December 15, 2022, Conformity—The following rules and updates are now available with Conformity's latest release on 15 December 2022.
Custom Policy Updates
The custom policy has been updated as a result of the new deployment. The new custom policy version is 1.39 and the permission added is:
  • `securityhub:DescribeHub`
Click here to access the new custom policy.
New Rule
AWS
SecurityHub-002: Security Hub Enabled: This rule ensures that the Amazon Security Hub service is enabled for your AWS accounts.
Rule Updates
  • Updated the following rules to improve error-handling and ensure that the checks are only generated in regions with security groups:
    • EC2-012: Security Group Excessive Counts
    • EC2-013: Security Group Large Counts
  • SQS-005: SQS Encrypted With KMS Customer Master Keys: Updated the rule to return a failure when the ‘Amazon SQS key (SSE-SQS)’ is selected as the encryption key type. The rule continues to ensure that your SQS queues use KMS customer-managed keys (CMKs) instead of AWS-managed keys (i.e. the default keys used in the absence of defined customer keys), giving you more granular control over the encryption and decryption of queue data.
  • Monitor-006: Activity Log Storage Encryption with Customer-Managed Key: Updated the rule to check storage container encryption for diagnostic settings in addition to log profiles. The rule ensures that your Microsoft Azure activity log storage container is encrypted with a Customer-Managed Key (CMK) to protect your activity log data at rest with a key from your own Azure key vault.
  • Updated the following AWS service-level rules to fix an error-handling issue and generate accurate checks when Conformity's permissions in certain AWS regions are restricted:
    • Lambda-005: Lambda Function With Admin Privileges
    • Lambda-006: Using An IAM Role For More Than One Lambda Function
    • SSM-003: Check for SSM Managed Instances
    • EC2-002: Unrestricted SSH Access
    • EC2-003: Unrestricted RDP Access
    • EC2-004: Unrestricted Oracle Access
    • EC2-005: Unrestricted MySQL Access
    • EC2-006: Unrestricted PostgreSQL Access
    • EC2-007: Unrestricted DNS Access
    • EC2-008: Unrestricted MsSQL Access
    • EC2-015: EC2 Instance Security Group Rules Counts
    • EC2-038: Unrestricted Telnet Access
    • EC2-039: Unrestricted SMTP Access
    • EC2-040: Unrestricted RPC Access
    • EC2-041: Unrestricted NetBIOS Access
    • EC2-042: Unrestricted FTP Access
    • EC2-043: Unrestricted CIFS Access
    • EC2-045: Unrestricted MongoDB Access
    • EC2-063: Unrestricted Elasticsearch Access
    • EC2-064: Unrestricted HTTP Access
    • EC2-065: Unrestricted HTTPS Access
    • EC2-074: Check for Unrestricted Redis Access
    • EC2-075: Check for Unrestricted Memcached Access
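The following is an added illustration, not Conformity's own code, of how a SecurityHub-002 style check can be evaluated with the `securityhub:DescribeHub` permission added above, and why the restricted-region error handling described in the rule updates matters: a region where Security Hub is not subscribed must be reported as a failure, while a region where the scanner itself lacks permission must be skipped rather than reported as a misconfiguration. The error codes, the `_StubClient` standing in for `boto3.client("securityhub", ...)`, and the sample account and regions are assumptions constructed for this example.

```python
"""Per-region 'Security Hub enabled' check in the spirit of SecurityHub-002 (illustrative)."""
from dataclasses import dataclass
from typing import Any, Callable, List


@dataclass
class RegionResult:
    region: str
    status: str  # "SUCCESS" (enabled), "FAILURE" (not enabled) or "SKIPPED" (not observable)
    detail: str


def _error_code(exc: Exception) -> str:
    # botocore's ClientError carries the service error code in exc.response;
    # read it duck-typed so this block also runs without botocore installed.
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def check_security_hub(region: str, make_client: Callable[[str], Any]) -> RegionResult:
    client = make_client(region)
    try:
        hub = client.describe_hub()  # needs securityhub:DescribeHub
    except Exception as exc:
        code = _error_code(exc)
        if code == "InvalidAccessException":  # assumed: account not subscribed in this region
            return RegionResult(region, "FAILURE", "Security Hub is not enabled")
        if code in ("AccessDeniedException", "UnauthorizedOperation"):
            # Scanner permissions are restricted here: do not fabricate a finding.
            return RegionResult(region, "SKIPPED", f"permission denied: {code}")
        raise
    return RegionResult(region, "SUCCESS", f"enabled: {hub.get('HubArn', '')}")


def check_all_regions(regions: List[str], make_client: Callable[[str], Any]) -> List[RegionResult]:
    return [check_security_hub(r, make_client) for r in regions]


# Constructed stub client and error; real use: lambda r: boto3.client("securityhub", region_name=r)
class _StubError(Exception):
    def __init__(self, code: str, msg: str):
        super().__init__(msg)
        self.response = {"Error": {"Code": code, "Message": msg}}


class _StubClient:
    def __init__(self, region: str):
        self.region = region

    def describe_hub(self):
        if self.region == "us-east-1":  # constructed: Security Hub enabled
            return {"HubArn": "arn:aws:securityhub:us-east-1:111122223333:hub/default"}
        if self.region == "eu-west-1":  # constructed: not subscribed
            raise _StubError("InvalidAccessException", "Account 111122223333 is not subscribed")
        raise _StubError("AccessDeniedException", "not authorized: securityhub:DescribeHub")


if __name__ == "__main__":
    for res in check_all_regions(["us-east-1", "eu-west-1", "ap-south-1"], _StubClient):
        print(f"{res.region}: {res.status} ({res.detail})")
```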