April 28, 2022, Conformity
The following rules and updates are now available with Conformity's latest release on 28 April 2022.
- We've updated the PCI DSS v3.2.1 standard to support the new AWS and Azure rules added to Conformity.
- You can now view the GCP Project ID for the GCP Account under Settings > Update General Settings.
Bug Fixes
- Fixed a bug with the API documentation to include descriptions for the fields appearing under the API endpoint.
- Fixed a bug with the check count statistics on the Evolution API to reflect the average number across bot runs instead of a cumulative number.
- Fixed a bug that stopped the Conformity bot from running successfully.
- Fixed a bug so that an error is displayed for unverified users when creating or updating an SMS or email channel via our public API.
- Fixed a bug to set the default cooldown value for an Auto Scaling group to 300 seconds when it is not specified in the CloudFormation template.
Custom Policy Updates
We've updated the custom policy as a result of the new deployment. The latest custom
policy version is 1.37 and the permissions added are:
- inspector:DescribeAssessmentTargets
- inspector:DescribeResourceGroups
- inspector:ListAssessmentTargets
- inspector:PreviewAgents
New Rules
Azure
- Monitor-009: Enable Exporting Activity Logs for Azure Cloud Resources: This rule ensures that exporting activity logs is enabled for each cloud resource within a subscription.
- StorageAccounts-019: Enable Logging for Azure Storage Blob Service: This rule ensures that storage logging is enabled for the Azure Storage Blob service.
- StorageAccounts-020: Enable Logging for Azure Storage Table Service: This rule ensures that storage logging is enabled for the Azure Storage Table service.
AWS
- EC2-078: Instances Scanned by Amazon Inspector: This rule ensures that every Amazon EC2 instance is included in at least one Amazon Inspector Classic assessment target, so that Inspector Classic can evaluate it for potential security issues and common vulnerabilities during assessment runs.
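The following is an added example, not Conformity's own rule code: an offline model of the EC2-078 check built on the Inspector Classic data that the custom policy v1.37 permissions (DescribeAssessmentTargets, DescribeResourceGroups) allow reading. It assumes the documented Inspector Classic semantics that a resource group selects instances carrying all of its tags and that a target without a resource group covers every instance in the region; the account ID, ARNs, instance IDs and tags are constructed placeholders.

```python
from typing import Dict, List


def instance_in_resource_group(instance_tags: Dict[str, str], group_tags: List[dict]) -> bool:
    # Inspector Classic resource groups select the instances carrying ALL of the group's tags.
    return all(instance_tags.get(t["key"]) == t["value"] for t in group_tags)


def ec2_078_uncovered(instances: Dict[str, Dict[str, str]], targets: List[dict],
                      resource_groups: Dict[str, List[dict]]) -> List[str]:
    """Return instance IDs that no assessment target would assess (EC2-078 failures).

    instances:       instance ID -> its tags (as returned by ec2:DescribeInstances)
    targets:         'assessmentTargets' items from inspector:DescribeAssessmentTargets;
                     a target without 'resourceGroupArn' covers every instance in the region
    resource_groups: resource group ARN -> its 'tags' list from inspector:DescribeResourceGroups
    """
    uncovered = []
    for instance_id, tags in instances.items():
        covered = any(
            "resourceGroupArn" not in target
            or instance_in_resource_group(tags, resource_groups[target["resourceGroupArn"]])
            for target in targets
        )
        if not covered:
            uncovered.append(instance_id)
    return sorted(uncovered)


def sample_findings() -> List[str]:
    """Run the check on constructed data (placeholder account ID and ARNs, not real resources)."""
    instances = {
        "i-0aaa": {"Env": "prod", "Inspect": "yes"},  # matches the resource group's tags
        "i-0bbb": {"Env": "prod"},                     # missing the Inspect tag -> not selected
        "i-0ccc": {"Env": "dev"},                      # wrong Env value -> not selected
    }
    group_arn = "arn:aws:inspector:us-east-1:111122223333:resourcegroup/0-EXAMPLE"
    targets = [{"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-EXAMPLE",
                "resourceGroupArn": group_arn}]
    resource_groups = {group_arn: [{"key": "Env", "value": "prod"},
                                   {"key": "Inspect", "value": "yes"}]}
    return ec2_078_uncovered(instances, targets, resource_groups)


if __name__ == "__main__":
    print("EC2-078 non-compliant instances:", sample_findings())  # ['i-0bbb', 'i-0ccc']
```

Instances that fall outside every resource group's tag set are the ones the rule reports, which is why tag drift on an instance silently removes it from Inspector Classic coverage.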
GCP
- CloudDNS-003: Check for DNSSEC Zone-Signing Algorithm in Use: This rule ensures that DNSSEC key signing does not use RSASHA1 as the signature algorithm for the Zone-Signing Key (ZSK) of your public DNS managed zone.
- CloudIAM-009: Configure Google Cloud Audit Logs to Track All Activities: This rule ensures that the Audit Logs feature is configured to record all service and user activities.
- CloudAPI-001: Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
Rules Updates
- ELBv2-003: ALB Security Policy
- ELBv2-009: Network Load Balancer Security Policy: Updated ELBv2-003 and ELBv2-009 to use the latest and most secure security policies.
- IAM-036: AWS IAM Users with Admin Privileges: Updated IAM-036 to show the policies attached to privileged IAM Users.