Compliance Content Updates

In this topic:

    September 03 - Compliance Updates

    New Rules

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.GCP.NET.06 | Unused firewall rules | Medium | GCP PCI-DSS 3.2; GCP Dome9 Best Practices; GCP Dome9 Network Alerts
    D9.GCP.NET.07 | Global Firewall rule that allows all traffic | High | GCP PCI-DSS 3.2; GCP NIST 800-53 Rev 4; GCP Dome9 Best Practices; GCP Dome9 Network Alerts
    D9.GCP.CRY.01 | Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) | High | GCP PCI-DSS 3.2; GCP Dome9 Best Practices
    D9.AWS.IAM.17.HIPAA | Ensure MFA is enabled for the 'root' account | High | AWS HIPAA
    D9.GCP.NET.08 | Disable IP forwarding while creating instances | High | GCP Dome9 Best Practices; GCP Dome9 Network Alerts
    D9.AWS.CRY.19 | ECS Cluster At-Rest Encryption | High | AWS PCI-DSS 3.2
    D9.AWS.NET.31 | ECS Cluster should not have services without running tasks | Medium | AWS Dome9 Network Alerts
    D9.AWS.NET.33 | ECS Cluster should not have running container instances with unconnected agents | High | AWS Dome9 Network Alerts
    D9.AWS.NET.34 | Ensure that at least one instance is registered with an ECS Cluster | Medium | AWS Dome9 Network Alerts

    Deleted Rules

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.AZU.CRY.01 | Ensure that 'SQL Encryption' is set to 'On' | High | Azure CIS Foundations v. 1.0.0; Azure NIST 800-53 Rev 4; Azure GDPR Readiness; Azure PCI-DSS 3.2; Azure Dome9 Best Practices
    D9.AZU.MON.01 | Ensure that 'SQL auditing & Threat detection' is set to 'On' | Medium | Azure CIS Foundations v. 1.0.0; Azure NIST 800-53 Rev 4; Azure GDPR Readiness; Azure PCI-DSS 3.2; Azure Dome9 Best Practices
    D9.AWS.IAM.17 | Ensure VIRTUAL MFA is enabled for the "root" account | High | AWS HIPAA
    D9.AWS.NET.22 | Process for Security Group Management - Detection of new Security Groups | Medium | AWS NIST 800-53 Rev 4; AWS PCI-DSS 3.2; AWS Dome9 Network Alerts

    Changes to existing Rules

    September 03, 2018 Rules Changes - Click Here

    August 06 - Compliance Updates

    New Bundles

    Bundle | Description
    AWS ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for AWS
    Azure ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for Azure
    GCP ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for GCP

    New Rules

    Rule ID | Rule Name | Affected Bundles
    D9.AWS.LOG.13 | ELB is created with Access logs enabled | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices; AWS ISO 27001:2013
    D9.AWS.NET.30 | ECS Cluster should have active services | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.31 | ECS Cluster should not have services without running tasks | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices
    D9.AWS.NET.32 | ECS Cluster instances must be placed in a VPC | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.33 | ECS Cluster should not have running container instances with unconnected agents | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices
    D9.AWS.CRY.19 | ElastiCache At-Rest Encryption | AWS NIST 800-53; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices
    D9.AWS.NET.34 | Ensure that at least one instance is registered with an ECS Cluster | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices

    Changes to existing Rules

    Rule ID/Bundle ID | Rule Name | Change Description
    D9.AWS.IAM.16 | Ensure no root account access key exists | A1.2.a and 10.2 controls mapping added to PCI bundle
    D9.AWS.IAM.17 | Ensure VIRTUAL MFA is enabled for the "root" account | 10.2.2 control mapping added to PCI bundle
    D9.AWS.IAM.18 | Ensure HARDWARE MFA is enabled for the 'root' account | 10.2.2 control mapping added to PCI bundle
    D9.AWS.LOG.02 | Ensure CloudTrail log file validation is enabled | 10.2.3 control mapping added to PCI bundle
    D9.AWS.LOG.01 | Ensure CloudTrail is enabled in all regions | 10.2.1, 10.2.4, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 controls mapping added to PCI bundle
    D9.AWS.MON.05 | Ensure a log metric filter and alarm exist for CloudTrail configuration | 10.2.6 controls mapping added to PCI bundle
    D9.AWS.IAM.27, D9.AWS.IAM.40, D9.AWS.IAM.36, D9.AWS.IAM.37, D9.AWS.IAM.38, D9.AWS.IAM.39, D9.AWS.IAM.41, D9.AWS.IAM.29, D9.AWS.IAM.44, D9.AWS.IAM.28, D9.AWS.IAM.31, D9.AWS.IAM.30, D9.AWS.IAM.35, D9.AWS.IAM.34, D9.AWS.IAM.33, D9.AWS.IAM.32 | Ensure IAM policies that allow full "*:*" administrative privileges are not created; S3 bucket should not allow all actions from all principals; S3 bucket should not allow delete actions from all principals; S3 bucket should not allow get actions from all principals; S3 bucket should not allow list actions from all principals; S3 bucket should not allow put actions from all principals; S3 bucket should not allow put or restore actions from all principals; S3 bucket should not be world-listable; IAM Users - with Inline IAM Policies applied; S3 bucket should not be world-listable from anonymous users; S3 bucket should not be world-writable; S3 bucket should not be world-writable from anonymous users; S3 bucket should not have world-readable permissions; S3 bucket should not have world-readable permissions from anonymous users; S3 bucket should not have world-writable permissions; S3 bucket should not have writable permissions from anonymous users | §164.308(a)(4)(i) controls mapping added to HIPAA bundle
    D9.AZU.IAM.01, D9.AZU.NET.05, D9.AZU.NET.06, D9.AZU.NET.07, D9.AZU.NET.15, D9.AZU.NET.16 | SQL Server Active Directory Administrators; Change Control for Network Security Group Configuration; Unused Network Security Groups; Virtual Machine and Subnet without attached Network Security Group, VM is accessible from the internet; Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380; Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380 | Security Group updated to Network Security Group
    D9.AWS.NET.29 | Public AMI | D9.AZU.NET.29 ID changed to D9.AWS.NET.29
    D9.AWS.CRY.01 to D9.AWS.CRY.17 | Use encrypted storage for instances that might host a database; ELB is setup with SSL for secure communication; S3 Buckets Server Side Encryption At Rest; S3 Buckets Secure Transport (SSL); Encrypted RDS storage; Remove Weak Ciphers for ELB; ELB - Recommended SSL/TLS protocol version; SSL/TLS certificates expire in one week; SSL/TLS certificates expire in one month; ELB secured listener certificate expires in one week; ELB secured listener certificate expires in one month; ALB secured listener certificate expires in one week; ALB secured listener certificate about to expire in one month; Use encryption for S3 Bucket write actions; Use KMS CMK customer-managed keys for Redshift clusters; Use secure ciphers in CloudFront distribution; Use encrypted connection between CloudFront and origin server | Wording Changes: Updated Rule Names, Description and Remediation Fields
    D9.AWS.IAM.43 | S3 bucket should have versioning MFA delete enabled, updated GSL to: S3Bucket should have versioning.mfaDelete=true | GSL Bug Fix
    D9.AWS.CRY.16 | GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%' | GSL Bug Fix
    D9.AWS.MON.02 | GSL updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0] | GSL Bug Fix

    July 01 - Compliance Updates

    New Rules

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.AWS.CRY.18 | DynamoDB - Server Side Encryption | High | AWS NIST 800-53; AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS HIPAA; AWS Dome9 Best Practices
    D9.AWS.OPE.01 | Lambda Functions must have an associated tag | Medium | AWS Dome9 Best Practices
    D9.AZU.AS.01 | Instances outside of Europe | High | Azure GDPR Readiness
    D9.AZU.NET.29 | Public AMI | Medium | AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2
    D9.AWS.AS.02 | S3 Buckets outside of Europe | High | AWS GDPR Readiness
    D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP | ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.ELB.9090.TCP | ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.Instance.9090.TCP | Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP | NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2; AWS GDPR Readiness; AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP | ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.ELB.9090.TCP | ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.Instance.9090.TCP | Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices; AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP | NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices; AWS Dome9 Network Alerts

    Changes to existing Rules

    Rule ID/Bundle ID | Change Description | Updated Field | Bundles Affected
    D9_AWS_NIST800534; D9_AZU_NIST800534; D9_GCP_NIST800534 | Bundle Titles and Descriptions update: AWS/GCP/Azure NIST 800-53 Rev 4 updated to AWS/GCP/Azure NIST 800-53 Rev 4 (FedRAMP) | AWS NIST 800-53 Rev 4 (FedRAMP); Azure NIST 800-53 Rev 4 (FedRAMP); GCP NIST 800-53 Rev 4 (FedRAMP) | AWS NIST 800-53 Rev 4; Azure NIST 800-53 Rev 4; GCP NIST 800-53 Rev 4
    D9.AWS.LOG.12 | Change to Description | Update title to "S3 bucket should have server access logging enabled" | AWS Dome9 Best Practices
    D9.GCP.NET.02 | Changed Compliance tag to - 'Operational' | | GCP Dome9 Best Practices; GCP Dome9 Network Alerts; GCP PCI-DSS 3.2; GCP NIST 800-53
    D9.AWS.NET.AG#entity.port.protocol | Multiple Network Security Rules - URLs updated to Zendesk | | AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53
    D9.AWS.CRY.04 | Update to GSL | Rule Name: S3 Bucket should have encryption in transit for read actions. New GSL: S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']] | AWS Dome9 S3 Bucket Security; AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53; AWS GDPR Readiness
    D9.AWS.CRY.14 | Update to GSL | Rule Name: S3 Bucket should have encryption in transit for write actions. New GSL: S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] and policy.Statement contain [Action contain ['s3:PutObject'] or Action contain ['s3:*']] | AWS Dome9 S3 Bucket Security; AWS Dome9 Best Practices; AWS Dome9 Network Alerts; AWS PCI-DSS 3.2; AWS NIST 800-53; AWS GDPR Readiness
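The GSL expressions for D9.AWS.CRY.04 and D9.AWS.CRY.14 both test a bucket policy for a statement with Effect='Deny' and Condition.Bool.aws:SecureTransport='false' whose Action lists the operation in question (s3:GetObject for reads, s3:PutObject for writes) or s3:*. The Python below is an added example, not Dome9's code and not the GSL engine, that applies the same test to raw bucket-policy JSON for both actions at once; the four policies it runs against are constructed samples for an imaginary bucket named example-bucket. Beyond the one-line GSL it also handles the points a policy reviewer trips over: Statement, Action and Resource may be a single value or a list, the condition value may be the string "false" or a JSON boolean, and the Deny only protects object reads and writes if its Resource matches object ARNs (a Deny scoped to the bucket ARN alone does not). Treating a bare `*` Action as covering S3 and comparing action names case-insensitively are my generalizations, not something the GSL states.

```python
import json
from fnmatch import fnmatch

# Constructed sample bucket policies for the demonstration; they are not taken
# from the page and do not describe any real bucket.
POLICY_ENFORCES_TLS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Deny covers reads only; Statement is a bare dict and the condition value is
# a JSON boolean rather than the string "false".
POLICY_READ_ONLY_TLS = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": False}},
    },
})

# Deny is present but scoped to the bucket ARN only, so plain-HTTP object
# reads and writes are still permitted.
POLICY_WRONG_RESOURCE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# No Deny at all: an Allow that merely mentions aws:SecureTransport does not
# block insecure requests that are allowed elsewhere.
POLICY_ALLOW_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})


def _as_list(value):
    """IAM policy JSON allows a single string or object wherever a list is legal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(statement):
    """Effect='Deny' and Condition.Bool.aws:SecureTransport is 'false' (string or bool)."""
    if statement.get("Effect") != "Deny":
        return False
    value = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return value is not None and str(value).lower() == "false"


def _covers_action(statement, action):
    """Action contains the named action, s3:*, or (my generalization) the bare * wildcard."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return action.lower() in actions or "s3:*" in actions or "*" in actions


def _covers_objects(statement, bucket):
    """GetObject/PutObject act on objects, so Resource must match an object ARN."""
    object_arn = f"arn:aws:s3:::{bucket}/any-key"
    return any(fnmatch(object_arn, pattern) for pattern in _as_list(statement.get("Resource")))


def check_transit_encryption(policy_json, bucket):
    """Return {'read': bool, 'write': bool}: whether a Deny-on-insecure-transport
    statement covers s3:GetObject / s3:PutObject on the bucket's objects."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return {
        label: any(_denies_insecure_transport(s) and _covers_action(s, action)
                   and _covers_objects(s, bucket) for s in statements)
        for label, action in (("read", "s3:GetObject"), ("write", "s3:PutObject"))
    }


if __name__ == "__main__":
    for name, policy in (("enforces-tls", POLICY_ENFORCES_TLS),
                         ("read-only-tls", POLICY_READ_ONLY_TLS),
                         ("wrong-resource", POLICY_WRONG_RESOURCE),
                         ("allow-only", POLICY_ALLOW_ONLY)):
        print(name, check_transit_encryption(policy, "example-bucket"))
```

Run as a script it prints one result line per sample policy; pointed at the output of `aws s3api get-bucket-policy`, the same function tells you which of the two controls a real bucket would satisfy. The resource check uses fnmatch as an approximation of IAM's `*` and `?` wildcard matching, which is sufficient for ARN patterns but does not model every IAM evaluation rule (for example NotAction or additional condition keys that narrow the Deny).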