August 4, 2022 Rules Release

Updated Azure Rules

The following rule queries have SSQL conversion updates:

  • PostgreSQL server firewall should not allow access from all IP addresses (RuleId: 5fa6cb96-eb8d-11ea-adc1-0242ac120002) - High
  • SQL Server should be configured with firewall and virtual network rule (RuleId: 47d17995-2026-46af-bd8d-e23f26764432) - High
  • SQL Server should be configured with restricted access from other azure services and resources (RuleId: 8e70dd36-83c0-41d7-81ec-e470a3df23c5) - High
  • SQL Server should have Active Directory Admin configured (RuleId: 5c8c26887a550e1fb6560cb5) - High
  • SQL server auditing should be enabled (RuleId: 5c8c268a7a550e1fb6560cb9) - Medium
  • PostgreSQL server should have checkpoint logs enabled (RuleId: ff8a170d-491f-4d7d-b3b4-f0425ffaea9b) - Low
  • PostgreSQL server should have connection logs enabled (RuleId: e4ae194f-4691-41b8-bb57-48963006e25a) - Low
  • PostgreSQL server should have connection throttling enabled (RuleId: eb495d1e-4822-4977-96e0-5db6f76408cd) - Low
  • PostgreSQL server should have disconnection logs enabled (RuleId: b1a4d39a-3264-4d48-a0c8-b8e0f23a34f1) - Low
  • PostgreSQL server should have duration logs enabled (RuleId: dabeb926-68d4-4c9d-8924-cce3b8383ed5) - Low
  • SQL server should have Advanced Threat Protection configured to send email notification to admins and subscription owners (RuleId: 5c8c268e7a550e1fb6560cc4) - Low
  • SQL server should have Azure Defender vulnerability assessments configured to send email notification to admins and subscription owners (RuleId: 8d4e6c71-61f9-43e2-914d-4a7eb8df8626) - Low
  • SQL server should have Azure Defender vulnerability assessments configured with an email destination for scan reports (RuleId: f039f2e4-f960-4904-83a6-7cc6c420bf8e) - Low
  • SQL server should have recurring scans enabled in Azure Defender vulnerability assessments (RuleId: 9b30dbbe-9b48-4621-abde-773f9034f8e4) - Low
  • SQL server should have vulnerability assessment settings configured for Azure Defender (RuleId: 81e68de9-08de-496a-b10f-edff93a59e51) - Low
  • SQL server should retain audit logs for 90 days or more (RuleId: 5c8c268c7a550e1fb6560cbd) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

Deprecated Compliance Framework

The following framework is deprecated:

  • CIS GCP Foundations Benchmark, version 1.1.0

July 28, 2022 Rules Release

Updated AWS Rules

The following rules received remediation steps:

  • RDS DB cluster should have encryption enabled (RuleId: 301daea0-43af-4f17-b658-271f8d9b1a50) - High
  • RDS DB instance should have encryption enabled (RuleId: 5c8c26467a550e1fb6560c46) - High
  • RDS DB snapshot should have encryption enabled (RuleId: 5c8c26497a550e1fb6560c4b) - High
  • Redshift cluster should require SSL connections (RuleId: 5c8c264c7a550e1fb6560c51) - High
  • S3 bucket access is restricted only by IP address (RuleId: 5c8c265f7a550e1fb6560c68) - High
  • S3 bucket policy should restrict public delete access (RuleId: 5c8c26627a550e1fb6560c6a) - High
  • S3 bucket policy should restrict public list access (RuleId: 5c8c26657a550e1fb6560c6c) - High
  • S3 bucket policy should restrict public put access (RuleId: 5c8c26667a550e1fb6560c6d) - High
  • SNS topic policy should restrict access to required users (RuleId: 156f2900-2bb3-471c-8f0a-02284cf585b7) - High
  • Route53 hosted zone records should be configured with health check (RuleId: 3861c363-849f-4c5f-a4a3-e48465e08e81) - Medium
  • Route53 hosted zone should contain a TXT record (RuleId: 9ba3563e-18b3-49c8-9b80-699000c0b1a0) - Medium
  • Redshift cluster encryption should be enabled (RuleId: 5c8c264c7a550e1fb6560c4f) - Low
  • Redshift cluster should have audit logging enabled (RuleId: 5c8c264d7a550e1fb6560c52) - Low
  • Redshift cluster should have user activity logging enabled (RuleId: 5c8c264d7a550e1fb6560c53) - Low
  • Redshift engine automatic upgrades should be enabled (RuleId: 5c8c264f7a550e1fb6560c54) - Low
  • Route53 domain should have privacy protection enabled (RuleId: 5be474cf-8e53-4835-a359-088002b97b4a) - Low
  • SNS topic should be configured to log delivery failure notification status (RuleId: 19eef42e-77b1-4e33-a5e3-cd3d60fdbf00) - Low
  • SNS topic should be encrypted with a customer master key (RuleId: 96223bba-bf2d-4bb9-99f7-1ea2d9b6f8e9) - Low
  • SQS queue should be encrypted with a customer master key (RuleId: 7bb18f75-9952-49c7-955b-2897a11d0fc0) - Low

July 21, 2022 Rules Release

New AWS Rule

  • S3 bucket should have event notifications enabled (RuleId: 0844fdb5-3e57-4d60-9b13-f92dddb07a57) - Medium

Updated AWS Rules

The following rule queries received SSQL conversion updates:

  • CloudFront distribution should be attached to WAF (RuleId: e4444590-1316-4ddd-91cb-541c5c054820) - High
  • EBS volume should be encrypted (RuleId: baac9053-990e-4cc3-bcd4-50233f19c344) - High
  • RDS DB instance should be deployed in VPC (RuleId: 3c1476e2-5480-4eb5-ae8d-800c887ea813) - High
  • RDS DB snapshot should restrict public access (RuleId: 5c8c26487a550e1fb6560c4a) - High
  • Redshift cluster should restrict public access (RuleId: 5c8c264f7a550e1fb6560c55) - High
  • SageMaker Endpoint should be encrypted (RuleId: 0954f1f8-0990-4f5d-920a-4164df420450) - High
  • SageMaker Notebook instance should be encrypted (RuleId: 970c9d10-ede7-4d1b-9d07-7981f68215bb) - High
  • CloudTrail log file should be encrypted (RuleId: 5c8c25e47a550e1fb6560bac) - Medium
  • DynamoDB table should have auto scaling enabled for provisioned capacity mode (RuleId: 303e26e2-ae95-4555-bce6-5f326ce5bf5f) - Medium
  • ECS Cluster execute command logging encryption should be enabled (RuleId: 6f743c71-0fbc-4710-805b-61044a204e6a) - Medium
  • WorkSpaces workspace should have volume encryption enabled (RuleId: b0ff08a5-148b-421c-9ca9-9ec3080bb9d9) - Medium
  • CloudFront distribution access logging should be enabled (RuleId: 2f9da251-dbbf-408b-954c-fdcdd902aa1e) - Low
  • SageMaker Model should be hosted on a VPC (RuleId: 436b441e-f623-41ae-a3de-95bf0f4ea269) - Low
  • Unused network access control lists should be removed (RuleId: 9b6fdd1a-1b2a-4180-8e01-b75a658ef77d) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

Updated Azure Rules

The following rule queries received SSQL conversion updates:

  • DDoS Protection Standard should be enabled (RuleId: 3abf3147-ea53-4302-b237-caab4d764c77) - High
  • HDInsight cluster should use encryption at host to encrypt data at rest (RuleId: 346732aa-68c0-4ecf-91a7-049201cc20ba) - High
  • HDInsight cluster should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes (RuleId: 0994c06d-e687-4843-bab6-8114de68ca9a) - High
  • Network Watcher should be enabled for Azure subscriptions (RuleId: 5c8c26747a550e1fb6560c8d) - High
  • App Service resources should have Azure Defender enabled (RuleId: 9cda959b-d4d9-4cf4-af65-7f48417848ea) - Medium
  • Container registries should have Azure Defender enabled (RuleId: ccd026c2-d24f-4edd-9611-a44692d04907) - Medium
  • DNS should have Azure Defender enabled (RuleId: 5b08cec4-8364-4972-89f9-0aeb2d93c712) - Medium
  • Cache for Redis should have SSL port enabled (RuleId: 1bc83d8a-de2a-11ea-87d0-0242ac130003) - Medium
  • Cache for Redis should not use outdated TLS protocol (RuleId: 56c00e82-de2e-11ea-87d0-0242ac130003) - Medium
  • Cache for Redis patch schedule should be enabled (RuleId: d64a2e02-de34-11ea-87d0-0242ac130003) - Medium
  • Key Vault resources should have Azure Defender enabled (RuleId: 80b47c29-c6db-4dac-bcc1-1e441a42c4d2) - Medium
  • Kubernetes resources should have Azure Defender enabled (RuleId: 602d5204-d78b-42ee-a2c0-7571052dd272) - Medium
  • MySQL server should have Enforce SSL connection enabled (RuleId: 677cbf2f-3096-4111-af16-05da43d95d80) - Medium
  • Open-source relational databases should have Azure Defender enabled (RuleId: 64b8f999-f402-4139-ba55-b20af9461ec8) - Medium
  • PostgreSQL server infrastructure double encryption should be enabled (RuleId: ddf0dbc4-4e0c-4697-b6f2-9c1807c4da28) - Medium
  • PostgreSQL server should have Enforce SSL connection enabled (RuleId: e25a319c-0ca7-4e6a-b4b9-19beba480b3b) - Medium
  • PostgreSQL server should be configured to deny public network access (RuleId: 775fa7b0-eb8a-11ea-adc1-0242ac120002) - Medium
  • Resource Manager should have Azure Defender enabled (RuleId: bdca1454-57e2-4ab8-ad4d-9b48da6d82c7) - Medium
  • Server resources should have Azure Defender enabled (RuleId: 577792f3-88e2-4443-bda0-53fc404e82bf) - Medium
  • SQL servers on machines should have Azure Defender enabled (RuleId: 33a5948a-8973-4205-9c3e-7a5824104fa6) - Medium
  • SQL server should have Advanced Data Security (ADS) and Advanced Threat Protection (ATP) enabled (RuleId: 5c14c779-7d1d-4e8f-8811-f5479d174f46) - Medium
  • Storage resources should have Azure Defender enabled (RuleId: b99caf1a-16f9-4c10-846c-d31c78f563b0) - Medium
  • Subnet should be associated with a Network Security Group (RuleId: 40521413-6a36-4ade-a6c1-a78013ef1674) - Medium
  • Virtual machine network interface should have IP forwarding disabled (RuleId: a03b7fa8-ce1b-48e2-9ea2-539b31f0ba50) - Medium
  • Machine Learning workspace should be configured with diagnostic settings (RuleId: feacc6e3-de39-409a-b4b6-e3766c6ffc7a) - Low
  • Microsoft Cloud App Security should be enabled (RuleId: ccd5b008-127d-11eb-adc1-0242ac120002) - Low
  • Microsoft Defender Advanced Threat Protection should be enabled (RuleId: e7aa5db6-127d-11eb-adc1-0242ac120002) - Low
  • MySQL server should have diagnostic settings configured (RuleId: ac7df5ab-3894-4dad-a8b5-e32c9a957adf) - Low
  • Network security group should have diagnostic settings configured (RuleId: 13093667-58ed-44d9-9f4e-2c3a7381f34e) - Low
  • PostgreSQL server administrator should be configured with Azure Active Directory (RuleId: 9e78a246-4a70-430f-8692-c285cb98801b) - Low
  • PostgreSQL server security should have alert policy enabled (RuleId: 20fca066-eb90-11ea-adc1-0242ac120002) - Low
  • PostgreSQL server should use a customer-managed key for encryption (RuleId: 41702b6e-eb82-11ea-adc1-0242ac120002) - Low
  • PostgreSQL server should be configured with virtual network access rules (RuleId: f3ee87a8-eb92-11ea-adc1-0242ac120002) - Low
  • PostgreSQL server should have diagnostic settings configured (RuleId: 2e115272-eb88-11ea-adc1-0242ac120002) - Low
  • Resource Manager deployment mode should be set to incremental (RuleId: 0244b3ac-f423-11ea-adc1-0242ac120002) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

Updated GCP Rules

The following rule queries received SSQL conversion updates:

  • BigQuery data set should be encrypted with customer managed encryption key (RuleId: 8779a3b1-4012-44c6-a8de-50d79f89021c) - Medium
  • Cloud Storage bucket should be encrypted with customer-managed key (RuleId: 6c658a25-3d27-451a-8027-c9d4b08134b2) - Medium
  • GKE cluster should have binary authorization enabled (RuleId: 712ef76a-5aed-11eb-ae93-0242ac130002) - Medium
  • Image should be encrypted with a customer-supplied encryption key (RuleId: 5ea1f44d-b25d-411f-9102-84a273f29ce2) - Medium
  • Secret Manager secret should be encrypted with customer managed encryption key (RuleId: 70288b27-4775-4a2e-b458-ccffe5feed1c) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

July 11, 2022 Rules Release

New GCP Rules

  • Compute Instance confidential computing should be enabled for N2D machine types (RuleId: f20e7c5f-cadd-4518-9d7f-f9641ddaa298) - Medium
  • GKE cluster cloud asset inventory should be enabled (RuleId: 1ce93959-934c-4e66-a1f2-dc4498990646) - Medium

Updated AWS Rules

The following rule queries received SSQL conversion updates:

  • Redshift snapshot should have a retention period of 30 days or more (RuleId: 5c8c26507a550e1fb6560c56) - High
  • Systems Manager managed instance patch should be in compliant status (RuleId: 993ece60-6a4e-497e-bf04-ad65dc9b8543) - Medium
  • Route53 domain should have automatic renewal enabled (RuleId: 581388b0-952a-4bbb-b9e3-46580f43c6f8) - Low
  • Route53 domain should have privacy protection enabled (RuleId: 5be474cf-8e53-4835-a359-088002b97b4a) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

Updated GCP Rules

The following rule queries received SSQL conversion updates:

  • Cloud Armor Security Policy should have Adaptive Protection enabled (RuleId: f782cacb-1113-4ea8-b991-39151d424dc1) - High
  • GKE cluster nodes should restrict public access (RuleId: c11702ec-5c94-11eb-ae93-0242ac130002) - High
  • GKE cluster should have private endpoint enabled and public access disabled (RuleId: dac65f00-5c88-11eb-ae93-0242ac130002) - High
  • Load balancer backend service should have a secure protocol (RuleId: afdecbb6-1f63-4568-8f7e-a29e514baadf) - High
  • Project should not have a legacy network (RuleId: b0f6e060-f2a6-11ea-adc1-0242ac120002) - High
  • VM instance IP forwarding should be disabled (RuleId: cc28dfb0-f250-11ea-adc1-0242ac120002) - High
  • VM instance should block project-wide SSH keys (RuleId: f352face-dd9e-11ea-87d0-0242ac130003) - High
  • VM instance should have OS Login enabled (RuleId: 04f18636-f1ec-11ea-adc1-0242ac120002) - High
  • VM instance should have serial port access disabled (RuleId: 1d4edf1a-f1ee-11ea-adc1-0242ac120002) - High
  • VPC Flow Logs should be enabled for VPC network subnets (RuleId: 3e0e7d08-f2a9-11ea-adc1-0242ac120002) - High
  • Cloud Functions function should not be configured with the allow all traffic ingress setting (RuleId: a2de6208-5a1b-447f-b3ab-9ebb8ac7724a) - Medium
  • Cloud Run service should not be configured with the allow all traffic ingress setting (RuleId: 5cb25483-690a-4131-ac25-16090face1f9) - Medium
  • Cloud SQL database instance should have a private IP address (RuleId: c3651998-0713-11eb-adc1-0242ac120002) - Medium
  • Cloud SQL database instance should have SSL enabled (RuleId: e7a005eb-ccae-4477-ae3e-c7213609201a) - Medium
  • Cloud Storage bucket should have uniform bucket-level access enabled (RuleId: 27493eda-fd64-11ea-adc1-0242ac120002) - Medium
  • GKE basic authentication using static password should be disabled (RuleId: 4f01a8b6-5f09-11eb-ae93-0242ac130002) - Medium
  • GKE client certificate authentication should be disabled (RuleId: 7d582f6a-5f0d-11eb-ae93-0242ac130002) - Medium
  • GKE legacy authorization should be disabled (RuleId: c01b46a8-5f11-11eb-ae93-0242ac130002) - Medium
  • GKE master authorized networks should be enabled (RuleId: f8753a18-5c78-11eb-ae93-0242ac130002) - Medium
  • GKE secrets should be encrypted with a Cloud KMS key (RuleId: 7f74f958-5be9-11eb-ae93-0242ac130002) - Medium
  • Instance template should be configured with Shielded VM (RuleId: 59ee3efb-1074-4351-b057-3f97603d54f9) - Medium
  • Instance template should have interactive serial console access disabled (RuleId: c4d43b0d-c817-47fd-a26a-d91b71df2bd5) - Medium
  • Instance template should have OS Login enabled (RuleId: 59e3a98c-7c27-46ab-ac9e-f6fa818eb3c4) - Medium
  • Instance template should not have IP forwarding enabled (RuleId: 3323525a-d8f0-4ca4-b065-26d9b4784bff) - Medium
  • Instance template should restrict project-wide SSH keys (RuleId: 09807a0c-b718-405d-abf5-5c0e36a7d721) - Medium
  • Load balancer SSL policy should use latest TLS version (RuleId: 5e9f8cff-91f3-4179-ae62-164bf46309f9) - Medium
  • Project should not have a default network (RuleId: eb83d4d2-f2aa-11ea-adc1-0242ac120002) - Medium
  • VM instance should be configured with Shielded VM (RuleId: 12806f14-f292-11ea-adc1-0242ac120002) - Medium
  • VM instance should not be configured with an external IP address (RuleId: af8d1ab2-f299-11ea-adc1-0242ac120002) - Medium
  • Cloud DNS managed zone should enable Domain Name System Security Extensions (RuleId: 497fad4a-79cd-4776-b4e0-e5fc563986c2) - Low
  • Cloud Functions function should be configured with a VPC connector (RuleId: db74dfb4-7b70-41d3-9b38-9b5c4435daff) - Low
  • Cloud SQL database instance should be configured with automatic backups (RuleId: 3969e65a-0872-11eb-adc1-0242ac120002) - Low
  • Cloud Storage bucket should have logging enabled (RuleId: 29b472df-72f9-402e-9cd1-bbd1c669ccb4) - Low
  • Firewall logging should be enabled (RuleId: f387573e-3540-11eb-adc1-0242ac120002) - Low
  • GKE alpha clusters should be disabled (RuleId: d8a4b5e2-5f16-11eb-ae93-0242ac130002) - Low
  • GKE logging and monitoring should be enabled (RuleId: c08c3a5e-5c9e-11eb-ae93-0242ac130002) - Low
  • GKE should use VPC-native clusters (RuleId: 4e44cb9c-5cc5-11eb-ae93-0242ac130002) - Low
  • Load balancer backend service should have logging enabled (RuleId: 2506690d-6a47-47e4-84f5-80d27dc6bced) - Low
  • Load balancer SSL policy should use restricted profile (RuleId: 0ba35c1b-1ca2-459b-9ba0-4f5885d92c6e) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

The following rules received updates to their remediation steps in adherence to controls for CIS GCP Foundations Benchmark 1.3.0:

  • Project should contain sink to export all log entries (RuleId: 3e5b1201-ecf7-44b0-8789-fca005dd8fe4) - High
  • VM instance should not use the default service account (RuleId: e0857d80-ed3f-11ea-adc1-0242ac120002) - High
  • VPC Flow Logs should be enabled for VPC network subnets (RuleId: 3e0e7d08-f2a9-11ea-adc1-0242ac120002) - High
  • BigQuery dataset should restrict public access (RuleId: 405cbd6e-1ebd-11eb-adc1-0242ac120002) - Medium
  • Firewall rule for instance behind an Identity Aware Proxy (IAP) should only allow traffic from health check and proxy addresses (RuleId: f1660eae-98bf-4fcb-82ae-ec3c0e3dab0d) - Medium

The following rule received updates to its remediation steps in adherence to controls for CIS GCP Foundations Benchmark 1.3.0:

  • Cloud SQL for PostgreSQL database instance should have the log_hostname flag disabled (RuleId: 00349301-943d-4b39-aa15-f0bf941a8633) - Low

New Compliance Framework

  • CIS GCP Foundations Benchmark, version 1.3.0

Updated Compliance Frameworks

The following framework received mappings for the first time to AWS, Azure, GCP, and Non-CIS Kubernetes rules:

  • MITRE ATT&CK Cloud, version 10.0

June 23, 2022 Rules Release

Updated Azure Rules

The following rule queries received SSQL conversion updates:

  • Front Door custom domain should be configured with HTTPS protocol (RuleId: 3e775bcb-b132-48be-af09-952daa1c77dd) - High
  • Front Door WAF should be configured (RuleId: 9210c25c-856c-4b53-ad2d-d55e0be57c6e) - High
  • CosmosDB Database account should restrict public access (RuleId: 2a2026f2-d1ac-11ea-87d0-0242ac130003) - Medium
  • Event Hub encryption at rest should be configured with customer-managed key (RuleId: f0bcf8c6-5d2c-49fd-9030-7457722319d5) - Medium
  • Event Hub should have shared access policy defined (RuleId: fa2048aa-a0b0-4b2f-ac8b-b0397db6e094) - Medium
  • Front Door custom domain should be configured with latest TLS version (RuleId: a97de6b5-f833-4de5-9163-b43b993e926f) - Medium
  • Front Door health probe setting should be enabled (RuleId: b35eee6a-c4dc-47ec-bc1f-b31448bf22a2) - Medium
  • Functions App FTP state should be Disabled or FTPS only (RuleId: 780ee8d0-6ade-4a91-8843-1509b239bd35) - Medium
  • Functions App should be configured with latest TLS version (RuleId: 09e43aa4-ec41-11ea-adc1-0242ac120002) - Medium
  • HDInsight cluster should be configured with latest TLS version (RuleId: f15eee50-cc59-45f8-a0ff-c16502ee952c) - Medium
  • HDInsight cluster should be encrypted with customer-managed key (RuleId: bdf9776e-689d-4eec-b4dc-adc4aa8a6d69) - Medium
  • Key Vault should be recoverable (RuleId: e2090e34-3580-4088-a815-2ead6a72700f) - Medium
  • Machine Learning workspace should be configured with user assigned managed identity (RuleId: e34a5959-41de-4daa-b8fc-e30edb2ce0fe) - Medium
  • CosmosDB Database account should be encrypted with customer-managed key (RuleId: c76c305e-d1a7-11ea-87d0-0242ac130003) - Low
  • CosmosDB Database account should have diagnostic settings configured (RuleId: a6165558-1c0a-4821-97ad-2686900d4ec2) - Low
  • Event Hub should be configured with diagnostic settings (RuleId: 1b4a6e6b-bcd1-4ca2-afa3-9de56f9f4daa) - Low
  • Firewall should have diagnostic settings configured (RuleId: b3ad0179-5e76-47bf-a0f6-999f51ade98c) - Low
  • Front Door diagnostic settings should be enabled (RuleId: 8a9534a5-a520-4260-8e65-d87cedd8c64b) - Low
  • Functions monitoring should be enabled (RuleId: d8014e82-ec40-11ea-adc1-0242ac120002) - Low
  • HDInsight cluster should be configured with diagnostic settings (RuleId: 97989384-6cba-4175-911d-f5d76544aa14) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule.

June 16, 2022 Rules Release

Updated AWS Rules

The following rules received query updates for improved accuracy:

  • RDS DB instance should have automatic minor version upgrades enabled (RuleId: 5c8c264a7a550e1fb6560c4c) - High
  • RDS DB cluster should have automatic minor version upgrades enabled (RuleId: 82b3358c-3acd-4cf2-a394-97558cb04d3e) - High

The following rules received SSQL conversion updates in their queries:

  • GuardDuty is not configured for all the enabled regions (RuleId: 8be2a51c-bbe8-49bc-a9e5-0d3c5332d3c5) - High
  • IAM password policy should prevent password reuse (RuleId: 5c8c26107a550e1fb6560bfc) - High
  • IAM password should be configured to expire after 90 days (RuleId: 5c8c25fd7a550e1fb6560bde) - High
  • RDS DB cluster should have encryption enabled (RuleId: 301daea0-43af-4f17-b658-271f8d9b1a50) - High
  • GuardDuty Detector is suspended (RuleId: afc0f9af-b5b8-4ac5-a190-e5e6989ad46f) - Medium
  • GuardDuty Detector S3 data source is disabled (RuleId: 2eaa21ca-5407-41d2-bbca-a19f70b0fa71) - Medium
  • GuardDuty publishing destination is not configured (RuleId: daa933b9-9524-4ce7-b7a7-5bff243c10f9) - Medium
  • IAM password policy should have password expiration enabled (RuleId: ce66044f-644b-4f58-a134-1b322bd66a2a) - Medium
  • IAM password policy should require lowercase characters (RuleId: 5c8c260a7a550e1fb6560bf2) - Medium
  • IAM password policy should require numbers (RuleId: 5c8c260c7a550e1fb6560bf6) - Medium
  • IAM password policy should require symbols (RuleId: 5c8c260e7a550e1fb6560bf8) - Medium
  • IAM password policy should require uppercase characters (RuleId: 5c8c260f7a550e1fb6560bfa) - Medium
  • IAM password policy should set a minimum length (RuleId: 5c8c260b7a550e1fb6560bf4) - Medium
  • KMS service should be enabled (RuleId: 5c8c26227a550e1fb6560c14) - Low
  • KMS should have automated key rotation enabled (RuleId: 5c8c26217a550e1fb6560c12) - Medium
  • OpenSearch application should have at least three data nodes (RuleId: 8b1c727b-4e96-40cc-8141-b550ba8e3fad) - Medium
  • OpenSearch domain should be configured with at least three dedicated master nodes (RuleId: 4b5a5862-4c5d-4bcc-863d-dfa609395c52) - Medium
  • OpenSearch domain should be encrypted with TLS-1.2 (RuleId: 53ca72de-a66e-4107-8ac5-56998aa0b221) - Medium
  • EKS control plane should have authenticator logging enabled (RuleId: 266ab640-f22b-4b79-993e-95e1c65fbb83) - Low
  • EKS control plane should have controller manager logging enabled (RuleId: 4f5d7fa2-f377-4ce9-8076-e98c0208ee78) - Low
  • EKS control plane should have scheduler logging enabled (RuleId: 7a8a2e88-c8cf-462d-85fe-e821688afd11) - Low
  • EKS cluster should restrict public access (RuleId: 3f0b8ac5-ed0d-48cc-a8e9-edde722a5848) - Medium
  • RDS DB cluster backup retention period should be greater than 30 days (RuleId: fe3e6365-03c4-4502-bdf8-74e7dafa085d) - Low
  • RDS DB cluster should be configured to copy tags to snapshot (RuleId: 905a491a-5360-4574-a9e6-6b2be63e3806) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for and also enables customers to more easily use queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule:

Edit query: {"inventoryQueryType":"Graph","queryString":"g.V().has('entityType', 'AWS.IAM.AccountPasswordPolicy').not(has('property.PasswordReusePrevention'))"} -> {"inventoryQueryType":"SSQL","queryString":"entityType=AWS.IAM.AccountPasswordPolicy and not propertyName(PasswordReusePrevention)"}

Updated Azure Rules

The following rules received SSQL conversion updates to their queries:

  • AKS cluster should be private (RuleId: 072e5d67-bbb7-4f90-b5d1-535b9565f911) - High
  • AKS cluster should have private node (RuleId: b500ea29-935e-4476-9318-ed7994c04854) - High
  • CDN endpoint should be configured with WAF (RuleId: fc750575-3783-499c-8394-35aca63b0e91) - High
  • CDN endpoint should require HTTPS connections (RuleId: fce9c690-4155-4b32-8f0c-b2599004955d) - High
  • Container Instance container group image repository should be restricted from public access (RuleId: aedd80e9-9842-4e4a-b54a-ec510d32dd53) - High
  • Container Instance container group should be restricted from public access (RuleId: d0b49297-9c6d-4f77-8e19-53482f001fd2) - High
  • App Service Authentication should be enabled (RuleId: 20ba4048-9457-4999-9f42-38b06ef1a538) - Medium
  • App Service FTP state should be Disabled or FTPS only (RuleId: 3d606cc8-2af1-459e-a30a-4338b0639915) - Medium
  • App Service should be configured to accept incoming client certificates (RuleId: bb2ff362-08ba-11eb-adc1-0242ac120002) - Medium
  • App Service should be registered with Azure Active Directory (RuleId: 32fab8ea-02e0-11eb-adc1-0242ac120002) - Medium
  • App Service should enforce HTTPS-only traffic (RuleId: 3a79eaf4-08c7-11eb-adc1-0242ac120002) - Medium
  • Compute unattached disk should be encrypted with a customer-managed key (RuleId: 9bafe936-5579-47ca-af41-b98ca801c2ea) - Medium
  • Container Instance container group should be encrypted with a CMK (RuleId: 31527120-12dd-49e5-a78b-69b1db7edc17) - Medium
  • Container Registry should be encrypted with customer-managed key (RuleId: 4a034ec7-9012-4c74-962a-b1b466a8c8ce) - Medium
  • AKS cluster should have role-based access control enabled (RuleId: 794bfead-114f-4c09-a091-91d3ef2e1109) - Low
  • AKS cluster should use disk encryption with a customer-managed key (RuleId: 769857eb-9eec-4976-84c6-8026bd0a1a32) - Low
  • AKS should have diagnostic settings configured (RuleId: 21a40464-93df-436a-8bc8-cd730c1c8788) - Low
  • Application Gateway should be configured with a WAF (RuleId: c458ed4b-d506-4607-a272-01475c2515f6) - High
  • Application Gateway should have diagnostic settings enabled (RuleId: d30cc6cb-139c-4fea-bbd8-8b811c3a30ac) - Low
  • App Service monitoring should be enabled (RuleId: 8218f5c8-0221-11eb-adc1-0242ac120002) - Low
  • App Service should use the latest HTTP version (RuleId: e962e32e-0267-11eb-adc1-0242ac120002) - Low
  • CDN endpoint should be configured with diagnostic settings (RuleId: 5632baf4-d98c-4565-a709-0a64e0d5a754) - Low
  • CDN profile should be configured with diagnostic settings (RuleId: e97a2d3c-07bb-4ed1-a1ed-294a7d2230ff) - Low
  • Container Instance container group should be enabled with azure monitor logs (RuleId: 2fc88f4c-f083-495c-8c60-c8600b5ecdb4) - Low

Changing rule queries from Gremlin to SSQL provides greater transparency into what a rule is specifically checking for, and also makes it easier for customers to reuse the queries to create explore searches and custom rules. SSQL queries will eventually be added to the rules page, but in the meantime you can review them in the change log for a specific rule. For example, the change log entry for "AKS cluster should be private" shows the Gremlin query and its SSQL equivalent:

Edit query: {"inventoryQueryType":"Graph","queryString":"g.V().has('entityType', 'Azure.AKS.ManagedCluster').has('property.ProvisioningState', 'Succeeded').has('property.EnablePrivateCluster', false)"} -> {"inventoryQueryType":"SSQL","queryString":"entityType=Azure.AKS.ManagedCluster and ProvisioningState=Succeeded and EnablePrivateCluster=false"}

June 9, 2022 Rules Release

Updated AWS Rules

The following queries received SSQL conversion updates:

  • CloudFront distribution should use HTTPS to communicate with application viewers (RuleId: b7d0e509-3703-4e2d-9da7-c1b84d221950) - High
  • KMS key should not be scheduled for deletion (RuleId: f11ce04f-398c-465d-81ba-148f0540288a) - High
  • Redshift cluster should have enhanced VPC routing enabled (RuleId: 6020fc49-cd03-452c-9b1c-d50721b17d19) - High
  • SageMaker Notebook instance should have direct internet access disabled (RuleId: bebd0339-ae61-45b0-a4b4-b355f55771ad) - High
  • Aurora MySQL clusters should not have backtracking disabled (RuleId: 40d265ff-f1b0-4500-83a8-49d3436c6510) - Medium
  • CloudFormation stack should not be in a drifted state (RuleId: 265bfe2e-0674-4858-a934-139e16460749) - Medium
  • CloudFront distribution should use security policy with secure SSL protocol (RuleId: e60ca6e7-479b-4840-9075-5ece35c7cb3c) - Medium
  • EC2 instance should be configured to use IMDSv2 (RuleId: ec6d20f7-dc81-4e64-98df-5b9b95abdb18) - Medium
  • ECR repository should have scan image on push configuration enabled (RuleId: 66e6f364-0efb-4640-83f3-c9a0eedfd9ae) - Medium
  • RDS DB cluster should be configured for multiple Availability Zones (RuleId: 18d82921-696c-4053-9c69-01f1fe4fcd7c) - Medium
  • RDS DB cluster should not have IAM authentication disabled (RuleId: 006ce8ff-ace8-437c-a9ba-262c1326c77f) - Medium
  • S3 bucket should have versioning and MFA delete enabled (RuleId: fb3c1bbc-2019-420f-b0df-598fd7e5a66f) - Medium
  • SageMaker Model should have network isolation enabled (RuleId: 88f700ad-53e2-41b5-b2ad-298bce36c388) - Medium
  • SageMaker Notebook instance should have root access disabled (RuleId: 80a37713-dba7-4e02-9e97-e9d4f90a145f) - Medium
  • WAFv2 web ACL should have logging enabled (RuleId: c5fe3d7e-ee5b-471c-963f-b00047446a72) - Medium
  • CloudTrail log file validation should be enabled (RuleId: 5c8c25e27a550e1fb6560ba6) - Low
  • CloudTrail should be enabled (RuleId: 5c8c25e67a550e1fb6560bb0) - Low
  • EKS control plane should have API logging enabled (RuleId: 3fedf4d7-1177-45b3-899f-f0ea150d3c01) - Low
  • EKS control plane should have audit logging enabled (RuleId: aae0bb31-a2e8-4256-8e05-cf9a7edb33ac) - Low
  • Organization should have all features enabled (RuleId: 8b672fd8-dce1-40c0-b84c-09aa1fe432e5) - Low
  • RDS DB cluster should not have deletion protection disabled (RuleId: 0a61290a-194b-451d-8aaf-f8e63280f279) - Low

The following rule received a query and trigger update for improved results:

  • EC2 VPC Peering should not have cross account connection (RuleId: 1e025bc1-ff97-409f-982d-39a810d5fa25) - Medium

June 2, 2022 Rules Release

Updated AWS Rules

The following rules received SSQL conversion updates to their queries:

  • OpenSearch service domain should restrict public access (RuleId: 42176a6a-06e2-4897-a53b-89189b110b9f) - High
  • RDS DB snapshot should have encryption enabled (RuleId: 5c8c26497a550e1fb6560c4b) - High
  • Secrets Manager secret should restrict access to required users (RuleId: fa4150c3-9cee-4820-b6f9-8c2a0f8e627b) - High
  • Classic Load Balancer should have access logs enabled (RuleId: 657c46b7-1cd0-4cce-80bb-9d195f49c987) - Medium
  • Classic Load Balancer should have connection draining enabled (RuleId: 4150dadf-2f01-4c51-84d4-c22adf5b62f8) - Medium
  • Classic Load Balancer should have cross-zone load balancing enabled (RuleId: 084348fa-552d-4828-ba91-9c0e95d26c57) - Medium
  • Classic Load Balancer should not use default security group (RuleId: c07c9476-0e3e-45ef-8596-ca3dcee7cef6) - Medium
  • Classic Load Balancer should not use a default VPC (RuleId: 7e57a820-4518-4d9c-97af-0ad42ca7b338) - Medium
  • CloudTrail S3 bucket should have access logging enabled (RuleId: 5c8c265c7a550e1fb6560c63) - Medium
  • OpenSearch data at rest should be encrypted (RuleId: 95b2cdd3-feb3-4c4e-a4a1-877dda005a83) - Medium
  • OpenSearch domain should require HTTPS requests (RuleId: 46ce480c-3a30-45c2-8b91-85828e60ed71) - Medium
  • OpenSearch node to node encryption should be enabled (RuleId: 4f7f6670-346a-42f6-8b5d-47aff9d1745f) - Medium
  • OpenSearch zone awareness should be enabled (RuleId: 43d0530b-0e45-49a1-97aa-2d1dd094b13d) - Medium
  • Secrets Manager secret should have automatic rotation enabled (RuleId: 82b26701-6d4a-44d1-b792-ba8314dbe985) - Medium
  • OpenSearch application logging should be enabled (RuleId: d9daf307-56b9-430b-8d4d-03115c690465) - Low
  • OpenSearch index slow logging should be enabled (RuleId: b5437b0d-6476-45b6-a318-504a10b5ca1d) - Low
  • OpenSearch search slow logging should be enabled (RuleId: 4e00da2c-b031-41be-806d-2795444e4196) - Low
  • Redshift cluster encryption should be enabled (RuleId: 5c8c264c7a550e1fb6560c4f) - Low
  • Redshift cluster should have audit logging enabled (RuleId: 5c8c264d7a550e1fb6560c52) - Low
  • Redshift engine automatic upgrades should be enabled (RuleId: 5c8c264f7a550e1fb6560c54) - Low
  • Systems Manager managed instance association should be in compliant status (RuleId: bc8f3ffa-09d8-4465-80b6-068ebba38a31) - Low
  • Secrets Manager secret should be encrypted with a customer master key (RuleId: 3c43ff29-5b19-4c77-9d4e-41c35bd22769) - Low

The following rules received remediation steps:

  • RDS DB cluster should have automatic minor version upgrades enabled (RuleId: 82b3358c-3acd-4cf2-a394-97558cb04d3e) - High
  • RDS DB instance should have automatic minor version upgrades enabled (RuleId: 5c8c264a7a550e1fb6560c4c) - High
  • RDS DB instance should restrict public access (RuleId: 5c8c26467a550e1fb6560c48) - High
  • RDS DB snapshot should restrict public access (RuleId: 5c8c26487a550e1fb6560c4a) - High
  • Redshift cluster should restrict public access (RuleId: 5c8c264f7a550e1fb6560c55) - High
  • Redshift snapshot should have a retention period of 30 days or more (RuleId: 5c8c26507a550e1fb6560c56) - High
  • Route53 domain should have transfer lock enabled (RuleId: 4852bdbc-d226-43c6-9a6c-08de2b8045a7) - High
  • Route53 domain should be renewed before it expires (RuleId: 771b3455-fafd-46c1-940a-97029d210c65) - Medium
  • Route53 health check should be configured for monitoring (RuleId: 3cd6f10b-6799-476d-b9fe-db590bdec205) - Medium
  • Route53 hosted zone should be configured with query logging (RuleId: 5123680e-751c-4966-a88e-6c1e81079c04) - Medium
  • RDS DB cluster backup retention period should be greater than 30 days (RuleId: fe3e6365-03c4-4502-bdf8-74e7dafa085d) - Low
  • Route53 domain should have automatic renewal enabled (RuleId: 581388b0-952a-4bbb-b9e3-46580f43c6f8) - Low

Updated Azure Rules

The following rule received query and trigger updates for improved accuracy:

  • Automation account should be configured with managed identity (RuleId: 2dda5843-a250-4c81-af2a-b6c1256d9730) - Medium

Kubernetes Rules

The following rules received updates to display name, description, and suggested action:

  • Cluster Networking Service should not be exposed on NodePort (RuleId: 69de13a2-fed4-11eb-9a03-0242ac130003) - Medium
  • Cluster Networking Service should not use an external IP (RuleId: c621e3a6-a707-45dd-ae48-462ed52e91f0) - Medium
  • Cluster role rule should not allow users to run commands in a container (RuleId: 0e353ce5-eca0-4f8b-aaf4-94f1e7dfa063) - Medium
  • Cluster role rule should not grant unrestricted access to API groups (RuleId: 2ad90c7e-1cc7-471f-b338-110c55ddec30) - Medium
  • Cluster role rule should not grant unrestricted access to resources (RuleId: 70f72cdb-0bd8-44a1-829c-be540aaf1969) - Medium
  • Cluster role rule should not grant unrestricted access to verbs (RuleId: b0bf0781-c66c-4143-a7f6-85d19cf5af6d) - Medium
  • Default service account should not automount API credentials (RuleId: d0451802-c275-4996-8d70-fef051fcddcc) - Medium
  • Role rule should not allow users to run commands in a container (RuleId: f7dd58ea-11f9-47da-bbb8-fa917425d4b2) - Medium
  • Role rule should not grant bind, impersonate, or escalate permissions to subjects (RuleId: 1ef765d3-1354-4240-ba34-d8dc42bc560f) - Medium
  • Role rule should not grant unrestricted access to API groups (RuleId: 2abd9957-0b65-490e-9c35-999213278f31) - Medium
  • Role rule should not grant unrestricted access to resources (RuleId: e2b83a1e-7bdd-42b8-8c47-a08e6d87cf27) - Medium
  • Role rule should not grant unrestricted access to verbs (RuleId: a3c254e5-b0a8-45be-b9b8-b8671f49e894) - Medium
  • System:node cluster role should not allow access to secrets on all API groups (RuleId: cf68560e-0572-49d4-bd25-12ab0a251ad0) - Medium
  • System:node cluster role should not allow access to the core API with unrestricted resource and verb permissions (RuleId: 824d5009-47b5-4ac1-bbfa-d71254ad0485) - Medium
  • System:node cluster role should not allow get access to all API groups and resources (RuleId: bc1a9c99-d0ed-46d3-a79d-a25e580361dc) - Medium
  • System:node cluster role should not allow full access to API groups and resources (RuleId: 03eee21c-8e12-431c-87f7-774a74abe633) - Medium
  • System:node role should not allow access to the core API with unrestricted resource and verb permissions (RuleId: deddc807-56a4-4d71-aa75-4e14371bd88d) - Medium
  • User-defined cluster role binding should not grant access to create pods (RuleId: 2dea1658-e243-480e-b09f-d71eb09232a3) - Medium
  • User-defined cluster role binding should not include system:masters group as a subject (RuleId: 5f3224c1-8c73-4dfa-a3cc-3bfec1119aa3) - Medium
  • User-defined cluster role binding should not provide access to cluster-admin (RuleId: eef24422-24d9-4b69-8931-4f33f771af22) - Medium
  • User-defined role binding should not provide access to cluster-admin (cluster role) (RuleId: dc89c28f-4f76-43fd-aa3e-62ca63e0a172) - Medium
  • User-defined role binding should not provide access to cluster-admin (role) (RuleId: a715b5f1-ee3f-42ab-9e11-e563f64153b9) - Medium
  • Cluster should not use the default namespace (RuleId: b9b6c2dd-f868-44b4-99c8-d3e76f0a2931) - Low
  • Namespace should have a network policy (RuleId: bdf73fad-97fd-4453-b543-c84d26c98d0b) - Low

May 26, 2022 Rules Release

Updated AWS Rules

The following rule received a query update for improved accuracy:

  • Glue security configuration should have S3 and CloudWatch logs encryption enabled (RuleId: 89cbbe7e-9830-41b6-98b2-54e85b96d789) - High

The following rules received a query update for SSQL conversion:

  • ACM Certificate Transparency logging should be enabled (RuleId: 42529cd0-c4c8-462b-b890-1eaea0541058) - Medium
  • API Gateway REST API should be private (RuleId: ef408f0b-7d6f-4486-bfbc-b3440b40dc07) - Medium
  • Auto Scaling launch configuration should be configured to use IMDSv2 (RuleId: 59bdf6ae-f7b1-4d55-b0bd-8c52bd922992) - Medium
  • Cognito user pool client should have direct user/password authentication flows disabled (RuleId: d57ec353-4721-4767-a986-aed0ad804bfe) - Medium
  • Cognito user pool client should not indicate if user is registered (RuleId: 4e038c40-3e96-4fcf-802c-a31d4f175ec4) - Medium
  • EC2 subnets should not automatically assign public IP addresses (RuleId: 9acc58ab-ccad-48f2-a454-f114b9293b68) - Medium
  • EFS file system should be encrypted (RuleId: b5acf981-e74e-42f0-bb7b-aa78ed540df5) - Medium
  • Athena Workgroup should have publish cloudwatch metrics enabled (RuleId: fa5dd258-7b8f-438e-b753-a5fd2c39fbaa) - Low
  • AWS Config should be enabled in all regions (RuleId: b1bc556c-c77f-4938-9934-29029255e454) - Low
  • Cognito user pool should have advanced security enabled (RuleId: 32e039e8-2539-42a6-acf4-dd04d2546157) - Low
  • Cognito user pool should have multi-factor authentication enabled (RuleId: 27189d80-b788-436a-8735-85a134ef0315) - Low
  • ECS Cluster should have container insights enabled (RuleId: 8efed7d2-9b25-4602-b1d9-a8e99c3c6017) - Low
  • OpenSearch audit logging should be enabled (RuleId: 800e2c67-ccc3-4a3e-a030-c321aad59f6a) - Low

May 19, 2022 Rules Release

New AWS Rules

  • EMR cluster data should be encrypted at rest (RuleId: 4b5ebc47-c1f5-44de-bef6-1f87628c2670) - High
  • EMR cluster data should be encrypted in transit (RuleId: ae0c4f5e-0ed5-45ec-afcf-76a160849129) - High
  • EMR block public access should be enabled (RuleId: bd3b07f4-11e2-4ac4-892b-dea861f94336) - Medium
  • EMR cluster should have EC2 instance metadata service v2 enabled (RuleId: d0f378f3-7119-47ef-aad7-5a518d0f9e22) - Medium

New Kubernetes Rules

  • Cluster role rule should not grant bind, impersonate, or escalate permissions to subjects (RuleId: fafa387b-698a-404c-a290-93083285cb71) - Medium
  • Role rule should not grant bind, impersonate, or escalate permissions to subjects (RuleId: 1ef765d3-1354-4240-ba34-d8dc42bc560f) - Medium
  • User-defined role binding should not include system:masters group as a subject (RuleId: 317752a7-6298-4d3a-8897-bcd4931076a0) - Medium
  • User-defined cluster role binding should not include system:masters group as a subject (RuleId: 5f3224c1-8c73-4dfa-a3cc-3bfec1119aa3) - Medium

Updated AWS Rules

The following rules received query and trigger updates to improve results:

  • Glue Data Catalog settings should have metadata encryption and connection passwords enabled (RuleId: 786c659a-c4d4-47e0-94ae-c8bba9d7c01e) - High
  • Firehose delivery stream destination should use an encrypted S3 bucket (RuleId: 8b76d13b-8c3a-4c4a-8993-a0e6f9af46c7) - Medium

New Compliance Framework

The following frameworks were mapped to Kubernetes rules for the first time:

  • CIS Kubernetes V1.20 Benchmark, version 1.0.0
  • CIS Kubernetes V1.23 Benchmark, version 1.0.0

May 13, 2022 Rules Release

Updated AWS Rules

The following rules received remediation steps:

  • EC2 instance should restrict public access to alternative HTTP port (8888) (RuleId: 7a57f2c5-8ba1-4862-867b-110249fef2e7) - High
  • EC2 instance should restrict public access to Elasticsearch ports (9200 and 9300) (RuleId: 04700175-adbe-49e1-bc7a-bc9605597ce2) - High
  • EC2 instance should restrict public access to FTP control port (21) (RuleId: 5c8c263d7a550e1fb6560c3a) - High
  • EC2 instance should restrict public access to FCP port (5500) (RuleId: f49878b2-c89e-44d9-80eb-d0e6bf560e75) - High
  • EC2 instance should restrict public access to FTP data port (20) (RuleId: 5c8c263d7a550e1fb6560c39) - High
  • EC2 instance should restrict public access to Go, Node.js, and Ruby web development frameworks port data port (3000) (RuleId: 279aae5a-7db7-475c-92dc-854c41fad45d) - High
  • EC2 instance should restrict public access to IMAP data port (143) (RuleId: 38315534-5242-4917-bc04-8698359d7570) - High
  • EC2 instance should restrict public access to Kibana port (5601) (RuleId: 4823ede0-7bed-4af0-a182-81c2ada80203) - High
  • EC2 instance should restrict public access to legacy HTTP port (8088) (RuleId: 2f155bea-fe84-4ae4-a991-6a4d5b83fd6d) - High
  • EC2 instance should restrict public access to Memcache UDP port (11211) (RuleId: bd9d77b6-635d-4e06-9760-8957d8eaeb38) - High
  • EC2 instance should restrict public access to MongoDB server port (27017) (RuleId: 5c8c26427a550e1fb6560c40) - High
  • EC2 instance should restrict public access to MSSQL data port (1434) (RuleId: 615537d1-e056-48e0-8180-787462598c6b) - High
  • EC2 instance should restrict public access to MySQL server port (3306) (RuleId: 5c8c26427a550e1fb6560c41) - High
  • EC2 instance should restrict public access to Oracle SQL port (1521) (RuleId: 5c8c26417a550e1fb6560c3e) - High
  • EC2 instance should restrict public access to POP3 data port (110) (RuleId: 2da3fb11-7564-4a0b-9471-986bf9aa082f) - High
  • EC2 instance should restrict public access to PostgreSQL server port (5432) (RuleId: 5c8c26437a550e1fb6560c43) - High
  • EC2 instance should restrict public access to Python web development frameworks port (5000) (RuleId: 430dc795-4733-4a27-93fd-e60bb479570e) - High
  • EC2 instance should restrict public access to Redis Cache port (6379) (RuleId: 3e2ec500-b3fa-11eb-8529-0242ac130003) - High
  • EC2 instance should restrict public access to Redshift port (5439) (RuleId: 5c8c26447a550e1fb6560c44) - High
  • EC2 instance should restrict public access to Remote Desktop port (3389) (RuleId: 5c8c26437a550e1fb6560c42) - High
  • EC2 instance should restrict public access to RPC data port (135) (RuleId: c7f36771-25a9-4e66-92eb-d1b7e69eaa81) - High
  • EC2 instance should restrict public access to SMB ports (445 and 139) (RuleId: 72090764-b3f5-11eb-8529-0242ac130003) - High
  • EC2 instance should restrict public access to SMTP Relay (25) (RuleId: d55fb946-b19f-11eb-8529-0242ac130003) - High
  • EC2 instance should restrict public access to SQL Server port (1433) (RuleId: 5c8c26417a550e1fb6560c3d) - High
  • EC2 instance should restrict public access to SSH port (22) (RuleId: 5c8c26417a550e1fb6560c3f) - High
  • EC2 instance should restrict public access to TCP port (8080) (RuleId: 5c8c26407a550e1fb6560c3c) - High
  • EC2 instance should restrict public access to Telnet port (23) (RuleId: 5c8c263e7a550e1fb6560c3b) - High
  • EC2 instance should restrict public access to WinRM ports (5985 and 5986) (RuleId: 1349b94a-b3f9-11eb-8529-0242ac130003) - High
  • IAM password policy should prevent password reuse (RuleId: 5c8c26107a550e1fb6560bfc) - High
  • IAM root user account should be configured with hardware MFA (RuleId: 5c8c26067a550e1fb6560bec) - High
  • IAM root user account should require multi-factor authentication (RuleId: 5c8c26167a550e1fb6560c03) - High
  • IAM user, group, or role should have MFA permissions restricted (RuleId: bdc54b11-ece6-44b4-92a6-2bd3783fd0f2) - High
  • IAM user, group, or role should restrict IAM access key permissions (RuleId: 6b67bc0d-73c3-441a-b474-ddbee36dd42c) - High
  • IAM user, group, or role should restrict permissions to bypass S3 Object Lock (RuleId: b39a563e-a9b8-4c34-a2fb-0cb06a7df708) - High
  • IAM password policy should have password expiration enabled (RuleId: ce66044f-644b-4f58-a134-1b322bd66a2a) - Medium
  • IAM password policy should require lowercase characters (RuleId: 5c8c260a7a550e1fb6560bf2) - Medium
  • IAM password policy should require numbers (RuleId: 5c8c260c7a550e1fb6560bf6) - Medium
  • IAM password policy should require symbols (RuleId: 5c8c260e7a550e1fb6560bf8) - Medium
  • IAM password policy should require uppercase characters (RuleId: 5c8c260f7a550e1fb6560bfa) - Medium
  • IAM password policy should set a minimum length (RuleId: 5c8c260b7a550e1fb6560bf4) - Medium

May 5, 2022 Rules Release

New Service - Azure Automation

  • Automation account should be configured with managed identity (RuleId: 2dda5843-a250-4c81-af2a-b6c1256d9730) - Medium
  • Automation account should be configured with diagnostic settings (RuleId: 4802183c-5ce8-4a47-a251-0d330dd448b7) - Low
  • Automation runbook logging should be enabled (RuleId: ba62c2e9-afaa-43e3-9e62-decccb5a3d7f) - Low

New AWS Rules

  • EC2 VPN connection category should be VPN (RuleId: b8abe97f-1f14-4046-9443-9f9bc91849bc) - Medium
  • RDS database cluster should use a custom administrator username (RuleId: ddd1ffc2-938d-440b-bf10-d09c641c3ce7) - Medium
  • RDS database instance should use a custom administrator username (RuleId: 563903f9-45ff-48c4-9f7c-4a9aaa36220f) - Medium
  • Redshift cluster should not use the default Admin username (RuleId: 19658840-0e60-40e1-b92a-c025fc48be1d) - Medium
  • CloudFront distribution should not have default SSL/TLS certificate enabled (RuleId: 2860d86d-bf00-49fc-aef9-9b36c46251b8) - Low
  • CloudFront distribution should use SNI to serve HTTPS requests (RuleId: 2b5c5e61-69e3-46d0-aec4-3a3d777216fb) - Low
  • EC2 Client VPN endpoint connection logging should be enabled (RuleId: 2069afa5-3760-4671-922e-5d368172c34f) - Low

Updated AWS Rules

The following rule received a query update to improve accuracy:

  • Route53 domain should have transfer lock enabled (RuleId: 4852bdbc-d226-43c6-9a6c-08de2b8045a7) - High

The following rules received remediation steps:

  • IAM password should be changed after CloudBleed exploit (RuleId: 5c8c25fd7a550e1fb6560bdd) - High
  • IAM password should be configured to expire after 90 days (RuleId: 5c8c25fd7a550e1fb6560bde) - High
  • Classic Load Balancer should have access logs enabled (RuleId: 657c46b7-1cd0-4cce-80bb-9d195f49c987) - Medium
  • Classic Load Balancer should have connection draining enabled (RuleId: 4150dadf-2f01-4c51-84d4-c22adf5b62f8) - Medium
  • Classic Load Balancer should have cross-zone load balancing enabled (RuleId: 084348fa-552d-4828-ba91-9c0e95d26c57) - Medium
  • Classic Load Balancer should not use a default VPC (RuleId: 7e57a820-4518-4d9c-97af-0ad42ca7b338) - Medium
  • Classic Load Balancer should not use default security group (RuleId: c07c9476-0e3e-45ef-8596-ca3dcee7cef6) - Medium
  • Classic Load Balancer should use a secure listening protocol (RuleId: 664ee373-cb7a-4aa6-93db-667f6a6c9590) - Medium
  • Elastic Load Balancer should have access logs enabled (RuleId: 09905d97-4075-4820-afc6-ec5ada60db46) - Medium
  • Elastic Load Balancer should have cross-zone load balancing enabled (RuleId: 62506173-0c0d-4772-a212-2ed1e431df93) - Medium
  • Elastic Load Balancer should have delete protection enabled (RuleId: 4f9b64a1-494f-40ee-b1b5-eb4a9c13bf31) - Medium
  • Elastic Load Balancer should have one or more listeners configured (RuleId: 50930efe-3e9b-4d89-8026-da840f9c906b) - Medium
  • Elastic Load Balancer should not use a default VPC (RuleId: 72a8f6d6-da07-4907-a671-009787f1e14b) - Medium
  • Elastic Load Balancer should not use default security group (RuleId: ef57998d-d4bb-46d5-8cec-5df6c7ad67fc) - Medium
  • IAM user access key should be rotated every 90 days (RuleId: 5c8c25fb7a550e1fb6560bd8) - Medium
  • IAM user account should not have administrator privileges (RuleId: 5c8c261c7a550e1fb6560c0e) - Medium
  • OpenSearch data at rest should be encrypted (RuleId: 95b2cdd3-feb3-4c4e-a4a1-877dda005a83) - Medium
  • OpenSearch domain should require HTTPS requests (RuleId: 46ce480c-3a30-45c2-8b91-85828e60ed71) - Medium
  • OpenSearch node to node encryption should be enabled (RuleId: 4f7f6670-346a-42f6-8b5d-47aff9d1745f) - Medium
  • OpenSearch zone awareness should be enabled (RuleId: 43d0530b-0e45-49a1-97aa-2d1dd094b13d) - Medium
  • Classic Load Balancer should be attached to one or more instances (RuleId: fa29cb64-9f8d-4625-a167-a9acf14d4b80) - Low
  • IAM groups should have one or more users defined (RuleId: 5c8c261a7a550e1fb6560c0b) - Low
  • IAM role for customer support should be created (RuleId: 5c8c26177a550e1fb6560c05) - Low
  • IAM root user access key should not exist (RuleId: 5c8c25fc7a550e1fb6560bda) - Low
  • IAM user credentials should be removed if inactive for 30 days or more (RuleId: 5c8c261e7a550e1fb6560c10) - Low
  • IAM users should not have policies attached (RuleId: 5c8c261b7a550e1fb6560c0c) - Low
  • OpenSearch application logging should be enabled (RuleId: d9daf307-56b9-430b-8d4d-03115c690465) - Low
  • OpenSearch index slow logging should be enabled (RuleId: b5437b0d-6476-45b6-a318-504a10b5ca1d) - Low
  • OpenSearch search slow logging should be enabled (RuleId: 4e00da2c-b031-41be-806d-2795444e4196) - Low

New Compliance Framework

The following framework was mapped to AWS, Azure and GCP rules for the first time:

  • CCPA, 2018

April 26, 2022 Rules Release

New Service: AWS Glue

  • Glue Data Catalog settings should have metadata encryption and connection passwords enabled (RuleId: 786c659a-c4d4-47e0-94ae-c8bba9d7c01e) - High
  • Glue policy should not have unrestricted access (RuleId: 12d1eea1-199f-4b4f-bf72-141214e001e8) - High
  • Glue security configuration should have S3 and CloudWatch logs encryption enabled (RuleId: 89cbbe7e-9830-41b6-98b2-54e85b96d789) - High
  • Glue jobs should have job bookmarks enabled (RuleId: e381a702-1769-445d-880e-c28252761848) - Low

New AWS Rules

  • EMR cluster should be launched in a virtual private cloud on the EC2-VPC platform (RuleId: e4464c8c-5706-4b58-9de8-8b4599d4a2be) - Medium
  • EMR cluster should have logging enabled (RuleId: f1b86939-f5aa-4f37-a652-cc6118fd3a91) - Low
  • EMR cluster should have termination protection enabled (RuleId: 50d01faf-7b4e-424f-b190-319d41dcbc94) - Low

Updated AWS Rules

The following rule received a query and trigger update for improved accuracy:

  • IAM account should not be inactive for 45 days or longer (RuleId: b6b7e70f-c1aa-4dec-8822-4189d0d67a52) - Low

The following rules received remediation steps:

  • ACM should not have certificates that are expired or expiring in the next 30 days (RuleId: 305fc570-c11e-4a76-b57a-ad75c5d27996) - High
  • CloudFormation stack should not allow unrestricted access (RuleId: 59e3dae0-b99c-4ce0-b294-56f669d166e3) - High
  • CloudFormation stack should not be configured with admin privileges (RuleId: cf6babbf-49c0-43a8-93f0-972fc83a6573) - High
  • EBS volume snapshot should be private (RuleId: 2cdb8877-7ac3-4483-9ed0-1e792171d125) - High
  • ElastiCache cluster data is not encrypted at rest (RuleId: 878d98d2-c141-4c33-895d-2f96f8c9a89a) - High
  • ElastiCache cluster in-transit encryption should be enabled (RuleId: 8c3253a0-e3de-43f2-b5ff-c5b467562460) - High
  • OpenSearch policy should not allow unrestricted access for all users (RuleId: 5f034e02-36b2-490c-943b-62f49393cb00) - High
  • ACM Certificate Transparency logging should be enabled (RuleId: 42529cd0-c4c8-462b-b890-1eaea0541058) - Medium
  • CloudFormation stack should not be in a drifted state (RuleId: 265bfe2e-0674-4858-a934-139e16460749) - Medium
  • CloudTrail log file should be encrypted (RuleId: 5c8c25e47a550e1fb6560bac) - Medium
  • DynamoDB table should have auto scaling enabled for provisioned capacity mode (RuleId: 303e26e2-ae95-4555-bce6-5f326ce5bf5f) - Medium
  • DynamoDB table should have continuous backups enabled through point-in-time recovery (RuleId: 65aa8448-9dba-45a4-af6e-2401593c9351) - Medium
  • DynamoDB table should enable encryption with a customer master key (RuleId: db7b4c32-0e11-4572-8a76-569323534f78) - Medium
  • EBS volume should be encrypted with a customer master key (RuleId: 2012a29b-a9bb-4fa3-bf8d-4405725e4fe0) - Medium
  • EC2 instance should be configured to use IMDSv2 (RuleId: ec6d20f7-dc81-4e64-98df-5b9b95abdb18) - Medium
  • EC2 instance should not use default VPC (RuleId: 111e2dc0-e803-4b32-8bfa-f44502551281) - Medium
  • EC2 security group should restrict public access to Redis Cache port (6379) (RuleId: 863b0eee-b193-11eb-8529-0242ac130003) - Medium
  • EC2 security group should restrict public access to SMTP Relay port (25) (RuleId: 5de68a58-b3fb-11eb-8529-0242ac130003) - Medium
  • EC2 security group should restrict public access to SSH port (22) (RuleId: 5c8c25ec7a550e1fb6560bbe) - Medium
  • ElastiCache cluster authentication token is disabled (RuleId: d817b2e7-f506-43b4-97e2-5e503bd2d1fd) - Medium
  • ElastiCache cluster is accessible from the public internet for any source address (RuleId: c533a4ce-5094-48b8-84d4-51bb55b8046f) - Medium
  • ACM should not have a certificate with a wildcard domain (RuleId: cccdf6ca-3d4b-48c6-96bf-12894cfa5624) - Low
  • CloudTrail log file validation should be enabled (RuleId: 5c8c25e27a550e1fb6560ba6) - Low
  • CloudTrail should be enabled (RuleId: 5c8c25e67a550e1fb6560bb0) - Low
  • CloudTrail should be enabled in all regions (RuleId: 5c8c25e87a550e1fb6560bb5) - Low
  • EC2 security group should be attached to at least one instance or group (RuleId: 5c8c25f67a550e1fb6560bd0) - Low
  • EC2 security group should not contain instance host IP addresses (RuleId: 5c8c25f67a550e1fb6560bcf) - Low
  • EC2 security group should not define a port range (RuleId: 5c8c25f77a550e1fb6560bd2) - Low
  • EC2 security group should restrict public access (RuleId: 5c8c25f77a550e1fb6560bd3) - Low
  • EC2 security group should restrict public access to Elasticsearch port (9200 and 9300) (RuleId: 18bd422d-6d42-443e-aba3-7feaea03617a) - Low
  • EC2 security group should restrict public access to FTP data port (20) (RuleId: 5c8c25eb7a550e1fb6560bbb) - Low
  • EC2 security group should restrict public access to FTP control port (21) (RuleId: 5c8c25ec7a550e1fb6560bbd) - Low
  • EC2 security group should restrict public access to Kibana port (5601) (RuleId: 44ba842d-dd19-4294-a298-f335218f2cfe) - Low
  • EC2 security group should restrict public access to Memcached UDP port (11211) (RuleId: ebc18466-9700-4720-a931-7307785ddbd6) - Low
  • EC2 security group should restrict public access to MongoDB server port (27017) (RuleId: 5c8c25ee7a550e1fb6560bc2) - Low
  • EC2 security group should restrict public access to MySQL Server port (3306) (RuleId: 5c8c25ee7a550e1fb6560bc3) - Low
  • EC2 security group should restrict public access to Oracle SQL port (1521) (RuleId: 5c8c25ea7a550e1fb6560bba) - Low
  • EC2 security group should restrict public access to Redshift port (5439) (RuleId: 5c8c25f07a550e1fb6560bc7) - Low
  • EC2 security group should restrict public access to SMB ports (445/139) (RuleId: 3f7bb56e-b196-11eb-8529-0242ac130003) - Low
  • EC2 security group should restrict public access to SQL Server port (1433) (RuleId: 5c8c25ea7a550e1fb6560bb6) - Low
  • EC2 security group should restrict public access to TCP port (8080) (RuleId: 5c8c25f17a550e1fb6560bc8) - Low
  • EC2 security group should restrict public access to Telnet port (23) (RuleId: 5c8c25ed7a550e1fb6560bc1) - Low
  • EC2 security group should restrict public access to WinRM ports (5985/5986) (RuleId: e63656f8-b18b-11eb-8529-0242ac130003) - Low
  • ElastiCache cluster is using a default VPC (RuleId: 56014666-6bb5-4496-94b4-76976babcabe) - Low
  • VPC flow logs should be enabled (RuleId: 5c8c25f97a550e1fb6560bd4) - Low

April 7, 2022 Rules Release

Updated AWS Rule

  • EBS volume should be encrypted (RuleId: baac9053-990e-4cc3-bcd4-50233f19c344) - High

Updated Compliance Framework

The following framework was refreshed with 265 new rule mappings across AWS, Azure, and GCP. The breakdown for each provider is as follows:

  • US HIPAA 164, 2017-10-01
    • 141 AWS rules added.
    • 73 Azure rules added.
    • 51 GCP rules added.

March 24, 2022 Rules Release

New AWS Rules

  • EC2 instance should not allow unrestricted inbound access (RuleId: 7de42b49-ee2a-4633-8b9f-ccea0cfd1568) - High

Updated AWS Rules

The following rule received a query update to add checks for the IncludeManagementEvents and ReadWriteType event selectors:

  • CloudTrail event for S3 bucket policy changes should have alarm configured (RuleId: 5c8c26357a550e1fb6560c2d) - High

The following rule received a query update to resolve a timeout issue:

  • ElastiCache cluster data is not encrypted at rest (RuleId: 878d98d2-c141-4c33-895d-2f96f8c9a89a) - High

The following rule received an update to its handling of public EC2 security groups:

  • EC2 instance should not have a public IP address (RuleId: 5c8c263d7a550e1fb6560c38) - High

Updated GCP Rules

The following rules received new remediation steps:

  • Project should not have a legacy network (RuleId: b0f6e060-f2a6-11ea-adc1-0242ac120002) - High
  • VM instance IP forwarding should be disabled (RuleId: cc28dfb0-f250-11ea-adc1-0242ac120002) - High
  • VM instance should block project-wide SSH keys (RuleId: f352face-dd9e-11ea-87d0-0242ac130003) - High
  • VM instance should have serial port access disabled (RuleId: 1d4edf1a-f1ee-11ea-adc1-0242ac120002) - High
  • VM instance should not use a service account with unrestricted Cloud API access (RuleId: f03bd4a2-f1e7-11ea-adc1-0242ac120002) - High
  • VM instance should not use the default app engine service account (RuleId: a30fdd53-1960-4eb9-974a-2773bc2c8ced) - High
  • VM instance should not use the default service account (RuleId: e0857d80-ed3f-11ea-adc1-0242ac120002) - High
  • VPC Flow Logs should be enabled for VPC network subnets (RuleId: 3e0e7d08-f2a9-11ea-adc1-0242ac120002) - High
  • Disk should be encrypted with a customer-supplied encryption key (RuleId: 211c7078-f28c-11ea-adc1-0242ac120002) - Medium
  • Firewall should restrict public access to RDP port (3389) (RuleId: 85a39a00-f2b2-11ea-adc1-0242ac120002) - Medium
  • Firewall should restrict public access to Redis Cache port (6379) (RuleId: dc7014f2-b18f-11eb-8529-0242ac130003) - Medium
  • Firewall should restrict public access to SSH port (22) (RuleId: 6e2fb0ac-f2ad-11ea-adc1-0242ac120002) - Medium
  • Image should be encrypted with a customer-supplied encryption key (RuleId: 5ea1f44d-b25d-411f-9102-84a273f29ce2) - Medium
  • Instance template should be configured with Shielded VM (RuleId: 59ee3efb-1074-4351-b057-3f97603d54f9) - Medium
  • Instance template should have interactive serial console access disabled (RuleId: c4d43b0d-c817-47fd-a26a-d91b71df2bd5) - Medium
  • Instance template should not be configured with external IP addresses (RuleId: 00d7996a-6f2e-4fab-91f8-a8ef7a0e7915) - Medium
  • Instance template should have OS Login enabled (RuleId: 59e3a98c-7c27-46ab-ac9e-f6fa818eb3c4) - Medium
  • Instance template should not have IP forwarding enabled (RuleId: 3323525a-d8f0-4ca4-b065-26d9b4784bff) - Medium
  • Instance template should restrict project-wide SSH keys (RuleId: 09807a0c-b718-405d-abf5-5c0e36a7d721) - Medium
  • VM instance should be configured with Shielded VM (RuleId: 12806f14-f292-11ea-adc1-0242ac120002) - Medium
  • VM instance should not be configured with an external IP address (RuleId: af8d1ab2-f299-11ea-adc1-0242ac120002) - Medium

Deprecated AWS Rules

  • EC2 instance should not allow unrestricted protocol access (RuleId: 9f32d42a-2f4f-4e2a-ae10-a3686f0ec1e2) - High
  • EC2 security group should not allow unrestricted protocol access (RuleId: 5c8c25f27a550e1fb6560bc9) - Low

March 16, 2022 Rules Release

Updated AWS Rules

The following rule received a query update:

  • ECR Public repository policy should restrict access to required users (RuleId: 26c97798-8974-11ec-a8a3-0242ac120002) - High

The following rule received a change in rule name and KB link:

  • ECS Service tasks should not have access to EC2 instance metadata (RuleId: 1c9b757e-7c63-497a-a555-54129cbb9dd1) - Medium

Updated Azure Rules

The following rule received a change in KB link:

  • MySQL Flexible server should have the latest TLS version (RuleId: f7e6fa0f-f59b-465a-b297-b5ad3e9cefab) - Medium

Updated GCP Rules

The following rule received a change in KB link:

  • GCR user access should be restricted (RuleId: 7984a600-6d33-11eb-9439-0242ac130002) - Medium

New Compliance Framework

The following framework was mapped to AWS, Azure, and GCP rules for the first time.

  • HITRUST CSF, version 9.5.0

Deprecated Compliance Framework

The following framework is deprecated:

  • CIS Azure Foundations Benchmark, version 1.2.0

March 4, 2022 Rules Release

New Services - AWS Organization

  • Account should be a member of an Organization (RuleId: 9757f255-2410-4d03-9ba6-67d8a8ae10bc) - Medium
  • Organization service control policy should restrict access to all services when attached to other resources (RuleId: ea804e4b-edd3-4282-9e40-173ac9267b19) - Medium
  • Organization should have all features enabled (RuleId: 8b672fd8-dce1-40c0-b84c-09aa1fe432e5) - Low

New AWS Rules

  • Cognito user pool client should have direct user/password authentication flows disabled (RuleId: d57ec353-4721-4767-a986-aed0ad804bfe) - Medium
  • Cognito user pool client should not indicate if user is registered (RuleId: 4e038c40-3e96-4fcf-802c-a31d4f175ec4) - Medium

Updated AWS Rules

The following rules received query and KB updates for CloudTrail event alarm metric filter pattern configurations:

  • CloudTrail event for unauthorized API access attempts should have alarm configured (RuleId: 5c8c26377a550e1fb6560c30) - Medium
  • CloudTrail event for AWS Console logins without MFA should have alarm configured (RuleId: 5c8c262a7a550e1fb6560c21) - Medium

Deprecated AWS Rules

The following rule is deprecated because it duplicated the rule "CloudWatch monitoring should be configured for any changes in AWS Config settings" (RuleId: 64334788-3bc0-11eb-adc1-0242ac120002) - Low:

  • CloudTrail event for AWS Config changes should have alarm configured (RuleId: 5c8c26267a550e1fb6560c1b9) - Low

February 24, 2022 Rules Release

New AWS Rules

  • ECR Public repository policy should restrict access to required users (RuleId: 26c97798-8974-11ec-a8a3-0242ac120002) - High
  • ECR Public repository policy should restrict push access to required users (RuleId: b0024250-8975-11ec-a8a3-0242ac120002) - High

New GCP Rules

  • BigQuery data set should be encrypted with customer managed encryption key (RuleId: 8779a3b1-4012-44c6-a8de-50d79f89021c) - Medium
  • Cloud DNS policy should log for all VPC networks (RuleId: 9d5f1432-a3e8-4b66-80dd-eab114e14c7c) - Medium
  • Firewall rule for instance behind an Identity Aware Proxy (IAP) should only allow traffic from health check and proxy addresses (RuleId: f1660eae-98bf-4fcb-82ae-ec3c0e3dab0d) - Medium
  • Cloud SQL for MySQL database instance should have the skip_show_database flag enabled (RuleId: ec7db329-4edf-443c-b8ca-c27c4969b411) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_duration flag enabled (RuleId: 247937fc-a018-4e45-a76c-913f476b168e) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_error_verbosity flag set to default or stricter (RuleId: 886dd76d-4437-4901-94ab-b6daf7df290d) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_executor_stats flag disabled (RuleId: bbe84b21-7fe2-4583-bc40-3ca1e7f2f242) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_hostname flag disabled (RuleId: 00349301-943d-4b39-aa15-f0bf941a8633) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_min_error_statement flag set to error or stricter (RuleId: f6cba398-2dab-423c-866b-e4ab2c654050) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_planner_stats disabled (RuleId: 4e4cc4e7-f50f-4d6a-adef-999831bb531d) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_statement flag set to ddl (RuleId: 0c243f61-a6ff-4e2d-91c9-9087fdd86bee) - Low
  • Cloud SQL for PostgreSQL database instance should have the log_statement_stats flag disabled (RuleId: 8d8f1019-9d32-42c6-b7c2-43e8b73888e1) - Low
  • Cloud SQL for SQL Server database instance 3625 trace log should be disabled (RuleId: 6485e8d9-b98b-4996-8886-8a0684a8019f) - Low
  • Cloud SQL for SQL Server database instance external scripts should be disabled (RuleId: bd7fedf2-93e6-44d6-bfa6-8246933e2648) - Low
  • Cloud SQL for SQL Server database instance remote access should be disabled (RuleId: 771ca73a-91ca-4734-a797-78ca6ed6b9b1) - Low
  • Cloud SQL for SQL Server database instance user connections should be configured for a valid number of users (RuleId: a9813ebe-ca53-4d99-8e88-9f97c7e88665) - Low
  • Cloud SQL for SQL Server database instance user options should not be configured (RuleId: fe40e8b4-79a5-4c8d-8684-327eb8d62ca2) - Low

Updated AWS Rules

The following rule received query and trigger updates to add filters for AWS Managed Policy:

  • IAM user, group, or role should require SSL/TLS when managing or viewing IAM access keys (RuleId: d42158b9-c08d-4983-bade-5d5f478ce3bc) - High

The following rule received a query update to improve accuracy:

  • WorkSpaces workspace should have volume encryption enabled (RuleId: b0ff08a5-148b-421c-9ca9-9ec3080bb9d9) - Medium

New Compliance Framework

  • CIS GCP Foundations Benchmark, version 1.2.0

February 17, 2022 Rules Release

Updated AWS Rule

The following rule received a query update to show connected subnets for a given DB Instance:

  • RDS DB instance should restrict public access (RuleId: 5c8c26467a550e1fb6560c48) - High

February 10, 2022 Rules Release

New Service - Amazon Cognito

  • Cognito user pool should have advanced security enabled (RuleId: 32e039e8-2539-42a6-acf4-dd04d2546157) - Low
  • Cognito user pool should have multi-factor authentication enabled (RuleId: 27189d80-b788-436a-8735-85a134ef0315) - Low

New AWS Rules

  • RDS DB cluster should have automatic minor version upgrades enabled (RuleId: 82b3358c-3acd-4cf2-a394-97558cb04d3e) - High
  • RDS DB cluster should have encryption enabled (RuleId: 301daea0-43af-4f17-b658-271f8d9b1a50) - High
  • RDS DB cluster should not have password authentication enabled (RuleId: 65682478-8f41-42b3-9ce1-947cc4d6598c) - Medium
  • RDS DB cluster backup retention period should be greater than 30 days (RuleId: fe3e6365-03c4-4502-bdf8-74e7dafa085d) - Low

Updated AWS Rules

The following rules received query updates to capture violations on RDS DB instances that are not managed by an RDS DB cluster:

  • RDS DB instance should have automatic minor version upgrades enabled (RuleId: 5c8c264a7a550e1fb6560c4c) - High
  • RDS DB instance should have encryption enabled (RuleId: 5c8c26467a550e1fb6560c46) - High
  • RDS DB instance should restrict public access (RuleId: 5c8c26467a550e1fb6560c48) - High
  • RDS DB instance should not have password authentication enabled (RuleId: 5d488bda-4f6f-4f0d-a37b-935941641130) - Medium
  • RDS DB instance backup retention period should be greater than 30 days (RuleId: 5c8c264a7a550e1fb6560c4d) - Low
  • RDS DB instance should be configured to copy tags to snapshot (RuleId: 930f940f-5a82-4a54-8776-58480a9eaaef) - Low
  • RDS DB instance should not have deletion protection disabled (RuleId: 95b2648a-f699-4425-81f9-57f8f4584fc1) - Low
  • RDS DB instance should not use a database engine default port (RuleId: a3ed4fd1-eaa9-4947-8061-e95be99088f6) - Low

The following rules received a change in display name:

  • RDS DB snapshot should have encryption enabled (RuleId: 5c8c26497a550e1fb6560c4b) - High
  • RDS DB cluster should be configured for multiple Availability Zones (RuleId: 18d82921-696c-4053-9c69-01f1fe4fcd7c) - Medium
  • RDS DB cluster should not use a database engine default port (RuleId: cf2d7f4c-2695-4128-951a-710675ba2b5d) - Low

The following rules received query and trigger updates to filter service-role and reserved-role from IAM role checks:

  • IAM user, group, or role should restrict IAM access key permissions (RuleId: 6b67bc0d-73c3-441a-b474-ddbee36dd42c) - High
  • IAM user, group, or role should have MFA permissions restricted (RuleId: bdc54b11-ece6-44b4-92a6-2bd3783fd0f2) - High
  • IAM user, group, or role should require SSL/TLS when managing or viewing IAM access keys (RuleId: d42158b9-c08d-4983-bade-5d5f478ce3bc) - High
  • IAM user, group, or role should generally not have access to update Lambda function configuration (and layers) (RuleId: c0a3957a-4f44-426d-bbcb-a64cba21ed20) - Medium
  • IAM user, group, or role should generally not have access to update Lambda function versions (RuleId: 839ce1d3-d96c-475c-9787-164560f8a106) - Medium
  • IAM user, group, or role should not have access to create and configure Lambda functions with IAM roles for cross-account access (RuleId: 5932b183-dd61-46fe-af40-e4105f5c8189) - Medium
  • IAM user, group, or role should not have access to create Glue Development endpoints with IAM roles (RuleId: d9c662ba-b854-4072-9411-ef6f68f61f15) - Medium
  • IAM user, group, or role should not have access to create Lambda functions with IAM roles and configure the functions as DynamoDB triggers (RuleId: d2075105-4b00-4e3c-8573-0f62d256e90d) - Medium

February 3, 2022 Rules Release

New Azure Rules

  • Storage account should be set with the latest TLS version (RuleId: 5543c923-7ce6-4ddb-bd17-dca1fcc3d6e2) - High
  • MySQL Flexible server should have TLS version set to TLS Version 1.2 (RuleId: f7e6fa0f-f59b-465a-b297-b5ad3e9cefab) - Medium
  • PostgreSQL server infrastructure double encryption should be enabled (RuleId: ddf0dbc4-4e0c-4697-b6f2-9c1807c4da28) - Medium
  • Virtual Machine should have extensions that are provisioned successfully (RuleId: 1790b003-3bc6-4cd3-82e8-9250dadb9aad) - Low

Updated Azure Rules

The following rules received updates to remediation steps:

  • Storage container for activity logs should restrict public access (RuleId: 7de59b4e-aa94-11ea-bb37-0242ac130002) - High
  • Security contact email addresses should be set (RuleId: 5c8c267f7a550e1fb6560c9f) - High
  • App Service Authentication should be enabled (RuleId: 20ba4048-9457-4999-9f42-38b06ef1a538) - Medium
  • Key Vault logging should be enabled (RuleId: 5c8c26687a550e1fb6560c72) - Medium
  • App Service resources should have Azure Defender enabled (RuleId: 9cda959b-d4d9-4cf4-af65-7f48417848ea) - Medium
  • Container registries should have Azure Defender enabled (RuleId: ccd026c2-d24f-4edd-9611-a44692d04907) - Medium
  • Key Vault resources should have Azure Defender enabled (RuleId: 80b47c29-c6db-4dac-bcc1-1e441a42c4d2) - Medium
  • Kubernetes resources should have Azure Defender enabled (RuleId: 602d5204-d78b-42ee-a2c0-7571052dd272) - Medium
  • Server resources should have Azure Defender enabled (RuleId: 577792f3-88e2-4443-bda0-53fc404e82bf) - Medium
  • Storage account blob service should be configured with soft delete (RuleId: 643eb5fc-7747-4df4-b217-41c4e97e0c07) - Medium
  • Storage account for activity logs should be encrypted with customer-managed key (RuleId: ef8a23c0-aa9c-11ea-bb37-0242ac130002) - Medium
  • Storage account should be configured for access from trusted Microsoft services (RuleId: 7ba94354-ab4c-11ea-bb37-0242ac130002) - Medium
  • Storage encryption should be enabled (RuleId: 5c8c26847a550e1fb6560cad) - Medium
  • Storage resources should have Azure Defender enabled (RuleId: b99caf1a-16f9-4c10-846c-d31c78f563b0) - Medium
  • SQL server should have Advanced Data Security (ADS) and Advanced Threat Protection (ATP) enabled (RuleId: 5c14c779-7d1d-4e8f-8811-f5479d174f46) - Medium
  • SQL server should have TDE protector encrypted with customer-managed key (RuleId: 7406e56f-bbf0-4571-8e50-21bd344e0fdb) - Medium
  • SQL servers on machines should have Azure Defender enabled (RuleId: 33a5948a-8973-4205-9c3e-7a5824104fa6) - Medium
  • Microsoft Monitoring Agent auto provisioning should be enabled (RuleId: 5c8c26797a550e1fb6560c97) - Medium
  • Microsoft Cloud App Security should be enabled (RuleId: ccd5b008-127d-11eb-adc1-0242ac120002) - Low
  • Microsoft Defender Advanced Threat Protection should be enabled (RuleId: e7aa5db6-127d-11eb-adc1-0242ac120002) - Low
  • Security alert emails should be enabled (RuleId: 5c8c26817a550e1fb6560ca3) - Low
  • Security alert emails should be enabled for security policy subscribers (RuleId: 5c8c26817a550e1fb6560ca5) - Low
  • SQL database should have Azure Defender for SQL enabled (RuleId: 5c8c26937a550e1fb6560ccc) - Low

New Compliance Framework

The following framework was mapped to CIS Azure controls for the first time:

  • CIS Azure Benchmark V1.4.0

January 27, 2022 Rules Release

New Azure Rules

  • Storage account should be set with the latest TLS version (RuleId: 5543c923-7ce6-4ddb-bd17-dca1fcc3d6e2) - High
  • MySQL Flexible server should have TLS version set to TLS Version 1.2 (RuleId: f7e6fa0f-f59b-465a-b297-b5ad3e9cefab) - Medium
  • PostgreSQL server infrastructure double encryption should be enabled (RuleId: ddf0dbc4-4e0c-4697-b6f2-9c1807c4da28) - Medium
  • Virtual Machine should have extensions that are provisioned successfully (RuleId: 1790b003-3bc6-4cd3-82e8-9250dadb9aad) - Low

Updated Azure Rules

The following rules received updates to remediation steps:

  • Storage container for activity logs should restrict public access (RuleId: 7de59b4e-aa94-11ea-bb37-0242ac130002) - High
  • Security contact email addresses should be set (RuleId: 5c8c267f7a550e1fb6560c9f) - High
  • App Service Authentication should be enabled (RuleId: 20ba4048-9457-4999-9f42-38b06ef1a538) - Medium
  • Key Vault logging should be enabled (RuleId: 5c8c26687a550e1fb6560c72) - Medium
  • App Service resources should have Azure Defender enabled (RuleId: 9cda959b-d4d9-4cf4-af65-7f48417848ea) - Medium
  • Container registries should have Azure Defender enabled (RuleId: ccd026c2-d24f-4edd-9611-a44692d04907) - Medium
  • Key Vault resources should have Azure Defender enabled (RuleId: 80b47c29-c6db-4dac-bcc1-1e441a42c4d2) - Medium
  • Kubernetes resources should have Azure Defender enabled (RuleId: 602d5204-d78b-42ee-a2c0-7571052dd272) - Medium
  • Server resources should have Azure Defender enabled (RuleId: 577792f3-88e2-4443-bda0-53fc404e82bf) - Medium
  • Storage account blob service should be configured with soft delete (RuleId: 643eb5fc-7747-4df4-b217-41c4e97e0c07) - Medium
  • Storage account for activity logs should be encrypted with customer-managed key (RuleId: ef8a23c0-aa9c-11ea-bb37-0242ac130002) - Medium
  • Storage account should be configured for access from trusted Microsoft services (RuleId: 7ba94354-ab4c-11ea-bb37-0242ac130002) - Medium
  • Storage encryption should be enabled (RuleId: 5c8c26847a550e1fb6560cad) - Medium
  • Storage resources should have Azure Defender enabled (RuleId: b99caf1a-16f9-4c10-846c-d31c78f563b0) - Medium
  • SQL server should have Advanced Data Security (ADS) and Advanced Threat Protection (ATP) enabled (RuleId: 5c14c779-7d1d-4e8f-8811-f5479d174f46) - Medium
  • SQL server should have TDE protector encrypted with customer-managed key (RuleId: 7406e56f-bbf0-4571-8e50-21bd344e0fdb) - Medium
  • SQL servers on machines should have Azure Defender enabled (RuleId: 33a5948a-8973-4205-9c3e-7a5824104fa6) - Medium
  • Microsoft Monitoring Agent auto provisioning should be enabled (RuleId: 5c8c26797a550e1fb6560c97) - Medium
  • Microsoft Cloud App Security should be enabled (RuleId: ccd5b008-127d-11eb-adc1-0242ac120002) - Low
  • Microsoft Defender Advanced Threat Protection should be enabled (RuleId: e7aa5db6-127d-11eb-adc1-0242ac120002) - Low
  • Security alert emails should be enabled (RuleId: 5c8c26817a550e1fb6560ca3) - Low
  • Security alert emails should be enabled for security policy subscribers (RuleId: 5c8c26817a550e1fb6560ca5) - Low
  • SQL database should have Azure Defender for SQL enabled (RuleId: 5c8c26937a550e1fb6560ccc) - Low

New Compliance Framework

The following framework was mapped to CIS Azure controls for the first time:

  • CIS Azure Benchmark V1.4.0

January 20, 2022 Rules Release

New Azure Rules

  • Virtual machine should restrict public access to custom Python port (8000) (RuleId: 5b14fe7c-fdc9-46ab-9020-81efeb2d51e1) - High
  • Virtual machine should restrict public access to IMAP data port (143) (RuleId: c90b028f-bd65-481e-b202-9cec1b44693e) - High
  • Virtual machine should restrict public access to Oracle Database Enterprise Manager data port (5500) (RuleId: f0261693-4279-4799-b595-61f5663ee747) - High
  • Virtual machine should restrict public access to POP3 data port (110) (RuleId: eaebe087-6bc2-42b4-b541-78bc815905ec) - High
  • Virtual machine should restrict public access to Python web development data port (5000) (RuleId: 8448d25f-283b-4cb4-8dce-39a6763ef257) - High
  • Virtual machine should restrict public access to Resource Manager web UI port (8088) (RuleId: a1dd9d62-f877-4e10-8d86-6616e03a4a30) - High
  • Virtual machine should restrict public access to Resource Manager web UI port (8888) (RuleId: 5eed44af-b376-47ee-ae7f-0893b566d1cf) - High
  • Virtual machine should restrict public access to RPC data port (135) (RuleId: 0b86619c-434c-42dc-9e23-0063ef937de2) - High
  • Virtual machine should restrict public access to websites data port (3000) (RuleId: 3822f631-b06e-4f1c-ad19-48e619e9b371) - High
  • Network security group should restrict public access to alternative HTTP port (8888) (RuleId: 641f253a-daba-48e3-82b1-e05120910f2a) - Medium
  • Network security group should restrict public access to custom Python web development port (8000) (RuleId: 19f07aa6-f631-4cb7-a0b3-9a600414ea2a) - Medium
  • Network security group should restrict public access to IMAP port (143) (RuleId: aa27203f-fd5c-468f-9046-5264f83616fa) - Medium
  • Network security group should restrict public access to POP3 port (110) (RuleId: 2d9803c0-5a99-45a4-b3d1-7853368285b3) - Medium
  • Network security group should restrict public access to Oracle Database Enterprise Manager data port (5500) (RuleId: 673c63a9-fec1-476e-b772-f30d7e344a75) - Medium
  • Network security group should restrict public access to Python web development port (5000) (RuleId: 5b5ad2f0-e9ff-45ff-b51d-a4472dfde9a4) - Medium
  • Network security group should restrict public access to Resource Manager Web UI port (8088) (RuleId: cc561df4-36f2-4666-8329-3bdad978e216) - Medium
  • Network security group should restrict public access to RPC port (135) (RuleId: 263a967d-9cb3-4927-88b4-e5afac5a4e05) - Medium
  • Network security group should restrict public access to websites port (3000) (RuleId: 0b47e86b-9513-4dc7-88c8-347132c72ce7) - Medium

New GCP Rules

  • VM instance should restrict public access to App Engines like Go, Node.js, Java and Ruby Web Development control port (3000) (RuleId: 42cf393c-833d-462c-b2c5-ee6f3fae9908) - High
  • VM instance should restrict public access to IMAP port (143) (RuleId: 36adcaa9-d4ad-42df-b6e6-bc6815e88181) - High
  • VM instance should restrict public access to Load Balancer port (8088) (RuleId: bc1c8ed7-5f36-4129-aac9-b2be9dfa98a4) - High
  • VM instance should restrict public access to MSSQL port (1434) (RuleId: de1b3282-998d-4363-a554-dbd4879bc54b) - High
  • VM instance should restrict public access to POP3 port (110) (RuleId: 30a26410-b76d-4f4d-b738-180ada58d534) - High
  • VM instance should restrict public access to RPC port (135) (RuleId: 18a19c62-28a8-4007-8abc-f43172c0ee1e) - High
  • Firewall should restrict public access to App Engines like Go, Node.js, Java and Ruby Web Development control port (3000) (RuleId: e0830c02-21de-4758-a826-e03e9b6f1ca8) - Medium
  • Firewall should restrict public access to IMAP control port (143) (RuleId: 39fbbb77-cf04-4280-aace-4c6d19329c35) - Medium
  • Firewall should restrict public access to Load Balancer control port (8088) (RuleId: 24693779-7c32-4246-9e7c-4fc96c5d2c64) - Medium
  • Firewall should restrict public access to MSSQL control port (1434) (RuleId: 49e091ed-7824-4beb-8245-f46852bcb896) - Medium
  • Firewall should restrict public access to POP3 control port (110) (RuleId: 10785849-1666-433c-9f08-8e63cd7c2d34) - Medium
  • Firewall should restrict public access to Python App Engine control port (5000) (RuleId: 3b8a9c61-cfde-4817-8c24-c94b366a96a6) - Medium
  • Firewall should restrict public access to RPC control port (135) (RuleId: b5c3d88e-5974-4762-915b-101ab67b6e32) - Medium

Updated AWS Rules

The following rule received a query and trigger update:

  • RDS DB instance should be deployed in VPC (RuleId: 3c1476e2-5480-4eb5-ae8d-800c887ea813) - High

The following rule was replaced with a new rule (password authentication should not be enabled for an RDS DB instance; instead, the instance can use IAM database authentication or custom authentication through Kerberos):

  • RDS DB instance should not have IAM database authentication disabled (RuleId: af19173e-8beb-4a38-aa71-342231d583df) - Medium -> RDS DB instance should not have password authentication enabled (RuleId: 5d488bda-4f6f-4f0d-a37b-935941641130) - Medium

January 6, 2022 Rules Release

New Service - Amazon WorkSpaces

  • WorkSpaces directory should have IAM roles with restricted permissions (RuleId: 16e0581d-14da-4780-9a15-20c686b402c3) - High
  • WorkSpaces workspace should have volume encryption enabled (RuleId: b0ff08a5-148b-421c-9ca9-9ec3080bb9d9) - Medium

New AWS Rules

  • IAM user or role should not have an administrative policy as permissions boundary (RuleId: 57629c1f-a6d0-40e0-9474-9f11bc958e8f) - High
  • IAM user or role should not have permission to delete their own permissions boundary (RuleId: 7b8aab5b-5ca8-4e8a-9a89-d53d683d26b0) - High

New Azure Rules

  • SQL Server should be configured with firewall and virtual network rule (RuleId: 47d17995-2026-46af-bd8d-e23f26764432) - High
  • SQL Server should be configured with restricted access from other azure services and resources (RuleId: 8e70dd36-83c0-41d7-81ec-e470a3df23c5) - High

Updated AWS Rules

In response to a recent AWS update, the following rules received a service name change from Elasticsearch to OpenSearch in their descriptions, display names, and knowledge base articles:

  • Firehose delivery stream destination associated with S3 bucket should have restricted access (RuleId: bda0713a-6e4f-426d-a409-10527f1a5da2) - High
  • Firehose delivery stream should have IAM roles with restricted permissions (RuleId: 0d1aa184-e8c9-4ba7-9b5d-9f99672b5026) - High
  • OpenSearch service domain should restrict public access (RuleId: 42176a6a-06e2-4897-a53b-89189b110b9f) - High
  • OpenSearch policy should not allow unrestricted access for all users (RuleId: 5f034e02-36b2-490c-943b-62f49393cb00) - High
  • OpenSearch policy should not allow unrestricted traffic from all IP addresses (RuleId: c2e77784-0dc8-4ddc-bcd0-10ca3b989234) - High
  • Firehose delivery stream destination should use an encrypted S3 bucket (RuleId: 8b76d13b-8c3a-4c4a-8993-a0e6f9af46c7) - Medium
  • Firehose delivery stream should have server side encryption enabled (RuleId: 77485161-b61f-4c11-b160-48c59ede5ed2) - Medium
  • OpenSearch domain should be encrypted with TLS-1.2 (RuleId: 53ca72de-a66e-4107-8ac5-56998aa0b221) - Medium
  • OpenSearch application should have at least three data nodes (RuleId: 8b1c727b-4e96-40cc-8141-b550ba8e3fad) - Medium
  • OpenSearch data at rest should be encrypted (RuleId: 95b2cdd3-feb3-4c4e-a4a1-877dda005a83) - Medium
  • OpenSearch domain should be configured with at least three dedicated master nodes (RuleId: 4b5a5862-4c5d-4bcc-863d-dfa609395c52) - Medium
  • OpenSearch domain should require HTTPS requests (RuleId: 46ce480c-3a30-45c2-8b91-85828e60ed71) - Medium
  • OpenSearch node to node encryption should be enabled (RuleId: 4f7f6670-346a-42f6-8b5d-47aff9d1745f) - Medium
  • OpenSearch zone awareness should be enabled (RuleId: 43d0530b-0e45-49a1-97aa-2d1dd094b13d) - Medium
  • Firehose delivery stream should have destination error logs enabled (RuleId: edad94df-ff76-4c26-a30e-c177badcd53a) - Low
  • OpenSearch application logging should be enabled (RuleId: d9daf307-56b9-430b-8d4d-03115c690465) - Low
  • OpenSearch audit logging should be enabled (RuleId: 800e2c67-ccc3-4a3e-a030-c321aad59f6a) - Low
  • OpenSearch index slow logging should be enabled (RuleId: b5437b0d-6476-45b6-a318-504a10b5ca1d) - Low
  • OpenSearch search slow logging should be enabled (RuleId: 4e00da2c-b031-41be-806d-2795444e4196) - Low

Updated Compliance Frameworks

The following frameworks received new controls for AWS, Azure, and GCP rules:

  • CSA CCM, version 3.0.1
  • CSA CCM, version 4.0.3