Custom Policy Updates
The custom policy has been updated to version 1.24 as a result of the new deployment. You’ll need to update your custom policy to the latest version. The permissions added include:
_Click here to access the new Custom Policy.
- ECR-003: Enable Scan on Push for ECR Container Images
This rule ensures that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository.
- EBS-014: Enable Encryption by Default for EBS Volumes
This rule ensures that all your new Amazon EBS volumes are encrypted by default within the specified AWS cloud region in order to reach your data protection and compliance goals.
- CC-003: Trend Micro Cloud One™ – Conformity Insufficient Access Permissions
This rule ensures that Amazon IAM policies created to grant access to the Conformity Bot on your behalf provides all the permissions required to scan your AWS infrastructure in order to get the latest conformity rules, new features, and best practices.
- Subscriptions-003: Ensure “Not Allowed Resource Types” Policy Assignment in Use
This rule ensures that a “Not Allowed Resource Types” policy is assigned to your Azure subscriptions in order to deny deploying restricted resources within your Azure cloud account for security and compliance purposes.
- Network-013: Review Network Interfaces with IP Forwarding Enabled
This rule ensures that the Azure network interfaces with IP forwarding enabled are regularly reviewed.
IAM-036: AWS IAM Users with Admin Privileges
Fixed a bug that made the rule too strict and resulted in false positives. The rule has also been updated to:
- Check more scenarios of users with admin privileges including checking users assigned to customer-managed and inline policies and specific action permissions.
- Enable users via rule settings to specify the list of AWS Managed Policies or Actions for which Users with Administrator Privileges will be checked.
WAF-001: AWS Web Application Firewall in Use
WAF-001 was previously verifying WAF classic resources only. The rule now checks for WAFv2 as well.