For the compliance updates for this month we have made the following enhancements to our compliance module:

1. Added new bundles

2. Added new rules to existing bundles

3. Updated existing PCI and HIPAA bundles with new controls mappings

New Bundles

AWS ISO 27001:2013 – Automated Validation of ISO 27001:2013 Requirements for AWS
Azure ISO 27001:2013 – Automated Validation of ISO 27001:2013 Requirements for Azure
GCP ISO 27001:2013 – Automated Validation of ISO 27001:2013 Requirements for GCP

Please take a look at our blog – Get ISO 27001 Ready with Dome9!

New Rules:

D9.AWS.LOG.13 – ELB is created with Access logs enabled

D9.AWS.NET.30 – ECS Cluster should have active services

D9.AWS.NET.31 – ECS Cluster should not have services without running tasks

D9.AWS.NET.32 – ECS Cluster instances must be placed in a VPC

D9.AWS.NET.33 – ECS Cluster should not have running container instances with unconnected agents

D9.AWS.CRY.19 – ElastiCache At-Rest Encryption

D9.AWS.NET.34 – Ensure that at least one instance is registered with an ECS Cluster

Rules Updated:

§164.308(a)(4)(i) section mapping added to the AWS HIPAA bundle for the following rules:

– Ensure IAM policies that allow full “*:*” administrative privileges are not created

– S3 bucket should not allow all actions from all principals

– S3 bucket should not allow delete actions from all principals

– S3 bucket should not allow get actions from all principals

– S3 bucket should not allow list actions from all principals

– S3 bucket should not allow put actions from all principals

– S3 bucket should not allow put or restore actions from all principals

– S3 bucket should not be world-listable

– IAM Users – with Inline IAM Policies applied

– S3 bucket should not be world-listable from anonymous users

– S3 bucket should not be world-writable

– S3 bucket should not be world-writable from anonymous users

– S3 bucket should not have world-readable permissions

– S3 bucket should not have world-readable permissions from anonymous users

– S3 bucket should not have world-writable permissions

– S3 bucket should not have writable permissions from anonymous users
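The S3 rules listed above all reduce to the same question: does a bucket policy contain an Allow statement whose Principal is every AWS principal (including anonymous requests) and whose actions fall into the get, put, list, delete or restore families? The checker below is an added illustration of that logic, not Dome9's rule implementation; the policy documents, bucket name, VPC endpoint id and account id in it are constructed placeholders. It also handles the caveat a reviewer cares about: a public principal combined with a Condition block may be narrowed (for example to one VPC endpoint), so such statements are reported but marked conditional rather than silently ignored.

```python
import json
from typing import Any

# Action families the rules above check, matched on the S3 action name
# after the "s3:" service prefix is stripped (so "s3:Get*" counts as get).
ACTION_CATEGORIES = ("get", "put", "list", "delete", "restore")


def _as_list(value: Any) -> list:
    """Statement, Action and Principal.AWS may be a single value or a list;
    normalise to a list so the callers need only one code path."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True when the statement applies to every principal, anonymous
    included: Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_categories(actions: list) -> set:
    """Map a statement's Action list to the rule families it would trigger.
    "*" or "s3:*" grants everything and therefore trips every family."""
    cats = set()
    for action in actions:
        name = action.lower()
        if name in ("*", "s3:*"):
            return {"all", *ACTION_CATEGORIES}
        if name.startswith("s3:"):
            name = name[3:]
            for cat in ACTION_CATEGORIES:
                if name.startswith(cat):
                    cats.add(cat)
    return cats


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement granting S3 actions to all
    principals. 'conditional' marks statements that carry a Condition block,
    which may narrow the grant; those still deserve a manual look."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        cats = action_categories(_as_list(stmt.get("Action")))
        if not cats:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "categories": sorted(cats),
            "conditional": "Condition" in stmt,
        })
    return findings


# Constructed sample: a public-read policy of the kind that trips the
# "get actions from all principals" rule.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: wildcard principal and actions, but narrowed by a
# Condition to one (placeholder) VPC endpoint; reported as conditional.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})

# Constructed sample: scoped to a single (placeholder) account, so no finding.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountList", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ_POLICY),
                      ("conditional", CONDITIONAL_POLICY),
                      ("private", PRIVATE_POLICY)):
        print(name, find_public_statements(doc))
```

Feeding the output of `aws s3api get-bucket-policy` into `find_public_statements` gives the same classification the rule names above describe; bucket ACLs and the account-level public access block are separate controls and are not covered by this policy-document check.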

AWS PCI-DSS 3.2 sections mappings updates:

D9.AWS.IAM.16 – Ensure no root account access key exists – A1.2.a and 10.2 controls mapping added to AWS PCI-DSS 3.2 bundle

D9.AWS.IAM.17 – Ensure VIRTUAL MFA is enabled for the “root” account – 10.2.2 control mapping added to AWS PCI-DSS 3.2 bundle

D9.AWS.IAM.18 – Ensure HARDWARE MFA is enabled for the “root” account – 10.2.2 control mapping added to AWS PCI-DSS 3.2 bundle

D9.AWS.LOG.02 – Ensure CloudTrail log file validation is enabled – 10.2.3 control mapping added to AWS PCI-DSS 3.2 bundle

D9.AWS.LOG.01 – Ensure CloudTrail is enabled in all regions – 10.2.1, 10.2.4, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 controls mapping added to AWS PCI-DSS 3.2 bundle

D9.AWS.MON.05 – Ensure a log metric filter and alarm exist for CloudTrail configuration – 10.2.6 control mapping added to AWS PCI-DSS 3.2 bundle

For more details, you can check out the Dome9 Helpcenter.

Stay tuned for further compliance updates!