June 06, 2022, Conformity—The following features and updates are now available with
Conformity's latest release on 6 June 2022.
- Updated the FedRAMP Rev 4 Compliance Standard to support the new AWS and Azure rules released by Conformity.
- Updated the Get Services API endpoint to display data for associated compliance standards.
Bug Fixes
- Fixed a bug to display the `resource type` in the View By Resource tab for some rules.
- Fixed a bug to disable the 'Configure' button for Power users in the Conformity Administration > Users tab.
- Fixed a bug to enable users to apply a profile to over 1000 accounts at once.
- Fixed a bug that incorrectly allowed suppression of checks via the Public API without correctly setting one of the mandatory values in the request.
- Fixed a bug to remove an outdated Knowledge Base page for the rule - Route53-008.
- Fixed a bug with the drop down email selection to load all the available emails when configuring a scheduled report.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current
custom policy version is 1.37. Click here to access the current custom policy.
New Rules
GCP
- CloudSQL-020: Configure 'user connections' Flag for SQL Server Database Instances: This rule ensures that SQL Server database instances have the appropriate configuration set for the `user connections` flag.
- CloudSQL-021: Disable 'user options' Flag for SQL Server Instances: This rule ensures that the `user options` SQL Server flag is not configured.
- ComputeEngine-011: Enable Confidential Computing for Virtual Machine Instances: This rule ensures that Confidential Computing is enabled for virtual machine (VM) instances.
- ComputeEngine-010: Enable OS Login for GCP Projects: This rule ensures that the OS Login feature is enabled at the GCP project level.
- CloudLogging-008: Enable Project Ownership Assignments Monitoring: This rule ensures that GCP project ownership changes are being monitored using alerting policies.
AWS
- CF-012: CloudFront Content Distribution Network: This rule ensures that your websites/web applications are using the Amazon CloudFront Content Distribution Network (CDN) to secure the delivery of web content (media files and static resource files, e.g. .html, .css, .js).
Azure
- SQL-017: Enable Vulnerability Assessment for Microsoft SQL Servers: This rule ensures that Vulnerability Assessment is enabled for Microsoft SQL database servers.
- Network-016: Check for Unrestricted CIFS Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 445 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.
- Network-017: Check for Unrestricted HTTP Access: This rule ensures that Microsoft Azure Network Security Groups (NSGs) do not allow unrestricted access on TCP port 80 to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs.
Rule Updates
- Improved the following rules to take the `resource region` into account when producing check results:
- EC2-048: Reserved Instance Lease Expiration In The Next 7 Days
- EC2-049: Reserved Instance Lease Expiration In The Next 30 Days
- EC-004: ElastiCache Reserved Cache Node Lease Expiration In The Next 7 Days
- EC-005: ElastiCache Reserved Cache Node Lease Expiration In The Next 30 Days
- ES-015: ElasticSearch Node To Node Encryption
- ES-016: Elasticsearch Reserved Instance Lease Expiration in The Next 7 Days
- ES-017: Elasticsearch Reserved Instance Lease Expiration In The Next 30 Days
- RDS-010: RDS General Purpose SSD
- RDS-011: RDS Default Port
- RDS-014: RDS Reserved DB Instance Lease Expiration In The Next 7 Days
- RDS-015: RDS Reserved DB Instance Lease Expiration In The Next 30 Days
- S3-026: Enable S3 Block Public Access for S3 Buckets
- Updated the following rules to check for additional unrestricted inbound access scenarios on Azure Network Security Groups:
- Network-001: Check for Unrestricted RDP Access
- Network-002: Check for Unrestricted SSH Access
- Network-005: Check for Unrestricted FTP Access
- Network-006: Check for Unrestricted MySQL Database Access
- Network-007: Check for Unrestricted PostgreSQL Database Access
- Network-008: Check for Unrestricted MS SQL Database Access
- Network-009: Check for Unrestricted Oracle Database Access
- Network-010: Check for Unrestricted RPC Access
- CT-003: Publicly Accessible CloudTrail Buckets: We've improved how we evaluate the CloudTrail target bucket and its access policies.
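The new Network-016 and Network-017 rules and the "additional unrestricted inbound access scenarios" added to Network-001 through Network-010 all reduce to the same question: does any effective Allow rule on the NSG open a given TCP port to the whole Internet? The following Python is an added illustration of how such a check can be written, not Conformity's own rule logic. It walks rules in Azure priority order (lower number wins), treats `*`, `0.0.0.0/0`, `::/0` and the `Internet` service tag as "any source", expands `destinationPortRanges` lists and port ranges such as `440-450`, and stops when a higher-priority Deny already blocks the port for every source. The NSG document is constructed for this example and follows the shape of the ARM `securityRules` schema; the set of "any source" prefixes and the shadowing logic are this example's assumptions.

```python
"""Find NSG Allow rules that expose a port to the whole Internet.

Added example (not Conformity's implementation). Rule dictionaries follow the
Azure Resource Manager `securityRules` field names; the sample NSG is constructed.
"""

# Assumption: these source prefixes / service tags mean "anywhere on the Internet".
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}


def _ports(rule: dict) -> set:
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges", []))
    ranges = set()
    for item in raw:
        if not item:
            continue
        if item == "*":
            return {(0, 65535)}
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.add((int(lo), int(hi)))
        else:
            ranges.add((int(item), int(item)))
    return ranges


def _sources(rule: dict) -> set:
    """Collect sourceAddressPrefix and sourceAddressPrefixes, normalised to lower case."""
    raw = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes", []))
    return {s.strip().lower() for s in raw if s}


def _matches(rule: dict, port: int, protocol: str) -> bool:
    """True if the rule is Inbound, covers the protocol (or '*') and covers the port."""
    if rule.get("direction", "Inbound").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in {"*", protocol.lower()}:
        return False
    return any(lo <= port <= hi for lo, hi in _ports(rule))


def find_unrestricted_inbound(nsg: dict, port: int, protocol: str = "Tcp") -> list:
    """Return names of Allow rules that open `port` to any Internet source.

    Rules are evaluated in priority order (lower number first). A Deny rule that
    covers the port for any source shadows every later Allow for that port, so
    the scan stops there; a Deny scoped to a specific prefix does not.
    """
    rules = sorted(nsg.get("securityRules", []), key=lambda r: int(r["priority"]))
    exposed = []
    for rule in rules:
        if not _matches(rule, port, protocol):
            continue
        access = rule.get("access", "").lower()
        any_source = bool(_sources(rule) & ANY_SOURCE)
        if access == "deny" and any_source:
            break  # nothing of lower priority can reach this port from the Internet
        if access == "allow" and any_source:
            exposed.append(rule["name"])
    return exposed


# Constructed sample NSG: one plain open port, one range that hides 445 behind a
# list of prefixes, one RDP Allow shadowed by a Deny, and one properly scoped SSH rule.
SAMPLE_NSG = {
    "name": "web-nsg",
    "securityRules": [
        {"name": "allow-http-any", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
        {"name": "deny-rdp-all", "priority": 105, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        {"name": "allow-smb-range", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefixes": ["10.0.0.0/8", "Internet"],
         "destinationPortRanges": ["440-450", "3389"]},
        {"name": "allow-ssh-office", "priority": 120, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
        {"name": "allow-out", "priority": 130, "direction": "Outbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    ],
}

if __name__ == "__main__":
    for label, port in (("HTTP", 80), ("CIFS", 445), ("RDP", 3389), ("SSH", 22)):
        print(f"{label:5} {port:5} -> {find_unrestricted_inbound(SAMPLE_NSG, port)}")
```

Running the block flags `allow-http-any` for port 80 and `allow-smb-range` for port 445 (the range `440-450` plus the `Internet` tag in a prefix list is the kind of scenario a naive equality check on `destinationPortRange == "445"` misses), reports nothing for 3389 because `deny-rdp-all` has the lower priority number, and nothing for 22 because that rule is scoped to one /24.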
Rule Bug Fixes
- SecurityCenter-001 "Enable Microsoft Defender Standard Pricing Tier": Fixed a bug to take Microsoft Defender for Cloud (formerly Azure Security Center) service changes into account that were preventing the remediation of failed checks.