: true" to differentiate them from the current checks sent via webhook.
- Jira: Updated the Jira Communication Channel 'Create' and 'Update' screens to no longer support swapping to an alternative connection type (OAuth or API token), to reduce the risk of breaking a successfully configured channel.
Cloud One Users
- With SSOv2, can now access Conformity via the Cloud One UI. See our help page on the SSOv2 Public API.
- Will receive account update emails if they have a valid email address in Conformity.
Scan a Profile with Template Scanner
- Users without Admin privileges can now select and scan a Profile in Template Scanner via the Conformity UI or API by calling the /profiles API.
Bug Fixes
- Fixed a bug to reduce the number of failed Schedule Reports generation.
- Fixed a bug to return the correct API response when a user typed a value while filtering regions.
- Fixed a bug to add an account name and account environment to the body of the system-disabled Conformity bot notification email.
- Fixed a bug in the Template Scanner API response body so that the account field contains the actual accountId only when the accountId field is passed in the request body.
- Fixed a bug to successfully process intrinsic functions as arguments of '!Join' in the Template Scanner.
- Fixed a bug where Reports generated with individual checks did not display the Total counts on the PDF report correctly.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.
Conformity Bot Updates
- Boosted error handling to prevent outdated or inconsistent checks.
- Improvements to prevent Conformity Bot from running longer than expected for European accounts.
Rule Updates
- EC2-072 - EC2 Instance Not In Public Subnet: This rule has been updated to allow exceptions based on EC2 Instance names matched with a regular expression pattern.
- IAM-066 - AWS IAM Groups with Admin Privileges: This rule has been updated to allow exceptions based on tags and resource id.
Rule Bug Fixes
- IAM-046: Support Role: Fixed a bug where the rule generated false positives due to API throttling when retrieving the attached entities.
- EKS-002: Kubernetes Cluster Version: Fixed a bug to update the rule to the latest Amazon EKS Kubernetes version 1.20.
- Fixed a bug where the following rules failed to generate any checks because of inability to pull data from the ECS Service:
- ECS-003: Check for Amazon ECS Service Placement Strategy
- ECS-004: Check for Fargate Platform Version
- Fixed a bug that prevented checks from being generated when there were a large number of exclusions for the following rules:
- Inspector-002: Days since last Amazon Inspector run
- Inspector-003: Check for Amazon Inspector Exclusions Updated
conformity_whats_new 5
We’re excited to share that you can now preview Terraform Template scanning using the Conformity Template Scanner UI as well as API endpoints.
Find out the supported Terraform resource types for our Preview release here.
We will be looking forward to your feedback before we announce the General Availability (official release).
conformity_whats_new 6
The following updates were released to Conformity on 12th August 2021.
RTM for Azure
- You can now set up Real Time Threat Monitoring and monitor events on your Azure accounts via UI and API. For details, see: Real-time Monitoring Settings.
Organization Profile
- Conformity now enables you to set up an Organization Profile in your Conformity Account to customize default rule settings for all existing and newly added accounts in your organization. For details, see: Profiles.
CQL Filter Method
- You can now customise your search results using the Conformity Query Language (CQL) to filter and search your checks on Reports. For details, see CQL Filter Method.
Compliance
- Rule Mappings updated for the HITRUST and NIST 800-53 REV5 Compliance and Standard Reports.
Reports
- You can now include/exclude Account names on pdf reports via a new checkbox when creating reports and report configurations. For details see: Generate and Download Report.
Bug Fixes
- Fixed a bug where creating your first account using the API would display the message "Trial ends a few seconds ago" on the dashboard.
- Fixed a bug to bring the Check status returned by the API endpoints in line with the current behaviour of the UI.
- Fixed a bug where problem tickets in the ServiceNow communication channel were not resolving automatically.
- Fixed a bug where deleting profiles too quickly was logging the user out of the application.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.
Conformity Bot Updates
- Fixed a bug where Conformity bot was switching between 'Success' and 'Failure' states due to throttling errors on targeted IAM Roles.
New Rule
AWS
- VPC-017: Unrestricted Inbound Traffic on Remote Server Administration Ports: This rule ensures that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389.
Rule Update
- IAM-070: Check for IAM User Group Membership: This rule has been updated to support success checks in order to provide a more accurate compliance score.
- Inspector-001: Amazon Inspector Findings: The rule has been optimized to reduce the likelihood of throttling and ensure consistent checks.
Rule Bug Fix
- VPC-001: VPC Flow Logs Enabled: Fixed a bug where shared VPC resources resulted in false positive results for this rule.
conformity_whats_new 7
List Template Scanner Rules API endpoints are now available for the Terraform and CloudFormation template types in Conformity Template Scanner. For details see: Template Scanner API Documentation.
conformity_whats_new 8
Conformity API for AWS Well-Architected Tool
Conformity's API integration with the AWS Well-Architected Tool now enables you to push a report of failed and successful checks from your Conformity accounts to your workload review. This report allows you to review checks more accurately with data-driven responses.
Checks generated from rules are mapped to a particular Well-Architected review question. The checks are also summarised by 'Risk level' and 'Rule IDs' to allow better visibility for remediation based on the review findings. This summary is then pushed to the 'Notes' field for the related question. For details, see our API Documentation for the Well-Architected Tool.
conformity_whats_new 9
The following features and updates were released to Conformity on 7th September 2021.
Standards and Frameworks
Conformity now supports the NIS Europe (OES-2019) and FISC Security Compliance (V9).
Communication Channels Update
- ServiceNow: Updated the ServiceNow communication channel to include 'cloud provider Id' and 'cloud provider' in the description.
- Jira: Disabled the 'Test settings' and 'Save' buttons for the Jira communication channel when the configuration is invalid. This ensures a valid configuration must be selected and a successful test must be run before saving.
Bug Fixes
- Fixed a bug where PDF Reports with 0 checks displayed a blank white page.
- Fixed a bug where a default email communication channel was not set up when an account was added on Cloud One Conformity.
- Fixed a bug where no error message was displayed for the 'Create/Update' Communication settings API endpoints when more than 2 statuses were passed in the request.
- Fixed a bug where usage of wildcard (* or ?) in the first few characters of the filter[name] field for Events API was returning an error message.
- Fixed a bug where the "Welcome to Trend Micro Cloud One" welcome email was being sent up to three times upon email verification.
- Fixed a bug where the user could not see the option to add an Azure account on the Subscription page if they only had AWS accounts configured.
- Fixed a bug to generate accurate checks for Lambda-007 Rule in the Template scanner results.
- Fixed a bug where the number of active communication channels with manual notifications turned 'ON' was not being reflected immediately.
- Fixed a bug to remove 'Organisational Profile' as an option in the Template Scanner dropdown for Profile rule settings, because the organisational profile is already checked against by default.
- Fixed a bug to prevent users from configuring exceptions using the following APIs for Rules that do not support exceptions:
- https://eu-west-1-api.cloudconformity.com/v1/accounts/{id}/settings/rules/{ruleId}
- https://eu-west-1-api.cloudconformity.com/v1/accounts/{id}/settings/rules
- https://eu-west-1-api.cloudconformity.com/v1/profiles
- https://eu-west-1-api.cloudconformity.com/v1/profiles/{id}
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.
New Rule
AWS
- IAM-068: Unapproved IAM Policy in Use: This rule checks if there are any unapproved IAM-managed policies in use.
Rule Update
Optimized rule configurations to prevent the following rules from generating false positive checks due to API throttling:
- ELB-005: ELB Insecure SSL Protocol
- ELB-006: ELB Insecure SSL Ciphers
- IAM-001: Access Keys Rotated 30 Days
- IAM-002: Access Keys Rotated 45 Days
- IAM-004: Unnecessary Access Keys
- IAM-007: Password Policy Lowercase
- IAM-008: Password Policy Uppercase
- IAM-009: Password Policy Number
- IAM-010: Password Policy Symbol
- IAM-011: Password Policy Expiration
- IAM-012: Password Policy Reuse Prevention
- IAM-013: MFA For IAM Users With Console Password
- IAM-016: IAM User Policies
- IAM-024: IAM User With Password And Access Keys
- IAM-025: Unnecessary SSH Public Keys
- IAM-026: SSH Public Keys Rotated 30 Days
- IAM-027: SSH Public Keys Rotated 45 Days
- IAM-028: Inactive IAM Console User
- IAM-029: Unused IAM User
- IAM-038: Access Keys Rotated 90 Days
- IAM-044: SSH Public Keys Rotated 90 Days
Rule Bug Fixes
- EC2-027: Instance In Auto Scaling Group: Fixed a bug where false positives were generated by RTM for EC2 Instances created by an Auto Scaling Group in between the bot runs.
- CS-001: AWS Custom Rule: Improved the rule to minimize the likelihood of missing checks due to throttling of AWS Config rules.
- CC-003: Conformity Insufficient Access Permissions: Fixed a bug that occasionally had a minor impact on the reliability of some of the IAM rules supported by RTM and Conformity Bot.
conformity_whats_new 10
The following features and updates were released to Conformity on 21st September 2021.
Terraform Template Scanner Update
Template Scanner now supports scanning AWS RDS DB Cluster resources for Terraform templates.
Bug Fixes
- Fixed a bug to enable Template Scanner to resolve nested intrinsic functions within Fn-Sub maps on CloudFormation templates.
- Fixed a bug where the rule DynamoDB-001: Unused Table was being displayed in the Template Scanner results.
- Fixed a bug where settings for a newly configured communication channel were not being reflected in the account settings UI.
- Fixed a bug where users were being logged out of Conformity after clicking on a profile deleted via the API.
- Fixed a bug where users weren't able to scroll back up the Main Dashboard after navigating away from provider-specific account settings, for example, AWS RTM settings, Azure access settings, etc.
- Fixed a bug where deleting a CQL query and going back to 'Simple filters' did not reset the filters.
- Fixed a bug for the Get Excluded Resources API endpoint to return accurate results for the regions ap-southeast-2 and eu-west-1.
Conformity Bot Updates
- We added support for AWS API Gateway Rest API tags to Conformity Bot so that rules like AG-005 (API Gateway Private Endpoint) can now support exceptions based on tags.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.
New Rule
AWS
- IAM-071: Receive Permissions via IAM Groups Only: This rule ensures that your Amazon IAM users can receive permissions only through IAM groups to follow the Principle of Least Privilege (POLP), allowing you to manage user-based access to your AWS resources efficiently.
Rule Update
- RG-001: Tags: ResourceGroup Tags now supports API Gateways - REST API and Stages. To enable these resources, please update and save your rule settings.
Rule Bug Fix
- ELBV2-006: ELBv2 ALB Security Group: Improved this rule to smoothly handle API throttling and prevent the generation of false positives as a result.
conformity_whats_new 11
The following feature and updates were released to Conformity on 8th October 2021.
Preview for Google Cloud Platform (GCP) Now Available!
You can now onboard Google Cloud Projects to Conformity as cloud accounts and scan to produce checks. All GCP projects onboarded to Conformity during the Preview period will be monitored free of charge. Please refer to the Rules section below for Rules included in the Preview release. For details see: Add a GCP Account.
Standards and Compliance Reports
- We now support the CIS AWS Foundations v1.3 Compliance Standard reports, including the Excel version.
- We've also added NIST Cybersecurity Framework compliance reporting for Azure.
New Rules Start Date
You can now customize 'New Rules Start Date' in both organization settings and account settings. Any rules released after this set date will be treated as new rules.
Download Report Summary as PNG
You can download the Report Summary as a PNG image: go to Dashboard > Overview, click the three dots next to Configured Reports, and choose Export PNG.
CSV Reports Update
CSV reports will now include 'Check Id' and 'Link to resource' fields.
Checks API Update
Added a consistentPagination parameter to the Checks API; set it to 'false' to get better performance at the cost of consistency when paginating.
Filter RTM Rules with Services API
Updated the v1/services API to indicate which rules are supported by RTM. Here is an example of using the 'jq' command to parse the v1/services endpoint response and filter the RTM rules:
```
# Download the services/rules catalogue from the API host for your region
curl -s https://ap-southeast-2-api.cloudconformity.com/v1/services > conformityservices.json
# Keep only the rule objects in "included" whose rtm attribute is true
jq '.included[] | select(.attributes.rtm==true)' conformityservices.json > rtmrules.json
```
View all unmonitored accounts in the Threat Monitoring section
Conformity now displays all the accounts unmonitored by RTM on the Threat Monitoring section as compared to previously displaying up to 10 accounts only.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.
Conformity Bot Updates
- Improved Conformity Bot to prevent duplicate notifications or false positives due to throttling without a change in the customer resources. We applied this improvement to some AWS rules for EC2, Route-53, VPC, IAM, KMS, CWL, Inspector, Trusted Advisor, Shield, EMR, WAF, Lambda, Organisations, Cloud Conformity, Secrets Manager, BackUp, and Well-Architected.
New Rules
The following new rules will be available with the Preview release of the Google Cloud Platform to Conformity.
- CloudSQL-002: Enable Automated Backups for Cloud SQL Database Instances: This rule ensures that Cloud SQL database instances are configured with automated backups.
- CloudSQL-003: Enable High Availability for Cloud SQL Database Instances: This rule ensures that the production SQL database instances are configured to automatically failover to another zone within the selected cloud region.
- BigQuery-001: Check for Publicly Accessible BigQuery Datasets: This rule checks for publicly accessible Google Cloud BigQuery datasets.
- CloudStorage-001: Check for Publicly Accessible Cloud Storage Buckets: This rule ensures that there are no publicly accessible Cloud Storage buckets within your Google Cloud Platform (GCP) account.
- CloudVPC-001: Check for Unrestricted RDP Access: This rule ensures that there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).
- CloudVPC-002: Check for Unrestricted SSH Access: This rule ensures that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).
- CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: This rule ensures that the VPC Flow Logs feature is enabled for all VPC network subnets.
- CloudIAM-001: Restrict Administrator Access for Service Accounts: This rule ensures that user-managed service accounts are not using administrator-based roles.
- ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses: This rule ensures that your Google Compute Engine instances are not configured to have external IP addresses, to minimize their exposure to the Internet.
- CloudKMS-001: Check for Publicly Accessible Cloud KMS Keys: This rule ensures that there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.
Rule Updates
- RTM-009: VPC Network Configuration Changes: This rule now supports an 'allow list' of users based on ARNs such that checks are not generated for users added to this list. The supported user types are IAMUser, AssumedRole, and FederatedUser.
- VPC-015: Ineffective Network ACL DENY Rules: Updated this rule to generate a rule failure if a DENY NACL rule is ineffective due to a higher priority ALLOW rule.
- Route53-003: Route 53 Domain Transfer Lock: This rule has been updated to not check the transfer lock status of the following top-level domains, as AWS does not support transfer lock for them:
- “.ch”
- “.co.nz”
- “.co.za”
- “.com.ar”
- “.com.au”
- “.de”
- “.es”
- “.eu”
- “.fi”
- “.fr”
- “.jp”
- “.net.au”
- “.net.nz”
- “.nl”
- “.it”
- “.org.nz”
- “.qa”
- “.ru”
- “.se”
- “.uk”
- Rules labeled as 'New' have been updated to 'Recently added'.
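The two NACL behaviours above (the shadowed DENY rules that VPC-015 now fails, and the unrestricted administration ports that VPC-017, added on 12th August, looks for) both follow from how AWS orders NACL evaluation. The script below is an added example written for this page, not Conformity's code: it models first-match evaluation over constructed NACL entries and reports both conditions. The entry fields follow the shape of the EC2 DescribeNetworkAcls output; the rule numbers, CIDRs and ports are made up for the example.

```python
"""Model how AWS evaluates Network ACL entries, to show what VPC-015 and VPC-017 flag.

Added example, not Conformity's code. AWS walks NACL entries in ascending
rule-number order and the first entry that matches a packet decides it, so:
  * a DENY fully covered by a lower-numbered ALLOW never fires (VPC-015);
  * an ALLOW that is the first match for TCP 22/3389 from 0.0.0.0/0 leaves the
    remote-administration ports open (VPC-017).
The Entry fields mirror the EC2 DescribeNetworkAcls entry shape; the sample
entries below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = (22, 3389)


@dataclass(frozen=True)
class Entry:
    rule_number: int
    egress: bool
    protocol: str          # "-1" = all protocols, "6" = TCP, "17" = UDP (EC2 API encoding)
    action: str            # "allow" or "deny"
    cidr: str
    from_port: int = 0     # protocol "-1" carries no port range: treat as 0-65535
    to_port: int = 65535


def covers(outer: Entry, inner: Entry) -> bool:
    """True if every packet that `inner` would match is also matched by `outer`."""
    if outer.egress != inner.egress:
        return False
    if outer.protocol != "-1" and outer.protocol != inner.protocol:
        return False
    o_net = ipaddress.ip_network(outer.cidr)
    i_net = ipaddress.ip_network(inner.cidr)
    if o_net.version != i_net.version or not i_net.subnet_of(o_net):
        return False
    return outer.from_port <= inner.from_port and inner.to_port <= outer.to_port


def ineffective_denies(entries):
    """VPC-015: (deny_rule, allow_rule) pairs where the ALLOW pre-empts the DENY."""
    ordered = sorted(entries, key=lambda e: e.rule_number)
    shadowed = []
    for idx, entry in enumerate(ordered):
        if entry.action != "deny":
            continue
        for earlier in ordered[:idx]:
            if earlier.action == "allow" and covers(earlier, entry):
                shadowed.append((entry.rule_number, earlier.rule_number))
                break
    return shadowed


def open_admin_ports(entries):
    """VPC-017: (port, allow_rule) for TCP 22/3389 from 0.0.0.0/0 whose first
    matching entry is an ALLOW. An earlier DENY covering the port stops the walk."""
    ordered = sorted(entries, key=lambda e: e.rule_number)
    findings = []
    for port in ADMIN_PORTS:
        probe = Entry(0, False, "6", "allow", "0.0.0.0/0", port, port)
        for entry in ordered:
            if covers(entry, probe):
                if entry.action == "allow":
                    findings.append((port, entry.rule_number))
                break
    return findings


# Constructed NACL: the wide ALLOW at 110 turns the later DENYs at 120/130 into
# dead rules, while the DENY at 105 is reached first for RDP and still works.
SAMPLE_ENTRIES = [
    Entry(100, False, "6", "allow", "0.0.0.0/0", 443, 443),
    Entry(105, False, "6", "deny", "0.0.0.0/0", 3389, 3389),
    Entry(110, False, "6", "allow", "0.0.0.0/0", 0, 65535),
    Entry(120, False, "6", "deny", "0.0.0.0/0", 22, 22),
    Entry(130, False, "6", "deny", "198.51.100.0/24", 3306, 3306),
    Entry(32767, False, "-1", "deny", "0.0.0.0/0"),
    Entry(100, True, "-1", "allow", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("VPC-015 ineffective DENYs:", ineffective_denies(SAMPLE_ENTRIES))
    print("VPC-017 open admin ports:", open_admin_ports(SAMPLE_ENTRIES))
```

Feeding the script real entries from `aws ec2 describe-network-acls` only needs a small mapping of the JSON fields onto Entry; the point of the model is that rule order, not rule presence, decides whether a DENY protects anything.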
Rule Bug Fixes
- The following VPC Network ACL rules will no longer scan shared VPCs and produce checks:
- VPC-010: Unrestricted Network ACL Outbound Traffic
- VPC-011: Unrestricted Network ACL Inbound Traffic
- VPC-015: Ineffective Network ACL DENY Rules
- VPC-017: Unrestricted Inbound Traffic on Remote Server Administration Ports
- Fixed a bug to prevent false positives from being generated for the following rules:
- SNS-006 - SNS Topic Encrypted
- SNS-007 - SNS Topic Encrypted With KMS Customer Master Keys
conformity_whats_new 12
The Conformity Production account experienced a degree of outbound API call rate-limiting for the IAM service in AWS between 30th August and 16th September 2021, resulting in some missing and outdated checks by Conformity Bot.
Cause
Working with the AWS account teams, we identified certain instances where Conformity was making repetitive API calls, for example redundant attempts to list and get certain AWS managed policies, which contributed to throttling by AWS.
Resolution
We have made Conformity Bot checks for the IAM service more reliable by caching certain IAM results to reduce the number of redundant API calls. This also reduces the likelihood of API throttling on your accounts. We will continue to monitor the system to ensure the success of these improvements. We have more improvements planned to increase the efficiency of the Conformity Bot in the near future and will keep you updated with the progress.
conformity_whats_new 13
The following features and updates were released to Conformity on 4th November 2021.
- The Custom Check API now enables a user to specify a TTL field to auto remove/expire their check.
- The extra data for checks earlier available through the Get Check Details API and UI is now included in the 'Meta' column of CSV reports.
- We've improved the RTM EventBridge rule to exclude data events.
Bug Fixes
- Fixed an issue with the Jira communication channel configuration where the 'Save' and 'Test' buttons got stuck when testing against an invalid priority.
- Improved the performance of the "Create Account" Public API; response time is now reduced.
- Added the missing metadata, page number and size to the payload response examples in the Checks API Reference documentation.
- Fixed a bug to display the corresponding ticketing channels while viewing checks for 'All Cloud Accounts'.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.33. The permissions added are:
- macie2:GetClassificationExportConfiguration
- macie2:ListClassificationJobs
- macie2:GetFindingStatistics
Click here to access the latest custom policy.
New Rules
AWS
- S3-029: Amazon Macie Finding Statistics for S3: This rule captures summary statistics about Amazon Macie security findings on a per-S3 bucket basis.
- Macie2-002: Amazon Macie Sensitive Data Repository: This rule ensures that a data repository bucket is defined for Amazon Macie within each AWS region.
- Macie2-003: Amazon Macie Discovery Jobs: This rule ensures that Amazon Macie data discovery jobs are created and configured within each AWS region.
Azure
- SecurityCenter-029: Configure Additional Email Addresses for Azure Security Center Notifications: This rule ensures that additional email addresses are provided to receive security notifications.
Rule Updates
- SSM-003: Check for SSM Managed Instances: Updated the rule to no longer produce checks for EC2 Instances in the 'Stopped' state.
- IAM-054: IAM Configuration Changes: Added a new rule configuration for setting a regular expression of ARNs for users (IAMUser, AssumedRole or FederatedUser) whose activity will not be checked against this rule (e.g. ^(arn:aws:iam::\d{12}:user\/James-.+)$).
- RTM-011: Unintended AWS API Calls Detected: This rule now supports the 'PasswordRecoveryRequested', 'PasswordRecoveryCompleted' and 'PasswordUpdated' root user events.
- Updated Default Risk Levels for S3-026 and S3-027
We've updated the default risk levels for these rules to reduce alarm noise and give more relevant notifications from the other S3 rules that do control exposure of a bucket to public access.
- S3-026: Enable S3 Block Public Access for S3 Buckets - from 'Very High' to 'Medium'.
- S3-027: Enable S3 Block Public Access for AWS Accounts - from 'Very High' to 'Low'.
An account admin can only use the S3 Block Public Access feature to restrict public access to a bucket; it cannot grant public access. Public access to a bucket or access point has to be granted through a bucket policy or an ACL. Failing the checks for S3-026 and S3-027 at 'Very High' severity therefore overstates the exposure of the buckets in an account.
The severities of 'Medium' and 'Low' respectively give a closer depiction of the exposure, since the 'Very High' severity rules S3-001, S3-002, S3-003, S3-004, S3-005 and S3-014 directly control public access to a bucket.
For more information see AWS documentation on Block Public Access and Access Control Block Public Access.
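The IAM-054 allow-list above (and the RTM-009 one from 8th October) is a regular expression over principal ARNs, and the difference between a tight and a loose pattern is the difference between exempting one operator and exempting everyone. The script below is an added example for this page, not Conformity's code or its matching logic: it runs candidate patterns over constructed CloudTrail userIdentity ARNs for the three supported principal types. PAGE_PATTERN is the example from the release note; ALL_TYPES_PATTERN and the "James-..." session-name convention are assumptions made here.

```python
"""Check which principal ARNs an IAM-054 / RTM-009 style allow-list regex exempts.

Added example, not Conformity's code. Both rules take a regular expression over
principal ARNs and skip activity from matching IAMUser, AssumedRole and
FederatedUser principals. The userIdentity records below are constructed;
PAGE_PATTERN is the example pattern quoted in the release notes, the other
patterns are this example's own.
"""
import re

PAGE_PATTERN = r"^(arn:aws:iam::\d{12}:user\/James-.+)$"

# Assumption: covers the same person as IAM user, as any role session named
# "James-...", and as a federated user. Not taken from the page.
ALL_TYPES_PATTERN = (
    r"^arn:aws:(iam::\d{12}:user/James-.+"
    r"|sts::\d{12}:(assumed-role/[^/]+|federated-user)/James-.+)$"
)

# Constructed CloudTrail userIdentity values. AssumedRole and FederatedUser
# principals appear with sts ARNs, not iam ones, so a user-only pattern never
# matches them.
EVENTS = [
    {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/James-Smith"},
    {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/NotJames-Smith"},
    {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops/James-Lee"},
    {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/James-Smith"},
    {"type": "FederatedUser",
     "arn": "arn:aws:sts::123456789012:federated-user/James-Smith"},
]


def exempted(pattern, events, anchored=True):
    """Return the ARNs the allow-list would exempt from the rule.

    anchored=True uses fullmatch, i.e. the whole ARN must match, which is what
    a ^...$ pattern expresses. anchored=False uses search, showing how a
    pattern without anchors widens the exemption to any ARN containing the
    fragment (NotJames-Smith, every role session, every federated user)."""
    rx = re.compile(pattern)
    hit = rx.fullmatch if anchored else rx.search
    return [e["arn"] for e in events if hit(e["arn"])]


if __name__ == "__main__":
    print("page pattern exempts:", exempted(PAGE_PATTERN, EVENTS))
    print("all principal types:", exempted(ALL_TYPES_PATTERN, EVENTS))
    print("unanchored 'James-.+':", exempted(r"James-.+", EVENTS, anchored=False))
```

Before saving a pattern in the rule settings, run it through a list like this that includes the principals you do not intend to exempt; an allow list that quietly covers every assumed-role session is a blind spot in configuration-change monitoring.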
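The severity argument for S3-026/S3-027 rests on which Block Public Access settings act on existing grants and which only block new ones. The following script is an added example for this page, not Conformity's or AWS's code: a simplified model of bucket reachability under the four BPA settings, including the way account-level and bucket-level settings combine. The bucket records are constructed.

```python
"""Simplified model of what S3 Block Public Access (BPA) does to existing grants.

Added example, not Conformity's or AWS's code. Of the four BPA settings only
two act on grants that already exist: IgnorePublicAcls makes S3 ignore public
ACLs, and RestrictPublicBuckets confines a bucket with a public policy to the
owning account and AWS service principals. BlockPublicAcls and
BlockPublicPolicy only reject new public grants. A bucket is reachable by
everyone only if a public ACL or policy exists and the matching setting is off,
which is why the grant-checking rules (S3-001..S3-005, S3-014) carry the
'Very High' severity. Buckets below are constructed.
"""
from dataclasses import astuple, dataclass


@dataclass(frozen=True)
class BlockPublicAccess:
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False

    @property
    def complete(self) -> bool:
        return all(astuple(self))


def effective(account: BlockPublicAccess, bucket: BlockPublicAccess) -> BlockPublicAccess:
    """Account-level and bucket-level BPA combine to the most restrictive setting."""
    return BlockPublicAccess(*(a or b for a, b in zip(astuple(account), astuple(bucket))))


@dataclass(frozen=True)
class Bucket:
    name: str
    public_acl: bool        # ACL grants READ to AllUsers or AuthenticatedUsers
    public_policy: bool     # policy statement with Principal "*" and no narrowing condition
    bpa: BlockPublicAccess


def classify(bucket: Bucket, account_bpa: BlockPublicAccess = BlockPublicAccess()) -> str:
    """Return "public", "guarded", "unguarded" or "hardened"."""
    bpa = effective(account_bpa, bucket.bpa)
    acl_reachable = bucket.public_acl and not bpa.ignore_public_acls
    policy_reachable = bucket.public_policy and not bpa.restrict_public_buckets
    if acl_reachable or policy_reachable:
        return "public"        # an actual exposure: the S3-001..S3-005 / S3-014 class
    if bucket.public_acl or bucket.public_policy:
        return "guarded"       # grant exists but BPA neutralises it
    if not bpa.complete:
        return "unguarded"     # S3-026/S3-027 territory: no exposure, no guard rail
    return "hardened"


SAMPLE_BUCKETS = [
    Bucket("app-logs", False, False, BlockPublicAccess()),
    Bucket("www-assets", False, True, BlockPublicAccess()),
    Bucket("legacy-share", True, False,
           BlockPublicAccess(block_public_acls=True, ignore_public_acls=True)),
    Bucket("vault", False, False, BlockPublicAccess(True, True, True, True)),
]


def report(buckets, account_bpa: BlockPublicAccess = BlockPublicAccess()):
    return {b.name: classify(b, account_bpa) for b in buckets}


if __name__ == "__main__":
    for name, state in report(SAMPLE_BUCKETS).items():
        print(f"{name:14} {state}")
```

Turning on RestrictPublicBuckets at the account level moves "www-assets" from "public" to "guarded" without touching its policy, which is the sense in which S3-027 is a guard rail rather than an exposure finding.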
Bug Fixes
- IAM-017: Unused IAM Group: Fixed a bug where RTM generated false positive check results for this rule.
- Fixed a bug where duplicate notifications were generated for the following rules:
- VirtualMachines-001: Enable Encryption for Boot Disk Volumes
- VirtualMachines-002: Enable Encryption for Non-Boot Disk Volumes
- VirtualMachines-003: Enable Encryption for Unattached Disk Volumes
- Fixed a bug where the EBS service retained stale checks for users with a large number of EBS snapshots.
- Fixed a bug where ELB related rules were not being triggered by RTM events.
- Added Template Scanner support for the AWS KMS key and DB instance resources in Terraform plans.
- IAM-047: IAM Manager Roles: Fixed a bug where false negative checks were being generated for the rule.
conformity_whats_new 14
The following features and updates were released to Conformity on 19th November 2021.
Conformity now available in the Terraform Provider Registry
Conformity is now supported as a Terraform Provider allowing you to provision and manage your Conformity account settings via Terraform templates. The functionality includes onboarding and managing AWS and Azure accounts, users, profiles and account rule settings, reports, conformity bot frequency, and communication channels. Read more >>
GCP Account Onboarding
- You can now upload a service account key file while adding a GCP account instead of using the copy and paste option.
- You can also view the number of existing GCP projects added to the service account.
Profiles - UX Improvements
- We've updated the 'Apply to' dialogue box to be more descriptive of the search function.
- We've also updated the Profile Summary page to provide clarity around the 'manually configured' and 'available to be configured' rules.
- Additionally, we've added a 'Rule Summary' section under Rule Settings for individual accounts.
Bug Fixes
- Fixed a bug to update the Communication Channel API endpoint to make it consistent with the UI.
- Fixed a bug where incomplete accounts were being displayed in the unmonitored account list on the All accounts tab in the Threat monitoring dashboard.
- Fixed a bug so that the Azure Conformity Bot uses consistent region naming for filters and check results.
- Fixed a bug in validation when creating/updating report configs via the API, so that all items in the email array are checked and the request is rejected if any has an invalid format.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.34. The permission added is:
- config:SelectResourceConfig
Click here to access the latest custom policy.
New Rules
Azure
- ActiveDirectory-024: Enable Security Defaults: This rule ensures that the Security Defaults feature is enabled for Azure Active Directory (AAD) to help protect your organization from common attacks. It is a set of basic identity security mechanisms recommended by Microsoft and provided at no extra cost in Active Directory.
- ActiveDirectory-023: Restrict User Access to AAD Group Features in Azure Access Panel: This rule ensures that the 'Restrict user ability to access groups features in the Access Panel' setting is enabled, to ascertain that non-privileged users are unable to create and manage security groups using the Azure Access Panel.
Rule Updates
- CS-001: AWS Custom Rule (ConfigService): This rule now allows you to assign the following categories to custom rules. If you have not configured a custom category, the default categories apply to all custom rules.
- Security
- Reliability
- Performance Efficiency
- Cost Optimisation
- Operational Excellence
- CloudFormation Rules: Updated this rule to generate a rule failure if a DENY NACL rule is ineffective due to a higher priority ALLOW rule.
Rule Bug Fixes
- RDS-005: RDS Encrypted With KMS Customer Master Keys: Fixed bug where the rule was generating false positives when encrypted using AWS default keys.
- RDS-007: RDS Multi-AZ: Fixed a bug on RDS-007 so that no check is returned for Aurora Serverless DB clusters.
- Fixed a bug where RTM did not generate checks for the following rules when an IAM role was created or updated:
- IAM-050: Cross-Account Access Lacks External ID and MFA
- IAM-057: Check for Untrusted Cross-Account IAM Roles
conformity_whats_new 15
The following features and updates will be released to Conformity on 29th November 2021.
New API Endpoints for:
GCP Account Onboarding
- Create GCP Organisation: POST /gcp/organisations
- Create GCP Account: POST /accounts/gcp
- List GCP Projects in an Organisation: GET /v1/gcp/organisations/{id}/projects
Azure Subscriptions Onboarding
- Onboard Azure Active Directory: POST /azure/active-directories
- List all subscriptions in an onboarded Azure Active Directory: GET /azure/active-directories/{directoryId}/subscriptions
Bug Fixes
- Fixed a bug where a Conformity user and a Cloud One user with the same email address got an error when trying to reset the password from the Conformity screen.
- Fixed a bug to prevent the same checks from being generated on different GCP projects that are onboarded in the same service account.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.34. Click here to access the latest custom policy
New Rules
GCP
- CloudSQL-004: Enable SSL/TLS for Cloud SQL Incoming Connections: This rule checks whether secure SSL/TLS is used for incoming connections to Cloud SQL server database instances.
- ComputeEngine-002: Enforce HTTPS Connections for App Engine Applications: This rule ensures that all connections made to your Google App Engine applications use HTTPS in order to protect against eavesdropping and data exposure.
Rule Updates
- Route53-011: Remove AWS Route 53 Dangling DNS Records: Updated the primary resource from "hosted zone" to "hosted zone's record" to allow-list IPs and record names. Please note that only records with AWS IPs can generate checks. Note: the resourceID has changed from "hosted zone" to "hosted zone-record name" (e.g. it used to be "/hostedzone/xxxx" and is now "/hostedzone/xxxx-domain.com."). You'll need to update the existing resourceID exceptions and suppression settings accordingly.
- RTM now supports RDS DB cluster event rules.
conformity_whats_new 16
The following features and updates were released to Conformity on 10th November 2021.
- Conformity now supports the LGPD (Brazil) Compliance and Conformity AWS Standard and Framework report.
- You can also add a description to all of your Configured Reports.
Bug Fixes
- Fixed a bug where Conformity displayed a blank screen when onboarding a GCP project without the correct permissions.
- Fixed a bug where the Reports API endpoint returned an error when using the curl -L command.
- Fixed a bug to hide admin links in the communication channel recipient configuration screen for non-admin users.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.34. Click here to access the latest custom policy.
New Rules
GCP
- CloudSQL-005: Disable 'Cross DB Ownership Chaining' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have the 'cross db ownership chaining' flag set to Off.
- CloudSQL-006: Disable 'Contained Database Authentication' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have the 'contained database authentication' flag set to Off.
- CloudSQL-007: Disable "log_min_duration_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_min_duration_statement" flag set to -1 (Off).
- CloudKMS-002: Rotate Google Cloud KMS Keys: This rule ensures that all KMS cryptographic keys available within your Google Cloud account are regularly rotated.
- CloudIAM-002: Enforce Separation of Duties for Service-Account Related Roles: This rule ensures that separation of duties is implemented for all Google Cloud service account roles.
Azure
- AccessControl-002: Resource Locking Administrator Role: This rule ensures that there is a custom IAM role assigned to manage resource locking within each Microsoft Azure subscription.
Rule Updates
- Inspector-001: Amazon Inspector Findings: This rule now returns EC2 instance tags and finding attributes (tags) related to the finding as part of the check tags data. EC2 instance tags and Inspector finding attributes can be disabled or enabled within the rule configuration. Both are enabled by default.
- Advisor-001: Check for Azure Advisor Recommendations: This rule now displays checks under the relevant categories when filtering, reporting or calculating scores for each pillar, instead of appearing under all 5 categories.
conformity_whats_new 17
The following features and updates were released to Conformity on 19 January 2022.
- The Jira communication channel configuration modal now displays an error message when the test ticket cannot be transitioned properly when testing a configuration.
Bug Fixes
- Fixed a bug with Jira ticket workflows not resolving properly when the workflow has a screen attached to the Done transition and the screen has a required field (for example, resolution).
- Fixed a bug that caused the 'Resource' and 'Introduced by' fields to be included by default in Slack notification messages from Conformity, even though the default configuration displayed in the UI indicated otherwise.
- Fixed a bug to enable an Admin user to invite a Cloud One Conformity user to a Conformity direct organization.
- Fixed a bug where the ‘Disable’ and ‘Remove’ buttons were pushed off the screen when an API key had multiple safe-listed IP addresses.
- Fixed a bug where previously suppressed checks were displayed as unsuppressed after an update to group settings or to Azure access settings.
- Fixed an issue where, in the ‘View by Resources’ tab, unscored checks were displayed and counted as failed checks.
Custom Policy Updates
- The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.35. Click here to access the latest custom policy.
- The permission added is: ‘iam:GetAccountAuthorizationDetails’
New Rules
GCP
- ComputeEngine-003: Disable Interactive Serial Console Support: This rule ensures that interactive serial console support is disabled for all your production Google Compute Engine instances.
- ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances: This rule ensures that the IP Forwarding feature is disabled at the Google Compute Engine instance level for security and compliance reasons, as instances with IP Forwarding enabled can act as routers/packet forwarders.
- CloudSQL-008: Enable 'log_connections' Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the 'log_connections' configuration flag enabled.
- CloudSQL-009: Enable "log_disconnections" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_disconnections" flag enabled.
- CloudSQL-010: Enable "log_checkpoints" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_checkpoints" flag enabled.
- CloudSQL-011: Enable "log_lock_waits" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the "log_lock_waits" flag enabled.
- CloudSQL-012: Enable 'log_temp_files' Flag for PostgreSQL Database Instances: This rule ensures that the "log_temp_files" database flag is set to 0 (enabled) for all your Google Cloud PostgreSQL database instances.
- CloudSQL-013: Configure "log_min_error_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_min_error_statement" flag.
- CloudSQL-014: Disable "local_infile" Flag for MySQL Database Instances: This rule ensures that MySQL database instances have the "local_infile" flag disabled.
Azure
- AppService-017: Disable Plain FTP Deployment: This rule ensures that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, FTP deployment can be disabled or performed over FTPS. FTPS (Secure FTP) adds an extra layer of security to the FTP protocol and helps you to comply with industry standards and regulations.
- VirtualMachines-036: Use Customer Managed Keys for Virtual Hard Disk Encryption: This rule ensures that your Microsoft Azure Virtual Hard Disk (VHD) volumes are using Customer Managed Keys (CMKs) instead of Platform-Managed Keys (PMKs, the default keys used by Microsoft Azure for disk encryption) in order to have full control over your VHD data encryption and decryption process.
- Network-015: Check for Unrestricted UDP Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access (i.e. 0.0.0.0/0) on UDP ports.
- ActivityLog-027: Create Alert for "Delete Policy Assignment" Events: This rule ensures that an Azure activity log alert is used to detect "Delete Policy Assignment" events.
Rule Updates
- RDS-023: Amazon RDS Public Snapshots: We’ve updated this rule to prevent stale checks due to throttling.
- Updated the following rules so that checks won't be deleted if triggered by DeleteAccessKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteLoginProfile or DeletePolicyVersion events:
- IAM-004: Unnecessary Access Keys
- IAM-013: MFA For IAM Users With Console Password
- IAM-016: IAM User Policies
- IAM-024: IAM User With Password And Access Keys
- IAM-025: Unnecessary SSH Public Keys
- IAM-028: Inactive IAM Console User
- IAM-029: Unused IAM User
- IAM-036: AWS IAM Users with Admin Privileges
- IAM-058: Check that only safelisted IAM Users exist
- IAM-070: Check for IAM User Group Membership
- IAM-071: Receive Permissions via IAM Groups Only
Bug Fixes
- SSM-003: Check for SSM Managed Instances: Fixed a bug where checks were generated for EC2 instances in a state other than pending or running.
- Fixed a bug that prevented RTM from generating checks for the following rules when DB cluster events are triggered:
- RDS-007: RDS Multi-AZ
- RDS-035: Cluster Deletion Protection
- RDS-042: Enable Aurora Cluster Copy Tags to Snapshots
conformity_whats_new 18
The following features and updates are now available with Conformity's latest release on 27 January 2022.
- Conformity now supports the CIS Benchmarks for AWS Foundations 1.4 Standard and Framework report.
- Added a new property to ‘GET /v1/azure/active-directories/{id}/subscriptions’ to indicate whether or not a subscription has been onboarded onto Conformity.
- Enhanced Rule Settings > Configure Rule at the account level to exclude matched resources between Conformity Bot runs.
Bug Fixes
- Fixed an issue where a longer account name displayed a broken HTML tag on the RTM dashboard.
- Fixed incorrect sample requests for the 'Update Rule Setting' and 'Update Rule Settings' APIs.
- Fixed an issue where reports generated in "Improve compliance across your organisation" were not saved in the ‘Other Reports - History’ section.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.
New Rules
GCP
- ComputeEngine-005: Enable "Shielded VM" Security Feature: This rule ensures that the ‘Shielded VM’ feature is enabled for your virtual machine (VM) instances.
- ComputeEngine-006: Check for Instances Associated with Default Service Accounts: This rule ensures that your VM instances are not associated with the default GCP service account.
- ComputeEngine-008: Check for Instance-Associated Service Accounts with Full API Access: This rule ensures that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
- CloudIAM-003: Check for IAM Members with Service Roles at the Project Level: This rule ensures that the Service Account User and Service Account Token Creator roles are assigned to a user for a specific GCP service account rather than to a user at the GCP project level.
Bug Fix
- S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: Fixed a bug where the disabled rule was generating checks.
conformity_whats_new 19
From approximately 00:30 UTC 19 January 2022 to approximately 10:00 UTC 10 February 2022, Conformity experienced data retrieval errors for the AWS IAM and TrustedAdvisor services, which resulted in missing checks for certain rules. The issues have now been resolved and the affected checks have been regenerated.
Incident Summary
Due to changes deployed on 19 January to how Conformity handles certain AWS credentials, AWS Conformity Bot was not able to retrieve certain resource data for two AWS services. These changes affected rules dependent upon AWS TrustedAdvisor Checks and IAM Credential Reports.
Impact
Checks related to the AWS Trusted Advisor and IAM Credential Report services were deleted by Conformity Bot because it could not retrieve any resources for these services. The following IAM and TrustedAdvisor rules were affected:
IAM Rules
- IAM-055: Canary Access Token
- IAM-048: Root Account Active Signing Certificates
- IAM-042: Hardware MFA for AWS Root Account
- IAM-041: IAM User Password Expiry 45 Days
- IAM-040: IAM User Password Expiry 30 Days
- IAM-039: IAM User Password Expiry 7 Day
- IAM-035: Root Account Usage
- IAM-003: Credentials Last Used
TrustedAdvisor Rules
- TrustedAdvisor-001: Trusted Advisor Service Limits
- TrustedAdvisor-002: Trusted Advisor Checks
- TrustedAdvisor-003: Exposed IAM Access Keys
Resolution
We’ve improved how Conformity Bot handles the way we retrieve TrustedAdvisor Checks and IAM Credential Reports to be compatible with the changes we introduced in January 2022.
conformity_whats_new 20
The following features and updates are now available with Conformity's latest release on 16 February 2022.
Bug Fix
- Fixed a bug where the PATCH Rule Settings API endpoint returned an error when the request had misplaced exception attributes.
Custom Policy Updates
- There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.
New Rules
GCP
- CloudSQL-015: Check for Publicly Accessible Cloud SQL Database Instances: This rule ensures that your Google Cloud SQL database instances are configured to accept connections from trusted networks and IP addresses only.
- ComputeEngine-007: Enable VM Disk Encryption with Customer-Supplied Encryption Keys: This rule ensures that the disks attached to your production Google Compute Engine instances are encrypted with Customer-Supplied Encryption Keys (CSEKs).
- CloudIAM-004: Delete User-Managed Service Account Keys: This rule ensures that VM instances are not associated with default service accounts that allow full access to all Google Cloud APIs.
Rules Updates
- Firehose-001: Firehose Delivery Stream Destination Encryption: This rule has been updated to specify the relevant encryption type. The rule ensures that Firehose delivery stream data records are encrypted at the destination.
- Lambda-001: Lambda Runtime Environment Version: Customers can now configure the end-of-support runtime in the rule settings.
Rule Bug Fixes
- ECS-002: ECS Task Log Driver In Use: Fixed a bug where the disabled rule was generating checks.
- ECS-003: ECS Configuration Changes: Fixed a bug where Conformity Bot was unable to correctly scan ECS clusters.
conformity_whats_new 21
The following features and updates are now available with Conformity's latest release on 9 March 2022.
- Updated Compliance Evolution Score Calculation: Conformity Compliance Status numbers are calculated based on the latest Conformity Bot run. We’ve updated the calculation of the evolution chart compliance to match the formula used in the live Conformity compliance status dashboard, i.e. the unweighted formula: (Total number of successful Checks / Total number of Checks) * 100.
- Previously, the evolution compliance was an average of the compliances across accounts, which produced daily results that were not comparable with the live results because:
- The Compliance level evolution numbers are calculated based on the last 24 Conformity Bot runs
- The base dataset used to calculate the values for each widget is different, so even with the same calculation method (total successes / total checks * 100) the results are likely to differ.
- This change will affect the evolution chart API, the Dashboard and the results received in the Conformity weekly summary email. For details see: Compliance Evolution
- Special Characters in Report Title and Description: We now support Chinese characters in the Title and Description fields of Report Configurations.
- Search and View Accounts by Account ID: As an Admin user, you can allow users to view and search for a cloud account by its Account ID by toggling the ON/OFF button under Administration > Subscription > Conformity Accounts. For more info see Subscriptions
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.35. Click here to access the current custom policy.
New Rules
GCP
- CloudVPC-004: Default VPC Network In Use: This rule ensures that the default VPC network is not being used within your GCP projects.
- CloudVPC-005: Check for Legacy Networks: This rule ensures that legacy networks are no longer being used within your GCP projects.
- CloudIAM-005: Enable Multi-Factor Authentication for User Accounts: This rule ensures that Multi-Factor Authentication (also known as 2-Step Verification or 2SV) is enabled for all user accounts in order to help protect access to your Google Cloud Platform (GCP) resources, applications and data.
- CloudIAM-006: Enable Security Key Enforcement for Admin Accounts: This rule ensures that security key enforcement is enabled for all Google Cloud Platform (GCP) organization administrator accounts.
- CloudSQL-016: Configure Root Password for MySQL Database Access: This rule ensures that Google Cloud MySQL database instances do not allow anyone to connect with administrative privileges without a root password.
Rules Updates
- EC2-034: Unrestricted Security Group Ingress on Uncommon Ports: We’ve updated:
- The rule’s name from ‘Unrestricted Security Group Ingress’ to ‘Unrestricted Security Group Ingress on Uncommon Port’ and
- Added a configuration to enable users to allowlist AWS Security Groups by name with Regex.
Rules Bug Fixes
- RDS-034: Backtrack: Fixed a bug where checks for Aurora RDS instances were not being generated.
- VPC-016: VPC Endpoints in Use: Fixed a bug where the rule returned false positives for VPCs shared from another account.
- VPC-010: Unrestricted Network ACL Outbound Traffic and VPC-011: Unrestricted Network ACL Inbound Traffic: The rules have been updated to:
- Include the number of compliant/non-compliant rules in the check message
- Restrict the ICMP protocol from contributing to ‘FAILURE’ status checks
- IAM-013: MFA for IAM Users with Console Password: Fixed a bug where a stale check still existed after the IAM User Login Profile had been removed.
conformity_whats_new 22
The following features and updates are now available with Conformity's latest release on 28 March 2022.
- Updated NIST 800-53 Rev5 Compliance & Conformity Report: We've updated the NIST 800-53 Rev5 Compliance & Conformity report to include rules and enhanced controls.
- Updated Suppression Data Behaviour for Azure Accounts: We've updated the suppression data behaviour for Azure accounts, where suppressed Azure checks disappeared when the check was recreated.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.36 and the permission added is: firehose:ListTagsForDeliveryStream. Click here to access the current custom policy.
New Rules
Azure
- StorageAccounts-018: Account Encryption using Customer Managed Keys: This rule ensures that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e. default keys used by Microsoft Azure for data encryption), to have more granular control over your Azure Storage data encryption and decryption process.
AWS
- Firehose-002: Firehose Delivery Stream Server-Side Encryption: This rule ensures that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-Managed Keys (CMKs).
GCP
- CloudIAM-007: Login Credentials In Use: This rule ensures the use of corporate login credentials instead of personal accounts such as Gmail accounts.
- CloudStorage-002: Check for Enable Uniform Bucket-Level Access: This rule ensures that Google Cloud Storage buckets have uniform bucket-level access enabled. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.
Rules Updates
- The following rules now support exceptions by tags retrieved from Azure Blob Container Metadata:
- StorageAccounts-006: Disable Anonymous Access to Blob Containers
- StorageAccounts-012: Enable Immutable Blob Storage
- StorageAccounts-016: Check for Publicly Accessible Web Containers
- StorageAccounts-017: Review Storage Accounts with Static Website Configuration
- Updated the names and descriptions of the following rules to clearly specify encryption in transit and at rest:
- Lambda-008: Enable Encryption in Transit for Environment Variables
- Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys
- IAM-054: IAM Configuration Changes: Updated this rule to allow you to change the severity for each IAM configuration event via rule settings.
Rules Bug Fixes
- IAM-034: Valid IAM Identity Providers: We've improved how we handle IAM identity provider data and fixed an issue with remediating OpenID Connect identity providers to prevent false positives.
- EBS-004: EBS Volumes Recent Snapshots and EBS-005: EBS Volumes Too Old Snapshots: We've updated the way we handle AWS EBS Volumes and EBS Volume Snapshots to improve the reliability and functionality of these rules.
- Fixed a bug to resolve the throttling issue for API Gateway rules by reducing the API Gateway API call concurrency. Affected rules:
- AG-001: APIs CloudWatch Logs
- AG-002: APIs Detailed CloudWatch Metrics
- AG-003: Tracing Enabled
- AG-004: Content Encoding
- AG-007: Private Endpoint
- AG-008: Rotate Expiring SSL Client Certificates
- AG-009: Enable Encryption for API Cache
- AG-010: Enable API Cache
- RG-001: Tags
conformity_whats_new 23
The following rules and updates will be available with Conformity's latest release on 12 April 2022.
Conformity will now support the new 'Sustainability' pillar
Conformity can now help customers benchmark and remediate their sustainability impact. AWS Well-Architected Framework added the 'Sustainability' pillar in December 2021. We've updated our Rules, Reports, Checks filter, Compliance Level Comparison Table, and the Compliance Status Widget in accordance with the AWS Well-Architected Framework updated version.
API Updates
- Conformity now supports Trend Micro's domain when using Conformity's public API
- The legacy users (signed up for Conformity in the 'us-west-2', 'ap-southeast-2', and 'eu-west-1' regions) won't be affected by this change.
- Cloud One Conformity users can now use 'https://conformity.{region}.cloudone.trendmicro.com/api' to access Conformity's public APIs.
Custom Policy Updates
There are no changes to the custom policy as a result of the new deployment. The current custom policy version is 1.36. Click here to access the current custom policy.
New Rules
Azure
- Monitor-007: Configure Diagnostic Setting Categories: This rule ensures that the diagnostic settings are configured to capture the appropriate categories.
- Monitor-008: Enable Diagnostic Logs for the Supported Resources: This rule ensures that Diagnostic Logs are enabled for the supported Azure cloud resources.
AWS
- EC2-077: Require IMDSv2 for EC2 Instances: This rule ensures that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS).
GCP
- CloudDNS-001: Enable DNSSEC for Google Cloud DNS Zones: This rule ensures that the DNSSEC security feature is enabled for all your Google Cloud Domain Name System (DNS) managed zones.
- CloudDNS-002: Check for DNSSEC Key-Signing Algorithm in Use: This rule ensures that the RSASHA1 signature algorithm is not used for DNSSEC key signing.
- CloudAPI-002: Check for API Key Application Restrictions: This rule ensures that your Google Cloud API key usage is restricted to trusted hosts, HTTP referrers, or applications.
- CloudAPI-003: Check for API Key API Restrictions: This rule ensures that API keys have restrictions in place to only allow access to specific APIs, and not general access to all GCP APIs.
- CloudIAM-008: Rotate Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
Rules Updates
- SQL-005: Enable Transparent Data Encryption for SQL Databases: Updated the rule title to 'Enable Transparent Data Encryption for SQL Databases' for an appropriate representation of the best practice recommendation.
Rule Bug Fixes
- Firehose-001: Firehose Delivery Stream Destination Encryption
- Firehose-002: Enable Firehose Delivery Stream Server-Side Encryption: Fixed a bug where Firehose-001 did not have a link to its resources. Also fixed a bug where both Firehose-001 and Firehose-002 did not support tags for Firehose Delivery Streams of the "DirectPut" Delivery Stream type.
- Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys: Fixed a bug where Lambda-009 did not generate a SUCCESS check after the remediation steps had been followed to encrypt Lambda environment variables at rest using CMKs.
conformity_whats_new 24
Incident Update: False positive checks generated for the Azure rule - AppService-018
From approximately 2022-03-09 10:00:00 UTC to 2022-04-19 03:20:00 UTC, the Conformity Bot incorrectly produced failure checks associated with the rule AppService-018 for Azure AppService resources. This was caused by an error in our deployment where some components of AppService-018 were released prematurely. We’ve removed the rule from the application along with all the associated checks, and will notify you in a release notice when we re-introduce the rule.
conformity_whats_new 25
The following rules and updates are now available with Conformity's latest release on 28 April 2022.
- We've updated the PCI DSS v3.2.1 standard to support the new AWS and Azure rules added to Conformity.
- You can now view the GCP Project ID for a GCP Account under Settings > Update General Settings.
Bug Fixes
- Fixed a bug in the API documentation to include descriptions for the fields appearing under the API endpoint 'Get Check Evolution Statistics'.
- Fixed a bug in the check count statistics of the Evolution API so that they reflect the average number across bot runs instead of a cumulative number.
- Fixed a bug that stopped the Conformity bot from running successfully.
- Fixed a bug to display an error for unverified user(s) when creating or updating an SMS or email channel via our public API.
- Fixed a bug to set the default cooldown value for an Auto Scaling group to 300 seconds if it is not specified in the CloudFormation template.
Custom Policy Updates
We've updated the custom policy as a result of the new deployment. The latest custom policy version is 1.37 and the permissions added are:
- inspector:DescribeAssessmentTargets
- inspector:DescribeResourceGroups
- inspector:ListAssessmentTargets
- inspector:PreviewAgents
Click here to access the current custom policy.
New Rules
Azure
- Monitor-009: Enable Exporting Activity Logs for Azure Cloud Resources: This rule ensures that exporting activity logs is enabled for each cloud resource within a subscription.
- StorageAccounts-019: Enable Logging for Azure Storage Blob Service: This rule ensures that storage logging is enabled for the Azure Storage Blob service.
- StorageAccounts-020: Enable Logging for Azure Storage Table Service: This rule ensures that storage logging is enabled for the Azure Storage Table service.
AWS
- EC2-078: Instances Scanned by Amazon Inspector: This rule ensures that all your Amazon EC2 instances are included in at least one Inspector Classic assessment target to make sure that Amazon Inspector Classic service can evaluate your EC2 instances for potential security issues and common vulnerabilities during assessment runs.
GCP
- CloudDNS-003: Check for DNSSEC Zone-Signing Algorithm in Use: This rule ensures that DNSSEC key signing is not using RSASHA1 as the signature algorithm for the Zone-Signing Key (ZSK) associated with your public DNS managed zone.
- CloudIAM-009: Configure Google Cloud Audit Logs to Track All Activities: This rule ensures that the Audit Logs feature is configured to record all service and user activities.
- CloudAPI-001: Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
Rules Updates
- ELBv2-003: ALB Security Policy and ELBv2-009: Network Load Balancer Security Policy: Updated ELBv2-003 and ELBv2-009 to use the latest and most secure security policies.
- IAM-036: AWS IAM Users with Admin Privileges: Updated IAM-036 to show the policies attached to privileged IAM Users.
conformity_whats_new 26
The following updates and features are now available with Conformity's latest release on 17 May 2022.
What's New
- Updated the note below the Compliance level Comparison section on the Main Dashboard to clearly display the number of incomplete and onboarded accounts included in the comparison.
Bug Fixes
- Fixed a bug in RTM where 'Read Only' users could view the Configure Rules button. The button is now visible to authorised users only.
- Fixed a bug where suppressing an Azure check returned errors after a successful suppression.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37.
Click here to access the current custom policy.
New Rules
GCP
- CloudSQL-017: Disable 'remote access' Flag for SQL Server Database Instances: This rule ensures that the "remote access" SQL Server flag is set to "off".
- CloudSQL-018: Disable 'log_statement_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_statement_stats' PostgreSQL database flag is set to Off.
- CloudSQL-019: Disable 'external scripts enabled' Flag for SQL Server Database Instances: This rule ensures that the "external scripts enabled" SQL Server flag is set to Off.
- BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys: This rule ensures that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).
- ComputeEngine-009: Enable "Block Project-Wide SSH keys" Feature: This rule ensures that the Block Project-Wide SSH keys feature is enabled for all your virtual machine instances.
- CloudLogging-001: Enable Monitoring for Bucket Permission Changes: This rule ensures that each Google Cloud Platform (GCP) project has a GCP alerting policy configured that is triggered each time a Google Cloud Storage bucket permission change is made.
- CloudLogging-002: Enable VPC Network Changes Monitoring: This rule ensures that VPC network route changes are being monitored using alerting policies.
- CloudLogging-003: Enable VPC Network Changes Monitoring: This rule ensures that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.
- CloudLogging-004: Enable Monitoring for Custom Role Changes: This rule ensures that custom IAM role changes are being monitored using alerting policies.
- CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes: This rule ensures that SQL instance configuration changes are being monitored using alerting policies.
- CloudLogging-006: Enable Monitoring for Firewall Rule Changes: This rule ensures that each Google Cloud Platform (GCP) project has a GCP alerting policy configured that is triggered every time a Virtual Private Cloud (VPC) network firewall rule change is made.
- CloudLogging-007: Enable Monitoring for Audit Configuration Changes: This rule ensures that GCP project audit configuration changes are being monitored using alerting policies.
- CloudLogging-009: Export All Log Entries Using Sinks: This rule ensures that all the log entries generated for your Google Cloud projects are exported using sinks.
Azure
- SecurityCenter-028: All Parameters for Microsoft Defender for Cloud Default Policy: This rule ensures that all the parameters supported by the Microsoft Defender for Cloud default policy are enabled.
- SecurityCenter-030: Enable Defender for Endpoint Integration with Microsoft Defender for Cloud: This rule ensures that the Defender for Endpoint to Defender for Cloud integration is enabled.
- SecurityCenter-031: Enable Microsoft Defender for Cloud Apps Integration: This rule ensures that the Microsoft Defender for Cloud Apps integration is enabled.
- SecurityCenter-032: Enable Azure Defender for Virtual Machine Servers: This rule ensures that Azure Defender is enabled for Azure virtual machine (VM) servers.
- SecurityCenter-033: Enable Microsoft Defender for Cloud for App Service Instances: This rule ensures that Microsoft Defender for Cloud is enabled for Azure App Service instances.
- SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults: This rule ensures that Microsoft Defender for Cloud is enabled for Azure key vault resources.
Rule Updates
- IAM-013: MFA For IAM Users With Console Password: The rule now supports MFA events.
- VirtualMachine-001: Enable Encryption for Boot Disk Volumes, VirtualMachine-002: Enable Encryption for Non-Boot Disk Volumes, VirtualMachine-003: Enable Encryption for Unattached Disk Volumes: Updated the rules' names to clarify that the encryption concerned is Azure Disk Encryption, and changed the risk level from High to Medium.
Rule Bug Fixes
- EC2-030: EC2 Instance Termination Protection: Fixed a bug where EC2-030 returned checks for EC2 instances that are part of Auto Scaling groups.
- CT-002: CloudTrail S3 Bucket Logging Enabled, CT-003: CloudTrail Bucket Publicly Accessible, CT-004: CloudTrail Bucket MFA Delete Enabled: Fixed how we handle AWS CloudTrail resource data to address incorrect check results for the AWS rules CT-002, CT-003, and CT-004. We also improved how we evaluate CT-002 and CT-004; you may notice that old checks are removed and recreated.
- Fixed a bug where resource types were not displayed correctly in the View by Resource tab for some resources.
conformity_whats_new 27
The following features and updates are now available with Conformity's latest release on 6 June 2022.
- Updated the FedRAMP Rev 4 Compliance Standard to support the new AWS and Azure rules released by Conformity.
- Updated the Get Services API endpoint to display data for associated compliance standards.
Bug Fixes
- Fixed a bug to display the resource type in the View By Resource tab for some rules.
- Fixed a bug to disable the 'Configure' button for Power users in the Conformity Administration > Users tab.
- Fixed a bug to enable users to apply a profile to over 1000 accounts at once.
- Fixed a bug that incorrectly allowed suppression of checks via the Public API without one of the mandatory values being correctly set in the request.
- Fixed a bug to remove an outdated Knowledge Base page for the rule Route53-008.
- Fixed a bug with the drop-down email selection so that it loads all the available emails when configuring a scheduled report.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.
New Rules
GCP
- CloudSQL-020: Configure 'user connections' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have the appropriate configuration set for the 'user connections' flag.
- CloudSQL-021: Disable 'user options' Flag for SQL Server Instances: This rule ensures that the 'user options' SQL Server flag is not configured.
- ComputeEngine-011: Enable Confidential Computing for Virtual Machine Instances: This rule ensures that Confidential Computing is enabled for virtual machine (VM) instances.
- ComputeEngine-010: Enable OS Login for GCP Projects: This rule ensures that the OS Login feature is enabled at the GCP project level.
- CloudLogging-008: Enable Project Ownership Assignments Monitoring: This rule ensures that GCP project ownership changes are being monitored using alerting policies.
AWS
- CF-012: Cloudfront Content Distribution Network: This rule ensures that your websites/web applications are using the Amazon CloudFront Content Distribution Network (CDN) to secure web content delivery (media files and static resource files, e.g. .html, .css, .js).
Azure
- SQL-017: Enable Vulnerability Assessment for Microsoft SQL Servers: This rule ensures that Vulnerability Assessment is enabled for Microsoft SQL database servers.
- Network-016: Check for Unrestricted CIFS Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 445 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.
- Network-017: Check for Unrestricted HTTP Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 80 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.
Rule Updates
- Improved the following rules to take the resource region into account when producing check results:
  - EC2-048: Reserved Instance Lease Expiration In The Next 7 Days
  - EC2-049: Reserved Instance Lease Expiration In The Next 30 Days
  - EC-004: ElastiCache Reserved Cache Node Lease Expiration In The Next 7 Days
  - EC-005: ElastiCache Reserved Cache Node Lease Expiration In The Next 7 Days
  - ES-015: ElasticSearch Node To Node Encryption
  - ES-016: Elasticsearch Reserved Instance Lease Expiration in The Next 7 Days
  - ES-017: Elasticsearch Reserved Instance Lease Expiration in The Next 7 Days
  - RDS-010: RDS General Purpose SSD
  - RDS-011: RDS Default Port
  - RDS-014: RDS Reserved DB Instance Lease Expiration In The Next 7 Days
  - RDS-015: RDS Reserved DB Instance Lease Expiration In The Next 30 Days
  - S3-026: Enable S3 Block Public Access for S3 Buckets
- Updated the following rules to check for additional unrestricted inbound access scenarios on Azure Network Security Groups:
  - Network-001: Check for Unrestricted RDP Access
  - Network-002: Check for Unrestricted SSH Access
  - Network-005: Check for Unrestricted FTP Access
  - Network-006: Check for Unrestricted MySQL Database Access
  - Network-007: Check for Unrestricted PostgreSQL Database Access
  - Network-008: Check for Unrestricted MS SQL Database Access
  - Network-009: Check for Unrestricted Oracle Database Access
  - Network-010: Check for Unrestricted RPC Access
- CT-003: Publicly Accessible CloudTrail Buckets: We've improved how we evaluate the CloudTrail target bucket and its access policies.
Rule Bug Fixes
- SecurityCenter-001: Enable Microsoft Defender Standard Pricing Tier: Fixed a bug to take Microsoft Defender (formerly Security Centre) service changes into account, which were preventing the remediation of failed checks.
conformity_whats_new 28
The following features and updates are now available with Conformity's latest release on 4 July 2022.
- Introducing the new Evolution Chart summary widget under the Overview tab, which lets you view your overall compliance trends for up to one year and the daily average breakdown of your compliance score by Success, Failed, and Total checks. Read more
- Conformity now supports the following compliance standards:
  - ISO 27001:2013 for GCP
  - PCI DSS v3.2.1 (updated to April 2022) for GCP
- Updated AWS and Azure rules mapping for the APRA CPS 234 compliance standard.
- Added a new operator 'isNullOrUndefined' for Custom Rules.
Bug Fixes
- Fixed a bug where unassociated checks from other accounts were being shown inside the Most critical failures section of the Group Dashboard and the Account Dashboard.
- Fixed a bug where users were unable to connect to Jira OAuth via our Jira communications channel when using SSO into the Conformity platform via the Trend Micro Cloud One Console.
- To ensure Microsoft Teams notifications are received promptly for all organizations, Microsoft Teams communication channels are now limited to 100 notifications/hr per channel.
- Fixed a bug where unassociated checks from other accounts in the same organisation were being displayed in the View by Rule and View by Standards & Frameworks views.
- Fixed a bug with the drop-down email selection to load all the available emails when configuring a scheduled report.
- Fixed a bug with Well Architected Tool notes not being generated at times, and added support for the Sustainability pillar.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.
Conformity Bot Update
Improved the performance of Conformity Bot so that it scans only the minimum Active Directory data required to run the Active Directory rules for Azure subscriptions.
New Rules
GCP
- CloudSQL-022: Disable "log_planner_stats" Flag for PostgreSQL Database Instances: This rule ensures that the 'log_planner_stats' PostgreSQL database flag is set to "off".
- CloudSQL-023: Disable 'log_parser_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_hostname' PostgreSQL database flag is set to "on".
- CloudSQL-024: Enable "skip_show_database" Flag for MySQL Database Instances: This rule ensures that the 'skip_show_database' MySQL database flag is set to "on".
- CloudSQL-025: Disable 'log_parser_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_parser_stats' PostgreSQL database flag is set to "off".
- CloudSQL-026: Disable 'log_executor_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_executor_stats' PostgreSQL database flag is set to "off".
- CloudVPC-006: Cloud DNS logging for VPC Networks: This rule ensures that Cloud DNS logging is enabled for all your Virtual Private Cloud (VPC) networks using DNS server policies.
- CloudLoadBalancing-001: Check for Insecure SSL Cipher Suites: This rule ensures that there are no HTTPS/SSL Proxy load balancers configured with insecure SSL policies.
- CloudStorage-003: Configure Retention Policies with Bucket Lock: This rule ensures that the log bucket retention policies are using the Bucket Lock feature.
- CloudIAM-010: Enforce Separation of Duties for KMS-Related Roles: This rule ensures that separation of duties is implemented for all Google Cloud KMS-related roles.
Azure
- Network-023: Check for Unrestricted DNS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP and UDP port 53.
- Network-020: Check for Unrestricted ICMP Access: This rule ensures that no network security groups allow unrestricted inbound access using Internet Control Message Protocol (ICMP).
- Network-018: Check for Unrestricted SMTP Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 25.
- Network-019: Check for Unrestricted Telnet Access: This rule ensures that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 23.
- SecurityCenter-035: Microsoft Defender for Cloud for SQL Server Virtual Machines: This rule ensures that Microsoft Defender for Cloud is enabled for SQL Server virtual machines.
- SecurityCenter-036: Enable Microsoft Defender for Cloud for Azure SQL Database Servers: This rule ensures that Microsoft Defender for Cloud is enabled for your Azure SQL database servers.
- SecurityCenter-037: Enable Microsoft Defender for Cloud for Azure Containers: This rule ensures that Microsoft Defender for Cloud is enabled for Azure containers.
- SecurityCenter-038: Enable Microsoft Defender for Cloud for Storage Accounts: This rule ensures that Microsoft Defender for Cloud is enabled for Azure storage accounts.
Rule Updates
- Updated the following rules to enhance check results and improve the way exceptions are handled:
  - CloudVPC-004: Default VPC Network In Use
  - CloudVPC-005: Check for Legacy Networks
- Updated the following rules' check results with minor text changes:
  - SecurityCenter-032: Enable Microsoft Defender for Cloud for Virtual Machines
  - SecurityCenter-033: Enable Microsoft Defender for Cloud for App Service
  - SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults
- The following rules will now produce no checks for Google Kubernetes Engine (GKE) clusters, as the best practices do not apply to GKE clusters:
  - ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses
  - ComputeEngine-004: Disable IP Forwarding for Virtual Machine Instances
  - ComputeEngine-006: Check for Instances Associated with Default Service Accounts
  - ComputeEngine-008: Check for Instance-Associated Service Accounts with Full API Access
- VirtualMachines-023: Enable Accelerated Networking for Virtual Machines: Enabled a feature to exclude checks by 'tags' or 'resourceId' for the rule.
- ActiveDirectory-003: Check for Active Directory Guest Users: Updated the rule to evaluate 100 guest users instead of all guest users.
conformity_whats_new 29
Cloud One Conformity Full Access users can now create Conformity Custom Roles that can be set up with the different levels of access permissions for different accounts. Follow these steps to create a Custom Role and assign the access permissions i.e. Full Access, Read-Only, or No Access in Conformity and then map it to any Trend Micro Cloud One ™ role from User Management >> Administration >> Roles.
conformity_whats_new 30
The following features and updates are now available with Conformity's latest release on 18 July 2022.
- Admins can now enforce the use of API key safe IP ranges when creating API keys.
- RTM-005: Users Signed into AWS from an Approved Country: Conformity now supports North Macedonia (the country formerly known as Macedonia).
Bug Fixes
- Fixed a bug with the Jira communications channel to display only active users in the channel's 'Assignee' list.
- Fixed a bug with the display of CSV Compliance Standard report data when importing it in Excel format through the 'Import data' wizard.
- Fixed a bug where the 'Configure rule...' and 'Send rule to...' options became visible for custom checks created along with the existing custom rules.
- Fixed a bug to enhance the performance of the RTM Event Monitoring dashboard section to prevent screen performance issues for customers with a large number of RTM events.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.
New Rules
Azure
- VirtualMachines-037: Server Side Encryption for Unattached Disk using CMK: This rule ensures that unattached managed disk volumes are encrypted at rest using Customer-Managed Keys (CMKs).
- Network-022: Check for Unrestricted HTTPS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP port 443. This rule was released on 4th July 2022 and was missed out from our release communications. We apologise for the miscommunication and the confusion.
GCP
- CloudIAM-011: Minimize the Use of Primitive Roles: This rule limits the use of primitive roles, for example 'Owner', 'Editor', and 'Viewer', for Cloud IAM members in production and security-critical cloud environments.
Rule Update
- Network-015: Check for Unrestricted UDP Access: Updated the rule to prevent Conformity Bot from generating false positive checks in some scenarios, for example security groups with 'Access Deny' configurations.
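The scenario behind that false positive, as an added example (not Conformity's code; the sample NSG is constructed): inbound NSG rules evaluated in priority order the way Azure applies them, where a Deny rule that sorts before a broad Allow closes the port, next to the naive "any Allow-from-any rule" pattern that misreports it.

```python
"""Priority-aware evaluation of inbound Azure NSG rules for one port.

Added example, not Conformity's implementation. Azure evaluates NSG rules
in ascending priority order and the first match decides; a Deny rule that
matches before a broad Allow closes the port. A check that only looks for
"Allow from any source" rules ignores that and reports a false positive,
which is the scenario the Network-015 update describes. The sample NSG
below is constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Source prefixes that mean "every address on the Internet".
ANY_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0", "any"}


@dataclass
class NsgRule:
    name: str
    priority: int          # lower number = evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, "*", or a service tag such as "Internet"
    dest_ports: List[str]  # e.g. ["445"], ["*"], ["20-25", "3389"]


def _port_matches(port: int, spec: str) -> bool:
    """True when `port` falls inside one port spec ("*", "80", "20-25")."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def _source_is_any(source: str) -> bool:
    """True for prefixes that admit every source address."""
    text = source.strip().lower()
    if text in ANY_SOURCES:
        return True
    try:
        return ip_network(text, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags (VirtualNetwork, ...) are scoped


def _rule_covers(rule: NsgRule, port: int, proto: str) -> bool:
    return (rule.direction.lower() == "inbound"
            and _protocol_matches(rule.protocol, proto)
            and any(_port_matches(port, p) for p in rule.dest_ports))


def exposing_rule(rules: List[NsgRule], port: int, proto: str) -> Optional[NsgRule]:
    """Return the Allow rule that opens `port`/`proto` to any source, else None.

    Walks inbound rules in priority order as the platform does. A matching
    Deny with an "any" source shadows every later Allow, so it ends the walk.
    Rules with a narrower source decide only for part of the address space,
    so the walk continues past them (several narrow Deny rules that together
    cover the whole Internet are not recognised, which errs on the side of
    flagging the port).
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if not _rule_covers(rule, port, proto):
            continue
        if not _source_is_any(rule.source):
            continue
        return rule if rule.access.lower() == "allow" else None
    return None  # default DenyAllInBound (priority 65500) applies


def naive_exposing_rule(rules: List[NsgRule], port: int, proto: str) -> Optional[NsgRule]:
    """The pattern behind the false positive: any Allow-from-any rule on the
    port counts, regardless of priority or of Deny rules placed before it."""
    for rule in rules:
        if (_rule_covers(rule, port, proto) and _source_is_any(rule.source)
                and rule.access.lower() == "allow"):
            return rule
    return None


# Constructed sample NSG (not from a real subscription).
SAMPLE_NSG = [
    NsgRule("DenyInternetUdp", 100, "Inbound", "Deny", "Udp", "Internet", ["*"]),
    NsgRule("AllowAnyUdp", 200, "Inbound", "Allow", "Udp", "*", ["0-65535"]),
    NsgRule("AllowHttpsFromOffice", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", ["443"]),
    NsgRule("AllowSmbFromAny", 310, "Inbound", "Allow", "Tcp", "0.0.0.0/0", ["445"]),
    NsgRule("AllowSshFromAny", 400, "Inbound", "Allow", "Tcp", "*", ["22"]),
    NsgRule("DenySshFromAny", 500, "Inbound", "Deny", "Tcp", "*", ["22"]),
]

if __name__ == "__main__":
    for port, proto in ((53, "Udp"), (445, "Tcp"), (443, "Tcp"), (22, "Tcp")):
        hit = exposing_rule(SAMPLE_NSG, port, proto)
        naive = naive_exposing_rule(SAMPLE_NSG, port, proto)
        print(f"{proto}/{port}: exposed by {hit.name if hit else 'nothing'}; "
              f"naive check says {naive.name if naive else 'nothing'}")
```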
conformity_whats_new 31
The following features and updates are now available with Conformity's latest release on 10 August 2022.
Bug Fixes
- Fixed a timeout bug that occurred when adding an AWS account via the Public API.
- Fixed a bug with SNS notifications being triggered for excluded resources in any rule for AWS, Azure and GCP bots.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37. Click here to access the current custom policy.
New Rules
Azure
- Network-021: Check for Unrestricted MongoDB Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.
- Network-024: Check for Unrestricted NetBIOS Access: This rule ensures that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS).
- VirtualMachines-039: Server Side Encryption for Boot Disk using CMK: This rule ensures that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs).
conformity_whats_new 32
End of Life - Conformity Cost Optimization Feature
In April 2020, we decided to deprecate the Cost Optimization feature, which has helped Standalone Conformity customers manage their AWS costs. It has been deprecated as of July 2022 and will reach the end of life on 10th September 2022.
Why are we doing this?
The Cost Optimization feature used data from the deprecated AWS ‘Detailed Billing Report’. AWS strongly recommends that all customers move away from this report and migrate to the newer Cost and Usage Report.
We have decided to discontinue all support for Cost Analysis as our strategic focus as Trend Micro Cloud One ™ Conformity is on core Cloud Security Posture management (CSPM) features.
What does it mean for you?
No Cost Optimization widget - you will stop seeing the Cost Optimization widget on your Organizations’ Main Dashboard.
What happens to the Cost Rules?
All Cost category rules except for the following Rules will still be available to all customers. We’re deprecating these four Rules because their AWS data source is a deprecated AWS billing report.
What do I need to do?
You don't need to do anything at your end. If you wish, you can turn off the AWS Billing report used by Conformity. If you have any concerns or queries regarding the end of life for the Cost Optimization feature, please reach out to your account managers.
This feature is unavailable to our Trend Micro Cloud One ™ Conformity customers.
conformity_whats_new 33
The following features and updates are now available with Conformity's latest release on 23 August 2022.
- You can now search and add GCP projects while onboarding your GCP accounts to Conformity.
- You can also view and onboard all GCP projects, as we've eliminated the 100 projects limit.
- The Uninstall Azure RTM script is now available.
- Updated the following Compliance Standards and Reports to include newly released rules:
  - HITRUST CSF v9.3
  - HIPAA 45CFR164
  - NIST 800-53 Rev4
  - FedRAMP rev4
  - SOC 2 Nov 2019
- Updated the following Compliance & Conformity Reports to include newly released rules:
  - ISO 27001:2013 - updated May 2022
  - NIST 800-53 Rev5 - updated June 2022, also available to GCP accounts now
Bug Fixes
- Fixed a bug to improve CSV compliance and generic report generation with a very large number of checks.
- Fixed a bug to change the API response status code from 200 to 422 when a custom rule is run with a wrong configuration.
- Fixed a bug where account-level rule setting exceptions were deleted when applying a profile with no configured exceptions AND "include exceptions" unchecked.
Custom Policy Updates
We've updated the custom policy as a result of the new deployment. The new custom policy version is 1.38. Click here to access the current custom policy.
The new permissions added are:
- appflow:DescribeFlow
- appflow:ListFlows
New Rules
Azure
- Network-025: Check for Unrestricted Inbound TCP or UDP Access on Selected Ports: This rule ensures that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.
AWS
- AppFlow-001: Enable Data Encryption with KMS Customer Master Keys: This rule ensures that Amazon AppFlow flows are encrypted with KMS Customer Master Keys (CMKs).
GCP
- CloudLoadBalancing-002: Check for Cloud SQL Database Instances with Public IPs: This rule ensures that Cloud SQL database instances don't have any public IP addresses assigned.
Rule Bug Fix
- CT-002: CloudTrail S3 Bucket Logging Enabled: Fixed a bug where the rule did not correctly exclude the relevant S3 resource using tag-based exceptions.
conformity_whats_new 34
The following features and updates are now available with Conformity's latest release on 7 September 2022.
- Updated the following Compliance Standards and Reports to include newly released rules:
  - Monetary Authority of Singapore MAS-TRM 2021
  - NIST CyberSecurity Framework
  - AusGov ISM
Bug Fixes
- Fixed a bug that was preventing users from successfully updating the CQL filter for an existing saved report.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
New Rule
Azure
- StorageAccounts-021: Configure Minimum TLS Version: This rule ensures that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.
Rule Update
- EKS-001: EKS Cluster Endpoint Public Access: Added an optional rule configuration to Safelist source IP addresses from the EKS cluster "Public access source allowlist". If all the source IP addresses in the EKS "Public access source allowlist" are in the configured Safelist, the rule will succeed.
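The safelist comparison described for EKS-001, as an added example (not Conformity's code; the cluster dicts and safelists are constructed): each CIDR in the cluster's public access allowlist must be a subnet of some safelist entry, so a safelist entry narrower than an allowlist entry does not cover it, and a private-only endpoint passes without evaluation.

```python
"""Safelist evaluation for an EKS cluster endpoint public access check.

Added example, not Conformity's implementation. It models the behaviour
described for EKS-001: the check succeeds when every CIDR in the cluster's
public access source allowlist is contained in a safelist CIDR configured
for the rule. The cluster dicts are constructed to mirror the relevant
fields of the EKS DescribeCluster response (resourcesVpcConfig.
endpointPublicAccess and resourcesVpcConfig.publicAccessCidrs).
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List


def cidr_covered(cidr: str, safelist: Iterable[str]) -> bool:
    """True when every address in `cidr` lies inside one safelist entry.

    Containment uses subnet arithmetic, so a /32 host is covered by a /24
    safelist entry, but a /24 allowlist entry is not covered by a narrower
    /25. A safelist entry of 0.0.0.0/0 covers any IPv4 CIDR, which is why
    such an entry defeats the purpose of the check.
    """
    target = ip_network(cidr.strip(), strict=False)
    for entry in safelist:
        allowed = ip_network(entry.strip(), strict=False)
        if target.version == allowed.version and target.subnet_of(allowed):
            return True
    return False


def uncovered_public_sources(cluster: Dict, safelist: Iterable[str]) -> List[str]:
    """Allowlist CIDRs of the cluster's public endpoint not covered by the safelist."""
    vpc = cluster.get("resourcesVpcConfig", {})
    if not vpc.get("endpointPublicAccess", False):
        return []  # private endpoint only: nothing is exposed publicly
    # EKS defaults the allowlist to 0.0.0.0/0; treat a missing field the same
    # way so an incomplete description fails safe rather than passing.
    cidrs = vpc.get("publicAccessCidrs") or ["0.0.0.0/0"]
    safelist = list(safelist)
    return [c for c in cidrs if not cidr_covered(c, safelist)]


def eks_001_passes(cluster: Dict, safelist: Iterable[str]) -> bool:
    """Rule outcome: success when no allowlisted source falls outside the safelist."""
    return not uncovered_public_sources(cluster, safelist)


# Constructed sample data, not real cluster descriptions.
PUBLIC_CLUSTER = {
    "name": "example-cluster",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "publicAccessCidrs": ["203.0.113.10/32", "198.51.100.0/24"],
    },
}
PRIVATE_CLUSTER = {
    "name": "private-cluster",
    "resourcesVpcConfig": {"endpointPublicAccess": False,
                           "publicAccessCidrs": ["0.0.0.0/0"]},
}
OPEN_CLUSTER = {
    "name": "open-cluster",
    "resourcesVpcConfig": {"endpointPublicAccess": True,
                           "publicAccessCidrs": ["0.0.0.0/0"]},
}
# Covers the office host but only the lower half of the partner /24.
PARTIAL_SAFELIST = ["203.0.113.0/24", "198.51.100.0/25"]
FULL_SAFELIST = ["203.0.113.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    print("uncovered:", uncovered_public_sources(PUBLIC_CLUSTER, PARTIAL_SAFELIST))
    print("passes with full safelist:", eks_001_passes(PUBLIC_CLUSTER, FULL_SAFELIST))
    print("open cluster passes:", eks_001_passes(OPEN_CLUSTER, FULL_SAFELIST))
```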
Rule Bug Fix
- VirtualMachines-013: Enable Backups for Azure Virtual Machines: Fixed a bug where an incorrect failure check was generated for a re-created VM instance using a previously used name.
conformity_whats_new 35
Announcing the General Availability (GA) of GCP for Cloud One Conformity customers.
What does it mean for you?
- If you are currently subscribing through the AWS or Azure marketplace, the metered billing for your GCP accounts using Cloud One - Conformity will start on September 13th, 2022.
- If you are currently using the 30-day free trial, the metered billing won't start until your trial period is over and you subscribe to the service.
Marketplace Consumption Pricing for Cloud One Conformity
|Cloud Account Resource Count|Pricing|
|:---|:---|
|Per cloud account with <250 resources/hr|$0.00|
|Per cloud account with 250-1,000 resources/hr|$0.07|
|Per cloud account with 1,001-5,000 resources/hr|$0.29|
|Per cloud account with 5,001+ resources/hr|$0.35|
For more information, see Cloud One billing.
The following rules, standards and enhancements are already available for all GCP customers:
- 90+ cloud security configuration rules
- PCI-DSS-V3.2.1 standard
- ISO-27001:2013 standard
- APRA CPS 234
- NIST 800-53 Rev5
- Ability to search for projects while onboarding
- While onboarding GCP projects on Conformity via UI, the customer could only see 100 projects at a time due to a project cap in Conformity. This project cap is now removed, and users will be able to view & onboard all GCP projects within a service account.
conformity_whats_new 36
The following features and updates are now available with Conformity's latest release on 28 September 2022.
- Updated the following Compliance Standards and Reports to include the newly released rules:
  - Azure Well-Architected Framework
  - AWS Well-Architected Framework
  - NIS Europe OES-2019
Bug Fixes
- Fixed a bug where the Lambda rules displayed only 50 checks per region.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
New Rule
GCP
- GKE-001: Enable GKE Cluster Node Encryption with Customer-Managed Keys: This rule ensures that boot disk encryption with Customer-Managed Keys is enabled for GKE cluster nodes.
- BigQuery-003: Enable BigQuery Dataset Encryption with Customer-Managed Encryption Keys: This rule ensures that all your Google Cloud BigQuery datasets are encrypted using Customer-Managed Encryption Keys (CMEKs).
- CloudSQL-027: Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances: This rule ensures that the 'cloudsql.enable_pgaudit' and 'pgaudit.log' flags are enabled for Google Cloud PostgreSQL server instances.
- CloudSQL-028: Disable '3625' Trace Flag for SQL Server Database Instances: This rule ensures that the '3625' trace flag for SQL database servers is set to 'off'.
- CloudIAM-012: Enable Access Approval: This rule ensures that 'Access Approval' is enabled for your Google Cloud account.
- CloudAPI-004: Enable Cloud Asset Inventory: This rule ensures that 'Google Cloud Asset Inventory' is enabled for your GCP projects.
Azure
- PostgreSQL-012: Enable Infrastructure Double Encryption: This rule ensures that infrastructure double encryption is enabled for all Azure PostgreSQL database servers.
- PostgreSQL-013: 'log_checkpoints' Parameter for PostgreSQL Flexible Servers: This rule ensures that the 'log_checkpoints' parameter for your Microsoft Azure PostgreSQL flexible database servers is set to 'ON'.
Rule Bug Fix
- ELB-007: ELB Security Group: Fixed a bug where the rule did not generate checks for some regions with access permissions to Conformity.
conformity_whats_new 37
From 2022-09-28 16:20 UTC to 20:43 UTC (9:20 AM PDT to 1:43 PM PDT), AWS experienced a service outage in the us-west-2 (Oregon) region, which affected the Conformity application. The outage affected the API Gateway service, which made the Conformity application inaccessible during that window. The service has now fully recovered, and Conformity has returned to normal.
Affected regions
Oregon service region (us-west-2) and Cloud One US-1
P.S: No other Conformity regions were impacted.
Impact
Customers could not access the Conformity application via the UI or API, or successfully scan their accounts. Any automated workflows relying on Conformity, for example API workflows using the Template Scanner, may also have been impacted.
Resolution
The service health of Amazon API Gateway has now fully recovered and can be tracked here. Conformity service has also returned to normal.
conformity_whats_new 38
The following features and updates are now available with Conformity's latest release on 26 October 2022.
- Introducing the 'skipUpdatingEnabledSuppression' attribute in the Check API, which lets you prevent suppressed checks from being updated until their 'suppressed-until' date is reached.
- You can now add tags when onboarding AWS, Azure or GCP accounts using the Accounts API.
- CSV reports now include cost and savings data for the checks related to the cost rules.
- Added support for PCI DSS v4 and CIS Controls Version 8 across Conformity compliance features for AWS, Azure and GCP.
- Added support for CIS GCP Foundation Benchmark Version 1.2.0 in Conformity compliance features.
Bug Fixes
- Fixed a bug preventing CSV reports from being generated when compliance reports had 0 checks.
- Fixed a bug to make notes mandatory when updating the suppressed or unsuppressed property in the Check API, regardless of whether the underlying rule is custom or standard.
- Fixed a bug where report generation failed due to a large amount of data.
- Fixed a bug with the public API 'Events get' endpoint to strip all HTML tags (the syntax used to enclose usernames, API keys or similar data in a strong tag) from the 'event.attributes.description' property of the response object.
- Fixed a bug to make the 'Note' field mandatory when suppressing or un-suppressing a check in the UI.
- Fixed a bug to allow users to go back to the Project selection from the Confirmation page when onboarding GCP projects.
- Fixed a bug where users weren't receiving the 'Welcome' email after signing up.
- Fixed a bug to display a warning icon indicating the rule exception state for Tags case insensitive, Tags case sensitive, and resource id filters in all 3 rule list views (Account, Organisational profile and Custom Profile).
- Fixed a bug to increase the size limit of an Organisation Profile, allowing you to save and apply multiple rule configurations to many accounts.
- Fixed a bug where the Profile API was timing out when a profile with multiple rule configurations was applied to a large number of accounts.
- WS-005: WorkSpaces Storage Encryption: Fixed a bug so that the rule generates checks for all WorkSpaces on an AWS account instead of only 25 workspaces.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
New Rules
Azure
- MySQL-002 (Configure TLS Version for MySQL Flexible Database Servers): This rule ensures that the 'tls_version' parameter is set to a minimum of 'TLSv1.2' for all MySQL flexible database servers.
Rule Update
- CF-006: CloudFront Security Policy: Updated the rule to include the latest Security policies.
conformity_whats_new 39
The following features and updates are now available with Conformity's latest release on 12 October 2022.
- Added the 'skipUpdatingEnabledSuppression' attribute to prevent updating the 'suppressed' and 'suppressed-until' attributes on suppressed checks using the Checks API.
- Improved our compliance score calculation logic to prevent a score greater than 95% from being rounded up to 100%.
Bug Fixes
- Fixed a bug where the Conformity Bot reported stale checks with a large number of EC2 resources.
- Fixed a bug that prevented getting the list of excluded resources in the UI and the public API by making some performance enhancements.
- Fixed a bug with the Custom Rules engine that returned an 'HTTP 500' error for resources without data.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
New Rules
GCP
- CloudIAM-013: Essential Contacts for Organizations (Not Scored): This rule ensures that Essential Contacts are defined for your Google Cloud organization.
- ResourceManager-001: Disable User-Managed Key Creation for Service Accounts: This rule ensures that the 'Disable Service Account Key Creation' policy is enforced.
Rule Bug Fixes
- Config-002: AWS Config Referencing Missing S3 Bucket: Fixed a bug where the rule did not return a success check for compliant Config resources at the Provider level.
- Fixed an issue where the check region for the following rules was incorrectly returned as 'ALL':
  - Monitor-002: Activity Log Retention
  - Monitor-003: Activity Log All Activities
  - Monitor-004: Activity Log All Regions
  - Monitor-005: Check for Publicly Accessible Activity Log Storage Container
  - Monitor-006: Use BYOK for Activity Log Storage Container Encryption
  - Resources-001: Tags
conformity_whats_new 40
The following features and updates are now available with Conformity's latest release on 31 October 2022.
- You can now view a summary of your cloud accounts with a disabled Conformity Bot on the Main Dashboard by clicking the View Accounts button.
Bug Fix
- Fixed a bug caused by the updated AZ CLI version, where users weren't able to manually generate the password for the created App Registration. We've updated the script to generate the Password & Client_secret_key automatically. Please ensure that the AZ CLI version is higher than 2.40.0 for the new script to work.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
conformity_whats_new 41
Discontinuing Rules Pre-Release Notice: The 48-hour pre-release notice to be discontinued with effect from 10 January 2023
From 10 January 2023, Trend Micro Cloud One™ - Conformity will no longer send a Pre-release Notice 48 hours prior to releasing new rules and rule updates. You will receive all release updates, including rules, through a post-deployment update on the What's New page.
Important: As part of our new communication strategy, we will no longer send release emails effective 10th January 2023. We highly recommend that you subscribe to the Trend Micro Cloud One™ Updates RSS feed using an RSS feed reader to get notified about the latest releases and news for Conformity.
Why?
- This change is part of Conformity's strategy to deliver new rules, features, and fixes to you faster.
- In 2023, Conformity aims to deploy multiple times per week, and we can only do this if we remove the 48-hour pre-release rules notice and manual release emails.
Impact
We acknowledge that some of you are under strict SLAs that require monitoring of new rules impacting your compliance scores.
- If you're affected by the release of new rules, we recommend setting the New Rules Behaviour setting to 'Manually', so your compliance scores are not affected by newly released rules and you can enable them as required.
- If you have already configured the setting to automatically enable newly released rules, no further action is required.
conformity_whats_new 42
The following updates are now available with Conformity's latest release on 07 November 2022.
Bug Fixes with Rule Updates
- Fixed a bug to prevent Conformity from generating checks for backup vaults with different types of protected items for a number of Virtual Machine rules.
- Fixed a bug to prevent throttling of the Azure Storage Accounts service caused by numerous storage accounts and blob containers, by implementing a hard limit of 100 storage accounts.
  - This implies that Conformity will now scan only the first 100 Azure storage accounts (with an unlimited number of blob containers) for the rules listed below:
    - StorageAccounts-006 - Disable Anonymous Access to Blob Containers
    - StorageAccounts-012 - Enable Immutable Blob Storage
    - StorageAccounts-016 - Check for Publicly Accessible Web Containers
    - StorageAccounts-017 - Review Storage Accounts with Static Website Configuration
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
conformity_whats_new 43
Fixed an issue to prevent SNS service throttling by introducing a limit to scan up to 4000 AWS SNS topics for the following rules:
- SNS-001 Topic Exposed
- SNS-002 Cross Account Access
- SNS-003 SNS Appropriate Subscribers
- SNS-004 Topic Accessible For Publishing
- SNS-005 Topic Accessible For Subscription
- SNS-006 Topic Encrypted
- SNS-007 Topic Encrypted With KMS Customer Master Keys
conformity_whats_new 44
The following updates are now available with Conformity's latest release on 14 November 2022.
- To improve Conformity Bot's reliability, cloud accounts onboarded to Conformity via the Public API will be queued to run within 10 minutes of the API call.
Bug Fix
- Fixed the broken 'Add and Manage Users' link on the Public API page linking to Cloud One help documentation.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
conformity_whats_new 45
The following features and updates are now available with Conformity's latest release on 21 November 2022.
- The FISC Security Guidelines v9 compliance standard mapping now supports the latest AWS and Azure rules released in Conformity.
Bug Fixes
- Enhanced the scanning of all AWS RDS Instances to reduce throttling.
- Fixed a bug where the note for 'number of checks included' indicated an incorrect count while configuring a report for individual checks.
- Fixed a bug where the 'Account rule settings' notes were not being saved correctly for the Custom Role Full Access Users.
- KMS-002: Key Rotation Enabled: Fixed a bug where checks were generated incorrectly if the KMS key did not support key rotation.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
Rules
Azure
SecurityCenter-039: Enable Automatic Provisioning of Vulnerability Assessment for Virtual Machines: This rule advises users to manually check that automatic provisioning of vulnerability assessment solutions is Enabled for virtual machines.
Rule Updates
Fixed an issue with the following rules handling AWS regions with restricted permissions in Conformity:
- EBS-010: EBS Volumes Attached to Stopped EC2 Instances
- VPC-016: VPC Endpoints in Use
- S3-025: S3 Buckets Encrypted with Customer-Provided CMKs
- CT-003: Publicly Accessible CloudTrail Buckets
- RDS-027: Instance Level Events Subscriptions
- RDS-028: Security Groups Events Subscriptions
- RDS-029: RDS Event Notifications
- RDS-039: RDS Instance Not in Public Subnet
End of Life - Conformity Cost Optimization Feature
The Conformity Cost Optimization feature will reach end of life with the upcoming release on 21 November 2022. If you've missed our advance notice, please read through the details below.
Why are we doing this?
The Cost Optimization feature used data from the deprecated AWS ‘Detailed Billing Report’. AWS strongly recommends that all customers move away from this report and migrate to the newer Cost and Usage Report.
We have decided to discontinue all support for Cost Analysis, because our strategic focus for Trend Micro Cloud One™ Conformity is on core Cloud Security Posture Management (CSPM) features.
What does it mean for you?
No Cost Optimization widget - you will stop seeing the Cost Optimization widget on your Organizations’ Main Dashboard.
What happens to the Cost Rules?
All Cost category rules except for the following Rules will still be available to all customers. We’re deprecating these four Rules because their AWS data source is a deprecated AWS billing report.
What do I need to do?
You don't need to do anything at your end. If you wish, you can turn off the AWS Billing report used by Conformity. If you have any concerns or queries regarding the end of life for the Cost Optimization feature, please reach out to your account managers.
The Cost Optimization feature is unavailable to our Trend Micro Cloud One ™ Conformity customers.
conformity_whats_new 46
On 23 November 2022, we upgraded the Elasticsearch clusters to improve your experience with the Conformity platform, providing you with a more resilient and secure cloud infrastructure by applying the security best practices.
conformity_whats_new 47
The following features and updates are now available with Conformity's latest release on 29 November 2022.
- Added a new Replay endpoint to the Checks API allowing you to send checks history into newly created Communication Channels. For details see: Re-run Historical Check Notifications.
- You can now add Chinese characters in the Account Tags via the UI and the public API.
- GCP Conformity Bot now supports the following regions:
- asia-south2
- australia-southeast2
- europe-southwest1
- europe-west8
- europe-west9
- northamerica-northeast2
- us-east5
- us-south1
- southamerica-west1
Bug Fixes
- Fixed a bug where the Real Time Threat Monitoring notifications were not being sent when a check status changed from `Failure` to `Success`, and then back to `Failure`, in quick succession.
- Fixed a bug where the Power Users and the Read Only users were able to view users' activity on the Main Dashboard. User activities can only be viewed by a Full Access user and a Custom Role user with appropriate permissions.
- Fixed a bug where the Azure Real Time Monitoring install script failed to install monitoring resources correctly.
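The first bug fix above concerns a classic notification failure mode: when a check flips Failure to Success and back to Failure within one processing window, a pipeline that only compares the last known status with the latest status sees no net change and sends nothing. The following is an added illustration of that edge case, written for this page and not Conformity's RTM implementation; the check ids, timestamps and statuses are constructed sample data. It contrasts a snapshot comparison with per-transition processing over the same events.

```python
"""Illustrative handling of rapid check-status flips for change notifications.
Added example; not Conformity's RTM code. A snapshot-style comparison loses
FAILURE -> SUCCESS -> FAILURE bursts, per-transition processing reports each change."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusEvent:
    check_id: str
    ts: int        # event time (constructed values below, seconds)
    status: str    # "SUCCESS" or "FAILURE"


def notify_by_snapshot(events, last_known):
    """Lossy approach: compare the last known status of each check with its
    final status in the batch. A check that flips and flips back inside one
    batch has no net change and therefore produces no notification."""
    final = {}
    for ev in sorted(events, key=lambda e: e.ts):
        final[ev.check_id] = ev.status
    return [
        (check_id, last_known.get(check_id), status)
        for check_id, status in final.items()
        if last_known.get(check_id) != status
    ]


def notify_by_transition(events, last_known):
    """Report every status transition in time order, starting from the last
    known status of each check, so intermediate changes are not dropped."""
    state = dict(last_known)
    notifications = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = state.get(ev.check_id)
        if prev is not None and prev != ev.status:
            notifications.append((ev.check_id, prev, ev.status, ev.ts))
        state[ev.check_id] = ev.status
    return notifications


# Constructed sample: "check-1" flaps within three seconds, "check-2" is stable.
LAST_KNOWN = {"check-1": "FAILURE", "check-2": "SUCCESS"}
EVENTS = [
    StatusEvent("check-1", 100, "SUCCESS"),
    StatusEvent("check-2", 101, "SUCCESS"),
    StatusEvent("check-1", 103, "FAILURE"),
]

if __name__ == "__main__":
    print("snapshot  :", notify_by_snapshot(EVENTS, LAST_KNOWN))    # nothing reported
    print("transition:", notify_by_transition(EVENTS, LAST_KNOWN))  # both flips reported
```

The transition-based version is also the one that lets a downstream channel (or a SIEM rule) count how often a resource flaps, which is itself a useful signal of unstable or contested configuration.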
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
Rules
Azure
- SecurityCenter-040: Enable Automatic Provisioning of Microsoft Defender for Containers Components [Not scored]: This rule recommends that automatic provisioning of security components is enabled for Azure containers.
- StorageAccounts-022: Disable public access to storage accounts with blob containers: This rule ensures that public access to blob containers is disabled for your Azure storage accounts. The recommended setting overrides any alternative configurations allowing public blob access.
GCP
- GKE-002: Enable Encryption for Application-Layer Secrets for GKE Clusters: This rule ensures that GKE Clusters have Application-Layer Secrets Encryption enabled.
Rule Updates
- Updated the following AWS EC2 Non-Security-Group service level rules to fix an error-handling issue and generate accurate checks for all regions.
- EC2-009: EC2-Classic Elastic IP Address Limit
- EC2-010: EC2-VPC Elastic IP Address Limit
- EC2-011: Account Instance Limit
- EC2-024: Unassociated Elastic IP Addresses
- EC2-026: Unused AMI
- EC2-056: Unused AWS EC2 Key Pairs
- EC2-072: EC2 Instance Not in Public Subnet
- EC2-078: EC2 Instances Scanned by Amazon Inspector Classic
conformity_whats_new 48
The following features and updates are now available with Conformity's latest release on 08 December 2022.
Bug Fixes
- Fixed a bug to prevent Azure RTM events from being created intermittently by improving the logic for detecting duplicate events.
- Fixed a bug with Security Group rules scanning by ignoring them if the Ingress or Egress rules cannot be extracted from the IaC template.
- Fixed a bug so that the service group API returns `200` with `{data: []}` instead of `403` for an organisation without any account.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.38. Click here to access the current custom policy.
New Rule
Azure
ActivityLog-029: Create Alert for "Delete Public IP Address" Events: This rule ensures that an Azure activity log alert is used to detect "Delete Public IP Address" events.
Rule Updates
Updated the following rules to fix an issue with their handling of AWS regions with restricted permissions for Conformity:
- IAM-060: Attach Policy to IAM Roles Associated with APP-Tier EC2
- IAM-064: Attach Policy to IAM Roles Associated with Web-Tier EC2
- ASG-004: Same Availability Zones in ASG and ELB
- Inspector-001: Amazon Inspector Findings
- Inspector-002: Days since last Amazon Inspector run
- Inspector-003: Check for Amazon Inspector Exclusions
SQL-010: Check for Unrestricted SQL Database Access: Updated the rule to return a SUCCESS check when the ‘Deny public network access’ toggle is checked. The rule continues to ensure firewalls associated with your Microsoft Azure SQL servers are not configured to allow unrestricted inbound access.
SQS-004: Queue Server Side Encryption: Updated the rule to cover the latest SQS encryption options in AWS and prevent false negative checks.
conformity_whats_new 49
Impact of AWS EventBridge Cross-Account IAM Role Changes on Conformity
The following features and updates are now available with Conformity's latest release on 08 December 2022.
From 16 February 2023, all new AWS EventBridge Cross-account event bus targets will require an IAM role. This change will affect new Conformity Real Time Monitoring (RTM) EventBridge configurations but does not immediately affect the existing Conformity customers.
What is the change?
To increase security, AWS will soon require creating an IAM role for new Cross-account event bus targets. Consequently, Conformity will update the RTM installation process for new accounts to comply with the new requirement.
User Impact
AWS has confirmed that there will be no immediate impact on existing customers. If you are an existing Conformity customer using RTM, there is no deadline and you will be able to update your RTM resources after 16 February 2023 at your own pace.
Resolution
We are working on updating the authentication method and installation script for RTM. The new script will allow you to install or update RTM in your AWS accounts in line with the new IAM role requirements from AWS.
conformity_whats_new 50
The following rules and updates are now available with Conformity's latest release on 15 December 2022.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The new custom policy version is 1.39 and the permission added is:
- `securityhub:DescribeHub`
Click here to access the new custom policy.
New Rule
AWS
SecurityHub-002: Security Hub Enabled: This rule ensures Amazon Security Hub service is enabled for your AWS accounts.
Rule Updates
- Updated the following rules to improve error-handling and ensure that the checks are only generated in regions with security groups:
- EC2-012: Security Group Excessive Counts
- EC2-013: Security Group Large Counts
- SQS-005: SQS Encrypted With KMS Customer Master Keys: Updated the rule to return a failure when the 'Amazon SQS key (SSE-SQS)' is selected as the encryption key type. The rule continues to ensure that your SQS queues are using KMS CMK customer-managed keys instead of AWS managed keys (i.e. default keys used in the absence of defined customer keys) to benefit from more granular control over the queue data encryption/decryption process.
- Monitor-006: Activity Log Storage Encryption with Customer-Managed Key: Updated the rule to check storage container encryption for diagnostic settings in addition to log profiles. The rule ensures that your Microsoft Azure activity log storage container is encrypted with a Customer-Managed Key (CMK) to protect your activity log data at rest with a key from your own Azure key vault.
- Updated the following AWS service-level rules to fix an error-handling issue and generate accurate checks when Conformity's permissions to certain AWS regions are restricted:
- Lambda-005: Lambda Function With Admin Privileges
- Lambda-006: Using An IAM Role For More Than One Lambda Function
- SSM-003: Check for SSM Managed Instances
- EC2-002: Unrestricted SSH Access
- EC2-003: Unrestricted RDP Access
- EC2-004: Unrestricted Oracle Access
- EC2-005: Unrestricted MySQL Access
- EC2-006: Unrestricted PostgreSQL Access
- EC2-007: Unrestricted DNS Access
- EC2-008: Unrestricted MsSQL Access
- EC2-015: EC2 Instance Security Group Rules Counts
- EC2-038: Unrestricted Telnet Access
- EC2-039: Unrestricted SMTP Access
- EC2-040: Unrestricted RPC Access
- EC2-041: Unrestricted NetBIOS Access
- EC2-042: Unrestricted FTP Access
- EC2-043: Unrestricted CIFS Access
- EC2-045: Unrestricted MongoDB Access
- EC2-063: Unrestricted Elasticsearch Access
- EC2-064: Unrestricted HTTP Access
- EC2-065: Unrestricted HTTPS Access
- EC2-074: Check for Unrestricted Redis Access
- EC2-075: Check for Unrestricted Memcached Access
conformity_whats_new 51
The following bug fixes are now available with Conformity's latest release on 20 December 2022.
- Fixed a bug to prevent Power User and Read Only users from accessing all event activities through the public API.
- Fixed a bug with CQL to now validate the query length and display an error message for queries exceeding 5000 characters.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.39. Click here to access the current custom policy.
conformity_whats_new 52
The following updates are now available with Conformity's latest release on 12 January 2023.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.39. Click here to access the current custom policy.
New Rules
Azure
- Monitor-010: Enable Subscription Activity Log Diagnostic Settings: This rule ensures that Azure Monitor Activity Logs for your subscription are exported to an appropriate data store using diagnostic settings. This rule also replaces the rule Monitor-001 - Azure Activity Log Profile in Use, which will be deprecated soon.
- ActivityLog-028: Create Alert for "Create or Update Public IP Address" Events: This rule ensures that activity log alerts are created for the "Create or Update Public IP Address" events.
GCP
- ResourceManager-003: Enforce Uniform Bucket-Level Access: This rule ensures that the `Enforce Uniform bucket-level access` organization policy is enabled at the Google Cloud Platform (GCP) organization level, and that the project inherits the parent's policy.
- ResourceManager-002: Disable Automatic IAM Role Grants for Default Service Accounts: This rule ensures that the `Disable Automatic IAM Grants for Default Service Accounts` policy is enforced.
- Dataproc-001: Enable Dataproc Cluster Encryption with Customer-Managed Keys: This rule ensures that your Dataproc Clusters on Compute Engine are encrypted using Customer-Managed Keys (CMKs).
Platform Updates
- The Conformity Bot now supports the following 10 additional GCP regions:
- eur4
- eur6
- nam4
- nam7
- nam8
- nam10
- nam11
- nam12
- nam13
- nam-eur-asia1
- We've also improved our PDF report engine to generate reports with up to 5,000 checks.
Bug Fixes
- Fixed a bug where checks for Cloud Storage Bucket resources returned an incorrect region value (i.e. `global`) for a region with hosted resources.
- Fixed a bug where the Deprecated Rules were being enabled on clicking the 'Reset to Default' button.
conformity_whats_new 53
The following update is available with Conformity's latest release on 19 January 2023.
AWS Real-Time Monitoring installation now supports EventBridge Cross-Account IAM Role
We have updated the AWS Real-Time Monitoring installation template to include an IAM role for cross-account access to increase security and adhere to the latest AWS EventBridge cross-account access requirements.
For more information see the RTM Settings. While there is no firm deadline from AWS, we recommend that you update your EventBridge configuration to follow the best practice.
For more information about sending and receiving Amazon EventBridge events between AWS accounts, see the AWS documentation.
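The cross-account IAM role requirement announced in release 49 and delivered in the updated installation template above comes down to two properties of the role: EventBridge (`events.amazonaws.com`) must be allowed to assume it, and it must be allowed to call `events:PutEvents` on the receiving event bus. The following added example, written for this page and not part of Conformity's RTM template, validates an IAM role document against those two properties and also flags a grant that is wider than the target bus, since a role scoped to `Resource: "*"` would let the rule publish into any bus the account can reach. The account ids, bus name and role documents are constructed sample data.

```python
"""Validate that an IAM role meets the EventBridge cross-account event bus target
requirement: trusted by events.amazonaws.com and allowed events:PutEvents on the
target bus. Added example; not Conformity's RTM installation template.
Account ids and bus names below are constructed placeholders."""
import fnmatch

TARGET_BUS_ARN = "arn:aws:events:us-east-1:222222222222:event-bus/example-receiver-bus"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trusts_eventbridge(trust_policy):
    """True if some Allow statement lets the EventBridge service principal assume the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "events.amazonaws.com" in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            return True
    return False


def _allows_put_events(policies, bus_arn):
    """Return (allowed, broad): allowed if PutEvents is granted on the bus,
    broad if that grant uses Resource "*" rather than the bus ARN."""
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            # IAM actions and resources may contain wildcards, e.g. "events:*".
            action_ok = any(fnmatch.fnmatchcase("events:PutEvents", a)
                            for a in _as_list(stmt.get("Action")))
            resources = _as_list(stmt.get("Resource"))
            resource_ok = any(fnmatch.fnmatchcase(bus_arn, r) for r in resources)
            if action_ok and resource_ok:
                return True, "*" in resources
    return False, False


def validate_cross_account_role(role, bus_arn=TARGET_BUS_ARN):
    """Return a list of findings; an empty list means the role satisfies the requirement."""
    findings = []
    if not _trusts_eventbridge(role.get("AssumeRolePolicyDocument", {})):
        findings.append("trust policy does not allow events.amazonaws.com to assume the role")
    allowed, broad = _allows_put_events(role.get("Policies", []), bus_arn)
    if not allowed:
        findings.append(f"no Allow statement grants events:PutEvents on {bus_arn}")
    elif broad:
        findings.append("events:PutEvents is granted on Resource '*'; scope it to the target bus")
    return findings


# Constructed sample roles (hypothetical documents, not real resources).
GOOD_ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "Policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "events:PutEvents", "Resource": TARGET_BUS_ARN}]}],
}
BAD_ROLE = {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "Policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "events:*", "Resource": "*"}]}],
}

if __name__ == "__main__":
    print("good:", validate_cross_account_role(GOOD_ROLE))
    print("bad :", validate_cross_account_role(BAD_ROLE))
```

The validator only reads policy documents, so it can be run against the output of `aws iam get-role` and `aws iam get-role-policy` (or an inline role from a CloudFormation template) before the rule target is created, rather than discovering the problem when events stop arriving.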
conformity_whats_new 54
Updated Compliance Standards: CIS Foundations Benchmarks
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for AWS, Azure and GCP. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Amazon Web Services Foundations Benchmark, v1.5.0
- CIS Microsoft Azure Foundations Benchmark v1.5.0
- CIS Google Cloud Platform Foundation Benchmark v1.3.0
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
ISO 27001:2022 Support for AWS, Azure and GCP
We now support ISO 27001:2022 across compliance features for AWS, Azure and GCP.
Custom Policy Updates
We've updated the custom policy to version 1.40. The added permission is:
- `lambda:ListFunctionUrlConfigs`
Click here to access the new custom policy.
conformity_whats_new 55
Rule Update
- Resources-001: Tags: Improved this rule to return more resource details in the check including service and resource names and a link to the resource.
conformity_whats_new 56
Bug Fix
- Improved Conformity Bot to scan large numbers of SNS resources and produce checks successfully.
conformity_whats_new 57
Rule Update
- Updated the Severity for the following RTM Configuration Change Rules from `HIGH` to `LOW` to reduce alert fatigue, as these rules do not in themselves represent a security vulnerability. They are events prompting you to review the change and adjust the severity as required.
Azure
- Network-014: Monitor Network Security Group Configuration Changes
AWS
- Config-005: AWS Config Configuration Changes
- CT-013: AWS CloudTrail Configuration Changes
- ECS-001: Monitor Amazon ECS Configuration Changes
- GD-003: AWS GuardDuty Configuration Changes
- IAM-054: IAM Configuration Changes
- KMS-007: Monitor AWS KMS Configuration Changes
- Organizations-003: AWS Organizations Configuration Changes
- RDS-036: Amazon RDS Configuration Changes
- Route53-009: Amazon Route 53 Configuration Changes
- Route53Domains-001: Amazon Route 53 Domains Configuration Changes
- RTM-009: Network configuration change detected
- S3-022: S3 Configuration Changes
- SecurityHub-001: Detect AWS Security Hub Configuration Changes
conformity_whats_new 58
Rule Update
- Config-002: AWS Config Referencing Missing S3 Bucket: Improved this rule to simplify account scanning, improve reliability and reduce false positive checks.
conformity_whats_new 59
Bug Fix
- Improved the way Conformity scans AWS Kinesis resources to reduce API throttling and improve performance.
conformity_whats_new 60
Rule Update
- CT-004: CloudTrail Bucket MFA Delete Enabled: Updated the rule to improve check accuracy and remove duplicate checks. This rule will no longer produce checks if the CloudTrail S3 bucket is located in another account.
conformity_whats_new 61
Rule Update
- CT-002: CloudTrail S3 Bucket Logging Enabled: Updated the rule to improve check accuracy and remove duplicate checks. This rule will no longer produce checks if the CloudTrail S3 bucket is located in another account.
conformity_whats_new 62
- Checks with a Time to Live (TTL) attribute have now been excluded from the compliance score calculation to produce more accurate percentage scores. This update will affect the scores displayed under:
- Conformity compliance status
- Compliance level comparison
- Compliance level evolution
- Updated the following Compliance Standards and Reports to include newly released rules:
- PCI DSS v3.2.1
- AWS Well-Architected Framework
conformity_whats_new 63
Bug Fix
- Fixed a bug with "!Ref" on the Event Rule to create a CloudWatch Alarm successfully without an error.
conformity_whats_new 64
Conformity Template Scanner API now supports scanning CloudFormation templates for additional AWS regions (`me-central-1`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `eu-central-2`, `eu-south-2`, `us-gov-west-1`, `us-gov-east-1`).
conformity_whats_new 65
Updated the resource link for the following rules to incorporate the new Azure functionality allowing users to access the resource directly in the Azure Console.
- SecurityCenter-002
- SecurityCenter-003
- SecurityCenter-004
- SecurityCenter-005
- SecurityCenter-006
- SecurityCenter-007
- SecurityCenter-008
- SecurityCenter-009
- SecurityCenter-010
- SecurityCenter-011
- SecurityCenter-012
- SecurityCenter-013
- SecurityCenter-014
- SecurityCenter-015
- SecurityCenter-020
- SecurityCenter-021
- SecurityCenter-022
- SecurityCenter-023
- SecurityCenter-024
- SecurityCenter-025
conformity_whats_new 66
- Removed the Administration User screen for Cloud One Users, as Cloud One Users are managed by Cloud One.
conformity_whats_new 67
- Fixed a bug that prevented users from onboarding new Azure subscriptions via public APIs.
conformity_whats_new 68
SQS-004: Queue Server Side Encryption:
- Updated the rule logic to cover the latest SQS encryption options in AWS and prevent false negative checks.
conformity_whats_new 69
Enhanced the scanning of EBS resources to improve performance and reduce API throttling by updating the following Rules:
- EBS-004: EBS Volume Recent Snapshots
- EBS-005: EBS Volumes Too Old Snapshots
Bug Fixes
- Fixed a bug where users were being logged out of the Cloud One console while actively working in Conformity.
conformity_whats_new 70
Bug Fix
- S3-028: Enable S3 Bucket Keys: Fixed a bug where the Template Scanner results displayed the error message `cannot read properties of undefined (reading 'filter')` on scanning the rule.
- Fixed a bug where the Template Scanner returned checks for the following rules on scanning a CloudFormation template without the required number of instances:
- ELB-001: Unused Elastic Load Balancers
- ELB-010: ELB Minimum Number of EC2 Instances
conformity_whats_new 71
Upcoming changes to AWS IAM Scanning
We will soon change how Conformity scans AWS IAM resources. In preparation, you will need to update your Conformity Custom Policy and ensure you have the permission `iam:GetAccountAuthorizationDetails`. This permission was first added on 19 January 2022 as part of v1.35. If you are missing the permission, you may lose IAM checks.
Reminder: Update Conformity AWS Custom Policy
The latest Conformity Custom Policy is v1.40. Click here to access the new custom policy.
Conformity requires up-to-date permissions to properly scan your AWS account. Please refer to our documentation on keeping your AWS custom policy up to date.
To be notified of out of date permissions, you can also refer to the following rules:
conformity_whats_new 72
Bug Fix
VirtualMachines-015: Enable System-Assigned Managed Identities: Fixed a bug where the rule generated false positive checks while configuring both the system-assigned managed identities and user-assigned identities simultaneously.
conformity_whats_new 73
Changes to AWS IAM Scanning
We have changed how Conformity scans AWS IAM resources. Please ensure you have the permission `iam:GetAccountAuthorizationDetails`. This permission was first added on 19 January 2022 as part of v1.35 of the AWS custom policy. The latest version of the AWS custom policy is v1.40. If you are missing the permission, you may lose IAM checks.
conformity_whats_new 74
Bug Fixes and Enhancements
- Fixed a bug that prevented users from uploading their organisation logo.
- Removed Organisation Details from the Administration screen for Cloud One Users, as these details are managed at the Cloud One level.
conformity_whats_new 75
The following update is now available with Conformity's latest release on 11 April 2023.
Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.41 and the permission added is:
- `rds:DescribeDBParameterGroups`
Click here to access the new custom policy.
conformity_whats_new 76
The following compliance standards now support GCP and have been updated for AWS and Azure:
- NIST Cyber Security Framework v1.1
- Update System and Organization Controls 2 (SOC 2)
New Rule
AWS
Lambda-010: Enable IAM Authentication for Lambda Function URLs: This rule ensures that your function URLs are secured with IAM authentication (AWS_IAM) allowing only authenticated IAM users and roles to invoke your Amazon Lambda functions via function URLs.
conformity_whats_new 77
New Rule
AWS
- Lambda-011: Lambda Function URL Not in Use: Check whether your Amazon Lambda functions are configured with function URLs for HTTP(S) endpoints. A function URL creates a direct HTTP(S) endpoint to your function and this may pose a security risk depending on the security configuration and intention of the function.
- You can now configure a rule's setting to allow exceptions based on Resource IDs up to 256 characters.
conformity_whats_new 78
Bug Fix
KMS-006: KMS Cross Account Access: Fixed a bug where the Template Scanner bypassed the Account settings - Include as friendly AWS accounts > All within this AWS Organization and All within this Conformity organization.
conformity_whats_new 79
Bug Fix
Fixed a bug to ensure that the Conformity Template Scanner can handle default behaviours of the parameter SqsManagedSseEnabled
for the following rules:
- SQS-004: Queue Unprocessed Messages
- SQS-005: SQS Encrypted With KMS Customer Master Keys
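The SQS-005 update in release 50 (SSE-SQS now fails the customer-managed-key rule) and the `SqsManagedSseEnabled` default handling fixed above both turn on the same question: which of the SQS encryption options does a queue actually end up with? The following added example, written for this page and not Conformity's Template Scanner logic, derives that state for every `AWS::SQS::Queue` in a CloudFormation template and maps it to SQS-004/SQS-005 style results. It assumes AWS's documented CloudFormation default that a queue with neither `KmsMasterKeyId` nor `SqsManagedSseEnabled` set receives SSE-SQS encryption, and treats an intrinsic reference (`Ref`/`GetAtt`) in `KmsMasterKeyId` as a customer-created key. The template is constructed sample input.

```python
"""Derive the server-side encryption state of AWS::SQS::Queue resources in a
CloudFormation template and map it to SQS-004 / SQS-005 style results.
Added example; not Conformity's Template Scanner. Assumes AWS's documented
CloudFormation default: with neither KmsMasterKeyId nor SqsManagedSseEnabled
set, the queue gets SSE-SQS encryption."""
import json

AWS_MANAGED_SQS_KEY = "alias/aws/sqs"   # the AWS-managed key, not a customer CMK


def encryption_mode(props):
    """Return one of: SSE-KMS-CMK, SSE-KMS-AWS, SSE-SQS, NONE."""
    key = props.get("KmsMasterKeyId")
    if key:
        # An intrinsic function (a dict such as {"Ref": "..."}) points at a key
        # the template creates or imports, so it is treated as a customer key.
        if isinstance(key, dict) or key != AWS_MANAGED_SQS_KEY:
            return "SSE-KMS-CMK"
        return "SSE-KMS-AWS"
    sse_sqs = props.get("SqsManagedSseEnabled")
    if sse_sqs is None:        # property omitted: assumed default is SSE-SQS
        return "SSE-SQS"
    # CloudFormation booleans may arrive as true/false or "true"/"false".
    return "SSE-SQS" if str(sse_sqs).lower() == "true" else "NONE"


def evaluate_queue(logical_id, props):
    mode = encryption_mode(props)
    return {
        "logicalResourceId": logical_id,
        "mode": mode,
        # Server Side Encryption rule: any server-side encryption satisfies it.
        "SQS-004": "SUCCESS" if mode != "NONE" else "FAILURE",
        # Customer Master Key rule: only a customer-managed KMS key passes;
        # SSE-SQS and the AWS-managed key both fail.
        "SQS-005": "SUCCESS" if mode == "SSE-KMS-CMK" else "FAILURE",
    }


def evaluate_template(template):
    """Evaluate every AWS::SQS::Queue in the template, keyed by logical id."""
    return {
        name: evaluate_queue(name, res.get("Properties") or {})
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::SQS::Queue"
    }


# Constructed sample template covering each encryption configuration.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "DefaultQueue": {"Type": "AWS::SQS::Queue"},
    "SseSqsQueue":  {"Type": "AWS::SQS::Queue",
                     "Properties": {"SqsManagedSseEnabled": true}},
    "PlainQueue":   {"Type": "AWS::SQS::Queue",
                     "Properties": {"SqsManagedSseEnabled": false}},
    "AwsKeyQueue":  {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "CmkQueue":     {"Type": "AWS::SQS::Queue",
                     "Properties": {"KmsMasterKeyId": {"Ref": "QueueKey"}}},
    "QueueKey":     {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}}
  }
}
""")

if __name__ == "__main__":
    for result in evaluate_template(SAMPLE_TEMPLATE).values():
        print(result)
```

Note that `PlainQueue` is the only queue that fails SQS-004, while `DefaultQueue`, `SseSqsQueue` and `AwsKeyQueue` all pass SQS-004 but fail SQS-005: encrypted, but not with a key whose policy and rotation you control.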
conformity_whats_new 80
Rule Deprecation Notice
As of 20 April 2023, Conformity has deprecated the following rules:
AWS
- Sagemaker-003: Notebook Data Encrypted
- IAM-047: Master and Manager Roles
- EC2-014: Security Group Rules Count
- S3-021: S3 Bucket Default Encryption
Azure
- Monitor-001: Azure Activity Log Profile in Use
- Monitor-002: Activity Log Retention
- Monitor-004: Activity Log All Regions
You can find summaries of the reasons we deprecated each rule via the knowledge base articles linked above.
Click here to learn more about rule deprecation.
conformity_whats_new 81
Bug Fixes
- Fixed a bug where users were being logged out of the Cloud One console while actively working in Conformity.
conformity_whats_new 82
Bug Fix
- Fixed a bug to support exceptions via tags while generating checks for the following Rules:
- RDS-023: Amazon RDS Public Snapshots
- RDS-040: Enable RDS Snapshot Encryption
conformity_whats_new 83
Custom Policy Update
The Conformity AWS custom policy has been updated as a result of deprecation of the following permissions by AWS. The new custom policy version is 1.42 and the permissions removed are:
- `aws-portal:ViewBilling`
- `aws-portal:ViewUsage`
- `budgets:ViewBudget`
Click here to access the new custom policy.
conformity_whats_new 84
Bug Fix
- StorageAccounts-008: Enable Trusted Microsoft Services for Storage Account Access: Updated the rule logic to ensure accurate checks.
conformity_whats_new 85
Bug Fix
AKS-001: Enable Kubernetes Role-Based Access Control: Fixed a bug where the rule generated failure checks for a cluster with RBAC enabled.
conformity_whats_new 86
Introducing New API Endpoints for Access Control (Conformity Custom Roles):
- Create a role: `POST /access-control/roles/`
- Update a role: `PATCH /access-control/roles/{roleId}`
- List all roles: `GET /access-control/roles`
- Describe a role: `PATCH /access-control/roles/{roleId}`
conformity_whats_new 87
Bug Fix
- Fixed a bug where the `Tags` column in the CSV report replaced `::` with `=`. In addition, we have introduced a new column, `TagObjects`, to avoid any ambiguity of key-value pairs in the `Tags` column.
conformity_whats_new 88
RTM for Google Cloud Platform (GCP)
You can now set up Real-Time Threat Monitoring and monitor events on your Google Cloud Platform (GCP) accounts in Trend Cloud One - Conformity. For details, see Real-time Monitoring Settings.
conformity_whats_new 89
Rule Update
Advisor-001: Check for Azure Advisor Recommendations: Updated the scanning and display of Azure Advisor Findings to accurately reflect the latest functionality in the Azure Advisor service.
conformity_whats_new 90
Bug Fixes
Fixed a bug to produce accurate checks for the following GCP Cloud Logging rules:
- CloudLogging-001: Enable Monitoring for Bucket Permission Changes
- CloudLogging-002: Enable VPC Network Route Changes Monitoring
- CloudLogging-003: Enable VPC Network Changes Monitoring
- CloudLogging-004: Enable Monitoring for Custom Role Changes
- CloudLogging-007: Enable Monitoring for Audit Configuration Changes
conformity_whats_new 91
Rule Update
SecurityCenter-020: Microsoft Defender for Cloud Recommendations:
- Updated the rule logic to reflect the latest Assessments in Microsoft Defender for Cloud.
conformity_whats_new 92
We've improved the access validation for the following Access Control Public APIs so that they can be called by Cloud One Admin users only:
- Create a Role
- Update a Role
- Get all Roles
- Describe a Role
conformity_whats_new 93
Bug Fix
Updated the Template Scanner where several resources were not being remediated for the following rules:
- RG-001: Tags
- EBS-006: EBS Volume Naming Conventions
- EC2-035: EC2 Instance Naming Conventions
- EC2-036: Security Group Naming Conventions
conformity_whats_new 94
Bug Fix
- Fixed a bug where AWS GovCloud could not be enabled or disabled in the Conformity Bot settings.
conformity_whats_new 95
Introducing a new API Endpoint for Access Control (Conformity Custom Roles):
- Delete a role: `DELETE /access-control/roles/{roleId}`
conformity_whats_new 96
Bug Fix
Fixed a bug to produce accurate checks for the following AWS IAM rules:
- IAM-001: Access Keys Rotated 30 Days
- IAM-002: Access Keys Rotated 45 Days
- IAM-038: Access Keys Rotated 90 Days
conformity_whats_new 97
Rule Update
EC2-033: Unrestricted Outbound Access:
- Updated the rule to support an allowlist for the unconfigurable Security Groups.
conformity_whats_new 98
- Servicenow Integration Update: We've updated the settings to allow users to set up a ServiceNow integration without delete permissions.
conformity_whats_new 99
Rule Update
Monitor-005: Check for Publicly Accessible Activity Log Storage Container:
- Updated the rule to support Azure diagnostic settings. Diagnostic settings are the preferred way to capture Azure Monitor logs and it's recommended to ensure the target storage container for diagnostic settings logs is not publicly accessible.
conformity_whats_new 100
Trend Cloud One™ - Template Scanner Github app
CloudFormation Templates
We have increased support to 35 AWS resource types scanned (previously 8 supported), and increased rule coverage to over 250 rules (previously 45 supported).
Terraform
We have increased rule coverage to over 85 rules (previously 45 supported).
For more information, please refer to the documentation.
conformity_whats_new 101
Bug Fix
Fixed a bug to produce accurate checks for the following AWS IAM rules:
- IAM-003: Credentials Last Used
conformity_whats_new 102
Bug Fix
- S3-023: S3 Object Lock: Fixed a bug so that the Template Scanner returns no checks when both `Days` and `Years` are set in the `ObjectLockConfiguration`.
conformity_whats_new 103
We've added the HIPAA compliance standard to support GCP rules and also updated the standard to the latest version i.e. HIPAA Feb-2023 for AWS and Azure rules.
conformity_whats_new 104
Rule Update
You can now disable specific regions from the Rule configuration settings and exclude them from generating checks for the following AWS rules:
- Config-001: AWS Config Enabled
- CT-001: CloudTrail Enabled
- GD-001: GuardDuty Enabled
conformity_whats_new 105
Incident Update: Trend Cloud One Conformity Recorded Reduced Usage for Customers with Metered Consumption Billing
An incident affecting Conformity consumption billing reduced the expected billing charges for some accounts with S3, IAM, EC2, and Azure Monitor resources.
This led to incorrectly excluding resource counts during the incident. As a result, account consumption tiers may have been temporarily changed to a lower tier.
Affected Regions
All
Impact
Intermittent reduction in usage charges between 21 August 2021 to 7 June 2023 for some customers using consumption billing.
Resolution
We’re working on deploying a fix for the bug that caused the drop in usage. As a result, you may see an increase in your Conformity consumption and, consequently, your charges once we deploy the bug fix. Watch out for the bug fix update on our What’s New page.
conformity_whats_new 106
New Rule
GCP
- CertificateManager-001: SSL certificates validity period: This rule ensures that the SSL certificates are renewed within the appropriate validity period.
conformity_whats_new 107
Introduced a system improvement to increase the efficiency of scanning cloud accounts with large numbers of resources.
Please note: some accounts with a large number of resources may experience a brief disruption in scheduled Conformity Bot scans while the change is being rolled out. The system will recover and return to normal within 2 hours.
conformity_whats_new 108
Bug Fix
Reduced Consumption Billing: Fixed a bug where Conformity consumption billing reduced the expected billing charges for some accounts with S3, IAM, EC2, and Azure Monitor resources. As a result of the bug fix, you may see an increase in your Conformity consumption and, consequently, your billing charges.
conformity_whats_new 109
Bug Fix
- CosmosDB-003: Restrict Default Network Access for Azure Cosmos DB Accounts: Updated the rule logic to incorporate public network setting to avoid false negatives.
conformity_whats_new 110
Bug Fix
- RDS-005: RDS Encrypted With KMS Customer Master Keys: Fixed a bug with Template Scanner to return correct scan results for CMK encrypted RDS.
conformity_whats_new 111
New Rule
GCP
- CloudStorage-005: Define index page suffix and error page for the bucket website configuration: This rule ensures that the bucket website configuration includes a main page suffix and an error page.
conformity_whats_new 112
New Rule
GCP
- ComputeEngine-013: Configure load balancers for Managed Instance Groups: This rule ensures that Managed Instance Groups (MIGs) are associated with load balancers.
conformity_whats_new 113
Bug Fix
- S3-018: DNS Compliant S3 Bucket Names: Fixed a bug to return correct check results when the S3 bucket resource sets the DNS compliant bucket name.
conformity_whats_new 114
Bug Fix
- Fixed a bug that limited Conformity Bot from scanning the RDS Snapshots accurately.
conformity_whats_new 115
Bug Fix
- Fixed a bug where some users belonging to Organisations in the `us-west-2` region were not receiving their weekly summary emails.
conformity_whats_new 116
We’re moving the Conformity User Interface to Dark Mode on 12 July 2023 to align with Trend’s brand identity and be consistent with the user experience and messaging across all assets and standards.
conformity_whats_new 117
Bug Fix
- Fixed a bug where active users without an email were showing up on the email recipient list when sending a failed rule resolution email or when setting up an email communication channel.
conformity_whats_new 118
Bug Fix
- Fixed a bug with the Conformity Bot's scanning where STS was disabled in at least one AWS region.
conformity_whats_new 119
Trend Cloud One Conformity - Dark Mode Released
We’ve moved the Conformity User Interface to Dark Mode to align with Trend’s brand identity and be consistent with the user experience and messaging across all assets and standards.
conformity_whats_new 120
Rule Update
Updated the following security policy rules to be configurable and to reflect the latest TLS versions:
- ELBv2-003: ELBv2 ALB Security Policy
- ELBv2-009: Network Load Balancer Security Policy
- CF-006: CloudFront Security Policy
- ELB-004: ELB Security Policy
- ELB-015: Web-Tier ELB Security Policy
- ELB-016: App-Tier ELB Security Policy
conformity_whats_new 121
New Rule
Azure
- StorageAccounts-023: Private Endpoint in Use: This rule ensures that private endpoints are used to access Microsoft Azure Storage accounts.
conformity_whats_new 122
Bug Fix
- Fixed a bug where some customers could not download their organization's historical reports. We've made every effort to restore the maximum number of historical reports, but could not recover all.
conformity_whats_new 123
Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.43 and the permissions added are:
- ecs:DescribeClusters
- ecs:ListTagsForResource
Click here to access the new custom policy.
conformity_whats_new 124
New Rule
Azure
- AccessControl-003: Subscription Administrator Custom Role: This rule ensures that there are no custom subscription administrator roles within your Microsoft Azure cloud account.
conformity_whats_new 125
Bug Fix
- Fixed a bug that prevented users from updating the AWS Conformity Bot settings with disabled AWS Gov Cloud regions.
conformity_whats_new 126
New Rules
Azure
- Monitor-011: Configure Application Insights: This rule ensures that an Application Insights resource is created within your Azure cloud account.
- PostgreSQL-014: Disable "Allow access to Azure services" for PostgreSQL database servers: This rule ensures that any access from Azure services to Azure PostgreSQL database servers is disabled.
- Network-026: Bastion Host in Use: This rule ensures that the Azure Bastion service is used within your Microsoft Azure cloud account.
- Subscriptions-004: Basic/Consumption SKU Should not be Used in Production: This rule ensures that the Basic/Consumption SKU is not used for Azure cloud resources that need to be monitored, for example, production workloads.
conformity_whats_new 127
Rule Update
CF-006: CloudFront Security Policy
- Updated the rule to be compliant with the latest security policy.
conformity_whats_new 128
Rule Update
Fixed an issue with the way we scan AWS CloudFront resources to provide a more accurate and complete set of checks.
- CF-001: CloudFront In Use
- CF-002: CloudFront Insecure Origin SSL Protocols
- CF-003: CloudFront Traffic To Origin Unencrypted
- CF-004: CloudFront Integrated With WAF
- CF-005: CloudFront Logging Enabled
- CF-006: CloudFront Security Policy
- CF-007: CloudFront Viewer Protocol Policy
- CF-008: CloudFront Geo Restriction
- CF-009: CloudFront Compress Objects Automatically
- CF-011: FieldLevel Encryption
- CF-012: Use CloudFront Content Distribution Network
conformity_whats_new 129
New Rule
Azure
- StorageAccounts-024: Enable Infrastructure Encryption: This rule ensures that infrastructure encryption is enabled for Microsoft Azure Storage accounts.
Rules' Mapping Update for Compliance Standards
- We've updated the Rule mappings to be compliant with the NIST 800-53 Rev.5, APRA CPS 234 and CIS Controls Version 8 Compliance and Standard Reports.
conformity_whats_new 130
Rule Update
Network-003: Enable Azure Network Watcher: You can now Add or Remove Azure regions from the rule Settings in addition to a default list of regions we've included in the rule. We've also updated the rule to return a failure if the Network Watcher service isn't enabled for all the configured Azure regions.
conformity_whats_new 131
Custom Compliance Standards
We’re excited to share that you can now preview Custom Compliance Standards through the Conformity API endpoints. For details, see our help documentation.
conformity_whats_new 132
Rule Update
CFM-006: CloudFormation Stack With IAM Role: Updated the rule to generate a failure check if the policy allows all actions on all resources.
conformity_whats_new 133
Bug Fixes
S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: Updated the rule to identify KMS keys properly.
conformity_whats_new 134
IMPORTANT: Standalone Conformity SSO Certificate Expiry
The current Conformity SSO certificate will expire on Thursday 17 August 2023 at 09:41:05 UTC. Follow the instructions on this help page for actions that you may need to take to switch to the new certificate. Trend Micro support will be reaching out to customers affected.
Customers using Cloud One SSO are unaffected.
conformity_whats_new 135
Rule Update
CloudSQL-001: Check for Cloud SQL Database Instances with Public IPs: Updated the rule to align more closely with CIS GCP v2.0 Control 6.2.9.
conformity_whats_new 136
New Rules
GCP
- CloudSQL-030: Configure "log_min_messages" Flag for PostgreSQL Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_min_messages" flag.
conformity_whats_new 137
New Rules
GCP
- CloudAPI-005: API Keys Should Only Exist for Active Services (Not Scored): This rule ensures that there are no API keys in use within your Google Cloud projects.
conformity_whats_new 138
New Rule
GCP
- CloudSQL-031: Configure "log_error_verbosity" Flag for PostgreSQL Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the "log_error_verbosity" flag.
conformity_whats_new 139
Bug Fix
- EBS-002: EBS Encrypted With KMS Customer Master Keys: Updated the rule logic to validate the EBS volumes correctly.
conformity_whats_new 140
Custom Rule Updates
When creating a new custom rule, there is now an option to specify a rule slug that will yield a custom rule ID combining the CUSTOM prefix and the slug provided. The slug must be unique across the organization, up to 200 characters long, and comprise only alphanumeric characters, `-` and `_`, without spaces.
conformity_whats_new 141
Bug Fix
Updated the way we scan GCP Resource Manager service to reduce API throttling with the following rules:
- ResourceManager-001: Disable User-Managed Key Creation for Service Accounts
- ResourceManager-002: Disable Automatic IAM Role Grants for Default Service Accounts
- ResourceManager-003: Enforce Uniform Bucket-Level Access
conformity_whats_new 142
We've updated the GCP Conformity Bot; it no longer scans GCP projects that have been shut down.
conformity_whats_new 143
- We've renamed the 'Conformity Report' to the 'Cloud Posture Report' to align with Trend's brand messaging.
Rule Update
Lambda-001: Lambda Runtime Environment Version: Updated the rule with a default 'Latest runtime version' list, configurable from the Rule Settings, to ensure that the latest version of the execution environment is used for your Amazon Lambda functions.
conformity_whats_new 144
New Rule
Azure
- SecurityCenter-041: Microsoft Defender for Cloud Security Alerts: This rule ensures that Microsoft Defender for Cloud security alerts are examined and resolved.
- Known issue: We have an existing issue with the new rule where alerts that are in progress status will be displayed as active. We'll share an update as soon as this is resolved.
conformity_whats_new 145
Introduced a system improvement to increase the efficiency of scanning cloud accounts with large numbers of resources.
Please note: some accounts with large number of resources may experience a brief disruption in scheduled Conformity Bot scans while the change is being rolled out. The system will recover and return to normal within 2 hours.
conformity_whats_new 146
You can now use our new AI Assistant for the Knowledge base and Help pages to get the most out of Conformity and help improve your cloud infrastructure.
conformity_whats_new 147
Integrate Trend Cloud One - Conformity with Trend Vision One
Trend Cloud One - Conformity customers
You can now integrate Conformity with Trend Vision One by signing up for a 30 day fully customizable Trend Vision One trial. Once you sign-up or you've already signed up with Trend Vision One, you can integrate Conformity with Trend Vision One > Risk Insights using an API key.
For step-by-step instructions, see the help page: Integrating Trend Vision One Conformity with Trend Vision One.
Haven't Signed up for Conformity
If you haven't signed up for Conformity yet, please follow the Conformity AWS Data Source Setup guide and follow the steps in the help page linked above.
Conformity Standalone (Legacy Customers)
Refer to the Conformity Standalone (Legacy) Customers section in the help page linked above.
conformity_whats_new 148
Rule Update
GCP
- ComputeEngine-003: Disable Interactive Serial Console Support: Updated the rule to identify the "Enable connecting to serial ports" configuration setting status properly.
conformity_whats_new 149
Rule Update
Azure
- SecurityCenter-001: Enable Microsoft Defender Standard Pricing Tier: Updated the rule enabling you to configure 'Resource Types' validation from the 'Rule Settings'.
conformity_whats_new 150
Rule Update
GCP
- ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses: Updated the rule to identify the VM instance network interface access configuration status accurately.
conformity_whats_new 151
Our AI Assistants for the Knowledge base and Help pages can now answer questions in 85 languages including English, Spanish, French, German, Portuguese, Italian, Dutch, Russian, Arabic, and Chinese.
conformity_whats_new 152
New Rule
Azure
- SQL-019: Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys: This rule ensures that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs).
conformity_whats_new 153
New Rule
Azure
- Synapse-001: Enable Transparent Data Encryption for Azure Synapse Analytics Dedicated SQL Pools: This rule ensures that Transparent Data Encryption (TDE) is enabled for dedicated SQL pools in Azure Synapse Analytics.
conformity_whats_new 154
Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.44 and the permissions added are:
- ec2:DescribeTransitGatewayPeeringAttachments
- ec2:SearchTransitGatewayRoutes
- ec2:DescribeTransitGatewayRouteTables
- ec2:DescribeTransitGateways
Click here to access the new custom policy.
conformity_whats_new 155
Rule Update
AWS
- Lambda-001: Lambda Using Latest Runtime Environment: Updated the rule title from 'Lambda Runtime Environment Version' to 'Lambda Using Latest Runtime Environment'.
New Rules
AWS
- Lambda-012: Lambda Using Supported Runtime Environment: This rule ensures that you always use a supported environment version for your Amazon Lambda functions in order to avoid AWS end-of-support timeframes.
conformity_whats_new 156
Rule Update
AWS
You can now disable specific regions from the Rule configuration settings and exclude them from generating checks for the following AWS rules:
- IAM-065: IAM Access Analyzer in Use
- EBS-014: EBS default encryption
- Macie2-003: Amazon Macie Discovery Jobs
- SecurityHub-002: Security Hub Enabled
conformity_whats_new 157
Rules' Mapping Update for Compliance Standards
- We've updated the Rule mappings to be compliant with the ISO 27001:2022 and AWS Well-Architected Framework Compliance and Standard Reports.
conformity_whats_new 158
- RDS-041: Enable Instance Storage AutoScaling: Fixed a bug with the Template Scanner to support the `MaxAllocatedStorage` property in the RDS DBInstance resource.
conformity_whats_new 159
Rules' Mapping Update for Compliance Standards
- We've updated the Rule mappings to be compliant with the NIST Cybersecurity Framework and ISO 27001 Compliance and Standard Reports.
conformity_whats_new 160
Rule Update
AWS
Updated the following rules to interact optimally with AWS regions with restricted permissions in Conformity:
- Config-001: AWS Config Enabled
- CT-001: CloudTrail Enabled
- GD-001: GuardDuty Enabled
conformity_whats_new 161
We've introduced a new operator, `dateComparison`, for Custom Rules. This operator enables the creation of custom rules that interact with date strings in resources. Within this operator, we've added two sub-operators: `olderThan` and `within`. You can use this operator to determine whether a date string is older than a specific date or falls within a certain time frame.
For more information, see
conformity_whats_new 162
Rule Update
Azure
VirtualMachines-024: Enable Performance Diagnostics for Azure Virtual Machines: Updated this rule to support Windows and unsupported Linux VMs.
conformity_whats_new 163
Rules' Mapping Update for Compliance Standards
- We've updated the Rule mappings to be compliant with the System and Organization Controls 2 (SOC 2) Compliance and Standard Reports.
Rule Update
Azure
- AppService-012: Enable FTPS-Only Access: Updated this rule to resolve a case-sensitivity issue and avoid false negatives.
AWS
The following rules won't generate checks for security groups that are shared from other accounts.
- EC2-001: Security Group Port Range
- EC2-002: Unrestricted SSH Access
- EC2-003: Unrestricted RDP Access
- EC2-004: Unrestricted Oracle Access
- EC2-005: Unrestricted MySQL Access
- EC2-006: Unrestricted PostgreSQL Access
- EC2-007: Unrestricted DNS Access
- EC2-008: Unrestricted MsSQL Access
- EC2-012: Security Group Excessive Counts
- EC2-013: Security Group Large Counts
- EC2-014: Security Group Rules Counts
- EC2-032: SecurityGroup RFC 1918
- EC2-033: Unrestricted Security Group Egress
- EC2-034: Unrestricted Security Group Ingress on Uncommon Ports
- EC2-036: Security Group Naming Conventions
- EC2-038: Unrestricted Telnet Access
- EC2-039: Unrestricted SMTP Access
- EC2-040: Unrestricted RPC Access
- EC2-041: Unrestricted NetBIOS Access
- EC2-042: Unrestricted FTP Access
- EC2-043: Unrestricted CIFS Access
- EC2-044: Unrestricted ICMP Access
- EC2-045: Unrestricted MongoDB Access
- EC2-059: Descriptions for Security Group Rules
- EC2-061: Security Group Name Prefixed With 'launch-wizard'
- EC2-063: Unrestricted Elasticsearch Access
- EC2-064: Unrestricted HTTP Access
- EC2-065: Unrestricted HTTPS Access
- EC2-074: Check for Unrestricted Redis Access
- EC2-075: Check for Unrestricted Memcached Access
- RG-001: Tags
Shared security groups won't be considered by the following rules:
- EC2-015: EC2 Instance Security Group Rules Counts
- ELB-007: ELB Security Group
conformity_whats_new 164
Updated Compliance Standards: CIS Foundations Benchmarks
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for AWS, Azure and GCP. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Amazon Web Services Foundations Benchmark v2.0.0
- CIS Microsoft Azure Foundations Benchmark v2.0.0
- CIS Google Cloud Platform Foundation Benchmark v2.0.0
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
conformity_whats_new 165
Rule Update
AWS
GD-001: GuardDuty Enabled: Updated the rule to support all regions.
conformity_whats_new 166
Rule Update
Azure
CosmosDB-003: Restrict Default Network Access for Azure Cosmos DB Accounts: Updated this rule to skip virtual network validation to avoid false negatives.
conformity_whats_new 167
Template Scanner - Terraform plans: Fixed a bug to ensure that the Template Scanner continues scanning in the event of missing or empty attributes from certain rules in the template.
conformity_whats_new 168
Rules Update
AWS
RG-001: Tags: Updated the rule to add the following resource types to support tags:
- EC2 Key Pair
- EC2 Reserved Instance
- ECS Cluster
- ECS Container Instance
- ECS Services
- ECS Task Definition
- EKS Cluster
- Lambda Function
- Neptune DB Cluster
- RDS DB Cluster
- RDS DB Snapshot
- RDS Event Subscription
- RDS Reserved DB Instance
- VPC Egress-Only Internet Gateway
- VPC Endpoint
- VPC Internet Gateway
- VPC NAT Gateway
- VPC Peering Connection
- VPC Route Table
- VPC Subnet
- VPC Transit Gateway
- VPC Transit Gateway Attachment
- VPC Transit Gateway Route Table
- VPC VPN Connection
- VPC VPN Gateway
conformity_whats_new 169
Bug Fix
AWS
- Fixed a bug impacting IAM certificates, which affected the following rules:
- IAM-018: SSL/TLS Certificate Expiry 7 Days
- IAM-019: SSL/TLS Certificate Expiry 30 Days
- IAM-020: SSL/TLS Certificate Expiry 45 Days
- IAM-021: Expired SSL/TLS Certificate
- IAM-033: Pre-Heartbleed Server Certificates
- IAM-059: Server Certificate Signature Algorithm
- IAM-062: AWS IAM Server Certificate Size
GCP
- CloudLogging-001: Enable Monitoring for Bucket Permission Changes: Updated the rule to validate the alerting policy correctly.
conformity_whats_new 170
We've updated all instances of the term 'Azure AD' to 'Microsoft Entra ID' in Trend Cloud One - Conformity and Standalone UI, Online help and API documentation following an update from Microsoft in July 2023. For details, see: Microsoft's Glossary of Updated Terminology.
conformity_whats_new 171
We've added sanity checking to produce more accurate results while scanning a Terraform template with an invalid format in the Template Scanner.
conformity_whats_new 172
Bug Fix
GCP
- Fixed a bug impacting the following CloudLogging rules:
- CloudLogging-001: Enable Monitoring for Bucket Permission Changes
- CloudLogging-002: Enable VPC Network Route Changes Monitoring
- CloudLogging-003: Enable VPC Network Changes Monitoring
- CloudLogging-004: Enable Monitoring for Custom Role Changes
- CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes
- CloudLogging-006: Enable Monitoring for Firewall Rule Changes
- CloudLogging-007: Enable Monitoring for Audit Configuration Changes
- CloudLogging-008: Enable Project Ownership Assignments Monitoring
Rules Update
GCP
CloudIAM-001: Restrict Administrator Access for Service Accounts:
- Updated the rule to accurately exclude Google-managed service accounts.
- Updated the rule to display the number of service accounts associated with each role. Additionally, detailed information will only be shown for roles that have fewer than 5 service accounts.
conformity_whats_new 173
Custom Policy Update
The Conformity AWS custom policy was updated on 5.12.2023 at 09:59 AEST. The new custom policy version is 1.45 and the permissions added are:
- ecr:DescribeImages
- lambda:ListLayers
Click here to access the new custom policy.
conformity_whats_new 174
New resources supported by Template Scanner
Template Scanner and the Template Scanner API now support scanning the Terraform ECR repository resource.
conformity_whats_new 175
Rules' Mapping Update for Compliance Standards
- We've updated the Rule mappings to be compliant with the NIS Europe Compliance and Standard Reports.
Rules Update
AWS
IAM-042: Hardware MFA for AWS Root Account: Updated this rule to a not-scored rule. AWS can now support multiple virtual and hardware MFA devices on the root account. It is no longer possible to conclusively determine the presence of a hardware MFA device on the root account via API.
Azure
Advisor-001: Check for Azure Advisor Recommendations: Updated the extra data within the check message to improve the identification of the check and its corresponding recommendation.
conformity_whats_new 176
Bug Fix
- Monitor-005: Check for Publicly Accessible Activity Log Storage Container: Fixed a bug that was inhibiting the checks being created by the scanner.
conformity_whats_new 177
New Rules
AWS
Lambda-013: Function in Private Subnet: This rule ensures that your Amazon Lambda functions are configured to use private subnets.
Rules Update
AWS
S3-025: S3 Buckets Encrypted with Customer-Provided CMKs: You can now add exceptions to the rule configurations.
DynamoDB-004: AWS KMS Customer Master Keys for Table Encryption: Updated the rule title, description, and check message to clearly distinguish between Customer Managed Keys (CMK) and AWS Managed Keys.
conformity_whats_new 178
New Rules
AWS
Inspector2-001: Enable Amazon Inspector 2: This rule ensures that Amazon Inspector 2 is enabled for your AWS cloud environment.
conformity_whats_new 179
Bug Fix
- RTM-011: Monitor Unintended AWS API Calls: Fixed the regex validation for the rule setting. We advise checking for any existing invalid regex patterns as your configured rule settings will not be modified.
conformity_whats_new 180
Rule Update
- RDS-037: Enable AWS RDS Transport Encryption: Updated the rule to support MySQL, Aurora MySQL, and Aurora PostgreSQL database engines.
conformity_whats_new 181
Compliance standards
Google Cloud Architecture Framework
We now support Google Cloud Architecture Framework (version August 2023) across compliance features for GCP.
conformity_whats_new 182
Custom Policy Update
The Conformity AWS custom policy was updated on 16.01.2024 at 10:59 AEDT. The new custom policy version is 1.46 and the permissions added are:
- rds:DescribeDBClusterParameters
- rds:DescribeDBClusterParameterGroups
Click here to access the new custom policy.
conformity_whats_new 183
Rule Update
- AppService-008: Enable Incoming Client Certificates: Updated the rule to automatically produce a SUCCESS check if HTTP 2.0 is enabled.
Custom Checks Updates
We have made the following updates to the Custom Checks API feature:
- Updated the Custom Checks 'Time-To-Live' (TTL) feature to allow mutability for existing checks, enabling easier stateless management and deletion.
- Introduced a Maximum TTL of 12 months for newly created checks. If no TTL is specified, the value will default to 12 months after the creation date.
- Fixed a bug that resulted in some existing custom checks being incorrectly deleted.
Custom Checks Data Migration
- On Wednesday 31 January (AEDT), we will migrate your existing custom checks to the new TTL system.
- All existing custom checks without a TTL will be updated to include a TTL of 12 months from the update date.
For further details, see Create Custom Checks and Custom Rules vs Conformity Rules.
conformity_whats_new 184
Custom Checks Updates
On Monday 29 January 2024 (AEDT), we introduced the following updates to Custom Checks:
- Allow 'Time-To-Live' (TTL) to be mutable.
- Introduced a default and maximum TTL value of 12 months after the check creation date.
As of Wednesday 31 January (AEDT), we have migrated all existing Custom Checks to use TTL. The affected checks now have a TTL of 12 months from today, at which point they will automatically be deleted.
If you have existing Custom Checks, you can update the TTL value via the Update Check endpoint. If you wish to maintain a Custom Check beyond 12 months, we recommend scheduling an automated API process to keep your Custom Checks up-to-date.
conformity_whats_new 185
Communication Channels Update
Webhook: Enhanced the Webhook Communication Channel to allow custom headers to be used with third-party tools like Splunk.
Rule Update
- Backup-002: Configure AWS Backup Vault Access Policy: Fixed a bug which prevented checks being created for certain backup vaults.
conformity_whats_new 186
Standards and Compliance Reports
On 14 February 2024, the following compliance standards will be deprecated:
- CIS Amazon Web Services Foundations Benchmark v1.2.0
- CIS Amazon Web Services Foundations Benchmark v1.3.0
- CIS Amazon Web Services Foundations Benchmark v1.4.0
- CIS Microsoft Azure Foundations Benchmark v1.1.0
- CIS Google Cloud Platform Foundation Benchmark v1.2.0
These deprecated compliance standards will no longer be accessible in the filters, preventing the creation of new reports or report configurations with these outdated standards. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the CIS Foundations Benchmarks before 14 February 2024.
conformity_whats_new 187
Rule Update
Updated these rules to exclude cross-account evaluation to avoid false positive checks:
- BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys
- BigQuery-003: Enable BigQuery Dataset Encryption with Customer-Managed Encryption Keys
conformity_whats_new 188
GCP account permission list updated
New permission "iam.roles.list" added for "cloudiam-roles" descriptor. For the full list of required GCP permissions, see here.
conformity_whats_new 189
Upcoming Rule Updates
The following rule updates will be released soon. These changes may affect your checks and compliance scores:
AWS
- KMS-002: Key Rotation Enabled: Update to stop incorrect checks for Asymmetric keys.
- Lambda-001: Lambda Using Latest Runtime Environment: Remove 'dotnet7' and add 'dotnet8' to the default recommended list of latest runtime versions.
- Lambda-012: Lambda Using Supported Runtime Environment: Add 'dotnet8' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
GCP
- CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: Update to exclude non-PRIVATE subnets from being incorrectly evaluated by the rule. VPC Flow Logs cannot be enabled for subnets whose purpose is not PRIVATE.
conformity_whats_new 190
Rule Updates
- KMS-002: Key Rotation Enabled: Updated the rule to bypass asymmetric keys for having rotation enabled.
- CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: Updated the rule to exclude non PRIVATE purpose subnets from being incorrectly evaluated. VPC Flow Logs cannot be enabled for subnets whose purpose is not PRIVATE.
conformity_whats_new 191
Standards and Compliance Reports
As of 14 February 2024, the following compliance standards have been deprecated:
- CIS Amazon Web Services Foundations Benchmark v1.2.0
- CIS Amazon Web Services Foundations Benchmark v1.3.0
- CIS Amazon Web Services Foundations Benchmark v1.4.0
- CIS Microsoft Azure Foundations Benchmark v1.1.0
- CIS Google Cloud Platform Foundation Benchmark v1.2.0
These deprecated compliance standards are no longer accessible in the filters, preventing the creation of new reports or report configurations with these outdated standards. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the CIS Foundations Benchmarks.
conformity_whats_new 192
Updated GCP account permission list
We've added the following new GCP account permissions for the "artifactregistry-repositories" descriptor:
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 193
GCP account permission list updated
The following new permissions were added for the "apigateway-gateways" descriptor:
- apigateway.gateways.list
- apigateway.gateways.getIamPolicy
- apigateway.locations.get
For the full list of required GCP permissions, see here.
conformity_whats_new 194
Custom Policy Update
The Conformity AWS Custom Policy has been updated to version 1.47. The new permissions added are:
- `ec2:DescribeTransitGatewayAttachments`
- `backup:ListRecoveryPointsByResource`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 195
Rule Updates
- Lambda-001: Lambda Using Latest Runtime Environment: Removed 'dotnet6' and added 'dotnet8' to the default recommended list of latest runtime versions.
- Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys: Improved the rule logic to generate no check when Lambda functions have no environment variables.
- Lambda-012: Lambda Using Supported Runtime Environment: Added 'dotnet8' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
Rule Deprecation
- EC2-015: EC2 Instance Security Group Rules Counts: The recommendation of limiting security group rules to a certain quota is no longer a best practice. See the knowledge base article for additional context. For more information on rule deprecation, see here.
conformity_whats_new 196
Rule Update
- DynamoDB-005: DynamoDB Backup and Restore: Updated the rule to correctly get backups created with both Amazon DynamoDB and AWS Backup.
conformity_whats_new 197
Updated GCP account permission list
We've added the following new GCP account permissions:
compute.disks.getIamPolicy
compute.disks.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 198
Standards and Compliance Reports
The Azure Well-Architected Framework compliance standard report has been updated to reflect recent updates to Azure's Well-Architected Framework.
Because of substantial changes to the rule mapping, Conformity now supports the following compliance standards:
- Azure Well-Architected Framework (updated October 2023)
- Azure Well-Architected Framework (Deprecated) (updated July 2022)
As of 01 June 2024, the following compliance standards will be deprecated:
- Azure Well-Architected Framework (Deprecated) (updated July 2022)
This deprecated compliance standard will no longer be accessible in the filters, preventing the creation of new reports or report configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest version of the Azure Well-Architected Framework by 01 June 2024.
conformity_whats_new 199
Updated GCP account permission list
We've added the following new GCP account permissions:
datastore.databases.list
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.routers.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 200
Rule Update
This change may affect your checks and compliance scores:
Azure
AppService-016: Enable Application Insights: Updated the rule to handle Application Insights configured using either instrumentation keys or connection strings.
conformity_whats_new 201
Updated GCP account permission list
We've added the following new GCP account permissions:
compute.vpnGateways.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 202
More Terraform resources supported by Template Scanner
We've supported the following Terraform resources in Template Scanner:
- Lambda Function
- Kinesis Stream
- SNS Topic
conformity_whats_new 203
Updated GCP account permission list
We've added the following new GCP account permissions:
networkconnectivity.hubs.list
networkconnectivity.hubs.listSpokes
cloudfunctions.functions.list
cloudfunctions.functions.getIamPolicy
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 204
Updated GCP account permission list
We've added the following new GCP account permissions:
file.instances.list
pubsublite.topics.list
pubsublite.topics.listSubscriptions
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 205
Custom Policy Update
The Conformity AWS Custom Policy has been updated to version 1.48. The new permission added is:
- `cloudwatch:GetMetricData`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 206
Incident Affecting Real-Time Monitoring for AWS
From 11:16 UTC 21 March to 01:10 UTC 25 March, Trend Cloud One Conformity did not receive Real-Time Monitoring events from the AWS region us-east-1. The affected events may include critical IAM service events and resource-based events in your AWS accounts from us-east-1.
We have resolved the issue and sincerely apologize for the inconvenience this may have caused. If you have any more concerns, please feel free to raise a support request.
conformity_whats_new 207
Upcoming Rule Update
These GCP Cloud Logging rules have been updated to accept bucket-based log-based metrics:
- CloudLogging-001: Enable Monitoring for Bucket Permission Changes
- CloudLogging-002: Enable VPC Network Route Changes Monitoring
- CloudLogging-003: Enable VPC Network Changes Monitoring
- CloudLogging-004: Enable Monitoring for Custom Role Changes
- CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes
- CloudLogging-006: Enable Monitoring for Firewall Rule Changes
- CloudLogging-007: Enable Monitoring for Audit Configuration Changes
- CloudLogging-008: Enable Project Ownership Assignments Monitoring
conformity_whats_new 208
Upcoming Rule Update
The change will allow you to add new supported cache node types to the rule settings:
- EC-011: ElastiCache Desired Node Type
conformity_whats_new 209
Updated GCP account permission list
We've added the following new GCP account permissions:
compute.targetVpnGateways.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 210
RTM for AWS
RTM now supports the following rules:
- EKS-001: EKS Cluster Endpoint Public Access: Ensure that AWS EKS cluster endpoint access isn't public and prone to security risks.
- EKS-003: Kubernetes Cluster Logging: Ensure that EKS control plane logging is enabled for your Amazon EKS clusters.
conformity_whats_new 211
Bug Fix
- KeyVault-004: Enable AuditEvent Logging for Azure Key Vaults: Fixed a bug that created failed checks when the audit category group is enabled.
conformity_whats_new 212
Updated GCP account permission list
We've added the following new GCP account permissions:
bigquery.tables.list
bigquery.tables.getIamPolicy
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 213
RTM for AWS
Added the following rule to RTM:
- ECR-003: Enable Scan on Push for ECR Container Images: This rule ensures that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository.
conformity_whats_new 214
Additional Terraform Resources' support in the Template Scanner
We now support the following Terraform resources in the Template Scanner:
- Auto Scaling Group
- CloudFormation Stack
- SQS Queue
conformity_whats_new 215
Rule Updates
- Lambda-001: Lambda Using Latest Runtime Environment: Removed 'ruby3.2' and added 'ruby3.3' to the default recommended list of latest runtime versions.
- Lambda-012: Lambda Using Supported Runtime Environment: Added 'ruby3.3' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 216
Template Scanner updates
- Additional Terraform Resources' support: We now support Terraform resource CloudTrail Trail in the Template Scanner.
- DynamoDB-005: DynamoDB Backup and Restore: Fixed a bug in the Template Scanner to resolve an error returned from the rule when templates are scanned.
conformity_whats_new 217
GCP account permission list updated
New permissions
- apigateway.apis.list
- apigateway.apis.getIamPolicy
For the full list of required GCP permissions, see here.
conformity_whats_new 218
New Rules
Azure
- APIManagement-001: Enable Built-In Response Caching: This rule ensures that built-in response caching is enabled for Microsoft Azure API Management APIs to reduce latency for API callers and backend load for API providers.
- APIManagement-004: Prevent the Exposure of Credentials and Secrets using Encrypted Named Values: This rule ensures that named values are encrypted to prevent the exposure of secrets in Azure API Management.
conformity_whats_new 219
New Rules
Azure
- APIManagement-005: Enable Resource Logs: This rule ensures that Azure API Management API services are configured to use resource logs.
conformity_whats_new 220
New Rules
Azure
- VirtualMachines-041: Enable MFA for Privileged Identities with Access to Virtual Machines: Ensure that only MFA-enabled identities can access your Azure virtual machine (VM) instances.
conformity_whats_new 221
Updated GCP account permission list
We've added the following new GCP account permissions:
compute.regionBackendServices.getIamPolicy
compute.backendServices.getIamPolicy
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 222
Template Scanner Updates
- Additional Terraform Resources' Support: We now support Terraform resource ELBv2 in the Template Scanner.
- Lambda-007: VPC Access for AWS Lambda Functions: Fixed a bug in the Terraform Template Scanner to return correct checks.
conformity_whats_new 223
GCP account permission list updated
New permissions
- alloydb.clusters.list
- alloydb.instances.list
For the full list of required GCP permissions, see here.
conformity_whats_new 224
Azure Custom Role Permissions Update
The Azure permission Microsoft.Storage/storageAccounts/queueServices/queues/read has been removed from the Custom Role template. For the full list of required Azure permissions, see here.
conformity_whats_new 225
GCP account permission list updated
New permissions
- apigateway.apis.get
- apigateway.apiconfigs.list
- apigateway.apiconfigs.getIamPolicy
- servicemanagement.services.get
For the full list of required GCP permissions, see here.
conformity_whats_new 226
New Rules
Azure
- APIManagement-006: Enable Support for HTTP/2: This rule ensures that Azure API Management API gateways are configured to use HTTP/2.
conformity_whats_new 227
Standards and Compliance Reports
The PCI DSS v4 Standards and Compliance report has been updated to reflect the latest rules released for AWS, Azure and GCP.
conformity_whats_new 228
Updated GCP account permission list
We've added the following new GCP account permissions:
- pubsub.topics.get
- pubsub.topics.getIamPolicy
conformity_whats_new 229
Updated GCP project APIs & Account Permissions list
We've added the following new APIs & Account Permissions:
- Apigee API
New permissions:
- apigee.apiproducts.list
- apigee.deployments.list
- apigee.envgroupattachments.list
- apigee.envgroups.list
- apigee.instanceattachments.list
- apigee.instances.list
- apigee.proxies.list
- apigee.proxyrevisions.list
For the full list of required GCP permissions, see here.
conformity_whats_new 230
Upcoming Rule Update
The following rule updates will be released soon. These changes may affect your checks and compliance scores:
AWS
- Lambda-001: Lambda Using Latest Runtime Environment: Removed 'dotnet7' from the default recommended list of latest runtime versions.
- Lambda-012: Lambda Using Supported Runtime Environment: Removed 'dotnet7' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 231
GCP account permission list updated
New permissions
- spanner.instances.getIamPolicy
- spanner.instances.list
- memcache.instances.list
For the full list of required GCP permissions, see here.
conformity_whats_new 232
AWS Custom Policy Update
The Conformity AWS Custom Policy has been updated to version 1.49. The new permission added is:
- `lambda:GetFunction`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 233
New Rule
Azure
- APIManagement-003: Enable Integration with Application Insights: This rule ensures that API Gateway APIs are integrated with application insights for diagnostic logging.
conformity_whats_new 234
New Region
AWS
- The new AWS regions ca-west-1 and il-central-1 are enabled for Conformity.
conformity_whats_new 235
New Rule
Azure
- APIManagement-002: Enforce HTTPS: This rule ensures that Azure API Management APIs are using HTTPS.
conformity_whats_new 236
New Rule
Azure
- APIManagement-007: Check the TLS Version Configured for API Gateways: This rule ensures that Azure API Management API gateways are not configured to use weak and deprecated TLS protocols.
conformity_whats_new 237
Rule Update
Azure
- SecurityCenter-001: Enable Microsoft Defender Standard Pricing Tier: This rule has been updated to no longer check the deprecated KubernetesService resource type.
conformity_whats_new 238
New Rule
Azure
- VirtualMachines-040: Enable Trusted Launch for Virtual Machines: This rule ensures that all Azure Virtual Machines are using the Trusted Launch security feature.
conformity_whats_new 239
GCP account permission list updated
New permissions
- redis.clusters.list
- redis.instances.list
For the full list of required GCP permissions, see here.
conformity_whats_new 240
GCP account permission list updated
Removed the following unused permission:
- apigee.proxyrevisions.list
For the full list of required GCP permissions, see here.
conformity_whats_new 241
Bug Fix
GCP
- CloudSQL-004: Enable SSL/TLS for Cloud SQL Incoming Connections: Fixed a bug where the rule generated false positive checks even when the Cloud SQL instance was correctly configured to allow only SSL connections.
conformity_whats_new 242
Template Scanner Updates
- RDS-035: Cluster Deletion Protection: Fixed a bug where Template Scanner incorrectly reported that DeletionProtection was not enabled. Template Scanner now correctly returns SUCCESS for RDS-035 if DeletionProtection is set to true in CloudFormation.
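The behaviour described in the RDS-035 fix, as an added example (not Conformity's own Template Scanner code): walk a CloudFormation template's Resources, evaluate DeletionProtection for each AWS::RDS::DBCluster and report SUCCESS or FAILURE per logical resource ID. The sample template is constructed for this example; resolving a `Ref` to a template Parameter's Default value, and treating the string spellings "true"/"false" as booleans, are assumptions of the example rather than documented Template Scanner behaviour.

```python
import json

# Resource types that RDS-035 (Cluster Deletion Protection) applies to.
RDS_CLUSTER_TYPES = {"AWS::RDS::DBCluster"}


def _resolve_bool(value, parameters):
    """Resolve a CloudFormation property value to a Python bool.

    Handles the JSON form of !Ref pointing at a template Parameter (resolved to
    the Parameter's Default; an assumption of this example) and the string
    spellings "true"/"false" that CloudFormation accepts for boolean properties.
    """
    if isinstance(value, dict) and "Ref" in value:
        value = parameters.get(value["Ref"], {}).get("Default")
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def check_rds_035(template):
    """Return {logicalResourceId: "SUCCESS" | "FAILURE"} for every DB cluster."""
    parameters = template.get("Parameters", {})
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in RDS_CLUSTER_TYPES:
            continue  # the rule only applies to RDS clusters
        props = resource.get("Properties", {})
        # A missing DeletionProtection property means CloudFormation's default (false).
        enabled = _resolve_bool(props.get("DeletionProtection", False), parameters)
        results[logical_id] = "SUCCESS" if enabled else "FAILURE"
    return results


# Constructed sample template for this example (not from any real deployment).
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "EnableProtection": {"Type": "String", "Default": "true"}
  },
  "Resources": {
    "ProtectedCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-mysql", "DeletionProtection": true}
    },
    "UnprotectedCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-mysql", "DeletionProtection": "false"}
    },
    "DefaultCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-postgresql"}
    },
    "ParameterisedCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {"Engine": "aurora-postgresql",
                     "DeletionProtection": {"Ref": "EnableProtection"}}
    },
    "LogBucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


if __name__ == "__main__":
    for logical_id, status in check_rds_035(SAMPLE_TEMPLATE).items():
        print(f"RDS-035 {logical_id}: {status}")
```

The check only ever reports on cluster resources, so the S3 bucket in the sample produces no check at all; a cluster that omits the property fails, because CloudFormation leaves deletion protection off unless it is set explicitly.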
conformity_whats_new 243
Standards and Compliance Reports
Following up on the previous notification (05 March 2024), as of 03 June 2024, the following compliance standard has been deprecated:
- Azure Well-Architected Framework (Deprecated) (updated July 2022)
This compliance standard is no longer accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest version of the Azure Well-Architected Framework.
conformity_whats_new 244
AWS account permission list updated
Added the following permission:
- wafv2:GetWebACL
conformity_whats_new 245
GCP account permission list updated
New permissions
- compute.subnetworks.getIamPolicy
- compute.instances.getIamPolicy
- iam.serviceAccounts.getIamPolicy
- dataproc.clusters.getIamPolicy
For the full list of required GCP permissions, see here.
conformity_whats_new 246
Standards and Compliance Reports
You can now filter Checks and download Compliance Reports to ensure your AWS, Azure and GCP cloud environments comply with the following standards:
- NIST Cybersecurity Framework v2.0
conformity_whats_new 247
Upcoming Rule Update
The following rule update will be released soon. These changes may affect your checks and compliance scores:
AWS
- Lambda-012: Lambda Using Supported Runtime Environment: Removed 'nodejs16.x' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 248
Template Scanner Updates
- Additional Terraform Resources' Support: We now support the following Terraform resources in Template Scanner:
- APIGateway RestApi
- Elasticsearch Domain
- Redshift Cluster
- EMR Cluster
- ElastiCache Cluster
- EFS File System
- Workspaces
- ELB Classic Load Balancer
conformity_whats_new 249
GCP account permission list updated
New permissions
- apigee.environments.getStats
For the full list of required GCP permissions, see here.
conformity_whats_new 250
Rule Update
AWS
SSM-003: Check for SSM Managed Instances: Fixed a bug that generated false negative checks for a recently created instance despite being correctly managed by the AWS Systems Manager.
conformity_whats_new 251
Bug Fixes
- CSV Reports:
- Fixed a bug in generated CSV reports where values for user selected filters for 'Region', 'Providers' and 'Risk Levels' were not displayed in the same format as the values of the respective data columns of the report.
- Fixed a bug in generated CSV reports where user selected filters for 'Standards & Frameworks controls' were not displayed.
- PDF Reports:
- Fixed a bug in generated PDF reports where user selected filters for 'Rules' were not displayed.
- Fixed a bug in generated PDF reports where user selected filters for 'Categories' and 'Risk Levels' were not displayed in the same format as they appear in the 'List of Performed Checks'.
conformity_whats_new 252
Cloud Functions Runtime Changes for Google Cloud Platform (GCP) RTM
The current Cloud Functions runtime version used for Conformity RTM is Node.js 16 and will be decommissioned by Google Cloud on 30 January 2025. This change will affect Conformity GCP Real Time Monitoring (RTM) configurations but does not immediately affect the existing Conformity customers.
We have updated the GCP Real-Time Monitoring installation template to use the latest 1st generation Runtime version.
Please follow the Real-time Monitoring Settings > RTM for GCP to install RTM for GCP again to upgrade the existing configuration before 30 January 2025.
conformity_whats_new 253
Bug Fixes
- Template Scanner:
Fixed an issue with Terraform Template Scanner where attempting to scan plans which contained only modules and no resources produced an error.
conformity_whats_new 254
**Terraform Template Scanner support for Cloud Formation Template Scanner Resources now Generally Available**
Conformity Terraform Template Scanner is now Generally Available with parity of coverage of the following Cloud Formation Template Scanner resource types:
- Autoscaling Group
- CF Stack
- CloudTrail
- Kinesis Stream
- Lambda Function
- SNS Topic
- SQS Queue
- API Gateway RestAPI
- ELBv2
- ES Domain
- Workspaces
- ELB Classic
- Redshift Cluster
- EMR Cluster
- ElastiCache
- EFS File System
conformity_whats_new 255
Template Scanner Updates
Template Scanner now supports scanning provider-level tags in Terraform AWS provider configuration block.
conformity_whats_new 256
AWS Custom Policy Update
The Conformity AWS Custom Policy has been updated to version 1.51. The new permissions added are:
- `iam:GenerateServiceLastAccessedDetails`
- `iam:GetServiceLastAccessedDetails`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 257
GCP account permission list updated
New permissions
- apigee.proxyrevisions.get
For the full list of required GCP permissions, see here.
conformity_whats_new 258
Standards and Compliance Reports
You can now filter Checks and download Compliance Reports to ensure your AWS, Azure and GCP cloud environments comply with the following standards:
- NIS 2 Directive v2
conformity_whats_new 259
Bug Fix
AWS
RDS-008: RDS Publicly Accessible: Updated the rule logic to validate the security groups correctly.
conformity_whats_new 260
Template Scanner Updates
Template Scanner now supports the aws_s3_bucket_versioning, aws_s3_bucket_acl and aws_s3_bucket_logging Terraform resources.
conformity_whats_new 261
Communication Channels Update
Webhook Communication: You can now allow-list static IP addresses used by Webhook communication channel to ensure reliable connection from Conformity to your webhook endpoint. See Conformity IP addresses for more details.
conformity_whats_new 262
GCP account permission list updated
New permissions
bigtable.instances.list
bigtable.clusters.list
bigtable.instances.getIamPolicy
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 263
New Rule
GCP
- CloudSQL-032: Configure "log_statement" Flag for PostgreSQL Database Instances: This rule ensures that PostgreSQL database instances have the appropriate configuration set for the 'log_statement' flag.
conformity_whats_new 264
Template Scanner Updates
Template Scanner now supports the following Terraform resources:
aws_s3_bucket_policy
aws_s3_bucket_server_side_encryption_configuration
aws_s3_bucket_website_configuration
aws_s3_bucket_lifecycle_configuration
aws_s3_bucket_object_lock_configuration
aws_s3_bucket_accelerate_configuration
conformity_whats_new 265
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.52 and the permissions added are:
- bedrock:ListAgents
- bedrock:GetAgent
- bedrock:ListGuardrails
- bedrock:GetGuardrail
- bedrock:ListCustomModels
- bedrock:GetCustomModel
Click here to access the new custom policy.
conformity_whats_new 266
AWS Custom Policy Update
The Conformity AWS Custom Policy has been updated to version 1.53. The following permissions are removed:
- `iam:GenerateServiceLastAccessedDetails`
- `iam:GetServiceLastAccessedDetails`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 267
Upcoming Rule Update
Azure
- Sql-007: Enable All Threat Detection Types: Improved this rule to handle API timeouts gracefully.
conformity_whats_new 268
Template Scanner Updates
Template Scanner now supports the following Terraform resources.
aws_rds_cluster_instance
aws_security_group
aws_vpc_security_group_ingress_rule
conformity_whats_new 269
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.54 and the permissions added are:
- `bedrock:ListDataSources`
- `bedrock:GetDataSource`
Click here to access the latest custom policy.
For more information, refer to the AWS Custom Policy documentation.
conformity_whats_new 270
- Updated the Replay API endpoint to support replaying checks for an account using organisation-level communication setting.
conformity_whats_new 271
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.55 and the permissions added are:
- bedrock:ListTagsForResource
Click here to access the new custom policy.
conformity_whats_new 272
Updated Compliance Standards: CIS Foundations Benchmarks
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for GCP. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Google Cloud Platform Foundation Benchmark v3.0.0
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
conformity_whats_new 273
Bug Fix
GCP
GKE-002: Enable Encryption for Application-Layer Secrets for GKE Clusters: Updated the rule logic to validate the Application-layer secrets encryption correctly.
conformity_whats_new 274
New Rule
Azure
- MachineLearning-001: Enable High Business Impact for Machine Learning Workspaces: This rule ensures that the High Business Impact (HBI) feature is enabled for Azure Machine Learning (ML) workspaces with sensitive data to limit the data collected by Microsoft Azure for diagnostic purposes.
conformity_whats_new 275
Bug Fix
Azure
- AppService-008: Check that the Azure App requests incoming client certificates: Updated the rule logic to validate the configuration of incoming client certificates correctly.
conformity_whats_new 276
Standards and Frameworks
We have updated the rule mapping by removing rule StorageAccounts-012: Enable Immutable Blob Storage from control 3.12 of the following standards:
- CIS Microsoft Azure Foundations Benchmark v1.5.0
- CIS Microsoft Azure Foundations Benchmark v2.0.0
conformity_whats_new 277
New Rule
Azure
- MachineLearning-003: Use System-Assigned Managed Identities for Azure Machine Learning Workspaces: This rule ensures that Azure Machine Learning workspaces are using system-assigned managed identities.
conformity_whats_new 278
New Rule
AWS
- Bedrock-002: Use Guardrails to Protect Agent Sessions: This rule ensures that your Amazon Bedrock guardrails are protecting agent sessions.
conformity_whats_new 279
New Rule
AWS
- Bedrock-003: Use Customer-Managed Keys to Encrypt Amazon Bedrock Guardrails: This rule ensures that your Amazon Bedrock guardrails are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.
conformity_whats_new 280
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.56 and the permissions added are:
- sagemaker:ListDomains
- sagemaker:DescribeDomain
Click here to access the new custom policy.
conformity_whats_new 281
New Rule
Azure
- SecurityCenter-042: Enable Defender for APIs: This rule ensures that Defender for APIs, a feature of Microsoft Defender for Cloud, is enabled for your Azure API Management services.
conformity_whats_new 282
New Rules
Azure
- MachineLearning-004: Machine Learning Workspace Encryption using Customer-Managed Keys: This rule ensures that Azure Machine Learning workspaces are using Customer Managed Keys (CMKs) for encryption.
- AIServices-001: Use Private Endpoints for OpenAI Service Instances: This rule ensures that network access to OpenAI service instances is allowed via private endpoints only.
- AIServices-005: OpenAI Encryption using Customer-Managed Keys: This rule ensures that Azure OpenAI service instances are using Customer-Managed Keys (CMKs) for encryption.
conformity_whats_new 283
GCP account permission list updated
New permission "logging.logEntries.list" is added. For the full list of required GCP permissions, see here.
conformity_whats_new 284
New Rule
Azure
- AIServices-002: Disable Public Network Access to OpenAI Service Instances: This rule ensures that public network access (i.e. all network access) to Microsoft Azure OpenAI service instances is disabled in order to enhance security by preventing unauthorized access.
conformity_whats_new 285
New Rule
Azure
- MachineLearning-005: Enable Managed Virtual Network Isolation with Internet Outbound Access: This rule ensures that managed virtual network (managed VNet) isolation with Internet outbound is enabled.
conformity_whats_new 286
Standards and Compliance Reports
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for Azure. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Microsoft Azure Foundations Benchmark v2.1.0
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
As of 04 November 2024, the following compliance standard will be deprecated:
- CIS Microsoft Azure Foundations Benchmark v1.5.0
This deprecated compliance standard will no longer be accessible in the filters, preventing the creation of new reports or report-configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the CIS Microsoft Azure Foundations Benchmark by 04 November 2024.
conformity_whats_new 287
New Rule
Azure
- MachineLearning-002: Enable Diagnostic Logs for Machine Learning Workspaces: This rule ensures that Diagnostic Logs are enabled for your Azure Machine Learning workspaces.
conformity_whats_new 288
New Rules
AWS
- Bedrock-001: Use Customer-Managed Keys to Encrypt Agent Sessions: This rule ensures that your Amazon Bedrock agent session data are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.
- Bedrock-004: Use Customer-Managed Keys to Encrypt Custom Models: This rule ensures that your Amazon Bedrock custom models are encrypted with Amazon KMS Customer-Managed Keys (CMKs) instead of AWS-managed keys.
- Bedrock-005: Use Customer-Managed Keys to Encrypt Knowledge Base Transient Data: This rule ensures that your Amazon Bedrock knowledge base transient data are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys.
- Bedrock-006: Use Customer-Managed Keys to Encrypt Amazon Bedrock Studio Workspaces: This rule ensures that Bedrock Studio workspaces are encrypted with Amazon KMS Customer Managed Keys (CMKs).
conformity_whats_new 289
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.56 and the permissions added are:
- ec2:DescribeVpcEndpointConnections
- ec2:DescribeVpcEndpointServices
Click here to access the new custom policy.
conformity_whats_new 290
New Rules
Azure
- AIServices-003: Enable Diagnostic Logs for OpenAI Service Instances: This rule ensures that Diagnostic Logs are enabled for your Azure OpenAI service instances.
conformity_whats_new 291
Rule Update
AWS
- VPC-006: VPC Endpoint Cross Account Access: Updated the rule to generate checks correctly.
conformity_whats_new 292
New Rules
Azure
- AIServices-004: Use Managed Identities for OpenAI Service Instances: This rule ensures that Azure OpenAI service instances are using managed identities.
conformity_whats_new 293
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.58 and the permissions added are:
- bedrock:ListKnowledgeBases
- bedrock:GetKnowledgeBases
Click here to access the new custom policy.
conformity_whats_new 294
Rule Update
AWS
- EBS-008: Idle EBS Volume: Updated the rule to make Idle days for EBS volumes configurable via a new parameter in the rule settings, allowing customization based on specific requirements.
conformity_whats_new 295
Upcoming Rule Update
AWS
- ES-007: OpenSearch Version: Updated the version specified in the checking rule from OpenSearch_2.11 to OpenSearch_2.13.
conformity_whats_new 296
Updated GCP account permission list
We've added the following new GCP account permission:
notebooks.instances.getIamPolicy
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 297
New Rule
GCP
- VertexAI-001: Vertex AI Dataset Encryption with Customer-Managed Encryption Keys (not scored): Ensure that your Google Cloud Vertex AI datasets are encrypted using Customer-Managed Encryption Keys (CMEKs) in order to have full control over data encryption and decryption process. You can create and manage your own Customer-Managed Encryption Keys with Cloud Key Management Service (Cloud KMS).
conformity_whats_new 298
Updated GCP account permission list
We've added the following new GCP account permission:
notebooks.instances.list
For a full list of GCP permissions, see Add a GCP Account.
New Rule
GCP
- VertexAI-002: Disable Root Access for Workbench Instances: This rule ensures that root access is disabled for Vertex AI Workbench Instances.
conformity_whats_new 299
Rule Update
Azure
- Sql-008: Configure Emails for Vulnerability Assessment Scan Reports and Alerts: Updated this rule to a not scored rule. Azure supports vulnerability assessment with express and classic configurations. Express configuration is now the default procedure and there is no need to configure notification settings with email addresses. There is no way to check via the API whether the vulnerability assessment configuration is express or classic.
conformity_whats_new 300
New Rule
GCP
- VertexAI-003: Enable Secure Boot for Workbench Instances: This rule ensures that Secure Boot is enabled for your Vertex AI workbench instances.
conformity_whats_new 301
New Rule
AWS
- Bedrock-007: Configure Sensitive Information Filters for Amazon Bedrock Guardrails: Ensure that Amazon Bedrock guardrails are configured to block or mask sensitive information such as Personally Identifiable Information (PII).
conformity_whats_new 302
New Rule
GCP
- VertexAI-007: Enable Integrity Monitoring for Workbench Instances: This rule ensures that integrity monitoring is enabled for Vertex AI Workbench Instances.
conformity_whats_new 303
Reminder: Upgrade existing configuration for Google Cloud Platform (GCP) RTM
The Cloud Functions runtime version used for old Conformity RTM is Node.js 16 and will be decommissioned by Google Cloud on 30 January 2025. This change will affect Conformity GCP Real Time Monitoring (RTM) configurations but does not immediately affect the existing Conformity customers.
We have released the GCP Real-Time Monitoring installation template to use the latest 1st generation Runtime version on 2024-06-18.
Please follow the Real-time Monitoring Settings > RTM for GCP to install RTM for GCP again to upgrade the existing configuration before 30 January 2025.
conformity_whats_new 304
New Rule
GCP
- VertexAI-004: Enable Virtual Trusted Platform Module (vTPM) for Workbench Instances: This rule ensures that vTPM is enabled for your Vertex AI workbench instances.
conformity_whats_new 305
New Rule
GCP
- VertexAI-006: Workbench Instance Encryption with Customer-Managed Encryption Keys: This rule ensures that your Google Cloud Vertex AI workbench instances are encrypted using Customer-Managed Encryption Keys (CMEKs).
conformity_whats_new 306
New Rule
Azure
- APIManagement-010: Use System-Assigned Managed Identities for Azure API Management Services: Ensure that your Azure API Management service instances use system-assigned managed identities in order to allow secure access to other Microsoft Azure protected resources such as Azure Key Vaults. System-assigned managed identities minimize risk, simplify management, and maintain compliance with evolving cloud services.
- APIManagement-011: Use User-Assigned Managed Identities for Azure API Management Services: Ensure that your Azure API Management service instances use user-assigned managed identities for fine-grained control over access permissions.
conformity_whats_new 307
New Rule
GCP
- VertexAI-008: Enable Idle Shutdown for Workbench Instances: This rule ensures that idle shutdown is enabled for your Vertex AI workbench instances.
conformity_whats_new 308
New Rule
GCP
- VertexAI-009: Enable Cloud Monitoring for Workbench Instances: Ensure that the Cloud Monitoring feature is enabled for your Vertex AI workbench instances.
conformity_whats_new 309
Standards and Compliance Reports
We have updated the rule mapping by adding the rules VirtualMachines-038: Server Side Encryption for Non-Boot Disk using CMK and VirtualMachines-039: Server Side Encryption for Boot Disk using CMK to control 7.2/7.3 of the following standards:
- CIS Microsoft Azure Foundations Benchmark v1.5.0
- CIS Microsoft Azure Foundations Benchmark v2.0.0
- CIS Microsoft Azure Foundations Benchmark v2.1.0
conformity_whats_new 310
New Rule
GCP
- VertexAI-005: Enable Automatic Upgrades for Workbench Instances: This rule ensures that the automatic upgrades are enabled for Vertex AI Workbench Instances.
conformity_whats_new 311
New Rule
GCP
- VertexAI-010: Default VPC Network In Use: This rule ensures that your Workbench Instances are not created in the default Virtual Private Cloud (VPC) network.
conformity_whats_new 312
New Rule
GCP
- VertexAI-011: Prevent Assigning External IPs to Notebook Instances: This rule ensures that external IP addresses are not assigned to your Google Cloud Vertex AI workbench instances.
conformity_whats_new 313
Rule Update
Azure
- AIServices-001: Use Private Endpoints for OpenAI Service Instances: Update the rule to generate checks correctly.
conformity_whats_new 314
Rule Update
Azure
- Sql-009: Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners:
- Sql-017: Enable Vulnerability Assessment for Microsoft SQL Servers:
- Sql-018: Enable Vulnerability Assessment Periodic Recurring Scans: Updated this rule to a not-scored rule. Azure supports vulnerability assessment with express and classic configurations. Express configuration is now the default procedure and there is no need to configure notification settings with email addresses. There is no way to check via API whether the vulnerability assessment configuration is express or classic.
conformity_whats_new 315
We've upgraded the ServiceNow connector from the Vancouver version to the latest Xanadu version; you can access it through the ServiceNow Store under Integrations.
conformity_whats_new 316
New Rule
AWS
- SageMaker-006: Notebook in VPC Only mode can access required resources: This rule ensures that Amazon SageMaker notebook instances running within a Virtual Private Cloud (VPC) can access required resources.
conformity_whats_new 317
AWS Custom Policy Update
The Conformity AWS custom policy will be updated soon. The new custom policy version will be 1.59 and the permissions added are:
- bedrock:ListFoundationModels
Click here to access the new custom policy.
conformity_whats_new 318
Upcoming Rule Update
The following rule update will be released soon. These changes may affect your checks and compliance scores:
AWS
- Lambda-012: Lambda Using Supported Runtime Environment: Removed 'Python 3.8' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 319
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.59 and the permissions added are:
- bedrock:ListFoundationModels
Click here to access the new custom policy.
conformity_whats_new 320
Rule Update
AWS
- Lambda-012: Lambda Using Supported Runtime Environment: Removed 'Python 3.8' from the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 321
Standards and Compliance Reports
As of 21 October 2024, PDF reports generated with individual checks will display a maximum of 5 cloud provider tags per check. To view the complete list of associated tags, please refer to the CSV report.
conformity_whats_new 322
AWS Custom Policy Update
The Conformity AWS custom policy will be updated soon. The new custom policy version will be 1.60 and the permissions added are:
- sagemaker:ListModels
- sagemaker:DescribeModel
Click here to access the new custom policy.
conformity_whats_new 323
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.61 and the permissions added are:
- sagemaker:ListEndpoints
- sagemaker:DescribeEndpoint
- sagemaker:ListImages
- bedrock:ListAgentActionGroups
- bedrock:GetAgentActionGroup
Click here to access the new custom policy.
conformity_whats_new 324
Standards and Compliance Reports
Following up on the previous notification (14 October 2024): effective 22 October 2024, PDF reports generated with individual checks display a maximum of 5 cloud provider tags per check. To view the complete list of associated tags, please refer to the CSV report.
conformity_whats_new 325
New Rules
Azure
- APIManagement-008: Disable Public Network Access to API Management Services with Private Endpoints: This rule ensures that Azure API Management services configured with a private endpoint are not publicly accessible.
conformity_whats_new 326
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.62 and the permissions added are:
- bedrock:ListAgentKnowledgeBases
- bedrock:GetAgentKnowledgeBase
Click here to access the new custom policy.
conformity_whats_new 327
Updated Compliance Standards: CIS Foundations Benchmarks
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for AWS. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Amazon Web Services Foundations Benchmark v3.0.0
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
conformity_whats_new 328
Rule Update
AWS
- Lambda-012: Lambda Using Supported Runtime Environment: Added 'Python 3.14' and 'Nodejs.22' to the list of supported runtime versions. See AWS documentation - Lambda runtimes for further details.
conformity_whats_new 329
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.63 and the permissions added are:
- bedrock:ListImportedModels
- bedrock:GetImportedModel
Click here to access the new custom policy.
conformity_whats_new 330
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.64 and the permissions added are:
- aoss:ListCollections
- aoss:ListTagsForResource
Click here to access the new custom policy.
conformity_whats_new 331
Rule Update
AWS
- EC-013: ElastiCache Engine Using Stable Version: Added Valkey and updated Redis/Memcached to the latest versions. See AWS documentation - ElastiCache Engine for further details.
conformity_whats_new 332
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.65 and the permissions added are:
- sagemaker:ListClusters
- sagemaker:DescribeCluster
- sagemaker:ListClusterNodes
- sagemaker:DescribeClusterNode
Click here to access the new custom policy.
conformity_whats_new 333
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.66 and the permission added is:
- config:ListTagsForResource
Click here to access the new custom policy.
conformity_whats_new 334
Standards and Compliance Reports
Following up on the previous notification (12 August 2024): as of 07 November 2024, the following compliance standard has been deprecated:
- CIS Microsoft Azure Foundations Benchmark v1.5.0
This compliance standard is no longer accessible in the filters, preventing the creation of new reports or report configurations with this outdated standard. If any existing report configurations include the deprecated compliance standard, it will not be possible to generate new PDF/CSV reports from them. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest version of the CIS Microsoft Azure Foundations Benchmark.
conformity_whats_new 335
Rule Update
AWS
- EC-013: ElastiCache Engine Using Stable Version: Added Valkey support and updated Redis/Memcached to the latest versions. See AWS documentation - ElastiCache Engine for further details.
conformity_whats_new 336
Standards and Compliance Reports
We have updated the rule mapping, and the rule SecurityHub-002: Security Hub Enabled is now displayed under Control 4.16 of the following standard:
- CIS Amazon Web Services Foundations Benchmark v3.0.0
conformity_whats_new 337
Template Scanner Updates
Template Scanner now supports the following Terraform: the s3_bucket.object_lock_enabled flag and the aws_iam_role_policies_exclusive resource.
conformity_whats_new 338
GCP account permission list updated
New permissions
artifactregistry.dockerimages.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 339
Template Scanner Updates
Fixed an issue where the Endpoint address was being inferred incorrectly and set as resource name for RDS DB Clusters and Instances.
conformity_whats_new 340
Bug Fix
GCP
- CloudVPC-006: The rule logic that validates whether DNS Logging is enabled correctly will be updated soon.
conformity_whats_new 341
Rule Update
AWS
- Lambda-001: Lambda Runtime Environment Version: Removed 'nodejs20.x', 'python 3.12' and added 'nodejs22.x', 'python 3.13' to the default recommended list of latest runtime versions.
conformity_whats_new 342
Upcoming Rule Update
AWS
- RDS-004: RDS Encryption Enabled: Updated the rule to generate checks correctly. You may receive a new notification for existing instances with failed checks.
conformity_whats_new 343
Bug Fix
Template Scanner Updates
CloudFormation Template Scanner has been updated to exclude rules ELBv2-004 and ELBv2-008. These rules cannot run as they require knowledge of the TargetGroup TargetHealth, which is unknown before the template is deployed.
conformity_whats_new 344
Reminder: Upgrade existing configuration for Google Cloud Platform (GCP) RTM
The Cloud Functions runtime version used for old Conformity RTM is Node.js 16 and will be decommissioned by Google Cloud on 30 January 2025. This change will affect Conformity GCP Real Time Monitoring (RTM) configurations but does not immediately affect the existing Conformity customers.
On 2024-06-18 we released a GCP Real-Time Monitoring installation template that uses the latest 1st generation runtime version.
Please follow Real-time Monitoring Settings > RTM for GCP to reinstall RTM for GCP and upgrade the existing configuration before 30 January 2025.
conformity_whats_new 345
Bug Fix
GCP
- CloudVPC-006: Updated the rule logic to validate the configuration of DNS Logging is enabled correctly.
conformity_whats_new 346
Standards and Compliance Reports
Updated the following Compliance Standards and Reports:
- HITRUST CSF v11.3.0
conformity_whats_new 347
Standards and Compliance Reports
You can now filter Checks and download Compliance Reports to ensure your AWS, Azure and GCP cloud environments comply with the following standards:
- AusGov ISM Sep 2024
conformity_whats_new 348
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.67 and the permission added is:
- sagemaker:DescribeImageVersion
Click here to access the new custom policy.
conformity_whats_new 349
New Rule
AWS
- GD-004: Ensure that the S3 Protection feature is enabled for your Amazon GuardDuty detectors: S3 Protection enables GuardDuty to monitor object-level API operations in order to identify potential security risks for data stored within your S3 buckets.
conformity_whats_new 350
New Rule
AWS
- GD-005: Ensure that Malware Protection for EC2 is enabled for your Amazon GuardDuty detectors: Malware Protection for EC2 helps detect potential malware in Amazon EC2 instances.
conformity_whats_new 351
New Rule
GCP
- CloudFunction-001: GCP Function Runtime Version: This rule ensures that GCP functions are using the latest language runtime version available.
conformity_whats_new 352
Bug Fixes
Template Scanner
- Fixed an issue where the Vision One Template Scanner API would incorrectly return an error when an argument for a parameter was passed as a number.
- Fixed an issue where the Vision One Template Scanner API would incorrectly return an error when pseudoArguments for awsNotificationArns was passed as an array of strings.
conformity_whats_new 353
Rules Update
AWS
- EC2-011: vCPU-Based EC2 Instance Limit: Updated the rule title from 'Account Instance Limit' to 'vCPU-Based EC2 Instance Limit'.
- S3-019: S3 Buckets with Website Hosting Configuration Enabled: Updated the rule title from 'S3 Buckets with Website Configuration Enabled' to 'S3 Buckets with Website Hosting Configuration Enabled'.
- S3-028: Enable S3 Bucket Keys: Updated the rule title from 'Enable Amazon S3 Bucket Keys' to 'Enable S3 Bucket Keys'.
- RDS-036: Amazon RDS Configuration Changes: Updated the rule title from 'RDS Configuration Changes' to 'Amazon RDS Configuration Changes'.
- RDS-041: Enable Instance Storage AutoScaling: Updated the rule title from 'Enable Amazon RDS Storage AutoScaling' to 'Enable Instance Storage AutoScaling'.
- IAM-013: Enable MFA for IAM Users with Console Password: Updated the rule title from 'MFA For IAM Users With Console Password' to 'Enable MFA for IAM Users with Console Password'.
- IAM-023: Check for Individual IAM Users: Updated the rule title from 'IAM User Present' to 'Check for Individual IAM Users'.
- IAM-036: IAM Users with Administrative Privileges: Updated the rule title from 'AWS IAM Users with Admin Privileges' to 'IAM Users with Administrative Privileges'.
- IAM-046: IAM Support Role: Updated the rule title from 'Support Role' to 'IAM Support Role'.
- IAM-056: IAM CreateLoginProfile detected: Updated the rule title from 'CreateLoginProfile Detected' to 'IAM CreateLoginProfile detected'.
- IAM-066: IAM Groups with Administrative Privileges: Updated the rule title from 'AWS IAM Groups with Admin Privileges' to 'IAM Groups with Administrative Privileges'.
- KMS-007: Monitor AWS KMS Configuration Changes: Updated the rule title from 'AWS Key Management Service (KMS) Configuration Changes' to 'Monitor AWS KMS Configuration Changes'.
- CFM-004: CloudFormation Stack Failed Status: Updated the rule title from 'Stack Failed Status' to 'CloudFormation Stack Failed Status'.
- ES-008: Total Number of OpenSearch Cluster Nodes: Updated the rule title from 'OpenSearch Instance Counts' to 'Total Number of OpenSearch Cluster Nodes'.
- ES-009: OpenSearch Desired Instance Type(s): Updated the rule title from 'OpenSearch Desired Instance Type' to 'OpenSearch Desired Instance Type(s)'.
- ES-013: OpenSearch Domains Encrypted with KMS CMKs: Updated the rule title from 'OpenSearch Domain Encrypted with KMS CMKs' to 'OpenSearch Domains Encrypted with KMS CMKs'.
- SageMaker-002: Notebook Data Encrypted With KMS Customer Managed Keys: Updated the rule title from 'Notebook Data Encrypted With KMS Customer Master Keys' to 'Notebook Data Encrypted With KMS Customer Managed Keys'.
- SageMaker-004: Disable Direct Internet Access for Notebook Instances: Updated the rule title from 'Notebook Direct Internet Access' to 'Disable Direct Internet Access for Notebook Instances'.
- SageMaker-007: Disable Root Access for SageMaker Notebook Instances: Updated the rule title from 'SageMaker Notebook Root Access' to 'Disable Root Access for SageMaker Notebook Instances'.
- Neptune-005: IAM Database Authentication for Neptune: Updated the rule title from 'IAM Database Authentication' to 'IAM Database Authentication for Neptune'.
- ECR-003: Enable Automated Scanning for Amazon ECR Container Images: Updated the rule title from 'Enable Scan on Push for ECR Container Images' to 'Enable Automated Scanning for Amazon ECR Container Images'.
- Backup-001: Use AWS Backup Service in Use for Amazon RDS: Updated the rule title from 'Snapshot Backup Service' to 'Use AWS Backup Service in Use for Amazon RDS'.
- StorageGateway-001: Use KMS Customer Master Keys for AWS Storage Gateway File Shares: Updated the rule title from 'File Shares Encrypted With CMK' to 'Use KMS Customer Master Keys for AWS Storage Gateway File Shares'.
- ECS-001: Monitor Amazon ECS Configuration Changes: Updated the rule title from 'ECS Configuration Changes' to 'Monitor Amazon ECS Configuration Changes'.
- ECS-002: Amazon ECS Task Log Driver in Use: Updated the rule title from 'ECS Task Log Driver In Use' to 'Amazon ECS Task Log Driver in Use'.
- WellArchitected-001: AWS Well-Architected Tool in Use: Updated the rule title from 'AWS Well-Architected Tool Is In Use' to 'AWS Well-Architected Tool in Use'.
- Bedrock-007: Configure Sensitive Information Filters for Amazon Bedrock Guardrails: Updated the rule title from 'Guardrail set to mask or block PII' to 'Configure Sensitive Information Filters for Amazon Bedrock Guardrails'.
Azure
- StorageAccounts-001: Enable Secure Transfer in Azure Storage: Updated the rule title from 'Secure Transfer for Azure storage account' to 'Enable Secure Transfer in Azure Storage'.
- StorageAccounts-003: Enable Logging for Azure Storage Queue Service: Updated the rule title from 'Storage Logging For Queue Service' to 'Enable Logging for Azure Storage Queue Service'.
- StorageAccounts-005: Allow Shared Access Signature Tokens Over HTTPS Only: Updated the rule title from 'Shared Access Signature Tokens Are Allowed Only Over Https' to 'Allow Shared Access Signature Tokens Over HTTPS Only'.
- SecurityCenter-002: Enable Automatic Provisioning of the Monitoring Agent: Updated the rule title from 'Automatic Provisioning Of The Monitoring Agent' to 'Enable Automatic Provisioning of the Monitoring Agent'.
- MySQL-001: Enable In-Transit Encryption for MySQL Servers: Updated the rule title from 'SSL Connection' to 'Enable In-Transit Encryption for MySQL Servers'.
- PostgreSQL-001: Enable 'LOG_CHECKPOINTS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Checkpoints' to 'Enable 'LOG_CHECKPOINTS' Parameter for PostgreSQL Servers'.
- PostgreSQL-002: Enable In-Transit Encryption for PostgreSQL Database Servers: Updated the rule title from 'SSL Connection' to 'Enable In-Transit Encryption for PostgreSQL Database Servers'.
- PostgreSQL-003: Enable 'LOG_CONNECTIONS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Connections' to 'Enable 'LOG_CONNECTIONS' Parameter for PostgreSQL Servers'.
- PostgreSQL-004: Enable 'LOG_DISCONNECTIONS' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Disconnections' to 'Enable 'LOG_DISCONNECTIONS' Parameter for PostgreSQL Servers'.
- PostgreSQL-005: Enable 'LOG_DURATION' Parameter for PostgreSQL Servers: Updated the rule title from 'Log Duration' to 'Enable 'LOG_DURATION' Parameter for PostgreSQL Servers'.
- PostgreSQL-006: Enable 'CONNECTION_THROTTLING' Parameter for PostgreSQL Servers: Updated the rule title from 'Connection Throttling' to 'Enable 'CONNECTION_THROTTLING' Parameter for PostgreSQL Servers'.
- PostgreSQL-007: Check for PostgreSQL Log Retention Period: Updated the rule title from 'Log Retention Days' to 'Check for PostgreSQL Log Retention Period'.
- PostgreSQL-008: Use Microsoft Entra Admin for PostgreSQL Authentication: Updated the rule title from 'Microsoft Entra Admin' to 'Use Microsoft Entra Admin for PostgreSQL Authentication'.
- Sql-001: Enable Auditing for SQL Servers: Updated the rule title from 'Auditing' to 'Enable Auditing for SQL Servers'.
- Sql-002: Configure 'AuditActionGroup' for SQL Server Auditing: Updated the rule title from 'Audit Action Groups' to 'Configure 'AuditActionGroup' for SQL Server Auditing'.
- Sql-003: SQL Auditing Retention: Updated the rule title from 'Auditing Retention' to 'SQL Auditing Retention'.
- Sql-004: Use Microsoft Entra Admin for SQL Authentication: Updated the rule title from 'Microsoft Entra Admin' to 'Use Microsoft Entra Admin for SQL Authentication'.
- Sql-007: Enable All Types of Threat Detection on SQL Servers: Updated the rule title from 'Enable All Threat Detection Types' to 'Enable All Types of Threat Detection on SQL Servers'.
- Sql-009: Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners: Updated the rule title from 'Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners' to 'Enable Classic Vulnerability Assessment Email Notifications for Admins and Subscription Owners'.
- AppService-006: Enable HTTPS-Only Traffic: Updated the rule title from 'Check that the Azure App is only using HTTPS' to 'Enable HTTPS-Only Traffic'.
- AppService-007: Check for TLS Protocol Latest Version: Updated the rule title from 'Check that the Azure App is using the latest TLS version' to 'Check for TLS Protocol Latest Version'.
- Network-008: Check for Unrestricted MS SQL Server Access: Updated the rule title from 'Check for Unrestricted MS SQL Database Access' to 'Check for Unrestricted MS SQL Server Access'.
- KeyVault-003: Set Azure Secret Key Expiration: Updated the rule title from 'Set Secret Key Expiration' to 'Set Azure Secret Key Expiration'.
- APIManagement-009: Unrestricted API Access: Updated the rule title from 'Restrict Caller IPs' to 'Unrestricted API Access'.
GCP
- CloudKMS-003: Detect Google Cloud KMS Configuration Changes: Updated the rule title from 'Detect GCP Cloud KMS Configuration Changes' to 'Detect Google Cloud KMS Configuration Changes'.
- CloudSQL-027: Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances: Updated the rule title from 'Enable 'cloudsql.enable_pgaudit' Flag for PostgreSQL Database Instances' to 'Enable 'cloudsql.enable_pgaudit' and 'pgaudit.log' Flags for PostgreSQL Database Instances'.
- CloudPubSub-001: Detect Google Cloud Pub/Sub Configuration Changes: Updated the rule title from 'Detect GCP Pub/Sub Configuration Changes' to 'Detect Google Cloud Pub/Sub Configuration Changes'.
conformity_whats_new 354
New Rule
AWS
- Lambda-014: Lambda Functions Should not Share Roles that Contain Admin Privileges: This rule ensures that your Amazon Lambda functions do not share execution roles that contain admin privileges in order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks.
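The check that Lambda-014 describes, as an added example rather than Conformity's own rule implementation: given a function inventory and the policies of each execution role, report roles that (a) carry admin privileges and (b) are used by more than one function. The inventory below is constructed sample data in the shape that lambda:ListFunctions, iam:ListAttachedRolePolicies and iam:GetRolePolicy return; the account id 123456789012 and the role and function names are placeholders.

```python
"""Find Lambda functions that share an execution role carrying admin privileges.

Added example for this page; it is not Conformity's implementation of
Lambda-014. The inventory below is constructed sample data; the account id
123456789012 and all role/function names are placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ACCOUNT = "123456789012"  # placeholder account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/"

# Constructed: each function and its execution role, as lambda:ListFunctions reports it.
FUNCTIONS = [
    {"FunctionName": "orders-api", "Role": ROLE + "shared-admin-role"},
    {"FunctionName": "billing-cron", "Role": ROLE + "shared-admin-role"},
    {"FunctionName": "thumbnailer", "Role": ROLE + "thumbnailer-role"},
    {"FunctionName": "audit-export", "Role": ROLE + "audit-export-role"},
    {"FunctionName": "report-mailer", "Role": ROLE + "shared-readonly-role"},
    {"FunctionName": "report-archiver", "Role": ROLE + "shared-readonly-role"},
]

# Constructed: inline policy documents per role (iam:GetRolePolicy output).
INLINE_POLICIES: Dict[str, List[dict]] = {
    ROLE + "shared-admin-role": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    ],
    ROLE + "thumbnailer-role": [
        {"Statement": [{"Effect": "Allow",
                        "Action": ["s3:GetObject", "s3:PutObject"],
                        "Resource": "arn:aws:s3:::example-thumbs/*"}]}
    ],
    ROLE + "shared-readonly-role": [
        {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}
    ],
}

# Constructed: AWS managed policies attached per role (iam:ListAttachedRolePolicies).
# audit-export-role is admin but used by one function only, so it breaks least
# privilege in general but not the "shared" condition this particular check tests.
ATTACHED_POLICIES: Dict[str, List[str]] = {
    ROLE + "audit-export-role": ["arn:aws:iam::aws:policy/AdministratorAccess"],
}

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value) -> list:
    """IAM allows Statement, Action and Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]


def is_admin_document(doc: dict) -> bool:
    """True when any Allow statement grants Action "*" on Resource "*".

    Deny statements and Conditions are ignored, so this errs towards reporting:
    a role with a global Allow plus a narrow Deny still counts as admin.
    """
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def role_is_admin(role_arn: str, inline: Dict[str, List[dict]],
                  attached: Dict[str, List[str]]) -> bool:
    """Admin via the AdministratorAccess managed policy or an inline wildcard grant."""
    if ADMIN_MANAGED_POLICY in attached.get(role_arn, []):
        return True
    return any(is_admin_document(doc) for doc in inline.get(role_arn, []))


def find_shared_admin_roles(functions: List[dict], inline: Dict[str, List[dict]],
                            attached: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Return (role_arn, [function names]) for admin roles used by two or more functions."""
    users: Dict[str, List[str]] = defaultdict(list)
    for fn in functions:
        users[fn["Role"]].append(fn["FunctionName"])
    findings = []
    for role_arn, names in sorted(users.items()):
        if len(names) >= 2 and role_is_admin(role_arn, inline, attached):
            findings.append((role_arn, sorted(names)))
    return findings


if __name__ == "__main__":
    for role_arn, names in find_shared_admin_roles(FUNCTIONS, INLINE_POLICIES, ATTACHED_POLICIES):
        print(f"FAIL {role_arn} shared by: {', '.join(names)}")
```

Only shared-admin-role is reported: shared-readonly-role is shared but not admin, and audit-export-role is admin but not shared. Remediation is per function, not per role: give each function its own role scoped to the resources it touches, which also makes a future compromise of one function non-transferable to the others.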
conformity_whats_new 355
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.68 and the permissions added are:
- elasticache:DescribeServerlessCaches
Click here to access the new custom policy.
conformity_whats_new 356
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.69 and the permission added is:
- elasticmapreduce:GetBlockPublicAccessConfiguration
Click here to access the new custom policy.
New Rule
AWS
- EMR-007: Enable the Block Public Access feature for Amazon EMR clusters in the specified AWS region: Ensure that the Block Public Access security feature is enabled for your Amazon EMR clusters in order to prevent EMR cluster launch if any of the cluster's security groups have a rule that allows inbound traffic from all public IPv4/IPv6 addresses.
conformity_whats_new 357
New Rule
AWS
- CF-013: Enable Origin Access Control For Distributions with S3 Origin: This rule ensures that the Origin Access Control (OAC) feature is enabled for all your Amazon CloudFront distributions that utilize an S3 bucket as an origin in order to restrict any direct access to your objects through Amazon S3 URLs.
conformity_whats_new 358
New Rule
GCP
- GKE-006: Enable Auto-Upgrade for GKE Cluster Nodes: This rule ensures that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes.
conformity_whats_new 359
AWS Custom Policy Update
The Conformity AWS custom policy has been updated. The new custom policy version is 1.70 and the permissions added are:
- inspector2:ListFindings
Click here to access the new custom policy.
New Rule
AWS
- Inspector2-002: Amazon Inspector 2 Findings: Amazon Inspector is an AWS service that helps improve the security and compliance of your AWS resources.
conformity_whats_new 360
New Rule
GCP
- GKE-004: Use Shielded GKE Cluster Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded to provide a strong cryptographic identity.
conformity_whats_new 361
New Rule
GCP
- GKE-005: Enable Secure Boot for Cluster Nodes: Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
conformity_whats_new 362
Cloud One Template Scanner (Preview) Removal Notice
Effective February 4, 2025, the Cloud One Template Scanner (Preview) GitHub application will be discontinued and disabled on GitHub. We encourage all existing users to transition to the generally available Trend Micro Cloud One GitHub application before this date to ensure continuous service.
For more details, please visit our help documentation.
conformity_whats_new 363
Template Scanner Updates
New Resources Support
Template Scanner GitHub App for Terraform templates now supports the following resources:
- APIGateway RestApi
- AutoScaling Group
- CloudFormation Stack
- CloudTrail Trail
- EC2 Network Interface
- EC2 Security Group
- EC2 Volume
- EC2 VPC
- EC2 VPC Endpoint
- ECR Repository
- EFS File System
- ElastiCache
- Elasticsearch Domain
- ELB Classic Load Balancer
- EMR Cluster
- IAM Group
- IAM Managed Policy
- IAM Role
- Kinesis Stream
- KMS Key
- Lambda Function
- RDS DB Cluster
- RDS DB Instance
- Redshift Cluster
- VPC NAT gateways
- VPC Network ACL
- Workspaces
conformity_whats_new 364
New Rule
GCP
- GKE-009: Automate Cluster Version Upgrades using Release Channels: This rule ensures that the version management is automated for your Google Kubernetes Engine (GKE) clusters using Release Channels.
conformity_whats_new 365
New Rule
GCP
- GKE-008: Enable Integrity Monitoring for Cluster Nodes: This rule ensures that the Integrity Monitoring feature is enabled for all your Google Kubernetes Engine (GKE) cluster nodes.
conformity_whats_new 366
New Rule
GCP
- GKE-007: Enable Auto-Repair for GKE Cluster Nodes: This rule ensures that the Auto-Repair feature is enabled for all your GKE cluster nodes.
conformity_whats_new 367
New Rule
GCP
- GKE-013: Restrict Network Access: Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorised networks.
conformity_whats_new 368
Template Scanner Updates
Template Scanner API now supports Terraform HCL (.tf) templates.
Previously, Terraform HCL (.tf) templates had to be transformed into HCL plan (.json) files before scanning.
With the latest API, Terraform HCL (.tf) templates can be scanned directly by scanning a .zip file of HCL templates.
You can now use the template-scanner/archive-scan endpoint to POST a ZIP file containing your Terraform templates to be scanned. For more information, please visit the Template Scanner API documentation.
conformity_whats_new 369
New Rule
GCP
- GKE-012: Check for Alpha Clusters in Production: This rule ensures that the Alpha GKE clusters are not used for production workloads.
conformity_whats_new 370
Cloud One Template Scanner (Preview) Removal Notice
The Cloud One Template Scanner (Preview) GitHub application has been discontinued and disabled on GitHub. We encourage former users of the preview app to use the Trend Micro Cloud One GitHub application going forward.
For more details, please visit our help documentation.
conformity_whats_new 371
New Rule
GCP
- GKE-014: Enable Binary Authorization: This rule ensures that the Binary Authorization feature is enabled for GKE clusters.
conformity_whats_new 372
Custom Check Public API Update
To avoid a rule title mismatch for custom checks, the ruleTitle used in a custom check must now match the existing rule title for the specified ruleId. Additionally, ruleTitle is now an immutable field and cannot be modified once a custom check is created. For more information, see the Update Check endpoint.
conformity_whats_new 373
New Rule
GCP
- GKE-016: Enable and Configure Cluster Logging: This rule ensures that logging is enabled for your Google Kubernetes Engine (GKE) clusters to collect logs emitted by your Kubernetes applications and the GKE infrastructure that runs your applications.
conformity_whats_new 374
New Rule
GCP
- GKE-018: Enable Intranode Visibility: This rule ensures that intranode visibility is enabled for your GKE clusters.
conformity_whats_new 375
Template Scanner Updates
Template Scanner now supports Terraform HCL (.tf) templates.
Previously, Terraform HCL (.tf) templates had to be converted into Terraform plan (.json) files before scanning.
With the latest feature, Terraform HCL (.tf) templates can be scanned directly by uploading a ZIP file of HCL templates.
Use the "Template Scanner" menu and click on the Terraform tab to upload a ZIP file containing HCL templates. For more information, please visit the Template Scanner documentation.
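Both the API route (entry 368, the template-scanner/archive-scan endpoint) and the UI route above accept a ZIP of HCL templates, so the part worth getting right is what goes into the archive. The script below is an added example, not Conformity's tooling: it packages only .tf files, skipping .terraform and .git caches (and, as a consequence, .tfvars and .tfstate files, which routinely contain secrets and live resource identifiers), and then submits the archive. Everything about the HTTP request beyond the endpoint path named on the page is an assumption: BASE_URL_PLACEHOLDER, the "Authorization: ApiKey ..." header and the multipart field name "file". The sample repository is constructed.

```python
"""Package Terraform HCL templates into a ZIP for Template Scanner and submit it.

Added example for this page, not Conformity's own tooling. The archive layout
(only .tf files, caches left out) is this example's choice. Beyond the
template-scanner/archive-scan path, the request details are assumptions:
BASE_URL_PLACEHOLDER, the "Authorization: ApiKey ..." header and the
multipart field name "file".
"""
import io
import os
import urllib.request
import uuid
import zipfile
from typing import Dict, List

BASE_URL_PLACEHOLDER = "https://conformity.example.invalid/v1"  # placeholder, not a real endpoint
EXCLUDED_DIRS = (".terraform", ".git")  # caches may contain vendored .tf copies

# Constructed sample repository: {path inside the archive: file content}.
SAMPLE_TEMPLATES: Dict[str, str] = {
    "main.tf": 'resource "aws_s3_bucket" "logs" {\n'
               '  bucket              = "example-logs"\n'
               '  object_lock_enabled = true\n}\n',
    "iam.tf": 'resource "aws_iam_role_policies_exclusive" "app" {\n'
              '  role_name    = "app-role"\n'
              '  policy_names = ["app-policy"]\n}\n',
    "modules/vpc/network.tf": 'resource "aws_vpc" "main" {\n  cidr_block = "10.0.0.0/16"\n}\n',
    "prod.tfvars": 'db_password = "never-upload-this"\n',
    "terraform.tfstate": "{}\n",
    ".terraform/modules/vendored/main.tf": "# provider cache copy\n",
    "README.md": "docs\n",
}


def is_scannable(path: str) -> bool:
    """Only .tf templates outside cache directories. .tfvars and .tfstate files
    (which routinely hold secrets and live identifiers) never match."""
    parts = path.replace("\\", "/").split("/")
    if any(p in EXCLUDED_DIRS for p in parts[:-1]):
        return False
    return parts[-1].endswith(".tf")


def collect_templates(root: str) -> Dict[str, str]:
    """Read a directory tree on disk into the same {relative path: content} shape."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # prune caches
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_scannable(rel):
                with open(full, encoding="utf-8") as fh:
                    files[rel] = fh.read()
    return files


def build_archive(files: Dict[str, str]) -> bytes:
    """Return ZIP bytes holding only the scannable templates, in sorted order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(files):
            if is_scannable(path):
                zf.writestr(path, files[path])
    return buf.getvalue()


def archive_members(archive: bytes) -> List[str]:
    """List the archive's members, for a pre-upload review of what leaves the repo."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sorted(zf.namelist())


def scan_archive(archive: bytes, api_key: str, base_url: str = BASE_URL_PLACEHOLDER) -> bytes:
    """POST the ZIP to template-scanner/archive-scan and return the raw response body.
    Header format and form-field name are assumptions (see module docstring)."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="templates.zip"\r\n'
        "Content-Type: application/zip\r\n\r\n"
    ).encode() + archive + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/template-scanner/archive-scan",
        data=body, method="POST",
        headers={"Authorization": f"ApiKey {api_key}",
                 "Content-Type": f"multipart/form-data; boundary={boundary}"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


if __name__ == "__main__":
    archive = build_archive(SAMPLE_TEMPLATES)
    print("archive members:", archive_members(archive))
    # scan_archive(archive, api_key=os.environ["CONFORMITY_API_KEY"])
```

Printing archive_members before uploading is the useful habit here: the same ZIP that the scanner reads is a copy of your infrastructure code leaving the repository, so it should contain the templates and nothing else.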
conformity_whats_new 376
New Rule
GCP
- GKE-011: Enable Workload Vulnerability Scanning: This rule ensures that the Workload Vulnerability Scanning feature is enabled for your Google Kubernetes Engine (GKE) clusters.
conformity_whats_new 377
Organisation-Level Communication Settings Limit
To ensure reliable service, organisations are now limited to a maximum of 10 active organisation-level communication settings.
conformity_whats_new 378
New Rules
GCP
- GKE-015: Disable Legacy Authorization: This rule ensures that legacy authorization (also known as Attribute-Based Access Control or ABAC) is disabled for your Google Kubernetes Engine (GKE) clusters to guarantee compatibility with Role-Based Access Control (RBAC).
- GKE-017: Enable Private Nodes: Ensure that your Google Kubernetes Engine (GKE) clusters are configured to provision all nodes with only internal IP addresses (i.e., private nodes).
conformity_whats_new 379
New Rule
GCP
- GKE-020: Enable GKE Metadata Server: This rule ensures that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to enhance security by restricting workload access to sensitive instance information.
conformity_whats_new 380
Rule Update
AWS
- Lambda-006: Using An IAM Role For More Than One Lambda Function: We've updated the Rule Severity from HIGH to MEDIUM to cover more scenarios and allow better flexibility for IAM Roles.
conformity_whats_new 381
New Rules
GCP
- GKE-019: Enable and Configure Cluster Monitoring: This rule ensures that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters.
- GKE-022: Enable VPC-Native Traffic Routing: This rule ensures that VPC-native traffic routing is enabled for your Google Kubernetes Engine (GKE) clusters.
conformity_whats_new 382
New Rule
GCP
- GKE-023: Use Sandbox with gVisor for GKE Clusters Nodes: GKE Sandbox provides an extra layer of isolation between containers and the underlying host kernel, mitigating the risk of container escape vulnerabilities.
conformity_whats_new 383
New Rules
GCP
- GKE-021: Use GKE Clusters with Private Endpoints Only: This rule ensures that control plane access to your Google Kubernetes Engine (GKE) clusters is restricted to private endpoints only, effectively disabling external access to the Kubernetes API.
- GKE-024: Use Container-Optimized OS for GKE Clusters Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface.
conformity_whats_new 384
Updated GCP account permission list
We've added the following new GCP account permission:
container.clusters.get
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 385
Updated Compliance Standards: CIS Foundations Benchmarks
We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks for AWS. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
- CIS Amazon Web Services Foundations Benchmark v4.0.1
You can view the CIS certifications awarded to Trend Micro Cloud One - Conformity on the CIS partner website and find out more about Compliance and Conformity in our documentation.
conformity_whats_new 386
RTM for GCP
RTM now supports the following rules:
- GKE-004: Use Shielded GKE Cluster Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster pool nodes are shielded to provide a strong cryptographic identity.
- GKE-005: Enable Secure Boot for Cluster Nodes: Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- GKE-006: Enable Auto-Upgrade for GKE Cluster Nodes: This rule ensures that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes.
conformity_whats_new 387
Standards and Compliance Reports
On 19 May 2025, the following compliance standards will be deprecated:
- CIS Amazon Web Services Foundations Benchmark v1.5.0
- CIS Amazon Web Services Foundations Benchmark v2.0
- CIS Google Cloud Platform Foundation Benchmark v1.3.0
These deprecated compliance standards will no longer be accessible in the filters, preventing the creation of new reports or report configurations with these outdated standards. If any existing report configurations include deprecated compliance standards, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the CIS Foundations Benchmarks before 19 May 2025.
conformity_whats_new 388
RTM for GCP
RTM now supports the following rules:
- GKE-001: Enable GKE Cluster Node Encryption with Customer-Managed Keys: This rule ensures that boot disk encryption with Customer-Managed Keys is enabled for GKE cluster nodes.
- GKE-013: Restrict Network Access: Ensure that your Google Kubernetes Engine (GKE) clusters are configured with master authorised networks.
- GKE-014: Enable Binary Authorization: This rule ensures that the Binary Authorization feature is enabled for GKE clusters.
- GKE-015: Disable Legacy Authorization: This rule ensures that legacy authorization (also known as Attribute-Based Access Control or ABAC) is disabled for your Google Kubernetes Engine (GKE) clusters to guarantee compatibility with Role-Based Access Control (RBAC).
- GKE-016: Enable and Configure Cluster Logging: This rule ensures that logging is enabled for your Google Kubernetes Engine (GKE) clusters to collect logs emitted by your Kubernetes applications and the GKE infrastructure that runs your applications.
- GKE-017: Enable Private Nodes: Ensure that your Google Kubernetes Engine (GKE) clusters are configured to provision all nodes with only internal IP addresses (i.e., private nodes).
- GKE-018: Enable Intranode Visibility: This rule ensures that intranode visibility is enabled for your GKE clusters.
- GKE-019: Enable and Configure Cluster Monitoring: This rule ensures that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters.
- GKE-020: Enable GKE Metadata Server: This rule ensures that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes in order to enhance security by restricting workload access to sensitive instance information.
- GKE-021: Use GKE Clusters with Private Endpoints Only: This rule ensures that control plane access to your Google Kubernetes Engine (GKE) clusters is restricted to private endpoints only, effectively disabling external access to the Kubernetes API.
conformity_whats_new 389
Updated GCP account permission list
We've added the following new GCP account permission:
compute.regionSslPolicies.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 390
Standards and Compliance Reports
On 26 May 2025, the following compliance standards will no longer be supported:
- AusGov ISM March 2021
- NIS Europe OES-2019
These deprecated compliance standards will no longer be accessible in the filters, preventing the creation of new reports or report configurations with these outdated standards. If any existing report configurations include a deprecated compliance standard, it will not be possible to generate new PDF/CSV reports. However, the list of previously generated PDF/CSV reports remains available. We recommend updating your report configurations to use the latest versions of the standards by 26 May 2025.
conformity_whats_new 391
RTM for GCP
RTM now supports the following rules:
- GKE-007: Enable Auto-Repair for GKE Cluster Nodes: This rule ensures that the Auto-Repair feature is enabled for all your GKE cluster nodes.
- GKE-008: Enable Integrity Monitoring for Cluster Nodes: This rule ensures that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- GKE-009: Automate Cluster Version Upgrades using Release Channels: This rule ensures that version management for your Google Kubernetes Engine (GKE) clusters is automated using Release Channels.
- GKE-010: Prevent Default Service Account Usage: This rule ensures that GKE clusters are not configured to use the default service account.
- GKE-011: Enable Workload Vulnerability Scanning: This rule ensures that workload vulnerability scanning is enabled for Google Kubernetes Engine (GKE) clusters.
- GKE-012: Check for Alpha Clusters in Production: This rule ensures that Alpha GKE clusters are not used for production workloads.
- GKE-022: Enable VPC-Native Traffic Routing: This rule ensures that VPC-native traffic routing is enabled for Google Kubernetes Engine (GKE) clusters.
- GKE-023: Use Sandbox with gVisor for GKE Clusters Nodes: This rule ensures that your cluster nodes are using GKE Sandbox with gVisor to isolate untrusted workloads and enhance security in multi-tenant Google Kubernetes Engine (GKE) environments.
- GKE-024: Use Container-Optimized OS for GKE Clusters Nodes: This rule ensures that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface.
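Added example, not Conformity's own code: a small evaluator that runs a cluster description in the shape returned by the GKE REST API (the `projects.locations.clusters.get` call behind the `container.clusters.get` permission listed above) against a subset of the GKE rules from the entries above (GKE-006, -010, -011, -014, -015, -017, -020, -021, -022, -023, -024). The API field names are assumed from the GKE Cluster resource and should be verified against the API reference; the sample cluster is constructed.

```python
from typing import Any, Callable, Dict, List
def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

# Cluster-level rules: rule ID -> predicate returning True when the cluster complies.
# Field names follow the GKE REST API Cluster resource as understood here (assumption).
CLUSTER_RULES: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "GKE-011": lambda c: _get(c, "securityPostureConfig.vulnerabilityMode") in ("VULNERABILITY_BASIC", "VULNERABILITY_ENTERPRISE"),
    "GKE-014": lambda c: _get(c, "binaryAuthorization.evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE",
    "GKE-015": lambda c: not _get(c, "legacyAbac.enabled", False),
    "GKE-017": lambda c: bool(_get(c, "privateClusterConfig.enablePrivateNodes")),
    "GKE-021": lambda c: bool(_get(c, "privateClusterConfig.enablePrivateEndpoint")),
    "GKE-022": lambda c: bool(_get(c, "ipAllocationPolicy.useIpAliases")),
}
# Node-pool rules: every pool in the cluster must satisfy the predicate.
POOL_RULES: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "GKE-006": lambda p: bool(_get(p, "management.autoUpgrade")),
    "GKE-010": lambda p: _get(p, "config.serviceAccount", "default") != "default",  # absent = default SA
    "GKE-020": lambda p: _get(p, "config.workloadMetadataConfig.mode") == "GKE_METADATA",
    "GKE-023": lambda p: _get(p, "config.sandboxConfig.type") == "GVISOR",
    "GKE-024": lambda p: _get(p, "config.imageType") == "COS_CONTAINERD",
}

def failed_rules(cluster: Dict[str, Any]) -> List[str]:
    """Return the sorted IDs of the rules above that this cluster description fails."""
    failed = [rid for rid, ok in CLUSTER_RULES.items() if not ok(cluster)]
    pools = cluster.get("nodePools") or []  # no pools: pool rules trivially pass
    failed += [rid for rid, ok in POOL_RULES.items() if not all(ok(p) for p in pools)]
    return sorted(failed)
# Constructed sample (not a real cluster): hardened except for legacy ABAC, a public
# control-plane endpoint, and one pool that falls back to the default service account.
_POOL_CONFIG = {"imageType": "COS_CONTAINERD", "sandboxConfig": {"type": "GVISOR"},
                "workloadMetadataConfig": {"mode": "GKE_METADATA"}}
SAMPLE_CLUSTER: Dict[str, Any] = {
    "legacyAbac": {"enabled": True},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "ipAllocationPolicy": {"useIpAliases": True},
    "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_BASIC"},
    "nodePools": [
        {"name": "pool-a", "management": {"autoUpgrade": True},
         "config": {**_POOL_CONFIG, "serviceAccount": "gke-nodes@example.iam.gserviceaccount.com"}},
        {"name": "pool-b", "management": {"autoUpgrade": True}, "config": dict(_POOL_CONFIG)},
    ],
}
```

`failed_rules(SAMPLE_CLUSTER)` reports GKE-010, GKE-015 and GKE-021; a missing field is treated as non-compliant, which is the safe default for a posture check.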
conformity_whats_new 392
New Rules
Azure
- PostgreSQL-016: Enable Connection Throttling for PostgreSQL Flexible Servers: This rule ensures that connection throttling is enabled for your Azure Database for PostgreSQL flexible servers.
- VirtualMachines-043: Disable Public Network Access to Virtual Machine Disks: This rule ensures that public network access (i.e., all network access) to Azure virtual machine (VM) disks is disabled in order to enhance security by preventing unauthorized access.
conformity_whats_new 393
New Rule
AWS
- IAM-073: Check for IAM Users with Compromised Credentials: This rule checks for Amazon IAM users with the "AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2", and/or "AWSCompromisedKeyQuarantineV3" managed policies in order to identify IAM users with compromised or exposed credentials.
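Added example, not Conformity's own code: a check in the spirit of IAM-073 that inventories each IAM user's attached managed policies with boto3 and flags the three quarantine policies named above. The match logic is a pure function so it runs offline on the constructed sample inventory; the boto3 collector assumes an IAM client with permission to list users and their attached policies.

```python
from typing import Dict, Iterable, List

# The three AWS-managed policies named in rule IAM-073.
QUARANTINE_POLICIES = {
    "AWSCompromisedKeyQuarantine",
    "AWSCompromisedKeyQuarantineV2",
    "AWSCompromisedKeyQuarantineV3",
}

def quarantined_users(attachments: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map user name -> attached quarantine policy names, for users that have at least one.

    `attachments` maps an IAM user name to the ARNs of its attached managed policies.
    Only AWS-managed policies (account field 'aws' in the ARN) count: a customer-managed
    policy that merely reuses the name is not AWS's compromised-credential signal.
    """
    hits: Dict[str, List[str]] = {}
    for user, arns in attachments.items():
        matched = []
        for arn in arns:
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) == 6 and parts[4] == "aws":
                name = parts[5].rsplit("/", 1)[-1]
                if name in QUARANTINE_POLICIES:
                    matched.append(name)
        if matched:
            hits[user] = sorted(matched)
    return hits

def collect_attachments(iam_client) -> Dict[str, List[str]]:
    """Build the inventory from a boto3 IAM client (e.g. boto3.client("iam")) via paginators."""
    inventory: Dict[str, List[str]] = {}
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            inventory[name] = []
            for pol_page in iam_client.get_paginator("list_attached_user_policies").paginate(UserName=name):
                inventory[name].extend(p["PolicyArn"] for p in pol_page["AttachedPolicies"])
    return inventory

# Constructed sample inventory (not real account data): only "bob" carries an AWS-applied
# quarantine policy; "carol" has a customer-managed look-alike and must not be flagged.
SAMPLE_INVENTORY = {
    "alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "bob": ["arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2", "arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "carol": ["arn:aws:iam::123456789012:policy/AWSCompromisedKeyQuarantine"],
}
```

Against a live account, run `quarantined_users(collect_attachments(boto3.client("iam")))`; a non-empty result means AWS has already quarantined a key and the user's credentials should be rotated and the exposure investigated.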
conformity_whats_new 394
New Rules
Azure
- PostgreSQL-015: Enable Transport Encryption for PostgreSQL Flexible Servers: This rule ensures that the databases managed with Azure Database for PostgreSQL have the Transport Encryption feature enabled.
conformity_whats_new 395
New Rules
Azure
- SecurityCenter-044: Enable Microsoft Defender for Cloud for Azure Resource Manager: This rule ensures that Microsoft Defender for Cloud is enabled for Azure Resource Manager.
conformity_whats_new 396
Custom Policy Updates
- We've updated the Azure account API permission list. Click here to access the latest Azure account guide.
conformity_whats_new 397
New Rules
Azure
- MySQL-003: Enable Transport Encryption for MySQL Flexible Servers: This rule ensures that the "require_secure_transport" parameter is enabled for Azure MySQL flexible servers.
- MySQL-005: Enable Audit Logging for MySQL Flexible Servers: This rule ensures that audit logging is enabled for Microsoft Azure MySQL flexible servers.
conformity_whats_new 398
Update Checks Endpoints
- POST and PATCH Checks: The maximum configurable TTL has been increased to 99 years from the time of the request.
conformity_whats_new 399
New Rules
Azure
- PostgreSQL-017: Check Log Files Retention Period for PostgreSQL Flexible Servers: This rule ensures that a sufficient retention period is configured for log files on Azure PostgreSQL flexible database servers.
conformity_whats_new 400
Updated GCP account permission list
We've added the following new GCP account permission:
compute.forwardingRules.list
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 401
As part of our commitment to improving customer experience, we will release significant system enhancements for AWS cloud account scanning. These enhancements will be rolled out gradually over the next several months. Note: Some of these enhancements allow for more thorough and accurate scanning and verification of account resources, which may change how particular data that previously displayed inconsistently is shown.
conformity_whats_new 402
New Rules
Azure
- ActiveDirectory-025: Restrict Guest User Access to Their Own Directory Data: This rule ensures that guest user access is restricted to properties and memberships of their own directory objects in Microsoft Entra ID.
conformity_whats_new 403
New Rules
Azure
- ActiveDirectory-026: Disable Tenant Creation for Non-Admin Users: This rule ensures that only administrators or specifically assigned users (i.e., users with tenant creator roles) have permission to create Microsoft Entra ID or Azure Active Directory B2C tenants.
conformity_whats_new 404
New Rule
Azure
- SecurityCenter-043: Enable Microsoft Defender for Cloud for Open-Source Relational Databases: This rule ensures that Microsoft Defender for Cloud is enabled for open-source relational databases such as Azure Database for PostgreSQL, Azure Database for MySQL, and Azure Database for MariaDB.
conformity_whats_new 405
Updated GCP account permission and API list
We've added the following new GCP account permission and API:
pubsub.subscriptions.get
networkconnectivity.hubs.getIamPolicy
Bigtable Admin API
For a full list of GCP permissions, see Add a GCP Account.
conformity_whats_new 406
New Rule
Azure
- MachineLearning-006: Enable Network Isolation for Azure Machine Learning Registries: This rule ensures that network isolation is enabled for your Azure Machine Learning registries.
- AKS-007: Enable Support for Network Policies: This rule ensures that your Azure Kubernetes Service (AKS) clusters are using network policies to implement secure policy-based access control.
conformity_whats_new 407
New Rule
Azure
- ActiveDirectory-027: Limit Guest User Invites to Administrators: This rule ensures that only users with the 'User Administrator' or the 'Guest Inviter' roles can invite guest users to your Microsoft Entra directory to collaborate on resources secured by your organisation.