Release 18.3 adds support for several additional Amazon Web Services (AWS) services and extends cloud compliance, security and governance coverage to them. Several compliance packs, including NIST 800-53 and NIST CSF, have gained over a dozen new Insights built on the cloud support and filters introduced in this release.
The release also surfaces more information and context around system diagnostics and harvesting. Notifications are now sent via Email and Slack when harvesting is in an impaired state, and the cloud listing can now be drilled down to identify visibility gaps, showing which resource types are affected by missing permissions in the associated policy.
Amazon Web Services
- Support for DynamoDB
- Support for DynamoDB Accelerator (DAX)
- Support for Workspaces
- Support for Simple Queue Service (SQS)
- An External ID can now be associated with Instance Assume Role authentication, so a role whose trust policy requires an sts:ExternalId condition can be assumed
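An External ID is AWS's mitigation for the confused-deputy problem in cross-account role assumption: the caller passes it on sts:AssumeRole, and the role's trust policy refuses callers that do not present the expected value. It only protects anything if the trust policy actually enforces it. The block below is an added example, not DivvyCloud code: it checks a trust policy document for exactly that, flagging every Allow of sts:AssumeRole to an AWS account principal that lacks a StringEquals condition on sts:ExternalId. The two trust policies in it are constructed samples; the account ID, Sids and External ID value are made up.

```python
"""Check whether a cross-account role trust policy actually requires the External ID.

Added example, not DivvyCloud code. The two trust policies below are constructed
samples in the shape of an IAM AssumeRolePolicyDocument; the account ID and the
External ID value are made up.
"""
import json

# Operators that pin the External ID to exact values. StringLike with a wildcard,
# or any ...IfExists variant, would let a caller omit or guess it.
STRICT_OPERATORS = ("StringEquals", "StringEqualsIgnoreCase")


def _as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement):
    """True for an Allow statement whose Action covers sts:AssumeRole."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})


def _pins_external_id(statement):
    """True if the statement requires a specific, non-wildcard sts:ExternalId."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in STRICT_OPERATORS:
            continue
        ids = _as_list(pairs.get("sts:ExternalId"))
        if ids and all(isinstance(i, str) and i and "*" not in i for i in ids):
            return True
    return False


def unprotected_statements(trust_policy):
    """Return the Sids of statements that let another AWS account (or anyone, for
    Principal "*") assume the role without an External ID. Service principals
    such as ec2.amazonaws.com are skipped: they never send one."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal", {})
        external = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        if external and _grants_assume_role(stmt) and not _pins_external_id(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: the scanner's account may assume the role with no External ID.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowScannerAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: same grant, but only when the caller presents the External ID.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowScannerAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "f0e1d2c3-example-external-id"}},
        },
        {
            "Sid": "AllowEc2Service",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
}

if __name__ == "__main__":
    print("weak:", unprotected_statements(WEAK_TRUST_POLICY))          # ['AllowScannerAccount']
    print("hardened:", unprotected_statements(HARDENED_TRUST_POLICY))  # []
```

Run it against the JSON returned by `aws iam get-role` (the AssumeRolePolicyDocument field) for the role the tool assumes; an empty list means every cross-account grant is pinned to an External ID.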
The Insight Library now has additional sorting, filtering and direct linking capabilities which make it easier than ever to consume and report on Insight data.
When harvesting is in an impaired state, a notification is now sent to all Domain Administrators within the installation. This notification triggers when harvesting has not run across any organization within an installation for an extended period of time.
Missing permissions are now surfaced via the Clouds section of the tool. This new capability improves product usability and makes it easier to chase down missing permissions which impact cloud visibility.
The timeseries graph in both the Insight and Insight Pack views can now be customized with date ranges to explore counts up to 90 days in the past.
Domain Administrators now have fine-grained control over which navigation menu options are visible within the tool. This lets customers show or hide sections of the product for specific user communities.
Filter categorization is now included in the Resources section making it easier to navigate the hundreds of filters contained within the product.
Email, Slack and Splunk actions that use Jinja2 templating now pass through template validation, so a malformed template is caught before it is used rather than producing a broken notification.
The harvest information view within Clouds Overview has been updated to make it easier to navigate and identify the last time specific resource types have been successfully harvested within a particular region.
New actions
Permanently delete a table cluster such as AWS DynamoDB Accelerator (DAX). This action will remove the cluster and all associated nodes from the account.
Reboot one or more nodes associated with a distributed table cluster. This can be useful when changes to the underlying parameter group are applied.
Create a point-in-time, on-demand backup for a distributed table, e.g., AWS DynamoDB.
Permanently delete a distributed table, e.g., AWS DynamoDB. This action will remove the table and all associated records from the account.
When creating a private image/backup of an instance within the tool, the tags associated with the parent instance can be mirrored and kept in sync. This is similar to how tags are mirrored between Instances/Volumes and Volumes/Snapshots.
Permanently destroy a message queue (e.g. AWS SQS). This action will remove the queue from the account.
Send a message to a particular queue. This action allows the user to create and send a message to the selected queue.
New filters
Identify clusters with an attached security group that exposes access to the cluster from the world (0.0.0.0/0).
Identify distributed tables such as AWS DynamoDB which have encryption at rest enabled or disabled.
Identify distributed tables which do not have automated backups enabled.
Identify distributed tables which are geo-replicated and accessible from regions around the globe.
Identify distributed tables in a particular lifecycle status, e.g., creating, updating, active, etc.
Identify distributed tables whose size exceeds the given threshold in bytes.
Identify distributed tables which have stream specification enabled or disabled.
Identify message queues whose number of delayed messages exceeds a user-defined threshold.
Identify message queue resources which are/are not encrypted at rest.
Identify message queue resources whose message count exceeds a user-defined threshold.
Identify message queue resources based on their type (standard vs first-in, first-out [FIFO]).
Identify service roles which have a max session duration that exceeds a user-defined threshold.
Identify AWS Workspace resources based on the last time they were used. This can be useful for identifying idle/orphaned Workspace resources which may no longer be required.
Identify AWS Workspace resources based upon their bundle ID, which identifies the bundle, e.g., Standard with Windows 10 (English), used by the Workspace.
Identify AWS Workspace resources which have been in a particular state for longer than a user-defined threshold.
Identify Workspace resources based on the associated user account.
Identify AWS Workspaces without a root volume encrypted at rest.
Identify AWS Workspaces without secondary user volumes encrypted at rest.
Identify AWS Workspaces by lifecycle state (e.g. "pending", "unhealthy", "starting").
Identify AWS Workspaces by Running Mode (Auto-Stop or Always On).
Identify AWS Workspaces by operating system (e.g. Windows 10).
Identify AWS Workspaces by compute type (e.g. standard, power, graphics).
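The open-to-the-world cluster filter listed above is straightforward to reproduce against harvested API data, and doing so shows the two details a practitioner should not forget. The block below is an added example, not DivvyCloud code: it joins constructed records in the shape of dax:DescribeClusters and ec2:DescribeSecurityGroups responses and reports each cluster whose attached groups admit any source address. It goes a little beyond the filter text by treating the IPv6 "any" range (::/0) and the all-protocols rule (IpProtocol "-1") as exposure as well, and by reporting security groups the harvester never returned instead of silently passing them. Every cluster name and identifier is made up; 8111 is DAX's default port and is used only in the sample data.

```python
"""Flag table clusters reachable from any address through an attached security group.

Added example, not DivvyCloud code. CLUSTERS and SECURITY_GROUPS are constructed
samples in the shape of dax:DescribeClusters and ec2:DescribeSecurityGroups
responses; every identifier is made up.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "any" both count as exposed
DAX_DEFAULT_PORT = 8111               # only used to build the sample data


def exposed_ingress(security_group):
    """Return (protocol, from_port, to_port) for each ingress rule open to the world."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not WORLD_CIDRS.intersection(sources):
            continue
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":                 # "-1" means every protocol on every port
            hits.append(("all", 0, 65535))
        else:
            hits.append((proto, perm.get("FromPort"), perm.get("ToPort")))
    return hits


def world_exposed_clusters(clusters, security_groups):
    """Return ({cluster_name: exposed_rules}, {unresolved_security_group_ids}).

    A group the harvester did not return is reported separately rather than
    treated as safe: an unresolved reference is a visibility gap, not a pass."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    findings, unresolved = {}, set()
    for cluster in clusters:
        rules = []
        for ref in cluster.get("SecurityGroups", []):
            sg = sg_by_id.get(ref["SecurityGroupIdentifier"])
            if sg is None:
                unresolved.add(ref["SecurityGroupIdentifier"])
                continue
            rules.extend(exposed_ingress(sg))
        if rules:
            findings[cluster["ClusterName"]] = rules
    return findings, unresolved


# Constructed ec2:DescribeSecurityGroups records: one open to the world on the DAX
# port, one restricted to a VPC range, one open to all IPv6 on every protocol.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DAX_DEFAULT_PORT, "ToPort": DAX_DEFAULT_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e4f5a6b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DAX_DEFAULT_PORT, "ToPort": DAX_DEFAULT_PORT,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c7d8e9f", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed dax:DescribeClusters records; "sg-missing" was never harvested.
CLUSTERS = [
    {"ClusterName": "dax-prod", "SecurityGroups": [
        {"SecurityGroupIdentifier": "sg-0e4f5a6b", "Status": "active"}]},
    {"ClusterName": "dax-dev", "SecurityGroups": [
        {"SecurityGroupIdentifier": "sg-0a1b2c3d", "Status": "active"}]},
    {"ClusterName": "dax-lab", "SecurityGroups": [
        {"SecurityGroupIdentifier": "sg-0c7d8e9f", "Status": "active"},
        {"SecurityGroupIdentifier": "sg-missing", "Status": "active"}]},
]

if __name__ == "__main__":
    exposed, unknown = world_exposed_clusters(CLUSTERS, SECURITY_GROUPS)
    for name, rules in exposed.items():
        print(f"{name}: {rules}")      # dax-dev and dax-lab are reported, dax-prod is not
    print("unresolved security groups:", sorted(unknown))
```

The same join works for any resource type that carries a list of security group identifiers; only the key names in the cluster records change.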
For Amazon Web Services customers, the role or user policy associated with each connected account must be updated to include the permissions below; without them, the new services cannot be harvested and will not be visible in the tool.
"dynamodb:DescribeTable", "dynamodb:DescribeGlobalTable", "dynamodb:ListBackups", "dynamodb:ListTables", "dynamodb:ListGlobalTables", "dynamodb:ListTagsOfResource",
"dax:DescribeClusters", "dax:DescribeTable", "dax:ListTables", "dax:ListTags",
"kms:GetKeyPolicy",
"sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags",
"workspaces:DescribeTags", "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspacesConnectionStatus", "workspaces:DescribeWorkspaceDirectories"
Customers not running Docker must run the following command before upgrading. It must be run inside the DivvyCloud virtual environment, on each node:
pip install --upgrade setuptools==39.1.0