Compliance Content Updates

In this topic:

    JULY 01 - Compliance Updates

    New Rules

    Columns: Rule ID, Rule Name, Severity, Bundles

    D9.AWS.CRY.18  DynamoDB - Server Side Encryption  (High)
        Bundles: AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices

    D9.AWS.OPE.01  Lambda Functions must have an associated tag  (Medium)
        Bundles: AWS Dome9 Best Practices

    D9.AZU.AS.01  Instances outside of Europe  (High)
        Bundles: Azure GDPR Readiness

    D9.AZU.NET.29  Public AMI  (Medium)
        Bundles: AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2

    D9.AWS.AS.02  S3 Buckets outside of Europe  (High)
        Bundles: AWS GDPR Readiness

    D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP  ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet  (High)
        Bundles: AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.ELB.9090.TCP  ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet  (High)
        Bundles: AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.Instance.9090.TCP  Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet  (High)
        Bundles: AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP  NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet  (High)
        Bundles: AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP  ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope  (Medium)
        Bundles: AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.ELB.9090.TCP  ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope  (Medium)
        Bundles: AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.Instance.9090.TCP  Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope  (Medium)
        Bundles: AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP  NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope  (Medium)
        Bundles: AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    Changes to existing Rules

    Columns: Rule ID / Bundle ID, Change Description, Updated Field, Bundles Affected

    D9_AWS_NIST800534, D9_AZU_NIST800534, D9_GCP_NIST800534
        Change: Bundle titles and descriptions update: AWS/GCP/Azure NIST 800-53 Rev 4 updated to AWS/GCP/Azure NIST 800-53 Rev 4 (FedRAMP)
        Updated field: AWS NIST 800-53 Rev 4 (FedRAMP); Azure NIST 800-53 Rev 4 (FedRAMP); GCP NIST 800-53 Rev 4 (FedRAMP)
        Bundles affected: AWS NIST 800-53 Rev 4; Azure NIST 800-53 Rev 4; GCP NIST 800-53 Rev 4

    D9.AWS.LOG.12
        Change: Change to Description
        Updated field: Update title to "S3 bucket should have server access logging enabled"
        Bundles affected: AWS Dome9 Best Practices

    D9.GCP.NET.02
        Change: Changed Compliance tag to 'Operational'
        Bundles affected: GCP Dome9 Best Practices; GCP Dome9 Network Alerts; GCP PCI-DSS 3.2; GCP NIST 800-53

    D9.AWS.NET.AG#entity.port.protocol
        Change: Multiple Network Security Rules - URLs updated to Zendesk
        Bundles affected: AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53

    D9.AWS.CRY.04
        Change: Update to GSL
        Rule name: S3 Bucket should have encryption in transit for read actions
        New GSL:

            S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
            and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']]

        Bundles affected: AWS Dome9 S3 Bucket Security; AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53; AWS GDPR Readiness

    D9.AWS.CRY.14
        Change: Update to GSL
        Rule name: S3 Bucket should have encryption in transit for write actions
        New GSL:

            S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
            and policy.Statement contain [Action contain ['s3:PutObject'] or Action contain ['s3:*']]

        Bundles affected: AWS Dome9 S3 Bucket Security; AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53; AWS GDPR Readiness
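The D9.AWS.CRY.04 and D9.AWS.CRY.14 GSL above both look for a bucket policy statement with Effect=Deny and the condition Bool aws:SecureTransport=false, covering read (s3:GetObject) or write (s3:PutObject) actions, or s3:*. The Python below is an added example, not Dome9 code and not GSL; it applies the same check to an S3 bucket policy JSON document so the logic can be exercised offline against policies pulled from an account. It assumes the usual single-statement form of this control, in which the denying statement itself names the action (the two GSL clauses are written as independent `contain` checks), and every sample policy, account ID and bucket name in it is constructed for the example.

```python
import json

# Actions that satisfy the read (D9.AWS.CRY.04) and write (D9.AWS.CRY.14) variants,
# mirroring the Action filters in the two GSL rules. Compared case-insensitively,
# since IAM action names are not case-sensitive.
READ_ACTIONS = {"s3:getobject", "s3:*"}
WRITE_ACTIONS = {"s3:putobject", "s3:*"}


def _as_list(value):
    """IAM policy JSON allows a scalar or a list for Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True if the statement is Effect=Deny with Condition Bool aws:SecureTransport=false."""
    if stmt.get("Effect") != "Deny":
        return False
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    # Condition keys are case-insensitive; the value may be the string "false" or a JSON bool.
    for key, value in bool_cond.items():
        if key.lower() == "aws:securetransport":
            return any(str(v).lower() == "false" for v in _as_list(value))
    return False


def enforces_tls(policy, actions):
    """Return True if some Deny/aws:SecureTransport=false statement names any of `actions`."""
    wanted = {a.lower() for a in actions}
    for stmt in _as_list(policy.get("Statement")):
        if not _denies_insecure_transport(stmt):
            continue
        if {a.lower() for a in _as_list(stmt.get("Action"))} & wanted:
            return True
    return False


def evaluate_bucket_policy(policy):
    """Evaluate one bucket policy against both rules; True means the control is in place."""
    return {
        "D9.AWS.CRY.04 (read)": enforces_tls(policy, READ_ACTIONS),
        "D9.AWS.CRY.14 (write)": enforces_tls(policy, WRITE_ACTIONS),
    }


# Constructed sample policies (not taken from the page). The bucket name and
# account ID are placeholders.
_RESOURCES = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
_ALLOW_READ = {
    "Sid": "AllowReaderRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
}

# Deny on s3:* without TLS: satisfies both the read and the write rule.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    _ALLOW_READ,
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": _RESOURCES,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Deny only covers writes, so reads may still happen over plain HTTP.
WRITE_ONLY_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    _ALLOW_READ,
    {"Sid": "DenyInsecureWrites", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject"], "Resource": _RESOURCES,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# No Deny statement at all: both rules report the control as missing.
NO_DENY_POLICY = {"Version": "2012-10-17", "Statement": [_ALLOW_READ]}


def main():
    for name, policy in [("compliant", COMPLIANT_POLICY),
                         ("write-only deny", WRITE_ONLY_DENY_POLICY),
                         ("no deny", NO_DENY_POLICY)]:
        # Round-trip through json to mimic a policy document fetched from the API.
        print(name, evaluate_bucket_policy(json.loads(json.dumps(policy))))


if __name__ == "__main__":
    main()
```

A policy fetched with `aws s3api get-bucket-policy` arrives as a JSON string inside the `Policy` field; passing `json.loads` of that string to `evaluate_bucket_policy` is the only adaptation needed. The check deliberately ignores `Resource` and `Principal`, as the GSL does, so a Deny scoped to a subset of the bucket's keys would still count; tightening that is a reasonable local extension.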