As previously announced, VMware Aria Automation for Secure Clouds has become part of VMware Tanzu Guardrails (formerly Aria Guardrails). Existing customers can continue to use VMware Aria Automation for Secure Clouds and receive Customer Success support until the end of their existing subscription term. Existing customers also now have access to VMware Tanzu Guardrails and new feature updates will happen in Tanzu Guardrails. For any further inquiries, please contact your Customer Success Manager.

As part of the move to VMware Tanzu Hub, the following VMware Automation for Secure Clouds features are now available in VMware Tanzu Hub as well.

The following features have been released for VMware Tanzu Guardrails and are available through VMware Tanzu Hub.

We are excited to announce that another VMware Aria Automation for Secure Clouds feature is available in VMware Tanzu Hub! You can now easily create a custom posture policy by saving your Explore Search SSQL query in Tanzu Hub. Using Explore Search to create new custom policies allows you to create and validate SSQL search queries to explore your cloud inventory before saving the query as a policy. For more information on creating custom posture policies, refer to the product documentation. 

This update is part of the VMware Aria Automation for Secure Clouds move to the VMware Tanzu Hub platform. Stay tuned for more updates as we continue to migrate additional features over to Tanzu Hub.

We are excited to provide you access to new features as part of your VMware Aria Automation for Secure Clouds subscription. These features are available through access to the VMware Aria Hub > Governance tab.

To access VMware Aria Hub, login to https://console.cloud.vmware.com/and click on “Launch Service” from the VMware Aria Hub card on the page. Make sure you have access to “VMware Aria Hub”,” "VMware Aria Guardrails”, and "VMware Aria Automation for Secure Cloud”. You can check your access by checking the service roles in My Account Roles - VMware Cloud Services.

With access to these additional capabilities, you can:

• Establish Landing Zones by creating new AWS and Azure accounts with pre-defined policies. Provision compliant accounts using Infrastructure as Code (Iac) templates which allows to set policies and enable governance tools proactively. Learn more.

• Monitor drift from the desired state declared using IaC templates during provisioning and enforce policies: You can choose to monitor drift from the desired policy configurations or remediate drift continuously by leveraging event-driven detection and automated remediation.

• Centralized visibility of policy violations and drift across multiple cloud accounts and policy engines: For users who are monitoring drift from the desired policy configurations in their accounts declared using policy templates, the drift alerts, and findings available in Aria Automation for Secure Clouds are now in a single dashboard. Learn more. 

• Policy management using templates: Out of the box policy templates that can be used to configure pre-defined policy configurations for your cloud accounts include bootstrap, security, network, cost, performance, and config. You can also customize templates as per the organization’s unique needs. Learn more.

For more details, refer to the product documentation. 

We are excited to announce support for two Amazon services, DocumentDB and FSx. You can now view DocumentDB and FSx resources in your inventory and manage any potential risks and misconfigurations for these resources using the newly published ruleset.

New DocumentDB Ruleset:

• DocumentDB cluster should be encrypted using customer managed key (RuleId: 71a34b4b-984c-4a86-810c-57016e36bebc) - High

• DocumentDB cluster should have encryption enabled (RuleId: 11390bea-0b54-4997-9831-96c3da024923) – High

• DocumentDB snapshot should have encryption enabled (RuleId: ad20b451-d780-4cd8-a5d3-361529c463ac) – High

• DocumentDB cluster backup retention period should be greater than or equal to 30 days (RuleId: 1d336634-43c4-43bd-8b91-282d6a4c142e) - Low

• DocumentDB cluster should not have deletion protection disabled (RuleId: 89f1e1b0-bb33-42ff-8ecf-68146c13d8cd) - Low

• DocumentDB cluster should not use a database engine default port (RuleId: f5f42879-f5f6-4658-b457-d2d0c25550fb) - Low

• DocumentDB event notifications subscription should be configured for critical cluster events (RuleId: beb0af93-7836-4efc-843a-183c41d570cd) - Low

• DocumentDB event notifications subscription should be configured for critical database instance events (RuleId: ee5f739e-a663-49b8-b962-125d42cb0922) - Low

• DocumentDB event notifications subscription should be configured for critical database parameter group events (RuleId: 39b494cd-bb7c-4f4d-89dd-2e1c96f5cb73) - Low

• DocumentDB event notifications subscription should be configured for critical database security group events (RuleId: 61293976-e499-4c15-90cb-58d9d939fd74) – Low

New FSx Ruleset:

• FSx file system should be encrypted with a customer managed key (RuleId: 5082c609-e763-4ae3-86fd-26f98feee05b) - Medium

• FSx file system should have automatic backups enabled (RuleId: b02d28a2-894e-4ce0-9259-1f681ca95363) - Medium

• FSx for Lustre file system should have logging enabled (RuleID: 6e1ed4f4-85a1-44dd-aaa0-b581c9225820) - Low

• FSx for Windows File Server file system should have audit logging enabled (RuleId: d0e431ea-7c5b-4892-9d00-7405bbec1017) - Low

The FedRAMP compliance framework is now available in VMware Aria Automation for Secure Clouds. FedRAMP leverages the National Institute of Standards and Technology’s (NIST) guidelines, specifically NIST’s Special Publication [SP] 800-53 - Security and Privacy Controls for Federal Information Systems and Organization series, baselines, and test cases. 

The FedRAMP Draft Rev. 5. Baselines were released on December 20th, 2021, and align with NIST’s Rev. 5 update. FedRAMP controls and enhancements were selected from the 800-53 Revision 5 catalog and FedRAMP also added standards above the NIST guidelines for low, moderate, and high systems.  Controls were selected to address the unique risks of cloud computing environments, including but not limited to multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.

This release supports the following control groups:

• Access Control

• Audit and Accountability 

• Assessment, Authorization, and Monitoring

• Configuration Management 

• Contingency Planning

• Identification and Authentication

• Incident Response

• Risk Assessment

• System and Services Acquisition

• System and Communications Protection 

• System and Information Integrity 

We are excited to announce the public beta of Cloud Entitlement Management for AWS. With bi-directional visibility into the relationships between cloud identities, entitlements, and resources, users can now manage excess permissions and identify sensitive cloud entitlements that could lead to risky conditions such as a credential exposure across cloud infrastructure. Users are able to:

• Visualize and categorize what human or machine identities are entitled to access a cloud resource. To view cloud entitlements by resource, you can go to Findings > Click on resource with finding> Entitlements.

• Determine which principals have access to a specific resource and understand the cloud entitlements for that principal. To explore cloud entitlements for a principal, you can go to Explore > Entitlements.

For more information, please refer to the product documentation. 

Customers can now leverage the integration with the Amazon Security Lake service to conveniently  correlate cloud resource misconfiguration data generated in VMware Aria Automation for Secure Clouds with logs from other platforms using the analytics tool of their choice. Customers can create alerts in VMware Aria Automation for Secure Clouds to export findings data in the Open Cybersecurity Schema Framework (OCSF) compliant format to Amazon Security Lake, which centralizes, normalizes and combines security data from multiple sources into a purpose-built data lake that is stored in customer’s AWS account. 

This integration is enabled through specific configuration via our outbound S3 integration. Check out the updated product documentation for more information on how to set up the integration to the Amazon Security Lake dedicated S3 bucket.

We are excited to announce that the inbound integration for GCP Security Command Center is now available in public beta! 

Inbound integrations make it easier to correlate information between cloud resource configurations, posture misconfigurations, threats, and vulnerabilities. When configured, an inbound integration enables ingestion of security findings from external sources such as Amazon GuardDuty, Amazon Inspector, and Azure Defender.  

Threat and vulnerability findings from the GCP Security Command Center can now be ingested and correlated by VMware Aria Automation for Secure Clouds, providing an additional layer of security insights and enabling security and operational teams to match cloud configurations to host vulnerabilities from one GUI or report.

GCP Security Command Center can be configured in a few short steps. You can choose which accounts to ingest findings into VMware Aria Automation for Secure Clouds under Settings > Integrations > GCP Security Command Center. To view the findings along with other VMware Aria Automation for Secure Clouds findings, navigate to the various Findings views and choose “GCP Security Command Center” in the finding source filter. To learn more about the GCP Security Command Center, please see the product documentation.

VMware Aria Automation for Secure Clouds is introducing new collectors for AWS Cost Explorer and AWS Budgets to support new resources in your cloud inventory. If you are using these services and want to monitor these resources for your onboarded accounts, you must add an inline policy to your IAM role with the necessary permissions. We use the SecurityAudit Policy and these actions are not currently available in the AWS managed policy.

To monitor resources in the AWS Budget service, add these permissions to an inline policy:

• budgets:DescribeBudgetAction

• budgets:DescribeBudgetActionsForBudget

• budgets:ViewBudget

To monitor resources in the AWS Cost Explorer service, add these permissions to an inline policy:

• ce:DescribeCostCategoryDefinition

• ce:GetAnomalyMonitors

• ce:GetAnomalySubscriptions

• ce:GetCostCategories

• ce:ListTagsForResource

• ce:ListCostCategoryDefinitions

You can also find these instructions in the onboarding documentation for AWS.

The VMware Aria Automation for Secure Clouds team has been converting native SSQL rule queries from Gremlin to SSQL to help increase the transparency of our supported rules. We have converted 587 of 1195 (~50%) native rules. You can now easily view and reference the SSQL rule query for all translated native rules in the Rules detail page. To further explore the rule query, open the query in Explore to modify and save the rule as a new custom rule. 

For more information on rules properties and rules management, please refer to the product documentation.

Cloud Entitlements enable principals (users and services) to access and perform actions in the cloud environment. Often these entitlements are inadvertently or unknowingly configured to be too permissive. As a result, cloud resources are misconfigured or worse become accessible by bad actors. Once configured, it may be complex to understand and troubleshoot issues in large environments. 

Late last year VMware Aria Automation for Secure Clouds introduced Cloud Entitlements management to help simplify the understanding of complex cloud entitlements, enabling users to review entitlements and see the effective permissions a principal has on a resource.

We are excited to announce that the Entitlements Management private beta now supports Entitlements by Resource. This allows you to determine which principals have access to a specific resource. From there you can dive in and understand the entitlements for that principal. For AWS resources, you will now see cloud entitlements when searching for resources in Explore, when looking at the findings for a specific resource, or when browsing asset inventory.  

If you're registered for the beta, this new capability has already been enabled for you. If you're interested in joining the beta, please request access here.

We are excited to announce the availability of the CIS GCP Foundations Benchmark Framework, version 2.0.0.

Updates include:

• New rules:

  • IAM user should not have Service Account Admin and Service Account User roles assigned together (RuleId: fed8c3d8-6828-445f-ae35-e14ead6b69da) - High

  • IAM user should not have the Cloud KMS Admin role assigned together with the Cloud KMS CryptoKey Encrypter/Decrypter, Cloud KMS CryptoKey Encrypter, or Cloud KMS CryptoKey Decrypter roles (RuleId:2f05cfc2-3559-4a5d-9e07-8472f5065315) - High

  • API key should be rotated every 90 days (RuleId: 02124bf7-03ee-4b9d-8c93-749fc3d7a6b4) - Medium

  • API key usage should be restricted to APIs the application needs to access (RuleId: 804c9d6b-c7c0-4ff0-a120-9706a137d4f2) - Medium

  • API key usage should be restricted to specific hosts and applications (RuleId: cc0ea365-10b1-40ca-ae0d-bb63fd01a50a) - Medium

  • BigQuery data set should be encrypted with customer managed encryption key (RuleId:70cb49d2-35ee-4e2c-851a-0b06d5c310e8) - Medium

  • Dataproc cluster should be encrypted using customer-managed encryption key (RuleId:1d164e3a-814e-484f-b56e-32be96b4f959) - Medium

  • API key should be used only on active service (RuleId: c740729c-4d23-4a29-811c-86fe9e5be264) - Low

• Updated rules: 

  • BigQuery Table should be encrypted with customer managed encryption key (RuleId: 8779a3b1-4012-44c6-a8de-50d79f89021c) - Medium

  • Container scanning should be enabled (RuleId: b11f699a-f1fc-4717-b375-7b8be52ba6f5) - Medium

  • Cloud asset inventory should be enabled (RuleId: f7fd5738-991b-4697-b0a3-d5731608415c) - Low

Any newly onboarded AWS cloud accounts now have a unique external ID for each customer tenant rather than for each cloud account. To ensure that your organization’s data is protected and cannot be accessed by another tenant, you can no longer make changes your external ID. Existing AWS cloud accounts will not be impacted and there is no action required from users.

You can now onboard a managed or self-managed Kubernetes cluster with a Helm chart in CloudHealth Secure State. If you use a Helm chart for your Kubernetes deployments, you can select the Helm version you are using, then run a single CLI command to install the chart archive with Helm and the collector in your cluster. For more information on using a Helm chart to onboard a Kubernetes cluster, please refer to the product documentation.

Third party rules (such as Amazon GuardDuty, Microsoft Defender for Cloud, and so on) can now be selected in the "Rules" criteria when creating an alert, suppression, or report in CloudHealth Secure State. This lets you focus an alert or suppression on any kind of finding, whether it comes from a CloudHealth Secure State native rule or a third-party source. Likewise, when scheduling or generating reports for findings you can set the criteria to target a report on findings from a specific rule or rules regardless of source.

Note that third-party rules don't have predictive text or validation by CloudHealth Secure State when entered as criteria, so you must verify the text matches what is defined by the provider.

For more information, see the product documentation on third-party findings.

The PCI DSS 4.0 compliance framework is now available in CloudHealth Secure State. Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem. PCI DSS 4.0 was released on March 31st, 2022, and PCI DSS v3.2.1 will continue to be supported until the next version is released or until it's retired on March 31, 2024.

Updates in the new PCI DSS 4.0 framework include:

• New controls and updated content to all controls.

• "Cardholder data" is changed to "account data" to align with usage and intent.

We are excited to announce the availability of the MITRE ATT&CK Cloud 11.0 and MITRE ATT&CK Containers 11.0 frameworks in CloudHealth Secure State. These frameworks have been mapped to controls for AWS, Azure, GCP, and Kubernetes rules. 

As part of the overall upgrade to MITRE ATT&CK Enterprise version 11.0, the following changes have been made: 

• Updated descriptions for several controls. 

• In MITRE ATT&CK Containers, the control Scheduled Task/Job (T1053.001) was replaced with Scheduled Task/Job-At (T1053.002) to better reflect adversary behavior.

You can now directly export your rules view to a CSV file with a single click. Any filters applied to your rules data will be retained in the exported CSV file. To export your rules, you can go to the Governance > Rules page in the CloudHealth Secure State client UI and click the Export CSV button at the top right.

We're excited to announce that the ServiceNow integration for IT service management (ITSM) is in private beta. Now you can easily send CloudHealth Secure State findings to ServiceNow as new incidents where they can be tracked and resolved to existing incident workflows. Furthermore, similar to the existing Jira Cloud integration, you can customize the incident template for your integration by changing, removing, or adding more fields from your organization's incident template. For more information, review the documentation.

Please contact your Technical Account Manager if you'd like to participate in the private beta.