Google Cloud Platform (GCP) Preview, Compliance Reports, Customization, and New Rules Released

Views:

October 08, 2021, Conformity—The following feature and updates were released to Conformity on 8th October 2021.

Preview for Google Cloud Platform (GCP) Now Available!

You can now onboard Google Cloud Projects to Conformity as cloud accounts and scan to produce checks. All GCP projects onboarded to Conformity during the Preview period will be monitored free of charge. Please refer to the Rules section below for Rules included in the Preview release. For details see: Add a GCP Account.

Standards and Compliance Reports

We now support the CIS AWS Foundations v1.3 Compliance Standard reports including the Excel version.

We’ve also added the NIST CyberSecurity Framework compliance reporting for Azure.

New Rules Start Date

You can now customize 'New Rules Start Date' in both organization settings and account settings. Any rules released after this set date will be treated as new rules.

Download Report Summary as PNG

You can download Report Summary as a PNG image from Dashboard > Overview and click on the three dots next to Configured Reports > Export PNG.

CSV Reports Update

CSV reports will now include 'Check Id' and 'Link to resource' fields.

Checks API Update

Added a `consistentPagination` parameter in the Checks API that can be set to ‘false’ to get better performance at the cost of consistency when paginating.

Filter RTM Rules with Services API

Updated v1/services API to indicate which rules are supported by RTM. Here is an example of using 'jq' command to parse the v1/services endpoint response to filter RTM rules:

```

curl https://ap-southeast-2.cloudconformity.com/v1/services > conformityservices.json

cat conformityservices.json | jq '.included[] | select(.attributes.rtm==true)' > rtmrules.json

```

View all unmonitored accounts in the Threat Monitoring section

Conformity now displays all the accounts unmonitored by RTM on the Threat Monitoring section as compared to previously displaying up to 10 accounts only.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.32. Click here to access the latest custom policy.

Conformity Bot Updates

Improved Conformity Bot to prevent duplicate notifications or false positives due to throttling without a change in the customer resources. We applied this improvement to some AWS rules for EC2, Route-53, VPC, IAM, KMS, CWL, Inspector, Trusted Advisor, Sheild, EMR, WAF, Lambda, Organisations, Cloud Conformity, Secrets Manager, BackUp, and Well-Architected.

New Rules

The following new rules will be available with the Preview release of the Google Cloud Platform to Conformity.

CloudSQL-002: Enable Automated Backups for Cloud SQL Database Instances: This rule ensures that Cloud SQL database instances are configured with automated backups.

CloudSQL-003: Enable High Availability for Cloud SQL Database Instances: This rule ensures that the production SQL database instances are configured to automatically failover to another zone within the selected cloud region.

BigQuery-001: Check for Publicly Accessible BigQuery Datasets: This rule checks for publicly accessible Google Cloud BigQuery datasets.

CloudStorage-001: Check for Publicly Accessible Cloud Storage Buckets: This rule ensures that there are no publicly accessible Cloud Storage buckets within your Google Cloud Platform (GCP) account.

CloudVPC-001: Check for Unrestricted RDP Access: This rule ensures that there are no VPC firewall rules that allow unrestricted inbound access on TCP port 3389 (RDP).

CloudVPC-002: Check for Unrestricted SSH Access: This rule ensures that no VPC firewall rules allow unrestricted inbound access on TCP port 22 (SSH).

CloudVPC-003: Enable VPC Flow Logs for VPC Subnets: This rule ensures that the VPC Flow Logs feature is enabled for all VPC network subnets.

CloudIAM-001: Restrict Administrator Access for Service Accounts: This rule ensures that user-managed service accounts are not using administrator-based roles.

ComputeEngine-001: Check for Virtual Machine Instances with Public IP Addresses: This rule ensures that your Google Compute Engine instances are not configured to have external IP addresses to minimize their exposure to the Internet.

CloudKMS-001: Check for Publicly Accessible Cloud KMS Keys: This rule ensures that there are no publicly accessible KMS cryptographic keys available within your Google Cloud account.

Rule Updates

RTM-009: VPC Network Configuration Changes: This rule now supports an ‘allow list’ of users based on ARNs such that checks are not generated for users added to this list. The Supported user types are IAMUser, AssumedRole, and FederatedUser.

VPC-015: Ineffective Network ACL DENY Rules: Updated this rule to generate a rule failure if a DENY NACL rule is ineffective due to a higher priority ALLOW rule.

Route53-003: Route 53 Domain Transfer Lock: This rule has been updated to not check the transfer lock status of these domains as AWS does not support transfer lock for the following top-level domains:
“.ch”
“.co.nz”
“.co.za”
“.com.ar”
“.com.au”
“.de”
“.es”
“.eu”
“.fi”
1“.fr”
“.jp”
“.net.au”
“.net.nz”
“.nl”
“.it”
“.org.nz”
“.qa”
“.ru”
“.se”
“.uk”

Rules labeled as 'New' have been updated to 'Recently added'.

Rule Bug Fixes

The following VPC Network ACLs rules will no longer scan shared VPC and produce checks
VPC-010: Unrestricted Network ACL Outbound Traffic
VPC-011: Unrestricted Network ACL Inbound Traffic
VPC-015: Ineffective Network ACL DENY Rules
VPC-017: Unrestricted Inbound Traffic on Remote Server Administration Ports

Fixed a bug to prevent false positives from being generated for the following rules:
SNS-006 - SNS Topic Encrypted
SNS-007 - SNS Topic Encrypted With KMS Customer Master Keys