CloudGuard Dome9 Compliance Content Updates - July 2018 - July 2019
- 1 July 21 2019 - Compliance Updates
- 2 June 04 2019 - Compliance Updates
- 2.1 New Rules
- 2.2 Rules Changes
- 3 May 23 2019 - Compliance Updates
- 3.1 New Rules
- 3.2 Rules Changes
- 3.3 Rules Removed
- 4 May 01 2019 - Compliance Updates
- 4.1 New Rules
- 4.2 Compliance Tags Removed
- 5 March 07 2019 - Compliance Updates
- 6 March 07 rule changes - click here
- 7 January 3 2019 - Compliance Updates
- 8 December 3 - Compliance Updates
- 8.1 New Rules
- 8.2 Rules Removed
- 8.3 Changes to existing Rules
- 9 November 25 - Compliance Updates
- 9.1 New Bundles
- 9.2 New Rules
- 9.3 Changes to existing Rules
- 10 September 27 - Compliance Updates
- 10.1 New Bundles
- 10.2 New Rules
- 10.3 Deleted Rules
- 10.4 Changes to existing Rules
- 11 September 03 - Compliance Updates
- 11.1 New Rules
- 11.2 Deleted Rules
- 11.3 Changes to existing Rules
- 12 August 06 - Compliance Updates
- 12.1 New Bundles
- 12.2 New Rules
- 12.3 Changes to existing Rules
- 13 July 01 - Compliance Updates
- 13.1 New Rules
- 13.2 Changes to existing Rules
July 21 2019 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AWS.IAM.48 | ECS Cluster should not have empty roles for service task definitions | Medium | AWS Dome9 Best Practices |
D9.AWS.OPE.04 | Ensure there is at least one task in the deployment in RUNNING status | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.38 | Ensure that at least one Load Balancer is attached to the service | High | AWS Dome9 Best Practices |
D9.AWS.NET.37 | Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols | High | AWS Dome9 Best Practices |
D9.AWS.IAM.49 | ECS Service with Admin Roles | High | AWS Dome9 Best Practices |
D9.AWS.IAM.47 | Ensure there are no inline policies attached to the ECS service | High | AWS Dome9 Best Practices |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.NET.09 | Ensure that 'Public access level' is set to Private for blob containers | High | Azure HIPAA Azure ISO 27001:2013 Azure Dome9 SOC2 based on AICPA TSC 2017 Azure PCI-DSS 3.2 Azure NIST CSF v1.1 Azure NIST 800-53 Rev 4 Azure Dome9 Network Alerts Azure Dome9 Best Practices |
June 19 2019 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.AKS.01 | Ensure that admin user is disabled in properties in the Azure ContainerRegistry | High | Azure Dome9 Best Practices |
D9.AZU.AS.02 | Ensure that Cosmos DB Account has an associated tag | Medium | Azure Dome9 Best Practices |
D9.AZU.DR.04 | Ensure that Geo Redundant Backups is enabled on PostgreSQL | Medium | Azure Dome9 Best Practices |
D9.AZU.NET.23 | Ensure to filter source IPs for Cosmos DB Account | High | Azure Dome9 Best Practices |
D9.AWS.CRY.35 | Ensure SageMaker Notebook Instance Data Encryption is enabled | High | AWS Dome9 Best Practices |
D9.AWS.CRY.36 | Ensure that SageMaker Notebook Instance Data Encryption with KMS CMKs is enabled | High | AWS Dome9 Best Practices |
D9.AWS.NET.48 | Ensure that SageMaker is placed in VPC | High | AWS Dome9 Best Practices |
D9.AWS.NET.49 | Ensure that SageMaker Notebook does not have direct internet access | Medium | AWS Dome9 Best Practices |
Rules Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
D9.AWS.LOG.08 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible | High | description | AWS Dome9 Serverless Architectures Security |
D9.AWS.IAM.08 | Ensure IAM password policy requires at least one uppercase letter | Medium | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.IAM.09 | Ensure IAM password policy require at least one lowercase letter | Medium | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.IAM.10 | Ensure IAM password policy require at least one symbol | Medium | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.IAM.12 | Ensure IAM password policy requires minimum length of 14 or greater | Medium | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.IAM.14 | Ensure IAM password policy prevents password reuse | Low | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.IAM.15 | Ensure IAM password policy expires passwords within 90 days or less | Low | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.MON.05 | Ensure a log metric filter and alarm exist for CloudTrail configuration changes | Low | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.NET.04 | Ensure the default security group restricts all traffic | High | description | AWS CIS Foundations v. 1.1.0 |
D9.AWS.NET.43 | Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates | High | name | AWS Dome9 Best Practices |
D9.AWS.NET.45 | Ensure AWS EC2 instances with public IP addresses block unrestricted traffic (0.0.0.0/0) to their subnets | High | name | AWS Dome9 Best Practices |
Remediation Steps updated for the following rules
CheckID | Name |
D9.AWS.IAM.01 | Avoid the use of the 'root' account |
D9.AWS.IAM.02 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
D9.AWS.IAM.03 | Credentials (with first activated accessKey) unused for 90 days or more should be disabled |
D9.AWS.IAM.04 | Credentials (with password enabled) unused for 90 days or more should be disabled |
D9.AWS.IAM.05 | Credentials (with second activated accessKey) unused for 90 days or more should be disabled |
D9.AWS.IAM.06 | Ensure first access key is rotated every 90 days or less |
D9.AWS.IAM.07 | Ensure second access key is rotated every 90 days or less |
D9.AWS.IAM.11 | Password Policy must require at least one number |
D9.AWS.IAM.16 | Ensure no root account access key exists |
D9.AWS.IAM.17 | Ensure VIRTUAL MFA is enabled for the "root" account |
D9.AWS.IAM.18 | Ensure HARDWARE MFA is enabled for the 'root' account |
D9.AWS.IAM.20 | Ensure IAM policies are attached only to groups or roles |
D9.AWS.IAM.25 | Ensure a support role has been created to manage incidents with AWS Support |
D9.AWS.IAM.27 | Ensure IAM policies that allow full "*:*" administrative privileges are not created |
D9.AWS.LOG.01 | Ensure multi-regions trail exists for each AWS CloudTrail |
D9.AWS.LOG.03 | Ensure CloudTrail trails are integrated with CloudWatch |
D9.AWS.LOG.04 | Ensure AWS Config is enabled in all regions |
D9.AWS.LOG.05 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
D9.AWS.LOG.06 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
D9.AWS.LOG.07 | Ensure CloudTrail is enabled in all regions |
D9.AWS.LOG.09 | Ensure rotation for customer created CMKs is enabled |
D9.AWS.MON.01 | Ensure a log metric filter and alarm exist for unauthorized API calls |
D9.AWS.MON.02 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
D9.AWS.MON.03 | Ensure a log metric filter and alarm exist for usage of 'root' account |
D9.AWS.MON.04 | Ensure a log metric filter and alarm exist for IAM policy changes |
D9.AWS.MON.06 | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
D9.AWS.MON.07 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
D9.AWS.MON.08 | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
D9.AWS.MON.09 | Ensure a log metric filter and alarm exist for AWS Config configuration changes |
D9.AWS.MON.10 | Ensure a log metric filter and alarm exist for security group changes |
D9.AWS.MON.11 | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
D9.AWS.MON.12 | Ensure a log metric filter and alarm exist for changes to network gateways |
D9.AWS.MON.13 | Ensure a log metric filter and alarm exist for route table changes |
D9.AWS.MON.14 | Ensure a log metric filter and alarm exist for VPC changes |
D9.AWS.NET.01 | Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22) |
D9.AWS.NET.02 | Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP:3389) |
D9.AWS.NET.03 | Ensure VPC flow logging is enabled in all VPCs |
D9.AWS.PRE.01 | Credentials report was generated in the last 24 hours |
D9.AWS.PRE.02 | Enforce Password Policy |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.CRY.03 | Ensure that the expiry date is set on all SQL Database keys | Medium | Azure CSA CCM v.3.0.1 |
D9.AWS.IAM.49 | ECS Service with Admin Roles | High | AWS Dome9 SOC2 based on AICPA TSC 2017 |
D9.AWS.IAM.50 | Ensure AWS ElastiCache Redis clusters have Redis AUTH feature enabled | Medium | AWS Dome9 Best Practices |
June 04 2019 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.GCP.GKE.18 | Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled | Medium | GCP Dome9 Best Practices |
D9.GCP.IAM.10 | Ensure IAM users have minimum necessary permissions | Medium | GCP Dome9 Best Practices |
D9.AZU.NET.22 | Ensure that outbound traffic is restricted to only that which is necessary, and all other traffic denied | High | Azure Dome9 Best Practices |
D9.AWS.OPE.01 | Invalid CPU or Memory Value Specified | Low | AWS Dome9 Best Practices |
D9.AWS.OPE.02 | Container metadata | Low | AWS Dome9 Best Practices |
D9.AWS.OPE.03 | Enable container's health checks | Low | AWS Dome9 Best Practices |
D9.AWS.NET.41 | Ensure AWS CloudFront distribution with access logging is enabled | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.42 | Ensure AWS CloudFront web distribution with geo restriction is enabled | Low | AWS Dome9 Best Practices |
D9.AWS.NET.43 | Ensure that AWS Elastic Load Balancers (ELB) have no inbound rules in their security groups | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.30 | Ensure that AWS DynamoDB is encrypted using customer managed CMKs (Customer Master Keys) instead of AWS-owned CMKs | High | AWS Dome9 Best Practices |
D9.AWS.CRY.31 | Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled | High | AWS Dome9 Best Practices |
D9.AWS.IAM.50 | Ensure AWS ElastiCache Redis clusters have Redis AUTH feature enabled | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.32 | Ensure AWS ElastiCache Redis clusters have in-transit encryption enabled | High | AWS Dome9 Best Practices |
D9.AWS.NET.44 | Ensure that AWS Elastic Load Balancers (ELB) have no outbound rules in their security groups | Medium | AWS Dome9 Best Practices |
D9.AWS.IAM.51 | Ensure AWS IAM users have no more than one active Access Key | Medium | AWS Dome9 Best Practices |
D9.AWS.IAM.52 | Ensure AWS IAM policies allow only the required privileges for each role | Low | AWS Dome9 Best Practices |
D9.AWS.IAM.53 | Ensure AWS IAM policies do not grant 'assume role' permission across all services | High | AWS Dome9 Best Practices |
D9.AWS.IAM.54 | Ensure AWS EC2 Instances use IAM Roles to control access | Medium | AWS Dome9 Best Practices |
D9.AWS.OPE.05 | Ensure AWS EBS Volumes are attached to instances | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.45 | Ensure AWS Redshift clusters are not publicly accessible | Medium | AWS Dome9 Best Practices |
D9.AWS.OPE.06 | Ensure only usable Customer Managed Keys are in the AWS KMS | Medium | AWS Dome9 Best Practices |
D9.AWS.OPE.07 | Ensure AWS Lambda functions have tracing enabled | Medium | AWS Dome9 Best Practices |
D9.AWS.LOG.15 | Enable ALB Elastic Load Balancer v2 (ELBv2) access log | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.33 | Ensures that AWS RDS databases are encrypted using Customer Managed Keys | Medium | AWS Dome9 Best Practices |
D9.AWS.DR.01 | Ensure AWS RDS instances have Automatic Backup set up | Low | AWS Dome9 Best Practices |
D9.AWS.DR.02 | Ensure AWS RDS instances have Multi-Availability Zone enabled | Medium | AWS Dome9 Best Practices |
D9.AWS.OPE.08 | Ensure AWS RDS automatic minor upgrades are enabled | Medium | AWS Dome9 Best Practices |
D9.AWS.DR.03 | Ensure AWS RDS retention policy is at least 7 days | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.34 | Ensure AWS Redshift instances are encrypted | High | AWS Dome9 Best Practices |
D9.AWS.NET.46 | Ensure AWS NAT Gateways are not being utilized for the default route | Medium | AWS Dome9 Best Practices |
D9.AWS.LOG.16 | Ensure that your AWS CloudTrail logging bucket has MFA enabled | High | AWS Dome9 Best Practices |
D9.AWS.OPE.09 | Ensure the number of private gateways is within the AWS limit for each region | Low | AWS Dome9 Best Practices |
D9.AWS.OPE.10 | Identifies unused AWS VPCs | Low | AWS Dome9 Best Practices |
D9.AWS.NET.47 | Ensure AWS VPC subnets have automatic public IP assignment disabled | High | AWS Dome9 Best Practices |
Rules Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
D9.AWS.CRY.17 | Use encrypted connection between CloudFront and origin server | High | description | AWS Dome9 Best Practices - Sample |
D9.GCP.GKE.15 | Ensure GKE Cluster HTTP load balancing is enabled | Medium | complianceTag | GCP Dome9 Best Practices |
D9.GCP.GKE.16 | Ensure the GKE Cluster alpha cluster feature is disabled | Medium | complianceTag | GCP Dome9 Best Practices |
D9.GCP.GKE.17 | Ensure GKE Clusters use specific purpose-designed networks instead of the default network | Medium | name | GCP Dome9 Best Practices |
May 23 2019 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AWS.CRY.26 | Ensure expired certificates are removed from the AWS Certificate Manager (ACM) | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.27 | Ensure ACM only has certificates with single domain names, and none with wildcard domain names | Low | AWS Dome9 Best Practices |
D9.AWS.CRY.28 | Ensure the AWS Certificate Manager (ACM) has no unused certificates | Medium | AWS Dome9 Best Practices |
D9.AWS.CRY.29 | Ensure invalid or failed certificates are removed from ACM | Low | AWS Dome9 Best Practices |
D9.AWS.NET.40 | Ensure AWS Application Load Balancer (ALB) listeners block connection requests over HTTP | Medium | AWS Dome9 Best Practices |
D9.AZU.DR.03 | Ensure that Azure Virtual Machine is assigned to an availability set | Medium | Azure Dome9 Best Practices |
D9.AZU.NET.18 | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | Medium | Azure Dome9 Best Practices |
D9.AZU.NET.19 | Ensure that Azure Virtual Network subnet is configured with a Network Security Group | Medium | Azure Dome9 Best Practices |
D9.AZU.NET.20 | Ensure that Azure Resource Group has resource lock enabled | Low | Azure Dome9 Best Practices |
D9.AZU.NET.21 | Ensure that Azure Virtual network peering is connected | Low | Azure Dome9 Best Practices |
D9.GCP.AS.01 | Ensure GCP VM Instances have Labels | Low | GCP Dome9 Best Practices |
D9.GCP.AS.02 | Ensure GCP VM Instances have Custom metadata information | Low | GCP Dome9 Best Practices |
D9.GCP.GKE.15 | Ensure GKE Cluster HTTP load balancing is enabled | Medium | GCP Dome9 Best Practices |
D9.GCP.GKE.16 | Ensure the GKE Cluster alpha cluster feature is disabled | Medium | GCP Dome9 Best Practices |
D9.GCP.GKE.17 | Ensure GKE Clusters use specific purpose-designed networks instead of the default network | Medium | GCP Dome9 Best Practices |
D9.GCP.NET.15 | Ensure VPC Flow logs is enabled for every subnet in VPC Network | Medium | GCP CIS Foundations v. 1.0.0 |
D9.AWS.NET.AG10.ApplicationLoadBalancer.110.TCP | ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.ApplicationLoadBalancer.25.TCP | ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.ELB.110.TCP | ELB with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.ELB.25.TCP | ELB with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.Instance.110.TCP | Instance with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.Instance.25.TCP | Instance with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.NetworkLoadBalancer.110.TCP | NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG10.NetworkLoadBalancer.25.TCP | NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG6.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to the entire internet | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG7.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide public network | High | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.ApplicationLoadBalancer.110.TCP | Public ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.ApplicationLoadBalancer.25.TCP | Public ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.ELB.110.TCP | Public ELB with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.ELB.25.TCP | Public ELB with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.Instance.110.TCP | Public Instance with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.Instance.25.TCP | Public Instance with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.NetworkLoadBalancer.110.TCP | Public NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG8.NetworkLoadBalancer.25.TCP | Public NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.ApplicationLoadBalancer.110.TCP | ApplicationLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.ApplicationLoadBalancer.25.TCP | ApplicationLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.ELB.110.TCP | ELB with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.ELB.25.TCP | ELB with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.Instance.110.TCP | Instance with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.Instance.25.TCP | Instance with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.NetworkLoadBalancer.110.TCP | NetworkLoadBalancer with service 'POP3' (TCP:110) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.AG9.NetworkLoadBalancer.25.TCP | NetworkLoadBalancer with service 'SMTP' (TCP:25) is exposed to a wide network scope | Medium | AWS Dome9 Network Alerts |
D9.AZU.NET.AG10.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a small network scope | Low | Azure Dome9 Network Alerts |
D9.AZU.NET.AG10.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a small network scope | Low | Azure Dome9 Network Alerts |
D9.AZU.NET.AG6.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to the entire internet | High | Azure Dome9 Network Alerts |
D9.AZU.NET.AG6.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to the entire internet | High | Azure Dome9 Network Alerts |
D9.AZU.NET.AG7.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a wide public network | High | Azure Dome9 Network Alerts |
D9.AZU.NET.AG7.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a wide public network | High | Azure Dome9 Network Alerts |
D9.AZU.NET.AG8.VirtualMachine.110.TCP | VirtualMachine with service 'POP3' (TCP:110) is exposed to a small public network | Medium | Azure Dome9 Network Alerts |
D9.AZU.NET.AG8.VirtualMachine.25.TCP | VirtualMachine with service 'SMTP' (TCP:25) is exposed to a small public network | Medium | Azure Dome9 Network Alerts |
D9.AZU.NET.AG9.VirtualMachine.110.TCP | VirtualMachine with service POP3 (TCP:110) is exposed to a wide network scope | Medium | Azure Dome9 Network Alerts |
D9.AZU.NET.AG9.VirtualMachine.25.TCP | VirtualMachine with service SMTP (TCP:25) is exposed to a wide network scope | Medium | Azure Dome9 Network Alerts |
D9.GCP.NET.AG10.VMInstance.110.TCP | VMInstance with service POP3(TCP:110) is exposed to a small network scope | Low | GCP Dome9 Network Alerts |
D9.GCP.NET.AG10.VMInstance.25.TCP | VMInstance with service SMTP(TCP:25) is exposed to a small network scope | Low | GCP Dome9 Network Alerts |
D9.GCP.NET.AG6.VMInstance.110.TCP | Public VMInstance with service POP3(TCP:110) is exposed to the entire internet | High | GCP Dome9 Network Alerts |
D9.GCP.NET.AG6.VMInstance.25.TCP | Public VMInstance with service SMTP(TCP:25) is exposed to the entire internet | High | GCP Dome9 Network Alerts |
D9.GCP.NET.AG7.VMInstance.110.TCP | Public VMInstance with service POP3(TCP:110) is exposed to a wide public network | High | GCP Dome9 Network Alerts |
D9.GCP.NET.AG7.VMInstance.25.TCP | Public VMInstance with service SMTP(TCP:25) is exposed to a wide public network | High | GCP Dome9 Network Alerts |
D9.GCP.NET.AG8.VMInstance.110.TCP | Public VMInstance with service POP3(TCP:110) is exposed to a small public network | Medium | GCP Dome9 Network Alerts |
D9.GCP.NET.AG8.VMInstance.25.TCP | Public VMInstance with service SMTP(TCP:25) is exposed to a small public network | Medium | GCP Dome9 Network Alerts |
D9.GCP.NET.AG9.VMInstance.110.TCP | VMInstance with service POP3(TCP:110) is exposed to a wide network scope | Medium | GCP Dome9 Network Alerts |
D9.GCP.NET.AG9.VMInstance.25.TCP | VMInstance with service SMTP(TCP:25) is exposed to a wide network scope | Medium | GCP Dome9 Network Alerts |
Rules Changes
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
D9.AZU.CRY.12 | Ensure that the expiry date is set on all keys | High | logic | Azure HIPAA |
D9.AZU.CRY.13 | Ensure that the expiry date is set on all secrets | High | logic | Azure HIPAA |
D9.AWS.IAM.45 | Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role | Medium | logic | AWS Dome9 Serverless Architectures Security |
D9.GCP.CRY.01 | Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) | High | logic | GCP Dome9 Best Practices - Sample |
D9.GCP.NET.14 | Ensure Private Google Access is enabled for all subnetworks in VPC Network | High | name | GCP CIS Foundations v. 1.0.0 |
D9.GCP.CRY.02 | Ensure "Block Project-wide SSH keys" enabled for non-windows VM instances | High | name | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.04 | Ensure Kubernetes web UI / Dashboard is disabled | High | description | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.07 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | High | logic | GCP CIS Foundations v. 1.0.0 |
68 rules starting with D9.AWS.NET.AG1.XXX.XXX | Added "potentially" in all the descriptions to adjust the test name | High | name | AWS NIST 800-53 Rev 4 |
Rules Removed
Rule ID | Rule Name | Severity | Description | Affected Bundles |
D9.GCP.IAM.03 | Ensure that multi-factor authentication is enabled for all non-service accounts | High | Setup multi-factor authentication for Google Cloud Platform accounts. Multi-factor authentication requires more than one mechanism to authenticate a user. This secures your logins from attackers exploiting stolen or weak credentials. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.07 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | High | Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. | GCP CIS Foundations v. 1.0.0 |
May 01 2019 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Description | Affected Bundles |
D9.GCP.IAM.03 | Ensure that multi-factor authentication is enabled for all non-service accounts | High | Setup multi-factor authentication for Google Cloud Platform accounts. Multi-factor authentication requires more than one mechanism to authenticate a user. This secures your logins from attackers exploiting stolen or weak credentials. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.04 | Ensure that there are only GCP-managed service account keys for each service account | High | User managed service account should not have user managed keys. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.05 | Ensure that ServiceAccount has no Admin privileges | High | A service account is a special Google account that belongs to your application or a VM, instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved. It's recommended not to use admin access for ServiceAccount. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.06 | Ensure that IAM users are not assigned Service Account User role at project level | High | It is recommended to assign Service Account User (iam.serviceAccountUser) role to a user for a specific service account rather than assigning the role to a user at project level. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.07 | Ensure user-managed/external keys for service accounts are rotated every 90 days or less | High | Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests that you make to Google cloud services accessible to that particular Service account. It is recommended that all Service Account keys are regularly rotated. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.08 | Ensure that Separation of duties is enforced while assigning service account related roles to users | High | It is recommended that the principle of 'Separation of Duties' is enforced while assigning service account related roles to users. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.IAM.09 | Ensure that Separation of duties is enforced while assigning KMS related roles to users | High | It is recommended that the principle of Separation of Duties is enforced while assigning KMS related roles to users. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.01 | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | High | In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.02 | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters | High | Authorized networks are a way of specifying a restricted range of IP addresses that are permitted to access your container cluster's Kubernetes master endpoint. Kubernetes Engine uses both Transport Layer Security (TLS) and authentication to provide secure access to your container cluster's Kubernetes master endpoint from the public internet. This provides you the flexibility to administer your cluster from anywhere; however, you might want to further restrict access to a set of IP addresses that you control. You can set this restriction by specifying an authorized network. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.03 | Ensure Kubernetes Clusters are configured with Labels | High | A cluster label is a key-value pair that helps you organize your Google Cloud Platform resources, such as clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by the label. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.04 | Ensure Kubernetes web UI / Dashboard is disabled | High | Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself along with its attendant resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.05 | Ensure `Automatic node repair` is enabled for Kubernetes Clusters | High | Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.06 | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes | High | Node auto-upgrades help you keep the nodes in your cluster or node pool up to date with the latest stable version of Kubernetes. Auto-Upgrades use the same update mechanism as manual node upgrades. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.07 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | High | Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.08 | Ensure Basic Authentication is disabled on Kubernetes Engine Clusters | High | Basic authentication allows a user to authenticate to the cluster with a username and password, which are stored in plain text without any encryption. Disabling Basic authentication prevents attacks such as brute force. It is recommended to use either client certificates or IAM for authentication. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.09 | Ensure Network policy is enabled on Kubernetes Engine Clusters | High | A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.10 | Ensure Kubernetes Cluster is created with Client Certificate enabled | High | A client certificate is a base64-encoded public certificate used by clients to authenticate to the cluster endpoint. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.11 | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | High | Google Cloud Platform Alias IP Ranges lets you assign ranges of internal IP addresses as aliases to a virtual machine's network interfaces. This is useful if you have multiple services running on a VM and you want to assign each service a different IP address. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.12 | Ensure Kubernetes Cluster is created with Private cluster enabled | High | A private cluster is a cluster that makes your master inaccessible from the public internet. In a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes have addresses only in the private RFC 1918 address space. Nodes and masters communicate with each other privately using VPC peering. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.13 | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets | High | Private Google Access enables your cluster hosts, which have only private IP addresses, to communicate with Google APIs and services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google Access to allow VMs without Internet access to reach Google APIs, services, and properties that are accessible over HTTP/HTTPS. | GCP CIS Foundations v. 1.0.0 |
D9.GCP.GKE.14 | Ensure default Service account is not used for Project access in Kubernetes Clusters | High | A service account is an identity that an instance or an application can use to run API requests on your behalf. This identity is used to identify applications running on your virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes are given the Compute Engine default service account. This account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. | GCP CIS Foundations v. 1.0.0 |
Compliance Tags Removed
Rule ID | Rule Name | Severity | Description | Affected Bundles |
D9.AWS.IAM.12.PCI | Password Policy must require minimal length of 7 | Medium | Verify that a password policy is enabled for the account. PCI-DSS Sections 8.2 and 8.3: verify that the PCI-DSS password policy requirements are configured and enforced. | AWS ISO 27001:2013 |
D9.AWS.IAM.14.PCI | Password policy must prevent reuse of previously used passwords | Low | IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts. | AWS ISO 27001:2013 |
March 07 2019 - Compliance Updates
New Compliance Frameworks (Bundles)
Bundle ID | Bundle Name |
D9_AZU_HIPAA | Azure HIPAA |
D9_AZU_SOC2 | Azure Dome9 SOC2 based on AICPA TSC 2017 |
D9_GCP_SOC2 | GCP Dome9 SOC2 based on AICPA TSC 2017 |
D9_AWS_SOC2 | AWS Dome9 SOC2 based on AICPA TSC 2017 |
New Rules
Rule ID | Rule Name | Severity | Description | Affected Bundles |
D9.AWS.CRY.25.PCI | Ensure ElastiCache for Memcached is not in use in AWS PCI DSS environments | High | Amazon ElastiCache for Memcached is not included in the AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. | AWS PCI-DSS 3.2 |
D9.AWS.CRY.26.PCI | Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements | High | Amazon ElastiCache for Memcached is not included in the AWS PCI DSS Compliance program and therefore is not compliant with PCI requirements. | AWS PCI-DSS 3.2 |
March 07 rule changes - click here
January 3 2019 - Compliance Updates
Rules Removed
Rule ID | Rule Name | Severity | Description | Affected Bundles |
D9.AWS.CRY.18 | DynamoDB data at rest has server side encryption (SSE) | High | Verify that AWS DynamoDB storage at rest is encrypted using Server-Side Encryption (SSE). | AWS Dome9 Serverless Architectures Security |
Changes to existing Rules
Rule ID | Rule Name | Severity | Updated Fields | Affected Bundles |
D9.GCP.NET.AG4.VMInstance.22.TCP | VMInstance with administrative service: SSH (TCP:22) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4 |
D9.GCP.NET.AG4.VMInstance.3389.TCP | VMInstance with administrative service: Remote Desktop (TCP:3389) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4 |
D9.GCP.NET.AG4.VMInstance.9090.TCP | VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | description | GCP NIST 800-53 Rev 4 |
D9.GCP.NET.AG5.VMInstance.22.TCP | VMInstance with administrative service: SSH (TCP:22) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample |
D9.GCP.NET.AG5.VMInstance.3389.TCP | VMInstance with administrative service: Remote Desktop (TCP:3389) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample |
D9.GCP.NET.AG5.VMInstance.9090.TCP | VMInstance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | description | GCP Dome9 Best Practices - Sample |
D9.AWS.CRY.16 | Use secure ciphers in CloudFront distribution | High | logic | AWS HIPAA |
December 3 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AWS.VLN.03 | Amazon GuardDuty service is enabled | Medium | AWS Dome9 Best Practices |
Rules Removed
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.CRY.07 | Ensure that 'Storage service encryption' is enabled for the Blob Service | High | Azure NIST 800-53 Rev 4 |
D9.AZU.CRY.08 | Ensure that 'Storage service encryption' is enabled for the File Service | High | Azure NIST 800-53 Rev 4 |
Changes to existing Rules
December 03 rule changes - click here
November 25 - Compliance Updates
New Bundles
Bundle Name | Description |
D9_GCP_CIS100 | GCP CIS Foundations v. 1.0.0 |
D9_AWS_SERVERLESS | AWS Dome9 Serverless Architectures Security |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.GCP.NET.11 | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | High | GCP Dome9 Best Practices - Sample |
D9.GCP.IAM.02 | Ensure that corporate login credentials are used instead of Gmail accounts | High | GCP Dome9 Best Practices - Sample |
D9.GCP.CRY.02 | Ensure "Block Project-wide SSH keys" enabled for VM instances | High | GCP PCI-DSS 3.2 |
D9.GCP.CRY.03 | Ensure oslogin is enabled for a Project | High | GCP PCI-DSS 3.2 |
D9.GCP.CRY.04 | Ensure oslogin is enabled for a Virtual Machine | High | GCP PCI-DSS 3.2 |
D9.GCP.IAM.01 | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | High | GCP PCI-DSS 3.2 |
D9.GCP.NET.12 | Ensure that SSH access is restricted from the internet | High | GCP PCI-DSS 3.2 |
D9.GCP.NET.13 | Ensure that RDP access is restricted from the internet | High | GCP PCI-DSS 3.2 |
D9.GCP.NET.14 | Ensure Private Google Access is enabled for all subnetwork in VPC Network | High | GCP PCI-DSS 3.2 |
D9.AWS.IAM.43 | S3 bucket should have versioning MFA delete enabled | High | AWS CSA CCM v.3.0.1 |
D9.AWS.CRY.24 | AWS Kinesis Server data at rest has server side encryption (SSE) | High | AWS CSA CCM v.3.0.1 |
D9.AWS.CRY.21 | AWS Kinesis streams are encrypted with KMS customer master keys | High | AWS CSA CCM v.3.0.1 |
D9.AWS.CRY.20 | AWS Kinesis Streams Keys are rotated | Medium | AWS CSA CCM v.3.0.1 |
D9.AWS.IAM.46 | Lambda Functions with Admin Privileges are not created | High | AWS CSA CCM v.3.0.1 |
D9.AWS.CRY.22 | Ensure that your Amazon EFS file systems are encrypted | High | AWS CSA CCM v.3.0.1 |
D9.AWS.CRY.23 | Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys | High | AWS CSA CCM v.3.0.1 |
D9.AWS.IAM.45 | Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role | Medium | AWS HIPAA |
D9.AWS.AS.03 | Lambda Functions must have an associated tag | Medium | AWS Dome9 Best Practices - Sample |
D9.AWS.AS.04 | Amazon EFS must have an associated tag | Low | AWS ISO 27001:2013 |
Changes to existing Rules
November 25, 2018 Rules Changes - click here
September 27 - Compliance Updates
New Bundles
Bundle Name | Description |
AWS NIST CSF v1.1 | Automated Validation of NIST CSF V1.1 for AWS |
GCP NIST CSF v1.1 | Automated Validation of NIST CSF V1.1 for GCP |
Azure NIST CSF v1.1 | Automated Validation of NIST CSF V1.1 for Azure |
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.CRY.02 | Ensure that logging for Azure KeyVault is 'Enabled' | High | Azure CIS Foundations v. 1.0.0 |
D9.AZU.CRY.12 | Ensure that the expiry date is set on all Keys | High | Azure CIS Foundations v. 1.0.0 |
D9.AZU.CRY.13 | Ensure that the expiry date is set on all Secrets | High | Azure CIS Foundations v. 1.0.0 |
D9.AZU.CRY.01 | Ensure that KeyVault is in Use | Low | Azure NIST 800-53 Rev 4 |
D9.AWS.LOG.14 | Ensure VPC Flow Logging is Enabled in all Applicable Regions | High | AWS HIPAA |
D9.GCP.LOG.01 | Bucket should have logging enabled | High | GCP NIST 800-53 Rev 4 |
D9.GCP.NET.09 | Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible | High | GCP NIST 800-53 Rev 4 |
D9.GCP.NET.10 | Ensure that there are no publicly accessible objects in storage buckets | High | GCP NIST 800-53 Rev 4 |
Deleted Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.MON.04 | Ensure that 'Threat Detection types' is set to 'All' | Medium | Azure CIS Foundations v. 1.0.0 |
D9.AWS.NET.21 | Ensure VPC Flow Logging is Enabled in all Applicable Regions | High | AWS GDPR Readiness |
D9.GCP.NET.02 | Asset is not labeled | Medium | GCP Dome9 Network Alerts |
Changes to existing Rules
September 27, 2018 Rules Changes - click here
September 03 - Compliance Updates
New Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.GCP.NET.06 | Unused firewall rules | Medium | GCP PCI-DSS 3.2 |
D9.GCP.NET.07 | Global Firewall rule that allows all traffic | High | GCP PCI-DSS 3.2 |
D9.GCP.CRY.01 | Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK) | High | GCP PCI-DSS 3.2 |
D9.AWS.IAM.17.HIPAA | Ensure MFA is enabled for the 'root' account | High | AWS HIPAA |
D9.GCP.NET.08 | Disable IP forwarding while creating instances | High | GCP Dome9 Best Practices |
D9.AWS.CRY.19 | ECS Cluster At-Rest Encryption | High | AWS PCI-DSS 3.2 |
D9.AWS.NET.31 | ECS Cluster should not have services without running tasks | Medium | AWS Dome9 Network Alerts |
D9.AWS.NET.33 | ECS Cluster should not have running container instances with unconnected agents | High | AWS Dome9 Network Alerts |
D9.AWS.NET.34 | Ensure that at least one instance is registered with an ECS Cluster | Medium | AWS Dome9 Network Alerts |
Deleted Rules
Rule ID | Rule Name | Severity | Affected Bundles |
D9.AZU.CRY.01 | Ensure that 'SQL Encryption' is set to 'On' | High | Azure CIS Foundations v. 1.0.0 |
D9.AZU.MON.01 | Ensure that 'SQL auditing & Threat detection' is set to 'On' | Medium | Azure CIS Foundations v. 1.0.0 |
D9.AWS.IAM.17 | Ensure VIRTUAL MFA is enabled for the "root" account | High | AWS HIPAA |
D9.AWS.NET.22 | Process for Security Group Management - Detection of new Security Groups | Medium | AWS NIST 800-53 Rev 4 |
Changes to existing Rules
September 03, 2018 Rules Changes - Click Here
August 06 - Compliance Updates
New Bundles
AWS ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for AWS |
Azure ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for Azure |
GCP ISO 27001:2013 | Automated Validation of ISO 27001:2013 Requirements for GCP |
New Rules
Ruleid | Rule Name | Affected Bundles |
D9.AWS.LOG.13 | ELB is created with Access logs enabled | AWS NIST 800-53 |
D9.AWS.NET.30 | ECS Cluster should have active services | AWS NIST 800-53 |
D9.AWS.NET.31 | ECS Cluster should not have services without running tasks | AWS NIST 800-53 |
D9.AWS.NET.32 | ECS Cluster instances must be placed in a VPC | AWS NIST 800-53 |
D9.AWS.NET.33 | ECS Cluster should not have running container instances with unconnected agents | AWS NIST 800-53 |
D9.AWS.CRY.19 | ElastiCache At-Rest Encryption | AWS NIST 800-53 |
D9.AWS.NET.34 | Ensure that at least one instance is registered with an ECS Cluster | AWS NIST 800-53 |
Changes to existing Rules
Ruleid/Bundle ID | Rule Name | Change Description |
D9.AWS.IAM.16 | Ensure no root account access key exists | A1.2.a and 10.2 controls mapping added to PCI bundle |
D9.AWS.IAM.17 | Ensure VIRTUAL MFA is enabled for the "root" account | 10.2.2 control mapping added to PCI bundle |
D9.AWS.IAM.18 | Ensure HARDWARE MFA is enabled for the 'root' account | 10.2.2 control mapping added to PCI bundle |
D9.AWS.LOG.02 | Ensure CloudTrail log file validation is enabled | 10.2.3 control mapping added to PCI bundle |
D9.AWS.LOG.01 | Ensure CloudTrail is enabled in all regions | 10.2.1, 10.2.4, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 controls mapping added to PCI bundle |
D9.AWS.MON.05 | Ensure a log metric filter and alarm exist for CloudTrail configuration | 10.2.6 controls mapping added to PCI bundle |
D9.AWS.IAM.27 | Ensure IAM policies that allow full "*:*" administrative privileges are not created | §164.308(a)(4)(i) controls mapping added to HIPAA bundle |
D9.AZU.IAM.01 | SQL Server Active Directory Administrators | Security Group updated to Network Security Group |
D9.AWS.NET.29 | Public AMI | D9.AZU.NET.29 ID changed to D9.AWS.NET.29 |
D9.AWS.CRY.01 | Use encrypted storage for instances that might host a database. | Wording Changes Updated Rule Names, Description and Remediation Fields |
D9.AWS.IAM.43 | S3 bucket should have versioning MFA delete enabled, updated GSL to: S3Bucket should have versioning.mfaDelete=true | GSL Bug Fix |
D9.AWS.CRY.16 | GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%' | GSL Bug Fix |
D9.AWS.MON.02 | GSL updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0] | GSL Bug Fix |
July 01 - Compliance Updates
New Rules
D9.AWS.CRY.18 | DynamoDB - Server Side Encryption | High | AWS NIST 800-53 |
D9.AWS.OPE.01 | Lambda Functions must have an associated tag | Medium | AWS Dome9 Best Practices |
D9.AZU.AS.01 | Instances outside of Europe | High | Azure GDPR Readiness |
D9.AZU.NET.29 | Public AMI | Medium | AWS Dome9 Best Practices |
D9.AWS.AS.02 | S3 Buckets outside of Europe | High | AWS GDPR Readiness |
D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP | ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2 |
D9.AWS.NET.AG4.ELB.9090.TCP | ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2 |
D9.AWS.NET.AG4.Instance.9090.TCP | Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2 |
D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP | NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet | High | AWS PCI-DSS 3.2 |
D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP | ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.AG5.ELB.9090.TCP | ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.AG5.Instance.9090.TCP | Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices |
D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP | NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope | Medium | AWS Dome9 Best Practices |
Changes to existing Rules
Ruleid/Bundle ID | Change Description | Updated Field | Bundles Affected |
D9_AWS_NIST800534 | Bundle Titles and Descriptions update: | AWS NIST 800-53 Rev 4 (FedRAMP) | AWS NIST 800-53 Rev 4 |
D9.AWS.LOG.12 | Change to Description | Update title to "S3 bucket should have server access logging enabled" | AWS Dome9 Best Practices |
D9.GCP.NET.02 | Changed Compliance tag to 'Operational' | | GCP Dome9 Best Practices |
D9.AWS.NET.AG protocol | Multiple Network Security Rules - URLs updated to Zendesk | | AWS Dome9 Best Practices |
D9.AWS.CRY.04 | Update to GSL | Rule Name: S3 Bucket should have encryption in transit for read actions NEW GSL: S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] | AWS Dome9 S3 Bucket Security |
D9.AWS.CRY.14 | Update to GSL | Rule Name: S3 Bucket should have encryption in transit for write actions NEW GSL: S3Bucket should not have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] | AWS Dome9 S3 Bucket Security |