September 15, 2025, Conformity: A summary of Trend Cloud One Conformity Updates for the week ending on 12 September 2025.

Updated Compliance Standards - CIS Foundations Benchmarks

We've updated our compliance standards to meet the Center for Internet Security (CIS) Foundations Benchmarks. You can now filter Checks and download Compliance Reports to ensure your cloud environment complies with the latest CIS Foundations Benchmarks.
  • CIS Alibaba Foundations Benchmark v2.0.0
  • CIS AWS Foundations Benchmark v5.0.0
  • CIS Azure Foundations Benchmark v3.0.0
  • CIS GCP Foundations Benchmark v4.0.0
  • CIS OCI Foundations Benchmark v3.0.0
You can view the CIS certifications awarded to Trend Micro Vision One - Cloud Posture on the CIS partner website and learn more about Compliance and Conformity.

New GCP Rules

  • CloudRun-002: Use Labels for Resource Management: This rule ensures that user-defined labels are being used to tag, collect, and organize Cloud Run services within your Google Cloud Platform (GCP) projects.
  • CloudRun-004: Enable End-to-End HTTP/2 for Cloud Run Services: This rule ensures that end-to-end HTTP/2 support is enabled for your Cloud Run services.
  • CloudSQL-034: Allow SSL/TLS Connections Only: This rule ensures that all incoming connections to your Cloud SQL database instances are encrypted with SSL/TLS.
  • CloudFunction-008: Use Customer-Managed Encryption Keys for Functions Encryption: This rule ensures that your Google Cloud functions use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys.
  • CloudRun-008: Use Customer-Managed Encryption Keys for Services Encryption: This rule ensures that your Cloud Run services use Customer-Managed Encryption Keys (CMEK) instead of Google-managed encryption keys.
  • SecretManager-004: Use Customer-Managed Encryption Keys for Secret Manager Secret Encryption: This rule ensures that your Google Cloud Secret Manager secrets are encrypted using Cloud KMS Customer-Managed Encryption Keys (CMEKs).
  • CloudRun-006: Enable Binary Authorization: This rule ensures that Binary Authorization is enabled for Google Cloud Run services.
  • SecretManager-002: Enable Destruction Delay for Secret Versions: This rule ensures that a delayed destruction policy is configured for Google Secret Manager secrets.
  • CloudRun-007: Cloud Run Services with Inactive Service Accounts: This rule ensures that your Cloud Run services are referencing existing, active service accounts in order to prevent execution failures and operational disruptions.
  • CloudSQL-038: Enable Cloud SQL Instance Encryption with Customer-Managed Keys: This rule ensures that your Google Cloud SQL database instances are encrypted with Customer-Managed Keys (CMKs).
  • CloudRun-009: This rule ensures that Google Cloud Run services are not publicly accessible.
  • CloudLogging-010: Configure Retention Policies with Bucket Lock: This rule ensures that all the retention policies attached to your Google Cloud log sink buckets are configured with the Bucket Lock feature.
  • CloudFunction-011: Cloud Logging Permissions for Google Cloud Functions: This rule ensures that Cloud Logging API has sufficient permissions to write logs for your Google Cloud functions.
  • NetworkConnectivity-001: Enable Cloud NAT for Private Subnets: This rule ensures that Cloud NAT is enabled for all private VPC subnets that require outbound access.
  • ResourceManager-011: Prevent Service Account Creation for Google Cloud Organizations: This rule ensures that the creation of Cloud IAM service accounts is prevented within your Google Cloud organization through the "Disable Service Account Creation" organization policy.
  • ResourceManager-008: Require OS Login: This rule ensures that the "Require OS Login" constraint policy is enforced at the GCP organization level in order to enable the OS Login feature on all newly created Google Cloud projects within your organization. OS Login provides centralized and automated SSH key pair management.
  • ResourceManager-013: Enforce Detailed Audit Logging Mode: This rule checks that the "Google Cloud Platform - Detailed Audit Logging Mode" policy is enforced at the organization level in order to enable the Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.
  • ResourceManager-012: Disable Serial Port Access Support at Organization Level: This rule checks that the "Disable VM serial port access" constraint policy is enabled for your Google Cloud Platform (GCP) organizations.

New Azure Rules

  • CosmosDB-012: Enable Microsoft Defender for Azure Cosmos DB Accounts: This rule ensures that Microsoft Defender for Azure Cosmos DB is enabled at the resource level.
  • RedisCache-006: Configure Update Channel: This rule ensures that your Microsoft Azure Cache for Redis servers are using the "Stable" update channel.
  • RedisCache-008: Disable Access Keys Authentication for Azure Cache for Redis Servers: This rule ensures that your Microsoft Azure Cache for Redis servers are configured to use Microsoft Entra ID for authentication rather than access keys.
  • RedisCache-005: Enable Data Persistence for Azure Cache for Redis Servers: This rule checks that data persistence is enabled for your Microsoft Azure Cache for Redis servers to ensure resilience against unexpected cache node failures.
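The rule descriptions above say what each check looks for but not how the decision is made from the resource's configuration. The following is an added example, written for this page and not Conformity's own rule engine, that reproduces four of them locally: CloudRun-009 (public exposure), CloudSQL-034 (TLS-only connections), SecretManager-004 (CMEK on every replica) and RedisCache-006/008 (update channel and Entra ID instead of access keys). Each function takes the JSON that `gcloud ... describe --format=json`, `gcloud run services get-iam-policy`, `gcloud secrets describe` or the Azure Resource Manager API returns for one resource; the field names used are this example's reading of those JSON shapes and should be treated as assumptions. The sample resources at the bottom are constructed for the example, not real output.

```python
"""Local versions of four of the posture checks described on this page.

Each check takes one resource's JSON description and returns a list of
findings; an empty list means the resource passes. Field names follow
the gcloud / ARM JSON shapes as understood by the author of this
example (assumptions, not Conformity's implementation).
"""
from __future__ import annotations

# Principals that make an IAM binding reachable without a trusted identity.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def check_cloudrun_public(service: dict, iam_policy: dict) -> list[str]:
    """CloudRun-009: a service is public when an unauthenticated principal
    holds roles/run.invoker AND ingress still admits internet traffic
    (annotation run.googleapis.com/ingress == "all", which is the default)."""
    public = sorted(
        m
        for b in iam_policy.get("bindings", [])
        if b.get("role") == "roles/run.invoker"
        for m in b.get("members", [])
        if m in PUBLIC_PRINCIPALS
    )
    annotations = service.get("metadata", {}).get("annotations", {})
    ingress = annotations.get("run.googleapis.com/ingress", "all")
    if public and ingress == "all":
        return [f"roles/run.invoker granted to {', '.join(public)} with ingress=all"]
    return []


def check_cloudsql_tls(instance: dict) -> list[str]:
    """CloudSQL-034: only ENCRYPTED_ONLY / TRUSTED_CLIENT_CERTIFICATE_REQUIRED
    reject plaintext; the older boolean requireSsl counts only when sslMode is absent."""
    ip = instance.get("settings", {}).get("ipConfiguration", {})
    mode = ip.get("sslMode")
    if mode in ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"):
        return []
    if mode is None and ip.get("requireSsl") is True:
        return []
    return [f"plaintext connections accepted (sslMode={mode}, requireSsl={ip.get('requireSsl')})"]


def check_secret_cmek(secret: dict) -> list[str]:
    """SecretManager-004: every replica (automatic or user-managed) must carry
    customerManagedEncryption.kmsKeyName; one Google-managed replica is a finding."""
    repl = secret.get("replication", {})
    if "automatic" in repl:
        replicas = [("automatic", repl["automatic"])]
    else:
        replicas = [(r.get("location", "?"), r)
                    for r in repl.get("userManaged", {}).get("replicas", [])]
    return [f"replica {loc} uses Google-managed encryption"
            for loc, r in replicas
            if not r.get("customerManagedEncryption", {}).get("kmsKeyName")]


def check_redis_auth(cache: dict) -> list[str]:
    """RedisCache-008 / RedisCache-006 on an Azure Cache for Redis resource.
    ARM nests settings under "properties"; `az redis show` flattens them, so both are accepted."""
    props = cache.get("properties", cache)
    findings = []
    if props.get("redisConfiguration", {}).get("aad-enabled", "false").lower() != "true":
        findings.append("Entra ID authentication (aad-enabled) is off")
    if not props.get("disableAccessKeyAuthentication", False):
        findings.append("access-key authentication still enabled")
    if props.get("updateChannel", "Stable") != "Stable":
        findings.append(f"update channel is {props['updateChannel']!r}, not Stable")
    return findings


# Constructed sample resources (not real CLI output): a failing and a passing case per check.
SERVICE_OPEN = {"metadata": {"name": "api", "annotations": {"run.googleapis.com/ingress": "all"}}}
SERVICE_INTERNAL = {"metadata": {"name": "api", "annotations": {"run.googleapis.com/ingress": "internal"}}}
POLICY_OPEN = {"bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}]}
POLICY_PRIVATE = {"bindings": [{"role": "roles/run.invoker",
                                "members": ["serviceAccount:caller@proj.iam.gserviceaccount.com"]}]}
SQL_OPEN = {"name": "db1", "settings": {"ipConfiguration": {"sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}}}
SQL_LEGACY_OK = {"name": "db2", "settings": {"ipConfiguration": {"requireSsl": True}}}
SECRET_GMEK = {"name": "projects/p/secrets/s1", "replication": {"automatic": {}}}
SECRET_MIXED = {"name": "projects/p/secrets/s2", "replication": {"userManaged": {"replicas": [
    {"location": "us-east1", "customerManagedEncryption":
        {"kmsKeyName": "projects/p/locations/us-east1/keyRings/kr/cryptoKeys/k"}},
    {"location": "us-west1"}]}}}
REDIS_KEYS = {"name": "cache1", "properties": {"updateChannel": "Preview",
                                               "redisConfiguration": {"aad-enabled": "false"}}}
REDIS_ENTRA = {"name": "cache2", "properties": {"updateChannel": "Stable",
                                                "disableAccessKeyAuthentication": True,
                                                "redisConfiguration": {"aad-enabled": "true"}}}


def run_all() -> dict[str, list[str]]:
    """Evaluate every sample; keys name the rule and the resource."""
    return {
        "CloudRun-009 api/open": check_cloudrun_public(SERVICE_OPEN, POLICY_OPEN),
        "CloudRun-009 api/internal-ingress": check_cloudrun_public(SERVICE_INTERNAL, POLICY_OPEN),
        "CloudRun-009 api/private-policy": check_cloudrun_public(SERVICE_OPEN, POLICY_PRIVATE),
        "CloudSQL-034 db1": check_cloudsql_tls(SQL_OPEN),
        "CloudSQL-034 db2": check_cloudsql_tls(SQL_LEGACY_OK),
        "SecretManager-004 s1": check_secret_cmek(SECRET_GMEK),
        "SecretManager-004 s2": check_secret_cmek(SECRET_MIXED),
        "RedisCache-006/008 cache1": check_redis_auth(REDIS_KEYS),
        "RedisCache-006/008 cache2": check_redis_auth(REDIS_ENTRA),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(f"{rule}: {'FAIL: ' + '; '.join(findings) if findings else 'PASS'}")
```

Two design points carry over to real posture tooling: the Cloud Run check needs both the IAM policy and the service's ingress setting, since an `allUsers` invoker binding behind `internal` ingress is not reachable from the internet (it is still worth reviewing, but it is a different finding); and the Cloud SQL check has to accept the legacy `requireSsl` flag only when the newer `sslMode` is absent, because `sslMode` is authoritative when both are present.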