Logo of Trend Micro

Conformity Custom Policy Version

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CC-001

Ensure that your AWS account is using the latest version of Cloud Conformity custom access policy in order to get the latest Cloud Conformity features and best practices that might require further access to the security configuration metadata of your AWS infrastructure.

This rule can help you with the following compliance standards:

Operational
excellence

Cloud Conformity updates the custom access policy as new conformity rules, features and best practices are introduced. If the Cloud Conformity engine does not use the latest version of the policy to access your AWS security configuration metadata, it won’t be able to highlight the newest potential security risks, cost or reliability inefficiencies.

Audit

To determine if your AWS account is using the latest version of Cloud Conformity custom access policy (version 1.2), perform the following:

Using AWS CloudFormation Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack used during the registration process to grant access to your Cloud Conformity account.

04 Select Outputs tab from the dashboard bottom panel to access the stack output parameters.

05 Check the value set for the Version parameter, available in the Value column:

If the version number is lower than the latest policy version number

If the version number is lower than the latest policy version number (e.g. 1.2), the access policy utilized is outdated, therefore your AWS account is not using the latest version of Cloud Conformity custom access policy.

06 Repeat steps no. 1 – 5 for each AWS account registered with Cloud Conformity, that you want to examine.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks provisioned within the AWS account registered with Cloud Conformity: 

aws cloudformation list-stacks
	--region us-east-1
	--output table
	--query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names: 

-----------------------
|     ListStacks      |
+---------------------+
|  CloudConformity    |
|  ProductionWebApp   |
|  WebServerCFNStack  |
+---------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using custom query filters to get the version number of the access policy used by the CloudFormation stack, named "CloudConformity", provided by Cloud Conformity during the registration process: 

aws cloudformation describe-stacks
	--region us-east-1
	--stack-name CloudConformity
	--query 'Stacks[*].Outputs[?(OutputKey==`Version`)].OutputValue[]'

04 The command output should return the version number for the custom access policy used: 

[
    "1.0"
]

If the version number returned by the describe-stacks command output is lower than the latest policy version number (i.e. 1.2), the access policy utilized is outdated, therefore your AWS account is not using the latest version of Cloud Conformity custom access policy.

05 Repeat steps no. 1 – 4 for each AWS account registered with Cloud Conformity, that you want to examine.

Remediation / Resolution

To update the Cloud Conformity custom access policy for your AWS account, perform the following actions:

Using Cloud Conformity Console

01 Sign in to Cloud Conformity Dashboard, select your account >> Settings >> Access Settings >> Update access settings.

02 Click on Cloud Conformity stack edit page link.

03 Select Specify an Amazon S3 template URL

04 Enter the following URL and click Next until you get to the Review page.
https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template

05 Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names." and click Update

06 Repeat steps no. 1 – 5 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

Using AWS CLI

01 Run describe-stacks command (OSX/Linux/UNIX) to describe the parameters of the CloudFormation stack, named "CloudConformity", used by the Cloud Conformity engine during the registration process: 

aws cloudformation describe-stacks
	--region us-east-1
	--stack-name CloudConformity
	--query 'Stacks[*].Outputs[]'

02 The command output should return the requested parameters metadata, information that will be useful later when the CloudFormation stack will be updated: 

[
    {
        "OutputKey": "Version",
        "OutputValue": "1.0"
    },
    {
        "OutputKey": "CloudConformityRoleArn",
        "OutputValue": "arn:aws:iam::123456789012:role/CloudConformity"
    }
]

03 Run update-stack command (OSX/Linux/UNIX) using the configuration details returned at the previous step as parameters to update the AWS CloudFormation stack used for Cloud Conformity registration. Once the update process is complete, the Cloud Conformity custom access policy will be updated to the latest version (i.e. 1.2): 

aws cloudformation update-stack
	--region us-east-1
	--stack-name CloudConformity
	--template-url https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template
	--capabilities "CAPABILITY_NAMED_IAM"
	--parameters ParameterKey="AccountId",ParameterValue="123456789012" ParameterKey="ExternalId",ParameterValue="AAABBBCCCDDD"

04 The command output should return the ID of the updated AWS CloudFormation stack: 

{
   "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/conformity/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"
}

05 Repeat steps no. 1 – 4 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

References

Publication date Nov 21, 2017

Related Cloud Conformity rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Conformity Custom Policy Version

Risk level: High