Compliance Content Updates

In this topic:

    May 23 - Compliance Updates

    New Rules

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.AWS.CRY.26 | Ensure expired certificates are removed from the AWS Certificate Manager (ACM) | Medium | AWS Dome9 Best Practices
    D9.AWS.CRY.27 | Ensure ACM only has certificates with single domain names, and none with wildcard domain names | Low | AWS Dome9 Best Practices
    D9.AWS.CRY.28 | Ensure the AWS Certificate Manager (ACM) has no unused certificates | Medium | AWS Dome9 Best Practices
    D9.AWS.CRY.29 | Ensure invalid or failed certificates are removed from ACM | Low | AWS Dome9 Best Practices
    D9.AWS.NET.40 | Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP | Medium | AWS Dome9 Best Practices
    D9.AZU.DR.03 | Ensure that Azure Virtual Machine is assigned to an availability set | Medium | Azure Dome9 Best Practices
    D9.AZU.NET.18 | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | Medium | Azure Dome9 Best Practices
    D9.AZU.NET.19 | Ensure that Azure Virtual Network subnet is configured with a Network Security Group | Medium | Azure Dome9 Best Practices
    D9.AZU.NET.20 | Ensure that Azure Resource Group has resource lock enabled | Low | Azure Dome9 Best Practices
    D9.AZU.NET.21 | Ensure that Azure Virtual network peering is connected | Low | Azure Dome9 Best Practices
    D9.GCP.AS.01 | Ensure GCP VM Instances have Labels | Low | GCP Dome9 Best Practices
    D9.GCP.AS.02 | Ensure GCP VM Instances have Custom metadata information | Low | GCP Dome9 Best Practices
    D9.GCP.GKE.15 | Ensure GKE Cluster HTTP load balancing is enabled | Medium | GCP Dome9 Best Practices
    D9.GCP.GKE.16 | Ensure the GKE Cluster alpha cluster feature is disabled | Medium | GCP Dome9 Best Practices
    D9.GCP.GKE.17 | Ensure GKE Clusters use specific purpose-designed networks instead of the default network | Medium | GCP Dome9 Best Practices
    D9.GCP.NET.15 | Ensure VPC Flow logs is enabled for every subnet in VPC Network | Medium | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.AWS.NET.AG10.ApplicationLoadBalancer.110.TCP | ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.ApplicationLoadBalancer.25.TCP | ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.ELB.110.TCP | ELB with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.ELB.25.TCP | ELB with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.Instance.110.TCP | Instance with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.Instance.25.TCP | Instance with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.NetworkLoadBalancer.110.TCP | NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG10.NetworkLoadBalancer.25.TCP | NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG6.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG7.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG8.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.ApplicationLoadBalancer.110.TCP | ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.ApplicationLoadBalancer.25.TCP | ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.ELB.110.TCP | ELB with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.ELB.25.TCP | ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.Instance.110.TCP | Instance with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.Instance.25.TCP | Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.NetworkLoadBalancer.110.TCP | NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AWS.NET.AG9.NetworkLoadBalancer.25.TCP | NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts; AWS Dome9 Best Practices
    D9.AZU.NET.AG10.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a small network scope | Low | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG10.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG6.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to the entire internet | High | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG6.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to the entire internet | High | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG7.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a wide public network | High | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG7.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a wide public network | High | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG8.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a small public network | Medium | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG8.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG9.VirtualMachine.110.TCP | VirtualMachine with service POP3 (TCP:110) is exposed to a wide network scope | Medium | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.AZU.NET.AG9.VirtualMachine.25.TCP | VirtualMachine with service SMTP (TCP:25) is exposed to a wide network scope | Medium | Azure Dome9 Network Alerts; Azure Dome9 Best Practices
    D9.GCP.NET.AG10.VMInstance.110.TCP | VMInstance with service POP3 (TCP:110) is exposed to a small network scope | Low | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG10.VMInstance.25.TCP | VMInstance with service SMTP (TCP:25) is exposed to a small network scope | Low | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG6.VMInstance.110.TCP | Public VMInstance with service POP3 (TCP:110) is exposed to the entire internet | High | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG6.VMInstance.25.TCP | Public VMInstance with service SMTP (TCP:25) is exposed to the entire internet | High | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG7.VMInstance.110.TCP | Public VMInstance with service POP3 (TCP:110) is exposed to a wide public network | High | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG7.VMInstance.25.TCP | Public VMInstance with service SMTP (TCP:25) is exposed to a wide public network | High | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG8.VMInstance.110.TCP | Public VMInstance with service POP3 (TCP:110) is exposed to a small public network | Medium | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG8.VMInstance.25.TCP | Public VMInstance with service SMTP (TCP:25) is exposed to a small public network | Medium | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG9.VMInstance.110.TCP | VMInstance with service POP3 (TCP:110) is exposed to a wide network scope | Medium | GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG9.VMInstance.25.TCP | VMInstance with service SMTP (TCP:25) is exposed to a wide network scope | Medium | GCP Dome9 Network Alerts; GCP Dome9 Best Practices

    Rules Changes

    Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles
    D9.AZU.CRY.12 | Ensure that the expiry date is set on all keys | High | logic | Azure HIPAA; Azure Dome9 SOC2 based on AICPA TSC 2017; Azure CSA CCM v.3.0.1; Azure CIS Foundations v. 1.0.0; Azure NIST 800-53 Rev 4; Azure ISO 27001:2013; Azure GDPR Readiness; Azure NIST CSF v1.1; Azure PCI-DSS 3.2; Azure Dome9 Best Practices
    D9.AZU.CRY.13 | Ensure that the expiry date is set on all secrets | High | logic | Azure HIPAA; Azure Dome9 SOC2 based on AICPA TSC 2017; Azure CSA CCM v.3.0.1; Azure CIS Foundations v. 1.0.0; Azure NIST 800-53 Rev 4; Azure ISO 27001:2013; Azure GDPR Readiness; Azure NIST CSF v1.1; Azure PCI-DSS 3.2; Azure Dome9 Best Practices
    D9.AWS.IAM.45 | Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role | Medium | logic | AWS Dome9 Serverless Architectures Security; AWS HIPAA; AWS NIST 800-53 Rev 4; AWS ISO 27001:2013; AWS NIST CSF v1.1; AWS Dome9 SOC2 based on AICPA TSC 2017; AWS Dome9 Best Practices
    D9.GCP.CRY.01 | Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) | High | logic | GCP Dome9 Best Practices - Sample; GCP CIS Foundations v. 1.0.0; GCP PCI-DSS 3.2; GCP NIST 800-53 Rev 4; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Best Practices
    D9.GCP.NET.14 | Ensure Private Google Access is enabled for all subnetworks in VPC Network | High | name | GCP CIS Foundations v. 1.0.0; GCP PCI-DSS 3.2; GCP NIST 800-53 Rev 4; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Best Practices; GCP Dome9 Network Alerts
    D9.GCP.CRY.02 | Ensure "Block Project-wide SSH keys" enabled for non-windows VM instances | High | name, logic | GCP CIS Foundations v. 1.0.0; GCP PCI-DSS 3.2; GCP NIST 800-53 Rev 4; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Best Practices
    D9.GCP.GKE.04 | Ensure Kubernetes web UI / Dashboard is disabled | High | description | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.07 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | High | logic | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    68 rules starting with D9.AWS.NET.AG1.XXX.XXX | Added "potentially" in all the descriptions to adjust the test name | High | name | AWS NIST 800-53 Rev 4; AWS GDPR Readiness; AWS ISO 27001:2013; AWS PCI-DSS 3.2; AWS NIST CSF v1.1; AWS CSA CCM v.3.0.1; AWS Dome9 SOC2 based on AICPA TSC 2017; AWS Dome9 Network Alerts; AWS Dome9 Best Practices

    Rules Removed

    Rule ID | Rule Name | Severity | Description | Affected Bundles
    D9.GCP.IAM.03 | Ensure that multi-factor authentication is enabled for all non-service accounts | High | Set up multi-factor authentication for Google Cloud Platform accounts. Multi-factor authentication requires more than one mechanism to authenticate a user. This secures your logins from attackers exploiting stolen or weak credentials. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.07 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | High | Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices

    May 01 - Compliance Updates

    New Rules

    Rule ID | Rule Name | Severity | Description | Affected Bundles
    D9.GCP.IAM.03 | Ensure that multi-factor authentication is enabled for all non-service accounts | High | Set up multi-factor authentication for Google Cloud Platform accounts. Multi-factor authentication requires more than one mechanism to authenticate a user. This secures your logins from attackers exploiting stolen or weak credentials. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.04 | Ensure that there are only GCP-managed service account keys for each service account | High | User-managed service accounts should not have user-managed keys. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.05 | Ensure that ServiceAccount has no Admin privileges | High | A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.06 | Ensure that IAM users are not assigned Service Account User role at project level | High | It is recommended to assign the Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.07 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | High | Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.08 | Ensure that Separation of duties is enforced while assigning service account related roles to users | High | It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.IAM.09 | Ensure that Separation of duties is enforced while assigning KMS related roles to users | High | It is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.01 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | High | In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace, and is now stable in Kubernetes. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.02 | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters | High | Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.03 | Ensure Kubernetes Clusters are configured with Labels | High | A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.04 | Ensure Kubernetes web UI / Dashboard is disabled | High | Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc.). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.05 | Ensure `Automatic node repair` is enabled for Kubernetes Clusters | High | Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.06 | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes | High | Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-upgrades use the same update mechanism as manual node upgrades. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.07 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | High | Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.08 | Ensure Basic Authentication is disabled on Kubernetes Engine Clusters | High | Basic authentication allows a user to authenticate to the cluster with a username and password, which are stored in plain text without any encryption. Disabling Basic authentication will prevent attacks like brute force. It's recommended to use either client certificate or IAM for authentication. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.09 | Ensure Network policy is enabled on Kubernetes Engine Clusters | High | A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.10 | Ensure Kubernetes Cluster is created with Client Certificate enabled | High | A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.11 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | High | Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.12 | Ensure Kubernetes Cluster is created with Private cluster enabled | High | A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.13 | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets | High | Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices
    D9.GCP.GKE.14 | Ensure default Service account is not used for Project access in Kubernetes Clusters | High | A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. | GCP CIS Foundations v. 1.0.0; GCP Dome9 Best Practices

    Compliance Tags Removed

    Rule ID | Rule Name | Severity | Description | Affected Bundles
    D9.AWS.IAM.12.PCI | Password Policy must require minimal length of 7 | Medium | Verify that password policy is enabled for the account. PCI-DSS Section 8.2, 8.3: verify that PCI-DSS password policy requirements are configured and enforced. | AWS ISO 27001:2013
    D9.AWS.IAM.14.PCI | Password policy must prevent reuse of previously used passwords | Low | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts. | AWS ISO 27001:2013

    March 07 - Compliance Updates

    New Compliance Frameworks (Bundles)

    Bundle ID | Bundle Name
    D9_AZU_HIPAA | Azure HIPAA
    D9_AZU_SOC2 | Azure Dome9 SOC2 based on AICPA TSC 2017
    D9_GCP_SOC2 | GCP Dome9 SOC2 based on AICPA TSC 2017
    D9_AWS_SOC2 | AWS Dome9 SOC2 based on AICPA TSC 2017

    New Rules

    Rule ID | Rule Name | Severity | Description | Affected Bundles
    D9.AWS.CRY.25.PCI | Ensure ElastiCache for Memcached is not in use in AWS PCI DSS environments | High | Amazon ElastiCache for Memcached is not included in the AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. | AWS PCI-DSS 3.2
    D9.AWS.CRY.26.PCI | Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements | High | Amazon ElastiCache for Memcached is not included in the AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. | AWS PCI-DSS 3.2

    January 3 - Compliance Updates

    Rules Removed

    Rule ID | Rule Name | Severity | Description | Affected Bundles
    D9.AWS.CRY.18 | DynamoDB data at rest has server side encryption (SSE) | High | Verify that AWS DynamoDB storage at rest is encrypted using Server-Side Encryption (SSE). | AWS Dome9 Serverless Architectures Security; AWS Dome9 Best Practices - Sample; AWS HIPAA; AWS CSA CCM v.3.0.1; AWS NIST CSF v1.1; AWS ISO 27001:2013; AWS PCI-DSS 3.2; AWS NIST 800-53 Rev 4; AWS GDPR Readiness; AWS Dome9 Best Practices

    Changes to existing Rules

    Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles
    D9.GCP.NET.AG4.VMInstance.22.TCP | VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4; GCP PCI-DSS 3.2; GCP Dome9 Best Practices - Sample; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG4.VMInstance.3389.TCP | VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4; GCP PCI-DSS 3.2; GCP Dome9 Best Practices - Sample; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG4.VMInstance.9090.TCP | VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4; GCP PCI-DSS 3.2; GCP Dome9 Best Practices - Sample; GCP ISO 27001:2013; GCP NIST CSF v1.1; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.22.TCP | VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.3389.TCP | VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.GCP.NET.AG5.VMInstance.9090.TCP | VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample; GCP Dome9 Network Alerts; GCP Dome9 Best Practices
    D9.AWS.CRY.16 | Use secure ciphers in CloudFront distribution | High | logic | AWS HIPAA; AWS CSA CCM v.3.0.1; AWS NIST CSF v1.1; AWS ISO 27001:2013; AWS PCI-DSS 3.2; AWS NIST 800-53 Rev 4; AWS Dome9 Best Practices


    December 3 - Compliance Updates

    New Rules

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.AWS.VLN.03 | Amazon GuardDuty service is enabled | Medium | AWS Dome9 Best Practices

    Rules Removed

    Rule ID | Rule Name | Severity | Affected Bundles
    D9.AZU.CRY.07 | Ensure that 'Storage service encryption' is enabled for the Blob Service | High | Azure NIST 800-53 Rev 4; Azure PCI-DSS 3.2; Azure ISO 27001:2013; Azure GDPR Readiness; Azure NIST CSF v1.1; Azure Dome9 Best Practices
    D9.AZU.CRY.08 | Ensure that 'Storage service encryption' is enabled for the File Service | High | Azure NIST 800-53 Rev 4; Azure PCI-DSS 3.2; Azure ISO 27001:2013; Azure GDPR Readiness; Azure NIST CSF v1.1; Azure Dome9 Best Practices

    November 25 - Compliance Updates

    New Bundles

    Bundle Name Description
    D9_GCP_CIS100 GCP CIS Foundations v. 1.0.0
    D9_AWS_SERVERLESS AWS Dome9 Serverless Architectures Security

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.GCP.NET.11 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance High GCP Dome9 Best Practices - Sample
    GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.IAM.02 Ensure that corporate login credentials are used instead of Gmail accounts High GCP Dome9 Best Practices - Sample
    GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP CSA CCM v.3.0.1
    GCP Dome9 Best Practices
    D9.GCP.CRY.02 Ensure "Block Project-wide SSH keys" enabled for VM instances High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.CRY.03 Ensure oslogin is enabled for a Project High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.CRY.04 Ensure oslogin is enabled for a Virtual Machine High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    D9.GCP.IAM.01 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP CSA CCM v.3.0.1
    GCP Dome9 Best Practices
    D9.GCP.NET.12 Ensure that SSH access is restricted from the internet High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.13 Ensure that RDP access is restricted from the internet High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.GCP.NET.14 Ensure Private Google Access is enabled for all subnetwork in VPC Network High GCP PCI-DSS 3.2
    GCP NIST CSF v1.1
    GCP ISO 27001:2013
    GCP NIST 800-53 Rev 4
    GCP Dome9 Network Alerts
    GCP Dome9 Best Practices
    D9.AWS.IAM.43 S3 bucket should have versioning MFA delete enabled High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS NIST CSF v1.1
    D9.AWS.CRY.24 AWS Kinesis Server data at rest has server side encryption (SSE) High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.21 AWS Kinesis streams are encrypted with KMS customer master keys High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.20 AWS Kinesis Streams Keys are rotated Medium AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.IAM.46 Lambda Functions with Admin Privileges are not created High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.22 Ensure that your Amazon EFS file systems are encrypted High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.CRY.23 Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys High AWS CSA CCM v.3.0.1
    AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.IAM.45 Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role Medium AWS HIPAA
    AWS NIST 800-53 Rev 4
    AWS NIST CSF v1.1
    AWS Dome9 Best Practices
    D9.AWS.AS.03 Lambda Functions must have an associated tag Medium AWS Dome9 Best Practices - Sample
    AWS ISO 27001:2013
    AWS Dome9 Best Practices
    D9.AWS.AS.04 Amazon EFS must have an associated tag Low AWS ISO 27001:2013
    AWS Dome9 Best Practices

    Changes to existing Rules

    November 25, 2018 Rules Changes - click here

    September 27 - Compliance Updates

    New Bundles

    Bundle Name Description
    AWS NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for AWS
    GCP NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for GCP
    Azure NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for Azure

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.CRY.02 Ensure that logging for Azure KeyVault is 'Enabled' High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.12 Ensure that the expiry date is set on all Keys High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.13 Ensure that the expiry date is set on all Secrets High Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AZU.CRY.01 Ensure that KeyVault is in Use Low Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AWS.LOG.14 Ensure VPC Flow Logging is Enabled in all Applicable Regions High AWS HIPAA
    AWS GDPR Readiness
    AWS PCI-DSS 3.2
    AWS NIST 800-53 Rev 4
    AWS Dome9 Best Practices
    D9.GCP.LOG.01 Bucket should have logging enabled High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.GCP.NET.09 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.GCP.NET.10 Ensure that there are no publicly accessible objects in storage buckets High GCP NIST 800-53 Rev 4
    GCP PCI-DSS 3.2
    GCP Dome9 Best Practices

    Deleted Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.MON.04 Ensure that 'Threat Detection types' is set to 'All' Medium Azure CIS Foundations v. 1.0.0
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure NIST 800-53 Rev 4
    Azure Dome9 Best Practices
    D9.AWS.NET.21 Ensure VPC Flow Logging is Enabled in all Applicable Regions High AWS GDPR Readiness
    AWS Dome9 Network Alerts
    AWS Dome9 Best Practices
    D9.GCP.NET.02 Asset is not labeled Medium GCP Dome9 Network Alerts

    Changes to existing Rules

    September 27, 2018 Rules Changes - click here

    September 03 - Compliance Updates

    New Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.GCP.NET.06 Unused firewall rules Medium GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.GCP.NET.07 Global Firewall rule that allows all traffic High GCP PCI-DSS 3.2
    GCP NIST 800-53 Rev 4
    GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.GCP.CRY.01 Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) High GCP PCI-DSS 3.2
    GCP Dome9 Best Practices
    D9.AWS.IAM.17.HIPAA Ensure MFA is enabled for the 'root' account High AWS HIPAA
    D9.GCP.NET.08 Disable IP forwarding while creating instances High GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    D9.AWS.CRY.19 ECS Cluster At-Rest Encryption High AWS PCI-DSS 3.2
    D9.AWS.NET.31 ECS Cluster should not have services without running tasks Medium AWS Dome9 Network Alerts
    D9.AWS.NET.33 ECS Cluster should not have running container instances with unconnected agents High AWS Dome9 Network Alerts
    D9.AWS.NET.34 Ensure that at least one instance is registered with an ECS Cluster Medium AWS Dome9 Network Alerts

    Deleted Rules

    Rule ID Rule Name Severity Affected Bundles
    D9.AZU.CRY.01 Ensure that 'SQL Encryption' is set to 'On' High
    Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure Dome9 Best Practices
    D9.AZU.MON.01 Ensure that 'SQL auditing & Threat detection' is set to 'On' Medium
    Azure CIS Foundations v. 1.0.0
    Azure NIST 800-53 Rev 4
    Azure GDPR Readiness
    Azure PCI-DSS 3.2
    Azure Dome9 Best Practices
    D9.AWS.IAM.17 Ensure VIRTUAL MFA is enabled for the "root" account High AWS HIPAA
    D9.AWS.NET.22 Process for Security Group Management - Detection of new Security Groups Medium AWS NIST 800-53 Rev 4
    AWS PCI-DSS 3.2
    AWS Dome9 Network Alerts

    Changes to existing Rules

    September 03, 2018 Rules Changes - Click Here

    August 06 - Compliance Updates

    New Bundles

    AWS ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for AWS
    Azure ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for Azure
    GCP ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for GCP

    New Rules

    Rule ID Rule Name Affected Bundles
    D9.AWS.LOG.13 ELB is created with Access logs enabled AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS ISO 27001:2013
    D9.AWS.NET.30 ECS Cluster should have active services AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS Dome9 Network Alerts
    D9.AWS.NET.31 ECS Cluster should not have services without running tasks AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.NET.32 ECS Cluster instances must be placed in a VPC AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    AWS Dome9 Network Alerts
    D9.AWS.NET.33 ECS Cluster should not have running container instances with unconnected agents AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.CRY.19 ElastiCache At-Rest Encryption AWS NIST 800-53
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 
    D9.AWS.NET.34 Ensure that at least one instance is registered with an ECS Cluster AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices 

    Changes to existing Rules

    Rule ID/Bundle ID Rule Name Change Description
    D9.AWS.IAM.16 Ensure no root account access key exists A1.2.a and 10.2 controls mapping added to PCI bundle
    D9.AWS.IAM.17 Ensure VIRTUAL MFA is enabled for the "root" account 10.2.2 control mapping added to PCI bundle
    D9.AWS.IAM.18 Ensure HARDWARE MFA is enabled for the 'root' account 10.2.2 control mapping added to PCI bundle
    D9.AWS.LOG.02 Ensure CloudTrail log file validation is enabled 10.2.3 control mapping added to PCI bundle
    D9.AWS.LOG.01 Ensure CloudTrail is enabled in all regions 10.2.1, 10.2.4, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 controls mapping added to PCI bundle
    D9.AWS.MON.05 Ensure a log metric filter and alarm exist for CloudTrail configuration 10.2.6 controls mapping added to PCI bundle
    D9.AWS.IAM.27
    D9.AWS.IAM.40
    D9.AWS.IAM.36
    D9.AWS.IAM.37
    D9.AWS.IAM.38
    D9.AWS.IAM.39
    D9.AWS.IAM.41
    D9.AWS.IAM.29
    D9.AWS.IAM.44
    D9.AWS.IAM.28
    D9.AWS.IAM.31
    D9.AWS.IAM.30
    D9.AWS.IAM.35
    D9.AWS.IAM.34
    D9.AWS.IAM.33
    D9.AWS.IAM.32
    Ensure IAM policies that allow full "*:*" administrative privileges are not created
    S3 bucket should not allow all actions from all principals
    S3 bucket should not allow delete actions from all principals
    S3 bucket should not allow get actions from all principals
    S3 bucket should not allow list actions from all principals
    S3 bucket should not allow put actions from all principals
    S3 bucket should not allow put or restore actions from all principals
    S3 bucket should not be world-listable
    IAM Users - with Inline IAM Policies applied
    S3 bucket should not be world-listable from anonymous users
    S3 bucket should not be world-writable
    S3 bucket should not be world-writable from anonymous users
    S3 bucket should not have world-readable permissions
    S3 bucket should not have world-readable permissions from anonymous users
    S3 bucket should not have world-writable permissions
    S3 bucket should not have writable permissions from anonymous users
    §164.308(a)(4)(i) controls mapping added to HIPAA bundle
    D9.AZU.IAM.01
    D9.AZU.NET.05
    D9.AZU.NET.06
    D9.AZU.NET.07
    D9.AZU.NET.15
    D9.AZU.NET.16
    SQL Server Active Directory Administrators
    Change Control for Network Security Group Configuration
    Unused Network Security Groups
    Virtual Machine and Subnet without attached Network Security Group, VM is accessible from the internet
    Redis attached subnet Network Security Group should allow ingress traffic only to ports 6379 or 6380
    Redis attached subnet Network Security Group should allow egress traffic only to ports 6379 or 6380
    Security Group updated to Network Security Group
    D9.AWS.NET.29 Public AMI D9.AZU.NET.29 ID changed to D9.AWS.NET.29
    D9.AWS.CRY.01
    D9.AWS.CRY.02
    D9.AWS.CRY.03
    D9.AWS.CRY.04
    D9.AWS.CRY.05
    D9.AWS.CRY.06
    D9.AWS.CRY.07
    D9.AWS.CRY.08
    D9.AWS.CRY.09
    D9.AWS.CRY.10
    D9.AWS.CRY.11
    D9.AWS.CRY.12
    D9.AWS.CRY.13
    D9.AWS.CRY.14
    D9.AWS.CRY.15
    D9.AWS.CRY.16
    D9.AWS.CRY.17
    Use encrypted storage for instances that might host a database.
    ELB is setup with SSL for secure communication
    S3 Buckets Server Side Encryption At Rest
    S3 Buckets Secure Transport (SSL)
    Encrypted RDS storage
    Remove Weak Ciphers for ELB
    ELB - Recommended SSL/TLS protocol version
    SSL/TLS certificates expire in one week
    SSL/TLS certificates expire in one month
    ELB secured listener certificate expires in one week
    ELB secured listener certificate expires in one month
    ALB secured listener certificate expires in one week
    ALB secured listener certificate about to expire in one month
    Use encryption for S3 Bucket write actions
    Use KMS CMK customer-managed keys for Redshift clusters
    Use secure ciphers in CloudFront distribution
    Use encrypted connection between CloudFront and origin server

    Wording Changes

    Updated Rule Names, Description and Remediation Fields

    D9.AWS.IAM.43 S3 bucket should have versioning MFA delete enabled, updated GSL to: S3Bucket should have versioning.mfaDelete=true GSL bug fix
    D9.AWS.CRY.16 GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%' GSL bug fix
    D9.AWS.MON.02 GSL updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0 GSL bug fix

    July 01 - Compliance Updates

    New Rules

    D9.AWS.CRY.18 DynamoDB - Server Side Encryption High AWS NIST 800-53
    AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS HIPAA
    AWS Dome9 Best Practices  
    D9.AWS.OPE.01 Lambda Functions must have an associated tag Medium AWS Dome9 Best Practices 
    D9.AZU.AS.01 Instances outside of Europe High Azure GDPR Readiness
    D9.AZU.NET.29 Public AMI Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    D9.AWS.AS.02 S3 Buckets outside of Europe High AWS GDPR Readiness

    D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.ELB.9090.TCP ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.Instance.9090.TCP Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet High AWS PCI-DSS 3.2
    AWS GDPR Readiness
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.ELB.9090.TCP ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.Instance.9090.TCP Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope Medium AWS Dome9 Best Practices
    AWS Dome9 Network Alerts

    Changes to existing Rules

    Rule ID/Bundle ID Change Description Updated Field Bundles Affected
    D9_AWS_NIST800534
    D9_AZU_NIST800534
    D9_GCP_NIST800534
    Bundle Titles and Descriptions update:
    AWS/GCP/Azure NIST 800-53 Rev 4 updated to AWS/GCP/Azure NIST 800-53 Rev 4 (FedRAMP)
    AWS NIST 800-53 Rev 4 (FedRAMP)
    Azure NIST 800-53 Rev 4 (FedRAMP)
    GCP NIST 800-53 Rev 4 (FedRAMP)
    AWS NIST 800-53 Rev 4
    Azure NIST 800-53 Rev 4
    GCP NIST 800-53 Rev 4
    D9.AWS.LOG.12 Change to Description Update title to "S3 bucket should have server access logging enabled" AWS Dome9 Best Practices
    D9.GCP.NET.02 Changed Compliance tag to 'Operational' GCP Dome9 Best Practices
    GCP Dome9 Network Alerts
    GCP PCI-DSS 3.2
    GCP NIST 800-53

    D9.AWS.NET.AG#entity.port.protocol Multiple Network Security Rules - URLs updated to Zendesk AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    D9.AWS.CRY.04 Update to GSL

    Rule Name:

    S3 Bucket should have encryption in transit for read actions

    NEW GSL:

    S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
    and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']]

    AWS Dome9 S3 Bucket Security
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    AWS GDPR Readiness
    D9.AWS.CRY.14 Update to GSL

    Rule Name:

    S3 Bucket should have encryption in transit for write actions

    NEW GSL:

    S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false']
    and policy.Statement contain [Action contain ['s3:PutObject'] or Action contain ['s3:*']]

    AWS Dome9 S3 Bucket Security
    AWS Dome9 Best Practices
    AWS Dome9 Network Alerts
    AWS PCI-DSS 3.2
    AWS NIST 800-53
    AWS GDPR Readiness