TotalCloud Release 2.25

June 29, 2026

This release introduces enhanced policy management with in-place editing, expanded cloud inventory visibility, and new AI security capabilities. It also includes improvements to Cloud Detection and Response (CDR), new tokens and security controls across AWS, Azure, and GCP, along with usability enhancements and key issue fixes to improve accuracy and performance.

Edit Policy Details Directly from Policy Page

Applicable for:  aws azure gcp oci

You can now modify Policy Information, Controls, and Tags/Connectors directly from the Policy Details page. An Edit button has been introduced so that you can update policies more quickly. This enhancement reduces the number of navigation steps and provides a more streamlined editing experience.

For User Defined policies: Edit is available on the Policy Information, Controls, and Tags/Connectors tabs.


For System Defined policies: Edit is available on the Tags/Connectors tab.


  • You must have edit (CRUD) permissions to edit policies.
  • Edit is not available for System-Defined policies on the Policy Information tab and the Controls tab.
  • Build-Time policies do not support the Tags/Connectors tab.

Enhanced Inventory Export with Lambda Runtime Details

Applicable for:  aws

The download option on the Inventory listing page is now enriched with Lambda Runtime details for the Lambda Function resource type, enabling more efficient offline review and management.

To download the enriched CSV file, navigate to Inventory > Cloud > Lambda Function, and then click Download.


You can view the Lambda Runtime details in the downloaded CSV file.


Unified View for GCP Firewall Rules and Source Ranges

Applicable for:  gcp

You can now view Source Ranges and Firewall Rules together in a consolidated view for GCP Firewall Rules in TotalCloud Inventory. This eliminates the need to switch between tabs to correlate source IP ranges with their corresponding firewall rules.

You can also view up to 5,000 source IP ranges for a firewall rule.

To view the Source Ranges and Firewall Rules, navigate to Inventory > Cloud > GCP > Firewall Rules, then click any entry in the list. The Firewall Rules tab displays the Source Ranges details.

Expanded Visibility of AWS Account Tags in Inventory

Applicable for:  aws 

This release introduces support for Account Tags across all AWS inventory types. A new Account Tags sub-tab under the Tags section displays the Key-Value pairs for all account-level tags associated with an AWS resource. Account Tags are also available via APIs, and for resources with detailed inventory support, tag information is displayed in the UI.

To view AWS Account Tags, navigate to Inventory, click on any resource of AWS inventory type, and then go to Tags > Account Tags.

You can also search for resources by using the existing aws.account.tag.key token in QQL queries and in the Connectors application.

AI Security Controls for Cloud Posture Management

Applicable for:  aws azure gcp

Added support for inventory and assessment of select AI services in the cloud, along with a new set of security controls to strengthen posture management for AI workloads. These controls help identify misconfigurations and risks, improving visibility and compliance for AI resources. See the full list of controls under Control Updates below.

Expanded Azure CIEM Inventory Coverage

Applicable for:  azure

You can now view eight additional Azure Cloud Infrastructure Entitlement Management (CIEM) resource types at both tenant and subscription levels. This update gives you better visibility into identity and access management resources.

Tenant-level resources: Entra ID Users, Entra ID Groups, Service Principals, App Registrations. These use delta-based synchronization to capture incremental updates. A full inventory synchronization occurs approximately every 30 days from the last full connector run; any connector run triggered within this 30-day period performs only delta synchronization, and a full inventory is not executed until the 30-day interval has passed.

Subscription-level resources: Role Assignments, Role Definitions, Deny Assignments, and Managed Identities. These are refreshed through a full sync every 24 hours.


  • When no subscription filter is applied, both tenant-level and subscription-level resources are displayed.
  • When a subscription is selected, only subscription-level resources are shown.

Extended Default Time Filter (7 Days)

Applicable for:  aws azure gcp oci

The default time filter on the TotalCloud UI has been updated from Last 24 hours to Last 7 days. This change enhances visibility into a broader set of resources and findings without requiring manual filter adjustments.

The updated default time filter applies to the following TotalCloud sections:

  • Dashboard
  • Inventory
  • Posture
  • Insights
  • Report Creation

You can still customize the time filter as needed.

GCP Vertex AI Resource Inventory Support

Applicable for: gcp 

With this release, we have added support for Google Cloud Vertex AI in TotalCloud, enabling you to better understand and manage your AI/ML assets within your GCP environment.

You can now discover and inventory Vertex AI Model Registry resources, along with related details such as model deployments and associated labels. This helps bring structure and visibility to resources that are often distributed across projects and teams.


CDR Enhancements and Updates

The following sections describe the enhancements made to the Cloud Detection and Response (CDR) environment in the upcoming CDR release.

FedRAMP High Support for CDR Appliance Deployment

The CDR Appliance now supports deployment in FedRAMP High environments, with enhancements to configuration and registration workflows to meet stricter security and compliance requirements.

FedRAMP High support is fully enabled when the CDR Appliance (version 3.7.0) is used with Network Passive Sensor (NPS) Release 2.4 or later.

Cloud Activity-Based Alerting for AWS

Applicable for:  aws 

This release introduces rule-based alerting for cloud activity events across AWS environments. The feature ingests AWS CloudTrail activity logs and generates alerts only for events that match predefined detection rules, reducing noise and highlighting critical actions.

The release includes 13 predefined rules that detect key security and operational changes, such as IAM/user and policy updates, security group modifications, storage changes (e.g., S3), resource lifecycle events (start/stop), and others.

Select Cloud Events from the source drop-down to view CloudTrail-related events.
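The following is an added example, not TotalCloud's CDR rule engine, showing the technique described above: CloudTrail records are parsed, each event is tested against a small set of predefined detection rules, and only matching events produce alerts. The rule names, severities, and the sample log records are constructed for illustration; they are not the 13 predefined rules shipped with the release.

```python
"""Rule-based alerting over AWS CloudTrail activity events (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    matches: Callable[[dict], bool]


def _names(source: str, *names: str) -> Callable[[dict], bool]:
    """Match events from one eventSource whose eventName is in a fixed set."""
    wanted = set(names)
    return lambda e: e.get("eventSource") == source and e.get("eventName") in wanted


def _pattern(source: str, regex: str) -> Callable[[dict], bool]:
    """Match events from one eventSource whose eventName matches a regex."""
    rx = re.compile(regex)
    return lambda e: e.get("eventSource") == source and rx.fullmatch(e.get("eventName", "")) is not None


# Constructed rules in the spirit of the categories named in the release notes.
RULES: List[Rule] = [
    Rule("IAM policy change", "high", _names("iam.amazonaws.com",
         "PutUserPolicy", "AttachUserPolicy", "PutRolePolicy", "AttachRolePolicy", "CreatePolicyVersion")),
    Rule("IAM user or access key lifecycle", "medium", _names("iam.amazonaws.com",
         "CreateUser", "DeleteUser", "CreateAccessKey", "DeleteAccessKey")),
    Rule("Security group modification", "high",
         _pattern("ec2.amazonaws.com", r"(Authorize|Revoke)SecurityGroup(Ingress|Egress)")),
    Rule("S3 bucket policy or ACL change", "high", _names("s3.amazonaws.com",
         "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutBucketPublicAccessBlock")),
    Rule("EC2 instance lifecycle", "low", _names("ec2.amazonaws.com",
         "StartInstances", "StopInstances", "TerminateInstances")),
]


def load_records(log_body: str) -> List[dict]:
    """Parse one CloudTrail log file body ({"Records": [...]}) into event dicts."""
    return json.loads(log_body).get("Records", [])


def evaluate(records: List[dict], rules: List[Rule] = RULES) -> List[dict]:
    """Return one alert per (event, rule) match; events matching no rule are dropped."""
    alerts = []
    for event in records:
        for rule in rules:
            if rule.matches(event):
                alerts.append({
                    "rule": rule.name,
                    "severity": rule.severity,
                    "eventName": event.get("eventName"),
                    "eventTime": event.get("eventTime"),
                    "actor": event.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": event.get("sourceIPAddress"),
                })
    return alerts


# Constructed sample log: five events, four of which match a rule (DescribeInstances is noise).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2026-06-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2026-06-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/reader"}},
    {"eventTime": "2026-06-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2026-06-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]})


if __name__ == "__main__":
    for alert in evaluate(load_records(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['eventName']} by {alert['actor']}")
```

Each rule is keyed on the eventSource as well as the eventName, so an eventName that happens to be reused across services cannot trigger the wrong rule; read-only calls such as DescribeInstances fall through every rule and produce no alert, which is the noise reduction the feature is meant to deliver.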


New Tokens

The following sections describe the new tokens introduced as part of TotalCloud 2.25.0.

Common Tokens

Applicable for:  aws azure gcp 

Token Type | Resource Type | Name | Description | Example
Inventory | AWS: EC2, S3, LB, IAM User, Lambda; Azure: VM; GCP: VM, Load Balancing Forwarding Rules, Cloud Run Service | cloud.resource.hasAttackPath | Use this to find cloud resources with attack path enabled. | cloud.resource.hasAttackPath: true

Inventory Tokens

Applicable for:  aws azure gcp 

Platform | Resource Type | Name | Description | Example
AWS | All supported, except Directory, MQ Broker, KMS, Route 53 Record, API Gateway, Launch Configuration, Bedrock Custom Model, Bedrock Provisioned Throughput | cloud.resource.isDeleted | Use this token to find cloud resources based on their deletion status. | cloud.resource.isDeleted: true
Azure | Entra ID User | azure.entraIdUser.userType | Use this to find Microsoft Entra ID users by user type. | azure.entraIdUser.userType: Guest
Azure | Entra ID User | azure.entraIdUser.userPrincipalName | Use this to find Microsoft Entra ID users by user principal name. | azure.entraIdUser.userPrincipalName: [email protected]
Azure | Entra ID User | azure.entraIdUser.name | Use this to find Microsoft Entra ID users by name. | azure.entraIdUser.name: John Doe
Azure | Entra ID User | azure.entraIdUser.groupName | Use this to find Microsoft Entra ID users by group name. | azure.entraIdUser.groupName: Developers
Azure | Entra ID Group | azure.entraIdGroup.name | Use this to find Microsoft Entra ID groups by name. | azure.entraIdGroup.name: Developers
Azure | Entra ID Group | azure.entraIdGroup.groupName | Use this to find Microsoft Entra ID groups by group name. | azure.entraIdGroup.groupName: Security Team
Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.applicationId | Use this to find Microsoft Entra ID service principals by application ID. | azure.entraIdServicePrincipal.applicationId: 12345678-abcd-1234567890ab
Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.name | Use this to find Microsoft Entra ID service principals by name. | azure.entraIdServicePrincipal.name: MyServicePrincipal
Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.appOwnerOrganizationId | Use this to find Microsoft Entra ID service principals by application owner organization ID. | azure.entraIdServicePrincipal.appOwnerOrganizationId: 12345678-abcd-1234567890ab
Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.servicePrincipalType | Use this to find Microsoft Entra ID service principals by service principal type. | azure.entraIdServicePrincipal.servicePrincipalType: ManagedIdentity
Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.groupName | Use this to find Microsoft Entra ID service principals by group name. | azure.entraIdServicePrincipal.groupName: Operations Team
Azure | Entra ID App Registrations | azure.entraIdAppRegistration.applicationId | Use this to find Microsoft Entra ID app registrations by application ID. | azure.entraIdAppRegistration.applicationId: 12345678-abcd-1234567890ab
Azure | Entra ID App Registrations | azure.entraIdAppRegistration.name | Use this to find Microsoft Entra ID app registrations by name. | azure.entraIdAppRegistration.name: MyApplication
Azure | Managed Identities | azure.managedidentities.tenantId | Use this to find Azure managed identities by tenant ID. | azure.managedidentities.tenantId: 12345678-abcd-1234-abcd-1234567890ab
Azure | Managed Identities | azure.managedidentities.principalId | Use this to find Azure managed identities by principal ID. | azure.managedidentities.principalId: 12345678-abcd-1234-abcd-1234567890ab
Azure | Role Definitions | azure.roledefinitions.roleName | Use this to find Azure role definitions by role name. | azure.roledefinitions.roleName: Contributor
Azure | Role Definitions | azure.roledefinitions.roleType | Use this to find Azure role definitions by role type. | azure.roledefinitions.roleType: CustomRole
Azure | Role Assignment | azure.roleAssignment.principalType | Use this to find Azure role assignments by principal type. | azure.roleAssignment.principalType: User
Azure | Role Assignment | azure.roleAssignment.principalId | Use this to find Azure role assignments by principal ID. | azure.roleAssignment.principalId: 12345678-abcd-1234-abcd-1234567890ab
Azure | Role Assignment | azure.roleAssignment.roleDefinitionId | Use this to find Azure role assignments by role definition ID. | azure.roleAssignment.roleDefinitionId: 12345678-abcd-1234-abcd-1234567890ab
Azure | Role Assignment | azure.roleAssignment.scope | Use this to find Azure role assignments by scope. | azure.roleAssignment.scope: /subscriptions/12345678-abcd-1234-abcd-1234567890ab
Azure | Role Assignment | azure.roleAssignment.conditionVersion | Use this to find Azure role assignments by condition version. | azure.roleAssignment.conditionVersion: 2.0
Azure | Deny Assignment | azure.denyAssignment.scope | Use this to find Azure deny assignments by scope. | azure.denyAssignment.scope: /subscriptions/12345678-abcd-1234567890ab
Azure | Deny Assignment | azure.denyAssignment.isSystemProtected | Use this to find Azure deny assignments by system protected status. | azure.denyAssignment.isSystemProtected: true
Azure | Deny Assignment | azure.denyAssignment.doNotApplyToChildScopes | Use this to find Azure deny assignments by child scope applicability. | azure.denyAssignment.doNotApplyToChildScopes: true
Azure | Deny Assignment | azure.denyAssignment.conditionVersion | Use this to find Azure deny assignments by condition version. | azure.denyAssignment.conditionVersion: 2.0
GCP | Model Registry (Vertex AI) | gcp.vertexaimodel.id | Use this to find GCP Vertex AI models with a certain model ID. | gcp.vertexaimodel.id: 1234567890123456789
GCP | Model Registry (Vertex AI) | gcp.vertexaimodel.source | Use this to find GCP Vertex AI models with a certain source. | gcp.vertexaimodel.source: MODEL_GARDEN

Posture Tokens

Applicable for:  aws 

Platform | Name | Description | Example
AWS | cloud.resource.isDeleted | Use this token to find cloud resources based on their deletion status. | cloud.resource.isDeleted: true

Control Updates

New AWS IaC Build-Time Controls

Applicable for:  aws 

Platform | CID | Title | Service | Resource | Criticality | Policy
AWS | 672 | Ensure ECS Cluster enables logging of ECS Exec | ECS | ECS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 674 | Ensure that GuardDuty detector is enabled | Guard Duty | Guard Duty | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 675 | Ensure DAX cluster endpoint is using TLS | Dynamo DB | DAX Cluster | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 676 | Ensure replicated backups are encrypted at rest using KMS CMKs | RDS | RDS | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 677 | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | RDS | RDS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 678 | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Elasticsearch Service | ES Domain | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 679 | Ensure that Elasticsearch is not using the default Security Group | Elasticsearch Service | ES Domain | Medium | AWS Infrastructure as Code Security Best Practices Policy
AWS | 680 | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | ECS | ECS Task Definition | Medium | AWS Infrastructure as Code Security Best Practices Policy
AWS | 681 | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension | RDS | RDS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 682 | Ensure CloudTrail logging is enabled | Cloud Trail | Cloud Trail | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 683 | Ensure CloudTrail defines an SNS Topic | Cloud Trail | Cloud Trail | Medium | AWS Infrastructure as Code Security Best Practices Policy
AWS | 684 | Ensure DLM cross region events are encrypted | EC2 | Lifecycle Manager | Medium | AWS Infrastructure as Code Security Best Practices Policy
AWS | 685 | Ensure DLM cross region events are encrypted with Customer Managed Key | EC2 | Lifecycle Manager | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 686 | Ensure Kinesis Firehose delivery stream is encrypted | Kinesis | Firehose | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 687 | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Kinesis | Firehose | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 688 | Ensure MWAA environment has scheduler logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 689 | Ensure MWAA environment has worker logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 690 | Ensure MWAA environment has webserver logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 691 | Ensure DLM cross region schedules are encrypted | EC2 | EBS | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 692 | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | EC2 | EBS | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 693 | Ensure CodeCommit branch changes have at least 2 approvals | Code Commit | Code Commit Repository | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 694 | Ensure that Lambda function URLs AuthType is not None | Lambda | Lambda | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 695 | Ensure CloudFront response header policy enforces Strict Transport Security | Cloud Front | CloudFront Distribution | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 696 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | VPC | VPC Security Group | High | AWS Infrastructure as Code Security Best Practices Policy
AWS | 698 | Ensure HTTP HTTPS Target group defines Healthcheck | EC2 | Load Balancer | High | AWS Infrastructure as Code Security Best Practices Policy
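To make concrete what a build-time control evaluates, the following added example (not TotalCloud's own control logic) implements three of the controls in the table above, CIDs 682, 694 and 696, against a CloudFormation template parsed as JSON. The resource property names are the standard CloudFormation ones for AWS::CloudTrail::Trail, AWS::Lambda::Url and AWS::EC2::SecurityGroup; the template itself is constructed for illustration and mixes failing and passing resources so the output shows only the failures.

```python
"""Build-time (IaC) evaluation of CIDs 682, 694 and 696 over a CloudFormation template (added example)."""
import json
from typing import Callable, Dict, List, Tuple


def _ports_cover(rule: dict, port: int) -> bool:
    """True if an ingress rule's protocol and port range include the given TCP port."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":  # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", 65535))
    return lo <= port <= hi


def _world_open(rule: dict) -> bool:
    """True if the rule's source is the whole IPv4 or IPv6 internet."""
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def fails_682(res: dict) -> bool:
    """CID 682: CloudTrail logging is enabled (IsLogging must be true)."""
    return res["Type"] == "AWS::CloudTrail::Trail" and res.get("Properties", {}).get("IsLogging") is not True


def fails_694(res: dict) -> bool:
    """CID 694: Lambda function URL AuthType is not NONE."""
    auth = str(res.get("Properties", {}).get("AuthType", "")).upper()
    return res["Type"] == "AWS::Lambda::Url" and auth == "NONE"


def fails_696(res: dict) -> bool:
    """CID 696: no security group allows ingress from 0.0.0.0/0 to port 80."""
    props = res.get("Properties", {})
    if res["Type"] == "AWS::EC2::SecurityGroup":
        rules = props.get("SecurityGroupIngress", [])
    elif res["Type"] == "AWS::EC2::SecurityGroupIngress":  # standalone ingress resource
        rules = [props]
    else:
        return False
    return any(_world_open(r) and _ports_cover(r, 80) for r in rules)


CONTROLS: List[Tuple[int, str, Callable[[dict], bool]]] = [
    (682, "Ensure CloudTrail logging is enabled", fails_682),
    (694, "Ensure that Lambda function URLs AuthType is not None", fails_694),
    (696, "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80", fails_696),
]


def evaluate_template(template: dict) -> List[Dict]:
    """Return one finding per (resource, control) failure in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for cid, title, fails in CONTROLS:
            if fails(res):
                findings.append({"cid": cid, "resource": logical_id, "type": res["Type"], "title": title})
    return findings


# Constructed template: PublicUrl, WebSg and AuditTrail fail; IamUrl and InternalSg pass.
SAMPLE_TEMPLATE = {
    "Resources": {
        "PublicUrl": {"Type": "AWS::Lambda::Url",
                      "Properties": {"TargetFunctionArn": {"Ref": "Fn"}, "AuthType": "NONE"}},
        "IamUrl": {"Type": "AWS::Lambda::Url",
                   "Properties": {"TargetFunctionArn": {"Ref": "Fn"}, "AuthType": "AWS_IAM"}},
        "WebSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "web tier",
                                 "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80,
                                                           "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
        "InternalSg": {"Type": "AWS::EC2::SecurityGroup",
                       "Properties": {"GroupDescription": "internal",
                                      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                                                "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
        "AuditTrail": {"Type": "AWS::CloudTrail::Trail",
                       "Properties": {"S3BucketName": "example-audit-bucket", "IsLogging": False}},
    }
}


if __name__ == "__main__":
    print(json.dumps(evaluate_template(SAMPLE_TEMPLATE), indent=2))
```

Port-range handling is where such checks usually go wrong: a rule of "IpProtocol: -1" or "FromPort: 0, ToPort: 65535" exposes port 80 just as surely as an explicit 80/80 rule, so the check tests whether the range covers the port rather than comparing for equality.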

New AWS Runtime Controls

Applicable for:  aws 

Platform | CID | Title | Service | Resource | Criticality | Policy
AWS | 668 | Ensure access to AWSCloudShellFullAccess is restricted | IAM | IAM Policy | High | CIS Amazon Web Services Foundations Benchmark
AWS | 699 | Ensure access keys are rotated every 90 days or less | IAM | IAM User | High | CIS Amazon Web Services Foundations Benchmark

New AWS Controls (Without Policy Attachment)

Applicable for:  aws 

Platform | CID | Title | Service | Resource | Criticality
AWS | 662 | Ensure CloudFront logging is enabled | CLOUD_FRONT | CLOUDFRONT_DISTRIBUTION | High
AWS | 663 | Ensure Elastic Beanstalk environments do not use container-based platform | ELASTIC_BEANSTALK | ELASTIC_BEANSTALK_ENVIRONMENT | Medium
AWS | 664 | Ensure AWS Systems Manager (SSM) documents are not publicly shared | SYSTEM_MANAGER | SSM_DOCUMENT | High
AWS | 665 | Ensure Network Firewalls are deployed in multiple Availability Zones | VPC | NETWORK_FIREWALL | High
AWS | 666 | Ensure Network Firewall policies are associated with stateful or stateless rule groups | VPC | NETWORK_FIREWALL_POLICY | High
AWS | 667 | Ensure MSK cluster should not be publicly accessible | MSK | MSK_CLUSTER | High
AWS | 670 | AWS Cognito identity pool must not allow unauthenticated guest access | AMAZON_COGNITO | IDENTITY_POOL | High
AWS | 671 | Ensure that a Cloud Formation stack actual configuration does not differ or drift from the expected configuration | CLOUDFORMATION | CLOUDFORMATION_STACK | Medium
AWS | 673 | Amazon EC2 Auto Scaling group must cover multiple Availability Zones | EC2 | AUTO_SCALING_GROUP | High

New Controls in CIS Microsoft Azure Compute Services Benchmark

Applicable for:  azure 

Platform | Control ID | Title | Service Type | Resource Type | Criticality | Policy Name
Azure | 50619 | Ensure Remote debugging is set to Off for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50620 | Ensure Remote debugging is set to Off for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50621 | Ensure Client Certificates (Incoming client certificates) set to On for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50622 | Ensure Client Certificates (Incoming client certificates) set to On for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50623 | Ensure managed identities are configured for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50624 | Ensure managed identities are configured for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50625 | Ensure public network access is disabled for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50626 | Ensure public network access is disabled for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50627 | Ensure virtual network integration for deployment slots of API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50628 | Ensure virtual network integration for deployment slots of Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50629 | Ensure configuration is routed through the virtual network integration for deployment slots of API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50630 | Ensure configuration is routed through the virtual network integration for deployment slots of Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50631 | Ensure all traffic is routed through the virtual network for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50632 | Ensure all traffic is routed through the virtual network for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50633 | Ensure cross-origin resource sharing does not allow all origins for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50634 | Ensure cross-origin resource sharing does not allow all origins for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50635 | Ensure configuration is routed through the virtual network integration for API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0
Azure | 50636 | Ensure configuration is routed through the virtual network integration for Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0

New Controls in CIS Oracle Cloud Infrastructure Foundation Benchmark Policy

Applicable for:  oci 

Platform | CID | Title | Service | Resource | Criticality | Policy
OCI | 40102 | Ensure no resources are created in the root compartment | IAM | COMPARTMENT | High | Oracle Infrastructure Foundation Benchmark Policy

New Controls in AWS for AI SPM (Without Policy Attachment)

Applicable for:  aws 

Platform | CID | Title | Service | Resource | Criticality
AWS | 648 | Comprehend Entity Recognizer model should be encrypted with a customer-managed key | COMPREHEND | COMPREHEND_ENTITY_RECOGNIZER_MODEL | High
AWS | 649 | Comprehend Entity Recognizer volume should be encrypted with a customer-managed key | COMPREHEND | COMPREHEND_ENTITY_RECOGNIZER_MODEL | High
AWS | 650 | Ensure AWS Bedrock Guardrails have PII detection filters configured | BEDROCK | BEDROCK_GUARDRAILS | High
AWS | 651 | Ensure AWS Bedrock Guardrail has prompt injection protection enabled and input strength set to HIGH | BEDROCK | BEDROCK_GUARDRAILS | High
AWS | 652 | Ensure AWS Bedrock Guardrails have contextual grounding policy enabled for agent response validation | BEDROCK | BEDROCK_GUARDRAILS | Medium
AWS | 653 | Ensure Amazon Lex V2 bots have Child Directed setting enabled for COPPA compliance | LEX | LEX_BOT | High
AWS | 654 | Ensure Amazon Kendra index is encrypted using a customer-managed KMS key | KENDRA | KENDRA_INDEX | High
AWS | 655 | Ensure Amazon Kendra index enforces user-level access control | KENDRA | KENDRA_INDEX | High
AWS | 656 | Ensure Amazon Translate custom terminology is encrypted using a customer-managed KMS key | TRANSLATE | TRANSLATE_CUSTOM_TERMINOLOGY | High
AWS | 657 | Ensure policy enforcement is enabled for AWS Bedrock AgentCore gateways | BEDROCK_AGENTCORE | BEDROCK_AGENTCORE_GATEWAYS | Medium
AWS | 658 | Ensure AWS Bedrock AgentCore memory is encrypted using a customer-managed KMS key | BEDROCK_AGENTCORE | BEDROCK_AGENTCORE_MEMORY | High
AWS | 659 | Ensure Amazon Personalize dataset groups are encrypted using a customer-managed KMS key | PERSONALIZE | PERSONALIZE_DATASET_GROUP | High
AWS | 660 | Ensure AWS Bedrock Guardrails have profanity filtering enabled | BEDROCK | BEDROCK_GUARDRAILS | Medium
AWS | 661 | Ensure AWS Bedrock Guardrails have denied topics configured | BEDROCK | BEDROCK_GUARDRAILS | Medium

New Controls in Azure for AI SPM (Without Policy Attachment)

Applicable for: azure

Platform | CID | Title | Service | Resource | Criticality
AZURE | 50637 | Ensure Azure AI Search has public network access disabled | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High
AZURE | 50638 | Ensure Azure AI Search uses a private endpoint (Private Link) | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High
AZURE | 50639 | Ensure Azure AI Search with public network access enabled has firewall rules configured | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High
AZURE | 50640 | Ensure Azure OpenAI Service has public network access disabled | COGNITIVE_SERVICES | AZURE_OPEN_AI | High
AZURE | 50641 | Ensure Azure OpenAI Service public network access is restricted | COGNITIVE_SERVICES | AZURE_OPEN_AI | High
AZURE | 50642 | Ensure Azure OpenAI Service is encrypted using a customer-managed key | COGNITIVE_SERVICES | AZURE_OPEN_AI | High
AZURE | 50643 | Ensure Azure OpenAI Service uses a private endpoint (Private Link) | COGNITIVE_SERVICES | AZURE_OPEN_AI | High
AZURE | 50644 | Ensure Azure AI Search SKU supports private endpoint (Private Link) | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High

New Controls in GCP for AI SPM (Without Policy Attachment)

Applicable for: gcp 

Platform | CID | Title | Service | Resource | Criticality
GCP | 52200 | Ensure Vertex AI Workbench instances have integrity monitoring enabled | WORKBENCH | WORKBENCH_INSTANCE | Medium
GCP | 52201 | Ensure Vertex AI Workbench instances have Secure Boot enabled | WORKBENCH | WORKBENCH_INSTANCE | High
GCP | 52202 | Ensure Vertex AI Colab Enterprise Runtime Template should have internet access disabled | COLAB_ENTERPRISE | RUNTIME_TEMPLATES | High
GCP | 52203 | Ensure Vertex AI Colab Enterprise Runtime Template should have idle shutdown enabled | COLAB_ENTERPRISE | RUNTIME_TEMPLATES | Low
GCP | 52204 | Ensure Vertex AI Workbench instances have Vtpm enabled | WORKBENCH | WORKBENCH_INSTANCE | High
GCP | 52205 | Ensure Vertex AI Endpoints are not publicly accessible | VERTEX_AI | VERTEX_AI_ENDPOINT | High
GCP | 52206 | Ensure Vertex AI Endpoints use Customer-Managed Encryption Key | VERTEX_AI | VERTEX_AI_ENDPOINT | High
GCP | 52207 | Ensure Vertex AI Workbench instances should have internet access disabled | WORKBENCH | WORKBENCH_INSTANCE | High

Control Removed from Policy

Applicable for: azure

Platform | CID | Title | Policy
Azure | 50134 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | CIS Azure Foundations Policy

Control Title Changes

Applicable for: azure

Platform | CID | Old Title | New Title
Azure | 50016 | Ensure that Access through Internet facing endpoint should be restricted is set to On | Ensure that All network ports should be restricted on network security groups associated to your virtual machine

Controls Deprecated

Applicable for:  azure

Platform | CID | Description | Control Type | Policy Name
Azure | 50006 | Ensure that Vulnerabilities in security configuration on your machines should be remediated is set to On | RUN_TIME | Azure Best Practices Policy
Azure | 50008 | Ensure that Disk encryption should be applied on virtual machines is set to On | RUN_TIME | Azure Best Practices Policy

Control Migration

Applicable for: azure

Platform | CID | Title | Old Policy | New Policy
Azure | 50016 | Ensure that All network ports should be restricted on network security groups associated to your virtual machine | CIS Azure Foundations Policy | Azure Best Practices Policy

Control Enhancements

Applicable for: azure

Platform | CID | Title
Azure | 562 | Ensure that Network Load Balancer(s) Listeners uses SSL certificates provided by AWS Certificate Manager

Issues Addressed

Applicable for:  aws azure gcp oci

We fixed the following important and notable issues in this release.

Category/Component | Issue
TotalCloud-UI | We have resolved the issue where IAM User Access Key controls (CID-4 and CID-5) caused false positives due to AWS reassigning Access Key 2 to Access Key 1 after deletion, which also prevented CID-5 evaluation. To address this without impacting existing customer configurations or exceptions, both controls have been retained and a new control (CID 699) has been introduced to handle this scenario effectively.
 | We have resolved the issue where the GCP controls 52062, 52072, and 52071 were giving false positives and logical errors.
CV-ControlEnhancement | We have resolved the issue for CID-351 and CID-562 where certain resources were not being evaluated due to changes in the AWS response format. To address this, the JSONPath in the predicate logic has been updated to align with the latest response structure, ensuring accurate evaluation going forward.
CV - False Positive, CV-ControlEnhancement | We have resolved the issue raised regarding controls CID 50008 and CID 50006 due to parameter deprecation in Azure Microsoft Defender for Cloud's Microsoft Cloud Security Benchmark. CID 50008 has been deprecated as its parameter is no longer supported, while CID 50016 has been updated with the revised parameter name along with necessary predicate enhancements and evidence additions to ensure correct evaluation.
CV-IaC | We have resolved the issue where IaC scanning was stuck in the SUBMITTED state.
CV - Reports, CV - UI | We have resolved the issue where CIS references were missing in the UI and reports.
CV-Monitor | We have resolved the issue of inconsistent evaluations of AWS controls related to EBS snapshots, caused by limitations in the DCEF-based implementation when handling large volumes of snapshots across accounts. The controls (CID 127, 146, 204) have been migrated to an annotation-based approach, enabling consistent evaluation in a single call and ensuring expected performance.
CV-Connectors | We have resolved the issue where incorrect pagination handling for AWS Bedrock Agents and Knowledge Bases caused repeated data retrieval due to misconfigured token injection. The pagination logic has been corrected to align with API requirements, ensuring proper data collection and preventing infinite loops.
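The CV-Connectors fix above describes a class of bug worth recognising in any cloud inventory collector: a pagination token that is sent incorrectly (here, the first token re-injected on every call) makes the API return the same page repeatedly, so data is duplicated and the loop never terminates. The following added example is not TotalCloud's connector code; it contrasts the defective loop with a corrected one that always forwards the most recent token and additionally aborts if a token repeats. The client is a constructed fake whose response shape (an agentSummaries list plus nextToken) mirrors list-style AWS APIs such as bedrock-agent's list_agents.

```python
"""NextToken pagination: the defective pattern beside a guarded, correct one (added example)."""
from typing import Callable, List, Optional


class FakeBedrockAgentClient:
    """Constructed stand-in for a paginated list API; pages are slices of a fixed list."""

    def __init__(self, agents: List[str], page_size: int = 2):
        self._agents = agents
        self._page_size = page_size
        self.calls = 0  # lets a caller see how many API requests were made

    def list_agents(self, nextToken: Optional[str] = None) -> dict:
        self.calls += 1
        start = int(nextToken) if nextToken else 0
        end = start + self._page_size
        page = {"agentSummaries": [{"agentId": a} for a in self._agents[start:end]]}
        if end < len(self._agents):
            page["nextToken"] = str(end)  # token is only present when more pages exist
        return page


def collect_all(list_fn: Callable[..., dict], result_key: str, max_pages: int = 1000) -> List[dict]:
    """Correct loop: forward the token from the previous response; stop when none is returned.

    Two guards bound the work even if the API misbehaves: a repeated token raises
    immediately, and a hard page limit catches any other non-terminating sequence.
    """
    items: List[dict] = []
    token: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        resp = list_fn(nextToken=token) if token else list_fn()
        items.extend(resp.get(result_key, []))
        token = resp.get("nextToken")
        if not token:
            return items
        if token in seen:
            raise RuntimeError(f"pagination token {token!r} repeated; aborting to avoid an infinite loop")
        seen.add(token)
    raise RuntimeError(f"exceeded {max_pages} pages without completing; aborting")


def collect_buggy(list_fn: Callable[..., dict], result_key: str, max_pages: int = 1000) -> List[dict]:
    """The defect: the first token received is injected on every later call instead of the latest one.

    After the second request the API keeps returning the same page, so the result
    fills with duplicates until max_pages is hit (or forever, without that cap).
    """
    items: List[dict] = []
    first_token: Optional[str] = None
    for _ in range(max_pages):
        resp = list_fn(nextToken=first_token) if first_token else list_fn()
        items.extend(resp.get(result_key, []))
        token = resp.get("nextToken")
        if not token:
            return items
        if first_token is None:
            first_token = token  # never updated again: this is the bug
    return items


if __name__ == "__main__":
    agents = ["agent-1", "agent-2", "agent-3", "agent-4", "agent-5"]
    good = FakeBedrockAgentClient(agents)
    print("correct:", [i["agentId"] for i in collect_all(good.list_agents, "agentSummaries")], "calls:", good.calls)
    bad = FakeBedrockAgentClient(agents)
    print("buggy (capped at 5 pages):", [i["agentId"] for i in collect_buggy(bad.list_agents, "agentSummaries", max_pages=5)])
```

The repeated-token guard is cheap and converts a silent duplicate-and-loop failure into an immediate, diagnosable error; the page cap is the backstop for APIs that hand out a fresh token each time without ever finishing.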