Trend Micro Cloud One™

10 November 2020 - Rule Update Notice

Custom Policy Updates

The custom policy has been updated to version 1.21 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. access-analyzer:ListAnalyzers
  2. access-analyzer:ListFindings

Click here to access the new Custom Policy.

New Rules

Azure

  1. KeyVault-006: Enable SSL Certificate Auto-Renewal
    This rule ensures that the Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
    Microsoft Azure Key Vault service can renew your SSL certificates automatically in order to prevent any application or service outage, credential leak, or process violation that can disrupt your business. As long as your information with the public Certificate Authority (CA) is up-to-date, the Auto-Renewal feature does not require any action from you.
  2. KeyVault-011: Check for Certificate Minimum Key Size
    This rule ensures that your Microsoft Azure Key Vault RSA certificates are generated with the minimum key size allowed within your organization, for security and compliance purposes.
  3. KeyVault-012: Enable Certificate Transparency
    This rule ensures that the Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates in order to adhere to web security best practices.
  4. KeyVault-013: Check for Sufficient Certificate Auto-Renewal Period
    This rule ensures that your Microsoft Azure Key Vault SSL certificates have a sufficient auto-renewal period configured for security and compliance purposes.
  5. ActivityLog-016: Create Alert for “Update Key Vault” Events
    This rule checks that an Azure activity log alert is fired whenever “Update Key Vault” events are triggered within your Microsoft Azure cloud account.
  6. ActivityLog-017: Create Alert for “Delete Key Vault” Events
    This rule checks that a Microsoft Azure activity log alert is fired whenever a “Delete Key Vault” event is triggered inside your Azure cloud account.
  7. Subscriptions-001: Check for Azure Cloud Budget Alerts
    This rule checks that budget exceeding alerts are created to prevent unexpected expenditure within your Azure account.
  8. AppService-013: Enable Automated Backups
    This rule checks that the Backup and Restore feature is enabled and configured to create automated (scheduled) backups for your Microsoft Azure App Services applications.
  9. AppService-015: Enable Always On Feature
    This rule checks that your Microsoft Azure App Services web applications have the ‘Always On’ feature enabled, so that they are not unloaded by an idle timeout after a period of inactivity.
  10. ActivityLog-023: Create Alert for “Create or Update Load Balancer” Events
    This rule checks that an Azure activity log alert exists for “Create or Update Load Balancer” events.
  11. ActivityLog-024: Create Alert for “Delete Load Balancer” Events
    This rule checks that an Azure activity log alert exists for “Delete Load Balancer” events.
  12. AKS-002: Latest Kubernetes Version Installed
    This rule checks that your Azure Kubernetes Service (AKS) clusters are running the latest available version of the Kubernetes platform, in order to receive new or enhanced features and the most recent security fixes.
  13. ActivityLog-020: Create Alert for “Delete PostgreSQL Database” Events
    This rule checks that an Azure activity log alert exists for “Delete PostgreSQL Database” events.
  14. ActivityLog-019: Create Alert for “Create/Update PostgreSQL Database” Events
    This rule ensures that an activity log alert exists for “Create/Update PostgreSQL Database” events.
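The four Key Vault certificate rules above (KeyVault-006, -011, -012 and -013) all evaluate the same object: the certificate policy that Key Vault returns as JSON. The following is an added example, not Conformity's rule code, of how those checks can be applied to one policy document. The field names (`key_props`, `lifetime_actions`, `issuer.cert_transparency`) follow the Key Vault REST API; the sample policy is constructed, and the 2048-bit and 30-day thresholds are assumed defaults rather than values stated on this page.

```python
from typing import Any, Dict

# Constructed sample of the JSON body Key Vault returns for a certificate's
# policy (GET {vault}/certificates/{name}/policy). Field names follow the
# Key Vault REST API; the values are made up for this example.
SAMPLE_POLICY: Dict[str, Any] = {
    "key_props": {"kty": "RSA", "key_size": 2048, "exportable": True, "reuse_key": False},
    "x509_props": {"subject": "CN=app.example.com", "validity_months": 12},
    "lifetime_actions": [
        {"trigger": {"days_before_expiry": 14}, "action": {"action_type": "AutoRenew"}}
    ],
    "issuer": {"name": "DigiCert", "cert_transparency": False},
}


def auto_renew_actions(policy: Dict[str, Any]) -> list:
    """All lifetime actions whose action type is AutoRenew."""
    return [
        action
        for action in policy.get("lifetime_actions", [])
        if action.get("action", {}).get("action_type") == "AutoRenew"
    ]


def renewal_window_days(policy: Dict[str, Any]) -> int:
    """Days before expiry at which the earliest AutoRenew action fires (0 if none).

    A lifetime_percentage trigger is converted to days using validity_months * 30,
    an approximation that is adequate for a threshold comparison.
    """
    validity_days = policy.get("x509_props", {}).get("validity_months", 0) * 30
    best = 0
    for action in auto_renew_actions(policy):
        trigger = action.get("trigger", {})
        if "days_before_expiry" in trigger:
            days = int(trigger["days_before_expiry"])
        elif "lifetime_percentage" in trigger:
            days = int(validity_days * (100 - trigger["lifetime_percentage"]) / 100)
        else:
            continue
        best = max(best, days)
    return best


def check_certificate_policy(
    policy: Dict[str, Any], min_key_size: int = 2048, min_renewal_days: int = 30
) -> Dict[str, bool]:
    """Evaluate one certificate policy against the four new KeyVault rules.

    Returns rule id -> True (compliant) / False (failure). The thresholds are
    assumed defaults for this example, not values defined by the vendor.
    """
    key_props = policy.get("key_props", {})
    is_rsa = str(key_props.get("kty", "")).upper().startswith("RSA")  # RSA and RSA-HSM
    key_size = int(key_props.get("key_size") or 0)
    has_auto_renew = bool(auto_renew_actions(policy))
    return {
        # KeyVault-006: at least one lifetime action must be AutoRenew.
        "KeyVault-006": has_auto_renew,
        # KeyVault-011: RSA keys must meet the organisation's minimum size;
        # the rule is about RSA certificates, so EC keys are not judged here.
        "KeyVault-011": (not is_rsa) or key_size >= min_key_size,
        # KeyVault-012: certificate transparency is an issuer parameter.
        "KeyVault-012": bool(policy.get("issuer", {}).get("cert_transparency", False)),
        # KeyVault-013: the auto-renewal must be scheduled early enough.
        "KeyVault-013": has_auto_renew and renewal_window_days(policy) >= min_renewal_days,
    }


if __name__ == "__main__":
    for rule, ok in check_certificate_policy(SAMPLE_POLICY).items():
        print(f"{rule}: {'PASS' if ok else 'FAIL'}")
```

With the constructed policy, KeyVault-006 and -011 pass, while -012 fails (transparency disabled) and -013 fails because renewal is scheduled only 14 days before expiry.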

AWS

  1. AccessAnalyzer-001: IAM Access Analyzer Findings
    This rule checks to see if you have any active IAM Access Analyzer Findings. It returns a failure if found or success for findings that are resolved or archived.

Rule Updates

  1. S3-025: S3 Buckets Encrypted with Customer-Provided CMKs
    Updated the rule logic to adhere to AWS best practices in the following ways:
    • Return a failure check if Server-Side Encryption is configured to use “Amazon S3 Managed Keys”
    • Return a failure check if Server-Side Encryption is configured to use an AWS managed CMK
    • Return failure if Server-Side Encryption is configured to use cross-account CMK
  2. Route53-008: Sender Policy Framework In Use
    Updated the rule logic to look for a record of type TXT whose value begins with v=spf1, matched with a regular expression (as opposed to looking for a dedicated SPF record), and updated the knowledge base page title from “Server-Side Encryption with Customer-Provided Keys (SSE-C)” to “Server-Side Encryption with customer-managed CMKs”.
  3. Rule Update CT-002
    Rule exceptions can now be configured for this rule by CloudTrail S3 bucket name, or by S3 bucket tags.
  4. CT-006: CloudTrail Global Services Logging Duplicated
    The title of the rule has been changed from “CloudTrail Global Services Logging Duplicated” to “Avoid duplicate entries in Amazon CloudTrail logs”, and the knowledge base has been updated to reflect the latest CloudTrail AWS Console.
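The three failure conditions listed for S3-025 can all be decided from a bucket's default-encryption configuration. The following is an added example, not Conformity's rule code, that applies that logic to the `ServerSideEncryptionConfiguration` structure returned by the S3 `GetBucketEncryption` API. The account id, key ids and ARNs are constructed; the distinction between a bare key id that belongs to an AWS managed key and one that belongs to a customer-managed key would need `kms:DescribeKey` and is noted but not resolved here.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Matches KMS key and alias ARNs in any partition; group 1 is the owning account.
KMS_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:(\d{12}):(key|alias)/(.+)$")
AWS_MANAGED_S3_ALIAS = "aws/s3"  # the AWS managed key S3 uses for SSE-KMS


def evaluate_bucket_encryption(config: Dict[str, Any], bucket_account: str) -> Tuple[bool, str]:
    """Apply the updated S3-025 logic to a GetBucketEncryption response.

    Returns (compliant, reason). Only SSE-KMS with a customer-managed CMK owned
    by the bucket's own account is treated as compliant.
    """
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "no default encryption configured"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return False, "SSE-S3: Amazon S3 managed keys"
    if algorithm not in ("aws:kms", "aws:kms:dsse"):
        return False, f"unrecognised SSEAlgorithm {algorithm!r}"
    key_id = default.get("KMSMasterKeyID", "")
    # Omitting the key id makes S3 fall back to the AWS managed key aws/s3.
    if not key_id:
        return False, "SSE-KMS with the AWS managed key aws/s3 (no KMSMasterKeyID)"
    match = KMS_ARN.match(key_id)
    if match:
        owner, kind, name = match.groups()
        if kind == "alias" and name == AWS_MANAGED_S3_ALIAS:
            return False, "AWS managed CMK aws/s3"
        if owner != bucket_account:
            return False, f"cross-account CMK owned by {owner}"
        return True, f"customer-managed CMK in account {owner}"
    if key_id == f"alias/{AWS_MANAGED_S3_ALIAS}":
        return False, "AWS managed CMK aws/s3"
    # A bare key id or alias name can only refer to a key in the bucket's own
    # account. Telling an AWS managed key from a customer-managed one by a bare
    # key id would need kms:DescribeKey (KeyManager == "AWS"), which this
    # offline example does not call.
    return True, "CMK referenced by id or alias name in the bucket's account"


def sse(algorithm: str, key_id: Optional[str] = None) -> Dict[str, Any]:
    """Build a constructed GetBucketEncryption-shaped configuration for testing."""
    default: Dict[str, Any] = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


# Constructed account ids and key ARNs used for the demonstration below.
ACCOUNT = "111122223333"
OTHER_ACCOUNT = "999988887777"
OWN_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
FOREIGN_KEY = f"arn:aws:kms:us-east-1:{OTHER_ACCOUNT}:key/abcd1234-ab12-cd34-ef56-abcdef123456"

if __name__ == "__main__":
    for label, cfg in [
        ("SSE-S3", sse("AES256")),
        ("SSE-KMS default key", sse("aws:kms")),
        ("SSE-KMS aws/s3 alias", sse("aws:kms", "alias/aws/s3")),
        ("SSE-KMS cross-account", sse("aws:kms", FOREIGN_KEY)),
        ("SSE-KMS own CMK", sse("aws:kms", OWN_KEY)),
    ]:
        ok, reason = evaluate_bucket_encryption(cfg, ACCOUNT)
        print(f"{label:24} {'PASS' if ok else 'FAIL'}: {reason}")
```

Of the five constructed configurations only the last one passes; the first four correspond to the three failure conditions above (SSE-S3, AWS managed CMK in two spellings, cross-account CMK).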
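The Route53-008 change above (look for a TXT record beginning with v=spf1 rather than a dedicated SPF record) reflects RFC 7208, which retired the separate SPF record type in favour of TXT. The following is an added example, not Conformity's rule code, of that check run over the record sets returned by the Route 53 `ListResourceRecordSets` API. The zone and records are constructed. It goes one step beyond the page's description by also flagging more than one SPF record on a name, which RFC 7208 treats as a permanent error.

```python
import re
from typing import Any, Dict, List, Tuple

# RFC 7208: an SPF policy is a TXT record whose text starts with the version
# term "v=spf1" (case-insensitive). Route 53 returns TXT values quoted, and
# long values as several quoted strings, so an optional leading quote is allowed.
SPF_VERSION = re.compile(r'^"?v=spf1(?=[\s"]|$)', re.IGNORECASE)

# Constructed ListResourceRecordSets output for a made-up hosted zone.
RECORD_SETS: List[Dict[str, Any]] = [
    {"Name": "example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [
         {"Value": '"v=spf1 include:amazonses.com -all"'},
         {"Value": '"site-verification=constructed-token"'},
     ]},
    {"Name": "_dmarc.example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"v=DMARC1; p=reject"'}]},
    {"Name": "mail.example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": '"V=SPF1 -all"'}]},
]


def spf_records(domain: str, record_sets: List[Dict[str, Any]]) -> List[str]:
    """Return the TXT values at `domain` whose text begins with v=spf1."""
    fqdn = domain.rstrip(".").lower() + "."
    found: List[str] = []
    for rrset in record_sets:
        if rrset.get("Type") != "TXT" or rrset.get("Name", "").lower() != fqdn:
            continue
        for record in rrset.get("ResourceRecords", []):
            value = record.get("Value", "")
            if SPF_VERSION.match(value):
                found.append(value)
    return found


def check_spf(domain: str, record_sets: List[Dict[str, Any]]) -> Tuple[bool, str]:
    """Route53-008 style check: exactly one SPF TXT record must exist for the name."""
    found = spf_records(domain, record_sets)
    if not found:
        return False, f"no TXT record beginning with v=spf1 for {domain}"
    if len(found) > 1:
        return False, f"{len(found)} SPF records for {domain}; receivers treat this as permerror"
    return True, found[0]


if __name__ == "__main__":
    for name in ("example.com", "mail.example.com", "_dmarc.example.com"):
        ok, detail = check_spf(name, RECORD_SETS)
        print(f"{name:20} {'PASS' if ok else 'FAIL'}: {detail}")
```

Matching on the value rather than the record type is also why the old behaviour missed zones that were correctly configured: a zone can have a valid SPF policy in TXT without any record of type SPF.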

Bug Fixes

  1. EC2-056: Unused AWS EC2 Key Pairs
    Fixed a bug in EC2-056 where it was not factoring in the region when looking for unused key pairs.
  2. Route53-011: Dangling DNS Records
    Fixed the bug where the rule was generating false positives when the Elastic IP address is a private IP address.
  3. VPC-013: Specific Gateway Attached To Specific VPC
    Fixed a bug where rule configuration was not returned in the results for the GET rule settings API endpoint.
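The EC2-056 fix above is a good illustration of a region-scoping bug: EC2 key pairs are regional resources, so a key pair name that is in use in one region says nothing about a key pair of the same name in another region. The following is an added example, not Conformity's rule code, that contrasts a region-blind check with a region-aware one over a constructed inventory shaped like `DescribeKeyPairs` and `DescribeInstances` results.

```python
from typing import Any, Dict, List, Tuple

# Constructed per-region inventory. Key pair names are unique only within a
# region, and an instance can only reference a key pair from its own region.
KEY_PAIRS: Dict[str, List[Dict[str, Any]]] = {
    "us-east-1": [{"KeyName": "deploy", "KeyPairId": "key-0aaa"},
                  {"KeyName": "bastion", "KeyPairId": "key-0bbb"}],
    "eu-west-1": [{"KeyName": "deploy", "KeyPairId": "key-0ccc"},
                  {"KeyName": "legacy-ops", "KeyPairId": "key-0ddd"}],
}
INSTANCES: Dict[str, List[Dict[str, Any]]] = {
    "us-east-1": [{"InstanceId": "i-0aaa", "KeyName": "deploy"}],
    "eu-west-1": [{"InstanceId": "i-0bbb", "KeyName": "legacy-ops"},
                  {"InstanceId": "i-0ccc"}],  # launched without a key pair
}


def unused_key_pairs_ignoring_region(key_pairs, instances) -> List[str]:
    """The buggy shape: one global set of used names across all regions.

    'deploy' is used in us-east-1, so the unused 'deploy' in eu-west-1 is missed.
    """
    used = {i["KeyName"] for region in instances.values() for i in region if i.get("KeyName")}
    return sorted({kp["KeyName"] for region in key_pairs.values() for kp in region
                   if kp["KeyName"] not in used})


def unused_key_pairs_by_region(key_pairs, instances) -> List[Tuple[str, str]]:
    """The fixed shape: compare key pairs and instances region by region."""
    findings: List[Tuple[str, str]] = []
    for region, pairs in key_pairs.items():
        used = {i["KeyName"] for i in instances.get(region, []) if i.get("KeyName")}
        findings.extend((region, kp["KeyName"]) for kp in pairs if kp["KeyName"] not in used)
    return sorted(findings)


if __name__ == "__main__":
    print("region-blind:", unused_key_pairs_ignoring_region(KEY_PAIRS, INSTANCES))
    print("per-region:  ", unused_key_pairs_by_region(KEY_PAIRS, INSTANCES))
```

The region-blind version reports only `bastion`; the per-region version additionally reports `deploy` in eu-west-1, which is the class of miss the fix addresses.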