Merge pull request #114 from PaloAltoNetworks/PCS-24.10.1

Updated in PCS-24.10.1

CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## PCS-24.10.1 - 2024-9-30
+
+### Added
+
+#### 11 new config policies
+
+- AWS EMR Studio using the shadow resource bucket for workspace storage
+- AWS Glue Job using the shadow resource bucket for script location
+- Azure Machine Learning compute instance not configured inside virtual network
+- Azure Machine Learning compute instance with local authentication enabled
+- Azure Machine Learning workspace not encrypted with Customer Managed Key (CMK)
+- Azure Machine Learning workspace not enforced with Managed Virtual Network Isolation
+- GCP public-facing (external) global load balancer using HTTP protocol
+- GCP public-facing (external) regional load balancer using HTTP protocol
+- GCP Storage Buckets with publicly accessible GCP logs
+- GCP Vertex AI Workbench Instance has Integrity monitoring disabled
+- GCP Vertex AI Workbench Instance has vTPM disabled
+- GCP Vertex AI Workbench Instance is using default service account with the editor role
+
+#### 6 new compliance standards
+
+- CIS v2.0.0 (Azure) Level 2
+- CIS v2.1.0 (Azure) Level 2
+- CSA CCM v4.0.12
+- HITRUST CSF v.11.2.0
+- ITSG-33
+- Microsoft Cloud Security Benchmark v1
+
+### Changed
+
+#### 2 config policies updated
+
+- Azure Storage Account without Secure transfer enabled
+- GCP Cloud Function v1 is using unsecured HTTP trigger
+
+
 #### PCS-24.9.2 - 2024-9-26
 
 ### Added

policies/AWS-ACM-Certificate-with-wildcard-domain-name.json

@@ -25,6 +25,7 @@
     "CRI Profile v2.0",
     "CSA CCM v.4.0.1",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.1.02",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
@@ -39,8 +40,10 @@
     "ISO/IEC 27002:2013",
     "ISO/IEC 27017:2015",
     "ISO/IEC 27018:2019",
+    "ITSG-33",
     "MAS TRM 2021",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST 800-53 Rev 5",
     "NIST 800-53 Rev4",
     "NIST CSF",

policies/AWS-ALB-attached-WAFv2-WebACL-is-not-configured-with-AMR-for-Log4j-Vulnerability.json

@@ -25,6 +25,7 @@
     "CRI Profile v1.2.1",
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "DORA",
@@ -33,7 +34,9 @@
     "HITRUST CSF v.11.2.0",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",
     "PCI DSS v4.0",

policies/AWS-API-Gateway-REST-API-execution-logging-disabled.json

@@ -14,6 +14,8 @@
   "remediation.description": "",
   "remediation.impact": "",
   "compliance.standard": [
+    "CSA CCM v4.0.12",
+    "Microsoft Cloud Security Benchmark v1",
     "NYDFS 23 CRR-NY 500.0"
   ]
 }

policies/AWS-API-Gateway-REST-API-not-configured-with-AWS-Web-Application-Firewall-v2-AWS-WAFv2.json

@@ -20,12 +20,14 @@
     "CIS Controls v8",
     "CIS Controls v8.1",
     "CRI Profile v2.0",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
     "Korea – Information Security Management System (ISMS)",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",
     "PCI DSS v4.0",

policies/AWS-API-Gateway-Rest-API-attached-WAFv2-WebACL-is-not-configured-with-AMR-for-Log4j-Vulnerability.json

@@ -25,6 +25,7 @@
     "CRI Profile v1.2.1",
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "DORA",
@@ -33,7 +34,9 @@
     "HITRUST CSF v.11.2.0",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",
     "PCI DSS v4.0",

policies/AWS-API-Gateway-endpoints-without-client-certificate-authentication.json

@@ -29,6 +29,7 @@
     "CSA CCM v.4.0.1",
     "CSA CCM v.4.0.6",
     "CSA CCM v3.0.1",
+    "CSA CCM v4.0.12",
     "CyberSecurity Law of the People's Republic of China",
     "Cybersecurity Maturity Model Certification (CMMC) v.1.02",
     "DORA",
@@ -45,10 +46,12 @@
     "ISO/IEC 27002:2013",
     "ISO/IEC 27017:2015",
     "ISO/IEC 27018:2019",
+    "ITSG-33",
     "MAS TRM 2021",
     "MLPS 2.0",
     "MLPS 2.0 (Level 2)",
     "MLPS 2.0 (Level 3)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST 800-53 Rev 5",
     "NIST 800-53 Rev4",
     "NIST CSF",

policies/AWS-API-gateway-request-authorisation-is-not-set.json

@@ -23,6 +23,7 @@
     "CRI Profile v2.0",
     "CSA CCM v.4.0.1",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.1.02",
     "FFIEC",
     "GDPR",
@@ -34,6 +35,7 @@
     "ISO/IEC 27002:2013",
     "ISO/IEC 27017:2015",
     "ISO/IEC 27018:2019",
+    "ITSG-33",
     "MAS TRM 2021",
     "MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
     "MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",

policies/AWS-Access-key-enabled-on-root-account.json

@@ -38,6 +38,7 @@
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
     "CSA CCM v3.0.1",
+    "CSA CCM v4.0.12",
     "CyberSecurity Law of the People's Republic of China",
     "Cybersecurity Maturity Model Certification (CMMC) v.1.02",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
@@ -54,6 +55,7 @@
     "ISO 27001:2013",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "Korea – Information Security Management System (ISMS)",
     "MAS TRM 2021",
     "MITRE ATT&CK v10.0 [Deprecated]",
@@ -65,6 +67,7 @@
     "MLPS 2.0",
     "MLPS 2.0 (Level 2)",
     "MLPS 2.0 (Level 3)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST 800-171 Rev1",
     "NIST 800-53 Rev 5",
     "NIST 800-53 Rev4",

policies/AWS-Access-logging-not-enabled-on-S3-buckets.json

@@ -26,6 +26,7 @@
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
     "CSA CCM v3.0.1",
+    "CSA CCM v4.0.12",
     "CyberSecurity Law of the People's Republic of China",
     "DORA",
     "FFIEC",
@@ -37,6 +38,7 @@
     "HITRUST CSF v9.3 [Deprecated]",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "Korea – Information Security Management System (ISMS)",
     "MAS TRM 2021",
     "MITRE ATT&CK v10.0 [Deprecated]",
@@ -48,6 +50,7 @@
     "MLPS 2.0",
     "MLPS 2.0 (Level 2)",
     "MLPS 2.0 (Level 3)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST 800-171 Rev1",
     "NIST 800-53 Rev 5",
     "NIST 800-53 Rev4",

policies/AWS-Amazon-Machine-Image-AMI-infected-with-mining-malware.json

@@ -27,12 +27,14 @@
     "HITRUST CSF v.11.2.0",
     "HITRUST CSF v.9.6.0",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MAS TRM 2021",
     "MITRE ATT&CK v10.0 [Deprecated]",
     "MITRE ATT&CK v12",
     "MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
     "MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "RBI Baseline Cyber Security and Resilience Requirements",
     "SEBI - Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF)",

policies/AWS-Amazon-Machine-Image-AMI-is-publicly-accessible.json

@@ -37,6 +37,7 @@
     "ISO 27001:2013",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MAS TRM 2021",
     "MITRE ATT&CK v10.0 [Deprecated]",
     "MITRE ATT&CK v12",

policies/AWS-AppSync-GraphQL-API-is-authenticated-with-API-key.json

@@ -14,6 +14,7 @@
   "remediation.description": "",
   "remediation.impact": "",
   "compliance.standard": [
+    "ITSG-33",
     "NYDFS 23 CRR-NY 500.0",
     "SOC 2",
     "Secure Controls Framework (SCF) - 2024.2",

policies/AWS-AppSync-attached-WAFv2-WebACL-is-not-configured-with-AMR-for-Log4j-Vulnerability.json

@@ -25,6 +25,7 @@
     "CRI Profile v1.2.1",
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "DORA",
@@ -33,7 +34,9 @@
     "HITRUST CSF v.11.2.0",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",
     "PCI DSS v4.0",

policies/AWS-AppSync-has-field-level-logging-disabled.json

@@ -15,9 +15,12 @@
   "remediation.impact": "",
   "compliance.standard": [
     "CIS Controls v8.1",
+    "CSA CCM v4.0.12",
     "DORA",
     "GDPR",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
+    "Microsoft Cloud Security Benchmark v1",
     "NYDFS 23 CRR-NY 500.0",
     "SOC 2",
     "Secure Controls Framework (SCF) - 2024.2",

policies/AWS-AppSync-not-configured-with-AWS-Web-Application-Firewall-v2-AWS-WAFv2.json

@@ -19,11 +19,13 @@
     "CIS Controls v8",
     "CIS Controls v8.1",
     "CRI Profile v2.0",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "PCI DSS v4.0",
     "RBI Baseline Cyber Security and Resilience Requirements",

policies/AWS-Application-Load-Balancer-ALB-is-not-configured-to-drop-HTTP-headers.json

@@ -16,6 +16,7 @@
   "compliance.standard": [
     "CIS Controls v8.1",
     "DORA",
+    "HITRUST CSF v.11.2.0",
     "SOC 2",
     "TX-RAMP Level 2"
   ]

policies/AWS-Application-Load-Balancer-ALB-is-not-using-the-latest-predefined-security-policy.json

@@ -28,8 +28,10 @@
     "ISO/IEC 27002:2013",
     "ISO/IEC 27017:2015",
     "ISO/IEC 27018:2019",
+    "ITSG-33",
     "MAS TRM 2021",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF",
     "NIST SP 800-171 Revision 2",
     "NIST SP 800-171 Revision 3",

policies/AWS-Application-Load-Balancer-ALB-not-configured-with-AWS-Web-Application-Firewall-v2-AWS-WAFv2.json

@@ -20,12 +20,14 @@
     "CIS Controls v8",
     "CIS Controls v8.1",
     "CRI Profile v2.0",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
     "Korea – Information Security Management System (ISMS)",
     "MAS TRM 2021",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST 800-53 Rev 5",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",

policies/AWS-Athena-Workgroup-data-encryption-at-rest-not-configured.json

@@ -14,10 +14,14 @@
   "remediation.description": "",
   "remediation.impact": "",
   "compliance.standard": [
+    "CSA CCM v4.0.12",
     "DORA",
     "GDPR",
     "HIPAA",
+    "HITRUST CSF v.11.2.0",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
+    "Microsoft Cloud Security Benchmark v1",
     "NYDFS 23 CRR-NY 500.0",
     "SOC 2",
     "TX-RAMP Level 2"

policies/AWS-Aurora-MySQL-DB-cluster-does-not-publish-audit-logs-to-CloudWatch-Logs.json

@@ -15,8 +15,12 @@
   "remediation.impact": "",
   "compliance.standard": [
     "CIS Controls v8.1",
+    "CSA CCM v4.0.12",
     "DORA",
     "GDPR",
+    "HITRUST CSF v.11.2.0",
+    "ITSG-33",
+    "Microsoft Cloud Security Benchmark v1",
     "SOC 2",
     "Secure Controls Framework (SCF) - 2024.2",
     "TX-RAMP Level 1",

policies/AWS-Aurora-PostgreSQL-exposed-to-local-file-read-vulnerability.json

@@ -24,6 +24,7 @@
     "CRI Profile v1.2.1",
     "CRI Profile v2.0",
     "CSA CCM v.4.0.6",
+    "CSA CCM v4.0.12",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)",
     "Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
     "DORA",
@@ -32,7 +33,9 @@
     "HITRUST CSF v.11.2.0",
     "ISO 27002:2022",
     "ISO/IEC 27001:2022",
+    "ITSG-33",
     "MLPS 2.0 (Level 2)",
+    "Microsoft Cloud Security Benchmark v1",
     "NIST CSF v2.0",
     "NYDFS 23 CRR-NY 500.0",
     "PCI DSS v4.0",

policies/AWS-Auto-Scaling-group-launch-configuration-configured-with-Instance-Metadata-Service-hop-count-greater-than-1.json

@@ -15,6 +15,7 @@
   "remediation.impact": "",
   "compliance.standard": [
     "Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)",
+    "ITSG-33",
     "MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
     "MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
     "NIST 800-53 Rev 5",

policies/AWS-Auto-Scaling-group-launch-configuration-has-public-IP-address-assignment-enabled.json

@@ -15,6 +15,7 @@
   "remediation.impact": "",
   "compliance.standard": [
     "Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)",
+    "HITRUST CSF v.11.2.0",
     "TX-RAMP Level 2"
   ]
 }

policies/AWS-Auto-Scaling-group-launch-configuration-not-configured-with-Instance-Metadata-Service-v2-IMDSv2.json

@@ -16,6 +16,7 @@
   "compliance.standard": [
     "CIS Controls v8.1",
     "Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)",
+    "ITSG-33",
     "MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
     "MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
     "NIST 800-53 Rev 5",

policies/AWS-Bedrock-Custom-model-encrypted-with-Customer-Managed-Key-CMK-is-not-enabled-for-regular-rotation.json

@@ -13,5 +13,8 @@
   "remediation.cliScriptTemplate": "",
   "remediation.description": "",
   "remediation.impact": "",
-  "compliance.standard": ""
+  "compliance.standard": [
+    "CSA CCM v4.0.12",
+    "Microsoft Cloud Security Benchmark v1"
+  ]
 }