What’s New in 18.6¶
Newly Added Support¶
- Please visit our Cloud Support Matrix to understand DivvyCloud standard naming conventions for newly supported services. We abstract and normalize common cloud services for consistent naming across different cloud providers.
- We have added support for AWS China region, please contact DivvyCloud Support if you are interested in using this region.
- Please review the Administrator and Developer Notes to see the AWS permissions required to enable new and expanded AWS services.
Expansion of Amazon Web Services Support
In 18.6, DivvyCloud expands its support of Amazon Web Services to include Simple Notification Service (SNS), Simple Email Service (SES), CloudFront, and GuardDuty. In addition to these newly supported AWS services, we’ve broadened services already in the platform. We have added visibility into Lambda account limits, cross-account private images, and harvesting of Identity & Access Management (IAM) Security Assertion Markup Language (SAML) providers. We have also provided the ability to view and modify IAM Role assume role policies and more.
Added Support for AWS China
Based on customer requests, support for AWS China has been added. This is our first pass at this region, but coverage is quite extensive. Services added include:
- AMIs (Public, Shared and Private), Autoscaling Groups and Launch Configurations, AWS Config, CloudFormation Templates, CloudFront, CloudTrail, CloudWatch Alarms, DynamoDB, EC2 Instances and Snapshots, ECS, Elasticache Instances and Snapshots, Elastic IP, Elastic MapReduce, Elasticsearch Instances, Hypervisors, Internet Gateways, IAM API Access Keys, IAM/ACM SSL Certificates, IAM Users, Groups, Roles and Policies, Kinesis and Firehose, Lambda Functions, Load Balancers (ELB/ALB/NLB), NAT Gateways, Network Flog Logs, Network Interfaces, Network Peers, RDS Instances and Snapshots, Redshift Instances and Snapshots, Region, Resource Limits, Routes, Route Tables, Security Groups and NACLs, SES, SSH Key Pairs, SNS and S3 Buckets.
Expansion of Google Cloud Platform Support
Google Cloud Platform is another key focus in 18.6. We have added support for GCP Services including Pub/Sub, Service Account Keys, and Key Management Service (KMS). We have added the ability to identify legacy networks, track VPC flow logging, and surface Google Private Access at the subnet level. In 18.6, we have expanded visibility into Google Kubernetes Engine (GKE), GKE configuration checks, and Storage Buckets.
Expansion of Microsoft Azure Support
Release 18.6 focuses heavily on Microsoft Azure. We have added support for new services such as Azure Kubernetes Service (AKS), CosmosDB, Databases, File Storage, IAM, HDInsight, and Network Peers.
We have also added visibility into network limits/usage.
New Compliance Views and Packs¶
New Compliance Packs
Release 18.6 enriches cloud compliance, security, and governance across multiple Cloud Providers. Several more compliance packs are now in DivvyCloud, specifically:
- Center for Internet Security (CIS) Benchmarks for Azure
- Cloud Security Alliance Cloud Compliance Matrix (CSA CCM)
- Center for Internet Security (CIS) Benchmarks for GCP
These compliance packs contain dozens of security recommendations across IAM, Logging/Monitoring, Networking, Storage, Compute, and Containers to support compliance within Public Cloud.
New Compliance Section
The new Compliance section of the tool gives users quick visibility into their compliance with one or more frameworks. It provides a straight-forward, top-level view into the number of failed checks based on the selected compliance pack criteria. Badges can be leveraged to tailor the view to specific risk profiles, environments, owners, and other factors.
Event-Driven Harvesting (EDH)¶
Event-driven Harvesting (EDH) is an exciting new feature that is available in Beta version in the 18.6 release. This feature is available to be enabled if customers are interested in test driving functionality and providing feedback. General Availability is expected in 18.7.
EDH is an intelligent and scalable approach to data collection. This feature allows users to get near real-time visibility into changes. As an example, if a user makes a change to the access control list of an S3 bucket, EDH will detect the change within 90 seconds, log the change, and trigger the appropriate automation Bots to remediate the event. (See EDH documentation for an explanation of how EDH works and the role of Consumer and Producer accounts.)
Configuring EDH – Under Configuration, users begin by identifying 1 or 2 Consumer accounts. These accounts aggregate harvesting data from the Producer accounts. After configuring EDH for a Consumer account, it will be listed in the Event Consumers section. After configuring EDH for a Producer account, its Status in the cloud listing will be enabled.
Events – The Events tab displays a powerful, searchable audit tool that lists harvested cloud events by cloud, provider id, date, user, action, and source IP. The list can be scoped by cloud, badge, or date.
Analytics – The Analytics tab graphs a summary of time-series data of up to 90 days. You can scope the graph by cloud or time period.
Badge management is now possible through a unified view. This Domain Admin-only view graphs top badges in use, lists all badges in use across the installation, and tabulates their use by cloud, organization, and bot.
Previous 18.5 Badge Management
New 18.6 Badge Management
The new Filters section provides a searchable list of all DivvyCloud filters, which are now approaching 600 in count. Users can view filters by release and see which filters are new, which have been modified, and which have been deprecated. Users are also able to scope filters by Cloud Provider.
Finally, users can open and view a filter’s source code to better understand its definition.