18.3 Release Notes¶
Release 18.3 adds support for several additional Amazon Web Services services and extends cloud compliance, security and governance coverage to them. Several compliance packs, including NIST 800-53 and NIST CSF, have each gained over a dozen Insights built on the new cloud support and filters included in this release.
The release also surfaces additional information and context around system diagnostics and harvesting. Notifications are now sent via Email and Slack when harvesting is in an impaired state, and the cloud listing can now be drilled down to identify visibility gaps by the impacted resource type(s) for the associated policy.
Additional Cloud Support¶
Amazon Web Services
- Support for DynamoDB
- Support for DynamoDB Accelerator (DAX)
- Support for WorkSpaces
- Support for Simple Queue Service (SQS)
- An External ID can now be associated with Instance Assume Role authentication, so the trust policy of the customer-side role can require it (the standard AWS mitigation for the confused deputy problem)
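As an added illustration that is not part of the release notes, this is the shape of the trust policy on a customer-side role that only allows assumption when the caller presents the configured External ID. The account ID, role name and External ID value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/DivvyCloudHarvesterInstanceRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "example-external-id-placeholder"
        }
      }
    }
  ]
}
```

The External ID is not a secret of the same grade as a credential; its job is to ensure that a role granted to a third-party principal cannot be assumed on behalf of a different customer of that third party.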
Improved Insight Library View¶
The Insight Library now has additional sorting, filtering and direct linking capabilities which make it easier than ever to consume and report on Insight data.
Harvest Impairment Notifications¶
When harvesting is in an impaired state, a notification is now sent to all Domain Administrators within the installation. This notification triggers when harvesting has not run for any organization within an installation for an extended period of time.
Invalid Permissions Context¶
Missing permissions are now surfaced via the Clouds section of the tool. This new capability improves product usability and makes it easier to chase down missing permissions which impact cloud visibility.
Insight Timeseries Explorer¶
The timeseries graph in both the Insight and Insight Pack views can now be customized with date ranges to explore counts up to 90 days in the past.
Filter Categorization¶
Filters are now grouped by category in the Resources section, making it easier to navigate the hundreds of filters contained within the product.
Jinja Template Validation¶
Email, Slack and Splunk actions that use Jinja2 templating now have their templates passed through validation, so a malformed template is caught rather than producing a broken notification.
Harvest Info View¶
The harvest information view within Clouds Overview has been updated to make it easier to navigate and identify the last time specific resource types have been successfully harvested within a particular region.
New Automation Actions¶
Delete Distributed Table Cluster¶
Permanently delete a distributed table cluster, e.g., an AWS DynamoDB Accelerator (DAX) cluster. This action removes the cluster and all associated nodes from the account and cannot be undone.
Reboot Distributed Table Cluster¶
Reboot one or more nodes associated with a distributed table cluster. This can be useful when changes to the underlying parameter group are applied.
Create Distributed Table Backup¶
Create a point-in-time, on-demand backup for a distributed table, e.g., AWS DynamoDB.
Delete Distributed Table¶
Permanently delete a distributed table, e.g., an AWS DynamoDB table. This action removes the table and all of its records from the account; take a backup first (see Create Distributed Table Backup) if the data may still be needed.
Delete Message Queue¶
Permanently delete a message queue (e.g., an AWS SQS queue). This action removes the queue, and any messages still in it, from the account.
Send Message To Queue¶
Send a message to a particular queue. This action allows the user to create and send a message to the selected queue.
Distributed Table Cluster Is World Accessible¶
Identify clusters with an attached security group whose ingress rules allow access to the cluster from anywhere (0.0.0.0/0).
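As an added example that is not DivvyCloud's own code, the check behind a filter of this kind can be written against the shapes the AWS APIs return. It assumes the cluster lists its security group identifiers as in the DAX DescribeClusters response and that each group is described with the EC2 IpPermissions shape; both are assumptions here, and all sample data is constructed. It goes slightly beyond the filter text by also flagging ::/0 and by collapsing adjacent ranges, so a pair of /1 rules that together cover the whole internet is caught as well.

```python
"""Flag a distributed table cluster whose attached security group is open to the world.

Assumptions (not from the release notes): cluster["SecurityGroups"] is a list of
{"SecurityGroupIdentifier": ...} entries (DAX DescribeClusters shape) and each security
group carries EC2-style "IpPermissions". Sample data below is constructed.
"""
import ipaddress


def open_ingress_rules(security_group):
    """Return (protocol, from_port, to_port, cidr) for each ingress rule whose source
    range covers the whole internet, for IPv4 (0.0.0.0/0) and IPv6 (::/0)."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")  # "-1" is EC2's "all protocols"
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        v4 = [ipaddress.ip_network(r["CidrIp"], strict=False) for r in perm.get("IpRanges", [])]
        v6 = [ipaddress.ip_network(r["CidrIpv6"], strict=False) for r in perm.get("Ipv6Ranges", [])]
        for family in (v4, v6):
            # Collapse adjacent ranges so 0.0.0.0/1 plus 128.0.0.0/1 is recognised as 0.0.0.0/0.
            for net in ipaddress.collapse_addresses(family):
                if net.prefixlen == 0:
                    hits.append((proto, from_port, to_port, str(net)))
    return hits


def cluster_is_world_accessible(cluster, security_groups_by_id):
    """Return (sg_id, protocol, from_port, to_port, cidr) findings for the cluster.

    An empty list means no attached group exposes the cluster. Groups missing from the
    inventory are skipped, so an incomplete inventory can only under-report.
    """
    findings = []
    for ref in cluster.get("SecurityGroups", []):
        sg_id = ref.get("SecurityGroupIdentifier")
        sg = security_groups_by_id.get(sg_id)
        if sg is None:
            continue
        findings.extend((sg_id,) + rule for rule in open_ingress_rules(sg))
    return findings


# Constructed sample data; port 8111 is used only as an illustrative cluster port.
SAMPLE_SECURITY_GROUPS = {
    "sg-open": {
        "GroupId": "sg-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8111, "ToPort": 8111,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    "sg-private": {
        "GroupId": "sg-private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8111, "ToPort": 8111,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
}
EXPOSED_CLUSTER = {"ClusterName": "dax-a",
                   "SecurityGroups": [{"SecurityGroupIdentifier": "sg-open", "Status": "active"}]}
PRIVATE_CLUSTER = {"ClusterName": "dax-b",
                   "SecurityGroups": [{"SecurityGroupIdentifier": "sg-private", "Status": "active"}]}

if __name__ == "__main__":
    for cluster in (EXPOSED_CLUSTER, PRIVATE_CLUSTER):
        print(cluster["ClusterName"], cluster_is_world_accessible(cluster, SAMPLE_SECURITY_GROUPS))
```

The finding carries the protocol and port range because an all-traffic rule (`-1`) and a single-port rule to the world deserve different severities even though both match the filter.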
Distributed Table At Rest Encryption¶
Identify distributed tables such as AWS DynamoDB which have encryption at rest enabled or disabled.
Distributed Table Automated Backups¶
Identify distributed tables which do not have automated backups enabled.
Distributed Table Is Global¶
Identify distributed tables which are geo-replicated and accessible from regions around the globe.
Distributed Table Lifecycle Status¶
Identify distributed tables in a particular lifecycle status, e.g., creating, updating, active.
Distributed Table Size Exceeds¶
Identify distributed tables whose size exceeds the given threshold in bytes.
Distributed Table Stream Specification¶
Identify distributed tables which have stream specification enabled or disabled.
Message Queue Delayed Message Count Exceeds¶
Identify message queues whose count of delayed messages exceeds a user-defined threshold.
Message Queue Encrypted At Rest¶
Identify message queue resources which are, or are not, encrypted at rest.
Message Queue Message Count Exceeds¶
Identify message queue resources with a queue count that exceeds a user-defined threshold.
Message Queue Type¶
Identify message queue resources based on their type (standard vs first-in, first-out [FIFO]).
Cloud Role Max Session Duration Exceeds¶
Identify cloud roles whose maximum session duration exceeds a user-defined threshold.
Workspace Last Connection¶
Identify AWS WorkSpaces resources based on the last time they were used. This can be useful for identifying idle or orphaned WorkSpaces which may no longer be required.
Workspace By Bundle ID¶
Identify AWS WorkSpaces resources by their bundle ID, which identifies the bundle, e.g., Standard with Windows 10 (English), used by the WorkSpace.
Workspace Lifecycle Exceeds Threshold¶
Identify AWS WorkSpaces resources which have remained in a particular state for longer than a user-defined threshold.
Workspace User Association¶
Identify Workspace resources based on the associated user account.
Workspace Without Root Volume Encryption¶
Identify AWS WorkSpaces whose root volume is not encrypted at rest.
Workspace Without User Volume Encryption¶
Identify AWS WorkSpaces whose secondary (user) volume is not encrypted at rest.
Workspace Lifecycle State¶
Identify AWS WorkSpaces by lifecycle state (e.g., pending, unhealthy, starting).
Workspace By Running Mode¶
Identify AWS Workspaces by Running Mode (Auto-Stop or Always On).
Workspace Operating System¶
Identify AWS WorkSpaces by operating system (e.g., Windows 10).
Workspace Compute Type¶
Identify AWS WorkSpaces by compute type (e.g., standard, power, graphics).
For Amazon Web Services customers, the policy attached to the role or user for each connected account will need to be extended with the permissions below. Without them, the new services will not be harvested and will not be visible.
- "dynamodb:DescribeTable"
- "dynamodb:DescribeGlobalTable"
- "dynamodb:ListBackups"
- "dynamodb:ListTables"
- "dynamodb:ListGlobalTables"
- "dynamodb:ListTagsOfResource"
- "dax:DescribeClusters"
- "dax:DescribeTable"
- "dax:ListTables"
- "dax:ListTags"
- "kms:GetKeyPolicy"
- "sqs:GetQueueAttributes"
- "sqs:ListQueues"
- "sqs:ListQueueTags"
- "workspaces:DescribeTags"
- "workspaces:DescribeWorkspaces"
- "workspaces:DescribeWorkspaceBundles"
- "workspaces:DescribeWorkspacesConnectionStatus"
- "workspaces:DescribeWorkspaceDirectories"
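As an added example that is not DivvyCloud's own code, the following script computes which of the permissions listed above a given IAM policy document fails to grant, which is the same gap the Clouds section now surfaces as missing permissions (Invalid Permissions Context). It is useful for checking a role before connecting the account. It assumes a standard IAM policy document and ignores Resource and Condition elements, so a statement scoped to a single ARN is treated as granting the action everywhere; that simplification, and the sample policy, are not from the release notes.

```python
"""Report which of the 18.3 required IAM actions a policy document does not grant.

Assumptions (not from the release notes): standard IAM policy JSON; Resource and
Condition elements are ignored (a simplification). SAMPLE_POLICY is constructed.
"""
import fnmatch
import json

# The permissions called out in the 18.3 release notes.
REQUIRED_ACTIONS = [
    "dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListBackups",
    "dynamodb:ListTables", "dynamodb:ListGlobalTables", "dynamodb:ListTagsOfResource",
    "dax:DescribeClusters", "dax:DescribeTable", "dax:ListTables", "dax:ListTags",
    "kms:GetKeyPolicy",
    "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags",
    "workspaces:DescribeTags", "workspaces:DescribeWorkspaces",
    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspacesConnectionStatus",
    "workspaces:DescribeWorkspaceDirectories",
]


def _as_list(value):
    """IAM allows either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_actions(policy, required):
    """Return (allowed, denied) sets over the required actions.

    An explicit Deny wins over any Allow, as in IAM policy evaluation.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        for action in required:
            if actions:
                hit = any(_action_matches(p, action) for p in actions)
            elif not_actions:
                hit = not any(_action_matches(p, action) for p in not_actions)
            else:
                hit = False
            if hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied, denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not effectively grant, sorted for stable output."""
    allowed, _ = evaluate_actions(policy, required)
    return sorted(a for a in required if a not in allowed)


# Constructed sample: broad DynamoDB and WorkSpaces read access, an SQS wildcard with one
# explicit Deny, and nothing at all for DAX or KMS.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Describe*", "dynamodb:List*", "workspaces:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sqs:ListQueueTags", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

Wildcard and NotAction handling matters here: a policy written as `"NotAction": "iam:*"` grants everything in the list even though no required action appears in it literally, and a scoped `dynamodb:Describe*` covers two of the required actions but none of the DAX ones.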
Customers not running Docker must run the following command before upgrading. It must be run 1) within the DivvyCloud virtual environment and 2) on each node.
pip install --upgrade setuptools==39.1.0