March 28, 2022, Conformity—The following features and updates are now available with Conformity's latest release on 28 March 2022.
  • Updated NIST 800-53 Rev5 Compliance & Conformity Report: We've updated the NIST 800-53 Rev5 Compliance & Conformity report to include rules and enhanced controls.
  • Updated Suppression Data Behaviour for Azure Accounts: We've fixed the suppression data behaviour for Azure accounts, where suppressed Azure checks disappeared when the check was recreated.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The current custom policy version is 1.36 and the permission added is: firehose:ListTagsForDeliveryStream. Click here to access the current custom policy.
New Rules
Azure
  • StorageAccounts-018: Account Encryption using Customer Managed Keys: This rule ensures that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e. default keys used by Microsoft Azure for data encryption), to have more granular control over your Azure Storage data encryption and decryption process.
AWS
  • Firehose-002: Firehose Delivery Stream Server-Side Encryption: This rule ensures that Kinesis Data Firehose delivery streams enforce Server-Side Encryption, ideally using Customer-Managed Keys (CMKs).
GCP
  • CloudIAM-007: Login Credentials In Use: This rule ensures the use of corporate login credentials instead of personal accounts such as Gmail accounts.
  • CloudStorage-002: Check for Enable Uniform Bucket-Level Access: This rule ensures that Google Cloud Storage buckets have uniform bucket-level access enabled. With this level of access, object access is controlled entirely through bucket-level permissions (IAM) to ensure uniform access to all the objects within a storage bucket.
Rules Updates
  • StorageAccounts-006: Disable Anonymous Access to Blob Containers
  • StorageAccounts-012: Enable Immutable Blob Storage
  • StorageAccounts-016: Check for Publicly Accessible Web Containers
  • StorageAccounts-017: Review Storage Accounts with Static Website Configuration
The rules now support exceptions by tags retrieved from Azure Blob Container Metadata.
  • Lambda-008: Enable Encryption in Transit for Environment Variables
  • Lambda-009: Enable Encryption at Rest for Environment Variables using Customer Master Keys
Updated the rules' names and descriptions to clearly specify encryption in transit and at rest.
  • IAM-054: IAM Configuration Changes: Updated this rule allowing you to change the severity for each IAM configuration event via rule settings.
Rules Bug Fixes
  • IAM-034: Valid IAM Identity Providers: We've improved how we handle IAM identity provider data and fixed an issue with remediating OpenID Connect identity providers to prevent false positives.
  • EBS-004: EBS Volumes Recent Snapshots
  • EBS-005: EBS Volumes Too Old Snapshots
We've updated the way we handle AWS EBS Volumes and EBS Volume Snapshots to improve the reliability and functionality of rules EBS-004 and EBS-005.
  • AG-001: APIs CloudWatch Logs
  • AG-002: APIs Detailed CloudWatch Metrics
  • AG-003: Tracing Enabled
  • AG-004: Content Encoding
  • AG-007: Private Endpoint
  • AG-008: Rotate Expiring SSL Client Certificates
  • AG-009: Enable Encryption for API Cache
  • AG-010: Enable API Cache
  • RG-001: Tags
Fixed a bug to resolve the throttling issue for API Gateway rules by reducing the API Gateway API call concurrency.