ZCSPM
Release Upgrade Summary (2021)
This article provides a summary of all new features and enhancements for Zscaler Cloud Security Posture Management (ZCSPM), formerly known as Cloudneeti.
The following service updates were deployed to app.cloudneeti.com on the following dates.
- Release Available
ZCSPM Security Policy Additions
Security Policies & Benchmark Updates
Added 10 new security policies for Amazon Web Services (AWS).
| Security Policy Category | Security Policy Title |
|---|---|
| AWS - Data Protection | Ensure that Amazon Backup vaults are using AWS CMKs for encryption of backup data |
| AWS - Data Protection | Ensure data at rest encryption is enabled for AWS EFS file systems |
| AWS - Data Protection | Ensure that encryption is done with KMS CMKs for each AWS Windows FSx |
| AWS - Data Protection | Ensure that node-to-node encryption is enabled for AWS Elasticsearch Domain |
| AWS - Data Protection | Ensure that data-at-rest encryption is enabled for AWS Elasticsearch Domain |
| AWS - Data Protection | Ensure Amazon Kinesis Firehose delivery streams have Server-Side Encryption (SSE) enabled |
| AWS - Data Protection | Ensure that in-transit encryption is enabled for AWS ElastiCache clusters |
| AWS - Data Protection | Ensure that at-rest encryption is enabled for AWS ElastiCache clusters |
| AWS - Data Protection | Ensure that Amazon Glue Data Catalogs enforce data-at-rest encryption using KMS CMKs |
| AWS - Data Protection | Ensure that Amazon Glue Data Catalog objects and connection passwords are encrypted |
- Release Available
ZCSPM Viewer Roles and Enhancements
New Features & Enhancements
ZCSPM now offers two new user roles:
- License Viewer: License Viewers can view all ZCSPM features and configurations for a license but cannot make any changes.
- Account Viewer: Account Viewers can view all ZCSPM features and settings for a single cloud account but cannot make any changes.
Security Policies & Benchmark Updates
Added one new security policy for Amazon Web Services (AWS).
| Security Policy Category | Security Policy Title |
|---|---|
| AWS - Identity and Access Management | Ensure that there are no IAM users in the AWS account |
- Release Available
ZCSPM Release 3.16.0 Enhancements and Fixes
Security Policies & Benchmark Updates
Added 49 security policies for Google Cloud Platform across the following services:
- Cloud Functions
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute (PaaS and Serverless) | Ensure that maximum instances in autoscaling is set for Cloud Functions |
| GCP - Networking | Ensure that 'Route all traffic through the VPC connector' is enabled for the Cloud Functions |
- Cloud Key Management Service
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Key Management | Ensure that Asymmetric Key is signed with RSA_SIGN_PSS_3072_SHA256 or EC_SIGN_P256_SHA256 algorithm |
| GCP - Key Management | Ensure that Asymmetric Key is encrypted with RSA_DECRYPT_OAEP_3072_SHA256 algorithm |
- Cloud SQL
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that maintenance window is set for Cloud SQL MySQL instance |
- Cloud TPU
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Cloud TPU Node is not created within default VPC |
| GCP - Data Analytics | Ensure that Cloud TPU Node is not configured to use the default service account |
- Compute Engine - Backend Bucket
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4505 (SaltStack Master) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4506 (SaltStack Master) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9090 |
- Compute Engine - Firewall
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4505 (SaltStack Master) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4506 (SaltStack Master) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9090 |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 636 (LDAP SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 27018 (Mongo Web Portal) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 139 (NetBios Session Service) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8140 (Puppet Master) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2383 (SQL Server Analysis Services) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9042 (Cassandra Client) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7000 (Cassandra Internode Communication) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1434 (MSSQL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7199 (Cassandra Monitoring) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 61620 (Cassandra OpsCenter Monitoring) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8888 (Cassandra OpsCenter Website) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9160 (Cassandra Thrift) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2483 (Oracle DB) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 2483 (Oracle DB) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 1434 (MSSQL) |
- Compute Engine - Forwarding Rule
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that Internal UDP load balancers are not created within default VPC Network |
| GCP - Networking | Ensure that Packet Mirroring is enabled for TCP load balancer |
| GCP - Networking | Ensure that Internal HTTP(S) load balancer is not created within default VPC |
| GCP - Networking | Ensure Packet Mirroring is enabled for Internal UDP load balancer Forwarding Rule |
| GCP - Networking | Ensure that Internal TCP load balancers are not launched within default VPC |
| GCP - Networking | Ensure that the regional HTTP(S) load balancer forwarding rule accepts only HTTPS traffic |
- Compute Engine - Global Forwarding Rule
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that the global HTTP(S) load balancer forwarding rule accepts only HTTPS traffic |
- Compute Engine - Node Group
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that autoscaling enabled for Sole-tenant Node Group |
- Compute Engine - Target HTTPS Proxy
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that global HTTP(S) load balancer target proxy is using QUIC protocol |
- Compute Engine - VPN Tunnel
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data in Transit | Ensure that VPN tunnel is configured with IKEv2 |
- Dataproc
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that 'Delete on a fixed time schedule' is enabled for Dataproc Cluster |
| GCP - Data Analytics | Ensure that 'Delete after a cluster idle time period without submitted jobs' is selected for Dataproc Cluster |
| GCP - Data Analytics | Ensure that Secure Multi Tenancy is enabled for Dataproc Cluster |
- Google Kubernetes Engine
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Kubernetes and Container | Ensure that Alpha clusters are not used for production workloads |
| GCP - Kubernetes and Container | Ensure that Workload Identity is enabled on Kubernetes Engine Clusters |
| GCP - Kubernetes and Container | Ensure to automate GKE version management using Release Channels on Kubernetes Engine Clusters |
| GCP - Kubernetes and Container | Ensure that Binary Authorization is enabled on the Kubernetes Engine Clusters |
| GCP - Kubernetes and Container | Consider GKE Sandbox for running untrusted workloads |
| GCP - Kubernetes and Container | Ensure the GKE Metadata Server is Enabled |
- Memory Store
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that Redis instance uses private services access using a dedicated VPC network |
- Secret Manager
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Business Continuity | Ensure that replication policy for Secrets is set to Automatic |
Added the Cloud Security Alliance's Cloud Control Matrix benchmark for all cloud service providers.
- Release Available
ZCSPM Release 3.15.0 Enhancements and Fixes
New Features & Enhancements
- Custom Security Policies Enhancement: You can now map a custom security policy to any compliance benchmark, including private benchmarks. To learn more, see Creating Custom Policies.
- Cloud Accounts Enhancement: You can now delete a cloud account from your ZCSPM License. To learn more, see About Cloud Accounts.
- ZCSPM now supports version 2.2 of the Kubernetes agents for all cloud service providers. To learn how to upgrade your agent, see Configuring the ZCSPM Agent for Google Kubernetes Engine.
Security Policies & Benchmark Updates
- Added 51 new security policies for Google Cloud Platform.
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that static contents are cached for Backend Bucket |
| GCP - Compute | Ensure that 'stale content' serving is set to 1 day period for Backend Bucket |
| GCP - Compute | Ensure that security patches for Red Hat Enterprise Linux (RHEL) and Centos are configured in Patch Deployment |
| GCP - Compute | Ensure that security patches for Windows are configured in Patch Deployment |
| GCP - Compute | Ensure that reboot is enabled for OS Patch Deployment |
| GCP - Compute | Ensure that security patches for SUSE Linux Enterprise Server (SLES) are configured in Patch Deployment |
| GCP - Compute | Ensure that HTTPs Target Proxy configured with Google-managed SSL certificate |
| GCP - Compute | Ensure that SSL Target Proxy configured with Google-managed SSL certificate |
| GCP - Compute | Ensure that Health Checks for autohealing in managed instance groups have unhealthy-threshold value more than 1 |
| GCP - Compute | Ensure that regional forwarding rule is created with reserved IP address |
| GCP - Compute | Ensure that global forwarding rule is created with reserved IP address |
| GCP - Compute | Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites |
| GCP - Compute | Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites |
| GCP - Compute (PaaS and Serverless) | Ensure that Secret is used for Cloud Run Revisions |
| GCP - Compute (PaaS and Serverless) | Ensure that Boot disk for Instance Templates are encrypted with Customer-Managed Encryption Keys |
| GCP - Compute (PaaS and Serverless) | Ensure that Instance Templates are not configured to use the default service account |
| GCP - Data Analytics | Ensure that Component Gateway is enabled for Dataproc Clusters |
| GCP - Data Analytics | Ensure that Dataproc Clusters have minimum 1TB storage capacity for PD-Standard without local SSDs |
| GCP - Data in Transit | Ensure that Instance Templates have Confidential Computing enabled |
| GCP - Governance | Ensure that Cloud PubSub Topics are allowed to store messages in any region |
| GCP - Identity and Access Management | Ensure that Forest trust type is used when creating a relationship trust with Active directory |
| GCP - Identity and Access Management | Ensure that Selective authentication is enabled on outbound trusts in the resource forest of Active directory |
| GCP - Identity and Access Management | Ensure that Managed Service for Microsoft Active Directory Domain is not launched within default VPC Network |
| GCP - Kubernetes and Container | Ensure legacy Compute Engine instance metadata APIs are Disabled |
| GCP - Kubernetes and Container | Enable VPC Flow Logs and Intranode Visibility |
| GCP - Kubernetes and Container | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
| GCP - Kubernetes and Container | Ensure authentication using Client Certificates is Disabled |
| GCP - Kubernetes and Container | Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS |
| GCP - Kubernetes and Container | Ensure Secure Boot for Shielded GKE Nodes is Enabled |
| GCP - Kubernetes and Container | Ensure Shielded GKE Nodes are Enabled |
| GCP - Logging and Monitoring | Ensure that Query Insights are enabled for Cloud SQL PostgreSQL instance |
| GCP - Logging and Monitoring | Ensure that 'pgaudit.log_catalog' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
| GCP - Logging and Monitoring | Ensure that 'Store client IP addresses' is enabled for Cloud SQL PostgreSQL instance |
| GCP - Logging and Monitoring | Ensure that 'Store application tags' is enabled for Cloud SQL PostgreSQL instance |
| GCP - Networking | Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' is selected for Cloud Function |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to port 9300 (Elasticsearch) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 389 (LDAP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11211 (Memcached) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11211 (Memcached) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 6379 (Redis) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11214 (Memcached SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11214 (Memcached SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 11215 (Memcached SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 11215 (Memcached SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 137 (NetBIOS) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 138 (NetBIOS Datagram Service) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 139 (NetBios Session Service) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2484 (Oracle DB SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 2484 (Oracle DB SSL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 5432 (PostgreSQL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 2382 (SQL Server Analysis Service browser) |
- Deprecated 1 security policy for Google Cloud Platform.
| Security Policy Title |
|---|
| Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
- Added 11 new security policies for Microsoft 365.
| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Identity | Ensure Security Defaults is disabled on Azure Active Directory |
| M365 - Identity | Ensure that collaboration invitations are sent to allowed domains only |
| M365 - Identity | Ensure that 'Expiration' settings are configured for temporary groups |
| M365 - Identity | Ensure that LinkedIn contact synchronization is disabled |
| M365 - Application Permissions | Ensure user consent to apps accessing company data on their behalf is not allowed |
| M365 - Application Permissions | Ensure the admin consent workflow is enabled |
| M365 - Application Permissions | Ensure users installing Outlook add-ins is not allowed |
| M365 - Application Permissions | Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed |
| M365 - Application Permissions | Ensure internal phishing protection for Forms is enabled |
| M365 - Application Permissions | Ensure that Sways cannot be shared with people outside of your organization |
| M365 - Email Security / Exchange Online | Ensure automatic forwarding options are disabled |
- Release Available
ZCSPM Release 3.14.0 Enhancements and Fixes
New Features and Enhancements
- ServiceNow Incident Management Enhancement: ZCSPM now sends the cloud account name and ID when creating ServiceNow tickets.
- SAML based Single-Sign-On (SSO) Enhancement: ZCSPM now supports updating the role of existing ZCSPM users via Just in Time (JIT) provisioning.
- Custom Security Policies Enhancement: You can now delete custom security policies for all cloud service providers.
- End User Subscription Agreement (EUSA): ZCSPM now requires you to accept the EUSA before activating a ZCSPM license.
- SIEM Integration with Splunk: You can now configure ZCSPM to send asset metadata for all failed assets or high risk failed assets to Splunk.
Security Policy & Benchmark Updates
- Added 36 new security policies for Microsoft Azure.
| Security Policy Category | Security Policy Title |
|---|---|
| Azure - Compute (IaaS) | Ensure that VHD's are encrypted |
| Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Web app |
| Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Function app |
| Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for API app |
| Azure - Compute (PaaS and Serverless) | Ensure FTP deployments are disabled for Mobile app |
| Azure - Compute (PaaS and Serverless) | Ensure that '.Net Framework' version is the latest, if used as a part of the web app |
| Azure - Compute (PaaS and Serverless) | Ensure that 'PHP version' is the latest, if used to run the web app |
| Azure - Compute (PaaS and Serverless) | Ensure that 'Python version' is the latest, if used to run the web app |
| Azure - Compute (PaaS and Serverless) | Ensure that 'Java version' is the latest, if used to run the web app |
| Azure - Compute (PaaS and Serverless) | Ensure Azure Keyvaults are used to store secrets |
| Azure - Identity and Access | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' |
| Azure - Identity and Access | Ensure Security Defaults is enabled on Azure Active Directory |
| Azure - Identity and Access | Ensure Custom Role is assigned for Administering Resource Locks |
| Azure - Identity and Access | Ensure that multi-factor authentication is enabled for all non-privileged users |
| Azure - Identity and Access | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' |
| Azure - Logging and Auditing | Ensure Diagnostic Setting captures appropriate categories |
| Azure - Logging and Auditing | Ensure that Activity Log Alert exists for Delete Policy Assignment |
| Azure - Networking | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' |
| Azure - Networking | Ensure that UDP Services are restricted from the Internet |
| Azure - Security Center | Ensure that Azure Defender is set to On for Servers |
| Azure - Security Center | Ensure that Azure Defender is set to On for App Service |
| Azure - Security Center | Ensure that Azure Defender is set to On for Azure SQL database servers |
| Azure - Security Center | Ensure that Azure Defender is set to On for Storage |
| Azure - Security Center | Ensure that Azure Defender is set to On for Kubernetes |
| Azure - Security Center | Ensure that Azure Defender is set to On for Key Vault |
| Azure - Security Center | Ensure that Azure Defender is set to On for SQL servers on machines |
| Azure - Security Center | Ensure that Azure Defender is set to On for Container Registries |
| Azure - Security Center | Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected |
| Azure - Security Center | Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected |
| Azure - Security Center | Ensure any of the ASC Default policy setting is not set to "Disabled" |
| Azure - Storage and Databases | Ensure that ADS - Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
| Azure - Storage and Databases | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
| Azure - Storage and Databases | Ensure soft delete is enabled for Azure Storage |
| Azure - Storage and Databases | Ensure storage for critical data are encrypted with Customer Managed Key |
| Azure - Storage and Databases | Ensure Storage logging is enabled for Table service for read, write, and delete requests |
| Azure - Storage and Databases | Ensure Storage logging is enabled for Blob service for read, write, and delete requests |
- Added 41 security policies for Google Cloud Platform.
| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that Restricted profile is selected for SSL Policy |
| GCP - Compute | Ensure that the latest TLS version is in use for SSL Policy |
| GCP - Compute | Ensure that Health Check is configured for Target Pool |
| GCP - Compute | Ensure that 'session affinity' is configured for Target Pool |
| GCP - Compute | Ensure that Compute Disks are attached with 'Snapshot Schedule' for automated backups |
| GCP - Compute (PaaS and Serverless) | Ensure that 'Require HTTPS' is selected for HTTP Cloud Functions |
| GCP - Compute (PaaS and Serverless) | Ensure that Cloud Run Service uses Customer-managed encryption key (CMEK) for encryption |
| GCP - Compute (PaaS and Serverless) | Ensure that HTTP/2 connections for cloud run revision is enabled |
| GCP - Compute (PaaS and Serverless) | Ensure that 'Verify container deployment with Binary Authorization' configuration is enabled for Cloud Run Service |
| GCP - Compute (PaaS and Serverless) | Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Run Service |
| GCP - Data Analytics | Ensure that Dataproc Cluster Nodes have Shielded VM enabled |
| GCP - Data Analytics | Ensure that OS Login is enabled while creating a Dataproc cluster |
| GCP - Data Analytics | Ensure that Kerberos and Hadoop Secure Mode for a cluster are enabled |
| GCP - Data Analytics | Ensure that "Personal Cluster Authentication" for Dataproc cluster should be enabled |
| GCP - Data Analytics | Ensure that Dataproc Clusters are not configured to use the default service account with full access to all Cloud APIs |
| GCP - Data in Transit | Ensure that in-transit encryption is enabled for Redis instance |
| GCP - Governance | Ensure that 'Disable Source Code Download' constraint is set to enforce |
| GCP - Governance | Ensure that 'Require VPC Connector (Cloud Functions)' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable Guest Attributes of Compute Engine metadata' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable Internet Network Endpoint Groups' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable VM nested virtualization' constraint is set to enforce |
| GCP - Governance | Ensure that 'Skip default network creation' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable Cloud Logging' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable Workload Identity Cluster Creation' constraint is set to enforce |
| GCP - Governance | Ensure that 'Restrict shared VPC project lien removal' constraint is set to enforce |
| GCP - Governance | Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' constraint is set to enforce |
| GCP - Governance | Ensure that 'Google Cloud Platform - Detailed Audit Logging Mode' constraint is set to enforce |
| GCP - Governance | Ensure that 'Enforce uniform bucket-level access' constraint is set to enforce |
| GCP - Identity and Access Management | Ensure that editor role is not assigned to Compute Engine Default Service Account |
| GCP - Identity and Access Management | Ensure that editor role is not assigned to App Engine Default Service Account |
| GCP - Identity and Access Management | Ensure that Cloud Functions Invoker role is not assigned to 'allUsers' for Cloud Function |
| GCP - Identity and Access Management | Ensure that Cloud Functions Viewer role is not assigned to 'allUsers' for Cloud Function |
| GCP - Identity and Access Management | Ensure that Cloud Functions Developer role is not assigned to 'allUsers' for Cloud Function |
| GCP - Identity and Access Management | Ensure that Cloud Functions Admin role is not assigned to 'allUsers' for Cloud Function |
| GCP - Networking | Ensure that default VPC Network is not in use for Memorystore Memcached Instance |
| GCP - Networking | Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' configuration is enabled for Cloud Run Service |
| GCP - Storage and Database | Ensure that 'Automatically distribute' or multiple zones are selected for Memorystore Memcached Instance |
| GCP - Storage and Database | Ensure that 'track_sizes' configuration for Memorystore Memcached Instance is set to 'false' |
| GCP - Storage and Database | Ensure that 'maxconns_fast' configuration for Memorystore Memcached Instance is set to 'false' |
| GCP - Storage and Database | Ensure that Standard Tier is selected for Redis instance |
| GCP - Storage and Database | Ensure that Enable AUTH is check marked for Redis instance |
- Added 12 security policies for Microsoft 365.
| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Account / Authentication | Ensure enable sign out inactive users |
| M365 - Application Permissions | Ensure control access to SharePoint Online and OneDrive data based on network location |
| M365 - Application Permissions | Set default link permission to view-only when users get links for sharing at the site level |
| M365 - Application Permissions | Set default link permission to view-only when users get links for sharing |
| M365 - Application Permissions | Ensure set default link type to Internal when users get links for sharing at Organization level |
| M365 - Application Permissions | Ensure default link permission to view-only when users get links for sharing |
| M365 - Application Permissions | Ensure set default link type to Internal when users get links for sharing at Site level |
| M365 - Application Permissions | Permission to add and customize pages should be denied to all sites |
| M365 - Data | Sharing in SharePoint and OneDrive should be restricted at the tenant level to specific domains |
| M365 - Data | Ensure sharing in SharePoint and OneDrive should be restricted at the site level to specific domains |
| M365 - Data | Option to edit, copy, and paste files outside the browser for documents should be disabled at the tenant level |
| M365 - Data | Option to edit, copy and paste files outside the browser for documents should be disabled at the site level |
- Added two new benchmarks for Microsoft Azure:
- Center for Internet Security Microsoft Azure Foundations Benchmark v1.2.0
- Center for Internet Security Microsoft Azure Foundations Benchmark v1.3.1
- Release Available
ZCSPM Release 3.13.0 Enhancements and Fixes
New Features and Enhancements
- Cloud Identity Dashboard: You can now view all identities which are entitled to access to your cloud assets and services.
- Asset Details enhancement: You can now view an access graph for an asset. The access graph displays all identities which have access to a specific asset and the path taken by the identity to access the asset. To learn more, see About Asset Details.
- SAML based Single-Sign-On (SSO) enhancements:
- IdP initiated SAML based SSO: ZCSPM now supports Identity Provider (IdP) initiated SAML based SSO. A guest user in your organization can now access ZCSPM once it is provisioned. To learn more, see About SAML.
- Just in Time (JIT) user provisioning: ZCSPM now supports JIT user provisioning to automatically retrieve user information such as first name or role name from the SAML response. To learn more, see Configuring SAML.
- IdP certificate expiry email notification: ZCSPM will now send out an email notification 15 days before your IdP certificate expires on ZCSPM.
- GCP organization auto-sync: ZCSPM will now automatically onboard new projects added to your GCP organization.
- Determine GCP resources in your organization: You can now estimate the number of resources in your GCP organization which are protected by ZCSPM. To learn more, see Estimating Assets Count.
- ZCSPM will now scan the most recent 40,000 EBS snapshots for configuration metadata collection.
Security Policy & Benchmark Updates
- Added 9 new security policies for Amazon Web Services.Close
Security Policy Category Security Policy Title AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 5500 (VNC Listener) AWS - Networking Ensure no AWS EC2 security group allows unrestricted inbound access to TCP port 5900 (VNC Server) AWS - Identity and Access Management Ensure there are no IAM users with full administrator permissions within your AWS account AWS - Identity and Access Management Ensure that the AWS Account does not have a single IAM Admin AWS - Identity and Access Management Ensure that custom IAM policies grant least privileges on the AWS Account AWS - Identity and Access Management Ensure credentials unused for 45 days or greater are disabled AWS - Networking Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (SSH Port: 22) AWS - Networking Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (RDP Port: 3389) AWS - Monitoring Ensure a log metric filter and alarm exists for AWS Organizations changes - Updated 10 security policies for Amazon Web Services.Close
Old Security Policy Title New Security Policy Title Ensure that data-tier security group(s) are configured for RDS Aurora Clusters Ensure that default security group(s) are not configured for RDS Aurora Clusters Ensure that data-tier security group(s) are configured for RDS Aurora SQL Instances Ensure that default security group(s) are not configured for RDS Aurora SQL Instances Ensure that data-tier security group(s) are configured for RDS Aurora MySQL Serverless Clusters Ensure that default security group(s) are not configured for RDS Aurora MySQL Serverless Clusters Ensure that data-tier security group(s) are configured for RDS Aurora PostgreSQL Serverless Clusters Ensure that default security group(s) are not configured for RDS Aurora PostgreSQL Serverless Clusters Ensure that data-tier security group(s) are configured for RDS MariaDB Instances Ensure that default security group(s) are not configured for RDS MariaDB Instances Ensure that data-tier security group(s) are configured for RDS MySQL Instances Ensure that default security group(s) are not configured for RDS MySQL Instances Ensure that data-tier security group(s) are configured for RDS Oracle Instances Ensure that default security group(s) are not configured for RDS Oracle Instances Ensure that data-tier security group(s) are configured for RDS PostgreSQL Instances Ensure that default security group(s) are not configured for RDS PostgreSQL Instances Ensure that data-tier security group(s) are configured for RDS SQL Server Instances Ensure that default security group(s) are not configured for RDS SQL Server Instances Ensure there are no running AWS EC2 instances older than 180 days available within your AWS account Ensure there are no running AWS EC2 instances older than 30 days available within your AWS account - Added 16 new security policies for Microsoft Azure.Close

| Security Policy Category | Security Policy Service | Security Policy Title |
|---|---|---|
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to HTTPS (TCP:443) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to HTTP (TCP:80) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to CIFS (TCP:445) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to DNS (TCP:53) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to FTP (TCP:21) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to RPC (TCP:135) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to VNCListener (TCP:5500) is restricted from the public internet on NSG's |
| Azure - Networking | Virtual Network (VNET) | Ensure that ingress traffic to VNCServer (TCP:5900) is restricted from the public internet on NSG's |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Java version is the latest if used as a part of API App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Java version is the latest if used as a part of Function App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Java version is the latest if used as a part of Web App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that PHP version is the latest if used as a part of API App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that PHP version is the latest if used as a part of Web App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Python version is the latest if used as a part of API App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Python version is the latest if used as a part of Function App is enabled in ASC |
| Azure - Security Center | Azure Security Center (ASC) | Ensure that Python version is the latest if used as a part of Web App is enabled in ASC |

- Added 23 security policies for Google Cloud Platform.

| Security Policy Category | Security Policy Service | Security Policy Title |
|---|---|---|
| GCP - Compute | Cloud OS Config | Ensure that OS Patch Deployment configured with a recurring schedule |
| GCP - Compute | Cloud OS Config | Ensure that OS Patch Deployment not targeted to all VMs |
| GCP - Business Continuity | CloudSQL | Ensure that Cloud SQL Mysql instances have 'point-in-time recovery' enabled |
| GCP - Business Continuity | CloudSQL | Ensure that Cloud SQL PostgreSQL instances have 'point-in-time recovery' enabled |
| GCP - Logging and Monitoring | CloudSQL | Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
| GCP - Business Continuity | Compute Engine - Disk | Ensure that "Enable regional disk replication" feature is enabled for Compute Disk |
| GCP - Networking | Compute Engine - Firewall | Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses |
| GCP - Logging and Monitoring | Compute Engine - Health Check | Ensure that Cloud Logging is enabled for Compute Health Check |
| GCP - Data in Transit | Compute Engine - Instance | Ensure that Compute instances have Confidential Computing enabled |
| GCP - Compute | Compute Engine - Instance Group | Ensure that Instance Groups have 'Scale In Controls' enabled |
| GCP - Data Analytics | Compute Engine - TargetVpn Gateway | Ensure that Classic VPN Gateway is not created within a default VPC Network |
| GCP - Data Analytics | Compute Engine - Vpn Gateway | Ensure that High-availability VPN Gateway is not created within default VPC Network |
| GCP - Networking | DataFusion | Ensure that Data Fusion Instances are not using default Dataproc service account |
| GCP - Data Analytics | DataFusion | Ensure that Data Fusion Instances are not launched within default VPC Network |
| GCP - Storage and Database | DataFusion | Ensure that Data Fusion Instances do not have public IP addresses |
| GCP - Logging and Monitoring | DNS | Ensure that Cloud DNS logging is enabled for all VPC networks |

- Added 12 security policies for Microsoft 365.

| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Application Permissions | Ensure BCC of external sharing invitations is enabled |
| M365 - Application Permissions | Ensure company-wide link sharing are disabled |
| M365 - Application Permissions | Ensure external services in SharePoint Online is disabled |
| M365 - Application Permissions | Ensure ShowAllUsersClaim to restrict users from broadly sharing within the organisation and to users with previously accepted sharing invitations is disabled |
| M365 - Application Permissions | Ensure disable ShowEveryoneClaim to restrict users from broadly sharing within the organisation and to external users |
| M365 - Application Permissions | Ensure disable ShowEveryoneExceptExternalUsersClaim to restrict users from broadly sharing within the organization |
| M365 - Application Permissions | Ensure users from downloading files that are detected as malicious is disabled |
| M365 - Application Permissions | Enable notifications in SharePoint Online |
| M365 - Application Permissions | Enforce only OneDrive for Business owner for sharing |
| M365 - Application Permissions | Ensure Limit access to SharePoint and OneDrive content at Organization level |
| M365 - Application Permissions | Notify OneDrive for Business owner about anonymous access link creation or change |
| M365 - Application Permissions | Ensure anonymous links to expire after some days is enabled |

- Added two new benchmarks for the following cloud service providers.

| Cloud Service Provider | Benchmark Title |
|---|---|
| AWS | Center for Internet Security AWS Foundations Benchmark v1.4.0, Center for Internet Security Kubernetes Benchmark [for EKS and EC2 Instance Hosted clusters] v1.6.1 |
| Microsoft Azure | Center for Internet Security Kubernetes Benchmark [for AKS, VM Hosted and AKS-Engine clusters] v1.6.1 |
| GCP | Center for Internet Security Google Cloud Platform Foundation Benchmark v1.2.0, Center for Internet Security Kubernetes Benchmark [for GKE] v1.6.1 |

- Release Available
ZCSPM Release 3.12.0 Enhancements and Fixes
New Features & Enhancements
ZCSPM Access Enhancements
- Zscaler Login: You can now log in to the ZCSPM Admin Portal using your Zscaler login credentials. To learn more, see Accessing ZCSPM.
- SAML-based Single Sign-On (SSO): ZCSPM now supports Service Provider (SP) initiated SAML-based SSO. To learn how to configure SAML for your organization, see Configuring SAML.
Security Policy & Benchmark Updates
- Added 4 new security policies for Amazon Web Services.
- IAM

| Security Policy Category | Security Policy Title |
|---|---|
| AWS - Identity and Access Management | Ensure that conditions for IAM role are in place to define how and when trusted entities can assume the role |
| AWS - Identity and Access Management | Ensure that there are no IAM roles in the account with Admin privileges |

- AccessAnalyzer

| Security Policy Category | Security Policy Title |
|---|---|
| AWS - Identity and Access Management | Ensure that IAM Access Analyzer is enabled and active |

- EC2

| Security Policy Category | Security Policy Title |
|---|---|
| AWS - Compute | Ensure that all EC2 instances in the AWS account are using Instance Metadata Service Version 2 |

- Added 2 new security policies for Microsoft Azure.
- IAM

| Security Policy Category | Security Policy Title |
|---|---|
| Azure - Identity and Access | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' |

- Virtual Machines

| Security Policy Category | Security Policy Title |
|---|---|
| Azure - Compute (IaaS) | Ensure there are no running Azure Virtual Machine older than 30 days available within your Azure Subscription |

- Added 36 security policies for Google Cloud Platform.
- BigQuery Dataset

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets |

- Cloud Key Management Service

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Azure - Key Management | Ensure that primary key version should be enabled for Symmetric Key |
| GCP - Azure - Key Management | Ensure that primary key version should be enabled for Symmetric Key |

- Cloud Spanner

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Identity and Access Management | Ensure that Cloud Spanner Database is encrypted using Customer Managed Encryption Key |
| GCP - Networking | Ensure that Cloud Spanner Database Backup is encrypted using Customer Managed Encryption Key |

- Cloud Armor

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Networking | Ensure that no Cloud Armor Policy allows unrestricted access to internet |
| GCP - Networking | Ensure that Adaptive protection is enabled for Cloud Armor Policy |

- Cloud BigTable

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that Bigtable Instance Cluster is encrypted using Customer Managed Encryption Key |

- Cloud Router

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Identity and Access Management | Ensure that Cloud Router is created within non-default VPC Network |

- CloudSQL

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
| GCP - Storage and Database | Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
| GCP - Storage and Database | Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off' |
| GCP - Storage and Database | Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter |
| GCP - Storage and Database | Ensure 'log_error_verbosity' database flag for Cloud SQL PostgreSQL instance is set to 'DEFAULT' or stricter |
| GCP - Storage and Database | Ensure 'log_statement' database flag for Cloud SQL PostgreSQL instance is set appropriately |
| GCP - Storage and Database | Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately |
| GCP - Storage and Database | Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
| GCP - Storage and Database | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' |
| GCP - Storage and Database | Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate |
| GCP - Storage and Database | Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured |
| GCP - Storage and Database | Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off' |
| GCP - Storage and Database | Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off' |
| GCP - Storage and Database | Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on' |

- Compute

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that Instance Templates are not configured to use the default service account with full access to all Cloud APIs |
| GCP - Compute | Ensure that Instance Templates are configured with Shielded VM |
| GCP - Compute | Ensure that "Block Project-wide SSH keys" is enabled for Instance Templates |
| GCP - Compute | Ensure that IP forwarding is not enabled on Instance Templates |
| GCP - Compute | Ensure "Enable connecting to serial ports" is not enabled for Instance Templates |
| GCP - Compute | Ensure that Instance Templates are not launched within default VPC |
| GCP - Compute | Ensure that Instance Templates do not have Public IP Addresses |

- Compute Engine

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure there are no running VM instances older than 180 days available within your GCP project |

- Container Registry

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that vulnerability scanning is enabled for Container Registry |

- Dataproc

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Dataproc jobs will restart on failure |

- Identity and Access Management

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Identity and Access Management | Ensure that IAM users are restricted to use the KMS Admin permissions on a project |
| GCP - Identity and Access Management | Ensure that IAM users are restricted to use the Owner/ Writer/ Reader roles at project level |

- Added one benchmark for the following cloud service providers.
- Deprecated 3 security policies for Microsoft Azure.

| Security Policy Category | Security Policy Title |
|---|---|
| Windows 2019 | Windows 2019 - Ensure 'Specify the interval to check for definition updates' is set to 'Enabled:1' |
| Ubuntu 18.04 | Ubuntu 18.04 - Ensure rsyslog Service is enabled |
| CentOS 7 | CentOS 7 - Ensure rsyslog Service is enabled |

- Release Available
ZCSPM Release 3.11.0 Enhancements and Fixes
New Features and Enhancements
- ServiceNow Integration Enhancements: You can now configure custom fields on ZCSPM to add additional parameters which ZCSPM sends to ServiceNow when creating tickets. To learn more, see Integrating with ServiceNow.
- The Risk Dashboard and Cloud Security Best Practices page now display widgets and information aggregated at all cloud accounts in your cloud deployment.
- ZCSPM now supports version 2.3 of the auto remediation framework. ZCSPM will no longer remediate AWS assets when you exclude assets from security policy evaluation. To learn more, see Auto Remediation of AWS Resources.
- ZCSPM now supports gathering Azure OS Baseline configuration metadata from multiple subscriptions on a shared log analytics workspace. To learn more, see Configuring OS Baselines for Azure.
- ZCSPM now supports version 1.8 of the IAM data collector agent which sends configuration metadata from multiple accounts in your tenant to ZCSPM. To learn how to upgrade your agent, see Advanced Security Configurations for Azure.
Security Policy & Benchmark Updates
- Added 14 new security policies for Google Cloud Platform across 2 services.
- Compute Engine

| Security Policy Category | Security Policy Title |
|---|---|
| Compute | Ensure that Compute Snapshot is created within multi-region |
| Compute | Ensure that Compute Disk is encrypted with Customer-managed key |
| Compute | Ensure that Compute Image is encrypted with Customer-managed key |
| Compute | Ensure that Compute Image is not publicly accessible |
| Networking | Ensure logging and monitoring is enabled for each global HTTPS load balancer Backend Service |
| Networking | Ensure that signed URLs are in use for global HTTP(S) load balancer Backend Service |
| Networking | Ensure cloud CDN is enabled for global HTTP(S) load balancer Backend Service |
| Networking | Ensure that Cloud Armor security policy is configured for each Backend Service of global HTTP(S) load balancer |

- Pub/Sub Topic

| Security Policy Category | Security Policy Title |
|---|---|
| Data Analytics | Ensure that Pub/Sub Topic is encrypted using Customer-Managed Encryption Key (CMEK) |
| Identity and Access Management | Ensure that 'allUsers' is not allowed to publish to Pub/Sub Topic |
| Identity and Access Management | Ensure that Pub/Sub Topic is not exposed to everyone |
| Identity and Access Management | Ensure that 'allUsers' is not allowed to subscribe to Pub/Sub Topic |
| Identity and Access Management | Ensure that 'allUsers' is not allowed to edit Pub/Sub Topic |
| Identity and Access Management | Ensure that Admin/Owner role is not assigned to 'allUsers' for Pub/Sub Topic |

- Added 7 new security policies for Microsoft Azure for the SQL Server service.

| Security Policy Category | Security Policy Title |
|---|---|
| Data in Transit | Ensure that TLS version 1.2 should be enabled for SQL managed instance service |
| Networking | Ensure that public endpoint should be disabled for SQL managed instance service |
| Networking | Ensure that diagnostics setting should be enabled for SQL managed instance service |
| Logging and Auditing | Ensure that 'Also send email notification to admin and subscription owners' is enabled in Advanced Threat Protection Settings for SQL managed instance service |
| Logging and Auditing | Ensure that periodic recurring vulnerability scans is enabled for SQL managed instance service |
| Logging and Auditing | Ensure that 'Send scan reports to' is set for SQL managed instance service |
| Storage and Databases | Ensure SQL managed instance's TDE protector is encrypted with customer-managed key (BYOK) |

- Added two new benchmarks for the following cloud service providers.

| Cloud Service Provider | Benchmark Title |
|---|---|
| Microsoft Azure | Government of Canada Cloud Guardrails |
| Microsoft Azure, AWS, GCP, Microsoft 365 | NIST - National Institute of Standards and Technology SP 800-53 Rev. 5 |

- Deprecated 8 security policies for Microsoft Azure.

| Security Policy Service | Security Policy Title |
|---|---|
| Windows 2016 | Windows 2016 - Specify the interval to check for definition updates |
| Ubuntu 18.04 | Ubuntu 18.04 - Ensure cron daemon is enabled |
| Ubuntu 18.04 | Ubuntu 18.04 - Ensure logrotate is configured |
| Ubuntu 18.04 | Ubuntu 18.04 - Ensure IP forwarding is disabled |
| CentOS 7 | CentOS 7 - Ensure cron daemon is enabled |
| CentOS 7 | CentOS 7 - Ensure logrotate is configured |
| CentOS 7 | CentOS 7 - Ensure IP forwarding is disabled |
| SQL Server | Ensure no SQL Server allow ingress 0.0.0.0/0 (ANY IP) |

- Deprecated one security policy for Amazon Web Services.

| Security Policy Service | Security Policy Title |
|---|---|
| Identity and Access Management | Ensure IAM instance roles are used for AWS resource access from instances |

- Release Available
ZCSPM Release 3.10.0 Enhancements and Fixes
New Features and Enhancements
- Asset Exclusion: ZCSPM now allows you to exclude assets from being evaluated by a specific set of security policies. To learn more, see Managing Assets.
- Alerts: ZCSPM now allows you to configure email alerts whenever ZCSPM notices a drift in your cloud deployment's risk posture. To learn more, see About Alerts.
- GCP Asset Metadata Collection: ZCSPM now collects and displays the metadata for the following GCP services:
- bigquery.googleapis.com/Dataset
- compute.googleapis.com/Network
- iam.googleapis.com/ServiceAccountKey
- sqladmin.googleapis.com/Instance
- storage.googleapis.com/Bucket
- compute.googleapis.com/Firewall
- compute.googleapis.com/Instance
- AWS Auto Remediation Framework Update:
- ZCSPM now supports version 2.2 of the auto remediation framework.
- ZCSPM remediation framework now allows you to easily deploy and configure AWS auto remediation for multiple accounts present in an AWS organization.
- ZCSPM remediation framework now allows you to opt-in or opt-out IAM policies from the auto remediation framework depending on your organization's compliance requirements.
Security Policy & Benchmark Updates
- Added 2 new security policies for Microsoft Office 365:

| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Device | Create a Microsoft Endpoint Manager Compliance Policy for Windows 8.1 |
| M365 - Device | Create a Microsoft Endpoint Manager Configuration Profile for Windows 8.1 |

- Added a new Microsoft Office 365 Benchmark - Government of Canada Cloud Guardrails.
- Release Available
ZCSPM Release 3.09.0 Enhancements and Fixes
New Features and Enhancements
- Asset Exclusion: ZCSPM now allows you to exclude an asset from all current and future security policies.
- Reporting Enhancements:
- You can now schedule reports as PDF, Word, or CSV files.
- ZCSPM now sends scheduled report emails with deep links.
- AWS Asset Metadata Collection: ZCSPM will now collect and display the metadata for the following AWS services:
- AWS::EC2::Instance
- AWS::EC2::VPC
- AWS::ElasticLoadBalancing::LoadBalancer - Classic
- AWS::ElasticLoadBalancingV2::LoadBalancer - App
- AWS::ElasticLoadBalancingV2::LoadBalancer - Network
- AWS::KMS::Key
- AWS::IAM::User
Security Policy & Benchmark Updates
Added 72 new security policies for Google Cloud Platform across the following cloud services:
- Cloud Functions

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that Cloud Function is not using default service account |
| GCP - Compute | Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Function |
| GCP - Compute | Ensure that access to VPC- PRIVATE RANGES ONLY is used for your Cloud Function |
| GCP - Compute | Ensure that all the deployed Cloud Functions are in 'active' mode |

- Cloud Run

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that Cloud Run revision is not configured to use the default service account |

- Cloud SQL

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that the 'password history' database flag is configured for Cloud SQL MySQL instance |
| GCP - Storage and Database | Ensure that the 'password reuse interval' database flag is configured for Cloud SQL MySQL instance |
| GCP - Storage and Database | Ensure that IAM database authentication flag is configured for Cloud SQL PostgreSQL Instance |
| GCP - Storage and Database | Ensure that 'cloudsql.enable_pgaudit' database flag for Cloud SQL PostgreSQL instance is set to 'on' |
| GCP - Storage and Database | Ensure that 'ssl_min_protocol_version' flag for Cloud SQL PostgreSQL instance is configured to utilize latest version |
| GCP - Storage and Database | Ensure that 'remote login timeout (s)' database flag for CloudSQL SQL Server Instance is configured |
| GCP - Storage and Database | Ensure that Cloud SQL database instance is not using expired SSL/TLS server certificate(s) |
| GCP - Storage and Database | Ensure that Cloud SQL database instances are encrypted with Customer-Managed key |
| GCP - Storage and Database | Ensure that High Availability feature is enabled for CloudSQL Database Instance |

- Cloud Storage

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that Storage Buckets are deployed in multi-region |
| GCP - Storage and Database | Ensure that Storage Bucket is encrypted with Customer-Managed Encryption Key |
| GCP - Storage and Database | Ensure that object versioning is enabled on Storage Buckets |

- Compute Engine

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that deletion protection is enabled for VM Instances |
| GCP - Compute | Ensure that Virtual Trusted Platform Module is enabled for VM Instance |
| GCP - Compute | Ensure that VM Instances are not launched within default VPC |
| GCP - Networking | Ensure that logging should be enabled on Firewall Rule |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 23 (Telnet) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 25 (SMTP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP and UDP port 53 (DNS) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 139 and UDP ports 137 and 138 (NetBIOS) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 4333 or 3306 (MySQL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1521 (Oracle) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5432 (PostgreSQL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 445 (CIFS) |
| GCP - Networking | Ensure that no firewall Rule allows unrestricted ingress access to TCP port 5601 (Kibana) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 135 (RPC) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to port 443 (HTTPS) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 110 (Pop3 Database) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP ports 8332 and 8333 (Bitcoin) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8545 (Ethereum) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to all UDP traffic |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to all TCP traffic |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted egress access |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP ports 20 and 21 (FTP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 1433 (MSSQL) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to Internet Control Message Protocol (ICMP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 27017 (MongoDB) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to port 80 (HTTP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 445 (SMB) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to port 9200 (Elasticsearch) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 389 (LDAP) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5500 (VNC Client) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 5900 (VNC Server) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 3020 (CIFS/SMB) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 61621 (Cassandra OpsCenter agent) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 7001 (Cassandra) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 9000 (Hadoop Name Node) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 8000 (Internal web port) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to TCP port 3000 (Prevalent known internal port) |
| GCP - Networking | Ensure that no Firewall Rules allows unrestricted ingress access to UDP port 161 (SNMP) |

- Dataproc

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Admin role is not assigned to Default Service Account for Dataproc Cluster |
| GCP - Data Analytics | Ensure that Editor role is not assigned to Default Service Account for Dataproc Cluster |

- Google Kubernetes Engine

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Kubernetes Service | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
| GCP - Kubernetes Service | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
| GCP - Kubernetes Service | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
| GCP - Kubernetes Service | Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters |
| GCP - Kubernetes Service | Ensure Kubernetes Clusters are configured with Labels |
| GCP - Kubernetes Service | Ensure Kubernetes web UI / Dashboard is disabled |
| GCP - Kubernetes Service | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters |
| GCP - Kubernetes Service | Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes |
| GCP - Kubernetes Service | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
| GCP - Kubernetes Service | Ensure Network policy is enabled on Kubernetes Engine Clusters |
| GCP - Kubernetes Service | Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
| GCP - Kubernetes Service | Ensure Kubernetes Cluster is created with Private cluster enabled |
| GCP - Kubernetes Service | Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets |
| GCP - Kubernetes Service | Ensure default Service account is not used for Project access in Kubernetes Clusters |
| GCP - Kubernetes Service | Ensure GKE Clusters use specific purpose-designed networks instead of the default network |

Added 1 new security policy for Amazon Web Services for the AWS IAM service:

| Security Policy Category | Security Policy Title |
|---|---|
| Identity and Access Management (IAM) | Eliminate use of the root user for administrative and daily tasks [last 90 days] |

- Release Available
ZCSPM Release 3.08.0 Enhancements and Fixes
New Features and Enhancements
- Scheduling Reports: ZCSPM now allows you to schedule and manage summary reports for all benchmarks. To learn more, see Scheduling Reports.
- Asset Security Dashboard Enhancements:
- ZCSPM now offers superior integration with Asset Inventory enabling you to easily secure your cloud deployment.
- You can now view the top regions where you have protected cloud assets and the regions with the highest risk.
- You can now view and manage the top 10 assets with highest failed security policies.
- Drift Notifications: ZCSPM now offers you the ability to configure email notifications for high or moderate drift in your cloud security posture. To learn more, see Drift Notifications.
- You can now provide AWS Config details when creating custom security policies for AWS. To learn more, see Creating Custom Security Policies for AWS.
- Azure Advanced Security Configurations agent's Active Directory (AD) scanning is now refined. Use the new version 1.5 when upgrading or creating the Azure Advanced Security Configurations agent. To learn more, see Advanced Security Configurations for Azure.
- M365 Advanced Security Configurations agent no longer scans the Active Directory (AD) for user information. Use the new version 1.9 when upgrading or creating the M365 Advanced Security Configurations agent. To learn more, see Upgrading the Microsoft 365 Advanced Security Configuration Agent.
Security Policy & Benchmark Updates
Added 14 new security policies for Google Cloud Platform across the following cloud services:
- BigQuery

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Customer-Managed Encryption Key (CMEK) is used for BigQuery Dataset Tables encryption |
| GCP - Data Analytics | Ensure that retention period is set on BigQuery tables |

- Cloud Bigtable

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Cluster replication feature is enabled for Bigtable Instance |
| GCP - Data Analytics | Ensure that Backup is configured with expiration date for Bigtable Table |

- Cloud Data Fusion

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Stackdriver Logging is enabled for Data Fusion instances |
| GCP - Data Analytics | Ensure that Stackdriver monitoring is enabled for Data Fusion instances |

- Cloud Spanner

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Storage and Database | Ensure that Cloud Spanner Instance is deployed with multi-region configuration |
| GCP - Storage and Database | Ensure that Backup is configured with expiration date for cloud Spanner Database |

- Compute Engine

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Compute | Ensure that instance groups have autoscale enabled for high availability |
| GCP - Compute | Ensure that instance groups have Health checks defined |

- Dataproc

| Security Policy Category | Security Policy Title |
|---|---|
| GCP - Data Analytics | Ensure that Dataproc Cluster is not launched within default VPC Network |
| GCP - Data Analytics | Ensure that autoscaling policy is configured for Dataproc Clusters |
| GCP - Data Analytics | Ensure that Dataproc Cluster is encrypted using Customer-Supplied Encryption Keys |
| GCP - Data Analytics | Ensure that Dataproc Cluster is launched in High Availability mode |

- Release Available
ZCSPM Release 3.07.0 Enhancements and Fixes
New Features and Enhancements
- Custom Security Policies for Google Cloud Platform (GCP): ZCSPM now allows you to create custom security policies for your GCP cloud deployment. You can use the GCP API explorer to simulate queries and build a custom policy, allowing you to protect all your GCP resources in your cloud environment. To learn more, see Creating Custom Security Policies for GCP.
- ZCSPM now supports API-based GCP Onboarding. To learn more, see Onboard Cloud Account API.
- ZCSPM GCP Organization onboarding now supports enhanced selection of projects and folders from your GCP Organization. To learn more, see Onboarding a GCP Organization Account.
- ZCSPM now supports GCP onboarding with ZCSPM scripts. To learn more, see Onboarding your GCP Organization using ZCSPM Scripts and Onboarding your GCP Projects using ZCSPM Scripts.
- Asset Inventory now has an enhanced filtering system to filter assets by their resource types, resource status, region, risk level, and tags.
Security Policy & Benchmark Updates
Added 2 new security policies for Microsoft Azure:

| Security Policy Category | Security Policy Title |
|---|---|
| Azure - Business continuity and DR | Ensure that Virtual network links should be configured in Private DNS Zone |
| Azure - Business continuity and DR | Ensure that Private Endpoint connection status should be in Approved state |

Automated 17 manual security policies for GCP:

| Security Policy Category | Security Policy Title |
|---|---|
| Logging and Monitoring | Ensure log metric filter and alerts exist for project ownership assignments/changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for Audit Configuration changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for Custom Role changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for VPC network route changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for VPC network changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes |
| Logging and Monitoring | Ensure that the log metric filter and alerts exist for SQL instance configuration changes |
| Logging and Monitoring | Ensure that sinks are configured for all log entries |
| IAM | Ensure that corporate login credentials are used |
| IAM(KMS) | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
| IAM(KMS) | Ensure KMS encryption keys are rotated within a period of 90 days |
| Networking(LoadBalancer) | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
| Storage IAM | Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
| IAMAuditConfig(IAM) | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
| Log sink | Ensure that retention policies on log buckets are configured using Bucket Lock |
| Storage | Ensure that Cloud Storage buckets have uniform bucket-level access enabled |

Added 2 security policies for M365:

| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Device | Ensure that users cannot connect from android devices that are jailbroken |
| M365 - Device | Ensure that users cannot connect from iOS devices that are jailbroken |

Deprecated 2 security policies for M365:

| Security Policy Category | Security Policy Title |
|---|---|
| M365 - Device | Enable Microsoft Intune Mobile Device Management |
| M365 - Device | Ensure that users cannot connect from devices that are jail broken or rooted |