Compliance Content Updates

In this topic:

    March 07 - Compliance Updates

    New Compliance Frameworks (Bundles)

    Bundle ID Bundle Name
    D9_AZU_HIPAA Azure HIPAA
    D9_AZU_SOC2 Azure Dome9 SOC2 based on AICPA TSC 2017
    D9_GCP_SOC2 GCP Dome9 SOC2 based on AICPA TSC 2017
    D9_AWS_SOC2 AWS Dome9 SOC2 based on AICPA TSC 2017

    New Rules

    Rule ID Rule Name Severity Description Affected Bundles
    D9.AWS.CRY.25.PCI Ensure ElastiCache for Memcached is not in use in AWS PCI DSS environments High Amazon ElastiCache for Memcached is not included in this AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. AWS PCI-DSS 3.2
    D9.AWS.CRY.26.PCI Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements High Amazon ElastiCache for Memcached is not included in this AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. AWS PCI-DSS 3.2

    March 07 rule changes - click here

    January 3 - Compliance Updates

    Rules Removed

    Rule ID Rule Name Severity Description Affected Bundles
    D9.AWS.CRY.18 DynamoDB data at rest has server side encryption (SSE) High Verify that AWS DynamoDB storage at rest is encrypted using Server-Side Encryption (SSE).
    AWS Dome9 Serverless Architectures Security
    AWS Dome9 Best Practices - Sample
    AWS HIPAA
    AWS CSA CCM v.3.0.1
    AWS NIST CSF v1.1
    AWS ISO 27001:2013
    AWS PCI-DSS 3.2
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS Dome9 Best Practices

    Changes to existing Rules

    Rule ID Rule Name Severity Updated Fields Affected Bundles
    D9.GCP.NET.AG4.VMInstance.22.TCP VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet High description
    GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices - Sample
    GCP ISO 27001:2013
    GCP NIST CSF v1.1
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.AG4.VMInstance.3389.TCP VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet High description
    GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices - Sample
    GCP ISO 27001:2013
    GCP NIST CSF v1.1
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.AG4.VMInstance.9090.TCP VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High description
    GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices - Sample
    GCP ISO 27001:2013
    GCP NIST CSF v1.1
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.22.TCP VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope Medium description
    GCP Dome9 Best Practices - Sample
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.3389.TCP VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope Medium description
    GCP Dome9 Best Practices - Sample
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.9090.TCP VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium description
    GCP Dome9 Best Practices - Sample
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.AWS.CRY.16 Use secure ciphers in CloudFront distribution High logic
    AWS HIPAA
    AWS CSA CCM v.3.0.1
    AWS NIST CSF v1.1
    AWS ISO 27001:2013
    AWS PCI-DSS 3.2
    AWS NIST 800-53 Rev 4
    AWS Dome9 Best Practices


    December 3 - Compliance Updates

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AWS.VLN.03 Amazon GuardDuty service is enabled Medium AWS Dome9 Best Practices

    Rules Removed

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.CRY.07 Ensure that 'Storage service encryption' is enabled for the Blob Service High
    Azure NIST 800-53 Rev 4
    Azure PCI-DSS 3.2
    Azure ISO 27001:2013
    Azure GDPR Readiness
    Azure NIST CSF v1.1
    Azure Dome9 Best Practices
    D9.AZU.CRY.08 Ensure that 'Storage service encryption' is enabled for the File Service High
    Azure NIST 800-53 Rev 4
    Azure PCI-DSS 3.2
    Azure ISO 27001:2013
    Azure GDPR Readiness
    Azure NIST CSF v1.1
    Azure Dome9 Best Practices

    Changes to existing Rules

    December 03 rule changes - click here

    November 25 - Compliance Updates

    New Bundles

    Bundle Name Description
    D9_GCP_CIS100 GCP CIS Foundations v. 1.0.0
    D9_AWS_SERVERLESS AWS Dome9 Serverless Architectures Security


    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.GCP.NET.11 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance High GCP Dome9 Best Practices - Sample
    GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.IAM.02 Ensure that corporate login credentials are used instead of Gmail accounts High GCP Dome9 Best Practices - Sample
    GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP CSA CCM v.3.0.1
    GCP Dome9 Best Practices
    D9.GCP.CRY.02 Ensure "Block Project-wide SSH keys" enabled for VM instances High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.CRY.03 Ensure oslogin is enabled for a Project High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.CRY.04 Ensure oslogin is enabled for a Virtual Machine High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.IAM.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP CSA CCM v.3.0.1
    GCP Dome9 Best Practices
    D9.GCP.NET.12 Ensure that SSH access is restricted from the internet High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.13 Ensure that RDP access is restricted from the internet High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.14 Ensure Private Google Access is enabled for all subnetwork in VPC Network High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.AWS.IAM.43 S3 bucket should have versioning MFA delete enabled High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS NIST CSF v1.1
    D9.AWS.CRY.24 AWS Kinesis Server data at rest has server side encryption (SSE) High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.21 AWS Kinesis streams are encrypted with KMS customer master keys High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.20 AWS Kinesis Streams Keys are rotated Medium AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.IAM.46 Lambda Functions with Admin Privileges are not created High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.22 Ensure that your Amazon EFS file systems are encrypted High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.23 Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.IAM.45 Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role Medium AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.AS.03 Lambda Functions must have an associated tag Medium AWS Dome9 Best Practices - Sample
    AWS ISO 27001:2013
    AWS Dome9 Best Practices
    D9.AWS.AS.04 Amazon EFS must have an associated tag Low AWS ISO 27001:2013
    AWS Dome9 Best Practices

    Changes to existing Rules

    November 25, 2018 Rules Changes - click here

    September 27 - Compliance Updates

    New Bundles

    Bundle Name  Description
    AWS NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for AWS
    GCP NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for GCP
    Azure NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for Azure

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.CRY.02 Ensure that logging for Azure KeyVault is 'Enabled' High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.12 Ensure that the expiry date is set on all Keys High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.13 Ensure that the expiry date is set on all Secrets High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.01 Ensure that KeyVault is in Use Low Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AWS.LOG.14 Ensure VPC Flow Logging is Enabled in all Applicable Regions High AWS HIPAA
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST 800-53 Rev 4
    AWS Dome9 Best Practices
    D9.GCP.LOG.01 Bucket should have logging enabled High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.GCP.NET.09 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.GCP.NET.10 Ensure that there are no publicly accessible objects in storage buckets High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices

    Deleted Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.MON.04 Ensure that 'Threat Detection types' is set to 'All' Medium Azure CIS Foundations v. 1.0.0
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AWS.NET.21 Ensure VPC Flow Logging is Enabled in all Applicable Regions High AWS GDPR Readiness
    AWS Dome9 Network Alerts
    AWS Dome9 Best Practices
    D9.GCP.NET.02 Asset is not labeled Medium GCP Dome9 Network Alerts

    Changes to existing Rules

    September 27, 2018 Rules Changes - click here

    September 03 - Compliance Updates

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.GCP.NET.06 Unused firewall rules Medium GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.GCP.NET.07 Global Firewall rule that allows all traffic High GCP PCI-DSS 3.2
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.GCP.CRY.01 Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) High GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.AWS.IAM.17.HIPAA Ensure MFA is enabled for the 'root' account High AWS HIPAA
    D9.GCP.NET.08 Disable IP forwarding while creating instances High GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.AWS.CRY.19 ECS Cluster At-Rest Encryption High AWS PCI-DSS 3.2
    D9.AWS.NET.31 ECS Cluster should not have services without running tasks Medium AWS Dome9 Network Alerts
    D9.AWS.NET.33 ECS Cluster should not have running container instances with unconnected agents High AWS Dome9 Network Alerts
    D9.AWS.NET.34 Ensure that at least one instance is registered with an ECS Cluster Medium AWS Dome9 Network Alerts

    Deleted Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.CRY.01 Ensure that 'SQL Encryption' is set to 'On' High
    Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure Dome9 Best Practices
    D9.AZU.MON.01 Ensure that 'SQL auditing & Threat detection' is set to 'On' Medium
    Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure Dome9 Best Practices
    D9.AWS.IAM.17 Ensure VIRTUAL MFA is enabled for the "root" account High AWS HIPAA
    D9.AWS.NET.22 Process for Security Group Management - Detection of new Security Groups Medium AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS Dome9 Network Alerts

    Changes to existing Rules

    September 03, 2018 Rules Changes - Click Here

    August 06 - Compliance Updates

    New Bundles

    AWS ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for AWS
    Azure ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for Azure
    GCP ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for GCP

    New Rules

    Rule ID Rule Name Affected Bundles
    D9.AWS.LOG.13 ELB is created with Access logs enabled AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS ISO 27001:2013
    D9.AWS.NET.30 ECS Cluster should have active services AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS Dome9 Network Alerts
    D9.AWS.NET.31 ECS Cluster should not have services without running tasks AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.NET.32 ECS Cluster instances must be placed in a VPC AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS Dome9 Network Alerts
    D9.AWS.NET.33 ECS Cluster should not have running container instances with unconnected agents AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.CRY.19 ElastiCache At-Rest Encryption AWS NIST 800-53
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.NET.34 Ensure that at least one instance is registered with an ECS Cluster AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 

    Changes to existing Rules

    Rule ID/Bundle ID Rule Name Change Description
    D9.AWS.IAM.16 Ensure no root account access key exists A1.2.a and 10.2 controls mapping added to PCI bundle
    D9.AWS.IAM.17 Ensure VIRTUAL MFA is enabled for the "root" account 10.2.2 control mapping added to PCI bundle
    D9.AWS.IAM.18 Ensure HARDWARE MFA is enabled for the 'root' account 10.2.2 control mapping added to PCI bundle
    D9.AWS.LOG.02 Ensure CloudTrail log file validation is enabled 10.2.3 control mapping added to PCI bundle
    D9.AWS.LOG.01 Ensure CloudTrail is enabled in all regions 10.2.1, 10.2.4, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 controls mapping added to PCI bundle
    D9.AWS.MON.05 Ensure a log metric filter and alarm exist for CloudTrail configuration 10.2.6 controls mapping added to PCI bundle
    D9.AWS.IAM.27
    D9.AWS.IAM.40
    D9.AWS.IAM.36
    D9.AWS.IAM.37
    D9.AWS.IAM.38
    D9.AWS.IAM.39
    D9.AWS.IAM.41
    D9.AWS.IAM.29
    D9.AWS.IAM.44
    D9.AWS.IAM.28
    D9.AWS.IAM.31
    D9.AWS.IAM.30
    D9.AWS.IAM.35
    D9.AWS.IAM.34
    D9.AWS.IAM.33
    D9.AWS.IAM.32
    Ensure IAM policies that allow full "*:*" administrative privileges are not created
    S3 bucket should not allow all actions from all principals
    S3 bucket should not allow delete actions from all principals
    S3 bucket should not allow get actions from all principals
    S3 bucket should not allow list actions from all principals
    S3 bucket should not allow put actions from all principals
    S3 bucket should not allow put or restore actions from all principals
    S3 bucket should not be world-listable
    IAM Users - with Inline IAM Policies applied
    S3 bucket should not be world-listable from anonymous users
    S3 bucket should not be world-writable
    S3 bucket should not be world-writable from anonymous users
    S3 bucket should not have world-readable permissions
    S3 bucket should not have world-readable permissions from anonymous users
    S3 bucket should not have world-writable permissions
    S3 bucket should not have writable permissions from anonymous users
    §164.308(a)(4)(i) controls mapping added to HIPAA bundle
    D9.AZU.IAM.01
    D9.AZU.NET.05
    D9.AZU.NET.06
    D9.AZU.NET.07
    D9.AZU.NET.15
    D9.AZU.NET.16
    SQL Server Active Directory Administrators
    Change Control for Network Security Group Configuration
    Unused Network Security Groups
    Virtual Machine and Subnet without attached Network Security Group, VM is accessible from the internet
    Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
    Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
    Security Group updated to Network Security Group
    D9.AWS.NET.29 Public AMI D9.AZU.NET.29 ID changed to D9.AWS.NET.29
    D9.AWS.CRY.01
    D9.AWS.CRY.02
    D9.AWS.CRY.03
    D9.AWS.CRY.04
    D9.AWS.CRY.05
    D9.AWS.CRY.06
    D9.AWS.CRY.07
    D9.AWS.CRY.08
    D9.AWS.CRY.09
    D9.AWS.CRY.10
    D9.AWS.CRY.11
    D9.AWS.CRY.12
    D9.AWS.CRY.13
    D9.AWS.CRY.14
    D9.AWS.CRY.15
    D9.AWS.CRY.16
    D9.AWS.CRY.17
    Use encrypted storage for instances that might host a database.
    ELB is setup with SSL for secure communication
    S3 Buckets Server Side Encryption At Rest
    S3 Buckets Secure Transport (SSL)
    Encrypted RDS storage
    Remove Weak Ciphers for ELB
    ELB - Recommended SSL/TLS protocol version
    SSL/TLS certificates expire in one week
    SSL/TLS certificates expire in one month
    ELB secured listener certificate expires in one week
    ELB secured listener certificate expires in one month
    ALB secured listener certificate expires in one week
    ALB secured listener certificate about to expire in one month
    Use encryption for S3 Bucket write actions
    Use KMS CMK customer-managed keys for Redshift clusters
    Use secure ciphers in CloudFront distribution
    Use encrypted connection between CloudFront and origin server

    Wording Changes

    Updated Rule Names, Description and Remediation Fields

    D9.AWS.IAM.43 S3 bucket should have versioning MFA delete enabled, updated GSL to: S3Bucket should have versioning.mfaDelete=true GSL Bug Fix
    D9.AWS.CRY.16 GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%' GSL Bug Fix
    D9.AWS.MON.02 GSL updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0] GSL Bug Fix

    July 01 - Compliance Updates

    New Rules

    D9.AWS.CRY.18 DynamoDB - Server Side Encryption High AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices  
    D9.AWS.OPE.01 Lambda Functions must have an associated tag Medium AWS Dome9 Best Practices 
    D9.AZU.AS.01 Instances outside of Europe High Azure GDPR Readiness
    D9.AZU.NET.29 Public AMI Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    D9.AWS.AS.02 S3 Buckets outside of Europe High AWS GDPR Readiness

    D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.ELB.9090.TCP ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.Instance.9090.TCP Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.ELB.9090.TCP ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.Instance.9090.TCP Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    Changes to existing Rules

    Rule ID/Bundle ID Change Description Updated Field Bundles Affected
    D9_AWS_NIST800534
    D9_AZU_NIST800534
    D9_GCP_NIST800534
    Bundle Titles and Descriptions update:
    AWS/GCP/Azure NIST 800-53 Rev 4 updated to AWS/GCP/Azure NIST 800-53 Rev 4 (FedRAMP)
    AWS NIST 800-53 Rev 4 (FedRAMP)
    Azure NIST 800-53 Rev 4 (FedRAMP)
    GCP NIST 800-53 Rev 4 (FedRAMP)
    AWS NIST 800-53 Rev 4
    Azure NIST 800-53 Rev 4
    GCP NIST 800-53 Rev 4
    D9.AWS.LOG.12 Change to Description Update title to "S3 bucket should have server access logging enabled" AWS Dome9 Best Practices
    D9.GCP.NET.02 Changed Compliance tag to 'Operational' GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    GCP PCI-DSS 3.2
    GCP NIST 800-53

    D9.AWS.NET.AG#entity.port.protocol Multiple Network Security Rules - URLs updated to Zendesk AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    D9.AWS.CRY.04 Update to GSL

    Rule Name:

    S3 Bucket should have encryption in transit for read actions

    NEW GSL:

    S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
    and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']]

    AWS Dome9 S3 Bucket Security
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    AWS GDPR Readiness
    D9.AWS.CRY.14 Update to GSL

    Rule Name:

    S3 Bucket should have encryption in transit for write actions

    NEW GSL:

    S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
    and policy.Statement contain [Action contain ['s3:PutObject'] or Action contain ['s3:*']]

    AWS Dome9 S3 Bucket Security
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    AWS GDPR Readiness
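The updated GSL for D9.AWS.CRY.04 and D9.AWS.CRY.14 above expresses the same bucket-policy pattern for reads and writes: a Deny statement conditioned on aws:SecureTransport being false that covers s3:GetObject (or s3:PutObject), or the wildcard s3:*. The following is an added example, not Dome9's GSL engine or any code from the page, that evaluates that pattern over bucket policy JSON. The three sample policies, the bucket name and the account id are constructed for illustration; the evaluation is deliberately simplified (it ignores Resource, Principal and NotAction, so a real policy evaluator would be stricter).

```python
"""Check whether an S3 bucket policy enforces encryption in transit (TLS) for
read and write actions, in the spirit of the D9.AWS.CRY.04 / D9.AWS.CRY.14 rules.
Added example; sample policies below are constructed, not taken from the page."""
import json

# Constructed: a single Deny on s3:* when the request is not over TLS.
POLICY_S3_STAR = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# Constructed: TLS is only enforced for reads, so writes remain uncovered.
POLICY_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": false}}
  }]
}""")

# Constructed: an ordinary Allow for one account, with no TLS enforcement at all.
POLICY_NO_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _secure_transport_is_false(statement):
    """True when the statement carries Condition.Bool.aws:SecureTransport == false.
    The value may appear as the string "false" or the JSON boolean false."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    value = bool_cond.get("aws:SecureTransport")
    if isinstance(value, list):
        value = value[0] if value else None
    return str(value).lower() == "false"


def denies_insecure_transport(policy, action):
    """True when some Deny statement, conditioned on a non-TLS request,
    names `action` explicitly or via the s3:* / * wildcard."""
    wanted = action.lower()
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Deny":
            continue
        if not _secure_transport_is_false(statement):
            continue
        actions = {str(a).lower() for a in _as_list(statement.get("Action", []))}
        if wanted in actions or "s3:*" in actions or "*" in actions:
            return True
    return False


def evaluate(policy):
    """Return the read/write in-transit findings for one bucket policy."""
    return {
        "read_in_transit_encrypted": denies_insecure_transport(policy, "s3:GetObject"),
        "write_in_transit_encrypted": denies_insecure_transport(policy, "s3:PutObject"),
    }


if __name__ == "__main__":
    for name, policy in [("s3:* deny", POLICY_S3_STAR),
                         ("read-only deny", POLICY_READ_ONLY),
                         ("no deny", POLICY_NO_DENY)]:
        print(name, evaluate(policy))
```

A policy that only denies insecure s3:GetObject satisfies the read rule but not the write rule, which is why the two rules exist separately; the s3:* form covers both with one statement.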