Custom Policy Updates
The custom policy has been updated to version 1.21 as a result of the new deployment. You will need to update your custom policy to the latest version. The rules added or updated include:
- KeyVault-006: Enable SSL Certificate Auto-Renewal
This rule ensures that the Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
Microsoft Azure Key Vault service can renew your SSL certificates automatically in order to prevent any application or service outage, credential leak, or process violation that can disrupt your business. As long as your information with the public Certificate Authority (CA) is up-to-date, the Auto-Renewal feature does not require any action from you.
- KeyVault-011: Check for Certificate Minimum Key Size
This rule ensures that your Microsoft Azure Key Vault RSA certificates are generated with the minimum key size allowed within your organization, for security and compliance purposes.
- KeyVault-012: Enable Certificate Transparency
This rule ensures that the Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates in order to adhere to web security best practices.
- KeyVault-013: Check for Sufficient Certificate Auto-Renewal Period
This rule ensures that your Microsoft Azure Key Vault SSL certificates have a sufficient auto-renewal period configured for security and compliance purposes.
- ActivityLog-016: Create Alert for “Update Key Vault” Events
This rule checks that an Azure activity log alert is fired whenever “Update Key Vault” events are triggered within your Microsoft Azure cloud account.
- ActivityLog-017: Create Alert for “Delete Key Vault” Events
This rule checks that a Microsoft Azure activity log alert is fired whenever a “Delete Key Vault” event is triggered inside your Azure cloud account.
- Subscriptions-001: Check for Azure Cloud Budget Alerts
This rule checks that budget exceeding alerts are created to prevent unexpected expenditure within your Azure account.
- AppService-013: Enable Automated Backups
This rule checks that the Backup and Restore feature is enabled and configured to create automated (scheduled) backups for your Microsoft Azure App Services applications.
- AppService-015: Enable Always On Feature
This rule checks that your Microsoft Azure App Services web applications have the ‘Always On’ feature enabled, so that applications are not unloaded after an idle timeout caused by inactivity.
- ActivityLog-023: Create Alert for “Create or Update Load Balancer” Events
This rule checks that an Azure activity log alert exists for “Create or Update Load Balancer” events.
- ActivityLog-024: Create Alert for “Delete Load Balancer” Events
This rule checks that an Azure activity log alert exists for “Delete Load Balancer” events.
- AKS-002: Latest Kubernetes Version Installed
This rule checks that your Azure Kubernetes Service (AKS) clusters are running the latest available version of the Kubernetes platform, so that they receive new or enhanced features and the most recent security fixes.
- ActivityLog-020: Create Alert for “Delete PostgreSQL Database” Events
This rule checks that an Azure activity log alert exists for “Delete PostgreSQL Database” events.
- ActivityLog-019: Create Alert for “Create/Update PostgreSQL Database” Events
This rule ensures that an activity log alert exists for “Create/Update PostgreSQL Database” events.
- AccessAnalyzer-001: IAM Access Analyzer Findings
This rule checks to see if you have any active IAM Access Analyzer Findings. It returns a failure if found or success for findings that are resolved or archived.
- S3-025: S3 Buckets Encrypted with Customer-Provided CMKs
Updated the rule logic to adhere to AWS best practices in the following ways:
- Return a failure if Server-Side Encryption is configured to use “Amazon S3 Managed Keys” (SSE-S3)
- Return a failure if Server-Side Encryption is configured to use the AWS managed CMK
- Return a failure if Server-Side Encryption is configured to use a cross-account CMK
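The three failure conditions above, worked through as an added example (not the product's own rule code) over the shape of an S3 GetBucketEncryption response; the account id, key ARNs and the treatment of a bucket with no default encryption are assumptions made here:

```python
import re

# Account id inside a KMS key ARN or alias ARN
# (arn:aws:kms:REGION:ACCOUNT:key/... or arn:aws:kms:REGION:ACCOUNT:alias/...).
KMS_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:(\d{12}):(?:key|alias)/")


def sse(algorithm, key_id=None):
    """Build a GetBucketEncryption-shaped config (constructed sample data)."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


def evaluate_s3_025(bucket_account, encryption):
    """Classify a bucket's default encryption following the S3-025 logic above.

    Returns (status, reason). FAIL for SSE-S3 (Amazon S3 managed keys), for the
    AWS managed CMK aws/s3 (also what SSE-KMS uses when no key is named), and
    for a CMK whose ARN belongs to another account. PASS only for a
    customer-managed CMK in the bucket owner's account.
    """
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        # Assumption: a bucket with no default encryption at all also fails.
        return "FAIL", "no default encryption configured"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID", "")
    if algorithm == "AES256":
        return "FAIL", "SSE-S3: Amazon S3 managed keys"
    if algorithm not in ("aws:kms", "aws:kms:dsse"):
        return "FAIL", "unsupported SSEAlgorithm %r" % (algorithm,)
    if not key_id or key_id.endswith("alias/aws/s3"):
        return "FAIL", "AWS managed CMK (aws/s3)"
    match = KMS_ARN_ACCOUNT.match(key_id)
    if match and match.group(1) != bucket_account:
        return "FAIL", "cross-account CMK owned by account " + match.group(1)
    # A bare key id or alias name carries no account id. Assumption: treat it as
    # a key in the bucket owner's account (a real check would resolve it via KMS).
    return "PASS", "customer-managed CMK " + key_id
```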
- Route53-008: Sender Policy Framework In Use
Updated the rule logic to look for a TXT record whose value begins with v=spf1 (matched with a regex), rather than looking for a dedicated SPF record type, and updated the knowledge base page “Server-Side Encryption with Customer-Provided Keys (SSE-C)” to “Server-Side Encryption with customer-managed CMKs”.
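The TXT-plus-regex check described above, as an added example (not the product's own rule code) over records in the shape of Route 53 ListResourceRecordSets output; the zone name and the sample records are constructed, and passing only on an SPF policy at the zone apex is an assumption:

```python
import re

# SPF policies start with the version tag "v=spf1" followed by a space or end of string.
SPF_VERSION = re.compile(r"^v=spf1(?:\s|$)", re.IGNORECASE)


def txt_strings(value):
    """Join the quoted character-strings of a Route 53 TXT value.

    Route 53 stores TXT values quoted and splits values longer than 255
    characters into several quoted strings ("..." "...").
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return "".join(parts) if parts else value


def is_spf_record(record):
    """True if this record set is a TXT record holding an SPF policy.

    A deprecated SPF-type record does not count; only TXT is checked.
    """
    if record.get("Type") != "TXT":
        return False
    return any(SPF_VERSION.match(txt_strings(r["Value"]).strip())
               for r in record.get("ResourceRecords", []))


def evaluate_route53_008(zone_name, record_sets):
    """Return {'status': 'PASS'|'FAIL', 'spf_records': [...]} for one hosted zone."""
    apex = zone_name.rstrip(".").lower() + "."
    hits = [r for r in record_sets
            if r.get("Name", "").lower() == apex and is_spf_record(r)]
    return {"status": "PASS" if hits else "FAIL", "spf_records": hits}


# Constructed sample records: a legacy SPF-type record, a TXT record set that
# mixes a verification token with a split SPF value, and a subdomain policy.
SAMPLE_RECORDS = [
    {"Name": "example.com.", "Type": "SPF",
     "ResourceRecords": [{"Value": '"v=spf1 -all"'}]},
    {"Name": "example.com.", "Type": "TXT", "ResourceRecords": [
        {"Value": '"google-site-verification=abc123"'},
        {"Value": '"v=spf1 include:_spf.example.net" " -all"'},
    ]},
    {"Name": "mail.example.com.", "Type": "TXT",
     "ResourceRecords": [{"Value": '"v=spf1 mx -all"'}]},
]
```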
- CT-002: Rule Update
Rule exceptions can now be configured for this rule by CloudTrail S3 bucket name, or by S3 bucket tags.
- CT-006: CloudTrail Global Services Logging Duplicated
The title of the rule has been changed from “CloudTrail Global Services Logging Duplicated” to “Avoid duplicate entries in Amazon CloudTrail logs”, and the knowledge base has been updated to reflect the latest CloudTrail AWS Console.
- EC2-056: Unused AWS EC2 Key Pairs
Fixed a bug in EC2-056 where the region was not taken into account when looking for unused key pairs.
- Route53-011: Dangling DNS Records
Fixed a bug where the rule generated false positives when the Elastic IP address was a private IP address.
- VPC-013: Specific Gateway Attached To Specific VPC
Fixed a bug where the rule configuration was not returned in the results of the GET rule settings API endpoint.