Open menu

14 April 2021 - Rule Update Notice

Custom Policy Updates

The custom policy has been updated to version 1.28 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:

  1. “compute-optimizer:GetAutoScalingGroupRecommendations”
  2. “compute-optimizer:GetEC2InstanceRecommendations”

    Click here to access the new Custom Policy.

New Rules

AWS

  1. ComputeOptimizer-001 Compute Optimizer EC2 Instance Findings
    Ensure that your Amazon EC2 instances are optimized for better cost and performance.
  2. IAM-066: Check for IAM Groups with Admin Privileges
    This rule checks for any IAM Groups with Admin privileges through checking if specific managed policies or actions are attached. The managed policies are AdministratorAccess, FullAccess, Admin, AdminPolicy and PowerUser. The actions are Delete, Create, Update* and *. You can also define your own managed policies and actions for IAM-066 to check.

Rule Updates

  1. Lambda-009: Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption
    Updated this rule logic to return a result only when Lambda Environment Variables exist.
  2. Improved Conformity’s handling of S3 scanning when Customer has SCPs
    Conformity has Improved Conformity Bot’s handling of regions blocked by a customer’s SCP. Prior to this improvement, Conformity bot used to use the Customer instance’s hosted region (i.e. eu-west-1, ap-southeast-2 or us-west-2) as a region value when querying the S3 service. However, if any of these regions is blocked by a customer’s SCP, Conformity will be blocked from retrieving the customer’s S3 buckets to produce S3 checks. Conformity will now use the first region enabled on Conformity Bot settings to access the S3 service’.

Bug Fixes

  1. DynamoDB-005: DynamoDB Backup and Restore
    This rule was updated to consider backups of all types (including from the AWS Backup service) during evaluation to reduce false positives.
  2. RDS-042: Enable Aurora Cluster Copy Tags to Snapshots
    RDS-035: Cluster Deletion Protection
    RDS-007: RDS Multi-AZ
    Fixed a bug where the ‘link to resource’ for these rules was not redirecting users to the correct resources.