May 17, 2022, Conformity
The following updates and features are now available with Conformity's latest release on 17 May 2022.
What's New
  • Updated the note below the Compliance level Comparison section on the Main Dashboard to clearly display the number of incomplete and onboarded accounts included in the comparison.
Bug Fixes
  • Fixed a bug in RTM where 'Read Only' users could view the Configure Rules button. The button is now visible to authorised users only.
  • Fixed a bug where suppressing an Azure check was returning errors after a successful suppression.
Custom Policy Updates
There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37.
New Rules
GCP
  • CloudSQL-017: Disable 'remote access' Flag for SQL Server Database Instances: This rule ensures that the 'remote access' SQL Server flag is set to `off`.
  • CloudSQL-018: Disable 'log_statement_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_statement_stats' PostgreSQL database flag is set to `off`.
  • CloudSQL-019: Disable 'external scripts enabled' Flag for SQL Server Database Instances: This rule ensures that the 'external scripts enabled' SQL Server flag is set to `off`.
  • BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys: This rule ensures that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).
  • ComputeEngine-009: Enable "Block Project-Wide SSH keys" Feature: This rule ensures that the Block Project-Wide SSH keys feature is enabled for all your virtual machine instances.
  • CloudLogging-001: Enable Monitoring for Bucket Permission Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GCP alerting policy that is triggered each time a Google Cloud Storage bucket permission change is made.
  • CloudLogging-002: Enable VPC Network Changes Monitoring: This rule ensures that VPC network route changes are being monitored using alerting policies.
  • CloudLogging-003: Enable VPC Network Changes Monitoring: This rule ensures that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.
  • CloudLogging-004: Enable Monitoring for Custom Role Changes: This rule ensures that custom IAM role changes are being monitored using alerting policies.
  • CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes: This rule ensures that SQL instance configuration changes are being monitored using alerting policies.
  • CloudLogging-006: Enable Monitoring for Firewall Rule Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GCP alerting policy that is triggered every time a Virtual Private Cloud (VPC) network firewall rule change is made.
  • CloudLogging-007: Enable Monitoring for Audit Configuration Changes: This rule ensures that GCP project audit configuration changes are being monitored using alerting policies.
  • CloudLogging-009: Export All Log Entries Using Sinks: This rule ensures that all the log entries generated for your Google Cloud projects are exported using sinks.
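The three new CloudSQL rules above all reduce to the same check: read an instance's database flags and compare one flag against an expected value. The following is an added example, not Conformity's own code, that evaluates CloudSQL-017, CloudSQL-018 and CloudSQL-019 against an instance description shaped like the Cloud SQL Admin API instance resource (`databaseVersion`, `settings.databaseFlags`); the engine defaults applied when a flag is absent, and the sample instances, are this example's assumptions.

```python
from typing import Dict

# Added example (not Conformity's code). rule id -> (engine prefix of
# databaseVersion, flag name, expected value, ASSUMED engine default when the
# flag is not set explicitly on the instance).
RULES = {
    "CloudSQL-017": ("SQLSERVER", "remote access", "off", "on"),
    "CloudSQL-018": ("POSTGRES", "log_statement_stats", "off", "off"),
    "CloudSQL-019": ("SQLSERVER", "external scripts enabled", "off", "off"),
}


def _flags(instance: dict) -> Dict[str, str]:
    """Collect settings.databaseFlags as a lowercase name -> value map."""
    out: Dict[str, str] = {}
    for f in instance.get("settings", {}).get("databaseFlags", []) or []:
        out[str(f.get("name", "")).lower()] = str(f.get("value", "")).strip().lower()
    return out


def evaluate_cloudsql_flags(instance: dict) -> Dict[str, str]:
    """Return rule id -> SUCCESS/FAILURE for the rules that apply to this engine."""
    version = str(instance.get("databaseVersion", "")).upper()
    flags = _flags(instance)
    results: Dict[str, str] = {}
    for rule_id, (engine, flag, expected, default) in RULES.items():
        if not version.startswith(engine):
            continue  # rule is engine-specific; skip MySQL, etc.
        actual = flags.get(flag, default)  # absent flag -> assumed default
        results[rule_id] = "SUCCESS" if actual == expected else "FAILURE"
    return results


# Constructed sample instances (not real resources).
SQLSERVER_INSTANCE = {
    "name": "example-mssql",
    "databaseVersion": "SQLSERVER_2019_STANDARD",
    "settings": {"databaseFlags": [
        {"name": "remote access", "value": "on"},
        {"name": "external scripts enabled", "value": "off"},
    ]},
}
POSTGRES_INSTANCE = {
    "name": "example-pg",
    "databaseVersion": "POSTGRES_14",
    "settings": {"databaseFlags": [{"name": "log_statement_stats", "value": "On"}]},
}

if __name__ == "__main__":
    for inst in (SQLSERVER_INSTANCE, POSTGRES_INSTANCE):
        print(inst["name"], evaluate_cloudsql_flags(inst))
```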
Azure
  • SecurityCenter-028: All Parameters for Microsoft Defender for Cloud Default Policy: This rule ensures that all the parameters supported by Microsoft Defender for Cloud default policy are enabled.
  • SecurityCenter-030: Enable Defender for Endpoint Integration with Microsoft Defender for Cloud: This rule ensures that the integration between Defender for Endpoint and Defender for Cloud is enabled.
  • SecurityCenter-031: Enable Microsoft Defender for Cloud Apps Integration: This rule ensures that Microsoft Defender for Cloud Apps integration is enabled.
  • SecurityCenter-032: Enable Azure Defender for Virtual Machine Servers: This rule ensures that Azure Defender is enabled for Azure virtual machine (VM) servers.
  • SecurityCenter-033: Enable Microsoft Defender for Cloud for App Service Instances: This rule ensures that Microsoft Defender for Cloud is enabled for Azure App Service instances.
  • SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults: This rule ensures that Microsoft Defender for Cloud is enabled for Azure key vault resources.
Rule Updates
  • IAM-013: MFA For IAM Users With Console Password: The rule now supports MFA events.
  • VirtualMachine-001: Enable Encryption for Boot Disk Volumes, VirtualMachine-002: Enable Encryption for Non-Boot Disk Volumes, VirtualMachine-003: Enable Encryption for Unattached Disk Volumes: Updated the rules' names to clarify that they refer to Azure Disk Encryption, and changed the risk level from `High` to `Medium`.
Rule Bug Fixes
  • EC2-030: EC2 Instance Termination Protection: Fixed a bug where EC2-030 was returning checks for EC2 instances that are part of Auto Scaling groups.
  • CT-002: CloudTrail S3 Bucket Logging Enabled, CT-003: CloudTrail Bucket Publicly Accessible, CT-004: CloudTrail Bucket MFA Delete Enabled: Fixed how we handle AWS CloudTrail resource data to address incorrect check results for the AWS rules CT-002, CT-003, and CT-004. We also improved how we evaluate CT-002 and CT-004; as a result, you may notice that old checks are removed and recreated.
  • Fixed a bug where Resource types were not displayed correctly in the View by Resource tab for some resources.