CloudHealth Secure State 2021 Rules | 18 NOV 2021

Check for additions and updates to these release notes.

December 16, 2021 - Updated AWS Rules

AWS – Updated Rules

The following rule received query and trigger updates to improve results:

  • SQS queue should have encryption enabled (RuleId: db0e95af-f146-44a6-88a1-ed6614193912) - Medium

December 9, 2021 - New Service: Azure Container Instance, New AWS and GCP Rules, Updated AWS and GCP Rules, Updated Compliance Frameworks

Azure Container Instance

  • Container Instance container group image repository should be restricted from public access (RuleId: aedd80e9-9842-4e4a-b54a-ec510d32dd53) - High
  • Container Instance container group should be restricted from public access (RuleId: d0b49297-9c6d-4f77-8e19-53482f001fd2) - High
  • Container Instance container group should be encrypted with a CMK (RuleId: 31527120-12dd-49e5-a78b-69b1db7edc17) - Medium
  • Container Instance container group should be enabled with azure monitor logs (RuleId: 2fc88f4c-f083-495c-8c60-c8600b5ecdb4) - Low

AWS – New Rules

  • EC2 instance should restrict public access to FCP port (5500) (RuleId: f49878b2-c89e-44d9-80eb-d0e6bf560e75) - High
  • EC2 instance should restrict public access to FCP port (8088) (RuleId: 2f155bea-fe84-4ae4-a991-6a4d5b83fd6d) - High
  • EC2 instance should restrict public access to FCP port (8888) (RuleId: 7a57f2c5-8ba1-4862-867b-110249fef2e7) - High
  • EC2 instance should restrict public access to Go, Node.js, and Ruby web development frameworks port data port (3000) (RuleId: 279aae5a-7db7-475c-92dc-854c41fad45d) - High
  • EC2 instance should restrict public access to IMAP data port (143) (RuleId: 38315534-5242-4917-bc04-8698359d7570) - High
  • EC2 instance should restrict public access to MSSQL data port (1434) (RuleId: 615537d1-e056-48e0-8180-787462598c6b) - High
  • EC2 instance should restrict public access to POP3 data port (110) (RuleId: 2da3fb11-7564-4a0b-9471-986bf9aa082f) - High
  • EC2 instance should restrict public access to Python web development frameworks port (5000) (RuleId: 430dc795-4733-4a27-93fd-e60bb479570e) - High
  • EC2 instance should restrict public access to RPC data port (135) (RuleId: c7f36771-25a9-4e66-92eb-d1b7e69eaa81) - High
  • EC2 VPC endpoint should restrict public access (RuleId: b4679d78-de7e-47c2-a0f6-e4045b1246ce) - High
  • RDS DB instance should be deployed in VPC (RuleId: 3c1476e2-5480-4eb5-ae8d-800c887ea813) - High
  • EC2 security group should restrict public access to alternative HTTP port (8888) (RuleId: 1d9397f8-85ff-4fde-b30c-54811004badc) - Medium
  • EC2 security group should restrict public access to FCP port (5500) (RuleId: efdffe97-f426-42d8-a5d0-2bcad92a49b4) - Medium
  • EC2 security group should restrict public access to IMAP port (143) (RuleId: f279962f-359d-41e8-9d14-93b50afb14e1) - Medium
  • EC2 security group should restrict public access to legacy HTTP port (8088) (RuleId: 8510643a-0793-45ec-8edc-b68648afcd12) - Medium
  • EC2 security group should restrict public access to MSSQL port (1434) (RuleId: ca4dcaea-fc79-4e87-9473-8e7501bcf397) - Medium
  • EC2 security group should restrict public access to POP3 port (110) (RuleId: de0d183e-3e0e-4ac9-a70c-54996ed81d2a) - Medium
  • EC2 security group should restrict public access to Go, Node.js, and Ruby web development frameworks port (3000) (RuleId: cd2a7f97-1bd2-48a9-90be-3bf3c305e4e9) - Medium
  • EC2 security group should restrict public access to RPC port (135) (RuleId: 776d3354-fe02-41d6-b7bc-573769bdad3c) - Medium
  • EC2 security group should restrict public access to Python web development frameworks port (5000) (RuleId: 24bd7354-0fad-4d11-b8b2-01a7feafa834) - Medium
  • EC2 VPC endpoint service should require manual approval for connection requests (RuleId: 410b4536-7d4d-4537-8955-7f86faedb348) - Medium
  • Elasticsearch application should have at least three data nodes (RuleId: 8b1c727b-4e96-40cc-8141-b550ba8e3fad) - Medium
  • Elasticsearch domain should be configured with at least three dedicated master nodes (RuleId: 4b5a5862-4c5d-4bcc-863d-dfa609395c52) - Medium
  • Elasticsearch domain should be encrypted with TLS-1.2 (RuleId: 53ca72de-a66e-4107-8ac5-56998aa0b221) - Medium
  • RDS database cluster should not use a database engine default port (RuleId: cf2d7f4c-2695-4128-951a-710675ba2b5d) - Low
  • RDS DB cluster should be configured to copy tags to snapshot (RuleId: 905a491a-5360-4574-a9e6-6b2be63e3806) - Low
  • RDS DB instance should be configured to copy tags to snapshot (RuleId: 930f940f-5a82-4a54-8776-58480a9eaaef) - Low
  • Elasticsearch audit logging should be enabled (RuleId: 800e2c67-ccc3-4a3e-a030-c321aad59f6a) - Low
  • RDS database instance should not use a database engine default port (RuleId: a3ed4fd1-eaa9-4947-8061-e95be99088f6) - Low
  • RDS event notifications subscription should be configured for critical cluster events (RuleId: 22b84024-6b77-4da0-abfc-64e6d5564df6) - Low
  • RDS event notifications subscription should be configured for critical database instance events (RuleId: cd43896f-cef3-44b1-992d-fd156ee3d128) - Low
  • RDS event notifications subscription should be configured for critical database parameter group events (RuleId: 3f95c26b-af6b-4d6b-abe0-516f1bf25313) - Low
  • RDS event notifications subscription should be configured for critical database security group events (RuleId: c5383bbd-b1fa-4152-b575-1477070d5ee4) - Low

AWS – Updated Rule

The following rule received query and trigger updates to improve results:

  • EC2 VPC endpoint should not have unrestricted access (RuleId: bfc755bd-f58c-498c-9d57-809e712b48c2) - High

GCP – New Rule

  • VM instance should not use the default app engine service account (RuleId: a30fdd53-1960-4eb9-974a-2773bc2c8ced) - High

GCP – Updated Rules

The following rules received query and trigger updates to improve results, and a change in display name:

  • Logging storage bucket retention policy should be configured with bucket lock (RuleId: d38c0a70-689c-4d90-ab47-1bf19165c8fb) - Medium
  • Project should not have a default network (RuleId: eb83d4d2-f2aa-11ea-adc1-0242ac120002) - Medium

Updated Compliance Frameworks

The following frameworks received updated mappings for Azure, AWS, and GCP rules:

  • NIST SP 800-53, revision 5
  • NIST CSF, version 1.1
  • EU GDPR, 2016-679
  • AICPA SOC 2, 2017
  • PCI DSS, version 3.2.1
  • ISO IEC 27001, 2013
  • CSA CCM, version 3.0.1
  • CSA CCM, version 4.0.3

December 2, 2021 - Updated AWS Rules, Updated Compliance Frameworks

AWS – Updated Rules

The following IAM rules received query updates that take into account the limitations set by permissions boundaries to ensure more accurate reporting.

  • IAM user, group, or role should not have access to attach policy versions (RuleId: 99c8f4c9-4916-46f9-980c-5b088c410fbf) - High
  • IAM user, group, or role should not have access to create or update login profiles (passwords) for IAM users (RuleId: 08a4bc9c-d04d-4f0b-9304-6e88224dfb0a) - High
  • IAM user, group, or role should not have access to create policy versions (RuleId: c7ed8c8a-661a-444d-9f27-7a5e040386d5) - High
  • IAM user, group, or role should not have access to edit inline user, group or role policies (RuleId: d7030621-bd0e-4161-97cd-5d59417d696a) - High
  • IAM user, group, or role should not have access to set default policy versions (RuleId: 0ab2af7c-d8d7-4929-a843-faf404bb6a6d) - Medium
  • IAM user, group, or role should not have access to both edit assume role policies and assume IAM roles (RuleId: c71c5c06-1911-4977-a5af-bb2642fccfda) - Medium
  • IAM user, group, or role should not have access to add users to groups (RuleId: 3f053c2e-2cfe-44b2-8a35-912a8ddb1270) - Medium

Updated Compliance Frameworks

The following frameworks received updated mappings for Azure, AWS, and GCP rules.

  • NIST SP 800-53, revision 5
  • NIST CSF, version 1.1
  • EU GDPR, 2016-679
  • AICPA SOC 2, 2017
  • PCI DSS, version 3.2.1
  • ISO IEC 27001, 2013
  • CSA CCM, version 3.0.1
  • CSA CCM, version 4.0.3

November 25, 2021 - New and Updated AWS Rules, Updated Compliance Frameworks

AWS – New Rules

  • ECS task definitions should have secure networking modes and user definitions (RuleId: 8f66a089-dcb2-45fa-bcf1-9a57fa9818ef) - Medium
  • RDS DB clusters should be configured for multiple Availability Zones (RuleId: 18d82921-696c-4053-9c69-01f1fe4fcd7c) - Medium
  • EC2 instances should use single ENI (RuleId: f552af74-1374-48e2-964f-5a8105d0ace0) - Low
  • IAM customer managed policies should not allow wildcard actions for services (RuleId: 4eff5e35-c09b-4d95-9c3c-f53c01470636) - Low

AWS – Updated Rules

The following rules received query and trigger updates to improve accuracy of findings:

  • IAM password should be configured to expire after 90 days (RuleId: 5c8c25fd7a550e1fb6560bde) - High
  • CloudTrail S3 bucket should have access logging enabled (RuleId: 5c8c265c7a550e1fb6560c63) - Medium

Updated Compliance Frameworks

The following frameworks received updated mappings for Azure, AWS and GCP rules:

  • NIST SP 800-53, revision 5
  • NIST CSF, version 1.1
  • EU GDPR, 2016-679
  • AICPA SOC 2, 2017
  • PCI DSS, version 3.2.1
  • ISO IEC 27001, 2013
  • CSA CCM, version 3.0.1
  • CSA CCM, version 4.0.3

November 18, 2021 - New and Updated Rules

AWS - New Rules

  • ECS task definitions should have secure networking modes and user definitions (RuleId: 8f66a089-dcb2-45fa-bcf1-9a57fa9818ef) - High
  • RDS DB clusters should be configured for multiple Availability Zones (RuleId: 18d82921-696c-4053-9c69-01f1fe4fcd7c) - Medium
  • EC2 instances should use single ENI (RuleId: f552af74-1374-48e2-964f-5a8105d0ace0) - Low
  • IAM customer managed policies that you create should not allow wildcard actions for services (RuleId: 4eff5e35-c09b-4d95-9c3c-f53c01470636) - Low

AWS - Updated Rules

The following rules received query and knowledge base article updates to improve finding results and clarify information, respectively.

  • Firehose delivery stream destination should use an encrypted S3 bucket (RuleId: 8b76d13b-8c3a-4c4a-8993-a0e6f9af46c7) - Medium
  • Firehose delivery stream should have server side encryption enabled (RuleId: 77485161-b61f-4c11-b160-48c59ede5ed2) - Medium

November 11, 2021 - New Kinesis Firehose Availability, Updated Rules and Compliance Frameworks

Amazon Kinesis Firehose

  • Firehose delivery stream destination should use an encrypted S3 bucket (RuleId: 8b76d13b-8c3a-4c4a-8993-a0e6f9af46c7) - High
  • Firehose delivery stream should have server side encryption enabled (RuleId: 77485161-b61f-4c11-b160-48c59ede5ed2) - High
  • Firehose delivery stream destination associated with S3 bucket should have restricted access (RuleId: bda0713a-6e4f-426d-a409-10527f1a5da2) - High
  • Firehose delivery stream should have IAM roles with restricted permissions (RuleId: 77485161-b61f-4c11-b160-48c59ede5ed2) - Medium
  • Firehose delivery stream should have destination error logs enabled (RuleId: edad94df-ff76-4c26-a30e-c177badcd53a) - Low

AWS - Updated Rules

The following rules received query updates to improve accuracy:

  • EKS Node Group IAM role should not have Administrator-level access (RuleId: d13740a2-246c-4822-a736-b8d93e98d02d) - High
  • EKS Node Group IAM role should not have full EC2 privileges (RuleId: 3967d733-31e6-4651-adb6-17ae9d377497) - Medium
  • EKS Node Group IAM role should not have full S3 privileges (RuleId: 36e66c95-b64e-41fd-8781-748f969d58e8) - Medium

Azure - Updated Rules

The following rules received query updates to improve accuracy:

  • Network Watcher should be enabled for Azure subscriptions (RuleId: 5c8c26747a550e1fb6560c8d) - High
  • SQL data encryption should be enabled (RuleId: 5c8c268d7a550e1fb6560cc0) - High

New Compliance Frameworks

The following frameworks were added for the first time for AWS, Azure, and GCP control mappings.

  • CSA CCM, version 3.0.1
  • CSA CCM, version 4.0.3
  • CIS Google Kubernetes Engine (GKE), version 1.1.0
  • MITRE ATT&CK Containers, version 10.0
  • MITRE ATT&CK Cloud, version 10.0

October 21, 2021 - Updated Compliance Frameworks

Updated Compliance Frameworks

The following frameworks received new controls:

  • NIST CSF, version 1.1

The following frameworks had their mappings corrected and updated for Azure CIS rules:

  • NIST SP 800-53, revision 5
  • NIST SP 800-171, revision 1
  • NIST CSF, version 1.1
  • EU GDPR, 2016-679
  • AICPA SOC 2, 2017
  • US HIPAA 164, 2017-10-01
  • PCI DSS, version 3.2.1
  • ISO IEC 27001, 2013
  • MITRE ATT&CK Cloud, version 8

October 14, 2021 - New AWS Rules

AWS – New Rules

The following new rules were added in alignment with AWS Security Hub controls:

  • Redshift cluster should have enhanced VPC routing enabled (RuleId: 6020fc49-cd03-452c-9b1c-d50721b17d19) - High
  • Aurora MySQL clusters should not have backtracking disabled (RuleId: 40d265ff-f1b0-4500-83a8-49d3436c6510) - Medium
  • EC2 subnets should not automatically assign public IP addresses (RuleId: 9acc58ab-ccad-48f2-a454-f114b9293b68) - Medium
  • RDS DB cluster should not have IAM authentication disabled (RuleId: 006ce8ff-ace8-437c-a9ba-262c1326c77f) - Medium
  • Secrets Manager secret should be rotated within a specified number of days (RuleId: 3d7322ca-c748-4106-bdfa-0ee89de73914) - Medium
  • Secrets Manager secret which is not accessed for more than 90 days should be removed (RuleId: 75926694-7462-4b0c-b7c2-9c146ebd253c) - Medium
  • WAFv2 web ACL should have logging enabled (RuleId: c5fe3d7e-ee5b-471c-963f-b00047446a72) - Medium
  • API Gateway REST API stages should have AWS X-Ray tracing enabled (RuleId: bce5cb84-0771-4ed3-bf50-abb03435e22e) - Low
  • Unused network access control lists should be removed (RuleId: 9b6fdd1a-1b2a-4180-8e01-b75a658ef77d) - Low

October 7, 2021 - New AWS Rules, Updated Compliance Frameworks

Services and Rules:

Expanded support of Amazon ECS

  • ECS Service should not have tasks with privileged IAM access to an EC2 instance (RuleId: 6ce69326-31e1-46ea-97d7-be55930bf14b) - High
  • ECS Service task role with admin privileges should not have public IP addresses assigned to them (RuleId: 8dc3f050-486f-4b4d-96d4-b765af62a799) - High
  • ECS Service tasks should not have access to EC2 instance metadata (RuleId: 1c9b757e-7c63-497a-a555-54129cbb9dd1) - Medium
  • ECS Cluster execute command logging encryption should be enabled (RuleId: 6f743c71-0fbc-4710-805b-61044a204e6a) - Medium
  • ECS Services should not have public IP addresses assigned to them (RuleId: 4dde3a86-0582-43ac-bca6-8fd6267c27f2) - Medium
  • ECS Service should use a container image hosted on Amazon ECR (RuleId: a68ae6e6-f33d-4350-861d-57518257e35c) - Medium
  • ECS Service should expose only secure protocols on port 443 (RuleId: b0e86286-220f-4938-97be-f08b9668fc95) - Medium
  • ECS Cluster should have container insights enabled (RuleId: 8efed7d2-9b25-4602-b1d9-a8e99c3c6017) - Low

Compliance Updates

  • Updated rule mappings for CIS Azure Foundations Benchmark v1.3.0
  • Deprecation of CIS AWS Foundation Benchmark v1.2.0. CIS AWS v1.4.0 support was introduced a month ago. Secure State supports the current and one version back of any compliance framework. As per our deprecation policy, we have removed the CIS AWS v1.2.0.

September 30, 2021 - New AWS Rules, Updated Compliance Frameworks

AWS – New Rules

New rules were added for the AWS CloudFront and IAM services:

  • CloudFront distribution origin S3 bucket should not be deleted (RuleId: 87853484-1541-11ec-82a8-0242ac130003) - Medium
  • IAM group should not have administrator privileges (RuleId: 8343f7ac-4bb5-462e-866e-a5a7153ecdbb) - Medium
  • IAM role should not have administrator privileges (RuleId: 742c1761-9f7f-4d50-8d74-b6b65d715aa8) - Medium

Updated Compliance Frameworks

The following frameworks received new controls:

  • CIS AWS Foundations Benchmark, version 1.4.0
  • CIS AWS Foundations Benchmark, version 1.3.0

September 23, 2021 - New Azure Rules

Azure – New Rules

The following rules were added for Azure AKS:

  • AKS cluster should have private node (RuleId: b500ea29-935e-4476-9318-ed7994c04854) - High
  • AKS cluster should have Azure RBAC enabled for Kubernetes Authorization (RuleId: 8d74ff7e-98d1-4468-88ea-c546aab9f497) - Medium
  • AKS cluster should have network policy enabled (RuleId: d451e213-434b-4171-aab9-9d5a4d0fbc54) - Medium

September 16, 2021 - New AWS and GCP Rules, Updated AWS Rules, Updated Compliance Frameworks

AWS – New Rule

A new rule for monitoring unused access was added to the AWS IAM service:

  • IAM account should not be inactive for 45 days or longer (RuleId: b6b7e70f-c1aa-4dec-8822-4189d0d67a52) - Low

GCP – New Rules

New rules inspired by GCP connected threats were added to the GCP Compute service:

  • VM instance with public IP address should not have access to GCS buckets (RuleId: 2cc1f26c-0a63-4f1c-a1c0-98d4737b95e5) - Medium
  • VM instance with public IP address should not have access to private instances within the subnet (RuleId: 8b700155-43b9-43eb-bfcb-5480f563eb88) - Medium

AWS – Updated Rules

The following rules received query updates to improve the accuracy of results:

  • ACM Certificate Transparency logging should be enabled (RuleId: 42529cd0-c4c8-462b-b890-1eaea0541058) - Medium
  • IAM account should not be inactive for 90 days or longer (RuleId: 5c8c26187a550e1fb6560c07) - Low

Updated Compliance Frameworks

The following frameworks received new controls:

  • NIST CSF, version 1.1
  • PCI DSS, version 3.2.1

September 9, 2021 - New AWS Rule, Updated AWS and GCP Rules, New Compliance Framework, Updated Compliance Framework

AWS – New Rule

A new rule was added for the S3 service:

  • S3 bucket should have versioning and MFA delete enabled (RuleId: fb3c1bbc-2019-420f-b0df-598fd7e5a66f) - Medium

AWS – Updated Rules

The following IAM service rule was updated from a 90-day inactivity period to 45 days:

  • IAM account should not be inactive for 45 days or longer (RuleId: 5c8c26187a550e1fb6560c07) - Low

GCP – Updated Rules

The following rules received query updates to reduce noise, adjusted severities, and minor style updates to titles:

  • IAM user should not have permission to act as or assume control of a service account through a compute instance (RuleId: 1cfadcdf-c241-4256-9403-27563028f5c7) - High
  • IAM user should not have permission to create a cloud build (RuleId: 0e8c0619-ef59-4be0-b048-785f51cc3f99) - High
  • IAM user should not have permission to get access tokens for service accounts (RuleId: bd7b14fc-edcc-422a-a9cc-eb2f72a3edda) - High
  • IAM user should not have permission to sign arbitrary Blob/JSON Web Token payloads on behalf of a service account (RuleId: 7a6d4b5e-21c7-4927-ae28-62343c1a9c19) - High
  • IAM user should not have permission to act as or assume control of a service account through a cloud run service (RuleId: 50f015d6-d21c-4fc9-9064-5c38240a8600) - Medium
  • IAM user should not have permission to act as or assume control of a service account through a cloud scheduler job (RuleId: 51701bcb-d2c2-49f7-b501-a3ceb593f700) - Medium
  • IAM user should not have permission to act as or assume control of a service account through cloud functions (RuleId: 3a6e45ee-f148-471d-b53a-35747da42a6a) - Medium
  • IAM user should not have permission to create user-managed keys for a service account (RuleId: 3ff71e42-4344-4026-b67f-15d428a38b70) - Medium

New Compliance Framework

The following framework was created for the first time:

  • CIS AWS Foundations Benchmark, version 1.4.0

Updated Compliance Framework

The following framework received an additional rules mapping:

  • CIS AWS Foundations Benchmark, version 1.3.0

September 2, 2021 - New Service: AWS API Gateway, Updated GCP Rules

AWS API Gateway

The API Gateway service was recently onboarded to Secure State, including the following rules:

  • API Gateway REST API cache data should be encrypted at rest (RuleId: 628c16ff-83cd-4fb0-8cbd-0b85ef249f9c) - High
  • API Gateway REST API stages should be protected with WAF (RuleId: 26afef00-699e-4b26-aeb3-94eb9fc9bde1) - High
  • API Gateway REST API should be private (RuleId: ef408f0b-7d6f-4486-bfbc-b3440b40dc07) - Medium
  • API Gateway REST API stages should be configured to use SSL certificates (RuleId: 17d1bb39-dd77-4768-a161-880b4015fa84) - Medium
  • API Gateway HTTP and WebSocket API stage access logging should be enabled (RuleId: 22a611c3-d1d7-48ab-8fe9-e0ced2cce14e) - Low
  • API Gateway REST API execution logging should be enabled (RuleId: d95441b3-7888-4a68-87cf-63ddb8075c25) - Low
  • API Gateway REST API stage access logging should be enabled (RuleId: 1873082b-e6a7-45d4-ad11-aa5ec5e9389b) - Low
  • API Gateway WebSocket API stage execution logging should be enabled (RuleId: 674de938-8e6d-4557-9d96-43e1ab2b809a) - Low

GCP – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • GCP Logging
  • GCP SecretManager
  • GCP Spanner
  • GCP SQL
  • GCP Storage

August 19, 2021 - New Service: AWS Config, New GCP Rules

AWS - New Rules

The AWS Config service was recently onboarded to Secure State, including the following rule:

  • AWS Config should be enabled in all regions (RuleId: b1bc556c-c77f-4938-9934-29029255e454) - Low

GCP - New Rules

  • IAM user should not have permission to act as or assume control of service accounts through a compute instance (RuleId: 1cfadcdf-c241-4256-9403-27563028f5c7) - High
  • IAM user should not have permission to create a cloud build (RuleId: 0e8c0619-ef59-4be0-b048-785f51cc3f99) - High
  • IAM user should not have permission to act as or assume control of service accounts through a cloud function (RuleId: 3a6e45ee-f148-471d-b53a-35747da42a6a) - Medium
  • IAM user should not have permission to act as or assume control of service accounts through a cloud scheduler job (RuleId: 51701bcb-d2c2-49f7-b501-a3ceb593f700) - Medium
  • IAM user should not have permission to act as or assume control of service accounts through a cloud run service (RuleId: 50f015d6-d21c-4fc9-9064-5c38240a8600) - Medium
  • IAM user should not have permission to create user-managed keys for service accounts (RuleId: 3ff71e42-4344-4026-b67f-15d428a38b70) - Medium
  • IAM user should not have permission to get an access token for service accounts (RuleId: bd7b14fc-edcc-422a-a9cc-eb2f72a3edda) - Medium
  • IAM user should not have permission to sign arbitrary Blob/JSON Web Token payloads on behalf of a service account (RuleId: 7a6d4b5e-21c7-4927-ae28-62343c1a9c19) - Medium

GCP - Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • GCP IAM
  • GCP KMS

August 12, 2021 - Updated GCP rules

GCP – Updated Rules

The following rules received query updates to improve accuracy of results.

  • IAM user should not have permission to create deployments (RuleId: f58c8dd7-78d8-422a-a031-4fde0c361dfe) - High
  • IAM user should not have permission to modify IAM roles (RuleId: e324edfe-cb97-4926-8830-503a55746a07) - High
  • IAM user should not be a member of a basic role (RuleId: da2d988a-daec-443f-a857-621cc79124be) - Medium

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • GCP DNS
  • GCP GKE

August 5, 2021 - New GCP rules, Updated Azure rules

GCP – New Rules

  • IAM user should not have permission to create deployments (RuleId: f58c8dd7-78d8-422a-a031-4fde0c361dfe) - High
  • IAM user should not have permission to modify IAM roles (RuleId: e324edfe-cb97-4926-8830-503a55746a07) - High
  • IAM user should not be a member of a basic role (RuleId: da2d988a-daec-443f-a857-621cc79124be) - Medium

Azure – Updated Rules

  • Application Gateway listener should require HTTPS for public endpoint (RuleId: 19ee67c4-6064-46e8-9c11-806d84684c89) - High

July 29, 2021 - New AWS and Azure rules, Updated AWS and GCP rules

AWS – New Rule

  • EC2 instance should not allow unrestricted protocol access (RuleId: 9f32d42a-2f4f-4e2a-ae10-a3686f0ec1e2) - High

Azure – New Rules

  • DNS should have Azure Defender enabled (RuleId: 5b08cec4-8364-4972-89f9-0aeb2d93c712) - Medium
  • Open-source relational databases should have Azure Defender enabled (RuleId: 64b8f999-f402-4139-ba55-b20af9461ec8) - Medium
  • Resource Manager should have Azure Defender enabled (RuleId: bdca1454-57e2-4ab8-ad4d-9b48da6d82c7) - Medium

AWS – Updated Rules

The following rules received query updates to improve the filtering of results.

  • CloudTrail event for AWS Console root login attempts should have alarm configured (RuleId: 5c8c26317a550e1fb6560c29) - High
  • CloudTrail event for IAM policy changes should have alarm configured (RuleId: 5c8c262c7a550e1fb6560c23) - High
  • CloudTrail event for network access control list changes should have alarm configured (RuleId: 5c8c262e7a550e1fb6560c25) - High
  • CloudTrail event for network gateway configuration changes should have alarm configured (RuleId: 5c8c262f7a550e1fb6560c27) - High
  • CloudTrail event for routing table configuration changes should have alarm configured (RuleId: 5c8c26337a550e1fb6560c2b) - High
  • CloudTrail event for S3 bucket policy changes should have alarm configured (RuleId: 5c8c26357a550e1fb6560c2d) - High
  • CloudTrail event for VPC configuration changes should have alarm configured (RuleId: 5c8c26397a550e1fb6560c32) - High
  • CloudTrail event for AWS Console logins without MFA should have alarm configured (RuleId: 5c8c262a7a550e1fb6560c21) - Medium
  • CloudTrail event for customer master key deletion events should have alarm configured (RuleId: 5c8c26287a550e1fb6560c1d) - Medium
  • CloudTrail event for failed AWS Console login attempts should have alarm configured (RuleId: 5c8c26287a550e1fb6560c1f) - Medium
  • CloudTrail event for security group configuration changes should have alarm configured (RuleId: 5c8c26367a550e1fb6560c2f) - Medium
  • CloudTrail event for unauthorized API access attempts should have alarm configured (RuleId: 5c8c26377a550e1fb6560c30) - Medium
  • IAM inactive key should be deleted (RuleId: 3f9cdb59-0b69-455e-a077-02de91622a4b) - Medium
  • CloudTrail event for AWS Config changes should have alarm configured (RuleId: 5c8c26267a550e1fb6560c1b) - Low
  • CloudTrail event for CloudTrail configuration changes should have alarm configured (RuleId: 5c8c26237a550e1fb6560c16) - Low
  • CloudWatch monitoring should be configured for any changes in AWS Config settings (RuleId: 64334788-3bc0-11eb-adc1-0242ac120002) - Low
  • CloudWatch monitoring should be configured for any changes in AWS organizations (RuleId: ba73fb7e-3bc5-11eb-adc1-0242ac120002) - Low

GCP – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • GCP Compute

July 22, 2021 - Updated AWS and Azure Rules, Updated Compliance Frameworks

AWS – Updated Rules

The following rule received an update to optimize its query logic for better efficiency and reduced compute load.

  • IAM active server certificate should be renewed before it expires (RuleId: 4c8ce4fa-a130-435c-bffb-1187f212f967) - High

Azure – Updated Rules

The following rule received an update to optimize its query logic for better efficiency and reduced compute load.

  • Resource associated with a Managed Identity should not be assigned the Owner role (RuleId: d1e4bceb-7d7a-4238-ba57-fc16c5b8cd18) - High

Updated Compliance Frameworks

The following framework received updates:

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
    • Control 4.5.2 (Consider external secret storage (Manual)) was corrected to control 4.4.2.

July 15, 2021 - Updated GCP Rules

GCP – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard:

  • GCP Cloud Function
  • GCP Cloud Run

July 8, 2021 - New Service: AWS Athena, Updated AWS Rules, Updated GCP Rules, Updated Compliance Frameworks

AWS Athena

  • Athena query results should be encrypted (RuleId: 41ac0561-cf8d-47f5-9122-ff2587b5f296) - High
  • Athena query results should be stored in an S3 bucket which has restricted access (RuleId: 029dce34-02df-4a4a-8e89-7e237328c3) - High
  • Athena Workgroup should have publish CloudWatch metrics enabled (RuleId: fa5dd258-7b8f-438e-b753-a5fd2c39fbaa) - Low

AWS – Updated Rules

The following rule has been deprecated and replaced, as it is not practical to rotate inactive IAM keys:

  • IAM inactive key should be rotated every 90 days (RuleId: 5c8c25ff7a550e1fb6560be0) - Medium

A new rule has been added that requires inactive keys be deleted:

  • IAM inactive key should be deleted (RuleId: 3f9cdb59-0b69-455e-a077-02de91622a4b) - Medium

Customers may see both rules displayed at first. The deprecated rule should be removed from all client interfaces by Friday.

GCP – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard:

  • GCP AppEngine
  • GCP BigQuery
  • GCP Bigtable

Updated Compliance Frameworks

The following frameworks received new controls:

  • HIPAA 164 2017-10-01 for GCP
  • CIS Azure Kubernetes Service (AKS) Benchmark, 1.0.0

July 1, 2021 - Updated AWS Rules, Updated Compliance Frameworks

AWS – Updated Rules

The following AWS rules received updates to CIS AWS Foundations Benchmark controls:

  • IAM inactive key should be rotated every 90 days (RuleId: 5c8c25ff7a550e1fb6560be0) - Medium
  • IAM user access key should be rotated every 90 days (RuleId: 5c8c25fb7a550e1fb6560bd8) - Medium

Updated Compliance Frameworks

The following framework received new controls:

  • US HIPAA 164 2017-10-01 for Azure

June 24, 2021 - New Service: AWS SageMaker, New Azure Rules, New and Updated Compliance Frameworks

AWS SageMaker

  • SageMaker Endpoint should be encrypted (RuleId: 0954f1f8-0990-4f5d-920a-4164df420450) - High
  • SageMaker Model should be hosted on a VPC (RuleId: 436b441e-f623-41ae-a3de-95bf0f4ea2) - High
  • SageMaker Notebook instance should be encrypted (RuleId: 970c9d10-ede7-4d1b-9d07-7981f68215bb) - High
  • SageMaker Notebook instance should have direct internet access disabled (RuleId: bebd0339-ae61-45b0-a4b4-b355f55771ad) - High
  • SageMaker Model should have network isolation enabled (RuleId: 88f700ad-53e2-41b5-b2ad-298bce36c388) - Medium
  • SageMaker Notebook instance should have root access disabled (RuleId: 80a37713-dba7-4e02-9e97-e9d4f90a145f) - Medium
  • SageMaker Notebook instance should be encrypted with a CMK (RuleId: 851e5535-037e-4395-b67f-9d765c54dac0) - Low

Azure – New Rules

  • Principal should not have privileges to login as administrator to any VM at the subscription level (RuleId: 8f093ee4-d45f-4ae7-a750-107abdb88cf9) - High
  • Resource associated with a Managed Identity should not have role assignments at a resource group level (RuleId: 30a20c0e-cda2-4d72-becd-aee26742888e) - Medium
  • Principal should not have VM command execution privileges at the subscription level (RuleId: bb4b3b31-7dae-48d3-858a-4e2591385de9) - Medium
  • Principal should not have VM login privileges at the subscription level (RuleId: edeb947c-bab6-41cc-96d4-42fab3bffc28) - Medium

New Compliance Framework

The following framework was created for the first time:

  • CIS Azure Kubernetes Service (AKS) Benchmark, 1.0.0

Updated Compliance Frameworks

The following frameworks received new controls:

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark, 1.0.1
  • CIS Google Kubernetes Engine (GKE) Benchmark, 1.0.0

June 17, 2021 - Updated AWS Rules, Updated HIPAA Compliance Framework

AWS – Updated Rules

The following rule received a query update to verify key rotation is enabled on customer-managed CMKs:

  • KMS should have automated key rotation enabled - (RuleId: 5c8c26217a550e1fb6560c12) - Medium

The following rule received a query update to verify CloudTrail is enabled before checking for CloudWatch integration:

  • CloudTrail logs should be integrated with CloudWatch - (RuleId: 5c8c25e37a550e1fb6560ba9) - Low

The following rules received query updates to handle external account SNS topics configured with CloudWatch metric alarms:

  • CloudTrail event for AWS Console root login attempts should have alarm configured - (RuleId: 5c8c26317a550e1fb6560c29) - High
  • CloudTrail event for IAM policy changes should have alarm configured - (RuleId: 5c8c262c7a550e1fb6560c23) - High
  • CloudTrail event for network access control list changes should have alarm configured - (RuleId: 5c8c262e7a550e1fb6560c25) - High
  • CloudTrail event for network gateway configuration changes should have alarm configured - (RuleId: 5c8c262f7a550e1fb6560c27) - High
  • CloudTrail event for routing table configuration changes should have alarm configured - (RuleId: 5c8c26337a550e1fb6560c2b) - High
  • CloudTrail event for S3 bucket policy changes should have alarm configured - (RuleId: 5c8c26357a550e1fb6560c2d) - High
  • CloudTrail event for VPC configuration changes should have alarm configured - (RuleId: 5c8c26397a550e1fb6560c32) - High
  • CloudTrail event for AWS Console logins without MFA should have alarm configured - (RuleId: 5c8c262a7a550e1fb6560c21) - Medium
  • CloudTrail event for CloudTrail configuration changes should have alarm configured - (RuleId: 5c8c26237a550e1fb6560c16) - Medium
  • CloudTrail event for customer master key deletion events should have alarm configured - (RuleId: 5c8c26287a550e1fb6560c1d) - Medium
  • CloudTrail event for failed AWS Console login attempts should have alarm configured - (RuleId: 5c8c26287a550e1fb6560c1f) - Medium
  • CloudTrail event for security group configuration changes should have alarm configured - (RuleId: 5c8c26367a550e1fb6560c2f) - Medium
  • CloudTrail event for unauthorized API access attempts should have alarm configured - (RuleId: 5c8c26377a550e1fb6560c30) - Medium
  • CloudWatch monitoring should be configured for any changes in AWS Config settings - (RuleId: 64334788-3bc0-11eb-adc1-0242ac120002) - Low
  • CloudWatch monitoring should be configured for any changes in AWS organizations - (RuleId: ba73fb7e-3bc5-11eb-adc1-0242ac120002) - Low
  • CloudTrail event for AWS Config changes should have alarm configured - (RuleId: 5c8c26267a550e1fb6560c1b) - Low

Updated Compliance Frameworks

The following framework received new rule mappings:

  • HIPAA 164 2017-10-01 for AWS

June 10, 2021 - New Azure Rules, Updated AWS and Azure Rules

Azure – New Rules

  • Principal should not have ability to self-assign the Owner role at the subscription level - (RuleId: a7e721e1-eaff-4db1-ab2c-6ea88efd8a88) - High
  • Principal should not have indirect Owner access at the subscription level - (RuleId: ae8b57d8-923b-43a8-9b2a-6454be02e6b9) - High
  • Resource associated with a Managed Identity should not be assigned the Owner role - (RuleId: d1e4bceb-7d7a-4238-ba57-fc16c5b8cd18) - High
  • Resource associated with a Managed Identity should not have role assignments at the subscription level - (RuleId: 585a6052-f7fa-40df-9216-227ad6e43753) - High
  • Custom role should not grant permissions equal to Owner role - (RuleId: 4c6b3141-3f25-4247-8540-8214326f9b19) - Low

AWS – Updated Rules

The following rules received updates to their queries to resolve an issue where HTTP listeners with HTTPS redirects were triggering violations:

  • Elastic Load Balancer should use HTTPS listener protocol - (RuleId: d1916d37-6e93-47e8-81eb-8d40185fb582) - High
  • Classic Load Balancer should use a secure listening protocol - (RuleId: 664ee373-cb7a-4aa6-93db-667f6a6c9590) - Medium

Azure – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • Azure Storage
  • Azure TrafficManager
  • Azure WAF

June 3, 2021 - New Service: AWS Elastic Beanstalk, Updated Azure Rules, Updated Compliance Frameworks

AWS Elastic Beanstalk

  • Elastic Beanstalk environment with Classic Load Balancer should use a secure listening protocol - (RuleId: c8b5970e-7a30-4d72-bbe2-cd5e14a18133) - High
  • Elastic Beanstalk environment with Elastic Load Balancer should use HTTPS listener protocol - (RuleId: 954caf25-5bf5-40bc-97fe-06a114684699) - High
  • Elastic Beanstalk environment EC2 instance should enforce IMDSv2 - (RuleId: ba83ceb2-814b-4dfb-86b1-685d0bbaeb33) - Medium
  • Elastic Beanstalk environment with Classic Load Balancer should have connection draining enabled - (RuleId: ed691c1b-1482-4ba2-85e9-10de5adcec60) - Medium
  • Elastic Beanstalk environment with Classic Load Balancer should have cross-zone load balancing enabled - (RuleId: c73a7138-0d98-4dc4-83e0-4ab87fdda600) - Medium
  • Elastic Beanstalk environment with Elastic Load Balancer should be configured with a secure SSL policy - (RuleId: cb662c12-b017-4ce7-97fb-943f05923e28) - Medium
  • Elastic Beanstalk environment with Elastic Load Balancer should have access logging enabled - (RuleId: f0b0bb9b-1c12-4b44-a1ec-e775a9ded3ec) - Medium
  • Elastic Beanstalk environment should have enhanced health reporting enabled - (RuleId: fceee26a-aca6-4b66-9483-935837d6b00a) - Low

Azure - Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • Azure SQL

Updated Compliance Frameworks

The following framework was mapped to GCP for the first time:

  • PCI DSS 3.2.1 for GCP

May 27, 2021 - Updated Azure Rules, Updated Compliance Frameworks

Azure - Updated Rules

Rules for the following Azure services received new remediation steps in their knowledge base articles:

  • HDInsight
  • MachineLearning

Rules for the following Azure services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • PostgreSQL
  • ResourceManager
  • Security

Updated Compliance Frameworks

The following framework received new rule mappings:

  • PCI DSS 3.2.1 for Azure

May 20, 2021 - New AWS, Azure, and GCP Rules, Updated AWS, Azure, and GCP Rules, Updated Compliance Frameworks

AWS – New Rules

  • EC2 instance should restrict public access to Redis Cache port (6379) (RuleId: 3e2ec500-b3fa-11eb-8529-0242ac130003) - High
  • EC2 instance should restrict public access to SMB ports (445 and 139) (RuleId: 72090764-b3f5-11eb-8529-0242ac130003) - High
  • EC2 instance should restrict public access to WinRM ports (5985 and 5986) (RuleId: 1349b94a-b3f9-11eb-8529-0242ac130003) - High
  • EC2 security group should restrict public access to SMTP Relay port (25) (RuleId: 5de68a58-b3fb-11eb-8529-0242ac130003) - Medium

Azure – New Rules

  • Network security group should restrict public access to Redis Cache port (6379) (RuleId: da6fbf30-b3f2-11eb-8529-0242ac130003) - Medium
  • Network security group should restrict public access to SMB port (445 and 139) (RuleId: 4245ef44-b3ee-11eb-8529-0242ac130003) - Medium
  • Network security group should restrict public access to SMTP Relay port (25) (RuleId: dd6ed91a-b3f1-11eb-8529-0242ac130003) - Medium
  • Network security group should restrict public access to WinRM port (5985 and 5986) (RuleId: ad3fe424-b3f0-11eb-8529-0242ac130003) - Medium

GCP – New Rules

  • VM instance should restrict public access to Redis Cache port (6379) (RuleId: 41a16722-b3fc-11eb-8529-0242ac130003) - High
  • VM instance should restrict public access to SMB ports (445 and 139) (RuleId: 11f9a1f0-b3fd-11eb-8529-0242ac130003) - High
  • VM instance should restrict public access to SMTP Relay port (25) (RuleId: 3d726154-b3fe-11eb-8529-0242ac130003) - High
  • VM instance should restrict public access to WinRM ports (5985 and 5986) (RuleId: a57f53d4-b3fd-11eb-8529-0242ac130003) - High

AWS – Updated Rules

Updated the query for the following rule to check for active access keys for the root user:

  • IAM root user access key should not exist (RuleId: 5c8c25fc7a550e1fb6560bda) - Low

Updated the display name for the following rule:

  • IAM user, group, or role should not have access to create an EC2 instance and pass any IAM role (RuleId: 99d931f0-b2aa-4366-8a3f-bfc6d2e9286f) - Medium

Updated knowledge base articles for rules that have automatic remediation with links to more information about configuring the remediation service. The following services contain one or more rules that can be automatically remediated:

  • CloudTrail
  • Classic Load Balancer
  • EC2
  • KMS
  • RDS
  • S3
  • SQS

Azure – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • Insight
  • Network
  • KeyVault

Updated knowledge base articles for rules that have automatic remediation with links to more information about configuring the remediation service. The following services contain one or more rules that can be automatically remediated:

  • Compute
  • KeyVault
  • MySQL
  • Network
  • PostgreSQL
  • SQL
  • Storage

GCP – Updated Rules

Rules for the following services received updates to their display titles to conform to a new, consistent naming standard.

  • Compute

Updated Compliance Frameworks

The following framework received additional rule mappings:

  • PCI DSS 3.2.1 for AWS

May 13, 2021 - New Service - Azure Machine Learning, New AWS and Azure Rules

Azure – Machine Learning

  • Machine Learning workspace should be configured with private endpoint (RuleId: b92f18be-edff-409c-80b2-b15937916eba) - Medium
  • Machine Learning workspace should be configured with user assigned managed identity (RuleId: e34a5959-41de-4daa-b8fc-e30edb2ce0fe) - Medium
  • Machine Learning workspace should be encrypted with customer-managed key (RuleId: efd42f90-1a79-4f7d-8a06-d74df8400d1b) - Medium
  • Machine Learning workspace should be configured with diagnostic settings (RuleId: feacc6e3-de39-409a-b4b6-e3766c6ffc7a) - Low

AWS – New Rules

  • EC2 instance should restrict public access to SMTP Relay (25) - (RuleId: d55fb946-b19f-11eb-8529-0242ac130003) - High
  • EC2 security group should restrict public access to Redis Cache port (6379) - (RuleId: 863b0eee-b193-11eb-8529-0242ac130003) - Medium
  • EC2 security group should restrict public access to SMB ports (445/139) - (RuleId: 3f7bb56e-b196-11eb-8529-0242ac130003) - Low
  • EC2 security group should restrict public access to WinRM ports (5985/5986) - (RuleId: e63656f8-b18b-11eb-8529-0242ac130003) - Low

Azure – New Rules

  • Virtual machine should restrict public access to Redis Cache port (6379) - (RuleId: f9f177ea-b190-11eb-8529-0242ac130003) - High
  • Virtual machine should restrict public access to SMB port (445/139) - (RuleId: 6ad14456-b194-11eb-8529-0242ac130003) - High
  • Virtual machine should restrict public access to SMTP Relay port (25) - (RuleId: 5385917e-b1a0-11eb-8529-0242ac130003) - High
  • Virtual machine should restrict public access to WinRM port (5985/5986) - (RuleId: 02a30c70-b180-11eb-8529-0242ac130003) - High

GCP – New Rules

  • Firewall should restrict public access to Redis Cache port (6379) - (RuleId: dc7014f2-b18f-11eb-8529-0242ac130003) - Medium
  • Firewall should restrict public access to Server Message Block (SMB) port (445 or 139) - (RuleId: 54c09ea4-b195-11eb-8529-0242ac130003) - Medium
  • Firewall should restrict public access to SMTP Relay port (25) - (RuleId: d0c04814-b1a0-11eb-8529-0242ac130003) - Medium
  • Firewall should restrict public access to WinRM port (5985 or 5986) - (RuleId: 544d1580-b17f-11eb-8529-0242ac130003) - Medium

May 6, 2021 - New AWS Rule, Updated Azure and GCP Rules, Updated Compliance Frameworks

AWS – New Rules

  • IAM roles should not have ReadOnlyAccess access for external AWS accounts (RuleId: 29a75ff9-b97a-435b-9180-10efb6a778d2) - High

Azure – Updated Rules

Rules for the following services received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

  • CosmosDB
  • EventHubs
  • Firewall
  • FrontDoor
  • Functions

GCP – Updated Rules

Display titles for GCP Cloud Armor rules were updated to state the service name.

  • Cloud Armor Security Policy should have Adaptive Protection enabled (RuleId: f782cacb-1113-4ea8-b991-39151d424dc1) - High
  • Cloud Armor Security Policy should be associated with a resource (RuleId: 2fb657e7-2b58-416b-bb6a-56b7af7a4527) - Medium
  • Cloud Armor Security Policy should have deny as default action (RuleId: 171ab231-54fc-40e8-91c8-9e8b76511ae8) - Medium
  • Cloud Armor Security Policy should have non-default rules defined (RuleId: ed090324-2f3d-4938-9e18-6eb6bde1c1a2) - Medium

Updated Compliance Frameworks

The following framework was mapped to GCP for the first time:

  • EU GDPR 2016-679 for GCP

April 29, 2021 - New AWS Rules, Updated AWS and Azure Rules, Updated Compliance Frameworks

AWS – New Rules

  • IAM user, group, or role should not have access to create an EC2 instance and pass any IAM role (RuleId: 99d931f0-b2aa-4366-8a3f-bfc6d2e9286f) – Medium

AWS – Updated Rules

Added new SSL policies.

  • Elastic Load Balancer should be configured with a secure SSL policy (RuleId: 1f050769-1e9d-415c-8ec3-43153e47aef1) – Medium

Azure – Updated Rules

Updated rule names and KB articles.

  • All Cache and CDN rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

Updated Compliance Frameworks

The following framework received additional rule mappings:

  • EU GDPR 2016-679 for Azure

April 22, 2021 - New Service: Azure HD Insight, Updated Azure Rules, Updated GDPR Compliance Framework

Azure HD Insight

  • HDInsight cluster should be configured with Virtual Network (RuleId: 798eaf7a-87c8-4867-b628-89ed68833d30) – High
  • HDInsight cluster should use encryption at host to encrypt data at rest (RuleId: 346732aa-68c0-4ecf-91a7-049201cc20ba) – High
  • HDInsight cluster should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes (RuleId: 0994c06d-e687-4843-bab6-8114de68ca9a) – High
  • HDInsight cluster should be configured with latest TLS version (RuleId: f15eee50-cc59-45f8-a0ff-c16502ee952c) – Medium
  • HDInsight cluster should be encrypted with customer-managed key (RuleId: bdf9776e-689d-4eec-b4dc-adc4aa8a6d69) – Medium
  • HDInsight cluster should be configured with diagnostic settings (RuleId: 97989384-6cba-4175-911d-f5d76544aa14) – Low

Azure – Updated Rules

Updated rule names and KB articles.

  • All Authorization rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

Updated Compliance Frameworks

The following framework received additional rule mappings:

  • EU GDPR 2016-679 for AWS

April 15, 2021 - New AWS Rules, Updated Azure Rules

AWS – New Rules

  • KMS key should not be scheduled for deletion (RuleId: f11ce04f-398c-465d-81ba-148f0540288a) - High
  • Elastic Load Balancer should not have invalid HTTP headers (RuleId: df70d6b1-fdca-4589-88d6-f9d08df4db0d) – Medium
  • RDS DB instance should not have IAM database authentication disabled (RuleId: af19173e-8beb-4a38-aa71-342231d583df) – Medium
  • RDS DB instance should not have Multi-AZ support disabled (RuleId: 189714a1-0466-415e-b540-50b88e642cf4) - Medium
  • RDS DB cluster should not have deletion protection disabled (RuleId: 0a61290a-194b-451d-8aaf-f8e63280f279) – Low
  • RDS DB instance should not have deletion protection disabled (RuleId: 95b2648a-f699-4425-81f9-57f8f4584fc1) – Low

Azure – Updated Rules

Updated rule names and KB articles.

  • All Application Gateway, AppService, Active Directory, and AKS rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

April 8, 2021 - New Rules for AWS and GCP, Updated Azure Rules

AWS - New Rules

  • IAM user, group, or role should generally not have access to create, configure Lambda functions with IAM roles and invoke them (Rule Id: d19cb41d-ac6c-4e95-848a-48f0fe9a9176) - Medium

GCP - New Rules

  • Secret Manager secrets should be encrypted using customer managed keys (Rule Id: 70288b27-4775-4a2e-b458-ccffe5feed1c) - Low

Azure - Updated Rules

Updated rule names and KB articles.

  • All Compute rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming and style standard.

April 1, 2021 - New Rules for AWS and Azure, Updated AWS Rules

AWS – New Rules

  • IAM user, group, or role should not have access to edit inline user, group or role policies (Rule Id: d7030621-bd0e-4161-97cd-5d59417d696a) - High
  • IAM user, group, or role should generally not have access to update Lambda function configuration (and layers) (Rule Id: c0a3957a-4f44-426d-bbcb-a64cba21ed20) - Medium
  • IAM user, group, or role should generally not have access to update Lambda function versions (Rule Id: 839ce1d3-d96c-475c-9787-164560f8a106) - Medium
  • IAM user, group, or role should not have access to add users to groups (Rule Id: 3f053c2e-2cfe-44b2-8a35-912a8ddb1270) - Medium
  • IAM user, group, or role should not have access to both edit assume role policies and assume IAM roles (Rule Id: c71c5c06-1911-4977-a5af-bb2642fccfda) - Medium
  • IAM user, group, or role should not have access to create and configure AWS Data Pipelines with IAM roles (Rule Id: ffb33116-7979-433c-b1ba-1bf444056db0) - Medium
  • IAM user, group, or role should not have access to create and configure Lambda functions with IAM roles for cross-account access (Rule Id: 5932b183-dd61-46fe-af40-e4105f5c8189) - Medium
  • IAM user, group, or role should not have access to create and share AWS SageMaker Notebooks with IAM roles (Rule Id: 233c0746-bd77-40df-bcd5-31d55ea48194) - Medium
  • IAM user, group, or role should not have access to create CloudFormation stacks with IAM roles (Rule Id: b008d1ef-f30c-421f-9348-da73c2bf599b) - Medium
  • IAM user, group, or role should not have access to create Glue Development endpoints with IAM roles (Rule Id: d9c662ba-b854-4072-9411-ef6f68f61f15) - Medium
  • IAM user, group, or role should not have access to create Lambda functions with IAM roles and configure the functions as DynamoDB triggers (Rule Id: d2075105-4b00-4e3c-8573-0f62d256e90d) - Medium
  • IAM user, group, or role should not have access to update Glue Development endpoints (Rule Id: a3107909-1df5-4ab3-8ded-5087e529b7f8) - Medium

Azure – New Rules

  • Container Registry should be configured with private endpoints (Rule Id: 2fa25af6-06bc-4854-a2f0-e54007fce2de) - High
  • Container Registry should have restricted access (Rule Id: a49e9f7b-355f-4c89-931e-125b8bed043a) - High
  • Container Registry should have SKUs that support Private Links (Rule Id: f2fa3206-718d-4759-8302-b61ad93d8371) - High
  • Container Registry should be encrypted with customer-managed key (Rule Id: 4a034ec7-9012-4c74-962a-b1b466a8c8ce) - Medium
  • Container Registry should be configured with diagnostic settings (Rule Id: 69108f7b-8cb3-424a-ad5a-220b13dbb4d3) - Low

AWS – Updated Rules

Updated rule triggers.

  • CloudFormation stack should not be configured with admin privileges (Rule Id: cf6babbf-49c0-43a8-93f0-972fc83a6573) - High
  • CloudFormation stack should not allow unrestricted access (Rule Id: 59e3dae0-b99c-4ce0-b294-56f669d166e3) - High
  • ECS container definition should not have elevated privileges (Rule Id: 315e1cd5-e6af-4737-b637-e6847fdb9273) - High
  • EC2 VPC endpoint should not have unrestricted access (Rule Id: bfc755bd-f58c-498c-9d57-809e712b48c2) - High

Updated rule names.

  • IAM user, group, or role should not have access to attach policy versions (Rule Id: 99c8f4c9-4916-46f9-980c-5b088c410fbf) - High
  • IAM user, group, or role should not have access to create or update login profiles (passwords) for IAM users (Rule Id: 08a4bc9c-d04d-4f0b-9304-6e88224dfb0a) - High

Updated KB articles.

  • All Kinesis, KMS, Lambda, RDS, Route53, Secrets Manager, SNS, SQS and SSM rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

New Compliance Frameworks

  • MITRE ATT&CK Cloud v8 for AWS

Updated Compliance Frameworks

The following frameworks received additional rule mappings:

  • NIST SP800 Rev 5 for GCP
  • AICPA SOC 2 2017 for GCP
  • ISO 27001 2013 for GCP

March 25, 2021 - New GCP Rules, Updated AWS Rules

GCP – New Rules

Added new GCP Cloud Armor rules:

  • GCP Security Policy should have Adaptive Protection enabled (Rule Id: f782cacb-1113-4ea8-b991-39151d424dc1) - High
  • GCP Security Policy should be associated with a resource (Rule Id: 2fb657e7-2b58-416b-bb6a-56b7af7a4527) - Medium
  • GCP Security Policy should have deny as default action (Rule Id: 171ab231-54fc-40e8-91c8-9e8b76511ae8) - Medium
  • GCP Security Policy should have rules defined (Rule Id: ed090324-2f3d-4938-9e18-6eb6bde1c1a2) - Medium

AWS – Updated Rules

All ELB and ELBv2 rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

New Compliance Frameworks

  • MITRE ATT&CK Cloud v8 for Azure

Updated Compliance Frameworks

The following frameworks received new rule mappings:

  • NIST SP800 rev 5 for Azure
  • AICPA SOC 2 2017 for Azure
  • ISO IEC 27001 2013 for Azure

March 18, 2021 - New Rules for AWS and GCP, Updated AWS Rules

AWS – New Rules

Added new AWS rules for privilege escalation vectors:

  • IAM user, group, or role should not have access to attach policy versions (Rule Id: 99c8f4c9-4916-46f9-980c-5b088c410fbf) - High
  • IAM user, group, or role should not have access to create or update login profiles (passwords) for IAM users (Rule Id: 08a4bc9c-d04d-4f0b-9304-6e88224dfb0a) - High
  • IAM user, group, or role should not have access to set default policy versions (Rule Id: 0ab2af7c-d8d7-4929-a843-faf404bb6a6d) - Medium

GCP – New Rules

Added new GCP port rules for compute instances and firewalls:

  • Firewall FTP control port (21) should restrict public access (Rule Id: af45d0b3-a215-4429-b91c-1a0bdb8f0257) - High
  • Firewall Kibana port (5601) should restrict public access (Rule Id: 8ff80d75-c805-4109-a5d2-a20ebe382b64) - High
  • Firewall should restrict public access to Elastic Search port (9200 or 9300) (Rule Id: 6110d29f-4814-4358-b932-747e8b57d723) - Medium
  • Firewall should restrict public access to FTP control port (21) (Rule Id: ac6e29d0-d27c-4a88-afa6-6c691892e86c) - Medium
  • Firewall should restrict public access to FTP data port (20) (Rule Id: 64323b09-d750-4095-bbca-727a7e383e57) - Medium
  • Firewall should restrict public access to Kibana port (5601) (Rule Id: ad73b261-a43b-4057-8a5d-db96d268a2ad) - Medium
  • Firewall should restrict public access to Memcached port (11211) (Rule Id: 53a599ba-82df-4222-b608-2c0765cdf8de) - Medium
  • Firewall should restrict public access to MongoDB port (27017) (Rule Id: b1bcce76-97c4-4b34-b23b-ca4f5440a7cf) - Medium
  • Firewall should restrict public access to MySQL port (3306) (Rule Id: fd3258ca-5c6e-4cc5-9786-3d2cbfb3e384) - Medium
  • Firewall should restrict public access to Oracle SQL port (1521) (Rule Id: 044c7617-323f-4d2d-b211-49b4fe686148) - Medium
  • Firewall should restrict public access to Postgre port (5432) (Rule Id: 41ac7052-24a7-4fc3-a1c6-432b448f4be2) - Medium
  • Firewall should restrict public access to SQL Server port (1433) (Rule Id: c8e27022-bb3d-4b2a-87c7-bf4504381599) - Medium
  • Firewall should restrict public access to TCP port (8080) (Rule Id: a6dddef8-fb5a-41e7-9db0-2f8166f70e61) - Medium
  • Firewall should restrict public access to Telnet port (23) (Rule Id: ec33aaf3-e074-4701-b076-f57a8137bae8) - Medium

AWS – Updated Rules

All ACM and CloudFormation rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard.

Updated Compliance Frameworks

The following frameworks received new rule mappings:

  • NIST SP800-R5 rev 5 for AWS
  • AICPA SOC 2 2017 for AWS
  • ISO IEC 27001 2013 for AWS

Deprecated Compliance Frameworks

The following framework will be deprecated on 3/25. If you would like to continue using the framework, you can clone it using the "Clone a framework" instructions in the Compliance Management User Guide.

  • CIS Azure Foundations Benchmark 1.0.0

March 11, 2021 - New and Updated Rules for AWS and Azure

AWS – New Rules

Added a new EKS rule with CIS compliance support:

  • EKS Cluster secrets are not encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Rule Id: 59d0732c-6700-4e17-bf81-be5618a28167) - Medium

Azure – New Rules

Added new virtual machine and network security group rules for port public access:

  • Virtual machine should restrict public access to Elasticsearch port (9200/9300) (Rule Id: daa148d1-2bc5-44f9-8a3f-90dc482548c3) - High
  • Virtual machine should restrict public access to FTP data port (20) (Rule Id: 2fc98720-c0d1-444c-b58d-ad0e06e6b07b) - High
  • Virtual machine should restrict public access to FTP control port (21) (Rule Id: e27ec88f-e1ca-4f4e-b4ae-468b78e62c20) - High
  • Virtual machine should restrict public access to Kibana port (5601) (Rule Id: 52417a55-e531-497e-90f4-1064578f26b7) - High
  • Virtual machine should restrict public access to Memcache UDP port (11211) (Rule Id: b5d94e44-240f-4e76-a884-640c22b2578d) - High
  • Virtual machine should restrict public access to MongoDB server port (27017) (Rule Id: cfd8dfa8-aeeb-488c-9a88-971cbe1fd658) - High
  • Virtual machine should restrict public access to MySQL server port (3306) (Rule Id: 3c2f27ec-1efa-4f37-a043-730e23dfb151) - High
  • Virtual machine should restrict public access to Oracle SQL port (1521) (Rule Id: f5fc9ea2-bff5-4734-aa38-2e82937bce34) - High
  • Virtual machine should restrict public access to PostgreSQL Server port (5432) (Rule Id: d3138d15-7386-4bc2-87f2-9a0eb86fd9db) - High
  • Virtual machine should restrict public access to Remote Desktop port (3389) (Rule Id: 005e1104-4350-4536-a7db-838903c25d07) - High
  • Virtual machine should restrict public access to SQLServer port (1433) (Rule Id: 68104100-4e6d-41e0-b8d2-5095462f019d) - High
  • Virtual machine should restrict public access to Telnet port (23) (Rule Id: 6bc809d8-f426-455d-9c26-71b659562c5f) - High
  • Virtual machine should restrict public access to TCP port (8080) (Rule Id: eecda59c-c8ae-4a17-9635-92994ce5b065) - High
  • Network security group should restrict public access to Elasticsearch port (9200 and 9300) (Rule Id: ba68d9c9-ef6b-4dc2-836d-4f2b04d8ec4c) - Medium
  • Network security group should restrict public access to Kibana data port (5601) (Rule Id: f07ef150-1e1d-468b-b6b6-ac58b24bbac4) - Medium
  • Network security group should restrict public access to Memcached port (11211) (Rule Id: 014efc27-84dc-4e86-974a-321f023bc2d1) - Medium

AWS – Updated Rules

Updated CIS EKS compliance-related rules for AWS:

  • ECR repository policy allows unrestricted access for all the users (Rule Id: 49b81f0b-ac31-4913-a962-bfdde0f0c896) - High
  • ECR repository has scan image on push configuration disabled (Rule Id: 66e6f364-0efb-4640-83f3-c9a0eedfd9ae) - Medium
  • EKS cluster is publicly accessible (Rule Id: 3f0b8ac5-ed0d-48cc-a8e9-edde722a5848) - Medium
  • EKS control plane API logging is disabled (Rule Id: 3fedf4d7-1177-45b3-899f-f0ea150d3c01) - Low
  • EKS control plane audit logging is disabled (Rule Id: aae0bb31-a2e8-4256-8e05-cf9a7edb33ac) - Low
  • EKS control plane authenticator logging is disabled (Rule Id: 266ab640-f22b-4b79-993e-95e1c65fbb83) - Low
  • EKS control plane controller manager logging is disabled (Rule Id: 4f5d7fa2-f377-4ce9-8076-e98c0208ee78) - Low
  • EKS control plane scheduler logging is disabled (Rule Id: 7a8a2e88-c8cf-462d-85fe-e821688afd11) - Low

Updated additional rules for style consistency:

  • AWS CloudFront and DynamoDB rules received updates to their display titles and knowledge base articles to conform to a new, consistent naming standard. For example, "CloudFront distribution access logging is not enabled" is now "CloudFront distribution access logging should be enabled", and so on.

Azure – Updated Rules

Updated Azure rules for network security group public access:

  • Virtual machine should restrict public access to SSH port (22) (Rule Id: d7a3ad03-860c-4928-9ba8-789e84a835be) - High
  • Network security group should restrict public access to FTP control port (21) (Rule Id: e5f3234a-fb21-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to FTP data port (20) (Rule Id: f4858182-fb12-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to MongoDB server port (27017) (Rule Id: 27fc7cce-fbfd-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to MySQL server port (3306) (Rule Id: 42f31f34-fb25-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to Oracle SQL server port (1521) (Rule Id: 381f229a-fc08-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to PostgreSQL server port (5432) (Rule Id: 86f23c94-fb32-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to Remote Desktop port (3389) (Rule Id: 5c8c267e7a550e1fb6560c9c) - Medium
  • Network security group should restrict public access to SSH port (22) (Rule Id: 5c8c26847a550e1fb6560cab) - Medium
  • Network security group should restrict public access to SQL server port (1433) (Rule Id: 5c8c26927a550e1fb6560cca) - Medium
  • Network security group should restrict public access to TCP port (8080) (Rule Id: 082fa52a-fb39-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to Telnet port (23) (Rule Id: 937e0bdc-fb2d-11ea-adc1-0242ac120002) - Medium
  • Network security group should restrict public access to UDP ports (Rule Id: 4e27676b-7e87-4e2e-b756-28c96ed4fdf8) - Medium

New Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark, version 1.0.1 – Covers managed services and audit logging.
  • CIS Azure Foundations Benchmark, version 1.3.0

Updated Compliance Frameworks

  • AICPA SOC2, version 2017 – Updated to include support for all applicable Azure rules.

March 4, 2021 - New Service - Google Load Balancer, New Azure Rules, Updated GCP Rules

Google Load Balancer

  • Load balancer backend service exposed to internet traffic should be attached to Google Cloud Armor (Rule Id: b58ddc02-e8fc-48c9-aab5-ee1faa906371) - High
  • Load balancer backend service should have a secure protocol (Rule Id: afdecbb6-1f63-4568-8f7e-a29e514baadf) - High
  • Load balancer SSL policy should use latest TLS version (Rule Id: 5e9f8cff-91f3-4179-ae62-164bf46309f9) - Medium
  • Load balancer backend service should have logging enabled (Rule Id: 2506690d-6a47-47e4-84f5-80d27dc6bced) - Low
  • Load balancer SSL policy should use restricted profile (Rule Id: 0ba35c1b-1ca2-459b-9ba0-4f5885d92c6e) - Low

Azure – New Rules

  • Activity log should generate an alert for delete policy assignment events (Rule Id: e26607e4-2b03-49d2-bfc2-f0412dee3b22) - Medium
  • Container registries should have Azure Defender enabled (Rule Id: ccd026c2-d24f-4edd-9611-a44692d04907) - Medium
  • SQL servers on machines should have Azure Defender enabled (Rule Id: 33a5948a-8973-4205-9c3e-7a5824104fa6) - Medium

GCP – Updated Rules

Updated to have separate policies for organization, folder, project and resource:

  • IAM service account should not have admin privileges (Rule Id: 187e240c-1249-11eb-adc1-0242ac120002) - High
  • IAM user has service account user or service account token creator role (Rule Id: 1f48bfac-13a9-11eb-adc1-0242ac120002) - High
  • IAM has personal gmail account in use (Rule Id: b5ffd8d0-1a85-11eb-adc1-0242ac120002) - Medium
  • IAM audit logs are not configured for all services and users (Rule Id: 6d06acce-1537-11eb-adc1-0242ac120002) - Low

Updated Compliance Frameworks

  • GCP AICPA SOC 2 2017
  • AWS AICPA SOC 2 2017

February 25, 2021 - New Services - Google Cloud Run, Google Container Registry, New and Updated GCP Rules

Google Cloud Run

  • Cloud Run revision should not be configured with privileged service accounts (Rule Id: 413f7f19-363b-4480-801d-c26d4a50e369) - High
  • Cloud Run service should not be configured with privileged service accounts (Rule Id: defbb7d3-89cf-43b2-8b53-14729cd25648) - High
  • Cloud Run service should restrict public access (Rule Id: d772e58b-5dea-4e27-b9a3-7e67227162a9) - High
  • Cloud Run service should not allow unauthenticated access (Rule Id: 0ffc9e50-c38d-480a-89c1-e4f35ac1b67b) - Medium
  • Cloud Run service should not be configured with the allow all traffic ingress setting (Rule Id: 5cb25483-690a-4131-ac25-16090face1f9) - Medium
  • Cloud Run revision should be configured with a VPC connector (Rule Id: 1ea4a9d0-69f7-40a6-9e3c-7e96cabc9495) - Low
  • Cloud Run revision should not be configured with default service account (Rule Id: db7e3cf6-c89b-4a4d-8ee7-6eaf0f9732a9) - Low

Google Container Registry

  • GCR storage bucket user access should be restricted (Rule Id: 40432704-6d29-11eb-9439-0242ac130002) - Medium
  • GCR user access should be restricted (Rule Id: 7984a600-6d33-11eb-9439-0242ac130002) - Medium

GCP – New Rules

  • Compute image should be encrypted with customer-managed key (CMK) (Rule Id: 5ea1f44d-b25d-411f-9102-84a273f29ce2) - Medium
  • Compute image should restrict public access (Rule Id: 8887e8dc-bb5e-4221-a226-8bf50cd426fa) - Medium
  • GKE cluster container scanning should be enabled (Rule Id: e3fe88da-6d0f-11eb-9439-0242ac130002) - Medium
  • Instance template should be configured with Shielded VM (Rule Id: 59ee3efb-1074-4351-b057-3f97603d54f9) - Medium
  • Instance template should disable interactive serial console access (Rule Id: c4d43b0d-c817-47fd-a26a-d91b71df2bd5) - Medium
  • Instance template should have OS Login enabled (Rule Id: 59e3a98c-7c27-46ab-ac9e-f6fa818eb3c4) - Medium
  • Instance template should not be configured with external IP addresses (Rule Id: 00d7996a-6f2e-4fab-91f8-a8ef7a0e7915) - Medium
  • Instance template should have IP forwarding disabled (Rule Id: 3323525a-d8f0-4ca4-b065-26d9b4784bff) - Medium
  • Instance template should not use a service account with unrestricted Cloud API access (Rule Id: beb84ab9-2cd9-4e75-beae-ffe1cbf0097e) - Medium
  • Instance template should not use default service account (Rule Id: a1b94167-bbca-4e0c-a92d-fd73fd81ea54) - Medium
  • Instance template should restrict project-wide SSH keys (Rule Id: 09807a0c-b718-405d-abf5-5c0e36a7d721) - Medium

AWS – Updated Rules

  • All AWS CloudTrail rules received updates to their display titles and knowledge base articles to conform to a more consistent naming standard. For example, "CloudTrails logs are not encrypted" now reads as "CloudTrail logs should be encrypted", and so on.

GCP – Updated Rules

Updated to check instance status. Applicable only for instances in running state:

  • Block Project-wide SSH keys is not enabled for VM instances (Rule Id: f352face-dd9e-11ea-87d0-0242ac130003) - High
  • Firewall Elasticsearch ports (9200 and 9300) should restrict public access (Rule Id: eeabe70c-353b-11eb-adc1-0242ac120002) - High
  • Firewall FTP port (20) should restrict public access (Rule Id: 86ee04e0-353d-11eb-adc1-0242ac120002) - High
  • Firewall Memcached port (11211) should restrict public access (Rule Id: 7411dede-353b-11eb-adc1-0242ac120002) - High
  • Firewall MongoDB port (27017) should restrict public access (Rule Id: 35c55f34-353b-11eb-adc1-0242ac120002) - High
  • Firewall MySQL port (3306) should restrict public access (Rule Id: 74873596-3539-11eb-adc1-0242ac120002) - High
  • Firewall Oracle port (1521) should restrict public access (Rule Id: 439579ac-3539-11eb-adc1-0242ac120002) - High
  • Firewall PostgreSQL port (5432) should restrict public access (Rule Id: 97503dc4-353a-11eb-adc1-0242ac120002) - High
  • Firewall RDP port (3389) should restrict public access (Rule Id: a98f335c-0435-459c-91a9-a2f590d320f7) - High
  • Firewall SSH port (22) should restrict public access (Rule Id: 835f7ba8-33b0-11eb-adc1-0242ac120002) - High
  • Firewall SQL port (1433) should restrict public access (Rule Id: 9149d35c-3537-11eb-adc1-0242ac120002) - High
  • Firewall Telnet port (23) should restrict public access (Rule Id: 1a81fa9c-3537-11eb-adc1-0242ac120002) - High
  • Firewall web service port (8080) should restrict public access (Rule Id: e72860ec-353a-11eb-adc1-0242ac120002) - High
  • Instance interaction with a serial port is not disabled (Rule Id: 1d4edf1a-f1ee-11ea-adc1-0242ac120002) - High
  • Instance IP forwarding is not disabled (Rule Id: cc28dfb0-f250-11ea-adc1-0242ac120002) - High
  • Instance should not have unrestricted access from all IP addresses and for all protocols from internet (Rule Id: b195c42e-362f-11eb-adc1-0242ac120002) - High
  • Instances are configured to use the default service account (Rule Id: e0857d80-ed3f-11ea-adc1-0242ac120002) - High
  • Instances are configured to use the default service account with full access to all Cloud APIs (Rule Id: f03bd4a2-f1e7-11ea-adc1-0242ac120002) - High
  • Instances are configured to have external IP addresses (Rule Id: af8d1ab2-f299-11ea-adc1-0242ac120002) - Medium
  • Instances are not launched with Shielded VM enabled (Rule Id: 12806f14-f292-11ea-adc1-0242ac120002) - Medium
  • VM instance should not be configured with default network (Rule Id: c3d8e638-354a-11eb-adc1-0242ac120002) - Medium

Updated to check for any active root access:

  • IAM root user account should not have multiple access keys (Rule Id: 5c8c26137a550e1fb6560c01) - Medium

New Compliance Framework

  • ISO/IEC 27001 version 2013 for AWS, Azure, and GCP

February 11, 2021 - Deprecated Azure Rule, New GCP Rules, Updated AWS Rules

Azure – Deprecated Rules

This rule is no longer applicable due to recent updates in the Azure platform and Azure CIS benchmark:

  • SQL database should have Advanced Threat Protection types set to all (Rule Id: 5c8c26977a550e1fb6560cd4) - Low

GCP – New Rules

  • Cloud Functions function should not be configured with privileged service accounts (Rule Id: 5626c77f-78be-4f69-ac9c-3a0d5908d5ab) - High
  • Cloud Functions function should not be configured with public access (Rule Id: bc539de3-a365-47c9-9128-bf335078fe0b) - High
  • Cloud Functions function should not be configured with the allow all traffic ingress setting (Rule Id: a2de6208-5a1b-447f-b3ab-9ebb8ac7724a)
  • Cloud Functions function should not allow unauthenticated invocation (Rule Id: 5a051d73-c205-4287-9e8e-7aea97187d8c) - Medium
  • Cloud Functions function should not be configured with default service account (Rule Id: 9b5311b3-1481-4808-8b0e-02d3c2c16a17) - Low
  • Cloud Functions function should be configured with a VPC connector (Rule Id: db74dfb4-7b70-41d3-9b38-9b5c4435daff) - Low

AWS – Updated Rules

Updated to take the S3 Block Public Access settings (including the RestrictPublicBuckets and IgnorePublicAcls flags) into account during evaluation, so that a public ACL or bucket policy that is neutralized by those flags is no longer reported:

  • S3 bucket should restrict full public access (Rule Id: 5c8c26507a550e1fb6560c57) - High
  • S3 bucket should restrict public read access (Rule Id: 5c8c26517a550e1fb6560c59) - High
  • S3 bucket should restrict public read ACL access (Rule Id: 5c8c26537a550e1fb6560c5a) - High
  • S3 bucket should restrict public write access (Rule Id: 5c8c26537a550e1fb6560c5b) - High
  • S3 bucket should restrict public write ACL access (Rule Id: 5c8c26547a550e1fb6560c5c) - High
  • S3 bucket should not give full access to all authenticated users (Rule Id: 5c8c26567a550e1fb6560c5d) - High
  • S3 bucket should not give read access to all authenticated users (Rule Id: 5c8c26577a550e1fb6560c5e) - High
  • S3 bucket should not give read ACL access to all authenticated users (Rule Id: 5c8c26587a550e1fb6560c5f) - High
  • S3 bucket should not give write access to all authenticated users (Rule Id: 5c8c26587a550e1fb6560c60) - High
  • S3 bucket should not give write ACL access to all authenticated users (Rule Id: 5c8c26597a550e1fb6560c61) - High
  • S3 bucket policy should restrict full public access (Rule Id: 5c8c26617a550e1fb6560c69) - High
  • S3 bucket policy should restrict public delete access (Rule Id: 5c8c26627a550e1fb6560c6a) - High
  • S3 bucket policy should restrict public get access (Rule Id: 5c8c26637a550e1fb6560c6b) - High
  • S3 bucket policy should restrict public list access (Rule Id: 5c8c26657a550e1fb6560c6c) - High
  • S3 bucket policy should restrict public put access (Rule Id: 5c8c26667a550e1fb6560c6d) - High
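The update above means a public ACL grant or a wildcard-principal bucket policy is only a finding when the Block Public Access flags do not neutralize it. The following is an added example of that evaluation logic, written for this page and not Secure State's own rule code. The bucket descriptions are constructed sample input shaped loosely after the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses; the dictionary field names and the `merge_public_access_block` helper are assumptions for the example.

```python
"""Added example: decide whether an S3 bucket is *effectively* public once the
Block Public Access flags are applied. Sample buckets below are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def merge_public_access_block(account_pab, bucket_pab):
    """Account-level and bucket-level settings both apply: a flag is in
    effect if either level sets it (assumed merge rule for this example)."""
    return {k: bool(account_pab.get(k)) or bool(bucket_pab.get(k)) for k in PAB_FLAGS}


def acl_public_permissions(acl):
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            perms.add(grant["Permission"])
    return perms


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_actions(policy_json):
    """Actions an Allow statement grants to a wildcard principal.
    Statements carrying a Condition are skipped here; a full evaluator must
    inspect the condition keys (deliberate simplification)."""
    if not policy_json:
        return set()
    actions = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def effective_public_exposure(bucket, account_pab=None):
    """Return findings that survive Block Public Access:
    IgnorePublicAcls makes public ACL grants inert and
    RestrictPublicBuckets makes a public bucket policy inert."""
    pab = merge_public_access_block(account_pab or {}, bucket.get("PublicAccessBlock", {}))
    findings = []
    acl_perms = acl_public_permissions(bucket.get("Acl", {}))
    if acl_perms and not pab["IgnorePublicAcls"]:
        findings.append("acl:" + ",".join(sorted(acl_perms)))
    pol_actions = policy_public_actions(bucket.get("Policy"))
    if pol_actions and not pab["RestrictPublicBuckets"]:
        findings.append("policy:" + ",".join(sorted(pol_actions)))
    return findings


# Constructed sample input (not real account data).
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                               "Permission": "READ"}]}
AUTH_WRITE_ACP_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS},
                                  "Permission": "WRITE_ACP"}]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_BUCKETS = {
    "open": {"Acl": PUBLIC_READ_ACL, "Policy": PUBLIC_GET_POLICY, "PublicAccessBlock": {}},
    "blocked": {"Acl": PUBLIC_READ_ACL, "Policy": PUBLIC_GET_POLICY,
                "PublicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    "acl-ignored": {"Acl": PUBLIC_READ_ACL, "Policy": PUBLIC_GET_POLICY,
                    "PublicAccessBlock": {"IgnorePublicAcls": True}},
    "auth-users-acl": {"Acl": AUTH_WRITE_ACP_ACL, "Policy": None, "PublicAccessBlock": {}},
}


def evaluate_all(buckets, account_pab=None):
    """Run the check over every sample bucket; empty list means no finding."""
    return {name: effective_public_exposure(b, account_pab) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name:15s} {findings or 'no public exposure'}")
```

Passing the account-level configuration as `account_pab` is the caveat worth keeping in mind: an account-wide RestrictPublicBuckets silences a public bucket policy even when the bucket's own configuration is empty.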

Updated to resolve a scenario where user access keys are created but never used:

  • IAM account should not be inactive for 90 days or longer (Rule Id: 5c8c26187a550e1fb6560c07) - Low
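The scenario fixed above is easy to get wrong: an access key that was created but never used has no last-used timestamp, and a check that only looks at last-used dates silently skips it. The following is an added example of an inactivity check that handles that case, written for this page and not Secure State's query logic. Input rows are constructed samples using a subset of the IAM credential report's column names (`password_last_used`, `access_key_1_last_used_date`, `access_key_1_last_rotated`, and so on); the fixed "now" and the fallback rules are assumptions for the example.

```python
"""Added example: flag IAM users whose credentials have been unused for
90 days or more, counting a never-used key from its creation date."""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90
NOW = datetime(2021, 2, 11, tzinfo=timezone.utc)  # fixed clock for a reproducible run
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _parse(ts):
    """Credential report timestamps are ISO 8601; placeholders become None."""
    if ts in NO_VALUE:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def has_active_credentials(row):
    return (row["password_enabled"] == "true"
            or row["access_key_1_active"] == "true"
            or row["access_key_2_active"] == "true")


def last_activity(row):
    """Most recent activity across password and active keys, or None.
    A never-used credential falls back to its creation/rotation date so that
    it still ages from the day it was issued (the case the naive check misses)."""
    candidates = []
    if row["password_enabled"] == "true":
        candidates.append(_parse(row["password_last_used"]) or _parse(row["password_last_changed"]))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            used = _parse(row[f"access_key_{n}_last_used_date"])
            candidates.append(used or _parse(row[f"access_key_{n}_last_rotated"]))
    candidates = [c for c in candidates if c is not None]
    return max(candidates) if candidates else None


def inactive_users(report_csv, now=NOW, threshold_days=INACTIVE_DAYS):
    """Users with active credentials and no activity within the threshold."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or not has_active_credentials(row):
            continue  # root is handled by its own rules; no credentials, nothing to disable
        last = last_activity(row)
        if last is None or now - last >= timedelta(days=threshold_days):
            flagged.append(row["user"])
    return flagged


def naive_inactive_users(report_csv, now=NOW, threshold_days=INACTIVE_DAYS):
    """The flawed variant: only last-used dates count, so a key that was
    created but never used produces no timestamp and the user is skipped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or not has_active_credentials(row):
            continue
        used = [_parse(row[c]) for c in ("password_last_used",
                                         "access_key_1_last_used_date",
                                         "access_key_2_last_used_date")]
        used = [u for u in used if u is not None]
        if used and now - max(used) >= timedelta(days=threshold_days):
            flagged.append(row["user"])
    return flagged


# Constructed sample report (trimmed column set, fictional users).
SAMPLE_REPORT = """user,user_creation_time,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,2019-05-02T09:00:00+00:00,true,2021-02-01T10:15:22+00:00,2020-12-01T08:00:00+00:00,true,2020-12-01T08:05:00+00:00,2021-01-30T17:42:00+00:00,false,N/A,N/A
bob,2020-09-01T12:00:00+00:00,false,N/A,N/A,true,2020-09-01T12:01:00+00:00,N/A,false,N/A,N/A
carol,2021-01-20T12:00:00+00:00,false,N/A,N/A,true,2021-01-20T12:01:00+00:00,N/A,false,N/A,N/A
dave,2018-03-03T12:00:00+00:00,false,N/A,N/A,false,N/A,N/A,false,N/A,N/A
"""

if __name__ == "__main__":
    print("naive:", naive_inactive_users(SAMPLE_REPORT))
    print("fixed:", inactive_users(SAMPLE_REPORT))
```

In the sample, bob's only credential is a key issued 163 days before the fixed clock and never used: the naive pass reports nobody, the corrected pass reports bob, while carol's 22-day-old unused key stays below the threshold.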

Updated to check for application ELBv2 exclusively during evaluation:

  • ELBv2 application load balancer exposed to internet traffic should be attached to WAF (Rule Id: 75f69f27-a187-421d-9e5e-6824302157a2) - High

New Compliance Framework

  • NIST SP 800-53 – Revision 5 for AWS

February 4, 2021 - New Services - Google Cloud AppEngine, Google Kubernetes Engine, New AWS Rule

AWS – New Rules

  • IAM user, group, or role should not have access to create policy versions (Rule Id: c7ed8c8a-661a-444d-9f27-7a5e040386d5) - High

GCP – New Rules

  • Cloud AppEngine application custom domain SSL certificate expiration time should be 30 days or more (Rule Id: 51a2db05-bcc1-4502-91ee-4806b352621d) - Medium
  • Cloud AppEngine application firewall rule should not have open access from any source IP address (Rule Id: e83fd038-3b89-4507-ae11-ffcdc49a6c3e) - Medium
  • Cloud AppEngine service should not allow cross-origin resource sharing for all domains (Rule Id: 92fb86ca-ff65-48c3-ac1d-39b349b06f7c) - Medium
  • Cloud AppEngine service should require HTTPS connections (Rule Id: bc938b17-e3f7-413b-9e5f-51ce885c2949) - Medium
  • GKE cluster nodes should restrict public access (Rule Id: c11702ec-5c94-11eb-ae93-0242ac130002) - High
  • GKE cluster should have private endpoint enabled and public access disabled (Rule Id: dac65f00-5c88-11eb-ae93-0242ac130002) - High
  • GKE basic authentication using static password should be disabled (Rule Id: 4f01a8b6-5f09-11eb-ae93-0242ac130002) - Medium
  • GKE client certificate authentication should be disabled (Rule Id: 7d582f6a-5f0d-11eb-ae93-0242ac130002) - Medium
  • GKE cluster node images should be Container-Optimized OS (Rule Id: 49a70dda-5c6f-11eb-ae93-0242ac130002) - Medium
  • GKE cluster should have binary authorization enabled (Rule Id: 712ef76a-5aed-11eb-ae93-0242ac130002) - Medium
  • GKE cluster should not use default service account for compute engine (Rule Id: cb8c9d4a-5afa-11eb-ae93-0242ac130002) - Medium
  • GKE legacy compute engine instance metadata APIs should be disabled (Rule Id: ccb3d090-5c0c-11eb-ae93-0242ac130002) - Medium
  • GKE legacy authorization should be disabled (Rule Id: c01b46a8-5f11-11eb-ae93-0242ac130002) - Medium
  • GKE master authorized networks should be enabled (Rule Id: f8753a18-5c78-11eb-ae93-0242ac130002) - Medium
  • GKE secrets should be encrypted with a Cloud KMS key (Rule Id: 7f74f958-5be9-11eb-ae93-0242ac130002) - Medium
  • GKE alpha clusters should be disabled (Rule Id: d8a4b5e2-5f16-11eb-ae93-0242ac130002) - Low
  • GKE cluster nodes should have auto-repair enabled (Rule Id: 208c5d08-5c72-11eb-ae93-0242ac130002) - Low
  • GKE cluster nodes should have auto-upgrade enabled (Rule Id: 394e3c2a-5c73-11eb-ae93-0242ac130002) - Low
  • GKE logging and monitoring should be enabled (Rule Id: c08c3a5e-5c9e-11eb-ae93-0242ac130002) - Low
  • GKE should use VPC-native clusters (Rule Id: 4e44cb9c-5cc5-11eb-ae93-0242ac130002) - Low

New Compliance Frameworks

  • CIS Google Kubernetes Engine (GKE) Benchmark (1.0.0) for managed services
  • NIST SP 800-53 – Revision 5 for GCP

January 21, 2021 - New GCP Rules

GCP – New Rules

  • Cloud Bigtable instance should not be configured with privileged service accounts (RuleId: 1c008009-812a-4ac7-95e3-137c089ad1c4) - High
  • Cloud Bigtable table should not be configured with privileged service accounts (RuleId: 96572fd8-acf0-4af8-ac85-d0a5a147a63e) - High
  • Cloud Bigtable backup expiration time should be 30 days or more (RuleId: c1d3fdc1-ed80-4bd7-a35d-aaedf76cd5f9) - Low
  • Cloud Spanner backup should not be configured with privileged service accounts (RuleId: 1bdc3089-e6e3-404a-bfe7-72cffc2a1275) - High
  • Cloud Spanner database should not be configured with privileged service accounts (RuleId: 7b751ac8-7e17-43b0-8d69-9619d5d2f021) - High
  • Cloud Spanner instance should not be configured with privileged service accounts (RuleId: 71b04d6c-8c26-4f73-bab1-df31f6e40130) - High
  • Cloud Spanner backup expiration time should be 30 days or more (RuleId: 28df5432-c4d0-488f-98e2-335fb778f721) - Low

January 14, 2021 - New and Updated AWS Rules

AWS – New Rules

  • ELBv2 load balancer exposed to internet traffic should be attached to WAF (RuleId: 75f69f27-a187-421d-9e5e-6824302157a2) - High
  • WAFv2 web ACL should have rules defined (RuleId: 48472edb-5a1a-48d2-9c46-fcbd81b5cebe) - Medium
  • WAFv2 web ACL should have AWS Managed Core rule set (RuleId: faad52af-c1e0-45f7-bb58-9e5cb4ab832c) - Medium
  • WAFv2 web ACL should be associated with a resource (RuleId: a9b1c81f-f599-490d-9d9c-733391948a49) - Medium

AWS – Updated Rules

  • All AWS EC2 rules received updates to their display titles and knowledge base article to conform to a new, consistent naming standard. For example, "An EC2 instance has administrator permissions" is now "EC2 instance should not have administrator permissions", and so on.

January 7, 2021 - New and Updated Azure Rules

Azure – New Rules

  • App Service Authentication should be enabled (RuleId: 20ba4048-9457-4999-9f42-38b06ef1a538) - Medium
  • Virtual Machine should have endpoint protection installed (RuleId: 60fa3acb-87f3-4e36-b941-21add519253c) - Low
  • ASC default policy setting should not be disabled (RuleId: 91a1fe6e-c5a2-4e46-812e-babe9dcde2ec) - Low
  • MySQL server should have Enforce SSL connection enabled (RuleId: 677cbf2f-3096-4111-af16-05da43d95d80) - Medium
  • MySQL server should have diagnostic settings configured (RuleId: ac7df5ab-3894-4dad-a8b5-e32c9a957adf) - Low
  • AKS should have diagnostic settings configured (RuleId: 21a40464-93df-436a-8bc8-cd730c1c8788) - Low
  • CosmosDB Database account should have diagnostic settings configured (RuleId: a6165558-1c0a-4821-97ad-2686900d4ec2) - Low
  • Firewall should have diagnostic settings configured (RuleId: b3ad0179-5e76-47bf-a0f6-999f51ade98c) - Low
  • Network security group should have diagnostic settings configured (RuleId: 13093667-58ed-44d9-9f4e-2c3a7381f34e) - Low
  • Virtual network should have diagnostic settings configured (RuleId: d4730f88-16c1-4729-85a0-827ea7ed43b5) - Low

Azure – Updated Rules

  • Virtual machine attached to a network interface has IP forwarding enabled (RuleId: a03b7fa8-ce1b-48e2-9ea2-539b31f0ba50) - Medium
    • Change: Updated query to evaluate rules only on active VMs.
  • Virtual machine OS disk is not encrypted with Azure Disk Encryption (ADE) (RuleId: 5c6cc5d703dcc90f363146ad) - High
    • Change: Updated query to evaluate rules only on active VMs.
  • Virtual machines are not configured with managed disks (RuleId: 53aa45f7-32b0-4698-a1a1-5c649ffae97d) - Medium
    • Change: Updated query to evaluate rules only on active VMs.
  • Virtual machine OS and data disks are not encrypted (Server Side) with customer managed key (CMK) (RuleId: 35c9bbbd-a85d-4031-af9f-f35e2261f651) - Medium
    • Change: Updated query to evaluate rules only on active VMs.
