April 08, 2022, Conformity—The following rules and updates will be available with Conformity's latest release on 12 April 2022.
Conformity will now support the new 'Sustainability' pillar
Conformity can now help customers benchmark and remediate their sustainability impact. The AWS Well-Architected Framework added the 'Sustainability' pillar in December 2021. We've updated our Rules, Reports, Checks filter, Compliance Level Comparison Table, and the Compliance Status Widget to align with the updated version of the AWS Well-Architected Framework.
API Updates
  • Conformity's public API is now also served from Trend Micro's domain.
  • Legacy users (those who signed up for Conformity in the 'us-west-2', 'ap-southeast-2', and 'eu-west-1' regions) won't be affected by this change.
  • Cloud One Conformity users can now use 'https://conformity.{region}.cloudone.trendmicro.com/api' to access Conformity's public APIs.
Custom Policy Updates
There are no changes to the custom policy as a result of the new deployment. The current custom policy version is 1.36. Click here to access the current custom policy.
New Rules
Azure
  • Monitor-007: Configure Diagnostic Setting Categories: This rule ensures that the diagnostic settings are configured to capture the appropriate categories.
  • Monitor-008: Enable Diagnostic Logs for the Supported Resources: This rule ensures that Diagnostic Logs are enabled for the supported Azure cloud resources.
AWS
  • EC2-077: Require IMDSv2 for EC2 Instances: This rule ensures that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2) when requesting instance metadata in order to protect against vulnerabilities that could be used to access the Instance Metadata Service (IMDS).
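To show what a check like EC2-077 evaluates, here is an added example (not Conformity's code) that inspects the JSON returned by `aws ec2 describe-instances` / boto3 `describe_instances()` and marks each instance SUCCESS or FAILURE depending on whether `MetadataOptions.HttpTokens` is `required`. The sample response is constructed, the instance IDs are placeholders, and treating an instance whose metadata endpoint is disabled as compliant is this example's assumption, not necessarily Conformity's behaviour.

```python
"""Evaluate EC2 instances for IMDSv2 enforcement (added example modelled on rule EC2-077).

Works on the describe-instances response shape, so it runs offline on the constructed
sample below; in practice you would feed it boto3's ec2.describe_instances() output.
"""
import json
from typing import Dict, Iterator, List

# Constructed sample response (placeholder instance IDs, not real infrastructure):
#   - i-0aaa111example enforces IMDSv2 (HttpTokens = required)
#   - i-0bbb222example still allows IMDSv1 (HttpTokens = optional)
#   - i-0ccc333example has the metadata endpoint disabled entirely
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaa111example",
       "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-0bbb222example",
       "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}}
    ]},
    {"Instances": [
      {"InstanceId": "i-0ccc333example",
       "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}}
    ]}
  ]
}
""")


def iter_instances(response: dict) -> Iterator[dict]:
    """Flatten the Reservations -> Instances nesting of a describe-instances response."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def check_imdsv2(instance: dict) -> str:
    """Return 'SUCCESS' when IMDSv2 is enforced for this instance, else 'FAILURE'."""
    opts = instance.get("MetadataOptions", {})
    # Assumption of this example: an instance with the metadata endpoint switched off
    # exposes no IMDS at all, so it is treated as compliant.
    if opts.get("HttpEndpoint") == "disabled":
        return "SUCCESS"
    # HttpTokens = 'required' means every metadata request must carry a session token,
    # i.e. IMDSv1 is refused.
    return "SUCCESS" if opts.get("HttpTokens") == "required" else "FAILURE"


def evaluate(response: dict) -> Dict[str, str]:
    """Map each InstanceId in the response to its check status."""
    return {inst["InstanceId"]: check_imdsv2(inst) for inst in iter_instances(response)}


def remediation_commands(response: dict) -> List[str]:
    """Build the AWS CLI command that enforces IMDSv2 on every failing instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} --http-tokens required"
        for iid, status in evaluate(response).items()
        if status == "FAILURE"
    ]


if __name__ == "__main__":
    for iid, status in evaluate(SAMPLE_DESCRIBE_INSTANCES).items():
        print(f"{iid}: {status}")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_INSTANCES):
        print("remediate:", cmd)
```

The remediation command is the real `modify-instance-metadata-options` CLI call; run it per failing instance after confirming nothing on that host still depends on IMDSv1.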
GCP
  • CloudDNS-001: Enable DNSSEC for Google Cloud DNS Zones: This rule ensures that the DNSSEC security feature is enabled for all your Google Cloud Domain Name System (DNS) managed zones.
  • CloudDNS-002: Check for DNSSEC Key-Signing Algorithm in Use: This rule ensures that the RSASHA1 signature algorithm is not used for DNSSEC key signing.
  • CloudAPI-002: Check for API Key Application Restrictions: This rule ensures that your Google Cloud API key usage is restricted to trusted hosts, HTTP referrers, or applications.
  • CloudAPI-003: Check for API Key API Restrictions: This rule ensures that API keys have restrictions in place to only allow access to specific APIs, and not general access to all GCP APIs.
  • CloudIAM-008: Rotate Google Cloud API Keys: This rule ensures that all the API keys created for your Google Cloud Platform (GCP) projects are regularly rotated.
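The two Cloud DNS rules above (CloudDNS-001 and CloudDNS-002) can be illustrated together. The following is an added example, not Conformity's own code: it evaluates managed-zone objects in the shape returned by `gcloud dns managed-zones describe --format=json` (the Cloud DNS API's `dnssecConfig.state` and `dnssecConfig.defaultKeySpecs[].keyType/algorithm` fields) and reports a status per rule. The sample zones are constructed; the decision to mark private zones and zones with DNSSEC off as NOT_APPLICABLE for the algorithm check is this example's assumption.

```python
"""Evaluate Google Cloud DNS managed zones for DNSSEC (added example modelled on
rules CloudDNS-001 and CloudDNS-002; not Conformity's code)."""
from typing import Dict, List

# Constructed sample zones (placeholder names, not real zones):
#   - zone-ok:      public, DNSSEC on, KSK uses rsasha256      -> passes both rules
#   - zone-weakksk: public, DNSSEC on, KSK uses rsasha1        -> fails CloudDNS-002
#   - zone-off:     public, DNSSEC off                         -> fails CloudDNS-001
#   - zone-private: private zone, DNSSEC not available         -> not applicable
SAMPLE_ZONES: List[dict] = [
    {"name": "zone-ok", "dnsName": "ok.example.", "visibility": "public",
     "dnssecConfig": {"state": "on", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha256", "keyLength": 1024}]}},
    {"name": "zone-weakksk", "dnsName": "weak.example.", "visibility": "public",
     "dnssecConfig": {"state": "on", "defaultKeySpecs": [
         {"keyType": "keySigning", "algorithm": "rsasha1", "keyLength": 2048},
         {"keyType": "zoneSigning", "algorithm": "rsasha256", "keyLength": 1024}]}},
    {"name": "zone-off", "dnsName": "off.example.", "visibility": "public",
     "dnssecConfig": {"state": "off"}},
    {"name": "zone-private", "dnsName": "corp.internal.", "visibility": "private"},
]

WEAK_KSK_ALGORITHMS = {"rsasha1"}


def check_dnssec_enabled(zone: dict) -> str:
    """CloudDNS-001: DNSSEC must be 'on' for public managed zones."""
    if zone.get("visibility") == "private":
        return "NOT_APPLICABLE"  # assumption: private zones cannot be DNSSEC-signed
    state = zone.get("dnssecConfig", {}).get("state", "off")
    return "SUCCESS" if state == "on" else "FAILURE"


def check_ksk_algorithm(zone: dict) -> str:
    """CloudDNS-002: the key-signing key must not use RSASHA1."""
    if check_dnssec_enabled(zone) != "SUCCESS":
        return "NOT_APPLICABLE"  # assumption: no active signing, nothing to assess
    for spec in zone.get("dnssecConfig", {}).get("defaultKeySpecs", []):
        if spec.get("keyType") == "keySigning" and spec.get("algorithm") in WEAK_KSK_ALGORITHMS:
            return "FAILURE"
    return "SUCCESS"


def evaluate_zones(zones: List[dict]) -> Dict[str, Dict[str, str]]:
    """Return {zone name: {rule id: status}} for every zone."""
    return {
        z["name"]: {
            "CloudDNS-001": check_dnssec_enabled(z),
            "CloudDNS-002": check_ksk_algorithm(z),
        }
        for z in zones
    }


def remediation_commands(zones: List[dict]) -> List[str]:
    """gcloud commands that turn DNSSEC on for zones failing CloudDNS-001.
    A weak KSK algorithm (CloudDNS-002) needs a key rollover rather than a
    single flag, so only a reminder is emitted for it."""
    cmds = []
    for name, result in evaluate_zones(zones).items():
        if result["CloudDNS-001"] == "FAILURE":
            cmds.append(f"gcloud dns managed-zones update {name} --dnssec-state=on")
        if result["CloudDNS-002"] == "FAILURE":
            cmds.append(f"# {name}: roll the key-signing key to a non-RSASHA1 algorithm")
    return cmds


if __name__ == "__main__":
    for name, result in evaluate_zones(SAMPLE_ZONES).items():
        print(name, result)
    print("\n".join(remediation_commands(SAMPLE_ZONES)))
```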
Rules Updates
  • SQL-005: Enable Transparent Data Encryption for SQL Databases: Updated the rule title to 'Enable Transparent Data Encryption for SQL Databases' for an appropriate representation of the best practice recommendation.
Rule Bug Fixes
  • Firehose-001: Firehose Delivery Stream Destination Encryption
  • Firehose-002: Enable Firehose Delivery Stream Server-Side Encryption
Fixed a bug where rule Firehose-001 did not link to its resources. Also, neither Firehose-001 nor Firehose-002 supported tags for Firehose Delivery Streams of the "DirectPut" delivery stream type.
  • Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys
Fixed a bug where Lambda-009 did not generate a SUCCESS check after the remediation steps had been followed to encrypt Lambda environment variables at rest using CMKs.