1 April 17 2024
2 April 10 2024
3 April 04 2024
4 April 03 2024
5 March 27 2024
6 March 20 2024
7 March 13 2024
8 March 06 2024
9 February 28 2024
10 February 21 2024
11 February 14 2024
12 February 07 2024
13 January 31 2024
14 January 24 2024
15 January 17 2024
16 January 10 2024
17 January 03 2024

April 17 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.49	Ensure that AWS Secrets Manager secret rotation interval is smaller than 30 days	Low	Modification	Name	Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days	Ensure that AWS Secrets Manager secret rotation interval is smaller than 30 days	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.IAM.83	Ensure that SQS policy does not allow all actions from all principals	High	Modification	Name	Ensure that SQS policy won't allow all actions from all principals	Ensure that SQS policy does not allow all actions from all principals	AWS HIPAA AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO 27001:2022 AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.OPE.107	Ensure that DAX Parameter Group does not require reboot	High	Modification	Name	Ensure that DAX Parameter Group doesn't require reboot	Ensure that DAX Parameter Group does not require reboot	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY DFS 23 CRR 500 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1
D9.AWS.IAM.58	Ensure SNS Topics administrative actions are not publicly executable without a condition	Critical	Modification	Name	Ensure SNS Topics administrative actions aren't publicly executable without a condition	Ensure SNS Topics administrative actions are not publicly executable without a condition	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.GCP.CRY.27	Ensure that AlloyDB cluster is encrypted using CMEK	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.28	Ensure that AlloyDB cluster continuous backup is encrypted using CMEK	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.CRY.29	Ensure that AlloyDB backup is encrypted	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.DR.06	Ensure that AlloyDB cluster has backup policy enabled	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP NIST SP 800-172 GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA
D9.GCP.MON.07	Ensure that AlloyDB cluster is healthy	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.MON.08	Ensure that AlloyDB instance is healthy	High	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NY DFS 23 CRR 500 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP EU GDPR
D9.GCP.NET.81	Ensure that AlloyDB instance enforces using connectors	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP EU GDPR
D9.GCP.OPE.30	Ensure AlloyDB cluster version is latest	Informational	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP FedRAMP R5 (moderate) GCP FFIEC Cybersecurity Assessment Tool (CAT) GCP Secure Controls Framework (SCF) v2023.1 GCP CMMC 2.0 v1.02 GCP NIST SP 800-171 R2 GCP NIST CSF v1.1

April 10 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.NET.111	Ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in order to follow AWS reliability and security best practices	Low	Modification	Severity	High	Low	AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST SP 800-172 AWS PIPEDA AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1
D9.AWS.NET.71	EksCluster endpoint should not be publicly accessible	Medium	Modification	Name Severity	EksCluster should not be publicly accessed Critical	EksCluster endpoint should not be publicly accessible Medium	AWS Security Risk Management AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 CloudGuard AWS Default Ruleset AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS ASD Essential Eight AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.1040	Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995)	High	Modification	Logic	SecurityGroup should not have should not have inboundRules contain [ port=110 and portTo=110 or port=995 and portTo=995 and scope in ('0.0.0.0/0', '::/0') ]	SecurityGroup should not have inboundRules contain [ port=110 and portTo=110 or port=995 and portTo=995 and scope in ('0.0.0.0/0', '::/0') ]	AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)

April 04 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.LOG.04	Ensure AWS Config is enabled in all regions	Low	Removal				AWS LGPD AWS NIST SP 800-53 R5 AWS CIS Foundations Benchmark v1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS CIS Foundations Benchmark v1.1.0 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS NIST SP 800-53 R4 AWS CIS Critical Security Controls v8 AWS CSA CCM v4 AWS CIS Foundations Benchmark v2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ENS 2022 Spain AWS PCI DSS v3.2.1 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS CSA CCM v3 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS SWIFT Customer Security Programme CSCF AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS CIS Foundations Benchmark v3.0.0 AWS CIS Foundations Benchmark v1.0.0 AWS ISO 27001:2013 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls) AWS CIS Foundations Benchmark v1.2.0 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS CCPA AWS MAS TRM AWS NIST SP 800-171 R1 AWS CIS Foundations Benchmark v1.3.0 AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS CIS Foundations Benchmark v1.4.0 AWS MITRE ATT&CK Framework v10

April 03 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AS.33	Ensure that Media Package Channel should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.45	Ensure that MediaLive Channel should have Log level	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.46	Ensure that Username is set for AWS MediaLive Channel Output Destination Settings	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.47	Ensure that Password parameter is set for AWS MediaLive Channel Output Destination Settings	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.48	Ensure that MediaLive Input should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.49	Ensure that MediaLive Reservation should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.50	Ensure that MediaLive Input SecurityGroup should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.51	Ensure that MediaLive Input Security Groups do not implicitly whitelist all public IP addresses.	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.52	Ensure that MediaPackage Channel should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.53	Ensure that ingress access logs is enabled for MediaPackage Channel	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.54	Ensure that egress access logs is enabled for MediaPackage Channel	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.55	Ensure that only successful MediaPackage Harvest jobs are available	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.56	Ensure that MediaPackage Origin Endpoint should have tags	Low	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.57	Ensure that authorization is set for MediaPackage Origin Endpoint	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.58	Ensure that Amazon Elastic Transcoder Pipelines are encrypted	High	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.AS.59	Ensure that a notification is configured for Amazon Elastic Transcoder Pipelines	Medium	New				AWS HIPAA AWS NIST SP 800-53 R5 AWS PCI DSS v4 AWS CSA CCM v4 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ENS 2022 Spain AWS CMMC 2.0 v1.02 AWS NY DFS 23 CRR 500 AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS NIST SP 800-172 AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.VLN.04	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on'	Medium	Modification	Name	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'	Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on'	GCP CIS Foundations Benchmark v1.3.0 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ENS 2022 Spain GCP RMiT Malaysia GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CIS Foundations Benchmark v3.0.0 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.1.0 GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.GCP.VLN.08	Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'	Medium	Modification	Name	Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'on'	Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'	GCP CIS Foundations Benchmark v1.3.0 GCP NIST SP 800-53 R5 GCP CIS Foundations Benchmark v2.0.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP ENS 2022 Spain GCP RMiT Malaysia GCP FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP HITRUST CSF v11.2 GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP ISO 27002:2022 GCP CRI Profile v1.2 GCP CIS Foundations Benchmark v3.0.0 GCP NIST CSF v1.1 GCP SOC 2 (AICPA TSC 2017 Controls) GCP HIPAA GCP CIS Foundations Benchmark v1.2.0 GCP CloudGuard Best Practices
D9.AZU.IAM.46	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users	High	Modification	Logic	User where assignedRoles with [displayName like '%admin%' or displayName like '%contributor%' or displayName like '%creator%' or displayName like '%manage%' or displayName like '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignmentRoles with [ roleName like '%owner%' or roleName like '%admin%' or roleName like '%contributor%' or roleName like '%creat%' or roleName like '%manage%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure ISO 27001:2022 Azure MLPS 2.0 Azure ENS 2022 Spain Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure HIPAA Azure Dashboard System Ruleset Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AZU.IAM.47	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users	High	Modification	Logic	User where assignedRoles isEmpty() or assignedRoles with [ displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignmentRoles isEmpty() or assignmentRoles with [ roleName unlike '%owner%' and roleName unlike '%admin%' and roleName unlike '%contributor%' and roleName unlike '%creat%' and roleName unlike '%manage%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure PCI DSS v4 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 CloudGuard Azure Default Ruleset Azure ASD Essential Eight Azure CMMC 2.0 v1.02 Azure CRI Profile v1.2 Azure NIST SP 800-171 R2 Azure NY DFS 23 CRR 500 Azure RMiT Malaysia Azure ACSC ISM Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure NIST CSF v1.1 Azure HIPAA Azure Dashboard System Ruleset Azure CloudGuard Best Practices Azure Microsoft Cloud Security Benchmark (MCSB) v1
D9.AWS.IAM.59	Ensure that VPC Endpoint policy does not provide excessive permissions	High	Modification	Logic	VpcEndpoint should not have policy.Statement contain [Effect='Allow' and (Action = '' or Action contain ['%s3:%'] or Action contain ['%dynamodb:*%'] )]	VpcEndpoint should have policy.Statement contain-none [ ( (not Principal) or Principal='') and Effect='Allow' ] and policy.Statement contain-none [ Effect='Allow' and (Action = '' or Action contain ['%s3:%'] or Action contain ['%dynamodb:%'] ) ]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS PCI DSS v4 AWS HITRUST CSF v11.0 AWS CIS Critical Security Controls v8 CloudGuard AWS All Rules Ruleset AWS ISO 27001:2022 AWS APRA 234 AWS ENS 2022 Spain AWS MLPS 2.0 AWS CMMC 2.0 v1.02 AWS CRI Profile v1.2 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS RMiT Malaysia AWS ACSC ISM AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS FFIEC Cybersecurity Assessment Tool (CAT) AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS ISO 27002:2022 AWS NIST CSF v1.1 AWS SOC 2 (AICPA TSC 2017 Controls) AWS CloudGuard Best Practices AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.AWS.NET.1029	Ensure no security group allows unrestricted inbound access to TCP etcd port (2379)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1030	Ensure no security group allows unrestricted inbound access to TCP CouchDB port (5984)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1031	Ensure no security group allows unrestricted inbound access to TCP Kibana port (5601)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1032	Ensure no security group allows unrestricted inbound access to TCP LDAP port (389)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1033	Ensure no security group allows unrestricted inbound access to TCP MaxDB port (7210)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1034	Ensure no security group allows unrestricted inbound access to TCP MSSQL port (1434)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1035	Ensure no security group allows unrestricted inbound access to TCP NFS port (2049)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1036	Ensure no security group allows unrestricted inbound access to TCP SQL Analysis Services port (2383)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1037	Ensure no security group allows unrestricted inbound access to TCP VNC port (5500)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1038	Ensure no security group allows unrestricted inbound access to TCP/UDP ArangoDB port (8529)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1039	Ensure no security group allows unrestricted inbound access to TCP/UDP Mini SQL port (4333)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1040	Ensure no security group allows unrestricted inbound access to TCP/UDP POP3 ports (110,995)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1041	Ensure no security group allows unrestricted inbound access to TCP Cassandra ports (7000, 7001, 7199, 9042, 9142, 9160)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1042	Ensure no security group allows unrestricted inbound access to TCP ElasticSearch ports (9200, 9300)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1043	Ensure no security group allows unrestricted inbound access to TCP MongoDB ports (27017-27020)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1044	Ensure no security group allows unrestricted inbound access to TCP Oracle DB ports (1521, 1830, 2483, 8098)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1045	Ensure no security group allows unrestricted inbound access to TCP Riak ports (8087, 8098)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1046	Ensure no security group allows unrestricted inbound access to TCP Solr ports (7574, 8983)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1
D9.AWS.NET.1047	Ensure no security group allows unrestricted inbound access to TCP VNC ports (5800, 5900)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1048	Ensure no security group allows unrestricted inbound access to TCP RethinkDB ports (8080, 28015, 29015) or UDP ports (28015, 29015)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.AWS.NET.1049	Ensure no security group allows unrestricted inbound access to TCP Neo4J ports (7473, 7474), or UDP port (7473)	High	New				AWS NIST SP 800-53 R5 AWS PCI DSS v4 CloudGuard AWS All Rules Ruleset AWS CMMC 2.0 v1.02 AWS NIST SP 800-171 R2 AWS New Zealand ISM v3.6 AWS FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) v2023.1 AWS SOC 2 (AICPA TSC 2017 Controls)
D9.GCP.LOG.31	Ensure Logging is enabled for HTTP(S) Load Balancer	Low	Modification	Name	Ensure that logging is enabled for Google Cloud load balancing backend services	Ensure Logging is enabled for HTTP(S) Load Balancer	GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP ISO 27001:2022 GCP APRA 234 GCP CSA CCM v4 GCP ACSC ISM GCP SOX (Section 404) GCP Secure Controls Framework (SCF) v2023.1 GCP CRI Profile v1.2 GCP New Zealand ISM v3.6 GCP CIS Foundations Benchmark v3.0.0 GCP HIPAA
D9.GCP.MON.06	Ensure that only usable Instances are available in BigTable	Low	New				GCP NIST SP 800-53 R5 GCP PCI DSS v4 CloudGuard GCP All Rules Ruleset GCP CSA CCM v4 GCP ENS 2022 Spain GCP ACSC ISM GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP Secure Controls Framework (SCF) v2023.1 GCP ASD Essential Eight
D9.AWS.VLN.08	Ensure Lambda Functions are Not Using Deprecated Runtime	High	Modification	Name	Ensure Lambda functions are not using deprecated runtimes	Ensure Lambda Functions are Not Using Deprecated Runtime	CloudGuard AWS All Rules Ruleset AWS Foundational Security Best Practices (FSBP) AWS APRA 234 AWS ACSC ISM AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS CloudGuard Best Practices
D9.GCP.AS.18	Ensure that only operational Firebase Realtime Databases are available.	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.MON.04	Ensure that Split Health Check is enabled for App Engine services	Medium	New				CloudGuard GCP All Rules Ruleset
D9.GCP.MON.05	Enable Identity-Aware Proxy (IAP) for App Engine Services	High	New				CloudGuard GCP All Rules Ruleset

March 27 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.MON.107	Ensure that Azure Network Watcher is Enabled	Low	New				Azure CIS Foundations Benchmark v1.4.0 Azure CIS Foundations Benchmark v1.5.0 Azure NIST SP 800-53 R5 Azure CIS Foundations Benchmark v2.0.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v4 Azure ISO 27001:2022 Azure ENS 2022 Spain Azure CMMC 2.0 v1.02 Azure NIST SP 800-171 R2 Azure RMiT Malaysia Azure CIS Critical Security Controls v8 Azure FedRAMP R5 (moderate) Azure SOX (Section 404) Azure Secure Controls Framework (SCF) v2023.1 Azure ISO 27002:2022 Azure New Zealand ISM v3.6 Azure CIS Foundations Benchmark v2.1.0 Azure SOC 2 (AICPA TSC 2017 Controls) Azure HIPAA Azure CIS Foundations Benchmark v1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations Benchmark v1.2.0 Azure CIS Foundations Benchmark v1.3.0 Azure HITRUST CSF v9.5 Azure CIS Foundations Benchmark v1.3.1
D9.AWS.CRY.38	Ensure to update the Security Policy of the Network Load Balancer	High	Modification	Logic	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	AWS NIST SP 800-53 R5 AWS MITRE ATT&CK Framework v11.3 AWS HITRUST CSF v11.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS ACSC ISM AWS NIST SP 800-172 AWS SOX (Section 404) AWS Secure Controls Framework (SCF) v2023.1 AWS Well-Architected Framework AWS CloudGuard Best Practices AWS MAS TRM AWS HITRUST CSF v9.2 AWS ITSG-33 Canada AWS MITRE ATT&CK Framework v10
D9.ALI.CRY.10	Ensure that Automatic Rotation is Enabled for KMS	High	Modification	Name	Ensure that Automatic Rotation is enabled for KMS	Ensure that Automatic Rotation is Enabled for KMS	CloudGuard Alibaba All Rules Ruleset
D9.AZU.NET.28	Ensure that Network Watcher is 'Enabled'	Low	Removal				Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure HITRUST v9.5.0 Azure CIS Foundations v. 1.3.1

March 20 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.AS.44	Ensure Resource Access Manager customer managed permissions should have tags	Informational	New				AWS Health Insurance Portability and Accountability Act (U.S. HIPAA) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.DR.17	Ensure AWS Elastic Block Store (EBS) volumes have recent snapshots available for point-in-time recovery	High	Modification	Logic	EbsSnapshot should not have createTime before(-7, 'days')	Volume should have getResources('EbsSnapshot') contain [$.createTime after(-7, 'days') and $.volumeId = ~.volumeId]	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS US FedRAMP R5 (moderate) AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.DR.19	Ensure that Lightsail Relational Database has a recent snapshot	High	Modification	Logic	LightsailRelationalDatabase should have latestRestorableTime before(7, 'days')	LightsailRelationalDatabase should have latestRestorableTime after(-7, 'days')	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS US FedRAMP R5 (moderate) AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) v1.1
D9.AWS.LOG.58	Ensure that Access Logging should be enabled for AWS Elemental MediaStore Container	Medium	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.152	Ensure that AWS Elemental MediaStore Container should be ACTIVE	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.OPE.29	Ensure that only usable Instance are available in Filestore	Low	New				CloudGuard GCP All Rules Ruleset
D9.ALI.CRY.08	Ensure Apsara File Storage NAS are encrypted	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.09	Ensure Apsara File Storage NAS should have Encryption Type selected	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.10	Ensure that Automatic Rotation is enabled for KMS	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.11	Ensure that Deletion Protection is Enabled for KMS	High	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.CRY.12	Ensure only usable Keys are in the KMS	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.OPE.03	Ensure that Apsara File Storage NAS should have tags	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.OCI.AS.08	Ensure that a newly created region subscription's status is ready	Informational	New				CloudGuard OCI All Rules Ruleset
D9.K8S.IA.UN.5	Container Image – ScanSummary	Critical	New				Workload Vulnerability 2.0 with ScanSummary rule
D9.AWS.OPE.131	Ensure Resource Access Manager customer managed permissions should have tags	Informational	Removal				AWS Health Insurance Portability and Accountability Act (U.S. HIPAA) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF) v1.1

March 13 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.GCP.CRY.01	Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)	Medium	Modification	Severity	High	Medium	GCP CloudGuard CheckUp GCP CIS Foundations v. 1.3.0 GCP Security Risk Management GCP LGPD regulation GCP NIST Special Publication 800-53 (Rev. 5) GCP PCI-DSS 4.0 GCP CIS Foundations v. 2.0 GCP MITRE ATT&CK Framework v12.1 CloudGuard GCP All Rules Ruleset GCP CIS Critical Security Controls v8 GCP CIS Foundations v. 1.0.0 GCP ISO 27001:2022 GCP APRA 234 GCP Cloud Security Alliance CCM v4 GCP Esquema Nacional Seguridad (ENS) 2022 GCP Risk Management in Technology (RMiT) GCP Australian Cyber Security Centre (ACSC) Information Security Manual GCP US FedRAMP R5 (moderate) GCP ISO 27017:2015 GCP SWIFT Customer Security Programme CSCF GCP NIST Special Publication 800-172 GCP U.S. Sarbanes-Oxley Act (Section 404) GCP PCI-DSS 3.2 GCP Secure Controls Framework (SCF) GCP ISO 27002:2022 GCP Cybersecurity Maturity Model Certification (CMMC) 2.0 GCP NIST Special Publication 800-171 (Rev. 2) GCP NIST 800-53 Rev 4 GCP NY Department of Financial Services (DFS) 23 CRR 500 GCP New Zealand Information Security Manual (NZ ISM) v3.6 GCP ISO 27001:2013 GCP NIST Cybersecurity Framework (CSF) v1.1 GCP CloudGuard SOC2 based on AICPA TSC 2017 GCP Health Insurance Portability and Accountability Act (U.S. HIPAA) GCP Dashboard System Ruleset GCP EU GDPR GCP CIS Foundations v. 1.1.0 GCP CIS Foundations v. 1.2.0 GCP CloudGuard Best Practices
D9.AWS.IAM.190	Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None	High	Modification	Logic	MSKConnectConnector should not have kafkaClusterClientAuthentication.authenticationType.value!='None'	MSKConnectConnector should not have kafkaClusterClientAuthentication.authenticationType.value='None'	CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.142	Ensure that AppFlow should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.143	Ensure that MediaStoreContainer should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.144	Ensure that DataSyncStorage should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.145	Ensure that CloudTrail should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.148	Ensure that EksCluster should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.149	Ensure AWS Verified Access should have FIPS status enabled	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.150	Ensure AWS Verified Access should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.NET.80	Cloud Armor Security Policy Default Rule Action should be 'Deny'	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.21	Ensure that DnsManagedZone should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.22	Ensure that PubSubTopic should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.23	Ensure that VMInstance should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.24	Ensure that Filestore Instance should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.25	Ensure that DataprocCluster should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.26	Ensure that Secret should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.27	Ensure that Disk should have tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.28	Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' policy is enforced for Google Cloud Platform (GCP) organizations	Medium	New				CloudGuard GCP All Rules Ruleset
D9.ALI.OPE.01	Ensure that Auto Scaling Group should have Deletion Protection enabled	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.ALI.OPE.02	Ensure Auto Scaling group have scaling cooldown higher than a minute	Low	New				CloudGuard Alibaba All Rules Ruleset
D9.OCI.OPE.05	Ensure that Tenancy should have defined tags	Low	New				CloudGuard OCI All Rules Ruleset

March 06 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.LOG.14	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests	Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.LOG.15	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests	Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.LOG.16	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Low	Modification	Name	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests in Monitoring (classic)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1

February 28 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.LOG.16	Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests	Low	Modification	Logic	StorageAccount should have tableServiceProperties.classicDiagnosticSettings.logging.read=true and tableServiceProperties.classicDiagnosticSettings.logging.write=true and blobServiceProperties.classicDiagnosticSettings.logging.delete=true	StorageAccount should have tableServiceProperties.classicDiagnosticSettings.logging.read=true and tableServiceProperties.classicDiagnosticSettings.logging.write=true and tableServiceProperties.classicDiagnosticSettings.logging.delete=true	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AWS.CRY.38	Ensure to update the Security Policy of the Network Load Balancer	High	Modification	Logic	NetworkLoadBalancer should have listeners contain [securityPolicy in('ELBSecurityPolicy-2016-08', 'ELBSecurityPolicy-FS-2018-06', 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', 'ELBSecurityPolicy-TLS13-1-2-2021-06') ]	NetworkLoadBalancer where listeners contain [ protocol='TLS' ] should have listeners contain [securityPolicy in('ELBSecurityPolicy-TLS13-1-2-2021-06', 'ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04')]	AWS NIST Special Publication 800-53 (Rev. 5) AWS MITRE ATT&CK Framework v11.3 AWS HITRUST v11.0.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS NIST Special Publication 800-172 AWS U.S. Sarbanes-Oxley Act (Section 404) AWS Secure Controls Framework (SCF) AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AZU.NET.35	Ensure Application Gateway is using the latest version of TLS encryption	High	Modification	Logic	ApplicationGateway should have sslPolicy.minProtocolVersion='1.2'	ApplicationGateway should have sslPolicy.minProtocolVersion='TLSv1_2'	Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Cyber Risk Institute (CRI) Profile Azure US FedRAMP R5 (moderate) Azure U.S. Sarbanes-Oxley Act (Section 404) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure Health Insurance Portability and Accountability Act (U.S. HIPAA) Azure CloudGuard Best Practices Azure HITRUST v9.5.0
D9.AWS.IAM.190	Ensure that Authorization Type in AWS Kafka Connect Connector is not set to None	High	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.141	Ensure that the AWS Kafka Connect Connector is in a Healthy State	Low	New				CloudGuard AWS All Rules Ruleset
D9.GCP.CRY.24	Ensure Vertex AI Notebook Instance Have Integrity Monitoring Enabled	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.CRY.26	Ensure That Vertex AI Notebook Instance is encrypted with Customer-Managed Encryption Key (CMEK)	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.77	Ensure GCP Vertex AI Notebook Instance secure boot feature is Enabled	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.78	Ensure GCP Vertex AI Notebook Instance vTPM feature is enabled	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.79	Ensure Firestore Database delete protection enabled	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.17	Ensure that Vertex AI Notebook Instance has tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.18	Ensure that Vertex AI Notebook Instance status is healthy	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.19	Ensure that Vertex AI Notebook Runtime has tags	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.20	Ensure that Vertex AI Notebook Runtime status is healthy	High	New				CloudGuard GCP All Rules Ruleset

February 21 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.127	Ensure Athena Workgroups should be Encrypted at Rest	High	Modification	Name Logic	Ensure Athena workgroups should be encrypted at rest AthenaWorkGroup should not have configuration.resultConfiguration.encryptionConfiguration.encryptionOption isEmpty()	Ensure Athena Workgroups should be Encrypted at Rest AthenaWorkGroup where configuration.resultConfiguration.outputLocation isEmpty()=false should not have configuration.resultConfiguration.encryptionConfiguration.encryptionOption isEmpty()	AWS Health Insurance Portability and Accountability Act (U. S. HIPAA) AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS Foundational Security Best Practices (FSBP) standard AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP R5 (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AZU.CRY.18	Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)	High	Modification	Logic	VirtualMachine should have (disks contain [getResource('Disk',name,'name') contain [properties.encryptionSettingsCollection.enabled=true]])	VirtualMachine should have disks contain [ sseType='EncryptionAtRestWithCustomerKey' ]	Azure CloudGuard CheckUp Azure CIS Foundations v. 1.4.0 Azure Security Risk Management Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CIS Microsoft Azure Compute Services Benchmark v1.0.0 Azure APRA 234 AZURE MLPS 2.0 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure NY Department of Financial Services (DFS) 23 CRR 500 Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure EU General Data Protection Regulation (GDPR) Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA) Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure HITRUST v9.5.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.16	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)	Low	Modification	Name	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key	Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CIS Foundations v. 1.1.0 Azure CloudGuard Best Practices Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.27	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)	Low	Modification	Name	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys	Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)	Azure CIS Foundations v. 1.4.0 Azure LGPD regulation Azure CIS Foundations v. 1.5.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure CIS Foundations v. 1.0.0 Azure Esquema Nacional Seguridad (ENS) 2022 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure PCI-DSS 3.2 Azure NIST 800-53 Rev 4 Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CSA CCM v.3.0.1 Azure ISO 27001:2013 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA) Azure Dashboard System Ruleset Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure New Zealand Information Security Manual (NZISM) v.3.4 Azure HITRUST v9.5.0 Azure ITSG-33 Azure CIS Foundations v. 1.3.1
D9.AZU.CRY.33	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server	High	Modification	Name	Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server	Ensure 'TLS Version' is set to 'TLSV1.2' (or higher) for MySQL flexible Database Server	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AZU.CRY.39	Ensure that Storage Account Access Keys are Periodically Regenerated	High	Modification	Name	Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services	Ensure that Storage Account Access Keys are Periodically Regenerated	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 Azure Esquema Nacional Seguridad (ENS) 2022 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.IAM.38	Ensure Security Defaults is enabled on Microsoft Entra ID	High	Modification	Name	Ensure Security Defaults is enabled on Azure Active Directory	Ensure Security Defaults is enabled on Microsoft Entra ID	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure US FedRAMP R5 (moderate) Azure ISO 27017:2015 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.MON.67	Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'	High	Modification	Name	Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'	Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure CIS Foundations v. 1.2.0 Azure CIS Foundations v. 1.3.0 Azure CIS Foundations v. 1.3.1
D9.AZU.IAM.47	Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users	High	Modification	Logic	User where assignedRoles with [displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%'] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	User where assignedRoles isEmpty() or assignedRoles with [ displayName unlike '%admin%' and displayName unlike '%contributor%' and displayName unlike '%creator%' and displayName unlike '%manage%' and displayName unlike '%owner%' ] should have userCredentialRegistrationDetails.isRegisterWithMfa=true	Azure Security Risk Management Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Australian Signals Directorate (ASD) Essential Eight Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute (CRI) Profile Azure NIST Special Publication 800-171 (Rev. 2) Azure NY Department of Financial Services (DFS) 23 CRR 500 Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure Dashboard System Ruleset Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AZU.MON.79	[LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	High	Modification	Name	Ensure That Microsoft Defender for DNS Is Set To 'On'	[LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'	Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 AZURE MLPS 2.0 Azure Cyber Risk Institute (CRI) Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure SWIFT Customer Security Programme CSCF Azure U. S. FFIEC Cybersecurity Assessment Tool (CAT) Azure Secure Controls Framework (SCF) Azure New Zealand Information Security Manual (NZ ISM) v3.6 Azure CIS Foundations v.2.1.0 Azure NIST Cybersecurity Framework (CSF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.NET.05	Ensure no security groups allow unrestricted ingress (from either IPv4 or IPv6 source IP addresses) to commonly used remote server administration ports	Critical	New				CloudGuard AWS All Rules Ruleset

February 14 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.66	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers	Critical	Modification	Name Logic	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Ensure that 'Public access level' is Disabled for Storage Accounts with Blob Containers StorageAccount should have publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST Special Publication 800-53 (Rev. 5) Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure Cyber Risk Institute Profile Azure Risk Management in Technology (RMiT) Azure Australian Cyber Security Centre (ACSC) Information Security Manual Azure CIS Critical Security Controls v8 Azure NIST Special Publication 800-172 Azure Secure Controls Framework (SCF) Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.IAM.175	Ensure that Multi-Factor Authentication is Enabled for All IAM Users	High	Modification	Name	MFA should be Active for All IAM Users	Ensure that Multi-Factor Authentication is Enabled for All IAM Users	AWS Security Risk Management AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS SWIFT Customer Security Programme CSCF AWS Secure Controls Framework (SCF) AWS NIST Cybersecurity Framework (CSF) AWS Dashboard System Ruleset
D9.AWS.IAM.154	Ensure that Lambda functions should not have IAM roles with permissions for destructive actions on Amazon RDS databases	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster' ) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in( 'rds:DeleteDBInstance', 'rds:DeleteDBSnapshot', 'rds:DeleteDBClusterSnapshot', 'rds:DeleteGlobalCluster' ) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.157	Ensure that AWS Lambda function should not have org write access level	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_Org_Write_Permissions) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_Org_Write_Permissions) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.158	Ensure that AWS Lambda function should not have IAM write access level	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_IAM_Write_Permissions) ] ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Action contain [ $ in($AWS_IAM_Write_Permissions) ] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.IAM.167	Ensure that AWS Lambda IAM policy should not be overly permissive to all traffic	High	Modification	Logic	Lambda should not have roles contain [ combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action ='*' ] ] ]	Lambda should not have executionRole.combinedPolicies contain [ policyDocument.Statement contain [ Effect='Allow' and Action contain ['*'] ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS NIST Cybersecurity Framework (CSF)
D9.AWS.VLN.16	Ensure that Shield Advanced is in Use	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.18	Ensure that a Virtual WAN P2s VPN Gateway has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.20	Ensure that VMware Solution has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.84	Ensure that Azure VMware Solution has encryption enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.73	Ensure Anonymous Access is Not Turned On for Blob Containers in Microsoft Azure Storage Accounts	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.114	Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations have Internet Security enabled	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.65	Ensure that DevTest Lab has Tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.69	Ensure that a Virtual WAN P2s VPN Gateway is not in a 'Failed' state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.70	Ensure that all Virtual WAN P2s VPN Gateway Connection Configurations are not in a 'Failed' state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.76	Ensure that VMware Solution's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.77	Ensure that Virtual WAN VPN Server has Tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.78	Ensure that Provisioning Status of Configuration Policy Group for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.79	Ensure that P2S VPN Gateways's Provisioning Status for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.80	Ensure that Provisioning Status of P2S Connection Configuration for Virtual WAN VPN Server is not Failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.81	Ensure that Virtual WAN VPN Server's Status is not Failed	High	New				CloudGuard Azure All Rules Ruleset

February 07 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.77	Ensure rotation for customer-created symmetric CMKs is enabled	High	Modification	Name	Ensure rotation for customer created symmetric CMKs is enabled	Ensure rotation for customer-created symmetric CMKs is enabled	AWS Health Insurance Portability and Accountability Act (U. S. HIPAA) AWS NIST Special Publication 800-53 (Rev. 5) AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS APRA 234 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS SWIFT Customer Security Programme CSCF AWS NIST Special Publication 800-172 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AWS.CRY.12	ALB secured listener certificate expires in one week	High	Modification	Logic	ApplicationLoadBalancer where region unlike 'cn%' should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS MITRE ATT&CK Framework v11.3 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS NIST Special Publication 800-171 (Rev. 2) AWS CSA CCM v.3.0.1 AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS ISO 27001:2013 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS NIST 800-171 AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AWS.LOG.24	Ensure that Object-level logging for read events is Enabled for S3 bucket	High	Modification	Name	Ensure Object-level Logging of Read Events is Enabled for S3 Buckets	Ensure that Object-level logging for read events is Enabled for S3 bucket	AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 AWS CSA CCM v.4.0.1 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-171 (Rev. 2) AWS NY Department of Financial Services (DFS) 23 CRR 500 AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS CloudGuard Best Practices AWS CIS Foundations v. 1.3.0 AWS CIS Foundations v. 1.4.0
D9.AWS.LOG.45	Ensure usage of 'root' account is monitored	High	Modification	Name	Ensure Root Account Usage is being monitored using CloudWatch alarms	Ensure usage of 'root' account is monitored	AWS NIST Special Publication 800-53 (Rev. 5) CloudGuard AWS All Rules Ruleset AWS APRA 234 AWS Australian Signals Directorate (ASD) Essential Eight AWS Cybersecurity Maturity Model Certification (CMMC) 2.0 AWS NIST Special Publication 800-172 AWS Secure Controls Framework (SCF) AWS CIS Benchmark 3.0.0
D9.AWS.NET.141	Ensure no security groups allow ingress from ::/0 to remote server administration ports	Critical	New				AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Risk Management in Technology (RMiT) AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AWS.NET.91	Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports	Critical	Modification	Name Logic	Ensure no security groups allow unrestricted ingress to commonly used remote server administration ports SecurityGroup should not have inboundRules with [ (scope='::/0' or scope='0.0.0.0/0') and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]	Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports SecurityGroup should not have inboundRules with [ scope='0.0.0.0/0' and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]	AWS NIST Special Publication 800-53 (Rev. 5) AWS CIS Foundations v. 1.5.0 AWS Payment Card Industry Data Security Standard (PCI DSS) v4.0 AWS HITRUST v11.0.0 CloudGuard AWS Default Ruleset AWS CIS Critical Security Controls v8 AWS CIS Foundations v. 2.0.0 CloudGuard AWS All Rules Ruleset AWS EU GDPR AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Special Publication 800-171 (Rev. 2) AWS New Zealand Information Security Manual (NZ ISM) v3.6 AWS Risk Management in Technology (RMiT) AWS Australian Cyber Security Centre (ACSC) Information Security Manual AWS US FedRAMP (moderate) AWS ISO 27017:2015 AWS U. S. FFIEC Cybersecurity Assessment Tool (CAT) AWS Secure Controls Framework (SCF) AWS ISO 27002:2022 AWS CIS Benchmark 3.0.0 AWS NIST Cybersecurity Framework (CSF) AWS CloudGuard Best Practices
D9.AZU.CRY.59	Ensure Azure Container Instance should use Secure Values for environment variables	Low	Modification	Name	Ensure Azure Container Instance environment variable	Ensure Azure Container Instance should use Secure Values for environment variables	Azure NIST Special Publication 800-53 (Rev. 5) Azure Payment Card Industry Data Security Standard (PCI DSS) v4.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 Azure APRA 234 Azure ISO 27001:2022 AZURE MLPS 2.0 Azure ENS 2022 Azure Cybersecurity Maturity Model Certification (CMMC) 2.0 Azure NIST Special Publication 800-171 (Rev. 2) Azure FedRAMP R5 (moderate) Azure Secure Controls Framework (SCF) Azure ISO 27002:2022 Azure Health Insurance Portability and Accountability Act (U. S. HIPAA)
D9.AWS.CRY.151	Ensure that Log groups in AWS Cloud Watch are encrypted using Customer Managed Keys	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.LOG.30	Ensure CloudWatch Logs is enabled for Prometheus Workspace	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.120	Ensure that Log groups in AWS Cloud Watch should have tags	Informational	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.121	Ensure that Prometheus Workspace should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.123	Ensure that Grafana Workspace should have tags	Low	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.19	Ensure that Azure Virtual Desktop App Group has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.73	Ensure that Azure Virtual Desktop App Group has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.74	Ensure that Azure Private Link Service's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.75	Ensure that Azure Private Link Service has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.GCP.NET.75	Ensure Public Cloud NAT Gateway should have automatic NAT IP address allocation enabled	Informational	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.76	Ensure Public NAT Gateway should have dynamic port allocation enabled	Informational	New				CloudGuard GCP All Rules Ruleset
D9.OCI.CRY.07	Ensure Encryption in Transit is Enabled for Custom Images in Oracle Cloud	High	New				CloudGuard OCI All Rules Ruleset
D9.OCI.DR.01	Ensure Automated Backups are Enabled for MySQL Database Systems	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.DR.02	Ensure that Backup Retention Period is Set for Oracle MySQL Database	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.NET.29	Ensure Load Balancer should have Delete Protection Enabled	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.OPE.04	Ensure that Custom Images in Oracle Cloud should have Tags	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.VLN.01	Ensure Detector Recipe should contain Detector's Rules	Low	New				CloudGuard OCI All Rules Ruleset
D9.OCI.VLN.02	Ensure Responder Recipe should contain Responder's Rules	Low	New				CloudGuard OCI All Rules Ruleset

January 31 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.66	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts	Critical	Modification	Name Logic	Ensure that 'Public access level' is disabled for storage accounts with blob containers StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccess like 'Disabled'	Ensure Public (Anonymous) Access is disabled for Microsoft Azure Storage Accounts StorageAccount should have allowBlobPublicAccess=false and publicNetworkAccessAsDisplayedInPortal like 'Disabled'	Azure CIS Foundations v. 1.4.0 Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure Risk Management in Technology (RMiT) Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure HIPAA Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1]
D9.AWS.CRY.150	Ensure that Bedrock Custom Model is encrypted using CMK	Low	New				CloudGuard AWS All Rules Ruleset AWS US FedRAMP (moderate) AWS ISO 27017:2015
D9.AWS.NET.1028	Ensure that Bedrock Model Customization Job is using a VPC	Low	New				CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.139	Ensure that Bedrock Custom Model has tags	Low	New				CloudGuard AWS All Rules Ruleset AWS ISO 27017:2015
D9.AWS.OPE.140	Ensure that Bedrock Model Customization Job has tags	Low	New				CloudGuard AWS All Rules Ruleset AWS ISO 27017:2015
D9.AZU.AS.17	Ensure that Azure Confidential Ledger has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.16	Ensure that Video Indexer has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.83	Ensure that Azure Confidential Ledger certificate exists and is attached	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.DR.07	Ensure Azure Event Hub Namespace is zone redundant	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.72	Ensure Azure cognitive services (AI Service) should use managed identity	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.118	Ensure that 'Public network access' is set to 'Disabled' for Event Hubs Namespace	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.115	Ensure Azure Route Table does not utilise default route	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.116	Ensure that Azure Cognitive Service (AI Service), does not allow public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.67	Ensure that the status of Azure Confidential Ledger is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.68	Ensure that Azure Confidential Ledger has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.66	Ensure that Video Indexer Experiment's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.71	Ensure that Route Table should have tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.72	Ensure that Event Hubs Namespace should have tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.K8S.IA.UN.3	Container Image - Malware	High	Modification	Name Logic Severity	Container Image - Malware of Critical Severity Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should not have severity='Critical' Critical	Container Image - Malware Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should fail High	Workload Vulnerability Default 2.0
D9.K8S.IA.UN.4	Container Image – Insecure Content	Low	Modification	Name Logic Severity	Container Image - Malware of High Severity Malware where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should not have severity='High' High	Container Image – Insecure Content InsecureContent where scannedAsset.entityType in('KubernetesImage', 'ContainerRegistryImage', 'ShiftLeftImage', 'EcsImage') should fail Low	Workload Vulnerability Default 2.0
D9.K8S.IA.UN.5	Container Image - Insecure Content of Critical Severity	Critical	Removal				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.6	Container Image - Insecure Content of High Severity	High	Removal				Workload Vulnerability Default 2.0

January 24 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.NET.62	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	High	Modification	Name	Ensure that public network access to Cosmos DB accounts is disabled	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure NY - Cybersecurity Requirements for Financial Services Companies Azure Risk Management in Technology (RMiT) Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure HITRUST v9.5.0
D9.AZU.AS.14	Ensure that Azure Cassandra Cluster has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.15	Ensure that Azure DDoS Protection Plan has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.LOG.21	Ensure that Logs are enabled for Azure Cassandra Cluster	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.61	Ensure that the status of Azure Cassandra Cluster is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.62	Ensure that Azure Cassandra Cluster is authenticated properly	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.63	Ensure that Azure DDoS Protection Plan has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.64	Ensure that the status of Azure DDoS Protection Plan is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.GCP.NET.62	Ensure GCP Private Service Connect Network Attachment only accept allowed connections	High	New				CloudGuard GCP All Rules Ruleset
D9.GCP.NET.74	Ensure that Google Cloud VPN tunnels use IKE version 2 protocol	Low	New				CloudGuard GCP All Rules Ruleset
D9.GCP.OPE.16	Ensure Google Folder is not unused in last 180 days	Low	New				CloudGuard GCP All Rules Ruleset
D9.K8S.IA.UN.1	Container Image - Package of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.2	Container Image - Package of High Severity	High	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.3	Container Image - Malware of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.4	Container Image - Malware of High Severity	High	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.5	Container Image - Insecure Content of Critical Severity	Critical	New				Workload Vulnerability Default 2.0
D9.K8S.IA.UN.6	Container Image - Insecure Content of High Severity	High	New				Workload Vulnerability Default 2.0

January 17 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.OCI.IAM.05	Ensure user API keys rotate within 90 days	High	Modification	Name	Ensure user API keys rotate within 90 days or less	Ensure user API keys rotate within 90 days	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.IAM.06	Ensure user customer secret keys rotate every 90 days or less	Low	Modification	Name	Ensure user customer secret keys rotate within 90 days or less	Ensure user customer secret keys rotate every 90 days or less	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.LOG.13	Ensure a notification is configured for network security group changes	Low	Modification	Name	Ensure a notification is configured for network security group changes	Ensure a notification is configured for network security group changes	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.OCI.LOG.14	Ensure a notification is configured for changes to network gateways	Low	Modification	Name	Ensure a notification is configured for changes to network gateways	Ensure a notification is configured for changes to network gateways	OCI Foundations Benchmark v1.2.0 CloudGuard OCI All Rules Ruleset OCI CIS Foundations v2.0.0
D9.AWS.AS.11	Identify and remove any unused AWS DynamoDB tables to optimize AWS costs	High	Modification	Logic	DynamoDBTable should not have itemCount=0	DynamoDbTable should not have itemCount=0	CloudGuard AWS All Rules Ruleset
D9.AWS.OPE.88	Ensure that Nimble Studio status is healthy	High	Modification	Logic	NimbleStudio should not have status code in ('DELETE_FAILED','CREATE_FAILED','UPDATE_FAILED')	NimbleStudio should not have statusCode in ('DELETE_FAILED','CREATE_FAILED','UPDATE_FAILED')	CloudGuard AWS All Rules Ruleset
D9.AZU.AS.09	Ensure that Data Migration has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.10	Ensure that Data Migration Classic has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.08	Ensure that Virtual WAN has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.11	Ensure that Static Web App Site has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.13	Ensure that a DNS Zone has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.81	Ensure that Virtual WAN should have VPN encryption	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.82	Ensure that HPC Cache rotates to latest key version	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.71	Ensure that Static Web App Site template properties are private	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.113	Ensure that Static Web App Site is limited to use selected networks based on trust instead of all networks	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.46	Ensure that Data Migration's status is not failed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.47	Ensure that Data Migration Classic's status is not failed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.44	Ensure that Virtual WAN Experiment's status is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.45	Ensure that Static Web App Site config file cannot be updated	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.48	Ensure that Static Web App Site private endpoint connections have no errors	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.49	Ensure that Static Web App Site Enterprise Grade CDN Status is Enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.52	Ensure that HPC Cache's state is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.53	Ensure that HPC Cache's provisioning state is healthy	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.54	Ensure that HPC Cache has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.55	Ensure LoadTest has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.57	Ensure Load Test is in healthy state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.58	Ensure that Azure Email Communication has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.59	Ensure that Azure Email Communication Domain has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.60	Ensure that Azure Virtual Machine Image Template has tags	Low	New				CloudGuard Azure All Rules Ruleset

January 10 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.03	Ensure that S3 Buckets are encrypted with CMK	Medium	Modification	Severity	High	Medium	CloudGuard AWS Dashboards AWS LGPD regulation AWS CloudGuard S3 Bucket Security AWS NIST 800-53 Rev 5 AWS CIS Foundations v. 1.5.0 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS GDPR Readiness AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS CSA CCM v.3.0.1 AWS ISO 27001:2013 AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS Dashboard System Ruleset AWS CCPA Framework AWS MAS TRM Framework AWS NIST 800-171 AWS CIS Foundations v. 1.3.0 AWS HITRUST AWS ITSG-33 AWS CIS Foundations v. 1.4.0 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.50	Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs	High	Modification	Logic	SecretManager should not have kmsKeyId isEmpty()	SecretManager should have encryptionKey.isCustomerManaged=true	AWS NIST 800-53 Rev 5 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS CIS Controls V 8 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS Cyber Risk Institute Profile AWS NIST Cybersecurity Framework v1.1 AWS CloudGuard Best Practices AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AZU.NET.62	Ensure that public network access to Cosmos DB accounts is disabled	High	Modification	Name	Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks	Ensure that public network access to Cosmos DB accounts is disabled	Azure CIS Foundations v. 1.5.0 Azure NIST 800-53 Rev 5 Azure CIS Foundations v.2.0 CloudGuard Azure All Rules Ruleset Azure CSA CCM v.4.0.1 CloudGuard Azure Default Ruleset Azure Cybersecurity Capability Maturity Model (CMMC 2.0) Azure Cyber Risk Institute Profile Azure NIST Special Publication 800-171 Azure NY - Cybersecurity Requirements for Financial Services Companies Azure NIST Cybersecurity Framework v1.1 Azure CloudGuard SOC 2 based on AICPA TSC 2017 Azure CloudGuard Best Practices Microsoft Cloud Security Benchmark [earlier, the Azure Security Benchmark v3, now MCSB v1] Azure HITRUST v9.5.0
D9.AWS.DR.23	Ensure Termination Protection feature is enabled for CloudFormation Stack	High	New				CloudGuard AWS All Rules Ruleset
D9.AZU.AS.12	Ensure that Storage Mover has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.07	Ensure that Azure Elastic Monitor has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.AS.06	Ensure that Elastic SAN has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.76	Ensure that the encryption key for the batch account comes from Microsoft KeyVault	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.80	Ensure that Elastic SAN volume is encrypted with Customer Managed Key (CMK)	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.IAM.70	Ensure that the authentication mode for the batch account is set to 'AAD' and no other modes are allowed	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.111	Ensure that public network access is disabled for batch account	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.112	Ensure that public IP addresses are not assigned to batch pools	Medium	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.34	Ensure that Azure Batch Account is in a healthy state	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.35	Ensure that Azure Batch Account has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.50	Ensure that the status of Azure Storage Mover is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.51	Ensure that the status of Azure Storage Mover's Endpoint is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.42	Ensure that the status of Azure Elastic Monitor is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.43	Ensure that the monitoring status of Azure Elastic Monitor is not disabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.39	Ensure that Elastic SAN is in operational state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.40	Ensure that Elastic SAN volumes do not have failed network ACL rules	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.41	Ensure that Elastic SAN volumes are operational	High	New				CloudGuard Azure All Rules Ruleset

January 03 2024

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Rule Name	Severity	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.CRY.12	ALB secured listener certificate expires in one week	High	Modification	Logic	ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	ApplicationLoadBalancer where region unlike 'cn%' should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]	AWS NIST 800-53 Rev 5 AWS MITRE ATT&CK Framework v11.3 AWS PCI-DSS 4.0 AWS HITRUST v11.0.0 AWS NIST 800-53 Rev 4 AWS CSA CCM v.4.0.1 CloudGuard AWS All Rules Ruleset AWS ISO27001:2022 AWS APRA 234 AWS ENS 2022 AWS MLPS 2.0 AWS PCI-DSS 3.2 AWS CSA CCM v.3.0.1 AWS ISO 27001:2013 AWS CloudGuard SOC2 based on AICPA TSC 2017 AWS CloudGuard Well Architected Framework AWS CloudGuard Best Practices AWS MAS TRM Framework AWS NIST 800-171 AWS HITRUST AWS ITSG-33 AWS MITRE ATT&CK Framework v10
D9.AWS.CRY.93	Ensure that ECR Registry-level configuration is enabled for image scanning	High	Modification	Logic	EcrRegistryScanningConfig should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	EcrRegistryScanningConfig where scanningConfiguration.rules should have scanningConfiguration.rules contain-all [ scanFrequency.value like 'CONTINUOUS_SCAN'] and scanningConfiguration.scanType.value='ENHANCED'	CloudGuard AWS All Rules Ruleset AWS APRA 234
D9.AZU.AS.05	Ensure that Virtual Machine Image has an associated tag	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.77	Ensure that Azure Cognitive Search, or Azure AI Search Service, is enforcing encryption with Customer Managed Key (CMK)	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.78	Ensure that Virtual Machine Image is using hyper-V Generation V2	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.CRY.79	Ensure that Virtual Machine Image OS Disk is encrypted with Customer Managed Key (CMK)	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.DR.06	Ensure that Virtual Machine Image is zone resilient	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.NET.110	Ensure that Cognitive Search, or AI Search Service, does not allow public network access	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.30	Ensure that Azure Cognitive Search, or Azure AI Search Service, has tags	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.31	Ensure that Azure Cognitive Search, or Azure AI Search Service, has locks	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.32	Ensure that the status of Azure Cognitive Search, or Azure AI Search Service, is not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.33	Ensure statuses for Azure Cognitive Search, or Azure AI Search, Service's privateEndpointConnections and sharedPrivateLinks are not failed	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.36	Ensure that Virtual Machine Image is in succeeded state	High	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.37	Ensure that Virtual Machine Image OS Disk caching is enabled	Low	New				CloudGuard Azure All Rules Ruleset
D9.AZU.OPE.38	Ensure that Virtual Machine Image Data Disk caching is enabled	Low	New				CloudGuard Azure All Rules Ruleset

CloudGuard Dome9 Release Notes

CloudGuard Compliance Updates

April 17 2024

April 10 2024

April 04 2024

April 03 2024

March 27 2024

March 20 2024

March 13 2024

March 06 2024

February 28 2024

February 21 2024

February 14 2024

February 07 2024

January 31 2024

January 24 2024

January 17 2024

January 10 2024

January 03 2024