November 04, 2021, Conformity—The following features and updates were released to
Conformity on 4th November 2021.
- The Custom Check API now enables a user to specify a TTL field to auto remove/expire their check.
- The extra data for checks earlier available through the Get Check Details API and UI is now included in the 'Meta' column of CSV reports.
- We've improved the RTM EventBridge rule to exclude data events.
Bug Fixes
- Fixed an issue with the Jira communication channel configuration where the ‘Save’ and the ‘Test’ buttons got stuck when testing against an invalid priority.
- Improved the performance of the "Create Account" public API; response time is now reduced.
- Added missing metadata, page number, and size to the payload response examples in the Checks API Reference documentation.
- Fixed a bug to display corresponding ticketing channels while viewing checks for ‘All Cloud Accounts’.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current
custom policy version is 1.33. The permissions added are:
- macie2:GetClassificationExportConfiguration
- macie2:ListClassificationJobs
- macie2:GetFindingStatistics
New Rules
AWS
- S3-029: Amazon Macie Finding Statistics for S3: This rule captures summary statistics about Amazon Macie security findings on a per-S3 bucket basis.
- Macie2-002: Amazon Macie Sensitive Data Repository: This rule ensures that a data repository bucket is defined for Amazon Macie within each AWS region.
- Macie2-003: Amazon Macie Discovery Jobs: This rule ensures that Amazon Macie data discovery jobs are created and configured within each AWS region.
Azure
- SecurityCenter-029: Configure Additional Email Addresses for Azure Security Center Notifications: This rule ensures that additional email addresses are provided to receive security notifications.
Rule Updates
- SSM-003: Check for SSM Managed Instances: Updated the rule to no longer produce checks for EC2 Instances in 'Stopped' state.
- IAM-054: IAM Configuration Changes: Added a new rule configuration for setting a regular expression of ARNs for users (IAMUser, AssumedRole or FederatedUser) whose activity will not be checked against this rule (e.g. ^(arn:aws:iam::\\d{12}:user\\/James-.+)$).
- RTM-011: Unintended AWS API Calls Detected: This rule now supports ‘PasswordRecoveryRequested’, ‘PasswordRecoveryCompleted’, ‘PasswordUpdated’ root user events.
- Updated Default Risk Levels for S3-026 and S3-027
We’ve updated the default risk levels for these rules to reduce alarm noise and provide
more relevant notifications from the other S3 rules that do control exposure of a
bucket to public access.
- S3-026: Enable S3 Block Public Access for S3 Buckets - from 'Very High' to 'Medium'.
- S3-027: Enable S3 Block Public Access for AWS Accounts - from 'Very High' to 'Low'.
An account admin can only use the S3 Block Public Access feature to restrict public
access to a bucket; it cannot be used to grant public access. To grant public access,
they need a bucket policy or an ACL that opens a given access point or bucket.
Therefore, failing the checks for rules S3-026 and S3-027 with a 'Very High' severity
overstates the exposure of the buckets in an account.
The severities of 'Medium' and 'Low' respectively provide a closer depiction of the
exposure since the 'Very High' Severity rules S3-001, S3-002, S3-003, S3-004, S3-005,
and S3-014 directly control public access to a bucket.
For more information, see the AWS documentation on Block Public Access and Access Control Block Public Access.
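The reasoning above (Block Public Access can only restrict, while a policy or ACL is what actually grants public access) can be checked mechanically. The following is an added example, not Conformity's own rule code: it takes a bucket's Block Public Access settings, bucket policy and ACL in the shapes returned by the S3 GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl APIs (all sample inputs below are constructed) and reports whether the bucket is actually exposed, which is the distinction behind lowering the severity of S3-026 and S3-027.

```python
import json
from typing import Optional

# Constructed sample inputs (not taken from the release notes).
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_ALL_OFF = {k: False for k in BPA_ALL_ON}

PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
ACCOUNT_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}


def policy_grants_public_access(policy: dict) -> bool:
    """True if an Allow statement names the anonymous principal with no Condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if anonymous and not stmt.get("Condition"):
            return True
    return False


def acl_grants_public_access(acl: dict) -> bool:
    """True if the ACL grants anything to the AllUsers or AuthenticatedUsers groups."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI", "").endswith(
                ("/AllUsers", "/AuthenticatedUsers")):
            return True
    return False


def effective_exposure(block: dict, policy: Optional[dict], acl: Optional[dict]) -> str:
    """Classify a bucket as 'private', 'blocked' or 'public'.

    Block Public Access never grants anything: with no public policy and no public
    ACL the bucket is private whether or not the feature is on (the S3-026 case).
    When something does grant public access, RestrictPublicBuckets neutralises a
    public policy and IgnorePublicAcls neutralises public ACL grants.
    """
    via_policy = policy_grants_public_access(policy or {})
    via_acl = acl_grants_public_access(acl or {})
    if not via_policy and not via_acl:
        return "private"
    policy_blocked = (not via_policy) or bool(block.get("RestrictPublicBuckets"))
    acl_blocked = (not via_acl) or bool(block.get("IgnorePublicAcls"))
    return "blocked" if policy_blocked and acl_blocked else "public"


def evaluate_samples() -> dict:
    """Run the constructed scenarios; keys name the scenario, values the exposure."""
    return {
        "bpa_off_private_policy": effective_exposure(BPA_ALL_OFF, ACCOUNT_ONLY_POLICY, None),
        "bpa_off_public_policy": effective_exposure(BPA_ALL_OFF, PUBLIC_READ_POLICY, None),
        "bpa_on_public_policy": effective_exposure(BPA_ALL_ON, PUBLIC_READ_POLICY, None),
        "bpa_off_public_acl": effective_exposure(BPA_ALL_OFF, None, PUBLIC_ACL),
        "bpa_on_public_acl": effective_exposure(BPA_ALL_ON, None, PUBLIC_ACL),
    }


if __name__ == "__main__":
    for scenario, exposure in evaluate_samples().items():
        print(f"{scenario}: {exposure}")
```

The first scenario is the one the severity change addresses: S3-026 fails because Block Public Access is off, yet nothing grants public access, so the bucket is private. Only the "public" results correspond to real exposure, and those are what the 'Very High' rules S3-001 through S3-005 and S3-014 flag directly.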
Bug Fixes
- IAM-017: Unused IAM Group: Fixed a bug where RTM generated false-positive check results for the IAM-017 rule.
- Fixed a bug where duplicate notifications were generated for the following rules:
- VirtualMachines-001: Enable Encryption for Boot Disk Volumes
- VirtualMachines-002: Enable Encryption for Non-Boot Disk Volumes
- VirtualMachines-003: Enable Encryption for Unattached Disk Volumes
- Fixed a bug where EBS service retained stale checks for users with a large amount of EBS snapshots.
- Fixed a bug where ELB-related rules were not being triggered by RTM events.
- Added Terraform plan support for the AWS KMS key resource and the DB instance resource.
- IAM-047: IAM Manager Roles: Fixed a bug where false negative checks were being generated for the rule.