Custom Policy Updates
The custom policy has been updated to version 1.28 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:
Click here to access the new Custom Policy.
- ComputeOptimizer-001 Compute Optimizer EC2 Instance Findings
Ensure that your Amazon EC2 instances are optimized for better cost and performance.
- IAM-066: Check for IAM Groups with Admin Privileges
This rule checks for any IAM Groups with Admin privileges through checking if specific managed policies or actions are attached. The managed policies are AdministratorAccess, FullAccess, Admin, AdminPolicy and PowerUser. The actions are Delete, Create, Update* and *. You can also define your own managed policies and actions for IAM-066 to check.
- Lambda-009: Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption
Updated this rule logic to return a result only when Lambda Environment Variables exist.
- Improved Conformity’s handling of S3 scanning when Customer has SCPs
Conformity has Improved Conformity Bot’s handling of regions blocked by a customer’s SCP. Prior to this improvement, Conformity bot used to use the Customer instance’s hosted region (i.e. eu-west-1, ap-southeast-2 or us-west-2) as a region value when querying the S3 service. However, if any of these regions is blocked by a customer’s SCP, Conformity will be blocked from retrieving the customer’s S3 buckets to produce S3 checks. Conformity will now use the first region enabled on Conformity Bot settings to access the S3 service’.
- DynamoDB-005: DynamoDB Backup and Restore
This rule was updated to consider backups of all types (including from the AWS Backup service) during evaluation to reduce false positives.
- RDS-042: Enable Aurora Cluster Copy Tags to Snapshots
RDS-035: Cluster Deletion Protection
RDS-007: RDS Multi-AZ
Fixed a bug where the ‘link to resource’ for these rules was not redirecting users to the correct resources.