2018 Releases


Deployment - December 16, 2018

BUG FIXES

DFT-394 - GSL fix - Use secure ciphers in CloudFront distribution Rule ID: D9.AWS.CRY.16

DFT-396 - D9.GCP.NET.AG5.VMInstance.22.TCP- Correct description and Remediation

DFT-408 - Dynamo DB -Remove the rule D9.AWS.CRY.18 due to Default encryption settings

DFT-412 - Remove the rules D9.AZU.CRY.07 and D9.AZU.CRY.08













Deployment - December 10, 2018

Compliance and governance:

  • Compliance Reports:
    • Export to CSV Tags separation.
  • Continuous Compliance:
    • Notification to alert console as default.
  • Compliance Dashboard:
    • Fixed results calculation with exclusions.

BUG FIXES

  • DFT-265 - Fix Run assessments for GovCloud accounts.








Deployment - December 5, 2018

Protected Assets: 

  • Instance entity:
    • Added Inspector and findings table.

Email notifications:

  • Added filter for cloud accounts.








Deployment - November 25, 2018


Compliance and governance:

  • Compliance Policies:
    • New look and feel.
    • Optimized filtering.

Compliance Updates:

New Bundles:

  • GCP CIS Foundations v. 1.0.0
  • AWS Dome9 Serverless Architectures Security

New Rules:

  • D9.GCP.NET.11 - Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
  • D9.GCP.IAM.02 - Ensure that corporate login credentials are used instead of Gmail accounts
  • D9.GCP.CRY.02 - Ensure "Block Project-wide SSH keys" enabled for VM instances
  • D9.GCP.CRY.03 - Ensure oslogin is enabled for a Project
  • D9.GCP.CRY.04 - Ensure oslogin is enabled for a Virtual Machine
  • D9.GCP.IAM.01 - Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
  • D9.GCP.NET.12 - Ensure that SSH access is restricted from the internet
  • D9.GCP.NET.13 - Ensure that RDP access is restricted from the internet
  • D9.GCP.NET.14 - Ensure Private Google Access is enabled for all subnetwork in VPC Network
  • D9.AWS.IAM.43 - S3 bucket should have versioning MFA delete enabled
  • D9.AWS.CRY.24 - AWS Kinesis Server data at rest has server side encryption (SSE)
  • D9.AWS.CRY.21 - AWS Kinesis streams are encrypted with KMS customer master keys
  • D9.AWS.CRY.20 - AWS Kinesis Streams Keys are rotated
  • D9.AWS.IAM.46 - Lambda Functions with Admin Privileges are not created
  • D9.AWS.CRY.22 - Ensure that your Amazon EFS file systems are encrypted
  • D9.AWS.CRY.23 - Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
  • D9.AWS.IAM.45 - Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
  • D9.AWS.AS.03 - Lambda Functions must have an associated tag
  • D9.AWS.AS.04 - Amazon EFS must have an associated tag

November 25, 2018 Rules Changes - click here

BUG FIXES

  • DFT-371 - Fix GSL logic for 'ELB - Recommended SSL/TLS protocol version'
  • DFT-963 - Fix GSL logic for D9.AZU.NET.06 "NetworkSecurityGroup should have networkAssetsStats..."
  • DFT-362 - Fix GSL logic for Compliance policy failing for SQLServer should have AD authentication












Deployment - November 23, 2018

Compliance and governance:

PREVIEW

  • Compliance exclusions:
    • Allows exclusions of specific findings,
      For more information - click here.













Deployment - November 18, 2018

Compliance and governance:

PREVIEW

  • Compliance engine:
    • AWS EcsService entity
    • AWS EcsTask entity
    • Azure DataWarehouse entity
    • GCP IamPolicy entity
    • GCP KmsKeyRing entity


BUG FIXES

Compliance:

  • DFT-366 - Azure KeyVault enableSoftDelete not updated.
  • DFT-369 - "securityGroup" property is not being populated in Azure GSL "Subnet" & Vnet "subnets" Entity.
  • DFT-337 - Azure Subnet does not display VNET info via assessment results.








Deployment - November 14, 2018

Cross system:

  • UI 
    • Icons and symbols improvements

Compliance and governance:

  • Continuous Compliance
    • Added validations to notifications fields.

BUG FIXES

Compliance rule builder:

  • DOME-7483 - Fixed several logical issues.








Deployment - November 13, 2018

Compliance and governance:

  • Compliance dashboard
    • Added external id to the cloud account name.
  • Compliance policies
    • Optimized bundle select mechanism.









Deployment - November 8, 2018

Administration

  • Account settings - Security:
    • Added Session idle timeout management policy.









Deployment - November 5, 2018

Compliance and governance:

  • Continuous Compliance
    • Added new fields to CSV report.
    • Added summary to CSV report.
  • Compliance policies
    • Optimized bundle select mechanism. 

BUG FIXES

System Dashboard:

  • DFT-332,294 - Fixed compliance system data sync.

Compliance report:

  • DOME-8456 - Fixed compliance report percentage calculation.








Deployment - November 1, 2018

Compliance and governance:

PREVIEW

  • Compliance engine:
    • GCP IAM Policy entity
    • GCP ServiceAccount entity
    • GCP Project entity


  • Compliance entities updates:
    • Azure VM - Added IsRunning property. 
    • GCP VM - Added additional properties
      • IsDefaultServiceAccount property.
      • Disk encryption keys properties.








Deployment - October 29, 2018

BUG FIXES

Protected Assets:

  • DFT-272 - Fixed ALB / NLB exception handling.








Deployment - October 23, 2018

Administration:

  • Findings Alerts page:
    • Added Copy Finding key to clipboard. 








Deployment - October 11, 2018

Compliance and governance:

  • Compliance rules and bundles:
    • Added Rules and bundles audit events. 
    • Added link to the new rules knowledge base.
  • Continuous compliance:
    • Added new scheduled report type - CSV findings.

Administration:

  • My settings - Email notifications:
    • Improved UI - category view same as the menu.  
    • Added Compliance section.








Deployment - October 10, 2018

Cloud Accounts

  • Azure Accounts:
    • Added Edit credentials for expired cloud accounts keys.








Deployment - October 8, 2018

Administration

  • Account settings:
    • Added Security user lock down policy.








Deployment - October 4, 2018

PREVIEW to GA

  • Azure Protection mode:
    • NSG Tamper protection support.








Deployment - September 27, 2018

Compliance Updates:

New Bundles:

  • AWS NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for AWS
  • GCP NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for GCP
  • Azure NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for Azure

New Rules:

  • D9.AZU.CRY.10 - Ensure that storage account access keys are periodically regenerated
  • D9.AZU.NET.02 - SQL Server accessibility to the entire Azure Infrastructure
  • D9.AZU.NET.03 - SQL Server accessibility to wide address range
  • D9.AWS.LOG.12 - S3 bucket should have server access logging enabled
  • D9.GCP.NET.06 - Unused firewall rules
  • D9.GCP.CRY.01 - Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK)
  • D9.AWS.IAM.28 - S3 bucket should not be world-listable from anonymous users
  • D9.AWS.IAM.29 - S3 bucket should not be world-listable

Deleted Rules:

  • D9.AZU.CRY.01 - Ensure that 'SQL Encryption' is set to 'On'
  • D9.AZU.MON.01 - Ensure that 'SQL auditing & Threat detection' is set to 'On'
  • D9.AWS.IAM.17 - Ensure VIRTUAL MFA is enabled for the "root" account
  • D9.AWS.NET.22 - Process for Security Group Management - Detection of new Security Groups

September 27, 2018 Rules Changes - click here

BUG FIXES

Compliance engine:

  • DFT-314 - Fixed assessments run failures due to null values.
  • DFT-319 - Fixed ECS Cluster EC2 instances update.

Compliance rules:

  • DFT-288: D9.AZU.MON.07 GSL updated - SQLDB should have auditing.retentionDays>90 or (state.Enabled=true and days=0)
  • DFT-312: D9.AWS.CRY.17 GSL updated - CloudFront where not distributionConfig.origins.items with [ s3OriginConfig] should have distributionConfig.origins.items with [ customOriginConfig.originProtocolPolicy='https-only' ] 
  • DFT-286: D9.AZU.CRY.11 GSL updated - encryption.status='enabled' needs to change to "Enabled". 
 
 












Deployment - September 17, 2018


BUG FIXES

  • Findings page:
    • DFT-279 - Custom date query fix
  • Add GCP Cloud Account page:
    • DFT-143 - Updated onboarding steps and improved look and feel








Deployment - September 16, 2018

BUG FIXES

  • Policy reports page:
    • DFT-308 - AWS instances - Export to CSV fix
  • Compliance result page:
    • DFT-151 - Result Entities link generation fix








Deployment - September 06, 2018

BUG FIXES

  • Cloud account page:
    • DOME-8091 - Missing permissions improved look and feel








Deployment - September 04, 2018

Compliance Updates:

New Rules:

  • D9.GCP.NET.06  - Unused firewall rules
  • D9.GCP.NET.07  - Global Firewall rule that allows all traffic
  • D9.GCP.CRY.01  - Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK)
  • D9.AWS.IAM.17.HIPAA  - Ensure MFA is enabled for the 'root' account
  • D9.GCP.NET.08  - Disable IP forwarding while creating instances
  • D9.AWS.CRY.19 - ECS Cluster At-Rest Encryption
  • D9.AWS.NET.31 - ECS Cluster should not have services without running tasks
  • D9.AWS.NET.33 - ECS Cluster should not have running container instances with unconnected agents
  • D9.AWS.NET.34 - Ensure that at least one instance is registered with an ECS Cluster

Deleted Rules:

  • D9.AZU.CRY.01 - Ensure that 'SQL Encryption' is set to 'On'
  • D9.AZU.MON.01 - Ensure that 'SQL auditing & Threat detection' is set to 'On'
  • D9.AWS.IAM.17 - Ensure VIRTUAL MFA is enabled for the "root" account
  • D9.AWS.NET.22 - Process for Security Group Management - Detection of new Security Groups

Changes To Existing Rules  - Click Here

BUG FIXES

  • DFT-289 Rename rule in GCP bundle
  • DFT-287 Remove Duplicate Azure Rule "Ensure that 'SQL auditing & Threat detection' is set to 'On'"
  • DFT-286 Remove Duplicate Azure Rule SQLDB should not have encryption.status='Disabled'
  • DFT-290 - D9.AZU.MON.04 GSL Update to SQLDB should have threatDetection.state='Enabled'
  • DFT-296 Rule Update - New rule added for HIPAA bundle only: IamUser where name like '%root_account%' should have mfaType='Hardware' or mfaType='Virtual'
  • DFT-299 CIS Foundations 1.1.0 Rule "D9.AWS.MON.07" logic update





Deployment - August 22, 2018

Compliance and governance:

  • Continuous compliance is now GA
  • Continuous compliance - Updated reports format and improved look and feel








Deployment - August 22, 2018
  • Assessment history page:
    • Added sticky headers

BUG FIXES

  • Cloud accounts page:
    • DFT-275 - fixed GCP projects not visible.








Deployment - August 20, 2018

BUG FIXES

  • Audit trail:
    • DFT-270 - fixed export to CSV








Deployment - August 16, 2018
  • Compliance engine:
    • New scoring calculations.
      The new score is based on tests (a test is a rule assessed on one cloud entity) rather than on rules, as is done today. Today, even a single failed test fails the entire rule.

Example:

  • 10 rules running, each on 10 entities. Let's say that 2 entities fail for each of the first 5 rules. Today's score: 50% (5 rules without fails). Since 15th: 10 failures out of 100 tests = 90%.








Deployment - August 15, 2018

PREVIEW

  • Compliance engine:
    • ElasticIP entity
    • Customer gateway entity
       
  • New assessment history page

Example:

  • GSL Examples:  
    Make sure CustomerGateway has VPN connections established
    CustomerGateway should have vpnConnections
     
    EIP should be associated with an instance
    ElasticIP should have associationId
     
    EIP should be allocated in a VPC
    ElasticIP should have domain = 'vpc'








Deployment August 05, 2018

August 06 Compliance Updates:

New Bundles:

  • AWS ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for AWS
  • Azure ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for Azure
  • GCP ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for GCP

New Rules:

  • D9.AWS.LOG.13 - ELB is created with Access logs enabled
  • D9.AWS.NET.30 - ECS Cluster should have active services
  • D9.AWS.NET.31 - ECS Cluster should not have services without running tasks
  • D9.AWS.NET.32 - ECS Cluster instances must be placed in a VPC
  • D9.AWS.NET.33 - ECS Cluster should not have running container instances with unconnected agents
  • D9.AWS.CRY.19 - ElastiCache At-Rest Encryption
  • D9.AWS.NET.34 - Ensure that at least one instance is registered with an ECS Cluster

Rules Changes:

Bug Fixes:

  • DFT-221 - S3 bucket should have versioning MFA delete enabled. GSL updated to: S3Bucket should have versioning.mfaDelete=true
  • DFT-254 - Use secure ciphers in CloudFront distribution. GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%'
  • DOME-7844 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA GSL Updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0]

Additional  Rule Changes including Wording Changes - Updated Rule Names, Description and Remediation Fields, Compliance Sections Updates.


Deployment July 12, 2018

PREVIEW

Compliance engine
Azure KeyVault entity support.

Examples:
Ensure KeyVault is not empty
KeyVault should have keys

Deployment July 02, 2018

Compliance engine:

New Rules:

  • D9.AWS.AS.02 -  S3 Buckets outside of Europe
  • D9.AZU.AS.01 - Instances outside of Europe
  • D9.AWS.CRY.18  - DynamoDB - Server Side Encryption
  • D9.AWS.OPE.01  - Lambda Functions must have an associated tag
  • D9.AZU.NET.29 -  Public AMI
  • D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP  - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
  • D9.AWS.NET.AG4.ELB.9090.TCP  - ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
  • D9.AWS.NET.AG4.Instance.9090.TCP -  Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
  • D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
  • D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
  • D9.AWS.NET.AG5.ELB.9090.TCP - ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
  • D9.AWS.NET.AG5.Instance.9090.TCP - Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
  • D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope

Rules Updated:

  • D9.AWS.CRY.04- S3 Bucket should have encryption in transit for read actions 
  • D9.AWS.CRY.14 - S3 Bucket should have encryption in transit for write actions 

Bundle Titles and Descriptions update:

  • AWS NIST 800-53 Rev 4 (FedRAMP)
  • Azure NIST 800-53 Rev 4 (FedRAMP)
  • GCP NIST 800-53 Rev 4 (FedRAMP)


Deployment June 18, 2018

Compliance Bundles change

We have expanded and updated our compliance bundles!

Updated some existing rules / bundles mappings including the following bug Fixes

  • DFT-197 - Update compliance section references for AWS NIST 800-53 bundle. 
  • DFT-206 - improved ELB with weak ciphers rules.
  • DFT-207 - fixed rules with "contain" usages.

Bug fixes:
Clarity:

DFT-216 - Fixed VPC Peering to cross region handling.
Compliance engine:
DFT-191 - Fixed tool tips and UI flickering.

Deployment June 14, 2018

PREVIEW

Compliance engine
AWS VPN Connection entity support.

Dynamic Access page:
Added UI improvements.
Added terminate all support 

Bug fixes:
Policy reports:

DFT-141 - Fixed export to CSV formatting.
IAM Reports:
DFT-194 - Fixed Credentials report export to CSV date fields support.
Home Page:
DFT-214 - Fixed cloud account findings.

Deployment June 11, 2018

PREVIEW

Compliance engine
Azure Locks entity support.

Cross system:
New Main menu
Improved the product categories

Bug fixes:
Security groups:

DOME-5165- Added SG type name to the title.
IAM Reports:
DOME-7284 - Fixed Credentials report date fields sorting.
Home Page:
DFT-157 - Fixed inaccurate cloud account information sync.

Deployment June 6, 2018

Compliance engine
IAM User
Added new field: "mfaType" which will be of values "None" / "Hardware" / "Virtual".
CloudTrail
Expanded the metric filters structure to better troubleshoot SNS subscriptions.

Bug fixes:
Compliance engine:
DFT-50 - Fixed missing region field for S3Buckets.

Deployment May 31, 2018

PREVIEW

Compliance engine
AWS WAF Regional entity support.

Bug fixes:
Compliance engine:
DOME-7510 - IAM Role combined policies fix.
Clarity:
DOME-6084 - Performance improvements.

Deployment May 30, 2018

AWS Onboarding:
Updated the dome9-read-only policy in order to support WAF for web ACL [/wiki/spaces/DG/pages/265781396].

Bug fixes:
Compliance engine:
DOME-7480 - Dashboard - Improved exporting large files to CSV.
Policy Reports and Security groups page:
DFT-171 - UI text and titles fixes.

Deployment May 28, 2018

Compliance Bundles change

We have expanded and updated our compliance bundles!

As security threats continue to evolve, we want to ensure that you are adhering to up-to-date compliance requirements and security best practices in the public cloud.
As part of this commitment, we are constantly updating our compliance bundles included in our product.

We have made the following enhancements to our compliance module.

1. Added 5 new bundles for additional GCP and Azure coverage:

  • Azure CIS Foundations v. 1.0.0
  • Azure NIST 800-53 Rev 4
  • Azure PCI-DSS 3.2
  • Azure GDPR Readiness
  • GCP NIST 800-53 Rev 4
  • GCP PCI-DSS 3.2

2. Added new rules to include additional security guidelines
3. Updated some existing rules / bundles mappings including the following bug Fixes

  • DFT-154 - Update Route53 hosted zone check
  • DFT-152 - Typo in PCI bundle (default')
  • DFT-138 - Remove Security Group checks from S3 bundle

Additional Client Impact:
New Findings in Continuous Compliance Scheduled Reports
New Findings being sent to SIEM system
Compliance score changes

Bug fixes:
Security Group page:
DFT-94 - Dome9 Description text fix.

Deployment May 23, 2018

Bug fixes:
Compliance engine:
DOME-7474 - Dashboard - Failed to trigger download CSV file.
Clarity
DFT-169 - VPC without assets fix.

Deployment May 16, 2018

Compliance engine:
ElastiCache entity
added tags support.

Bug fixes:
Clarity
DFT-14 - Peered VPC assets fix.

Deployment May 15, 2018

PREVIEW

Compliance engine
AWS VPN Gateway entity support.

Compliance engine
Added List<Entity> rules support.
Added GroupBy [object] rules support.

Examples:
Ensure no more than 5 IAM Admins exist in any particular account.
List<IamUser> should have items with[name like 'admin' or name like 'administrator'] length() < LIMIT
To detect if your account is near the EC2 Security Group Limit in a VPC.
List<SecurityGroup> should have items groupBy [vpc.id] contain-all [values length() < LIMIT]

Bug fixes:
Compliance engine - Assessments history
DFT-2 - User Permissions fix.

Deployment May 14, 2018

PREVIEW

Compliance engine
AWS AMI entity support.

Check if the image is private
AMI should have isPublic='false'

Deployment May 9, 2018

Bug fixes:
DFT-4 - GSL query 'Region should have hasCloudTrail=true' returns invalid results after 'isMultiRegion' is toggled OFF
DFT-135 - Setting default access lease time does not reflect or update 'GET ACCESS' default time.

Deployment May 8, 2018

PREVIEW

Azure Protection mode
Added NSG Tamper protection support.

Cloud accounts:
Added support for Azure tamper protection view.

Audits and Alerts page:
Added Invalid credentials alert for Azure. 

Compliance engine - Bundle bug fixes:
DFT-125 - Fixing typo in description to shouldn't (EC2 Instance there shouln't be any High level findings in Inspector Scans).
DOME-7391 - Update name of the s3 to stay in 1 line to " AWS Dome9 S3 Bucket Security"

Deployment May 7, 2018

Compliance engine - Assessment history:
Added triggered by column.

Deployment May 3, 2018

Compliance engine:
KMS entity
added tags support.

Deployment May 2, 2018

Home page:
Optimized the account statistics on the homepage (Network, IAM and S3 information).

Deployment May 1, 2018

PREVIEW

Compliance engine
AWS DynamoDB entity support.

Examples:

DynamoDB is encrypted:
DynamoDbTable should have encrypted=true
DynamoDB table size:
DynamoDbTable should have tableSizeBytes<100
DynamoDB number of items:
DynamoDbTable should have itemCount<100

Compliance engine:
AWS Instance entity
added Image details support (Image name, Is public, owner Id, etc.).

AWS Onboarding:
Updated the dome9-read-only policy in order to support DynamoDB and ElasticCache tags [/wiki/spaces/DG/pages/265781396].

Deployment Apr 30, 2018

Compliance engine:
Redshift entity
added tags support.

Deployment Apr 26, 2018

Compliance engine:
Kinesis entity
added tags support.
Lambda entity
added tags support.
EFS entity
added tags support.

Bug Fixes:
DFT-127 - Cross system - Export to CSV component fix.
DOME-6868 - Security groups page - Clone security groups - peered security groups fix.

Deployment Apr 24, 2018

Compliance Bundles change

Dome9 now has new and improved compliance bundles!
Compliance Engine bundle management will be based on the unified mapping of the Dome9 compliance checks to various security and compliance frameworks.
Additional Client Impact:
New Findings in Continuous Compliance Scheduled Reports
New Findings being sent to SIEM system
For more information please click /wiki/spaces/DG/pages/219152392

Compliance engine:
RDS entity
added tags support.

Bug Fixes:
DFT-113 - Compliance engine - Edit Bundle JSON - UI freeze.
DFT-114 - Protected Assets - Roles info data validation fix.
DFT-121 - IAM Reports - Fixed role entity managed policies support.

Deployment Apr 12, 2018

PREVIEW

Compliance engine:
Azure Storage entity support.


Examples:
Encryption key is enabled rule:
StorageAccount should have encryption.key.enabled=true
Check that StorageAccount uses only https traffic:
StorageAccount should have httpsOnlyTraffic=true

Deployment Apr 8, 2018

PREVIEW

Compliance engine:
Route53 Domain entity support.


Examples:
Route53Domain should not have expirationTime before(-1, 'minutes')
Route53Domain should not have autoRenew=false
Route53Domain should not have expirationTime before(7, 'days')

Compliance engine:
Added GDPR Readiness bundle.
Added NIST 800-53 Rev 4 bundle.

Account page:
Billable assets definition and link to protected assets.

Bug Fixes:
DOME-7257 - Compliance engine - Navigation exceptions from compliance reports.
DOME-7258 - IAM Reports - Fixed role entity support.

Deployment Mar 27, 2018

PREVIEW

Protected assets page: 
Guard Duty integration, Added Alerts and findings tab to show findings.

AWS Onboarding:
Updated the dome9-read-only policy in order to support Guard duty [/wiki/spaces/DG/pages/265781396].

Deployment Mar 25, 2018

PREVIEW

Compliance engine
Azure Redis entity support.

Deployment Mar 19, 2018

PREVIEW

Compliance engine
AcmCertificate entity support.

Examples:
AcmCertificate should not have notAfter before(-1, 'minutes')
ApplicationLoadBalancer should not have listeners with [ certificates with [ expiration before(-1, 'minutes') ] ]
ELB should not have elbListeners with [ certificate.expiration before(-1, 'minutes') ]

Cloud Accounts:
Added Validate all permissions button, will try to validate permissions on all of the missing permissions cloud accounts.

Bug Fixes:
DOME-7177 - Compliance engine - fixed tags result output.

Deployment Mar 15, 2018

PREVIEW

Compliance engine
Route53 entity support.

Examples:
Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='S3Bucket' and assetMetadata.exists=false] ]
Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.exists=false] ]
Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.active=false] ]

Deployment Mar 11, 2018

PREVIEW

Compliance engine
IAMServerCertificates entity support.
ELB and ApplicationLoadBalancer entities added IAM Certificate support.

Examples:
IamServerCertificate should not have expiration before(0, 'minutes')
ELB should not have elbListeners with [ certificate.iamServerCertificate.expiration before(1, 'months') ]
ApplicationLoadBalancer should not have listeners with [ certificates with [ iamServerCertificate.expiration before(0, 'minutes') ] ]

Deployment Mar 8, 2018

Compliance engine - S3 Bucket Security Posture: 
This bundle has been updated to include the rule - S3 Buckets - without server-side-encryption enabled.

Deployment Mar 7, 2018

PREVIEW

Compliance engine
ELB entity added security policies and ciphers support.
ApplicationLoadBalancer entity added access logs support.
NetworkLoadBalancer entity added access logs support.

Examples:
ELB should not have elbListeners with [ policies with [ attributes contain-any [$ in ( 'ECDHE-RSA-RC4-SHA', 'EXP-RC4-MD5') ] ] ]
ApplicationLoadBalancer should have attributes contain-any [ key='access_logs.s3.enabled' and value='true' ]

Deployment Mar 6, 2018

Compliance engine - Dome9 AWS Dashboards policy: 
S3 Buckets - without server-side-encryption enabled - expanded rule to support all server side encryption types.

Bug Fixes:
DOME-6913 - Fixed tab panels items when refreshing page.
DOME-6985 - S3 Buckets - without server-side-encryption enabled rule - causes false positives for customers

Deployment Mar 5, 2018

PREVIEW

Compliance engine
Kinesis entity support.

AWS Onboarding:
Updated the dome9-read-only policy in order to support Kinesis [/wiki/spaces/DG/pages/265781396].

Deployment Mar 1, 2018

Clarity:
Added EFS asset count and attached security groups icon

Bug fixes:
Clarity
DOME-6378 - Fixed internal network RFC6890 support.
DOME-6048 - Fixed RDS and Redshift state coloring.
DOME-7018 - Fixed un-managed VPC display for wrong security groups.

Deployment Feb 28, 2018

Compliance dashboard:
Export all findings to CSV button - creates a CSV report of failed entities for all cloud accounts and bundles.

Bug fixes:
DOME-7023 - Fixed menu page selection marker.

Deployment Feb 27, 2018

PREVIEW

Compliance engine
CloudFront entity support.

Compliance engine:
GCP VMInstance entity - added labels attributes

Cloud Accounts:
Divided Update permissions to Validate permissions and Run permissions wizard buttons,
Validate permissions will validate the missing permissions, run permissions wizard is a step by step guide to update the permissions. 

Deployment Feb 25, 2018

PREVIEW

Compliance engine:
Volume entity - added EBS Volume attributes, which allow verifying the attributes of unattached EBS volumes.
For example: Volume should have encrypted=true

Compliance engine:
RDS entity - added Encryption key attributes, which allow verifying whether the RDS is encrypted and its encryption attributes.
For example: RDS should have encryptionKey.enabled=true

Deployment Feb 23, 2018

PREVIEW

Compliance engine:
ELB entity - added "accessLog" attributes, which allow verifying the ELB access log attributes: whether access logs are enabled, the logging interval, and the S3 bucket used to store those logs.
For example: ELB should have accessLog.enabled=true

Deployment Feb 19, 2018

Compliance engine:
Export to CSV report - Added Cloud account ID and Name.

Account page:
Improvements for AWS marketplace plans.

Bug Fixes:
DOME-6939 - Cloud accounts page - Edit credentials fix for empty cloud accounts.
DOME-6927 - Fixed several broken links to the cloud account page.
DOME-6990 - Fixed AWS LogGroups fetching partial data issue.

Deployment Feb 15, 2018

Compliance engine:
Added CIS AWS Foundations v. 1.1.0 bundle [/wiki/spaces/DG/pages/217972857].

Bug Fixes:
DOME-6473 - ICMP ports on GCP causing incorrect compliance results fix.
DOME-6798 - Fixed Typo in SQLDB property in compliance engine.

Deployment Feb 14, 2018

Compliance engine:
IamUser entity - added "virtualMfaEnabled" attribute, which allows verifying whether the IAM user has a virtual MFA device enabled.
For example: IamUser should have virtualMfaEnabled=true

Deployment Feb 6, 2018

Cloud Accounts:
Changed "Delete" account button to "Remove".
For additional information visit our documentation [/wiki/spaces/DG/pages/177242193]. 

Compliance engine:
Added system audits for assessments runs
EFS entity - added "encryptionKey" attribute, which allows verifying whether the EFS is encrypted and the encryption key parameters.
VPC entity - added "hasFlowLogs" attribute, which allows verifying whether the VPC has flow logs.

Account page:
UI improvements and fixes for new AWS metered plans.

Bug Fixes:
DOME-6901 - VPC Flow Logs - Fixed undefined values on VPC selector
DOME-6907 - Account page - Fix old Plans support on the UI.

Deployment Feb 1, 2018

Cloud Accounts:
Improved and optimized the UI, added filtering and cloud account state
For additional information visit our documentation [/wiki/spaces/DG/pages/177242193]. 

Account page:
UI improvements for new AWS metered plans.

Deployment Jan 25, 2018

Compliance engine:
EFS - added "Encryption" attribute, which allows verifying whether the EFS is encrypted.
For example: EFS should have encrypted=true

CIS AWS Foundations bundle updates (CIS Amazon Web Services Foundations Benchmark 1.0.0)
Updating the remediation field, removing old PDF from rules remediation, and changing Bundle description.

Bug fixes:
Clarity - VPC Flow Logs UI fixes.

Deployment Jan 24, 2018

Cross system:
Update password policy to require complex passwords

Bug fixes:
Clarity bug fixes.

Deployment Jan 22, 2018

PREVIEW

Cross system:
Added Japanese language support.

Bug fixes:
Add cloud account using API fix.
Left side menu - links fix.

Deployment Jan 18, 2018

AWS Onboarding:
Updated the dome9-read-only policy due to AWS SecurityAudit Policy update.

Cloud account page:
Added improved missing permissions mechanism.

Account page:
Added updated payment plans.

Deployment Jan 17, 2018

Bug fixes:
small UI fixes for the compliance rule builder.
Security groups - fixing navigation issue to instances.

Deployment Jan 16 2018

PREVIEW

Compliance engine:
Added AWS ECS Cluster support.
Added AWS ECS Task definitions support.

Bug fixes:
IAM - Improved Credentials report error handling.

Deployment Jan 11 2018

PREVIEW

Compliance engine:
Added AWS Network Interface support.

Bug fixes:
Clarity - small UI fixes.