18.1 Release Notes
The first release of the year, 18.1, dives deeper into industry compliance standards, provides greater Google Cloud Platform and VMware support, and enhances badge capabilities within the tool.
Insights have grown since their introduction late last year. Now, Insights suggest actions to resolve findings, show how enabled bots have taken action to enforce compliance and can flag issues as resolved.
Next, DivvyCloud expands and enhances its cloud coverage across Google and VMware by adding support for additional resources as well as server provisioning capabilities and lifecycle actions.
Lastly, you can now do more with Badges, a DivvyCloud feature that allows you to add and use global metadata to manage your cloud infrastructure. You can now dynamically scope Bots using AND/OR logic, add Badges to new or existing cloud accounts, and leverage them to simplify role-based access at scale.
Insights and Industry Compliance Standard Support
- Tighter compliance context surrounding various frameworks
- Recommendations for automated correction, monitoring and enforcement using Bots
- Visualize results of corrective actions taken by Bots to keep infrastructure in compliance with Insight Packs
Additional Cloud Support
VMware
- Provision virtual machines
- Resize virtual machines
- Virtual machine snapshots
- Support for vApps
Google Cloud Platform
- Added support for Google Cloud Storage
- Extended support for Google Cloud SQL
- Added support for Google Cloud Functions
Amazon Web Services
- Support for ACM (Certificate Manager)
- S3 bucket website configuration
- S3 bucket lifecycle configuration
Enhanced Badge Support
- Dynamically scope Bots using AND/OR logic
- Automatically add System Badges to existing and future cloud accounts
- Associate badge key/value scopes with a role for identity management
Improved Cloud Listing
The Clouds view now shows additional data about connected cloud accounts and allows sorting on a variety of key properties. Visual status indicators are now included when one or more cloud accounts are in an impaired state.
Global Health Check
18.1 now includes a global health check. If the system has not harvested anything across the whole organization in four hours, customers will see an alert at the top of the screen when they log in, regardless of which page they are redirected to after login. This message can be dismissed and will not show again unless the client is reloaded. * Note: If you see this as a developer, it's because you haven't harvested in four hours. Don't panic! ;)
New Automation Actions
Disable User Account
Prevent a user from accessing the account's resources for a certain time. This is helpful if someone has left the company, if they have disabled multifactor authentication, or if their key is too old and/or has not been used in a specific amount of time.
Disable API Key
Disabling an API key means it cannot be used for API calls. You can do this when rotating keys, or even when revoking user or application access altogether.
Set Minimum/Maximum Autoscaling Group Size
Ensuring your Autoscaling Groups never go over or under a certain size can help with cost allocation and availability.
Enable/Disable Encryption Key Rotation
Automatically toggle the key rotation property for encryption keys such as AWS KMS keys.
New Insights, Filters, & Bots
Load Balancer Type
Filtering for specific load balancer types, i.e., classic, application, or network, lets you find orphaned load balancers, which is good for cost and containment.
Load Balancer Has Impaired Instances
Works across all three types of load balancers. We surface any unhealthy hosts, which helps with cost and ensures your load balancers are functioning correctly.
Instances In/Not In Autoscaling Group
Filter for instances participating or not participating in Autoscaling Groups.
Autoscaling Group Subnet Count
Filter to determine the number of subnets an Autoscaling Group is using.
Autoscaling Does/Does Not Support Multiple Availability Zones
Filter to identify Autoscaling Groups that are or are not in multiple Availability Zones.
Cloud User With Multiple API Keys
Filtering to find users with multiple API keys helps enforce least-privilege access, aiding in policy and regulatory compliance.
Encryption Keys Without Key Rotation
Rotating encryption keys reduces the blast radius of material leaked by a single key compromise. Finding keys that are not rotated and ensuring rotation can help strengthen security measures.
Exposed Elasticsearch Instances
Finding exposed Elasticsearch instances and locking down access to them protects sensitive data and adheres to industry best practices.
Database Instances Without Automatic Backups
Database instances are used to persist important data, which must be backed up in case of any unforeseen issues.
Cloud User API Key Active/Inactive
Filtering to find users with active or inactive API keys helps enforce least-privilege access, aiding in policy and regulatory compliance.
Database Instances Not Enforcing Transit Encryption
Enforcing transit encryption helps ensure the authenticity, integrity, and privacy of data in transit.
Resource Access List Rule Source Network
Filter to find potentially malicious or unapproved IP ranges within rule definitions.
Big Data Instance Security Group Exposed
Expansion of the Database Instance Security Group Exposed filter, which finds instances with Security Groups permitting public access.
Security Group With Non-RFC 1918 IP Addresses
Customers can now identify Security Group rules that reference public (non-RFC 1918) IP addresses rather than private ones, which is especially important for highly regulated customers who cannot have public-facing compute capacity.
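As an added illustration of what the Rule Source Network and Non-RFC 1918 filters above check (example code written here, not DivvyCloud's own implementation), this Python snippet classifies rule source networks against the RFC 1918 blocks and against an approved allow-list. The rule records, the allow-list and the field names are constructed assumptions.

```python
import ipaddress

# RFC 1918 private address blocks; a rule whose source lies outside these is "public".
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True when the whole CIDR sits inside one RFC 1918 block (IPv4 only)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918_BLOCKS)


def is_covered(cidr, allowed):
    """True when the CIDR is contained in at least one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def non_rfc1918_rules(rules):
    """Security Group With Non-RFC 1918 IP Addresses: names of rules with a public source."""
    return [r["name"] for r in rules
            if not r["source"].startswith("sg-") and not is_rfc1918(r["source"])]


def unapproved_source_rules(rules, approved_cidrs):
    """Resource Access List Rule Source Network: names of rules whose source is not approved."""
    allowed = [ipaddress.ip_network(a) for a in approved_cidrs]
    return [r["name"] for r in rules
            if not r["source"].startswith("sg-") and not is_covered(r["source"], allowed)]


# Constructed sample rules; a "source" of sg-... is a security-group reference, not a CIDR.
SAMPLE_RULES = [
    {"name": "ssh-from-office", "source": "203.0.113.0/24"},
    {"name": "app-internal", "source": "10.20.0.0/16"},
    {"name": "db-open-to-world", "source": "0.0.0.0/0"},
    {"name": "lb-to-app", "source": "sg-0a1b2c3d"},
]
APPROVED = ["10.0.0.0/8", "203.0.113.0/24"]   # constructed allow-list

if __name__ == "__main__":
    print("non-RFC 1918 sources:", non_rfc1918_rules(SAMPLE_RULES))
    print("unapproved sources:", unapproved_source_rules(SAMPLE_RULES, APPROVED))
```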
Network Peers Connected to Unknown Accounts
Identify network peering across account IDs that are not connected to the DivvyCloud platform or not in your AWS Organization.
Compute Instance Source Image Exceeds Age
Filtering to find instances whose underlying image exceeds a given age. Older images are likely to have out-of-date packages or outstanding system errata.
Compute Instances With Unencrypted Volumes
This is helpful if you have to adhere to specific regulatory frameworks, such as HIPAA, that mandate that such data must be encrypted.
Storage Container Default Storage Class
Filter to find storage containers by storage class type. This information can help you understand the cost, availability per region, and monthly uptime percentage for your storage containers.
Storage Container Is/Is Not Website
Find storage containers that have or have not been configured to serve as websites, so that intentionally public website containers are not reported as exposed to the world, which helps remove false positives.
Storage Container With/Without Lifecycle Policy
Filter to find storage containers that have lifecycle policies in place, e.g., archive objects older than X. This helps with cost containment and control.
For Amazon Web Services customers, the role/user policy associated with each connected account will need to be adjusted to include the following permissions:
"acm:ListCertificates", "acm:DescribeCertificate", "acm:ListTagsForCertificate", "acm:RemoveTagsFromCertificate", "acm:AddTagsToCertificate"
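To check a connected account's policy for the ACM permissions listed above before upgrading, here is an added Python helper (written for this note, not DivvyCloud's code) that reports which required actions a policy document does not grant. It assumes a standard IAM policy document as a Python dict and, as a simplification, ignores Resource and Condition elements and NotAction statements; the sample policy is constructed.

```python
import fnmatch

# The ACM permissions required by the 18.1 release notes.
REQUIRED_ACM_ACTIONS = [
    "acm:ListCertificates", "acm:DescribeCertificate", "acm:ListTagsForCertificate",
    "acm:RemoveTagsFromCertificate", "acm:AddTagsToCertificate",
]


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy_doc, required=REQUIRED_ACM_ACTIONS):
    """Return the required actions this policy document does not grant.

    Assumptions: Resource, Condition and NotAction are ignored; an explicit
    Deny that matches an action overrides any Allow, as in IAM evaluation.
    """
    allows, denies = [], []
    for stmt in _as_list(policy_doc.get("Statement")):
        target = allows if stmt.get("Effect") == "Allow" else denies
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required if not _matches(a, allows) or _matches(a, denies)]


# Constructed example of a pre-18.1 policy that lacks most of the new ACM permissions.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "acm:ListCertificates"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in missing_actions(OLD_POLICY):
        print("missing:", action)
```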