November 19, 2021, Conformity
The following features and updates were released to Conformity on 19th November 2021.
Conformity now available in the Terraform Provider Registry
Conformity is now supported as a Terraform provider, allowing you to provision and
manage your Conformity account settings via Terraform templates. The functionality
includes onboarding and managing AWS and Azure accounts, users, profiles and account
rule settings, reports, Conformity bot frequency, and communication channels.
GCP Account Onboarding
- You can now upload a service account key file while adding a GCP account, instead of using the copy-and-paste option.
- You can also view the number of existing GCP projects added to the service account.
Profiles - UX Improvements
- We’ve updated the ‘Apply to’ dialogue box to be more descriptive of the search function.
- We’ve also updated the Profile Summary page providing clarity around the ‘manually configured’ and ‘available to be configured’ rules.
- Additionally, we’ve added a ‘Rule Summary’ section under Rule Settings for individual accounts.
Bug Fixes
- Fixed a bug by updating the Communication Channel API endpoint to make it consistent with the UI.
- Fixed a bug where incomplete accounts were being displayed in the unmonitored account list on the All accounts tab in the Threat monitoring dashboard.
- Fixed a bug so that the Azure Conformity bot uses consistent region naming for filters and check results.
- Fixed a validation bug when creating or updating report configs via the API: every item in the email array is now checked, and the request is rejected if any entry has an invalid format.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current
custom policy version is 1.34.
The permission added is:
- config:SelectResourceConfig
New Rules
Azure
- ActiveDirectory-024: Enable Security Defaults: This rule ensures that the Security Defaults feature is enabled for Azure Active Directory (AAD) to help protect your organization from common attacks. It is a set of basic identity security mechanisms recommended by Microsoft and provided at no extra cost in Active Directory.
- ActiveDirectory-023: Restrict User Access to AAD Group Features in Azure Access Panel: This rule ensures that the ‘Restrict user ability to access groups features in the Access Panel’ setting is enabled to ascertain that non-privileged users are unable to create and manage security groups using the Azure Access Panel.
Rule Updates
- CS-001: AWS Custom Rule (ConfigService): This rule now allows you to assign the following categories to custom rules. If you have not configured a custom category, the default categories apply to all custom rules.
  - Security,
  - Reliability,
  - Performance Efficiency,
  - Cost Optimisation, and
  - Operational Excellence
- CloudFormation Rules: Updated the CloudFormation rules to generate a rule failure when a DENY NACL rule is ineffective because a higher-priority (lower-numbered) ALLOW rule is evaluated first.
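The ordering problem behind this rule update can be checked directly: network ACL entries are evaluated in ascending rule-number order and the first match wins, so a DENY whose traffic is already fully matched by an earlier ALLOW never takes effect. The following is an added example, not Conformity's own rule code, that walks a NACL's entries (constructed sample data in the shape of the EC2 DescribeNetworkAcls output, IPv4 only) and flags each DENY entry fully covered by a single earlier ALLOW on the same direction, protocol, CIDR and port range; a DENY shadowed only by the combination of several ALLOWs is not detected.

```python
import ipaddress

# Constructed sample NACL entries (not from the page). Protocol "-1" = all,
# "6" = TCP, "17" = UDP. 32767 is the default catch-all deny AWS appends.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "Egress": False},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny",          # shadowed by 100
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22},
     "Egress": False},
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny",           # evaluated before 100
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 3389, "To": 3389},
     "Egress": False},
    {"RuleNumber": 120, "Protocol": "17", "RuleAction": "deny",         # egress, 100 is ingress
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 53, "To": 53},
     "Egress": True},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "Egress": False},
]

DEFAULT_DENY_RULE = 32767  # the implicit "*" rule; expected to sit behind the allows


def _ports(entry):
    # An entry without a PortRange (e.g. protocol "-1") matches every port.
    pr = entry.get("PortRange")
    return (pr["From"], pr["To"]) if pr else (0, 65535)


def covers(allow, deny):
    """True when the ALLOW entry matches every packet the DENY entry would match."""
    if allow["Egress"] != deny["Egress"]:
        return False
    if allow["Protocol"] not in ("-1", deny["Protocol"]):
        return False
    a_net = ipaddress.ip_network(allow["CidrBlock"])
    d_net = ipaddress.ip_network(deny["CidrBlock"])
    if a_net.version != d_net.version or not d_net.subnet_of(a_net):
        return False
    a_lo, a_hi = _ports(allow)
    d_lo, d_hi = _ports(deny)
    return a_lo <= d_lo and d_hi <= a_hi


def shadowed_deny_rules(entries):
    """Return the rule numbers of DENY entries that can never take effect."""
    ordered = sorted(entries, key=lambda e: e["RuleNumber"])
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny["RuleAction"] != "deny" or deny["RuleNumber"] >= DEFAULT_DENY_RULE:
            continue
        earlier_allows = (e for e in ordered[:i] if e["RuleAction"] == "allow")
        if any(covers(a, deny) for a in earlier_allows):
            shadowed.append(deny["RuleNumber"])
    return shadowed
```

Running `shadowed_deny_rules(SAMPLE_ENTRIES)` on the constructed entries reports only rule 110, the inbound SSH DENY sitting behind the allow-all rule 100.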
Rule Bug Fixes
- RDS-005: RDS Encrypted With KMS Customer Master Keys: Fixed a bug where the rule generated false positives when databases were encrypted using AWS default keys.
- RDS-007: RDS Multi-AZ: Fixed a bug in RDS-007 so that no check is returned for Aurora Serverless DB clusters.
- Fixed a bug where RTM (Real-Time Threat Monitoring) did not generate checks for the following rules when an IAM role was created or updated:
  - IAM-50: Cross-Account Access Lacks External ID and MFA
  - IAM-057: Check for Untrusted Cross-Account IAM Roles