Open menu

31 May 2021 - Rule Update Notice

Last updated: 22 June 2020

Custom Policy Updates

The custom policy has been updated to version 1.30 as a result of the new deployment. You’ll need to update your custom policy to the latest version.

The permissions added include:

  1. “ecs:ListContainerInstances”
  2. “ecs:DescribeContainerInstances”
  3. “ssm:DescribeInstanceInformation”

Click here to access the new Custom Policy.

New Rules

AWS

  1. SSM-003: Check for SSM Managed Instances

    This rule ensures that all EC2 instances are managed by AWS Systems Manager (SSM) service.

  2. S3-028: Enable Amazon S3 Bucket Keys
    This rule ensures that Amazon S3 buckets are using S3 bucket keys to optimize service costs.
  3. ComputeOptimizer-002: Compute Optimizer Auto Scaling Group Findings

    This rule ensures that your Amazon EC2 Auto Scaling groups are optimized for better performance and cost savings.

  4. ECR-004: Check for Fargate Platform Version
    This rule ensures that your Amazon Elastic Container Service (ECS) cluster services are using the latest version of AWS Fargate platform to receive new, or improved capabilities, features, and security updates.
  5. ECS-005: Check for ECS Container Instance Agent Version
    This rule ensures that your Amazon ECS cluster instances are running the latest version of ECS container agent to receive new or improved features and security updates.
  6. CFM-007: AWS CloudFormation Drift Detection

    This rule ensures that Amazon CloudFormation stacks have not been drifted from their expected template configuration.

Rule Updates

  1. Improved the following rules to prevent them from generating false positives:

  2. CWE-001: AWS CloudWatch Events In Use
  3. CT-001: CloudTrail Enabled
  4. CT-005: CloudTrail Global Services Enabled
  5. Support-001: Support Plan

  6. Inspector-001: Amazon Inspector Findings
    Optimized the rule and its performance to prevent throttling for AWS Inspector APIs when facing a large number of resources. The rule now focuses on generating checks for the latest Assessment Run findings instead of old Assessment Runs and their findings.