Contents 
What rules does Trend Vision One™ – Cloud Posture support?
Cloud Posture supports over
540
rules founded on cloud and security governance best practices, and
Compliance Standards.
Cloud Posture's rules cover the 6
categories of security and governance best practices:
-
Cost Optimisation
-
Operational Excellence
-
Reliability
-
Performance Efficiency
-
Sustainability
Rules are run against your cloud account services, resources, their settings, and
configurations.
What is the frequency of running the rules?
Cloud Posture rules are run:
Procedure
- Periodically on your added Accounts by the Cloud Posture Scan, or
What to do next
What rules are run?
Refer to Cloud Posture Knowledge Base
for all the rules supported by Cloud Posture.
- Is there any rule that looks for open access to all ports? Rule: EC2-001 (Security Group Port Range) checks for any range of open ports including all ports.
- Are all the rules in AWS Config included? We support every rule
in AWS Config as soon as they become available through
config:DescribeConfigRulesAPI
New Accounts
When an account is first added to Cloud Posture, a set of default rules
will be run on the account by the Cloud Posture Scan.
Rules configuration
Rules can be configured to better cater to your organisation's circumstances and
governance needs. Some rules require configuration before they can be run, and
all rules have configuration options including adjusting severity and
enabling/disabling.
See Rule
Configuration.
Rule settings
There are common rule settings (such as new rule behavior, and rule
configurations) that can be managed at the Cloud
Accounts level.
Anatomy of a rule
A Cloud Posture rule is run against an
AWS (or other Cloud Provider) or Cloud Posture Service. For example
Guard Duty, CloudTrail, Cloud Posture.
A full list of services can be found on the Knowledge
Base.
Cloud Posture runs Checks
for each Rule against the Service and or Service resources, the Rule belongs to.
Checks can fail or succeed and are captured by Cloud Posture's numerous reporting
tools.
Note: New rules or rules that are updated will be marked
accordingly for 10 days after the release.
Check summary
Provides a count for different check statuses. See Model:
Check for more info on each status.
Not scored
Some rules are documented by Cloud Posture but cannot be tested against your cloud infrastructure due to not being
applicable to cloud infrastructure or limitations of the data provided by the
cloud provider. Rules that cannot be tested are identified as Not
Scored. For more information see Model
Check.
Deprecated Rules
Rules marked for removal by Cloud Posture are identified as Deprecated Rules.
Why are rules marked for deprecation?
A Deprecated Rule has been identified for future removal because the
associated recommendation is either no longer valid, has been superseded by
another recommendation, or has been incorporated into another rule
recommendation.
How do I know a rule is deprecated?
The rule title and associated Knowledge Base page will reflect
whether a rule is deprecated. A warning message will display in an account's
Rule Settings and in Profile Settings if a rule
marked for deprecation has been configured.
What should I do if I have configured deprecated rules in an
account?
Deprecated Rules should be left with default settings in place. This
is important to avoid disruption on your account for when the rule is later
removed.
If a deprecated rule is configured in a Account Rule Settings, to
edit via the Dashboard:
Procedure
- Click on the account and navigate to Settings, Rule settings and click Update rule settings
- Search for the offending rule and click Configure
- In the rule settings window, click Reset to default
What to do next
What should I do if I have configured deprecated rules in a
Profile?
If a deprecated rule is configured in a Profile, to edit via the
Dashboard:
-
Click on the Profile
-
Search for the offending rule
-
Click the Reset button to remove any rule settings
-
When asked to if you are sure you want to remove the rule setting, click Yes, remove it
If you have any Profile JSON files stored elsewhere, remove all the
configurations connected to the deprecated rule and follow your normal
Profile update processes.
Rule Removal
After a rule has been deprecated for some time, we will remove the rule entirely
from the system. To ensure there is no disruption, do not forget to leave the
rule in the default state.
Rules supported by Real Time Monitoring
AWS
|
Service
|
Rules
|
|
Backup
|
Backup-001
|
|
CloudFormation
|
CFM-001, CFM-002, CFM-004, CFM-005, CFM-006, CFM-007
|
|
CloudFront
|
CF-002, CF-003, CF-004, CF-005, CF-006, CF-007, CF-008,
CF-009, CF-011
|
|
CloudTrail
|
CT-013
|
|
Config
|
Config-005
|
|
DynamoDB
|
DynamoDB-001, DynamoDB-003, DynamoDB-004, DynamoDB-005
|
|
EC2
|
EC2-001, EC2-002, EC2-003, EC2-004, EC2-005, EC2-006,
EC2-007, EC2-008, EC2-014, EC2-015, EC2-016, EC2-017,
EC2-020, EC2-021, EC2-022, EC2-023, EC2-024, EC2-025,
EC2-026, EC2-027, EC2-028, EC2-029, EC2-030, EC2-031,
EC2-032, EC2-033, EC2-034, EC2-035, EC2-036, EC2-038,
EC2-039, EC2-040, EC2-041, EC2-042, EC2-043, EC2-044,
EC2-045, EC2-046, EC2-047, EC2-053, EC2-055, EC2-056,
EC2-058, EC2-059, EC2-061, EC2-063, EC2-064, EC2-065,
EC2-066, EC2-069, EC2-070, EC2-071, EC2-072, EC2-073,
EC2-074, EC2-075
|
|
ECS
|
ECS-001
|
|
ELB
|
ELB-001, ELB-002, ELB-003, ELB-004, ELB-005, ELB-006,
ELB-007, ELB-008, ELB-009, ELB-010, ELB-011, ELB-012,
ELB-013, ELB-014, ELB-015, ELB-016, ELB-017, ELB-018,
ELB-021, ELB-022
|
|
GuardDuty
|
GD-003
|
|
IAM
|
IAM-001, IAM-002, IAM-003, IAM-004, IAM-005, IAM-006,
IAM-007, IAM-008, IAM-009, IAM-010, IAM-011, IAM-012,
IAM-013, IAM-016, IAM-017, IAM-018, IAM-019, IAM-020,
IAM-021, IAM-022, IAM-024, IAM-025, IAM-026, IAM-027,
IAM-028, IAM-029, IAM-033, IAM-038, IAM-044, IAM-045,
IAM-049, IAM-050, IAM-051, IAM-052, IAM-053, IAM-054,
IAM-056, IAM-057, IAM-058, IAM-059, IAM-060, IAM-062,
IAM-064, IAM-069, IAM-071, RTPM-001, RTPM-002, RTPM-003,
RTPM-005, RTPM-008, RTPM-010
|
|
KMS
|
KMS-007
|
|
Lambda
|
Lambda-001, Lambda-002, Lambda-003, Lambda-004, Lambda-005,
Lambda-006, Lambda-007, Lambda-009
|
|
Macie
|
Macie-002
|
|
Miscellaneous
|
Misc-001, RTPM-011
|
|
Organizations
|
Organizations-003
|
|
RDS
|
RDS-001, RDS-002, RDS-003, RDS-004, RDS-005, RDS-006,
RDS-007, RDS-008, RDS-009, RDS-010, RDS-011, RDS-012,
RDS-013, RDS-019, RDS-022, RDS-023, RDS-025, RDS-026,
RDS-030, RDS-031, RDS-032, RDS-033, RDS-034, RDS-035,
RDS-036, RDS-037, RDS-038, RDS-039, RDS-040, RDS-041,
RDS-042
|
|
Route53
|
Route53-009
|
|
Route53Domains
|
Route53Domains-001
|
|
S3
|
S3-001, S3-002, S3-003, S3-004, S3-005, S3-006, S3-007,
S3-008, S3-009, S3-010, S3-011, S3-012, S3-013, S3-014,
S3-015, S3-016, S3-017, S3-018, S3-019, S3-020, S3-021,
S3-022, S3-023, S3-024, S3-025, S3-026, S3-028
|
|
SecurityHub
|
SecurityHub-001
|
|
SSM
|
SSM-003
|
|
VPC
|
VPC-001, VPC-004, VPC-005, VPC-006, VPC-010, VPC-011,
VPC-012, VPC-013, VPC-014, VPC-015, VPC-016, RTPM-009
|
Azure
|
Service
|
Rules
|
|
Network
|
Network-014
|
|
Policy
|
Policy-001
|
|
SecurityCenter
|
SecurityCenter-026, SecurityCenter-027
|
|
Sql
|
Sql-016
|
GCP
|
Service
|
Rules
|
|
CloudIAM
|
CloudIAM-014
|
|
CloudKMS
|
CloudKMS-003
|
|
CloudStorage
|
CloudStorage-004
|
|
ComputeEngine
|
ComputeEngine-012
|
|
CloudSQL
|
CloudSQL-029
|
|
CloudDNS
|
CloudDNS-004
|
|
CloudLoadBalancing
|
CloudLoadBalancing-003
|
|
GKE
|
GKE-003
|
|
ResourceManager
|
ResourceManager-004
|
|
CloudPubSub
|
CloudPubSub-001
|
Cloud Posture
|
Service
|
Rules
|
|
User sign in
|
RTPM-004, RTPM-006
|
FAQs
Procedure
- **A rule is marked as "New" or "Updated" on Cloud Posture web interface. What does it mean?**Rules that are updated and new rules are marked as "Updated" and "New" for 10 days after the release. Updates include changes to rule behavior, bug fixes, improvements, new settings, changes to default settings, changes to default risk level, etc.
- **Why does an AssumeRole action trigger a failure for our blacklisted region rule?**Sometimes regions get picked up by the browser from the last session. Say the user’s last action was in us east 1. When the user next logs in, the console login may be us east 1 even if user normally logs in to eu west 1.
- Is there a rule to check for S3 buckets with static website hosting option turned on? I created a bucket with static website hosting turned on, and it didn't trigger any **violations.**Refer to the link: S3 Buckets with Website Configuration Enabled
- How are the AWS Inspector Findings risk levels calculated?AWS Inspector Findings risk levels are calculated in the following way:Inspector.severity = High; Cloud Posture risk level = HIGHInspector.severity = Medium; Cloud Posture risk level = MEDIUMInspector.severity = Low; Cloud Posture risk level = LOWOtherwise Cloud Posture risk level = LOW
- How are the GuardDuty Findings risk levels calculated?GuardDuty Findings risk levels are calculated in the following way:GuardDuty.level >=7.0; Cloud Posture risk level = HIGHGuardDuty.level >=4.0 & GuardDuty.level <=6.9; Cloud Posture risk level = MEDIUMOtherwise Cloud Posture risk level = LOW
- **How are the Macie Alerts risk levels calculated by Cloud Posture?**Macie Alerts risk levels are calculated in the following way:Macie.severity = Critical; Cloud Posture risk level = EXTREMEMacie.severity = High; Cloud Posture risk level = HIGHMacie.severity = Medium; Cloud Posture risk level = MEDIUMMacie.severity = Low; Cloud Posture risk level = LOWMacie.severity = Informational; Cloud Posture risk level = LOW
- **Adding several trusted accounts is a very time-consuming process. Is there a better way to do it?**If you are adding several trusted accounts, you can perhaps use the Cloud Posture API. Trusted accounts are part of Cross Account rules. Example here - https://www.cloudconformity.com/knowledge-base=96b226c5-530f-49eb-b89e-74625f50f5f0/aws/SQS/sqs-cross-account-access.htmlYou can use update rule setting endpoint - https://github.com/cloudconformity/documentation-api/blob/master/Accounts.md#update-rule-setting
- **We have experienced some issues with ACM Certificates expiring recently. It is my understanding that Cloud Posture has rules for 7 Days (ACM-002), 30 Days (ACM-003), and 45 days (ACM-004) before expiry. However, when I visit our dashboard and filter by the ACM service I can only see ACM-004. I just wanted to clarify whether Cloud Posture account is checking for all of the ACM certificate expiry rules. If they are being checked, is it possible for you to explain why am I unable to see them when filtering by ACM?**Only one of ACM Certificates Renewal rule - 2,3,4 generates a Check at any given time to avoid overlapa. ACM-002 Certificate will expire within 7 daysb. ACM-003 Certificate will expire between 7 and 30 daysc. ACM-004 Certificate will expire between 30 and 45 daysThe reason for producing one Check out of ACM-002, ACM-003, an ACM-004 at any given time is to avoid overlap and create a reliable conformity score:ACM-002 is high riskACM-003 is medium riskACM-004 is low riskBetween 45 and 30 days you receive a low risk Check; between 30 and 7 days you receive a medium risk Check; and eventually, between 7 days and expiry, you get a high risk Check.
- **Is there a rule to detect whether CloudTrail is configured to log to S3?**Yes. CloudTrail Enabled rule detects whether CloudTrail is configured to log to S3. S3BucketName is required for configuring a trail.
- Is it possible to check for log ons from users that aren’t whitelistedSign-In Events rule checks Sign-In Events for IAM and Federated Users. Also, the User signed in to AWS from an approved country rule detects a user authentication session from an unapproved country.
- **Is it possible to detect if an RDS Snapshot is shared publicly?**Yes. Amazon RDS Public Snapshots rule detects any public RDS snapshots.
- **Can we export cloudwatch logs from an EC2 instance and generate alerts?**Cloud Posture doesn’t have access to CloudWatch logs so we cannot generate alerts from of EC2 instances.
- Does RTPM-004 and RTPM-006 run for Trend users? The rules; RTPM-004 (Cloud Posture user has signed in without MFA) and RTPM-006 (Users signed in to Cloud Posture from an approved country) run for Standalone Cloud Posture only and do not run for Trend Vision One users.