18.3 Release Notes

Release 18.3 adds support for several services within Amazon Web Services and enriches cloud compliance, security and governance across these areas. Several compliance packs, including NIST 800-53 and NIST CSF, have had over a dozen Insights associated with them, based on the new cloud support and filters included in this release.

The release also focuses on surfacing additional information and context around system diagnostics and harvesting information. Notifications are now sent via Email and Slack when harvesting is in an impaired state. The cloud listing now includes the ability to drill down and identify visibility gaps in the impacted resource type(s) based on the associated policy.

Release Highlights

Additional Cloud Support

Amazon Web Services

  • Support for DynamoDB
  • Support for DynamoDB Accelerator (DAX)
  • Support for Workspaces
  • Support for Simple Queue Service (SQS)
  • External ID can now be associated with Instance Assume Role authentication

Improved Insight Library View

The Insight Library now has additional sorting, filtering and direct linking capabilities which make it easier than ever to consume and report on Insight data.

Harvester Diagnostics

When harvesting is in an impaired state, a notification is now sent to all Domain Administrators within the installation. This notification triggers when harvesting has not run across any organization within an installation for an extended period of time.

Invalid Permissions Context

Missing permissions are now surfaced via the Clouds section of the tool. This new capability improves product usability and makes it easier to chase down missing permissions which impact cloud visibility.

Insight Timeseries Explorer

The timeseries graph in both the Insight and Insight Pack views can now be customized with date ranges to explore counts up to 90 days in the past.

Custom Navigation Menus

Domain Administrators now have fine-grained control over the navigation menu options which are visible within the tool. This capability enables customers to show/hide sections of the product that they do/do not want exposed to specific user communities.

Filter Categories

Filter categorization is now included in the Resources section making it easier to navigate the hundreds of filters contained within the product.

Jinja Template Validation

Email, Slack and Splunk actions which leverage Jinja2 templating are now passed through template validation to ensure the integrity of the contents.

Harvest Info View

The harvest information view within Clouds Overview has been updated to make it easier to navigate and identify the last time specific resource types have been successfully harvested within a particular region.

New Automation Actions

Delete Distributed Table Cluster

Permanently delete a table cluster such as AWS DynamoDB Accelerator. This action will remove the cluster and all associated nodes from the account.

Reboot Distributed Table Cluster

Reboot one or more nodes associated with a distributed table cluster. This can be useful when changes to the underlying parameter group are applied.

Create Distributed Table Backup

Create a point-in-time, on-demand backup for a distributed table, e.g., AWS DynamoDB.

Delete Distributed Table

Permanently delete a distributed table, e.g., AWS DynamoDB. This action will remove the table and all associated records from the account.

Mirror Instance Tags To Backup AMI

When creating a private image/backup of an instance within the tool, the tags associated with the parent instance can be mirrored and kept in sync. This is similar to how tags are mirrored between Instances/Volumes and Volumes/Snapshots.

Delete Message Queue

Permanently destroy a message queue (e.g. AWS SQS). This action will remove the queue from the account.

Send Message To Queue

Send a message to a particular queue. This action allows the user to create and send a message to the selected queue.

New Filters

Distributed Table Cluster Is World Accessible

Identify clusters with an attached security group that expose access to the cluster from the world (0.0.0.0/0).

Distributed Table At Rest Encryption

Identify distributed tables such as AWS DynamoDB which have encryption at rest enabled or disabled.

Distributed Table Automated Backups

Identify distributed tables which do not have automated backups enabled.

Distributed Table Is Global

Identify distributed tables which are geo-replicated and accessible from regions around the globe.

Distributed Table Lifecycle Status

Identify distributed tables in a particular lifecycle status, e.g., creating, updating, active, etc.

Distributed Table Size Exceeds

Identify distributed tables whose size exceeds the given threshold in bytes.

Distributed Table Stream Specification

Identify distributed tables which have stream specification enabled or disabled.

Message Queue Delayed Message Count Exceeds

Identify message queue resources whose delayed message count exceeds a user-defined threshold.

Message Queue Encrypted At Rest

Identify message queue resources which are/are not encrypted at rest.

Message Queue Message Count Exceeds

Identify message queue resources with a queue count that exceeds a user-defined threshold.

Message Queue Type

Identify message queue resources based on their type (standard vs first-in, first-out [FIFO]).

Cloud Role Max Session Duration Exceeds

Identify service roles which have a max session duration that exceeds a user-defined threshold.

Workspace Last Connection

Identify AWS Workspace resources based on the last time they were used. This can be useful for identifying idle/orphaned Workspace resources which may no longer be required.

Workspace By Bundle ID

Identify AWS Workspace resources based upon their bundle ID, which identifies the bundle, e.g., Standard with Windows 10 (English), used by the Workspace.

Workspace Lifecycle Exceeds Threshold

Identify AWS Workspace resources which have been in a particular state for longer than a user-defined threshold.

Workspace User Association

Identify Workspace resources based on the associated user account.

Workspace Without Root Volume Encryption

Identify AWS Workspaces without a root volume encrypted at rest.

Workspace Without User Volume Encryption

Identify AWS Workspaces without secondary user volumes encrypted at rest.

Workspace Lifecycle State

Identify AWS Workspaces by lifecycle state (e.g. “pending”, “unhealthy”, “starting”).

Workspace By Running Mode

Identify AWS Workspaces by Running Mode (Auto-Stop or Always On).

Workspace Operating System

Identify AWS Workspaces by operating system (e.g. Windows 10).

Workspace Compute Type

Identify AWS Workspaces by compute type (e.g. standard, power, graphics).

Developer/Administrator Notes

Important

For Amazon Web Services customers, the role/user policy associated with each connected account will need to be adjusted to include the permissions below. Without these permissions, visibility into these services will not be possible.

"dynamodb:DescribeTable",
"dynamodb:DescribeGlobalTable",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:ListGlobalTables",
"dynamodb:ListTagsOfResource",
"dax:DescribeClusters",
"dax:DescribeTable",
"dax:ListTables",
"dax:ListTags",
"kms:GetKeyPolicy",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ListQueueTags",
"workspaces:DescribeTags",
"workspaces:DescribeWorkspaces",
"workspaces:DescribeWorkspaceBundles",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:DescribeWorkspaceDirectories"
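To check a connected account's policy against this list before upgrading, the following added example (not DivvyCloud's own code) takes an IAM policy document and reports which of the required actions it does not grant, honouring IAM's case-insensitive wildcard matching and explicit Deny statements; it also builds the Allow statement to append. The sample policy is constructed for illustration, and the statement Sid is an assumed name.

```python
import fnmatch
import json

# Read-only actions release 18.3 requires, copied from the release note above.
REQUIRED_ACTIONS = [
    "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListBackups",
    "dynamodb:ListTables", "dynamodb:ListGlobalTables", "dynamodb:ListTagsOfResource",
    "dax:DescribeClusters", "dax:DescribeTable", "dax:ListTables", "dax:ListTags",
    "kms:GetKeyPolicy",
    "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags",
    "workspaces:DescribeTags", "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeWorkspaceDirectories",
]

def action_patterns(policy, effect):
    """Collect the Action patterns of every statement with the given Effect (wildcards kept)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # IAM allows a single statement without the list
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in patterns]   # IAM action names match case-insensitively

def matches(action, patterns):
    """True if an action name matches any pattern; '*' and '?' behave as in IAM."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant: not allowed, or explicitly denied."""
    allow, deny = action_patterns(policy, "Allow"), action_patterns(policy, "Deny")
    return sorted(a for a in required if matches(a, deny) or not matches(a, allow))

def harvest_statement(required=REQUIRED_ACTIONS):
    """Statement to append to the connected account's policy document for 18.3 (Sid is assumed)."""
    return {"Sid": "DivvyCloud183Harvest", "Effect": "Allow",
            "Action": sorted(required), "Resource": "*"}

# Constructed sample: a pre-18.3 policy with wildcard DynamoDB reads and an SQS deny.
EXISTING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Describe*", "dynamodb:List*", "sqs:ListQueues"], "Resource": "*"},
    {"Effect": "Deny", "Action": "sqs:*", "Resource": "*"}
  ]
}""")
```

Running `missing_actions(EXISTING_POLICY)` on the sample lists the 13 actions still missing (all DAX, KMS, Workspaces and SQS reads, including sqs:ListQueues because of the Deny), and `json.dumps(harvest_statement(), indent=2)` prints the statement to add.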

Customers not running Docker will need to run the following command prior to upgrading. It must be run within the DivvyCloud virtual environment, on each node.

pip install --upgrade setuptools==39.1.0