Updated Compliance Dashboard and New GCP and Azure Rules Available

Views:

May 17, 2022, Conformity—The following updates and features are now available with Conformity's latest release on 17 May 2022.

What's New

Updated the note below the Compliance level Comparison section on the Main Dashboard to clearly display the number of incomplete and onboarded accounts included in the comparison.

Bug Fixes

Fixed a bug in RTM, where the 'Read Only' users could view the Configure Rules button. The button is now visible to the authorised users only.

Fixed a bug where suppressing an Azure check was returning errors after a successful suppression.

Custom Policy Updates

There is no change to the custom policy as a result of the new deployment. The current custom policy version is 1.37.

Click here to access the current custom policy.

New Rules

GCP

CloudSQL-017: Disable 'remote access' Flag for SQL Server Database Instances: This rule ensures that the "remote access" SQL Server flag is set to "off".

CloudSQL-018: Disable 'log_statement_stats' Flag for PostgreSQL Database Instances: This rule ensures that the 'log_statement_stats' PostgreSQL database flag is set to `Off`.

CloudSQL-019: Disable 'external scripts enabled' Flag for SQL Server Database Instances: This rule ensures that the "external scripts enabled" SQL Server flag is set to `Off`.

BigQuery-002: Enable BigQuery Encryption with Customer-Managed Keys: This rule ensures that BigQuery dataset tables are encrypted using Customer-Managed Keys (CMKs).

ComputeEngine-009: Enable "Block Project-Wide SSH keys" Feature: This rule ensures that the Block Project-Wide SSH keys feature is enabled for all your virtual machine instances.

CloudLogging-001: Enable Monitoring for Bucket Permission Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GPC alerting policy that is triggered each time a Google Cloud Storage bucket permission change is made.

CloudLogging-002: Enable VPC Network Changes Monitoring: This rule ensures that VPC network route changes are being monitored using alerting policies.

CloudLogging-003: Enable VPC Network Changes Monitoring This rule ensures that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.

CloudLogging-004: Enable Monitoring for Custom Role Changes: This rule ensures that custom IAM role changes are being monitored using alerting policies.

CloudLogging-005: Enable Monitoring for SQL Instance Configuration Changes: This rule ensures that SQL instance configuration changes are being monitored using alerting policies.

CloudLogging-006: Enable Monitoring for Firewall Rule Changes: This rule ensures that each Google Cloud Platform (GCP) project has configured a GCP alerting policy that is triggered every time a Virtual Private Cloud (VPC) network firewall rule change is made.

CloudLogging-007: Enable Monitoring for Audit Configuration Changes: This rule ensures that GCP project audit configuration changes are being monitored using alerting policies.

CloudLogging-009: Export All Log Entries Using Sinks: This rule ensures that all the log entries generated for your Google Cloud projects are exported using sinks.

Azure

SecurityCenter-028: All Parameters for Microsoft Defender for Cloud Default Policy: This rule ensures that all the parameters supported by Microsoft Defender for Cloud default policy are enabled.

SecurityCenter-030: Enable Defender for Endpoint Integration with Microsoft Defender for cloud: This rule ensures that Defender for Endpoint – Defender for Cloud integration is enabled.

SecurityCenter-031: Enable Defender Microsoft Defender for Cloud Apps Integration: This rule ensures that Microsoft Defender for Cloud Apps integration is enabled.

SecurityCenter-032: Enable Azure Defender for Virtual Machine Servers: This rule ensures that Azure Defender is enabled for Azure virtual machine (VM) servers.

SecurityCenter-033 Enable Microsoft Defender for Cloud for App Service Instances: This rule ensures that Microsoft Defender for Cloud is enabled for Azure App Service instances.

SecurityCenter-034: Enable Microsoft Defender for Cloud for Key Vaults: This rule ensures that Microsoft Defender for Cloud is enabled for Azure key vault resources.

Rule Updates

IAM-013: MFA For IAM Users With Console Password: The rule now supports MFA events.

VirtualMachine-001: Enable Encryption for Boot Disk Volumes, VirtualMachine-002: Enable Encryption for Non-Boot Disk Volumes, VirtualMachine-003:Enable Encryption for Unattached Disk Volumes:

Updated the rules' names to clarify encryption in Azure Disk Encryption and the risk level from `High` to `Medium`.

Rule Bug Fixes

EC2-030: EC2 Instance Termination Protection: Fixed a bug where EC2-030 was returning checks for EC2 instances that are part of Auto Scaling groups.

CT-002: CloudTrail S3 Bucket Logging Enabled, CT-003: CloudTrail Bucket Publicly Accessible, CT-004: CloudTrail Bucket MFA Delete Enabled:

Fixed how we handle AWS CloudTrail resource data to address incorrect check results with the AWS rules CT-002, CT-003, and CT-004. We also improved how we evaluate CT-002 and CT-004, you may notice that old checks are removed and recreated.

Fixed a bug where Resource types were not displayed correctly in the View by Resource tab for some resources.