Cloud Optix Latest IAM Security Controls and More

Now identify and correct over-privileged AWS IAM users, groups and roles with Cloud Optix, plus much more with the latest Sophos Cloud Optix updates.

January 2021

  • Azure inventory enhancement: App Service Plans: The Cloud Optix inventory now provides visibility of Azure App Services (Inventory > Serverless > Azure). The inventory provides details of the App Service Plan, app type, state information and more. Additional security rules have also been added for Azure App Services (see further information below).

  • New security assessment rules for Azure: The following security rules have been added for Azure environments. You may notice new alerts in Cloud Optix, generated by these new rules.

    • AZ-3006: Ensure all Azure functions have RemoteDebugging Disabled
    • AZ-3007: Ensure Azure functions CORS is not set to allow all resources
    • AZ-3011: Ensure all Azure Api Apps that are using FTP services have FTPS only enabled
    • AZ-3012: Ensure all Azure Api Apps have https only enabled
    • AZ-3013: Ensure all Azure Api Apps have RemoteDebugging Disabled
    • AZ-3014: Ensure all Azure Api Apps CORS is not set to allow all resources
    • AZ-3021: Ensure all Azure Web Apps that are using FTP services have FTPS only enabled
    • AZ-3022: Ensure all Azure Web Apps have https only enabled
    • AZ-3023: Ensure all Azure Web Apps have RemoteDebugging Disabled
    • AZ-3024: Ensure all Azure Web Apps CORS is not set to allow all resources
  • New security assessment rules for AWS: The following security rules have been added for AWS environments. You may notice new alerts in Cloud Optix, generated by these new rules.

    • AR-1061: Ensure IAM Users Receive Permissions Only Through Groups
    • AR-1071: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
    • AR-1062: Ensure that S3 Buckets are configured with 'Block public access' bucket settings
    • AR-1063: Ensure that IAM Access analyzer is enabled
    • AR-1064: Ensure S3 Bucket Policy allows HTTPS requests
    • AR-1065: Ensure that Object-level logging for write events is enabled for S3 bucket
    • AR-1066: Ensure that Object-level logging for read events is enabled for S3 bucket
    • AR-1067: Ensure a log metric filter and alarm exists for AWS Organizations changes
    • AR-1068: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

  • CIS Certification for AWS benchmark v1.3.0: Cloud Optix has now achieved CIS (Center for Internet Security) certification for the following benchmarks. A new policy template for version 1.3.0 is now available in Cloud Optix.

    • CIS Benchmark for Amazon Web Services Foundations v1.3.0 Level 1
    • CIS Benchmark for Amazon Web Services Foundations v1.3.0 Level 2
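
The rule AR-1064 in the AWS list above corresponds to the CIS AWS Foundations control that requires an S3 bucket policy to deny all S3 actions when aws:SecureTransport is false. The following Python is an added example of that static check, not Cloud Optix's own rule logic; the bucket name and the three policy documents are constructed. It shows the subtlety practitioners most often miss: the Deny must cover both the bucket ARN and the object ARN (bucket/*), otherwise listing the bucket over plain HTTP is still allowed.

```python
"""Static check for an S3 bucket policy that denies plaintext-HTTP requests.

Added example of the control behind AR-1064 (CIS AWS Foundations: deny all
S3 actions when aws:SecureTransport is false). Illustrative code, not the
Cloud Optix rule implementation; bucket name and policies are constructed.
"""
import json

BUCKET = "example-bucket"  # constructed bucket name

# Weak: grants access but never denies unencrypted transport.
ALLOW_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Incomplete: the Deny covers objects but not the bucket itself, so
# s3:ListBucket over HTTP is still permitted.
OBJECTS_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Corrected: Deny for everyone, all S3 actions, bucket and objects, when TLS is off.
COMPLIANT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _everyone(principal):
    """Principal "*" and {"AWS": "*"} both mean any caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _all_s3_actions(action):
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _bucket_and_objects(resource, bucket):
    arn = f"arn:aws:s3:::{bucket}"
    resources = set(_as_list(resource))
    return "*" in resources or {arn, arn + "/*"} <= resources


def _secure_transport_false(condition):
    values = _as_list((condition or {}).get("Bool", {}).get("aws:SecureTransport", []))
    return any(str(v).lower() == "false" for v in values)


def denies_http(policy_json, bucket):
    """True if some statement denies every S3 action for everyone over plain HTTP."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Deny"
                and _everyone(stmt.get("Principal"))
                and _all_s3_actions(stmt.get("Action", []))
                and _bucket_and_objects(stmt.get("Resource", []), bucket)
                and _secure_transport_false(stmt.get("Condition"))):
            return True
    return False


if __name__ == "__main__":
    for name, doc in [("allow-only", ALLOW_ONLY), ("objects-only", OBJECTS_ONLY),
                      ("compliant", COMPLIANT)]:
        print(f"{name}: denies HTTP = {denies_http(doc, BUCKET)}")
```

Only the third policy passes. Note that the check is deliberately strict about the resource pair; a Deny on the object ARN alone is a common half-fix that a scanner should still flag.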


December 2020

  • Discover Sophos Cloud Workload Protection agents (Intercept X for Server): Cloud Optix now allows you to discover AWS and Microsoft Azure hosts with Sophos Intercept X for Server agents deployed. Sophos Intercept X for Server protects virtual machines from the latest threats, including ransomware, fileless attacks, and cloud-specific malware, while its EDR capabilities take threat hunting and IT security operations further with powerful querying and remote response.

    • Filter the host inventory to identify EC2 instances and Azure VMs with Sophos agents installed, and see the security health reported by the agents.
    • See EC2 instances and Azure VMs with Sophos agents installed, on the Cloud Optix network visualization.
    • In Activity logs > Host, see EC2 instances in each AWS region with Sophos agents installed, and the security health reported by the agents.
    • https://community.sophos.com/sophos-cloud-optix/b/blog/posts/identify-sophos-firewalls-and-workload-protection-on-aws
    • Note: This integration is available in Cloud Optix accounts that are managed via Sophos Central management with a Sophos Server Protection or Intercept X for Server license.

  • IAM remediation recommendations: Cloud Optix can now provide 'right-sized' IAM policies for over-privileged AWS IAM users, groups and roles.

    • From the IAM Visualization in Cloud Optix, selecting a specific IAM entity now enables administrators to see full details of the services that the IAM entity has access to, and when they last accessed each service. The administrator can then choose services to revoke access to, and create a replacement IAM policy with that access removed. Cloud Optix provides a policy document JSON download, and instructions to apply the policy in AWS.

  • Filter alerts using AWS resource tags: Administrators can now filter alerts for specific resources using resource tags in the Cloud Optix Search box. By using "tags." in the search (e.g. "tags.CostCenter:Production") Cloud Optix will return alerts for affected resources with the corresponding tags.

  • Deprecated Azure security benchmark rules: Disk encryption security rules have been updated in line with updated CIS benchmark recommendations. The following Azure security rules have been deprecated:

    • AZ-2352 - Ensure that OS Disk is encrypted
    • AZ-2353 - Ensure that Data Disks are encrypted
    • AZ-2354 - Ensure that 'Unattached disks' are encrypted

  • Replacement Azure security benchmark rules: Replacement disk encryption rules have been added, as follows:

    • AZ-2359 - Ensure that OS Disk is encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)
    • AZ-2360 - Ensure that Data Disks are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)
    • AZ-2358 - Ensure that 'Unattached disks' are encrypted with 'Customer-managed' or 'Platform-managed and customer-managed' keys (Severity: Medium)

  • New AWS rule: Amazon Elastic File System (EFS) service

    • AR-1072: Ensure that Amazon EFS file systems are encrypted (Severity: High). This new rule has been added to the Sophos Best Practices policy template for AWS.

  • Filter alert trend graph by alert type: The alert trend graph (optix.sophos.com/#/alerts/trend) can now be filtered to show information for a specific alert type (Spend monitoring alerts, Anomaly (AI) alerts, Security monitoring alerts, IaC alerts, Amazon GuardDuty alerts).

  • Alert improvements:

    • Alerts for AWS Security Groups now include the region that the Security Group is in, to enable administrators to more efficiently locate the issue for resolution.
    • Alerts for AWS EBS volumes now identify volumes that are not attached to EC2 instances. Unattached volumes are listed in yellow in the list of affected resources in the alert details. When a volume is attached to EC2 instances, those instance IDs are listed in the alert details.
    • The 'Last Seen' label in alerts has been changed to 'Last Updated'. This refers to when the alert was last updated with additional information, for example when new resources are affected by the same issue and added to the alert.
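
The IAM remediation recommendations item above describes the approach: look at which services an IAM entity has actually used and when, revoke the ones it has not, and emit a replacement policy document. The Python below is an added example of that right-sizing step, not Cloud Optix's implementation. It assumes input in the shape that IAM's GetServiceLastAccessedDetails API returns (ServiceNamespace and LastAuthenticated per service); the last-accessed records and the over-privileged policy are constructed. Two caveats a practitioner should keep in mind: IAM last-accessed data is service-level for most services (action-level only for a few) and only covers the tracking period, so a service unused for 90 days may still be needed by, say, a yearly job; and a Deny statement must never be removed, because dropping a Deny widens access rather than narrowing it.

```python
"""Right-size an IAM policy from service last-accessed data.

Added illustration of the approach described in the IAM remediation item
above; not Cloud Optix code. Input mirrors the ServicesLastAccessed entries
returned by IAM's GetServiceLastAccessedDetails; all data here is constructed.
"""
import copy
import json
from datetime import datetime, timedelta, timezone

# Constructed "now" and last-accessed report for one role. A service that was
# granted but never authenticated has no LastAuthenticated key.
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "iam"},
    {"ServiceNamespace": "logs", "LastAuthenticated": NOW - timedelta(days=1)},
]

# Constructed over-privileged policy attached to that role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def unused_services(last_accessed, now, max_age_days):
    """Service namespaces with no authentication in the last max_age_days (or ever)."""
    cutoff = now - timedelta(days=max_age_days)
    return {
        e["ServiceNamespace"]
        for e in last_accessed
        if e.get("LastAuthenticated") is None or e["LastAuthenticated"] < cutoff
    }


def right_size_policy(policy, revoke):
    """Return (new_policy, warnings): a copy of policy with Allow actions for the
    revoked service namespaces removed.

    Deny statements are kept untouched (removing a Deny widens access). A bare
    "*" action and NotAction statements cannot be narrowed per service, so they
    are kept and reported for manual review instead of being silently accepted.
    """
    new_policy = copy.deepcopy(policy)
    kept, warnings = [], []
    for stmt in new_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        if "NotAction" in stmt:
            warnings.append("NotAction statement left as-is; review manually")
            kept.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        remaining = []
        for action in actions:
            if action == "*":
                warnings.append("wildcard action '*' cannot be right-sized per service")
                remaining.append(action)
            elif action.split(":", 1)[0].lower() not in revoke:
                remaining.append(action)
        if remaining:  # drop the statement entirely if nothing survives
            stmt["Action"] = remaining
            kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy, warnings


if __name__ == "__main__":
    revoke = unused_services(LAST_ACCESSED, NOW, max_age_days=90)
    new_policy, warnings = right_size_policy(POLICY, revoke)
    print("revoking:", sorted(revoke))
    print(json.dumps(new_policy, indent=2))
    for w in warnings:
        print("warning:", w)
```

With the constructed data, ec2 (last used 200 days ago) and iam (never used) are revoked, the second Allow statement disappears entirely, and the Deny on s3:DeleteBucket survives. Against a live account the same logic would consume the output of generate_service_last_accessed_details / get_service_last_accessed_details for the entity's ARN.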

New customers can sign up for a free trial of Sophos Cloud Optix here: https://www.sophos.com/cloud-optix