Knowledge Base
Along with better visibility, compliance, and faster remediation for your cloud infrastructure, Conformity also has a growing public library of 1000+ cloud infrastructure configuration best practices for your AWS™, Microsoft® Azure, Alibaba Cloud and Google Cloud™ environments, providing simple, step-by-step resolutions to rectify security vulnerabilities, performance and cost inefficiencies, and reliability risks. This catalogue of cloud guardrails is a core part of Conformity, which automatically monitors and auto-remediates cloud infrastructure.
Please note: Alibaba Cloud is currently available only in Trend Vision One™ and not in Trend Cloud One™ – Conformity.
Below are the clouds, services, and their associated best-practice rules, with clear instructions on how to perform the updates, either through the console or via the Command Line Interface (CLI).
-
AWS Certificate Manager
To easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources
-
Amazon API Gateway
Create, maintain, and secure APIs at any scale
-
Amazon AccessAnalyzer
-
Amazon AppFlow
Amazon AppFlow is a fully managed integration service that enables you to securely exchange data between software-as-a-service (SaaS) applications
-
AWS App Mesh
AWS App Mesh is a service mesh that makes it easy to monitor and control services.
-
Amazon Athena
Start querying data instantly. Get results in seconds. Pay only for the queries you run.
-
AWS Auto Scaling
Application scaling to optimize performance and costs
-
AWS Backup
Centrally manage and automate backups across AWS services
-
Amazon Bedrock
Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies like AI21 Labs, Anthropic, Cohere, Meta, Mistral AI, Stability AI, and Amazon through a single API, along with a broad set of capabilities you need to build generative AI applications with security, privacy, and responsible AI.
-
AWS Budgets
Set custom budgets that alert you when you exceed your budgeted thresholds.
-
AWS CloudFormation
Model and provision all your cloud infrastructure resources
-
Amazon CloudFront
Fast, highly secure and programmable content delivery network (CDN)
-
AWS CloudTrail
Track user activity and API usage
-
Amazon CloudWatch
Observability of your AWS resources and applications on AWS and on-premises
-
Amazon CloudWatch Events
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources
-
Amazon CloudWatch Logs
Monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources
-
AWS CodeBuild
Build and test code with automatic scaling
-
Amazon Comprehend
Discover insights and relationships in text
-
AWS Compute Optimizer
Recommends optimal AWS resources to reduce costs and improve performance for your workloads
-
AWS Config
Record and evaluate configurations of your AWS resources
-
AWS ConfigService
AWS ConfigService is a fully managed service that provides you with a detailed inventory of your AWS resources and their current configurations.
-
AWS Cost Explorer
-
Amazon DynamoDB Accelerator
Fully managed, in-memory cache for DynamoDB
-
Amazon Data Lifecycle Manager
Manage the lifecycle of your AWS resources
-
AWS Database Migration Service
Migrate your databases to AWS with minimal downtime
-
Amazon DocumentDB
Fast, scalable, highly available MongoDB-compatible database service
-
Amazon DynamoDB
Fast and flexible NoSQL database service for any scale
-
Amazon Elastic Block Store (EBS)
Easy to use, high performance block storage at any scale
-
Amazon EC2
Secure and resizable compute capacity in the cloud. Launch applications when needed without upfront commitments
-
Amazon Elastic Container Registry
Easily store, manage, and deploy container images
-
Amazon Elastic Container Service (ECS)
Run containerized applications in production
-
Amazon Elastic File System (EFS)
Scalable, elastic, cloud-native file system for Linux
-
Amazon Elastic Kubernetes Service (EKS)
Highly available, scalable, and secure Kubernetes service
-
Elastic Load Balancing
Achieve fault tolerance for any application by ensuring scalability, performance, and security
-
Elastic Load Balancing V2
Achieve fault tolerance for any application by ensuring scalability, performance, and security
-
Amazon EMR
Easily run and scale Apache Spark, Hadoop, HBase, Presto, Hive, and other big data frameworks
-
Amazon ElastiCache
Managed, Redis or Memcached-compatible in-memory data store
-
AWS Elastic Beanstalk
Easy to begin, impossible to outgrow
-
Amazon OpenSearch Service
Fully managed, scalable, and secure OpenSearch service
-
Amazon FSx
Fully managed third-party file systems
-
Amazon Kinesis Data Firehose
Prepare and load real-time data streams into data stores and analytics tools
-
AWS Glue
Simple, flexible, and cost-effective ETL
-
Amazon GuardDuty
Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring
-
AWS Health
Provides ongoing visibility into the state of your AWS resources, services, and accounts
-
AWS Identity and Access Management (IAM)
Securely manage access to AWS services and resources
-
Amazon Inspector
Automated security assessment service to help improve the security and compliance of applications deployed on AWS
-
Amazon Inspector 2
The new version of Amazon Inspector has undergone a comprehensive rearchitecture, streamlining vulnerability management by automating processes and promptly delivering findings to swiftly detect emerging vulnerabilities. Once enabled, the new Inspector service diligently locates all your workloads and maintains a continuous cycle of vulnerability scans for both software and unintended network exposures.
-
AWS Key Management Service
Easily create and control the keys used to encrypt your data
-
Amazon Kinesis
Easily collect, process, and analyze video and data streams in real time
-
AWS Lambda
Run code without thinking about servers. Pay only for the compute time you consume
-
Amazon MQ
Managed message broker service for Apache ActiveMQ
-
Amazon Managed Streaming for Apache Kafka
Fully managed, highly available, and secure Apache Kafka service
-
Amazon Macie
A machine learning-powered security service to discover, classify, and protect sensitive data
-
AWS Macie v2
-
Compliance and Certifications
Ensure your AWS services are compliant towards certification classification.
-
Amazon Neptune
Fast, reliable graph database built for the cloud
-
AWS Network Firewall
-
AWS Organizations
Central governance and management across AWS accounts
-
Amazon Relational Database Service
Set up, operate, and scale a relational database in the cloud with just a few clicks
-
Conformity Real-Time Threat monitoring
A Real-time threat detection tool
-
Amazon Redshift
The most popular and fastest growing cloud data warehouse
-
AWS Resource Groups
Organize your AWS resources
-
Amazon Route 53
A reliable and cost-effective way to route end users to Internet applications
-
Amazon Route 53 Domains
A reliable and cost-effective way to manage domain names
-
Amazon S3
Object storage built to store and retrieve any amount of data from anywhere
-
Amazon Simple Email Service
Flexible, affordable, and highly scalable email sending and receiving service for businesses and developers
-
Amazon Simple Notification Service (SNS)
Fully managed pub/sub messaging for microservices, distributed systems, and serverless applications
-
Amazon Simple Queue Service
Fully managed message queues for microservices, distributed systems, and serverless applications
-
AWS Systems Manager
Gain operational insights and take action on AWS resources
-
Amazon SageMaker
Machine learning for every developer and data scientist
-
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
-
AWS Security Hub
Centrally view and manage security alerts and automate compliance checks
-
Service Quotas
Service Quotas enables you to view and manage your quotas for AWS services from a central location.
-
AWS Shield
Managed DDoS protection
-
AWS Storage Gateway
Hybrid cloud storage with local caching
-
AWS Support
AWS Support
-
AWS Transfer
Fully managed SFTP service
-
AWS Trusted Advisor
Reduce Costs, Increase Performance, and Improve Security
-
Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define
-
AWS WAF - Web Application Firewall
Protect your web applications from common web exploits
-
AWS Well-Architected
Learn, measure, and build using architectural best practices
-
AWS WorkDocs
Secure content collaboration, simplified
-
Amazon WorkSpaces
Access your desktop anywhere, anytime, from any device
-
AWS X-Ray
Analyze and debug production, distributed applications
-
AI Services
Azure AI services help developers and organizations rapidly create intelligent, cutting-edge, market-ready, and responsible applications with out-of-the-box, prebuilt, and customizable APIs and models.
-
AKS
Microsoft AKS allows you to quickly deploy a production-ready Kubernetes cluster in Azure
-
API Management
Microsoft Azure API Management is a hybrid, multicloud management platform for APIs across all environments. As a platform-as-a-service, API Management supports the complete API lifecycle.
-
Access Control
Microsoft Entra ID Access Control (also known as Access Control Service or ACS) is a cloud-based service that provides an easy way of authenticating and authorizing users to gain access to your web applications and services
-
Microsoft Entra ID
Microsoft Entra ID provides an identity platform with enhanced security, access management, scalability, and reliability for connecting users with all the apps they need.
-
Activity Log
The Azure Activity Log provides insight into subscription-level events that have occurred in Azure
-
Advisor
Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments.
-
AppService
Azure AppService
-
Container Apps
Run modern apps and microservices using serverless containers.
-
Container Registry
Azure Container Registry is a managed registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your container images and related artifacts.
-
CosmosDB
Microsoft Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide.
-
Front Door
Azure Front Door is Microsoft’s modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applications’ static and dynamic web content across the globe.
-
Azure Functions
Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.
-
KeyVault
Microsoft Azure Key Vault enables you to securely store and access secrets within your Azure cloud environment
-
Locks
Microsoft Azure Locks provide a way for administrators to lock down resources to prevent deletion or changing of a resource
-
Machine Learning
Use an enterprise-grade AI service for the end-to-end machine learning (ML) lifecycle.
-
Monitor
Monitor your applications and infrastructure
-
MySQL
Azure Database for MySQL servers
-
Network
Network
-
Policy
Policy
-
PostgreSQL
Azure Database for PostgreSQL servers
-
Recovery Services
Azure Recovery Services provides multiple backup solutions based on the backup requirement and infrastructure topology
-
Redis Cache
-
Resources
-
Search
-
Defender
Security posture management for cloud workloads
-
Service Bus
Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics.
-
Sql
Azure Database for SQL servers
-
Storage Accounts
An Azure storage account contains all of your Azure Storage data objects
-
Subscriptions
-
Synapse
Azure Synapse is a limitless analytics service that brings together enterprise data warehousing and Big Data analytics.
-
Virtual Machines
Virtual machines for your applications and infrastructure
-
GCP APIGateway
-
GCP ArtifactRegistry
Artifact Registry enables you to centrally store artifacts and build dependencies as part of an integrated Google Cloud experience.
-
GCP BigQuery
BigQuery's serverless architecture lets you use SQL queries to analyze your data. You can store and analyze your data within BigQuery or use BigQuery to assess your data where it lives. To test how it works for yourself, query data—without a credit card—using the BigQuery sandbox.
-
GCP CertificateManager
Certificate Manager securely stores and deploys certificates to your selected proxies, which lets you provision certificates in advance and helps ensure zero downtime during migrations.
-
GCP API
Google Cloud APIs are programmatic interfaces to Google Cloud Platform services. They are a key part of Google Cloud Platform, allowing you to easily add the power of everything from computing to networking to storage to machine-learning-based data analysis to your applications.
-
GCP CloudCDN
Cloud CDN works with the global external Application Load Balancer or the classic Application Load Balancer to deliver content to your users. The external Application Load Balancer provides the frontend IP addresses and ports that receive requests and the backends that respond to the requests.
-
GCP Domain Name System (DNS)
Cloud DNS offers both public zones and private managed DNS zones. A public zone is visible to the public internet, while a private zone is visible only from one or more Virtual Private Cloud (VPC) networks that you specify.
-
GCP Cloud Function
Cloud Functions is a serverless execution environment for building and connecting cloud services. With Cloud Functions you write simple, single-purpose functions that are attached to events emitted from your cloud infrastructure and services. Your function is triggered when an event being watched is fired, or by an HTTP request.
-
GCP Identity and Access Management (IAM)
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.
-
GCP Cloud Key Management Service (KMS)
Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. You can use these keys and perform these operations by using Cloud KMS directly, by using Cloud HSM or Cloud External Key Manager, or by using Customer-Managed Encryption Keys (CMEK) integrations within other Google Cloud services.
-
GCP Cloud Load Balancing
A load balancer distributes user traffic across multiple instances of your applications. By spreading the load, load balancing reduces the risk that your applications experience performance issues. Google's Cloud Load Balancing is built on reliable, high-performing technologies such as Maglev, Andromeda, Google Front Ends, and Envoy—the same technologies that power Google's own products.
-
GCP Cloud Logging
Cloud Logging is a fully managed service that allows you to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. Using BindPlane, you can also collect this data from over 50 common application components, on-premises systems, and hybrid cloud systems.
-
GCP Cloud Pub/Sub Service
Pub/Sub is an asynchronous and scalable messaging service that decouples services producing messages from services processing those messages.
-
GCP Cloud Run
Cloud Run is a fully managed platform that enables you to run your code directly on top of Google’s scalable infrastructure. Cloud Run is simple, automated, and designed to make you more productive.
-
GCP Cloud SQL
Cloud SQL manages your databases so you don't have to, so your business can run without disruption. It automates all your backups, replication, patches, encryption, and storage capacity increases to give your applications the reliability, scalability, and security they need.
-
GCP Cloud Storage
Cloud Storage's nearline storage provides fast, low-cost, highly durable storage for data accessed less than once a month, reducing the cost of backups and archives while still retaining immediate access. Backup data in Cloud Storage can be used for more than just recovery because all storage classes have millisecond latency and are accessed through a single API.
-
GCP VPC
Google Cloud Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) containers, and serverless workloads. VPC provides networking for your cloud-based services that is global, scalable, and flexible.
-
GCP Compute Engine
Compute Engine is a computing and hosting service that lets you create and run virtual machines on Google infrastructure, comparable to Amazon EC2 and Azure Virtual Machines. Compute Engine offers scale, performance, and value that lets you easily launch large compute clusters with no up-front investment.
-
GCP Dataproc Service
Use Dataproc Serverless to run Spark batch workloads without provisioning and managing your own cluster. Specify workload parameters, and then submit the workload to the Dataproc Serverless service. The service will run the workload on a managed compute infrastructure, autoscaling resources as needed. Dataproc Serverless charges apply only to the time when the workload is executing.
-
GCP Google Kubernetes Engine Service
A GKE cluster has a control plane and machines called nodes. Nodes run the services supporting the containers that make up your workload. The control plane decides what runs on those nodes, including scheduling and scaling. Autopilot mode manages this complexity; you simply deploy and run your apps.
-
GCP IAM
Identity and Access Management (IAM) lets you create and manage permissions for Google Cloud resources. IAM unifies access control for Google Cloud services into a single system and presents a consistent set of operations.
-
GCP Resource Manager
Google Cloud provides resource containers such as organizations, folders, and projects that allow you to group and hierarchically organize other Google Cloud resources. This hierarchical organization lets you easily manage common aspects of your resources such as access control and configuration settings. Resource Manager enables you to programmatically manage these resource containers.
-
GCP VertexAI
Vertex AI combines data engineering, data science, and ML engineering workflows, enabling your teams to collaborate using a common toolset and scale your applications using the benefits of Google Cloud.
-
Alibaba Cloud ACK
A Kubernetes-based service that ensures high efficiency for enterprises by running containerized applications on the cloud
-
Alibaba Cloud ActionTrail
ActionTrail tracks your Alibaba Cloud account actions and records them as events to facilitate auditing. ActionTrail allows you to deliver these events to the specified Log Service Logstores and Object Storage Service (OSS) buckets. You can also query and download the recorded events. Then, you can perform behavior analysis, security analysis, and compliance auditing and track resource changes based on the events.
-
Alibaba Cloud ECS
Elastic Compute Service (ECS) is a high-performance, stable, reliable, and scalable IaaS-level service provided by Alibaba Cloud. ECS eliminates the need for upfront investments in IT hardware and allows you to scale computing resources on demand.
-
Alibaba Cloud OSS
Alibaba Cloud Object Storage Service (OSS) provides industry-leading scalability, durability, and performance. Customers of all sizes and industries can use it to store and protect any amount of data for use cases such as backup and restore, content distribution, data lakes, websites, mobile applications, data archives, and IoT devices.
-
Alibaba Cloud RAM
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users (including employees, systems, or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel, and partners.
-
Alibaba Cloud RDS
ApsaraDB RDS is a stable, reliable, cost-effective, and scalable online database service. ApsaraDB RDS supports most mainstream database engines, including MySQL, SQL Server, PostgreSQL, and MariaDB. ApsaraDB RDS provides a comprehensive portfolio of solutions for disaster recovery, backup, restoration, monitoring, and migration to facilitate database O&M.
-
Alibaba Cloud SLS
Simple Log Service is a cloud-native observation and analysis platform that provides large-scale, low-cost, and real-time services to process multiple types of data such as logs, metrics, and traces. Simple Log Service allows you to collect, transform, query, analyze, visualize, ship, and consume data. SLS helps enterprises improve their digital capabilities in terms of R&D, O&M, and data security.
-
Alibaba Cloud Security Center
Security Center is a centralized security management system that dynamically identifies and analyzes security threats, and generates alerts when threats are detected. Security Center provides multiple features to ensure the security of cloud resources and servers in data centers. The features include anti-ransomware, antivirus, web tamper proofing, container image scan, and compliance check.
-
Alibaba Cloud VPC
VPC helps you build an isolated network environment on Alibaba Cloud, including customizing the IP address range, network segments, route tables, and gateways. In addition, you can connect a VPC and a traditional IDC through a leased line, VPN, or GRE tunnel to provide hybrid cloud services.