TotalCloud Release 2.25
June 29, 2026
This release introduces enhanced policy management with in-place editing, expanded cloud inventory visibility, and new AI security capabilities. It also includes improvements to Cloud Detection and Response (CDR), new tokens and security controls across AWS, Azure, and GCP, along with usability enhancements and key issue fixes to improve accuracy and performance.
Edit Policy Details Directly from Policy Page
You can now modify Policy Information, Controls, Tags/Connectors, and other policy details directly from the Policy Details page. An Edit button is introduced to help you update policies more quickly. This enhancement reduces the number of navigation steps and provides a more streamlined and user-friendly editing experience.
For User Defined policies: Edit is available on the Policy Information, Controls, and Tags/Connectors tabs.

For System Defined policies: Edit is available on the Tags/Connectors tab.

- You must have edit (CRUD) permissions to edit policies.
- Edit is not available for System-Defined policies on the Policy Information tab and the Controls tab.
- Build-Time policies do not support the Tags/Connectors tab.
Enhanced Inventory Export with Lambda Runtime Details
The download option available on the Inventory listing page is now enriched with Lambda Runtime details for the Lambda Function resource type, enabling more efficient offline review and management.
To download the enriched CSV file, navigate to Inventory > Cloud > Lambda Function, and click Download.

You can view the Lambda RUNTIME Details in the downloaded CSV file.

Unified View for GCP Firewall Rules and Source Ranges
You can now view Source Ranges and Firewall Rules together in a consolidated view for GCP Firewall Rules in TotalCloud Inventory. This eliminates the need to switch between tabs to correlate source IP ranges with their corresponding firewall rules.
You can also view up to 5,000 source IP ranges for a firewall rule.
To view the Source Ranges and Firewall Rules, navigate to Inventory > Cloud > GCP > Firewall Rules, then click any entry from the list. The Firewall Rules tab displays the Source Ranges details.
Expanded Visibility of AWS Account Tags in Inventory
This release introduces support for Account Tags across all AWS inventory types. A new Account Tags sub-tab under the Tags section displays the Key-Value pairs for all account-level tags associated with an AWS resource. Account Tags are also available via APIs, and for resources with detailed inventory support, tag information is displayed in the UI.
To view AWS Account Tags, navigate to Inventory, click on any resource of AWS inventory type, and then go to Tags > Account Tags.

You can also search for resources by using the existing aws.account.tag.key token in QQL queries and in the Connectors application.
AI Security Controls for Cloud Posture Management
This release adds support for inventory and assessment of select AI services in the cloud, along with a new set of security controls to strengthen posture management for AI workloads. These controls help identify misconfigurations and risks, improving visibility and compliance for AI resources. See the full list of controls here.
Expanded Azure CIEM Inventory Coverage
You can now view eight additional Azure Cloud Infrastructure Entitlement Management (CIEM) resource types at both tenant and subscription levels. This update gives you better visibility into identity and access management resources.
Tenant-level resources: Entra ID Users, Entra ID Groups, Service Principals, App Registrations. These use delta-based synchronization to capture incremental updates. A full inventory synchronization occurs approximately every 30 days from the last full connector run.
Any connector run triggered within this 30-day period will perform only delta synchronization. Full inventory is not executed until the 30-day interval has passed.

Subscription-level resources: Role Assignments, Role Definitions, Deny Assignments, and Managed Identities. These are refreshed through a full sync every 24 hours.

- When no subscription filter is applied, both tenant-level and subscription-level resources are displayed.
- When a subscription is selected, only subscription-level resources are shown.
Extended Default Time Filter (7 Days)
The default time filter on the TotalCloud UI has been updated from Last 24 hours to Last 7 days. This change enhances visibility into a broader set of resources and findings without requiring manual filter adjustments.
The updated default time filter applies to the following TotalCloud sections:
- Dashboard
- Inventory
- Posture
- Insights
- Report Creation

You can still customize the time filter as needed.
GCP Vertex AI Resource Inventory Support
With this release, we have added support for Google Cloud Vertex AI in TotalCloud, enabling you to better understand and manage your AI/ML assets within your GCP environment.
You can now discover and inventory Vertex AI Model Registry resources, along with related details such as model deployments and associated labels. This helps bring structure and visibility to resources that are often distributed across projects and teams.

CDR Enhancements and Updates
The following sections describe the enhancements made to the Cloud Detection and Response (CDR) environment in the upcoming CDR release.
FedRAMP High Support for CDR Appliance Deployment
The CDR Appliance now supports deployment in FedRAMP High environments, with enhancements to configuration and registration workflows to meet stricter security and compliance requirements.
FedRAMP High support is fully enabled when the CDR Appliance (version 3.7.0) is used with Network Passive Sensor (NPS) Release 2.4 or later.
Cloud Activity-Based Alerting for AWS
This release introduces rule-based alerting for cloud activity events across AWS environments. The feature ingests AWS CloudTrail activity logs and generates alerts only for events that match predefined detection rules, reducing noise and highlighting critical actions.
The release includes 13 predefined rules that detect key security and operational changes, such as IAM/user and policy updates, security group modifications, storage changes (e.g., S3), resource lifecycle events (start/stop), and others.
Select Cloud Events from the source drop-down to view CloudTrail-related events.
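The rule matching this section describes, written out as an added example. This is not TotalCloud's code and the rules below are not its 13 predefined rules: they are hypothetical rules keyed on CloudTrail `eventSource`/`eventName`, modelled on the categories the release note lists (IAM/policy updates, security group modifications, S3 changes, start/stop lifecycle events), and the CloudTrail batch they run over is constructed.

```python
"""Rule-based alerting over AWS CloudTrail events.

Added example, not TotalCloud's own code or its 13 predefined rules: the
rule set is hypothetical and the CloudTrail records are constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str               # short rule identifier (hypothetical)
    category: str           # category from the release note's list
    event_source: str       # CloudTrail eventSource, e.g. iam.amazonaws.com
    event_names: frozenset  # eventName values that trigger the rule
    severity: str


# Hypothetical rules modelled on the categories the release note names.
RULES = (
    Rule("iam-policy-change", "IAM/user and policy update", "iam.amazonaws.com",
         frozenset({"CreateUser", "DeleteUser", "AttachUserPolicy",
                    "PutUserPolicy", "CreatePolicyVersion"}), "high"),
    Rule("sg-rule-change", "Security group modification", "ec2.amazonaws.com",
         frozenset({"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                    "AuthorizeSecurityGroupEgress"}), "high"),
    Rule("s3-access-change", "Storage change (S3)", "s3.amazonaws.com",
         frozenset({"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                    "PutBucketPublicAccessBlock"}), "high"),
    Rule("ec2-lifecycle", "Resource lifecycle (start/stop)", "ec2.amazonaws.com",
         frozenset({"StartInstances", "StopInstances", "TerminateInstances"}), "medium"),
)


def match_rules(event, rules=RULES):
    """Return the rules one CloudTrail record matches (empty list = no alert).

    Records carrying errorCode are skipped: the API call was rejected, so the
    change it describes never took effect.
    """
    if event.get("errorCode"):
        return []
    return [r for r in rules
            if event.get("eventSource") == r.event_source
            and event.get("eventName") in r.event_names]


def alerts_for(records, rules=RULES):
    """Reduce a batch of CloudTrail records to alerts; unmatched records are dropped as noise."""
    alerts = []
    for ev in records:
        for rule in match_rules(ev, rules):
            alerts.append({
                "rule": rule.name,
                "category": rule.category,
                "severity": rule.severity,
                "event": ev["eventName"],
                "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
                "source_ip": ev.get("sourceIPAddress"),
                "time": ev.get("eventTime"),
            })
    return alerts


# Constructed CloudTrail log batch, trimmed to the fields the rules read.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2026-06-29T10:00:01Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"userName": "bob",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2026-06-29T10:00:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2026-06-29T10:00:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
 {"eventTime": "2026-06-29T10:00:04Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}},
 {"eventTime": "2026-06-29T10:00:05Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}}
]}"""

SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


if __name__ == "__main__":
    # Five records in, three alerts out: the read-only DescribeInstances call
    # and the rejected PutBucketPolicy call are dropped as noise.
    for a in alerts_for(SAMPLE_RECORDS):
        print(f"[{a['severity']}] {a['rule']}: {a['event']} by {a['principal']} from {a['source_ip']}")
```

Real CloudTrail records carry far more fields than this trimmed batch; a production rule would also inspect `requestParameters` (for instance the CIDR and port range in a security group rule, or the policy ARN being attached) before assigning severity, which is where a rule set earns its signal-to-noise ratio.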
New Tokens
The following section describes the new tokens introduced as part of TotalCloud 2.25.0.
Common Tokens
| Token Type | Resource Type | Name | Description | Example |
|---|---|---|---|---|
| Inventory | AWS: EC2, S3, LB, IAM User, Lambda; Azure: VM; GCP: VM, Load Balancing Forwarding Rules, Cloud Run Service | cloud.resource.hasAttackPath | Use this to find cloud resources with attack path enabled. | cloud.resource.hasAttackPath: true |
Inventory Tokens
| Platform | Resource Type | Name | Description | Example |
|---|---|---|---|---|
| AWS | All supported, except Directory, MQ Broker, KMS, Route 53 Record, API Gateway, Launch Configuration, Bedrock Custom Model, Bedrock Provisioned Throughput | cloud.resource.isDeleted | Use this token to find cloud resources based on their deletion status. | cloud.resource.isDeleted: true |
| Azure | Entra ID User | azure.entraIdUser.userType | Use this to find Microsoft Entra ID users by user type. | azure.entraIdUser. |
| Azure | Entra ID User | azure.entraIdUser.userPrincipalName | Use this to find Microsoft Entra ID users by user principal name. | azure.entraIdUser. |
| Azure | Entra ID User | azure.entraIdUser.name | Use this to find Microsoft Entra ID users by name. | azure.entraIdUser.name: John Doe |
| Azure | Entra ID User | azure.entraIdUser.groupName | Use this to find Microsoft Entra ID users by group name. | azure.entraIdUser.groupName: Developers |
| Azure | Entra ID Group | azure.entraIdGroup.name | Use this to find Microsoft Entra ID groups by name. | azure.entraIdGroup.name: Developers |
| Azure | Entra ID Group | azure.entraIdGroup.groupName | Use this to find Microsoft Entra ID groups by group name. | azure.entraIdGroup.groupName: Security Team |
| Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.applicationId | Use this to find Microsoft Entra ID service principals by application ID. | azure.entraIdServicePrincipal. |
| Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.name | Use this to find Microsoft Entra ID service principals by name. | azure.entraIdServicePrincipal. |
| Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.appOwnerOrganizationId | Use this to find Microsoft Entra ID service principals by application owner organization ID. | azure.entraIdServicePrincipal. |
| Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.servicePrincipalType | Use this to find Microsoft Entra ID service principals by service principal type. | azure.entraIdServicePrincipal. |
| Azure | Entra ID Service Principals | azure.entraIdServicePrincipal.groupName | Use this to find Microsoft Entra ID service principals by group name. | azure.entraIdServicePrincipal. |
| Azure | Entra ID App Registrations | azure.entraIdAppRegistration.applicationId | Use this to find Microsoft Entra ID app registrations by application ID. | azure.entraIdAppRegistration. |
| Azure | Entra ID App Registrations | azure.entraIdAppRegistration.name | Use this to find Microsoft Entra ID app registrations by name. | azure.entraIdAppRegistration. |
| Azure | Managed Identities | azure.managedidentities.tenantId | Use this to find Azure managed identities by tenant ID. | azure.managedidentities. |
| Azure | Managed Identities | azure.managedidentities.principalId | Use this to find Azure managed identities by principal ID. | azure.managedidentities. |
| Azure | Role Definitions | azure.roledefinitions.roleName | Use this to find Azure role definitions by role name. | azure.roledefinitions.roleName: Contributor |
| Azure | Role Definitions | azure.roledefinitions.roleType | Use this to find Azure role definitions by role type. | azure.roledefinitions.roleType: CustomRole |
| Azure | Role Assignment | azure.roleAssignment.principalType | Use this to find Azure role assignments by principal type. | azure.roleAssignment. |
| Azure | Role Assignment | azure.roleAssignment.principalId | Use this to find Azure role assignments by principal ID. | azure.roleAssignment. |
| Azure | Role Assignment | azure.roleAssignment.roleDefinitionId | Use this to find Azure role assignments by role definition ID. | azure.roleAssignment. |
| Azure | Role Assignment | azure.roleAssignment.scope | Use this to find Azure role assignments by scope. | azure.roleAssignment.scope: /subscriptions/12345678-abcd-1234-abcd-1234567890ab |
| Azure | Role Assignment | azure.roleAssignment.conditionVersion | Use this to find Azure role assignments by condition version. | azure.roleAssignment. |
| Azure | Deny Assignment | azure.denyAssignment.scope | Use this to find Azure deny assignments by scope. | azure.denyAssignment.scope: /subscriptions/12345678-abcd-1234567890ab |
| Azure | Deny Assignment | azure.denyAssignment.isSystemProtected | Use this to find Azure deny assignments by system protected status. | azure.denyAssignment. |
| Azure | Deny Assignment | azure.denyAssignment.doNotApplyToChildScopes | Use this to find Azure deny assignments by child scope applicability. | azure.denyAssignment. |
| Azure | Deny Assignment | azure.denyAssignment.conditionVersion | Use this to find Azure deny assignments by condition version. | azure.denyAssignment. |
| GCP | Model Registry (Vertex AI) | gcp.vertexaimodel.id | Use this to find GCP Vertex AI models with a certain model ID. | gcp.vertexaimodel.id: 1234567890123456789 |
| GCP | Model Registry (Vertex AI) | gcp.vertexaimodel.source | Use this to find GCP Vertex AI models with a certain source. | gcp.vertexaimodel.source: MODEL_GARDEN |
Posture Tokens
| Platform | Name | Description | Example |
|---|---|---|---|
| AWS | cloud.resource.isDeleted | Use this token to find cloud resources based on their deletion status | cloud.resource.isDeleted: true |
Control Updates
New AWS IaC Build-Time Controls
| Platform | CID | Title | Service | Resource | Criticality | Policy |
|---|---|---|---|---|---|---|
| AWS | 672 | Ensure ECS Cluster enables logging of ECS Exec | ECS | ECS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 674 | Ensure that GuardDuty detector is enabled | Guard Duty | Guard Duty | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 675 | Ensure DAX cluster endpoint is using TLS | Dynamo DB | DAX Cluster | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 676 | Ensure replicated backups are encrypted at rest using KMS CMKs | RDS | RDS | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 677 | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | RDS | RDS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 678 | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Elasticsearch Service | ES Domain | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 679 | Ensure that Elasticsearch is not using the default Security Group | Elasticsearch Service | ES Domain | Medium | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 680 | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | ECS | ECS Task Definition | Medium | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 681 | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension | RDS | RDS Cluster | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 682 | Ensure CloudTrail logging is enabled | Cloud Trail | Cloud Trail | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 683 | Ensure CloudTrail defines an SNS Topic | Cloud Trail | Cloud Trail | Medium | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 684 | Ensure DLM cross region events are encrypted | EC2 | Lifecycle Manager | Medium | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 685 | Ensure DLM cross region events are encrypted with Customer Managed Key | EC2 | Lifecycle Manager | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 686 | Ensure Kinesis Firehose delivery stream is encrypted | Kinesis | Firehose | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 687 | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Kinesis | Firehose | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 688 | Ensure MWAA environment has scheduler logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 689 | Ensure MWAA environment has worker logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 690 | Ensure MWAA environment has webserver logs enabled | MWAA | MWAA Environment | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 691 | Ensure DLM cross region schedules are encrypted | EC2 | EBS | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 692 | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | EC2 | EBS | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 693 | Ensure CodeCommit branch changes have at least 2 approvals | Code Commit | Code Commit Repository | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 694 | Ensure that Lambda function URLs AuthType is not None | Lambda | Lambda | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 695 | Ensure CloudFront response header policy enforces Strict Transport Security | Cloud Front | CloudFront Distribution | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 696 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | VPC | VPC Security Group | High | AWS Infrastructure as Code Security Best Practices Policy |
| AWS | 698 | Ensure HTTP HTTPS Target group defines Healthcheck | EC2 | Load Balancer | High | AWS Infrastructure as Code Security Best Practices Policy |
New AWS Runtime Controls
| Platform | CID | Title | Service | Resource | Criticality | Policy |
|---|---|---|---|---|---|---|
| AWS | 668 | Ensure access to AWSCloudShellFullAccess is restricted | IAM | IAM Policy | High | CIS Amazon Web Services Foundations Benchmark |
| AWS | 699 | Ensure access keys are rotated every 90 days or less | IAM | IAM User | High | CIS Amazon Web Services Foundations Benchmark |
New AWS Controls (Without Policy Attachment)
| Platform | CID | Title | Service | Resource | Criticality |
|---|---|---|---|---|---|
| AWS | 662 | Ensure CloudFront logging is enabled | CLOUD_FRONT | CLOUDFRONT_DISTRIBUTION | High |
| AWS | 663 | Ensure Elastic Beanstalk environments do not use container-based platform | ELASTIC_BEANSTALK | ELASTIC_BEANSTALK_ENVIRONMENT | Medium |
| AWS | 664 | Ensure AWS Systems Manager (SSM) documents are not publicly shared | SYSTEM_MANAGER | SSM_DOCUMENT | High |
| AWS | 665 | Ensure Network Firewalls are deployed in multiple Availability Zones | VPC | NETWORK_FIREWALL | High |
| AWS | 666 | Ensure Network Firewall policies are associated with stateful or stateless rule groups | VPC | NETWORK_FIREWALL_POLICY | High |
| AWS | 667 | Ensure MSK cluster should not be publicly accessible | MSK | MSK_CLUSTER | High |
| AWS | 670 | AWS Cognito identity pool must not allow unauthenticated guest access | AMAZON_COGNITO | IDENTITY_POOL | High |
| AWS | 671 | Ensure that a Cloud Formation stack actual configuration does not differ or drift from the expected configuration | CLOUDFORMATION | CLOUDFORMATION_STACK | Medium |
| AWS | 673 | Amazon EC2 Auto Scaling group must cover multiple Availability Zones | EC2 | AUTO_SCALING_GROUP | High |
New Controls in CIS Microsoft Azure Compute Services Benchmark
| Platform | Control ID | Title | Service Type | Resource Type | Criticality | Policy Name |
|---|---|---|---|---|---|---|
| Azure | 50619 | Ensure Remote debugging is set to Off for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50620 | Ensure Remote debugging is set to Off for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50621 | Ensure Client Certificates (Incoming client certificates) set to On for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50622 | Ensure Client Certificates (Incoming client certificates) set to On for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50623 | Ensure managed identities are configured for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50624 | Ensure managed identities are configured for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50625 | Ensure public network access is disabled for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50626 | Ensure public network access is disabled for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50627 | Ensure virtual network integration for deployment slots of API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50628 | Ensure virtual network integration for deployment slots of Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50629 | Ensure configuration is routed through the virtual network integration for deployment slots of API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50630 | Ensure configuration is routed through the virtual network integration for deployment slots of Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50631 | Ensure all traffic is routed through the virtual network for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50632 | Ensure all traffic is routed through the virtual network for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50633 | Ensure cross-origin resource sharing does not allow all origins for deployment slots of API Apps | App Service | API App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50634 | Ensure cross-origin resource sharing does not allow all origins for deployment slots of Standard Logic Apps | Logic App | Logic App | HIGH | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50635 | Ensure configuration is routed through the virtual network integration for API Apps | App Service | API App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
| Azure | 50636 | Ensure configuration is routed through the virtual network integration for Standard Logic Apps | Logic App | Logic App | MEDIUM | CIS Microsoft Azure Compute Services Benchmark v2.0.0 |
New controls in CIS Oracle Cloud Infrastructure Foundation Benchmark Policy
| Platform | CID | Title | Service | Resource | Criticality | Policy |
|---|---|---|---|---|---|---|
| OCI | 40102 | Ensure no resources are created in the root compartment | IAM | COMPARTMENT | High | Oracle Infrastructure Foundation Benchmark Policy |
New Controls in AWS for AI SPM (Without Policy Attachment)
| Platform | CID | Title | Service | Resource | Criticality |
|---|---|---|---|---|---|
| AWS | 648 | Comprehend Entity Recognizer model should be encrypted with a customer-managed key | COMPREHEND | COMPREHEND_ENTITY_RECOGNIZER_MODEL | High |
| AWS | 649 | Comprehend Entity Recognizer volume should be encrypted with a customer-managed key | COMPREHEND | COMPREHEND_ENTITY_RECOGNIZER_MODEL | High |
| AWS | 650 | Ensure AWS Bedrock Guardrails have PII detection filters configured | BEDROCK | BEDROCK_GUARDRAILS | High |
| AWS | 651 | Ensure AWS Bedrock Guardrail has prompt injection protection enabled and input strength set to HIGH | BEDROCK | BEDROCK_GUARDRAILS | High |
| AWS | 652 | Ensure AWS Bedrock Guardrails have contextual grounding policy enabled for agent response validation | BEDROCK | BEDROCK_GUARDRAILS | Medium |
| AWS | 653 | Ensure Amazon Lex V2 bots have Child Directed setting enabled for COPPA compliance | LEX | LEX_BOT | High |
| AWS | 654 | Ensure Amazon Kendra index is encrypted using a customer-managed KMS key | KENDRA | KENDRA_INDEX | High |
| AWS | 655 | Ensure Amazon Kendra index enforces user-level access control | KENDRA | KENDRA_INDEX | High |
| AWS | 656 | Ensure Amazon Translate custom terminology is encrypted using a customer-managed KMS key | TRANSLATE | TRANSLATE_CUSTOM_TERMINOLOGY | High |
| AWS | 657 | Ensure policy enforcement is enabled for AWS Bedrock AgentCore gateways | BEDROCK_AGENTCORE | BEDROCK_AGENTCORE_GATEWAYS | Medium |
| AWS | 658 | Ensure AWS Bedrock AgentCore memory is encrypted using a customer-managed KMS key | BEDROCK_AGENTCORE | BEDROCK_AGENTCORE_MEMORY | High |
| AWS | 659 | Ensure Amazon Personalize dataset groups are encrypted using a customer-managed KMS key | PERSONALIZE | PERSONALIZE_DATASET_GROUP | High |
| AWS | 660 | Ensure AWS Bedrock Guardrails have profanity filtering enabled | BEDROCK | BEDROCK_GUARDRAILS | Medium |
| AWS | 661 | Ensure AWS Bedrock Guardrails have denied topics configured | BEDROCK | BEDROCK_GUARDRAILS | Medium |
New Controls in Azure for AI SPM (Without Policy Attachment)
| Platform | CID | Title | Service | Resource | Criticality |
|---|---|---|---|---|---|
| AZURE | 50637 | Ensure Azure AI Search has public network access disabled | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High |
| AZURE | 50638 | Ensure Azure AI Search uses a private endpoint (Private Link) | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High |
| AZURE | 50639 | Ensure Azure AI Search with public network access enabled has firewall rules configured | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High |
| AZURE | 50640 | Ensure Azure OpenAI Service has public network access disabled | COGNITIVE_SERVICES | AZURE_OPEN_AI | High |
| AZURE | 50641 | Ensure Azure OpenAI Service public network access is restricted | COGNITIVE_SERVICES | AZURE_OPEN_AI | High |
| AZURE | 50642 | Ensure Azure OpenAI Service is encrypted using a customer-managed key | COGNITIVE_SERVICES | AZURE_OPEN_AI | High |
| AZURE | 50643 | Ensure Azure OpenAI Service uses a private endpoint (Private Link) | COGNITIVE_SERVICES | AZURE_OPEN_AI | High |
| AZURE | 50644 | Ensure Azure AI Search SKU supports private endpoint (Private Link) | COGNITIVE_SEARCH | COGNITIVE_SEARCH | High |
New Controls in GCP for AI SPM (Without Policy Attachment)
| Platform | CID | Title | Service | Resource | Criticality |
|---|---|---|---|---|---|
| GCP | 52200 | Ensure Vertex AI Workbench instances have integrity monitoring enabled | WORKBENCH | WORKBENCH_INSTANCE | Medium |
| GCP | 52201 | Ensure Vertex AI Workbench instances have Secure Boot enabled | WORKBENCH | WORKBENCH_INSTANCE | High |
| GCP | 52202 | Ensure Vertex AI Colab Enterprise Runtime Template should have internet access disabled | COLAB_ENTERPRISE | RUNTIME_TEMPLATES | High |
| GCP | 52203 | Ensure Vertex AI Colab Enterprise Runtime Template should have idle shutdown enabled | COLAB_ENTERPRISE | RUNTIME_TEMPLATES | Low |
| GCP | 52204 | Ensure Vertex AI Workbench instances have Vtpm enabled | WORKBENCH | WORKBENCH_INSTANCE | High |
| GCP | 52205 | Ensure Vertex AI Endpoints are not publicly accessible | VERTEX_AI | VERTEX_AI_ENDPOINT | High |
| GCP | 52206 | Ensure Vertex AI Endpoints use Customer-Managed Encryption Key | VERTEX_AI | VERTEX_AI_ENDPOINT | High |
| GCP | 52207 | Ensure Vertex AI Workbench instances should have internet access disabled | WORKBENCH | WORKBENCH_INSTANCE | High |
Control Removed from Policy
| Platform | CID | Title | Policy |
|---|---|---|---|
| Azure | 50134 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | CIS Azure Foundations Policy |
Control Title Changes
| Platform | CID | Old Title | New Title |
|---|---|---|---|
| Azure | 50016 | Ensure that Access through Internet facing endpoint should be restricted is set to On | Ensure that All network ports should be restricted on network security groups associated to your virtual machine |
Controls Deprecated
| Platform | CID | Description | Control Type | Policy Name |
|---|---|---|---|---|
| Azure | 50006 | Ensure that Vulnerabilities in security configuration on your machines should be remediated is set to On | RUN_TIME | Azure Best Practices Policy |
| Azure | 50008 | Ensure that Disk encryption should be applied on virtual machines is set to On | RUN_TIME | Azure Best Practices Policy |
Control Migration
| Platform | CID | Title | Old Policy | New Policy |
|---|---|---|---|---|
| Azure | 50016 | Ensure that All network ports should be restricted on network security groups associated to your virtual machine | CIS Azure Foundations Policy | Azure Best Practices Policy |
Control Enhancements
| Platform | CID | Title |
|---|---|---|
| Azure | 562 | Ensure that Network Load Balancer(s) Listeners uses SSL certificates provided by AWS Certificate Manager |
Issues Addressed
We fixed the following important and notable issues in this release.
| Category/Component | Issue |
|---|---|
| TotalCloud-UI | We have resolved the issue where IAM User Access Key controls (CID-4 and CID-5) caused false positives due to AWS reassigning Access Key 2 to Access Key 1 after deletion, which also prevented CID-5 evaluation. To address this without impacting existing customer configurations or exceptions, both controls have been retained and a new control (CID 699) has been introduced to handle this scenario effectively. We have also resolved the issue where the GCP controls 52062, 52072, and 52071 were giving false positives and logical errors. |
| CV-ControlEnhancement | We have resolved the issue for CID-351 and CID-562 where certain resources were not being evaluated due to changes in the AWS response format. To address this, the JSONPath in the predicate logic has been updated to align with the latest response structure, ensuring accurate evaluation going forward. |
| CV - False Positive, CV-ControlEnhancement | We have resolved the issue raised regarding controls CID 50008 and CID 50006 due to parameter deprecation in Azure Microsoft Defender for Cloud’s Microsoft Cloud Security Benchmark. CID 50008 has been deprecated as its parameter is no longer supported, while CID 50016 has been updated with the revised parameter name along with necessary predicate enhancements and evidence additions to ensure correct evaluation. |
| CV-IaC | We have resolved the issue where IaC scanning was stuck in SUBMITTED state. |
| CV - Reports, CV - UI | We have resolved the issue where CIS references were missing in the UI and reports. |
| CV-Monitor | We have resolved the issue of inconsistent evaluations of AWS controls related to EBS snapshots, caused by limitations in the DCEF-based implementation handling large volumes of snapshots across accounts. The controls (CID 127, 146, 204) have been migrated to an annotation-based approach, enabling consistent evaluation in a single call and ensuring expected performance. |
| CV-Connectors | We have resolved the issue where incorrect pagination handling for AWS Bedrock Agents and Knowledge Bases caused repeated data retrieval due to misconfigured token injection. The pagination logic has been corrected to align with API requirements, ensuring proper data collection and preventing infinite loops. |
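The access-key rotation check behind CID 699 (keys rotated every 90 days or less), and the slot-renumbering scenario described in the first Issues Addressed row, written out as an added example. This is not TotalCloud's evaluation logic: the credential report below is constructed, and only its column names follow the layout of the IAM credential report.

```python
"""Access-key rotation check over an IAM credential report.

Added example, not TotalCloud's own evaluation logic for CID 699. The report
is constructed; the column names follow the IAM credential report layout.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

# Constructed IAM credential report (a subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,true,2026-01-10T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2026-06-01T08:00:00+00:00,true,2026-02-15T08:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,N/A,false,N/A
<root_account>,arn:aws:iam::111122223333:root,false,N/A,false,N/A
"""

# Fixed evaluation time so the constructed report yields stable results.
NOW = datetime(2026, 6, 29, 8, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime for a report timestamp, or None for N/A / not_supported."""
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return (user, slot, age_days) for every active key older than max_age.

    Each slot is judged on its own last_rotated timestamp, never on its
    position: when, as the release note describes, AWS moves a key from slot 2
    to slot 1 after the other key is deleted, the key's real age still decides
    the result, and an inactive or absent slot produces no finding at all.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            active = row[f"access_key_{slot}_active"] == "true"
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if not active or rotated is None:
                continue
            age = now - rotated
            if age > max_age:
                findings.append((row["user"], slot, age.days))
    return findings


if __name__ == "__main__":
    # alice's only key (170 days) and bob's second key (134 days) are flagged;
    # bob's first key (28 days), carol and the root account are not.
    for user, slot, days in stale_keys(SAMPLE_REPORT):
        print(f"{user}: access key {slot} last rotated {days} days ago (> {MAX_KEY_AGE.days})")
```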