Cloud Conformity Custom Policy Version

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CC-001

Ensure that your AWS account is using the latest version of Cloud Conformity custom access policy in order to get the latest Cloud Conformity features and best practices that might require further access to the security configuration metadata of your AWS infrastructure.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

Operational excellence

Cloud Conformity updates the custom access policy as new conformity rules, features and best practices are introduced. If the Cloud Conformity engine does not use the latest version of the policy to access your AWS security configuration metadata, it won’t be able to highlight the newest potential security risks, cost or reliability inefficiencies.


Audit

To determine if your AWS account is using the latest version of Cloud Conformity custom access policy (version 1.1), perform the following:

Using AWS CloudFormation Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack used during the registration process to grant access to your Cloud Conformity account.

04 Select Outputs tab from the dashboard bottom panel to access the stack output parameters.

05 Check the value set for the Version output, shown in the Value column. If the version number is lower than the latest policy version number (e.g. 1.1), the access policy in use is outdated, and therefore your AWS account is not using the latest version of the Cloud Conformity custom access policy.

06 Repeat steps no. 1 – 5 for each AWS account registered with Cloud Conformity that you want to examine.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks provisioned within the AWS account registered with Cloud Conformity:

aws cloudformation list-stacks \
  --region us-east-1 \
  --output table \
  --query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names:

-----------------------
|     ListStacks      |
+---------------------+
|  CloudConformity    |
|  ProductionWebApp   |
|  WebServerCFNStack  |
+---------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using custom query filters to get the version number of the access policy used by the CloudFormation stack, named "CloudConformity", provided by Cloud Conformity during the registration process:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name CloudConformity \
  --query 'Stacks[*].Outputs[?(OutputKey==`Version`)].OutputValue[]'

04 The command output should return the version number for the custom access policy used:

[
	"1.0"
]

If the version number returned by the describe-stacks command is lower than the latest policy version number (i.e. 1.1), the access policy in use is outdated, and therefore your AWS account is not using the latest version of the Cloud Conformity custom access policy.

05 Repeat steps no. 1 – 4 for each AWS account registered with Cloud Conformity that you want to examine.

Remediation / Resolution

To update the Cloud Conformity custom access policy for your AWS account, perform the following actions:

Using Cloud Conformity Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack used during the registration process to grant access to your Cloud Conformity account.

04 Click the Actions dropdown button from the CloudFormation dashboard top menu and select Update Stack.

05 On the Select Template page, inside Choose a template section, select Specify an Amazon S3 template URL option and paste the following template URL: https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template within the box. Click Next to continue the update process.

06 On the Specify Details page, within Parameters section, update the policy version number available in the Version box and click Next to continue.

07 On the Options page, leave the default settings unchanged, then click Next.

08 On the Review page, inside Capabilities section, select I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox, then click Update to update the stack. Once the update process is complete, the stack status should change from UPDATE_IN_PROGRESS to UPDATE_COMPLETE and the Cloud Conformity custom access policy should be updated to the latest version (i.e. 1.1).

09 Repeat steps no. 1 – 8 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

Using AWS CLI

01 Run describe-stacks command (OSX/Linux/UNIX) to describe the parameters of the CloudFormation stack, named "CloudConformity", used by the Cloud Conformity engine during the registration process:

aws cloudformation describe-stacks \
  --region us-east-1 \
  --stack-name CloudConformity \
  --query 'Stacks[*].Parameters[]'

02 The command output should return the requested parameters metadata, information that will be useful later when the CloudFormation stack will be updated:

[
	{
		"ParameterValue": "123456789012",
		"ParameterKey": "AccountId"
	},
	{
		"ParameterValue": "1.0",
		"ParameterKey": "Version"
	},
	{
		"ParameterValue": "AAABBBCCCDDD",
		"ParameterKey": "ExternalId"
	}
]

03 Run update-stack command (OSX/Linux/UNIX) using the configuration details returned at the previous step as parameters to update the AWS CloudFormation stack used for Cloud Conformity registration. Once the update process is complete, the Cloud Conformity custom access policy will be updated to the latest version (i.e. 1.1):

aws cloudformation update-stack \
  --region us-east-1 \
  --stack-name CloudConformity \
  --template-url https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template \
  --capabilities "CAPABILITY_NAMED_IAM" \
  --parameters ParameterKey="Version",ParameterValue="1.1" ParameterKey="AccountId",ParameterValue="123456789012" ParameterKey="ExternalId",ParameterValue="AAABBBCCCDDD"

04 The command output should return the ID of the updated AWS CloudFormation stack:

{
	"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/CloudConformity/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"
}

05 Repeat steps no. 1 – 4 to update the custom access policy for other AWS accounts registered with Cloud Conformity.
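The Audit and Remediation CLI steps above can be wrapped in one small script. The following is an added example, not Conformity's own tooling: it classifies the stack's Version output against the latest policy version named in this article (1.1), treats a missing output (the AWS CLI prints "None" in that case) as UNKNOWN rather than failing on a non-numeric string, and performs the update with UsePreviousValue for AccountId and ExternalId so the ExternalId never has to be copied into a script or shell history. The stack name "CloudConformity", the region us-east-1 and the template URL are taken from the article; the script file name is an assumption.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling). Assumptions: stack name
# "CloudConformity", region us-east-1, latest policy version 1.1 and the
# template URL, all taken from the article above.

LATEST_VERSION="1.1"
TEMPLATE_URL="https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template"

# version_lt A B: exit 0 when dot-separated numeric version A is strictly
# lower than B. Components are compared numerically, so 1.10 ranks above 1.9.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# policy_status VALUE: prints OUTDATED, CURRENT or UNKNOWN for the Version
# output value read from the stack. "None" (output missing) or any other
# non-numeric value is reported as UNKNOWN instead of breaking the comparison.
policy_status() {
  case "$1" in
    ""|*[!0-9.]*) echo "UNKNOWN" ;;
    *) if version_lt "$1" "$LATEST_VERSION"; then echo "OUTDATED"; else echo "CURRENT"; fi ;;
  esac
}

# Audit step 03 as a function: read the Version output of one stack and
# print "<stack> <version> <status>".
audit_stack() {
  region="$1"; stack="$2"
  v=$(aws cloudformation describe-stacks --region "$region" --stack-name "$stack" \
        --query 'Stacks[0].Outputs[?OutputKey==`Version`].OutputValue | [0]' \
        --output text)
  printf '%s %s %s\n' "$stack" "$v" "$(policy_status "$v")"
}

# Remediation step 03 as a function. AccountId and ExternalId are kept via
# UsePreviousValue, so only the Version parameter is supplied explicitly.
remediate_stack() {
  region="$1"; stack="$2"
  aws cloudformation update-stack --region "$region" --stack-name "$stack" \
    --template-url "$TEMPLATE_URL" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=Version,ParameterValue=$LATEST_VERSION" \
                 ParameterKey=AccountId,UsePreviousValue=true \
                 ParameterKey=ExternalId,UsePreviousValue=true
  aws cloudformation wait stack-update-complete --region "$region" --stack-name "$stack"
}

# Usage: sh conformity_policy_version.sh audit|remediate
case "${1:-}" in
  audit)     audit_stack us-east-1 CloudConformity ;;
  remediate) remediate_stack us-east-1 CloudConformity ;;
esac
```

Run `sh conformity_policy_version.sh audit` in each registered account's credentials and remediate only where the status column reads OUTDATED; the wait call at the end of remediate_stack blocks until the stack reaches UPDATE_COMPLETE, which is the same state the console procedure above tells you to look for.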

Publication date Nov 21, 2017
