30 November 2020 - Rule Update Notice

Custom Policy Updates

There is no change to the custom policy as a result of the new Trend Micro Cloud One™ – Conformity release and hence no user action is required. The current custom policy version is 1.21.

New Rules

  1. SecurityCenter-021: Enable Monitoring of Deprecated Accounts
    This rule ensures that monitoring of deprecated accounts within your Azure subscription(s) is enabled.
  2. SecurityCenter-022: Monitor the Total Number of Subscription Owners
    This rule ensures that the total number of subscription owners within your Azure account is monitored.
  3. SecurityCenter-023: Enable Virtual Machine IP Forwarding Monitoring
    This rule ensures that the IP Forwarding feature available for your Microsoft Azure virtual machines (VMs) is monitored by the Azure Security Center service for security and compliance purposes.
  4. SecurityCenter-024: Monitor External Accounts with Write Permissions
    This rule ensures that the external accounts with write permissions are monitored using Azure Security Center.
  5. SecurityCenter-025: Enable DDoS Protection Standard Monitoring for Public Virtual Networks
    This rule ensures that monitoring of the “DDoS Protection Standard” feature is enabled within your Microsoft Azure cloud account settings, so that Azure Security Center can assess whether DDoS protection is enabled for all Azure Virtual Networks (VNets) with a subnet that is part of an application gateway with a public IP.
  6. RedisCache-001: Enable In-Transit Encryption for Redis Cache Servers
    This rule ensures that the SSL connection to your Azure Redis Cache servers is enabled in order to meet cloud security and compliance requirements.
  7. CosmosDB-001: Enable Advanced Threat Protection
    This rule ensures that your Microsoft Azure Cosmos DB accounts are using the Advanced Threat Protection feature to detect unusual and potentially harmful attempts to access or exploit the Cosmos DB account resources.
  8. CosmosDB-002: Enable Automatic Failover
    This rule ensures that your Microsoft Azure Cosmos DB accounts are using the Automatic Failover feature in order to enable resource replication and fault tolerance at the account level.
  9. AppService-016: Enable Application Insights
    This rule ensures that the Application Insights feature is enabled for all your Microsoft Azure App Services web applications in order to provide advanced application monitoring.
  10. AppService-014: Check for Sufficient Backup Retention Period
    This rule ensures that your Microsoft Azure App Services applications have a sufficient daily backup retention period configured for scheduled backups, in order to follow security and regulatory requirements.
  11. PostgreSQL-009: Check for PostgreSQL Major Version
    This rule ensures that PostgreSQL database servers are using the latest major version of the PostgreSQL database.
  12. PostgreSQL-010: Enable Geo-Redundant Backups
    This rule ensures that geo-redundant backups are enabled for your Azure PostgreSQL database servers in order to allow you to restore your PostgreSQL servers to a different Azure region in the event of a regional outage or a disaster.
  13. PostgreSQL-011: Enable Storage Auto-Growth
    This rule checks if PostgreSQL storage Auto-Growth is enabled on Azure PostgreSQL database servers. Storage auto-growth prevents your PostgreSQL servers from running out of storage and becoming read-only.
  14. KeyVault-007: Restrict Default Network Access for Azure Key Vaults
    This rule ensures that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks, including the public Internet. To give Cloud Conformity the secure read-only access to your Key Vault attributes that the Key Vault rules require, please see Azure integration for more information.
  15. KeyVault-008: App Tier Customer-Managed Key In Use
    This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier in order to meet cloud security and compliance requirements within your organization.
  16. KeyVault-009: Database Tier Customer-Managed Key In Use
    This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure database tier in order to meet cloud security and compliance requirements within your organization.
  17. KeyVault-010: Web Tier Customer-Managed Key In Use
    This rule ensures that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure web tier in order to meet cloud security and compliance requirements.
  18. KeyVault-014: Check for Allowed Certificate Key Types Events
    This rule ensures that Azure Key Vault certificates are using the appropriate key type(s) for security and compliance purposes.
  19. StorageAccounts-017: Review Storage Accounts with Static Website Configuration
    This rule ensures that all the Microsoft Azure Storage Accounts configured to host static websites are regularly reviewed for security and compliance purposes. Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts that are expected to host static content (HTML, CSS, JavaScript, and image files).

Rule Updates

  1. ECS-001: ECS Configuration Changes
    Added a new setting for ECS-001 that allows setting user identity exceptions for the rule.
  2. IAM-054: IAM Configuration Changes
    Users can configure the rule with a safelist of user ARNs, whose activities will not trigger a check for this rule.
  3. SecretManager-002: Secret rotation enabled
    Fixed the rule logic where secret rotation is disabled but a success check is generated instead of a failure check.
  4. SecretManager-003: Secret rotation interval
    Fixed the rule logic where secret rotation is disabled but a failure check is generated instead of no check.

Bug Fixes

  1. ELBv2: ALB Listener Security
    Fixed a bug where the rule produced a check for load balancers without listeners.
  2. IAM-013: MFA for IAM users with console password
    Fixed a bug where IAM users with a console password and a correct MFA configuration did not generate success checks, and vice versa.
  3. Fixed a bug where auto-remediation resources generated failure checks.