November 04, 2021, Conformity—The following features and updates were released to Conformity on 4th November 2021.
  • The Custom Check API now enables a user to specify a TTL field to auto remove/expire their check.
  • The extra data for checks earlier available through the Get Check Details API and UI is now included in the 'Meta' column of CSV reports.
  • Improved the RTM EventBridge rule to exclude data events.
Bug Fixes
  • Fixed an issue with the Jira communication channel configuration where the ‘Save’ and the ‘Test’ buttons got stuck when testing against an invalid priority.
  • Improved the performance of the "Create Account" Public API; its response time is now reduced.
  • Added missing metadata, page number, and size to the payload response examples in the Checks API Reference documentation.
  • Fixed a bug to display corresponding ticketing channels while viewing checks for ‘All Cloud Accounts’.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.33. The permissions added are:
  • macie2:GetClassificationExportConfiguration
  • macie2:ListClassificationJobs
  • macie2:GetFindingStatistics
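The three permissions above are what custom policy version 1.33 adds. The following Python script is an added example, not Conformity's own tooling: it reads a deployed IAM policy document, reports which of the newly required Macie actions it does not yet allow (honouring IAM wildcard actions and explicit Deny statements), and produces an updated document with a new Allow statement for the gaps. The sample policy and the statement Sid are constructed for illustration.

```python
import fnmatch
import json

# Permissions added in custom policy version 1.33 (from the release note above).
NEW_PERMISSIONS = {
    "macie2:GetClassificationExportConfiguration",
    "macie2:ListClassificationJobs",
    "macie2:GetFindingStatistics",
}

# Constructed sample: a deployed custom policy that predates version 1.33
# and therefore still lacks two of the three Macie actions.
SAMPLE_DEPLOYED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "macie2:DescribeBuckets",
                "macie2:GetMacieSession",
                "macie2:GetClassificationExportConfiguration",
                "s3:GetBucketPolicyStatus",
            ],
            "Resource": "*",
        }
    ],
})


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy_doc, required):
    """Return the subset of `required` that the policy effectively allows.

    Action names are matched case-insensitively and IAM-style wildcards
    ('macie2:Get*', '*') are expanded against the required set. An action
    that matches any Deny statement is treated as not granted.
    """
    policy = json.loads(policy_doc)
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt:
            continue  # NotAction statements are out of scope for this check
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            target.update(
                action for action in required
                if fnmatch.fnmatchcase(action.lower(), pattern.lower())
            )
    return allowed - denied


def missing_permissions(policy_doc, required=NEW_PERMISSIONS):
    """Sorted list of required actions the policy does not grant."""
    return sorted(set(required) - granted_actions(policy_doc, required))


def add_missing_permissions(policy_doc, required=NEW_PERMISSIONS):
    """Return a new policy document with an Allow statement covering the gaps.

    The Sid is a placeholder chosen for this example. Resource "*" mirrors the
    read-only statements such policies typically use; scope it down if your
    policy does.
    """
    missing = missing_permissions(policy_doc, required)
    policy = json.loads(policy_doc)
    if missing:
        statements = _as_list(policy["Statement"])
        statements.append({
            "Sid": "ConformityCustomPolicy133Additions",  # example Sid
            "Effect": "Allow",
            "Action": missing,
            "Resource": "*",
        })
        policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("Missing:", missing_permissions(SAMPLE_DEPLOYED_POLICY))
    print(add_missing_permissions(SAMPLE_DEPLOYED_POLICY))
```

Running the script against the constructed policy reports `macie2:GetFindingStatistics` and `macie2:ListClassificationJobs` as missing and emits a document that grants them; re-running `missing_permissions` on the output returns an empty list.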
New Rules
AWS
  • S3-029: Amazon Macie Finding Statistics for S3: This rule captures summary statistics about Amazon Macie security findings on a per-S3 bucket basis.
  • Macie2-002: Amazon Macie Sensitive Data Repository: This rule ensures that a data repository bucket is defined for Amazon Macie within each AWS region.
  • Macie2-003: Amazon Macie Discovery Jobs: This rule ensures that Amazon Macie data discovery jobs are created and configured within each AWS region.
Azure
  • SecurityCenter-029: Configure Additional Email Addresses for Azure Security Center Notifications: This rule ensures that additional email addresses are provided to receive security notifications.
Rule Updates
  • SSM-003: Check for SSM Managed Instances: Updated the rule to no longer produce checks for EC2 Instances in 'Stopped' state.
  • IAM-054: IAM Configuration Changes: Added a new rule configuration for setting a regular expression matching the ARNs of users (IAMUser, AssumedRole or FederatedUser) whose activity will not be checked against this rule (e.g. ^(arn:aws:iam::\\d{12}:user\\/James-.+)$).
  • RTM-011: Unintended AWS API Calls Detected: This rule now supports ‘PasswordRecoveryRequested’, ‘PasswordRecoveryCompleted’, ‘PasswordUpdated’ root user events.
Updated Default Risk Levels for S3-026 and S3-027
We’ve updated the default risk levels for these rules to reduce alarm noise and provide more relevant notifications from the other S3 rules that do control exposure of a bucket to public access.
  • S3-026: Enable S3 Block Public Access for S3 Buckets - from 'Very High' to 'Medium'.
  • S3-027: Enable S3 Block Public Access for AWS Accounts - from 'Very High' to 'Low'.
An account admin can only use the S3 Block Public Access feature to restrict public access to a bucket; it cannot grant public access. Granting public access requires a bucket policy or an ACL that opens the bucket or access point. Failing the checks for rules S3-026 and S3-027 with a ‘Very High’ severity therefore overstates the exposure of the buckets in an account.
The severities of 'Medium' and 'Low' respectively provide a closer depiction of the exposure since the 'Very High' Severity rules S3-001, S3-002, S3-003, S3-004, S3-005, and S3-014 directly control public access to a bucket.
For more information see AWS documentation on Block Public Access and Access Control Block Public Access.
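The IAM-054 update above adds a user-ARN exclusion pattern to the rule configuration. The following Python script is an added example, not Conformity's implementation: it shows how such a pattern is stored JSON-escaped (which is why the release note shows doubled backslashes), decoded, and then applied to the `userIdentity.arn` of CloudTrail-style events so that only non-excluded activity is passed on for checking. The configuration key `excludedUserArns` and the sample events are constructed for illustration.

```python
import json
import re

# Constructed configuration fragment. The key name is hypothetical; the value is
# the example pattern from the IAM-054 note, JSON-escaped (r'' keeps the
# doubled backslashes literally, exactly as they would sit in a JSON file).
CONFIG_JSON = r'{"excludedUserArns": "^(arn:aws:iam::\\d{12}:user\\/James-.+)$"}'

# Constructed CloudTrail-style events (not real data). Only the fields this
# filter reads are populated.
SAMPLE_EVENTS = [
    {"eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/James-Bond"}},
    {"eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "PutRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/James-ci"}},
    {"eventName": "DeleteGroup",
     "userIdentity": {"type": "Root",
                      "arn": "arn:aws:iam::123456789012:root"}},
]


def load_exclusion_pattern(config_json):
    """Decode the JSON config and compile the exclusion regex.

    json.loads turns the escaped '\\\\d' into '\\d', which is what re expects.
    """
    pattern_text = json.loads(config_json)["excludedUserArns"]
    return re.compile(pattern_text)


def is_excluded(event, pattern):
    """True if the event's caller ARN matches the exclusion pattern.

    fullmatch is used so a trailing newline cannot slip past the '$' anchor.
    """
    arn = event.get("userIdentity", {}).get("arn", "")
    return pattern.fullmatch(arn) is not None


def events_to_check(events, config_json=CONFIG_JSON):
    """Return the events that still need to be evaluated against the rule."""
    pattern = load_exclusion_pattern(config_json)
    return [event for event in events if not is_excluded(event, pattern)]


if __name__ == "__main__":
    for event in events_to_check(SAMPLE_EVENTS):
        print(event["eventName"], event["userIdentity"]["arn"])
```

With the constructed input, only the `James-Bond` IAM user is excluded; the assumed-role session named `James-ci` is still checked because the pattern anchors on `arn:aws:iam::...:user/`, and the root event is checked as well.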
Bug Fixes
  • IAM-017: Unused IAM Group: Fixed a bug where RTM generated false positive check results for the IAM-017 rule.
  • Fixed a bug where duplicate notifications were generated for the following rules:
      • VirtualMachines-001: Enable Encryption for Boot Disk Volumes
      • VirtualMachines-002: Enable Encryption for Non-Boot Disk Volumes
      • VirtualMachines-003: Enable Encryption for Unattached Disk Volumes
  • Fixed a bug where EBS service retained stale checks for users with a large amount of EBS snapshots.
  • Fixed a bug where ELB related rules were not being triggered by RTM events.
  • Added support for the AWS KMS key resource and the DB instance resource in Terraform plans.
  • IAM-047: IAM Manager Roles: Fixed a bug where false negative checks were being generated for the rule.