Updated in PCS-24.6.1 #103

Merged
merged 1 commit into from
Jun 5, 2024
94 changes: 94 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,99 @@
# Changelog

## PCS-24.6.1 - 2024-6-09

### Added

#### 23 new config policies

- AWS AppSync GraphQL API is authenticated with API key
- AWS Aurora MySQL DB cluster does not publish audit logs to CloudWatch Logs
- AWS EC2 Client VPN endpoints client connection logging disabled
- AWS ECS task definition logging configuration disabled
- AWS EventBridge event bus with no resource-based policy attached
- AWS Network Firewall is not configured with logging configuration
- AWS Secrets Manager secret not used for more than 90 days
- AWS Security Hub is not enabled
- AWS Step Function state machines logging disabled
- AWS WAF Rule Group CloudWatch metrics disabled
- Azure Activity log alert for Create or update public IP address rule does not exist
- Azure Activity log alert for Delete public IP address rule does not exist
- Azure Application Insights configured with overly permissive network access
- Azure Application Insights not configured with Azure Active Directory (Azure AD) authentication
- Azure Log Analytics workspace configured with overly permissive network access
- Azure storage account infrastructure encryption is disabled
- GCP Cloud Run service revision is using default service account with editor role
- GCP Vertex AI Workbench user-managed notebook auto-upgrade is disabled
- GCP Vertex AI Workbench user-managed notebook has Integrity monitoring disabled
- GCP Vertex AI Workbench user-managed notebook has vTPM disabled
- GCP Vertex AI Workbench user-managed notebook’s JupyterLab interface access mode is set to single user
- OCI boot volume is not encrypted with Customer Managed Key (CMK)
- OCI Cloud Guard is not enabled in the root compartment of the tenancy

#### 35 new policies for the IAM Security module

- AWS Compute Instance (EC2/Lambda) Assigned CloudFormation Creation Permissions Which Could Lead to Privilege Escalation
- AWS Compute Instance (EC2/Lambda) Assigned Glue DevEndpoint Creation Permissions Which Could Lead to Privilege Escalation
- AWS Compute Instance (EC2/Lambda) Assigned IAM Policy Management Permissions Which Could Lead to Privilege Escalation
- AWS Compute Instance (EC2/Lambda) Assigned Lambda Creation Permissions Which Could Lead to Privilege Escalation
- AWS Compute Instance (EC2/Lambda) Assigned Permissions to Run EC2 Instances Which Could Lead to Privilege Escalation
- AWS Role With Administrative Permissions Can Be Assumed By All Users
- Azure Compute Resource Assigned Managed Identity Assignment Permissions Which Could Lead to Privilege Escalation
- Azure Compute Resource Assigned Role & Role Assignment Related Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Cloud Function Creation Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Cloud Function IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Cloud Run Creation Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Cloud Run IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Cloud Run Jobs IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned IAM Role Update Permissions Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Permissions to Edit IAM Policy for Service Accounts Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Permissions to Retrieve Service Account Tokens Which Could Lead to Privilege Escalation
- GCP App Engine Web Service Assigned Resource Manager Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Cloud Function Creation Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Cloud Function IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Cloud Run Creation Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Cloud Run IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Cloud Run Jobs IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned IAM Role Update Permissions Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Permissions to Edit IAM Policy for Service Accounts Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Permissions to Retrieve Service Account Tokens Which Could Lead to Privilege Escalation
- GCP Cloud Run Instance Assigned Resource Manager Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Cloud Function Creation Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Cloud Function IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Cloud Run Creation Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Cloud Run IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Cloud Run Jobs IAM Policy Edit Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned IAM Role Update Permissions Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Permissions to Edit IAM Policy for Service Accounts Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Permissions to Retrieve Service Account Tokens Which Could Lead to Privilege Escalation
- GCP Compute Instance (VM/Cloud Function) Assigned Resource Manager Permissions Which Could Lead to Privilege Escalation

#### 4 new compliance standards

- CIS AWS 3.0
- CIS Azure 2.1
- CIS GKE 1.5
- CIS OCI 2.0

### Changed

#### 1 config policy updated

- AWS AppSync has field-level logging disabled

#### 1 policy updated for the IAM Security module

- AWS IAM Groups and Roles with IAM Metadata Write permissions are unused for 90 days

#### 5 legacy versions of compliance standards deprecated

- HITRUST CSF v9.3
- HITRUST v.9.4.2
- MITRE ATT&CK v10.0
- MITRE ATT&CK v6.3
- MITRE ATT&CK v8.2


## PCS-24.5.2 - 2024-5-23

### Added
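Review bot: The new heading's date `2024-6-09` is not zero-padded; the entry below it uses the same `2024-5-23` form, so either keep that house style deliberately or move both to ISO 8601 (`2024-06-09`, `2024-05-23`). Under "5 legacy versions of compliance standards deprecated", the per-policy hunks in this PR implement the deprecation by renaming the strings in each policy's compliance list to `"... [Deprecated]"`; a sentence saying so here would warn anyone whose filters or saved searches match on the old exact names (`HITRUST CSF v9.3`, `MITRE ATT&CK v10.0`, etc.).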
Expand Up @@ -30,7 +30,7 @@
"FFIEC",
"Fedramp (Moderate)",
"HITRUST CSF v.9.6.0",
"HITRUST v.9.4.2",
"HITRUST v.9.4.2 [Deprecated]",
"ISO 27002:2022",
"ISO/IEC 27001:2022",
"ISO/IEC 27002:2013",
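Review bot: Renaming the standard in place from `"HITRUST v.9.4.2"` to `"HITRUST v.9.4.2 [Deprecated]"` changes the value that downstream consumers key on (compliance filters, dashboards, any tooling doing exact string matches), so an existing mapping to this standard silently stops matching after the change. If that is the intended behaviour, state it in the changelog; if not, a separate deprecation marker would preserve the original name. The same point applies to each of the other rename hunks in this PR.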
Expand Up @@ -32,8 +32,8 @@
"HIPAA",
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"HITRUST CSF v9.3",
"HITRUST v.9.4.2",
"HITRUST CSF v9.3 [Deprecated]",
"HITRUST v.9.4.2 [Deprecated]",
"ISO 27001:2013",
"ISO 27002:2022",
"ISO/IEC 27001:2022",
Expand Up @@ -27,7 +27,7 @@
"HIPAA",
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"HITRUST v.9.4.2",
"HITRUST v.9.4.2 [Deprecated]",
"ISO/IEC 27002:2013",
"ISO/IEC 27017:2015",
"ISO/IEC 27018:2019",
Expand Up @@ -18,7 +18,7 @@
"Brazilian Data Protection Law (LGPD)",
"CSA CCM v.4.0.1",
"Cybersecurity Maturity Model Certification (CMMC) v.1.02",
"HITRUST v.9.4.2",
"HITRUST v.9.4.2 [Deprecated]",
"ISO/IEC 27002:2013",
"ISO/IEC 27017:2015",
"ISO/IEC 27018:2019",
9 changes: 5 additions & 4 deletions policies/AWS-Access-key-enabled-on-root-account.json
Expand Up @@ -29,6 +29,7 @@
"CIS v1.4.0 (AWS)",
"CIS v1.5.0 (AWS) - Level 1",
"CIS v2.0.0 (AWS) - Level 1",
"CIS v3.0.0 (AWS) Level 1",
"CRI Profile v1.2.1",
"CRI Profile v2.0",
"CSA CCM v.4.0.6",
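Review bot: The added entry `"CIS v3.0.0 (AWS) Level 1"` drops the ` - ` separator that the two neighbouring entries use (`"CIS v1.5.0 (AWS) - Level 1"`, `"CIS v2.0.0 (AWS) - Level 1"`). Unless the CIS AWS 3.0 standard is registered under the unhyphenated name, change it to `"CIS v3.0.0 (AWS) - Level 1"` so the naming stays consistent and level-based filtering keeps working.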
Expand All @@ -44,18 +45,18 @@
"HIPAA",
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"HITRUST CSF v9.3",
"HITRUST CSF v9.3 [Deprecated]",
"ISO 27001:2013",
"ISO 27002:2022",
"ISO/IEC 27001:2022",
"Korea – Information Security Management System (ISMS)",
"MAS TRM 2021",
"MITRE ATT&CK v10.0",
"MITRE ATT&CK v10.0 [Deprecated]",
"MITRE ATT&CK v12",
"MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v6.3",
"MITRE ATT&CK v8.2",
"MITRE ATT&CK v6.3 [Deprecated]",
"MITRE ATT&CK v8.2 [Deprecated]",
"MLPS 2.0",
"MLPS 2.0 (Level 2)",
"MLPS 2.0 (Level 3)",
8 changes: 4 additions & 4 deletions policies/AWS-Access-logging-not-enabled-on-S3-buckets.json
Expand Up @@ -32,17 +32,17 @@
"HIPAA",
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"HITRUST CSF v9.3",
"HITRUST CSF v9.3 [Deprecated]",
"ISO 27002:2022",
"ISO/IEC 27001:2022",
"Korea – Information Security Management System (ISMS)",
"MAS TRM 2021",
"MITRE ATT&CK v10.0",
"MITRE ATT&CK v10.0 [Deprecated]",
"MITRE ATT&CK v12",
"MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v6.3",
"MITRE ATT&CK v8.2",
"MITRE ATT&CK v6.3 [Deprecated]",
"MITRE ATT&CK v8.2 [Deprecated]",
"MLPS 2.0",
"MLPS 2.0 (Level 2)",
"MLPS 2.0 (Level 3)",
Expand Up @@ -22,7 +22,7 @@
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"MAS TRM 2021",
"MITRE ATT&CK v10.0",
"MITRE ATT&CK v10.0 [Deprecated]",
"MITRE ATT&CK v12",
"MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
Expand Up @@ -31,18 +31,18 @@
"HIPAA",
"HITRUST CSF v.11.2.0",
"HITRUST CSF v.9.6.0",
"HITRUST CSF v9.3",
"HITRUST v.9.4.2",
"HITRUST CSF v9.3 [Deprecated]",
"HITRUST v.9.4.2 [Deprecated]",
"ISO 27001:2013",
"ISO 27002:2022",
"ISO/IEC 27001:2022",
"MAS TRM 2021",
"MITRE ATT&CK v10.0",
"MITRE ATT&CK v10.0 [Deprecated]",
"MITRE ATT&CK v12",
"MITRE ATT&CK v13.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v14.0 Cloud IaaS for Enterprise",
"MITRE ATT&CK v6.3",
"MITRE ATT&CK v8.2",
"MITRE ATT&CK v6.3 [Deprecated]",
"MITRE ATT&CK v8.2 [Deprecated]",
"MLPS 2.0",
"MLPS 2.0 (Level 2)",
"MLPS 2.0 (Level 3)",
@@ -0,0 +1,17 @@
{
"policyUpi": "PC-AWS-ASY-1180",
"policyId": "a0862fa8-256a-458f-9a63-192add13a53f",
"policyType": "config",
"cloudType": "aws",
"severity": "informational",
"name": "AWS AppSync GraphQL API is authenticated with API key",
"description": "This policy identifies the AWS AppSync Graphql API using API key for primary or additional authentication methods.\n\nAWS AppSync GraphQL API is a fully managed service by Amazon Web Services for building scalable and secure GraphQL APIs. An API key is a hard-coded value in your application generated by the AWS AppSync service when you create an unauthenticated GraphQL endpoint. Using API keys for authentication can pose security risks such as exposure to unauthorized access and limited control over access privileges, potentially compromising sensitive data and system integrity.\n\nIt is recommended to use authentication methods other than API Keys like IAM, Amazon Cognito User Pools, or OpenID Connect providers for securing AWS AppSync GraphQL APIs, to ensure enhanced security and access control.",
"rule.criteria": "b5b1d9bb-1d61-45e3-961e-3a417aba7e40",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-appsync-graphql-api' AND json.rule = authenticationType equals \"API_KEY\" or additionalAuthenticationProviders[?any( authenticationType equals \"API_KEY\" )] exists",
"recommendation": "Note: Changing the API authorization mode from API key to other methods could cause potential disruptions to existing clients or applications relying on API key authentication. It may require updates to client configurations and authentication workflows for your applications.\n\nTo update the Primary authorization mode option for your AWS AppSync GraphQL API, perform the following actions:\n\n1. Sign in to the AWS Management Console\n2. Select the specific region from the region drop-down in the top right corner, for which the alert is generated\n3. In the Navigation Panel on the left, Select 'All services' and under 'Front-end Web & Mobile', select 'AWS AppSync'\n4. Under the 'APIs' section, select the AppSync API that is reported\n5. Navigate to the 'Settings page' from the left panel, Click 'Edit' on the 'Primary authorization mode' section\n6. In the 'Primary authorization mode' window, change the 'Authorization mode' from 'API key' to other authentication methods and configure it according to your business requirements\n7. Click 'Save'\n\nTo update the Additional authorization modes for your AWS AppSync GraphQL API, perform the following actions:\n\n1. Sign in to the AWS Management Console\n2. Select the specific region from the region drop-down in the top right corner, for which the alert is generated\n3. In the Navigation Panel on the left, Select 'All services' and under 'Front-end Web & Mobile', select 'AWS AppSync'\n4. Under the 'APIs' section, select the AppSync API that is reported\n5. Navigate to the 'Settings page' from the left panel, and click 'Add' in the 'Additional authorization modes' section.\n6. In the 'Additional authorization mode' window, select any 'Authorization mode' except 'API key' and configure according to your business requirements, and click 'Add'\n7. 
Navigate to the 'Settings page' from the left panel, select the 'API key' in the 'Authorization mode' column from the 'Additional authorization modes' section, and click 'Delete' to remove the API key authorization mode",
"remediable": false,
"remediation.cliScriptTemplate": "",
"remediation.description": "",
"remediation.impact": "",
"compliance.standard": ""
}
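Review bot: `"severity": "informational"` sits oddly with the policy's own `description`, which says API-key authentication exposes the endpoint to unauthorized access and gives limited control over access privileges; consider whether `low` reflects that framing better, or soften the description if informational is intended. Two smaller points: the first sentence of `description` writes `Graphql` where the rest of the file uses `GraphQL`, and the `searchModel.query` combines `authenticationType equals "API_KEY" or additionalAuthenticationProviders[?any( ... )] exists` without grouping parentheses; if the rule language is evaluated left to right this is fine, but explicit grouping would make the intended precedence obvious to the next reader.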
2 changes: 1 addition & 1 deletion policies/AWS-AppSync-has-field-level-logging-disabled.json
Expand Up @@ -5,7 +5,7 @@
"cloudType": "aws",
"severity": "informational",
"name": "AWS AppSync has field-level logging disabled",
"description": "This policy identifies an AWS AppSync GraphQL API not configured with field-level logging.\n\nAWS AppSync is a managed GraphQL service that simplifies the development of scalable APIs. \\\"field-level\\\" security offers a fine-grained approach to defining permissions and access control for individual fields within a GraphQL schema. It allows precisely regulate which users or clients can read or modify specific fields in an API. This level of control ensures that sensitive data is protected and that access is restricted only to those with appropriate authorization.\n\nWithout field-level security, control over specific fields within the schema is lost, causing the risk of sensitive data exposure. Additionally, the absence of this feature limits the implementation of fine-grained access control policies based on user roles or contextual information, thereby undermining the overall security of the application.\n\nIt is recommended to enable field-level security to mitigate the risks by enforcing access control at a granular level, ensuring that only authorized users can access or modify specific fields based on your defined policies and requirements.",
"description": "This policy identifies an AWS AppSync GraphQL API not configured with field-level logging with either 'ERROR' or 'ALL'.\n\nAWS AppSync is a managed GraphQL service that simplifies the development of scalable APIs. Field-level logging in AWS AppSync lets you capture detailed logs for specific fields in your GraphQL API. Without enabling field-level logging, the security monitoring and debugging capabilities may be compromised, increasing the risk of undetected threats and vulnerabilities.\n\nIt is recommended to enable field-level logging to ensure granular visibility into API requests, aiding in security, and compliance with regulatory requirements.",
"rule.criteria": "bffc2f87-93bd-44fe-b73a-be84220fa8eb",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-appsync-graphql-api' AND json.rule = logConfig.fieldLogLevel is not member of ('ERROR','ALL')",
"recommendation": "To turn on field-level logging on an AWS AppSync GraphQL API,\n\n1. Sign in to the AWS Management Console.\n2. In the console, select the specific region from the region drop-down on the top right corner, for which the alert is generated\n3. In the navigation pane, choose 'AWS AppSync' under the 'Front-end Web & Mobile' section.\n4. On the APIs page, choose the name of a reported GraphQL API.\n5. On your API's homepage, in the navigation pane, choose Settings.\n6. Under Logging, Turn on Enable Logs.\n7. Under Field resolver log level, choose your preferred field-level logging level Error or All according to your business requirements.\n8. Under Create or use an existing role, choose New role to create a new AWS Identity and Access Management (IAM) that allows AWS AppSync to write logs to CloudWatch. Or, choose the Existing role to select the Amazon Resource Name (ARN) of an existing IAM role in your AWS account.\n9. Choose Save.",
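Review bot: This rewrite corrects a real mismatch: the previous `description` talked about field-level security (access control on schema fields), while the unchanged query `logConfig.fieldLogLevel is not member of ('ERROR','ALL')` checks field-level logging. The changelog lists it only as "1 config policy updated"; a short note there that the description was corrected, not just reworded, would help anyone who tuned or dismissed this alert based on the old text. Minor: "aiding in security, and compliance with regulatory requirements" has a stray comma before "and".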
Expand Up @@ -20,7 +20,7 @@
"CSA CCM v.4.0.1",
"Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 2)",
"HITRUST CSF v.9.6.0",
"HITRUST v.9.4.2",
"HITRUST v.9.4.2 [Deprecated]",
"ISO/IEC 27002:2013",
"ISO/IEC 27017:2015",
"ISO/IEC 27018:2019",