18.4 Release Notes¶
18.4, our last release of the spring, brings loads of added functionality into the product. It adds support for Alibaba Cloud, an additional Insight Pack (Azure CIS Benchmark), tracking of Cloud Limits, a global Tag Explorer and more. All customers are encouraged to take this upgrade. For more information on the release, please contact us at email@example.com.
Additional Cloud Support/Enhancements¶
Alibaba Cloud
- Support for Elastic Compute Service (ECS)
- Support for Object Storage Service (OSS)
- Support for ApsaraDB for RDS
- Support for ApsaraDB for Redis
- Support for Virtual Private Cloud (VPC)
- Support for Resource Access Management (RAM)
Amazon Web Services
- Support for Trusted Advisor
- Support for Cloud Limits
- Support for Autoscaling Launch Configurations
- Identify encryption configuration for Redshift/RDS Snapshots
- Improved support for private vs shared images (AMIs)
- Tagging support for VPC Connection Peers and Network Interfaces
- Identify resources associated with IAM/ACM SSL certificates
Google Cloud Platform
- Support for Memorystore
- Support for Cloud Limits
Microsoft Azure
- Support for Storage Accounts, Blobs and Files
- Support for Security Center
- Support for Cloud Limits
Alibaba Cloud Support¶
We’ve had a number of customers request the ability to expand the reach of the platform so they can apply Insights and Bot automation to other clouds/workloads. We’re pleased to announce that as of 18.4, Alibaba Cloud support is included in the tool and that over 80 of our core Insights and Bots can be used to inspect and enforce policy there. Obtain API credentials and connect your Alibaba Cloud workloads into the tool just as you’ve done with AWS, Azure and Google Cloud Platform. As with the other providers, we recommend creating a dedicated RAM user for the connection rather than using the account’s primary credentials, and granting it only the permissions the Insights and Bots you enable actually need. For additional instructions, see our Alibaba Cloud support page.
Azure CIS Compliance¶
In February 2018, the CIS Microsoft Azure Foundations Security Benchmark was released. This compliance framework provides fantastic guidelines and best practices to secure Microsoft Azure workloads. We’re introducing support for this benchmark with coverage across many of the sections and checks. Access this new Compliance Pack by navigating to the Insights section of the tool. Note that this pack will only run against Microsoft Azure cloud accounts.
AWS Trusted Advisor Checks¶
AWS Trusted Advisor contains a wealth of information that aids in identifying improvements within your AWS account in security, fault tolerance and cost optimization. DivvyCloud now aggregates this data across all of your AWS accounts and, coupled with our flexible filter system, lets users create Insights and Bot automation that act on it. Note that Trusted Advisor returns its full set of checks only for accounts on the Business or Enterprise Support plan; accounts on Basic or Developer Support return only the core checks, so Insights built on the other checks will have no data for those accounts.
Tag Explorer¶
Exploring tags across your entire cloud footprint is now straightforward using the Tag Explorer. This new application can be accessed from the lefthand navigation menu. To get started, specify one or more tag keys that you’d like to explore. Users can tailor their view to see all resources or only those resources that carry the specified tag keys, and can further narrow the view by cloud scope and/or resource type. In any view, users can export the data to CSV for reporting/distribution purposes.
Cloud Limits¶
Scaling applications and workloads can be challenging if operators are not keeping close tabs on their service limits. With the addition of Cloud Limit support in 18.4, administrators can set up policy checks and automation that watch service usage and alert when a particular service is nearing or has exceeded its limit, before the limit becomes a scaling failure.
Insight Severity and Metadata Customization¶
Insights can now be customized to fine-tune their severity score and metadata. This brings additional context and improved reporting capabilities into Insight Packs/Subscriptions and makes Custom Compliance Packs easier to maintain.
Jira Integration¶
Jira tickets can now be created automatically when Bots identify problems. For information on how to configure and use the Jira integration, visit our integrations page.
Native SAML Support¶
We’ve seen such an uptick in customers leveraging our SAML plugin that we’ve added native SAML support into the product. SAML providers can now be linked and configured within the Authentication Servers section of the tool.
Migrate Clouds between Organizations¶
Customers leveraging Organizations within the product can now migrate cloud accounts between Organizations. This provides greater flexibility to customers as they are no longer locked into the organizational structure they began with. Note that only Domain Administrators can migrate cloud accounts to new Organizations.
API Activity Tracking¶
Domain administrators can now access API activity from within the tool. These events are captured both for modifications made directly through the API and for those made through the web interface. To access the logs, click System Administration > API Activity. You should see output similar to the image below:
Domain Admin Promotion/Demotion¶
Basic User/Organization Admin accounts can now be promoted to Domain Administrator. Conversely, Domain Administrators can be demoted to a lower role. These actions are available within the Identity Management section of the tool.
Pagination Setting Retention¶
The rows per page selection that users choose is now retained in local storage and will remain the default selection within that section of the tool.
Authentication Global Scope¶
External authentication servers such as Active Directory, LDAP and SAML can now be set as global and will be used throughout the entire installation. This improvement removes the need to copy the configuration to each organization within the install.
Cloud Policy Improvements¶
Cloud policies are now broken out into two separate resource types, Cloud Policies and Cloud Managed Policies. The latter is only harvested one time for each cloud provider, which reduces data duplication and improves load times.
Bulk Email With CSV¶
Customers who leverage the Bulk Email action can now include a CSV attachment with the Email report. For customers with thousands of impacted resources, this is invaluable. The CSV includes information about the identified/noncompliant resources, including the name, ID, region and account.
HTML Email Support¶
Email messages can now include HTML formatting and styling. Simply enable the HTML Message option when configuring your Email message and the body of Email messages will be styled appropriately.
Tag Network Interfaces¶
The existing tag assignment actions have been expanded to include auto-tagging support for network interfaces.
Enable/Disable Storage Container Versioning¶
Bots can now take action on AWS S3 versioning and enable/disable it based on your policy.
Identity Resource Has Policy¶
Administrators can now inspect the permissions that users, groups and roles have across associated policies. This filter allows specific permissions to be searched to identify users who are in breach of least privilege access.
Role Trust Relationship to Unknown Account¶
Audit roles across AWS clouds to quickly identify those which have established trust relationships with unknown/suspicious accounts.
Role Trust Relationship From Root¶
Identify roles whose trust policy names the connected account’s root principal (arn:aws:iam::<account-id>:root, or the bare account ID, which is equivalent). Trusting the account root delegates the decision to the account’s own IAM policies, so any user or role in that account that is permitted to call sts:AssumeRole can assume the role; the trust policy should instead name the specific principals that are meant to use it.
Role Trust Relationship Without External ID¶
Identify roles whose trust policy allows another account to assume them without an sts:ExternalId condition. The external ID is the standard mitigation for the confused deputy problem in cross-account access: without it, a third party that has been granted access to a shared role in one customer’s account can be tricked into using that role on another’s behalf. Roles without this condition are less secure and more exposed to misuse.
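The three trust-policy checks above (unknown account, connected-account root, no external ID) can all be expressed as one audit over a role’s AssumeRolePolicyDocument. The following is an added example written for these notes, not DivvyCloud’s implementation; the account IDs, the allowlist of known accounts and the sample policies are constructed for illustration:

```python
import re

# Constructed allowlist for the example: the connected account and one partner account.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# IAM principal ARNs in any AWS partition (aws, aws-cn, aws-us-gov).
ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::(\d{12}):(root|role/.+|user/.+)$")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(statement):
    """Return the AWS principals of an Allow statement that grants sts:AssumeRole."""
    if statement.get("Effect") != "Allow":
        return []
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if not actions & {"sts:assumerole", "sts:*", "*"}:
        return []
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def requires_external_id(statement):
    """True if the statement carries a String* condition on sts:ExternalId."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().startswith("string") and any(
            k.lower() == "sts:externalid" for k in keys
        ):
            return True
    return False


def principal_account(principal):
    """Return (account_id, is_root) for an AWS principal, or (None, False) if unparseable."""
    if ACCOUNT_RE.match(principal):  # a bare account ID means that account's root
        return principal, True
    m = ARN_RE.match(principal)
    if not m:
        return None, False
    return m.group(1), m.group(2) == "root"


def audit_trust_policy(doc, connected_account, known_accounts=KNOWN_ACCOUNTS):
    """Return the set of findings for one role's trust policy document."""
    findings = set()
    for statement in _as_list(doc.get("Statement")):
        for principal in assume_role_principals(statement):
            if principal == "*":
                # Anonymous trust: every account is unknown by definition.
                findings.add("trust_to_unknown_account")
                if not requires_external_id(statement):
                    findings.add("missing_external_id")
                continue
            account, is_root = principal_account(principal)
            if account is None:
                continue  # federated or otherwise non-account principal; out of scope here
            if account not in known_accounts:
                findings.add("trust_to_unknown_account")
            if account == connected_account and is_root:
                findings.add("trust_from_connected_account_root")
            if account != connected_account and not requires_external_id(statement):
                findings.add("missing_external_id")
    return findings


# Constructed sample trust policies (the account IDs are not real).
TRUSTED_PARTNER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/Deploy"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "c0ffee-example"}},
    }],
}
UNKNOWN_ROOT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
        "Action": "sts:AssumeRole",
    }],
}
OWN_ROOT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "111111111111"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("TRUSTED_PARTNER", TRUSTED_PARTNER), ("UNKNOWN_ROOT", UNKNOWN_ROOT), ("OWN_ROOT", OWN_ROOT)]:
        print(name, sorted(audit_trust_policy(doc, "111111111111")) or "clean")
```

The audit only looks at Allow statements that grant sts:AssumeRole, so a Deny statement or a service principal (for example ec2.amazonaws.com) does not produce a false positive. Note that a wildcard principal is reported as an unknown-account trust even when an external ID is present, since the condition cannot make an unrestricted principal safe.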
Resource Age Filter Improvement¶
When filtering for resources based on age, the unit of measurement has been expanded to allow filtering by minute, hour and day.
Resource Tag Email Validation¶
Inspect tags whose value should contain a valid Email address with ease. Email validation uses regular expressions to identify tag values based on user input. Examples of tags that would benefit from the addition of this filter include Owner, POC or contact-email.
Resource Tag Regular Expression¶
Inspect the value of particular tag key/value pairs using regular expressions. This new filter makes it easier to identify tags that do not conform to a required pattern.
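As an added example of what the two tag filters above evaluate (written for these notes, not taken from the product), the following checks a resource’s tags against required patterns, with the email check as one such pattern. The tag keys, patterns and sample inventory are constructed:

```python
import re

# Constructed rules: each required tag key maps to the pattern its value must match.
# The email pattern checks shape only (local@domain.tld); it does not prove the mailbox exists.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
TAG_RULES = {
    "Owner": EMAIL_RE,
    "CostCenter": re.compile(r"CC-\d{4}"),
    "Environment": re.compile(r"prod|staging|dev"),
}


def noncompliant_tags(tags, rules=TAG_RULES):
    """Return {tag_key: reason} for every rule a resource's tags violate.

    fullmatch() is deliberate: with search(), "production-eu" would satisfy
    r"prod|staging|dev" and "CC-12345" would satisfy r"CC-\d{4}".
    """
    problems = {}
    for key, pattern in rules.items():
        value = tags.get(key)
        if value is None:
            # Tag keys are case-sensitive in AWS, so "owner" does not satisfy "Owner".
            problems[key] = "missing"
        elif not pattern.fullmatch(value):
            problems[key] = f"value {value!r} does not match /{pattern.pattern}/"
    return problems


def audit(resources, rules=TAG_RULES):
    """Return {resource_id: problems} for the resources with at least one violation."""
    report = {}
    for resource_id, tags in resources.items():
        problems = noncompliant_tags(tags, rules)
        if problems:
            report[resource_id] = problems
    return report


# Constructed sample inventory (resource IDs and tag values are made up).
SAMPLE_RESOURCES = {
    "i-0aaa": {"Owner": "alice@example.com", "CostCenter": "CC-1234", "Environment": "prod"},
    "i-0bbb": {"Owner": "alice at example dot com", "CostCenter": "CC-12345", "Environment": "production-eu"},
    "i-0ccc": {"owner": "bob@example.com", "Environment": "dev"},
}

if __name__ == "__main__":
    for resource_id, problems in audit(SAMPLE_RESOURCES).items():
        print(resource_id, problems)
```

The pattern is only as good as its anchoring: a rule written as a bare regex and evaluated with a substring match will accept values that merely contain the expected token, which is why the example evaluates every rule with fullmatch().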
Identify Resources In Network¶
Supply one or more network IDs to this filter to identify resources running within the network(s). This can make it easy to identify the size/scope of a network across all cloud services.
Bug Fixes¶
- Resolved an issue with the Resource Tags Do Not Mirror Parent filter so that cloud provider reserved tags are no longer included in the comparison
- Non-numeric characters are no longer accepted in the “Access List Rule Open Ports” filter
- Resolved an issue where appending bucket policies failed in some cases
- Resolved an issue with setting key values to numbers on GCP
- Resolved an issue with displaying encryption keys associated with Lambda functions in AWS
- Resolved an issue with creating new users via an external AD server
- Resolved an issue with downloading CSV for custom insight packs in some cases
- Resolved an issue with viewing noncompliance counts by Bot on the dashboard
- Resolved an issue with filtering database engines for “Aurora MySQL” and “Aurora PostgreSQL”
- Resolved an issue with creating an instance backup when there was a name collision
- Resolved an issue with displaying details for Access List Rules in some cases
- Resolved an issue with harvesting data for MySQL and PostgreSQL databases in Azure ARM
- Resolved an issue with displaying access list rules in Azure
- Resolved an issue where Azure Redis (memcache) did not display encryption-in-transit in some cases
- Improved handling of rate limiting due to authentication failures
- Improved AWS pagination support across services such as IAM, Redshift and EFS
Upgrade Notes¶
For Amazon Web Services customers, the role/user policy associated with each connected account will need to be adjusted to include the permissions below. Without these permissions, visibility into Trusted Advisor and Cloud Limits will not be functional.
- iam:GenerateCredentialReport
- iam:GetCredentialReport
- support:*
Be aware that support:* also grants the ability to open and modify AWS Support cases. The Trusted Advisor read path consists of support:DescribeTrustedAdvisorChecks, support:DescribeTrustedAdvisorCheckResult, support:DescribeTrustedAdvisorCheckSummaries and support:RefreshTrustedAdvisorCheck; if you choose to grant only those rather than the wildcard this release specifies, verify afterwards that Trusted Advisor and Cloud Limits harvesting still succeeds for the account.
The following API endpoints have been updated:
- /diagnostics/harvesting/status/get has been renamed to /diagnostics/system/status/get
- /<int:insight_id>/<source>/insight-history/<start>/<end> has an optional query parameter 'cloud_id'
- /<int:insight_id>/<source>/pack-insight-history/<start>/<end> has an optional query parameter 'cloud_id'
The following list API calls have updated response data:
- Insights: add meta_data
- Backoffice-insights: add meta_data, custom_severity
Customers not running the software via Docker will need to remove the following deprecated dependencies from the virtual environment on each node (PyCrypto is no longer maintained and should not be left installed):
source bin/activate ; pip uninstall hybrid-crypto pycrypto
Finally, to focus harvesting on more dynamic resources, the harvesting cadence for Service Users and Policies has been changed from 30 minutes to 2 hours. Changes to those resources may therefore take up to two hours to be reflected in Insights and Bots.