Policy sets

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
The Cloud Configuration Governance policy sets and their policies are listed below for your reference.

Table 1. Cloud Configuration Governance policy sets

Policy Set Name: AWS 1.4.0
Description: Amazon Web Services Foundations Benchmark (Automated) v1.4.0 - 05-28-2021
Policies:
  • Ensure IAM Users Receive Permissions Only Through Groups (Automated)
  • Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • Ensure IAM password policy requires minimum length of 14 or greater (Automated)
  • Ensure a support role has been created to manage incidents with AWS Support (Automated)
  • Eliminate use of the 'root' user for administrative and daily tasks (Automated)
  • Ensure hardware MFA is enabled for the 'root' user account (Automated)
  • Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)
  • Ensure access keys are rotated every 90 days or less (Automated)
  • Ensure there is only one active access key available for any single IAM user (Automated)
  • Ensure IAM policies that allow full "*:*" administrative privileges are not attached (Automated)
  • Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed (Automated)
  • Ensure IAM password policy prevents password reuse (Automated)
  • Ensure that IAM Access Analyzer is enabled for all regions (Automated)
  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Automated)
  • Ensure credentials unused for 45 days or greater are disabled (Automated)
  • Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • Ensure no 'root' user account access key exists (Automated)
  • Ensure MFA is enabled for the 'root' user account (Automated)
  • Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)

Policy Set Name: Azure 1.4.0
Description: Microsoft Azure Foundations Benchmark v1.4.0 - 11-26-2021
Policies:
  • Ensure that logging for Azure KeyVault is 'Enabled' (Automated)
  • Ensure Web App is using the latest version of TLS encryption (Automated)
  • Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account (Automated)
  • Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests (Automated)
  • Ensure Diagnostic Setting captures appropriate categories (Automated)
  • Ensure that VA setting 'Send scan reports to' is configured for a SQL server (Automated)
  • Ensure That 'Notify about alerts with the following severity' is Set to 'High' (Automated)
  • Ensure 'Additional email addresses' is Configured with a Security Contact Email (Automated)
  • Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service (Automated)
  • Ensure That 'All users with the following roles' is set to 'Owner' (Automated)
  • Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests (Automated)
  • Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests (Automated)
  • Ensure that 'Unattached disks' are encrypted with CMK (Automated)
  • Ensure that VA setting 'Periodic recurring scans' is set to 'on' for each SQL server (Automated)
  • Ensure SQL server's TDE protector is encrypted with Customer-managed key (Automated)
  • Ensure the key vault is recoverable (Automated)