CloudHealth Secure State 2020 What's New | 09 DEC 2021

Check for additions and updates to these release notes.

CIS GCP Foundations Benchmark v1.1.0 Support

November 20, 2020

We’re excited to announce that Secure State now supports the latest release of the CIS GCP Foundations Benchmark v1.1.0 framework. Secure State's implementation includes 48 rules and full mapping for over 48 controls, spanning services across Identity & Access Management, Logging & Monitoring, Networking, Virtual Machines, Storage, Cloud SQL, MySQL, SQL Server, and BigQuery. Learn more about how to protect your Google Cloud environment.

Compliance Management and Custom Frameworks -- Private Beta

October 8, 2020

Customers are using Secure State to accelerate and monitor their compliance with industry standards like CIS, NIST, PCI, and more. We’re now introducing the ability to extend the natively supported industry standards and create custom frameworks within Secure State. You can associate your custom rules with controls defined in a natively managed framework, or build your own framework specific to the needs of your organization or a specific application. For example, you can build a custom framework to monitor conformance to your usage of a specific cloud service.

Compliance management is available as a private beta today. If you’re interested in participating in this private beta, please reach out to your CloudHealth representative to get started. You can read about using it here.

Google Cloud Security and Compliance – Private Beta

October 1, 2020

We're announcing security and compliance monitoring support for Google Cloud environments and resources, enabling users to extend security visibility and manage risk consistently across the three major public cloud providers.

Over 15 key Google Cloud services across compute, network, and storage can now be protected in real-time by Secure State, following the CIS Foundations Benchmark v1.1.0. We're also introducing bulk onboarding capabilities starting with Google Cloud, so users can now easily manage and onboard a group of GCP Projects using organization-level roles.

Google Cloud support is now available as a private beta; interested customers can reach out to their CloudHealth representative to get initial access. Read more about this here:

Azure Remediation Support

September 29, 2020

We're extending remediation support to Azure environments, enabling users to proactively scale security and remediate thousands of misconfigurations in seconds for the Azure cloud. There are 5 pre-defined remediation jobs available, along with the ability to create custom jobs. Users can fix misconfigurations without providing Azure Subscription write-access to Secure State.

Read more about how to use Secure State Remediation here:

Remediation Jobs – Open Source

August 7, 2020

We are excited to announce that all remediation jobs are now open sourced. As we continue to enhance the library of jobs available, we invite all our customers to engage and contribute so that we can all help each other resolve findings faster. You'll also find our job authoring best practices and useful code snippets for customizing remediation jobs in the open sourced repository.

Please visit us on GitHub to find out more:

New Licensed Resources - August 2020

July 30, 2020

Secure State’s licensing model is based on the usage count of cloud resources deployed. We focus on compute and database resources consumed because they are the key workloads and services that we are protecting in your environments. As the platform expands to cover a greater breadth of services, additional resources will be added to the licensed resources list. We recently expanded our security coverage to include support for Amazon Elasticsearch, Amazon EKS, and Amazon DynamoDB. If you’re using these services, you will see the resources and counts appear on the Usage Page beginning August 1st at 12 AM GMT. These services will count towards your subscription and you will see a minimal usage increase based on these new resources.

Remediation – Public Beta

July 30, 2020

We’re excited to announce that you can now scale cloud security by automating remediation actions to misconfigurations! Available as a public beta for AWS users, Secure State’s industry-leading remediation framework can be used to fix security findings across multiple accounts, spanning multiple regions, in a matter of seconds, without elevating write permissions. Workflows can be set up to trigger manual or automated actions on findings matching the desired criteria of rule, cloud accounts, regions, and tags. Whether from the natively supported library of actions or a custom script, a programmatic remediation can be deployed with just a few simple steps.

Get started with the Remediation Framework by following the guide here.

Introducing Support for AWS Certificate Manager

July 28, 2020

We’re introducing availability of AWS Certificate Manager (ACM) monitoring in Secure State. If you’ve deployed ACM, you can immediately search your resources through Explore in the Secure State platform or through the EDS API. Along with inventory collection, new rules are available. Please go to the Rules Page and filter accordingly to see the corresponding rules.

AWS Certificate Manager New Rules:

  • AWS Certificate Manager (ACM) has in-use certificates that are expired or expiring in the next 30 days (High)
  • AWS Certificate Manager (ACM) Certificate Transparency logging is disabled (Medium)
  • AWS Certificate Manager (ACM) has a certificate with a wildcard domain (Low)

Introducing Support for Azure Cosmos DB Collection and Rules

July 27, 2020

We're introducing support for Azure Cosmos DB. Cosmos DB is Azure’s managed multi-model database service classified as a NoSQL database. Our support includes inventory collection that can be viewed through Explore or retrieved via API, and the new rules listed below which can be found on the Rules Page.

  • Azure Cosmos DB Database account is accessible through any source address (High)
  • Azure Cosmos DB Database account is configured with an unrestricted network security group (Medium)
  • Azure Cosmos DB Database account is not encrypted with customer key (Low)

New Cloud Services Icons

July 23, 2020

We've updated service icons in Explore and the Findings detail page to align to the most recent icons from AWS and Azure. Here are examples for AWS and Azure respectively:

VMware Secure State introduces Amazon Elasticsearch and AWS ELBv2 inventory collection and rules

July 23, 2020

This week Secure State introduced support for Amazon Elasticsearch service and ELBv2 which includes Network Load Balancer and Application Load Balancer. Users of these services can search for their resources deployed through Explore in the web console or through the EDS API. Along with inventory collection, new rules for both services were introduced.

ELBv2 (8 new rules)

  1. Internet facing Elastic Load Balancer has HTTP listener – High severity
  2. Elastic Load Balancer access logs are not enabled – Medium
  3. Elastic Load Balancer configured with insecure SSL Ciphers and Vulnerable SSL policy – Medium
  4. Elastic Load Balancer listener TLS is not configured – Medium
  5. Elastic Load Balancer is not in use – Medium
  6. Elastic Load Balancer cross zone load balancing is not enabled – Medium
  7. Elastic Load Balancer is using a default VPC – Medium
  8. Elastic Load Balancer is using a default security group – Medium

Amazon Elasticsearch (10 new rules)

  1. Amazon Elasticsearch service domain is publicly accessible - High
  2. Amazon Elasticsearch policy allows unrestricted access for all the users - High
  3. Amazon Elasticsearch policy allows unrestricted traffic from all IP addresses - High
  4. Amazon Elasticsearch zone awareness is disabled - Medium
  5. HTTPS is not enforced to communicate with Amazon Elasticsearch - Medium
  6. Amazon Elasticsearch search slow logging is disabled - Low
  7. Node to node encryption for Amazon Elasticsearch is not enabled - Medium
  8. Data at rest for Amazon Elasticsearch is not encrypted - Medium
  9. Amazon Elasticsearch index slow logging is disabled - Low
  10. Amazon Elasticsearch application logging is disabled - Low

VMware Secure State introduces Amazon DynamoDB inventory collection and rules

June 3, 2020

VMware Secure State now supports Amazon DynamoDB (Amazon’s managed NoSQL offering). Beginning today, you will be able to search for DynamoDB resources through Explore or the EDS APIs. Additionally, three new security rules were introduced.

  • DynamoDB table auto scaling is not enabled for a table with PROVISIONED capacity mode
  • DynamoDB continuous backups and/or point-in-time recovery is disabled
  • Encryption for DynamoDB table has not been enabled using AWS managed or Customer managed customer master keys

Learn more about the Rules by going to the Rules management page and searching for DynamoDB. Or go direct to Findings by Rule and search for DynamoDB to see if you have any vulnerable resources.

March 26, 2020

Monitoring your finding count changes allows you to keep a pulse on your company’s cloud security program. To aid with this, VMware Secure State is introducing the Trends dashboard. You can see summary information on total findings, new and resolved findings, and finding counts broken out by top accounts and services with open findings. This dashboard can be filtered to give you a sense of how you’re trending over the last week, last month, or several months. You can use these trends to track whether individual cloud account owners are making progress in reducing security risk, or whether your organization is meeting its quarterly security goals.

The Trends dashboard can be found here:

Improved Tracking of Resolved Findings

March 12, 2020

VMware Secure State supports tracking the status of findings – open or resolved – to provide users an accurate view of whether findings continue to pose a security vulnerability. Now, we are expanding the resolved finding status to display a resolved reason and resolved date to provide customers a better understanding of what caused the finding to be resolved. Resolved reasons such as “Remediated,” “Rule query updated,” or “Rule deleted” will be visible in the details page of a resolved finding that explains what type of change caused the resolution, and the resolved date will indicate the time the change occurred. These new properties will enable users to correctly attribute configuration corrections in their environment to resolved findings.

Remediation – Private Beta

February 25, 2020

Remediation is a new capability for creating programmatic actions to remediate misconfigurations at scale. It is a flexible, in-account remediation approach for enforcing secure resource configurations where customers have complete control over the permissions boundary. Actions can be scaled to multiple accounts, spanning multiple regions, in a matter of seconds, without elevating write permissions to VMware Secure State. Remediation workflows can be manually triggered or deployed as automated guardrails. The Remediation beta makes 5 jobs available out of the box for common misconfigurations such as unencrypted S3 buckets, publicly accessible SSH ports, etc. More information about our Remediation strategy can be found on our blog.

To get started with Remediation private beta, read more here:

Enriched metadata on cloud resources

January 15, 2020

For greater context on the resources with violations, VMware Secure State now presents several more properties across the various AWS and Azure services, enabling you to take effective next steps. This change can be noticed through the Findings Details page for any new findings by clicking into a violation.

An example of a password policy can be seen below, in which greater detail on password requirements is now presented.

Identify Expiring AWS RDS and Aurora Certificate Bundles

January 14, 2020

Using VMware Secure State’s Explore and Custom Rules, you can enforce security operations updates, such as certificate rotation and configuration updates. AWS recently made an announcement requiring users to update SSL certificates for RDS and Aurora DB Instances. A policy such as this can be tracked through VMware Secure State as an Explore query and saved as a custom rule.

Through a custom rule, any databases with old certificates will be flagged as violations, and as certificates are updated, the associated violations will be resolved, enabling you to track and monitor the update across all of your AWS accounts. Go to Explore and try this query out in your environment.

db_instance HAS NOT ca_certificate_identifier = "rds-ca-2019"
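The query above is evaluated by Secure State against its inventory; the same idea (a rule is a predicate over a resource snapshot, a finding is resolved when a later snapshot no longer matches) can be shown offline. The following is an added example, not Secure State code and not the Explore query language: it applies three of the checks announced on this page (the ACM expiring-certificate rule, the ELBv2 internet-facing HTTP listener rule, and the RDS CA-certificate custom rule) to a constructed inventory, then diffs two snapshots to show how a finding becomes "resolved". Record field names, the `NOW` timestamp and the severity assigned to the RDS custom rule are all assumptions made for the example.

```python
"""Added example: a small rule evaluator for three checks described on this page.

Assumptions (ours, not Secure State's or the EDS API's): the record shapes below,
the fixed clock NOW, and the 'Medium' severity given to the RDS custom rule, for
which the page assigns no severity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the example is deterministic.
NOW = datetime(2020, 1, 14, tzinfo=timezone.utc)


@dataclass(frozen=True, order=True)
class Finding:
    rule: str
    resource: str
    severity: str


def check_acm(certs, now=NOW, window_days=30):
    """ACM rule: in-use certificates that are expired or expire within window_days.
    Certificates not in use are out of scope, as the rule title says 'in-use'.
    The boundary (expiry exactly window_days away) counts as expiring."""
    cutoff = now + timedelta(days=window_days)
    return [Finding("acm-in-use-cert-expiring", c["arn"], "High")
            for c in certs if c["in_use"] and c["not_after"] <= cutoff]


def check_elbv2(load_balancers):
    """ELBv2 rule: internet-facing load balancer with at least one HTTP listener.
    Internal load balancers with HTTP listeners are not flagged by this rule."""
    return [Finding("elbv2-internet-facing-http-listener", lb["arn"], "High")
            for lb in load_balancers
            if lb["scheme"] == "internet-facing"
            and any(l["protocol"] == "HTTP" for l in lb["listeners"])]


def check_rds_ca(instances, expected="rds-ca-2019"):
    """Offline equivalent of the page's query:
    db_instance HAS NOT ca_certificate_identifier = "rds-ca-2019"
    An instance with no identifier at all also fails the check."""
    return [Finding("rds-ca-bundle-not-2019", i["arn"], "Medium")  # severity assumed
            for i in instances if i.get("ca_certificate_identifier") != expected]


def evaluate(inventory, now=NOW):
    """Run every rule over one inventory snapshot and return sorted findings."""
    return sorted(check_acm(inventory["acm"], now)
                  + check_elbv2(inventory["elbv2"])
                  + check_rds_ca(inventory["rds"]))


def resolved_between(earlier, later):
    """Findings present in the earlier snapshot's findings but absent from the
    later one: the 'Remediated' resolved state described on this page."""
    return sorted(set(earlier) - set(later))


def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory; ARNs are placeholders, not real resources.
INVENTORY = {
    "acm": [
        {"arn": "acm/cert-expires-soon", "in_use": True, "not_after": _ts(2020, 1, 20)},
        {"arn": "acm/cert-healthy", "in_use": True, "not_after": _ts(2020, 3, 1)},
        {"arn": "acm/cert-expired-unused", "in_use": False, "not_after": _ts(2019, 12, 1)},
        {"arn": "acm/cert-boundary", "in_use": True, "not_after": _ts(2020, 2, 13)},
    ],
    "elbv2": [
        {"arn": "elb/public-http", "scheme": "internet-facing",
         "listeners": [{"protocol": "HTTP", "port": 80}]},
        {"arn": "elb/public-https", "scheme": "internet-facing",
         "listeners": [{"protocol": "HTTPS", "port": 443}]},
        {"arn": "elb/internal-http", "scheme": "internal",
         "listeners": [{"protocol": "HTTP", "port": 80}]},
    ],
    "rds": [
        {"arn": "rds/db-rotated", "ca_certificate_identifier": "rds-ca-2019"},
        {"arn": "rds/db-old-bundle", "ca_certificate_identifier": "rds-ca-2015"},
        {"arn": "rds/db-no-identifier"},
    ],
}


def rotated_snapshot():
    """Second constructed snapshot: rds/db-old-bundle has been rotated to rds-ca-2019."""
    later = {k: list(v) for k, v in INVENTORY.items()}
    later["rds"] = [dict(i, ca_certificate_identifier="rds-ca-2019")
                    if i["arn"] == "rds/db-old-bundle" else i for i in later["rds"]]
    return later


if __name__ == "__main__":
    before = evaluate(INVENTORY)
    after = evaluate(rotated_snapshot())
    for f in before:
        print(f"OPEN      {f.severity:6} {f.rule:40} {f.resource}")
    for f in resolved_between(before, after):
        print(f"RESOLVED  {f.severity:6} {f.rule:40} {f.resource}")
```

Running the script lists five open findings from the first snapshot (two ACM, one ELBv2, two RDS) and one resolved finding after the second snapshot, which is the same lifecycle the Resolved Findings entry above describes: the finding closes because the resource configuration changed, not because the rule changed.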