Release 2.12
August 30, 2024
What’s New?
TotalCloud 2.12.0 brings updates to the cloud inventory.
Amazon Web Service
Added New Resources to the Cloud Inventory
With this release, we have included support for new resources on the AWS Inventory. The cloud inventory ensures these new resources are assessed against the best global compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, GDPR, etc.
New Resources Introduced
The following are the newly introduced resources in the TotalCloud app.
-
Route53 Hosted Zones
-
Route53 Domains
-
Redshift
Google Cloud Platform
Added New Resources to the Cloud Inventory
With this release, we have included support for new resources on the GCP Inventory. The cloud inventory ensures these new resources are assessed against the best global compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, GDPR, etc.
New Resources Introduced
The following are the newly introduced resources in the TotalCloud app.
- Cloud Load Balancing
- Cloud CDN
Oracle Cloud Infrastructure
Added New Resources to the Cloud Inventory
With this release, we have included support for a new resource on the OCI Inventory. The cloud inventory ensures these new resources are assessed against the best global compliance standards supported by Qualys, such as NIST, PCI DSS, HIPAA, GDPR, etc.
New Resource Introduced
The following is the newly introduced resource in the TotalCloud app.
Load Balancer
New Tokens
With this release, we have introduced support for new tokens.
AWS Resource Tokens
Route53 Hosted Zones
Tokens introduced in the Route53 Hosted Zones resource.
|
Name |
Description |
Example |
|---|---|---|
|
name |
Find Route 53 resources with the specified hosted zone name. | name: example.com |
|
route53.hostedZone.recordname |
Find Route 53 hosted zones with the specified record name. | route53.hostedZone.recordname: www.example.com |
|
route53.hostedZone.isPrivateZone |
Find Route 53 hosted zones based on whether they are private or public | route53.hostedZone.isPrivateZone: true |
| route53.hostedZone.arn | Find Route 53 hosted zones with the specified Amazon Resource Name (ARN) | route53.hostedZone.arn: arn:aws:route53:::hostedzone/Z1PA6795UKMFR9 |
Route53 Domains
Tokens introduced in the Route53 Domains resource.
|
Name |
Description |
Example |
|---|---|---|
|
name |
Find Route 53 resources with the specified Route 53 Domain name. | name: example.com |
| route53.domain.autorenew | Find Route 53 domains based on their auto-renewal status. | route53.domain.autorenew: true |
Redshift
Tokens introduced in the Redshift resource.
|
Name |
Description |
Example |
|---|---|---|
| redshift.clusteridentifier | Find Redshift clusters with the specified cluster identifier. | redshift.clusteridentifier: my-redshift-cluster |
| redshift.clusterstatus | Find Redshift clusters with the specified status (e.g., available, creating, deleting, final-snapshot, modifying, rebooting, renaming, resizing). | redshift.clusterstatus: available |
| redshift.clusternamespacearn | Find Redshift clusters with the specified namespace ARN. | redshift.clusternamespacearn: arn:aws:redshift:us-west-2:123456789012:namespace:my-namespace |
| redshift.kmskeyid | Find Redshift clusters using the specified KMS (Key Management Service) key ID for encryption. | redshift.kmskeyid: 1234abcd-12ab-34cd-56ef-1234567890ab |
GCP Resource Tokens
Cloud Load Balancing
Tokens introduced in the Cloud Load Balancing resource.
|
Name |
Description |
Example |
|---|---|---|
|
name |
Find load balancers with the specified name. | name: web-lb |
| region | Find load balancers in the specified region. | region: us-west-2 |
| loadBalancing.IpAddress | Find load balancers associated with the specified IP address. | loadBalancing.IpAddress: 203.0.113.1 |
| loadBalancing.scheme | Find load balancers with the specified scheme (INTERNAL, EXTERNAL, INTERNAL_MANAGED,INTERNAL_SELF_MANAGED, EXTERNAL_MANAGED). | loadBalancing.scheme: INTERNAL |
| loadBalancing.forwardingRuleTarget | Find load balancers with the specified forwarding rule target. This could be an instance group, IP address, or another resource. | loadBalancing.forwardingRuleTarget: projects/my-project/regions/us-central1/instanceGroups/my-instance-group |
Cloud CDN
Tokens introduced in the Cloud CDN resource.
|
Name |
Description |
Example |
|---|---|---|
| cdn.name | Find CDNs with the specified name. | cdn.name: example |
OCI Resource Tokens
Load Balancer
Tokens introduced in the Load Balancer resource.
|
Name |
Description |
Example |
|---|---|---|
|
name |
Find load balancers with the specified name. | name: web-lb |
|
id |
Find load balancers with the specified id. | id: 12345 |
| compartmentId | Find load balancers with the specified compartment id. | compartmentId: ocid1.compartment.oc1..aaaaaaaax3oie |
| loadbalancer.isPrivate | Find load balancers that are set to private. | loadbalancer.isPrivate: true |
| loadbalancer.isIpPublic | Find load balancers that are set to public. | loadbalancer.isIpPublic: true |
| loadbalancer.shapeName | Find load balancers with the specified shape name. | loadbalancer.shapeName: flexible |
| loadbalancer.lifecycleState | Find load balancers with the specified lifecycle state. |
loadbalancer.lifecycleState: ACTIVE |
Control Changes
Changes introduced to controls in this release.
AWS
New Controls in CIS Amazon Web Services Foundations Benchmark
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
537 |
Ensure security contact information is registered |
ACCOUNT |
ACCOUNT |
|
538 |
Ensure that Images (AMIs) are not older than 90 days |
EC2 |
EC2_IMAGES |
New Controls in AWS Best Practices Policy
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
539 |
Ensure that Images (AMIs) are not unused more than 90 days |
EC2 |
EC2_IMAGES |
Migrated controls from Amazon Web Services Best Practices Policy to AWS Identity Access Management Best Practices Policy
|
CID |
Title |
|---|---|
|
3 |
Ensure access keys unused for 90 days or greater are disabled |
|
6 |
Ensure that custom IAM Password Policy is Defined |
|
7 |
Ensure that custom IAM password policy requires at least one uppercase letter |
|
8 |
Ensure that custom IAM password policy requires at least one lowercase letter |
|
9 |
Ensure that custom IAM password policy requires at least one symbol |
|
10 |
Ensure that custom IAM password policy requires at least one number |
|
13 |
Ensure that custom IAM password policy expires passwords within 90 days or less |
|
17 |
Ensure IAM policies are attached only to groups or roles |
|
399 |
Ensure that all IAM users are members of at least one IAM group |
|
400 |
Ensure an IAM User does not have access to the console |
|
448 |
Ensure that all your SSL/TLS IAM certificates are using 2048 or higher bit RSA keys |
Azure
New control in CIS Microsoft Azure Foundations Benchmark
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
50233 |
PHP version' is the Latest, If Used to Run the Web App |
APP_SERVICE |
WEB_APP |
|
50235 |
Java version' is the latest, if used to run the Web App |
APP_SERVICE |
WEB_APP |
|
50470 |
Ensure that Private Endpoints are Used for Azure Key Vault |
KEY_VAULT |
KEY_VAULT |
|
50471 |
Ensure Private Endpoints are used to access Storage Accounts |
STORAGE_ACCOUNT |
STORAGE_ACCOUNT |
|
50234 |
Python version' is the Latest Stable Version, if Used to Run the Web App |
APP_SERVICE |
WEB_APP |
OCI
New Controls in OCI Best Practices Policy
|
CID |
Title |
Service |
Resource |
|---|---|---|---|
|
40055 |
Ensure Delete Protection is enabled for Loadbalancers |
LOAD_BALANCER |
LOADBALANCER |
Issues Addressed
- We updated the detection logic of the following controls to resolve false positive cases- CID 388, 50036, 52008.
- We have updated the control logic of CID 19 to support AWS Advanced Event Selectors and prevent scenarios of evaluations failures.
- We have updated the control logic of CID 253 to ensure that 'Region' column in the CSV report shows accurate data.