Product announcements and release notes

Hint: Subscribe at the top to stay notified when new releases are published!

3 years ago

December 8, 2021 - CIS Benchmark updates, Best Practice Check updates, and more

Updated AWS CIS Benchmark report to v1.4

We have updated our CIS Benchmark report to version 1.4.  This update required several changes to our existing report, including re-ordering and re-numbering most of the controls. Additionally, we've changed the Scored/Not Scored column to Manual/Automated.

Check out the docs

Updated Best Practice Checks

We have updated the Stale IAM Users best practice check to identify any IAM user who has not signed in within the last 45 days. Previously, this check identified users who had not signed in within 90 days.

We have also added the following best practice checks:

  • Regions Not Enforcing EBS Volumes Encryption Upon Creation
  • S3 Buckets Not Configured to Block Public Access
  • RDS Instances Without Encryption Enabled
  • IAM Users With Multiple Access Keys
  • Expired SSL/TLS Certificates Stored in IAM
  • Regions Without IAM Access Analyzer Enabled
  • IAM Users in Multi-Account Environments Not Being Managed via Identify Federation or AWS Organizations
  • S3 Buckets Without MFA Delete Enabled
  • S3 Buckets Not Logging Object-Level Write Events
  • S3 Buckets Not Logging Object-Level Read Events
  • S3 Buckets with data not Discovered, Classified, and Secured
  • Log Metric Filter and Alarm Do Not Exist for Changes to AWS Organizations
  • Network ACLs Allowing Ingress from 0.0.0.0/0 to Administration Ports

Note: The IAM policy associated with your AWS account will need the following new permissions to fully support these updates:
     "s3:GetBucketPublicAccessBlock"
     "s3:GetBucketVersioning"
     "ec2:GetEbsEncryptionByDefault"

Bug Fixes and Improvements

  • Improved the CloudTrail Aggregate S3 Bucket Credential process to require S3 bucket region. improvement 
  • Improved the load times for the AWS RI Amortization report in Multi-Account Views. improvement 
  • Fixed an issue that prevented some custom inventory emails from sending. fix 
  • Fixed an issue that prevented the get_resources_ec2_details_V4 API call from returning data. fix 
  • Fixed an issue that prevented the Best Practice Email from sending when AWS Trusted Advisor checks were not available. fix 
  • Removed the EC2 Security Group Connections and VPC Flow Log Connections reports due to reduced customer interest and to streamline our navigation and interface. Additionally, we have deprecated the Legacy Azure RI Configuration page in preparation for our new Azure RI Configuration setup solution, which will be released in the coming weeks.  improvement