Our first release of the Fall introduces three new compliance packs, expanded Microsoft Azure, Google Cloud Platform and Amazon Web Services support, and a new Event Driven Harvesting (EDH) model that improves detection and remediation times and provides additional context on lifecycle actions and changes to cloud footprints.
To see comparisons of what has changed in 18.6, please see What’s New.
Before upgrading your DivvyCloud installation, please take a moment to view our Administrator and Developer Notes at the bottom of this page, or contact email@example.com for questions.
Amazon Web Services
- Support for Simple Notification Service (SNS)
- Support for Simple Email Service (SES)
- Support for CloudFront
- Support for visibility into GuardDuty
- Support for visibility into Lambda account limits
- Store the boolean property for automatic minor upgrades for RDS instances
- Store and surface the VPC ID that’s associated with an Elasticache cluster
- Support for harvesting of IAM SAML providers
- Ability to view and modify IAM Role assume role policies
- Visibility into cross account private images
Google Cloud Platform
- Support for Pub/Sub
- Support for Service Account Keys
- Support for tracking VPC flow logging and Google Private Access at the subnet level
- Support for identifying legacy networks
- Support for KMS
- Enhanced GKE visibility and configuration checks
- Enhanced visibility into GCP Storage buckets
Microsoft Azure
- Support for Azure Kubernetes Service (AKS)
- Support for CosmosDB
- Support for Databases
- Support for File Storage
- Support for IAM
- Support for HDInsight
- Support for Network Peers
- Visibility into network limits/usage
- Support for using certificate credentials for subscription authentication
- Support for proxy servers
The Cloud Security Alliance maintains an industry-standard control framework known as the Cloud Controls Matrix (CCM). It contains controls for hardening and securing cloud technology and maps them to other security regimes such as NIST SP 800-53, HIPAA and ISO 27001. With 18.6, this compliance standard is now supported within the product.
In early September, the Center for Internet Security (CIS) published a new benchmark for securing cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging and Monitoring, Networking, Storage, Compute and Kubernetes.
With release 18.5, we first introduced support for the CIS Benchmarks for Azure, and with 18.6 we’ve added over 25 new Insights and checks against this compliance framework.
Event-driven Harvesting (EDH) is a more intelligent and scalable approach to data collection that is being introduced with this release in Beta and is disabled by default. Customers can enable EDH if they are interested in test driving the functionality and providing feedback. General Availability is expected in 18.7.
EDH allows customers to get near real-time visibility into changes. As an example, if a user makes a change to the access control list of an S3 bucket, EDH will detect the change within 90 seconds, log the change, and trigger the appropriate automation Bots to remediate the event. More information on EDH can be found under AWS Cloud Support.
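The S3 ACL scenario above, as an added example that is not part of the original release notes or of DivvyCloud's own EDH code: a small event handler that inspects a PutBucketAcl record, decides whether the new ACL grants access to the world, logs the change and resets the ACL to private. The event is constructed to resemble a CloudTrail PutBucketAcl record; the bucket name, account ID and user ARN are placeholders, and `FakeS3` stands in for a boto3 client so the example runs offline.

```python
"""Added example (not DivvyCloud code): detect and remediate a public S3 bucket ACL
from a CloudTrail-style PutBucketAcl event."""
import logging

log = logging.getLogger("edh-example")

# Grantee URIs that expose the bucket to everyone / every AWS account holder.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Canned ACLs that have the same effect when sent as the x-amz-acl header.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def public_grants(event):
    """Return (grantee, permission) pairs in the event that grant world access,
    from either the canned ACL header or the explicit grant list."""
    params = event.get("requestParameters") or {}
    found = []
    for canned in params.get("x-amz-acl", []):
        if canned in PUBLIC_CANNED_ACLS:
            found.append((canned, "canned"))
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    grants = acl.get("Grant") or []
    if isinstance(grants, dict):  # a single grant may be serialised as an object
        grants = [grants]
    for grant in grants:
        grantee = grant.get("Grantee") or {}
        uri = grantee.get("URI")
        if grantee.get("xsi:type") == "Group" and uri in PUBLIC_GRANTEES:
            found.append((PUBLIC_GRANTEES[uri], grant.get("Permission")))
    return found


def evaluate(event):
    """Return a finding dict if the event is a PutBucketAcl that makes the bucket
    public, otherwise None."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return None
    grants = public_grants(event)
    if not grants:
        return None
    return {
        "bucket": event["requestParameters"]["bucketName"],
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "time": event.get("eventTime"),
        "public_grants": grants,
    }


class FakeS3:
    """Stand-in for a boto3 S3 client (assumption: real use passes boto3.client('s3'))."""
    def __init__(self):
        self.calls = []

    def put_bucket_acl(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def handle(event, s3):
    """Evaluate one event; on a finding, log it and reset the bucket ACL to private.
    Returns the finding (or None) so callers can record the outcome."""
    finding = evaluate(event)
    if finding is None:
        return None
    log.warning("bucket %s made public by %s at %s: %s",
                finding["bucket"], finding["actor"], finding["time"], finding["public_grants"])
    s3.put_bucket_acl(Bucket=finding["bucket"], ACL="private")  # real boto3 call signature
    return finding


# Constructed events shaped like CloudTrail PutBucketAcl records (placeholders only).
PUBLIC_ACL_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "eventTime": "2018-10-01T12:00:00Z",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
    "requestParameters": {
        "bucketName": "example-bucket",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"xsi:type": "Group", "URI": PUBLIC_GRANTEES and
                         "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        ]}},
    },
}
PRIVATE_ACL_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
    "requestParameters": {"bucketName": "example-bucket", "x-amz-acl": ["private"]},
}

if __name__ == "__main__":
    s3 = FakeS3()
    print(handle(PUBLIC_ACL_EVENT, s3), s3.calls)
```

The handler is deliberately split into `evaluate` (pure, testable) and `handle` (side effects), so the same detection logic can be run over historical CloudTrail records to measure false positives before it is wired to a remediation bot.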
The Cloud Compliance view enables users to get quick visibility into how they stand against one or more compliance frameworks. It provides a top-level view of the number of failed checks based on the selected compliance pack criteria. Badges can be leveraged to tailor the view to specific risk profiles, environments, owners and more.
A dedicated view for listing and searching system-wide badges has been long overdue. With the 18.6 release, domain admins can navigate to the Badges tab in the System Administration page. The view includes the top 10 most used badges by associated cloud count and an exhaustive table listing all badges across the system.
There is now a top-level view reserved for filters. Filters are one of the key ingredients in how we manage Insights and Bots. With the 18.6 release, users have access to an exhaustive list of all filters employed in the system. This is the one-stop location to check when a filter was created, modified or deprecated. For those who want to see how a filter functions, this page also lets users open and view the source code of the filter definition.
- Insight Pack emails now list Insights and Compliance Rules in different columns
- Now in Insight Pack emails, clicking the title of the pack will navigate to the Pack within the tool.
- The AWS Organization listing of accounts now displays account status within the view
- BotFactory actions like ‘Send Email Summary With CSV’, which allow multiple email addresses to be entered, now perform basic validation on the input.
- AWS EMRs now harvest with pagination, allowing for harvesting of vastly larger sets of MapReduce Clusters.
- Account IDs for Amazon, Azure and Google cloud accounts are now surfaced in the tool.
- Badge keys and values are now case sensitive.
- Added ability to modify the New Account email text via the system settings. Also, it now supports HTML and Jinja2.
- Added Cloud Roles’ trusted accounts to the Resource section view
- Failed scheduled events run by Bots (in the last 24 hours) are counted every 30 minutes and exposed in the Bot listing.
- Limited the Resource Has No Owner filter to Instances only.
- Tags can now be included in the Email Summary CSV action that is used by Bots
- Admins can now manually remove the active job scheduler from the Redis queue and view active schedulers via the system settings.
- Custom Insights now support badges to persist scope over time
Enable server access logging for a bucket, written to a specified target bucket. Access log records keep a detailed account of access requests.
Update the assume role policy associated with an IAM role.
Identify cloud accounts which contain or are missing a specific identity resource. This filter takes in user input which defines the identity resource type (user, group, role or policy) and the required name. A common use case for this filter would be to identify cloud accounts which are missing a required Security audit role that must exist across each and every cloud account.
Identify mapreduce clusters in a particular lifecycle status.
Identify clusters with a total node count greater than the specified number of total nodes.
Identify clusters with a total node count less than the specified number of total nodes.
Identify MapReduce Clusters which have at least one instance with an attached security group that allows access from the World (0.0.0.0/0).
Identify security group, NACL and firewall rules which contain a public IPv4 address. This filter is effective for identifying entry points from the Internet; note that it is broader than the 0.0.0.0/0 check above, since a narrower public CIDR is still an Internet entry point.
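The two network filters above (World-open security groups on MapReduce clusters, and rules containing any public IPv4 address), as one added example that is not part of the original page and is not DivvyCloud's filter code. The non-public range list is the standard set of RFC 1918, RFC 6598, loopback, link-local, documentation, benchmarking, multicast and reserved blocks; the security groups are constructed in the shape of AWS `describe_security_groups` IpPermissions entries, with placeholder group IDs.

```python
"""Added example (not DivvyCloud code): flag security group rules whose source
CIDR contains a public IPv4 address, and separately those open to 0.0.0.0/0."""
import ipaddress

# IPv4 ranges containing no publicly routable address. Adjacent multicast and
# reserved space (224.0.0.0/4 + 240.0.0.0/4) is folded into 224.0.0.0/3.
NON_PUBLIC_V4 = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",
)]
WORLD_V4 = ipaddress.ip_network("0.0.0.0/0")


def contains_public_ipv4(cidr):
    """True if the CIDR includes at least one public IPv4 address.

    A CIDR block is contiguous and each non-public range above is followed by
    public space, so a block that is not wholly inside one non-public range
    must contain a public address. This sidesteps IPv4Network.is_private, whose
    answer for 0.0.0.0/0 differs between Python versions.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False  # IPv6 rules would need their own range table
    return not any(net.subnet_of(r) for r in NON_PUBLIC_V4)


def is_world(cidr):
    """True for the catch-all 0.0.0.0/0 source."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net == WORLD_V4


def public_ingress_rules(group):
    """Return one finding per (rule, CIDR) pair whose source contains a public IP."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if contains_public_ipv4(cidr):
                findings.append({"group": group["GroupId"], "cidr": cidr,
                                 "protocol": proto, "ports": ports, "world": is_world(cidr)})
    return findings


def world_open(group):
    """The narrower check used for the MapReduce cluster filter: any rule from 0.0.0.0/0."""
    return any(f["world"] for f in public_ingress_rules(group))


def scan(groups):
    return [f for g in groups for f in public_ingress_rules(g)]


# Constructed sample groups (placeholder IDs), shaped like describe_security_groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "emr-master", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088, "IpRanges": [{"CidrIp": "198.51.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "internal-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "172.16.0.0/12"}]},
    ]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_GROUPS):
        print(finding)
```

Note the second rule in `sg-0example1`: 198.51.0.0/16 is not the World, yet it is public address space (only 198.51.100.0/24 inside it is reserved), so a filter that only looks for 0.0.0.0/0 would miss it while the public-IPv4 filter reports it.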
Identify AWS S3 buckets which do not have the MFA Delete feature enabled.
Identify database instances based on the value of the automatic minor upgrades boolean value.
Identify cloud users within Google Cloud Platform which have IAM access from an unapproved domain. This filter can help identify gmail.com and other GSuite users who may have unauthorized/unapproved access into the domain.
Identify instances running on a shared image owned outside of the DivvyCloud organization. This filter will be helpful in detecting potential risk of running on foreign machine images that come from untrusted sources. Another side effect would be detection of cloud accounts that are indeed trusted, but not yet added to the system for DivvyCloud coverage.
Identify identity providers based on the provider type. This filter leverages customer supplied regular expressions to identify IDP matches based on entity ID.
Identify cloud accounts who are leveraging Identity Providers for console based authentication.
Identify storage containers that are logging to a specific target bucket.
Identify instances that have project wide SSH keys enabled or disabled.
Identify instances that do and do not enable connecting to serial ports.
Identify instances that have IP forwarding enabled or disabled. IP forwarding allows an instance to send and receive packets whose source or destination IP does not match its own addresses.
Identifies clouds which do not have an activity log profile.
Identifies clouds which have an activity log retention period below a set threshold.
Identify database instances that have auditing enabled.
Identify database instances that have auditing disabled.
Identify database instances that have an auditing retention less than the supplied threshold.
Match database instances that have threat detection enabled.
Match database instances that have threat detection disabled.
Match database instances that have a threat detection retention period that is below the supplied threshold.
Match database instances that do not have threat detection configured to detect all types.
Identify database instances that do not have any email recipients set for receiving threat detection alerts.
Identify database instances that are not configured to send threat detection alerts to service and co-administrators.
Identify database instances that are not configured to use an Azure Active Directory user account for administration.
Identify databases that have auditing enabled.
Identify databases that have auditing disabled.
Identify databases that have an auditing retention less than the supplied threshold.
Identify databases that do not have encryption enabled.
Match databases that have threat detection enabled.
Match databases that have threat detection disabled.
Match databases that have a threat detection retention period that is below the supplied threshold.
Match databases that do not have threat detection configured to detect all types.
Identify databases that do not have any email recipients set for receiving threat detection alerts.
Identify databases that are not configured to send threat detection alerts to service and co-administrators.
Identify instances that do not have a monitoring agent extension installed.
Identify instances that have extensions installed which are not in a pre-approved list.
Identify instances having a data volume attached which is not encrypted.
Identify instances having a root volume attached which is not encrypted.
Identify instances that do not have an endpoint protection extension installed.
Identifies clouds which do not have Network Watcher enabled for all supported regions.
Identify custom cloud policies which have ownership access to the subscription.
Match cloud users that are guest accounts.
- Harvesting permission exceptions now surface properly in the Clouds listing.
- Insight Pack emails sometimes rendered tables past the bottom of the email and out of frame. Fixed.
- AWS GovCloud clouds were failing to harvest the account number. Now harvested successfully.
- Some DNS records were missing a ‘time-to-live’ value and failed to type cast. A None value is now supported.
- Public access evaluation produced false negatives for S3 and Elasticsearch resources under a very specific condition. Fixed.
- Estimated Monthly Savings for the Cloud Advisor Check resource now consistently displays in currency format.
- Fixed a bug where toggling resource groups in the Insights scope would cause cloud badges to not behave properly.
For Amazon Web Services customers, the role/user policy associated with each connected account will need to be adjusted to include the permissions below. Without these permissions, visibility into the newly supported AWS services will not be possible. Note that the list mixes read-only actions needed for harvesting with mutating ones (cloudfront:TagResource, cloudfront:DeleteDistribution, cloudfront:DeleteStreamingDistribution, sns:DeleteTopic, sns:DeleteSubscription); grant the mutating actions only if you intend to use the corresponding Bot actions, and keep them in a separate policy statement so they can be removed without affecting harvesting.
cloudfront:ListDistributions, cloudfront:ListStreamingDistributions, cloudfront:ListTagsForResource, cloudfront:TagResource, cloudfront:DeleteDistribution, cloudfront:DeleteStreamingDistribution, guardduty:GetDetector, guardduty:GetMasterAccount, guardduty:ListDetectors, guardduty:ListMembers, iam:GetSAMLProvider, iam:ListSAMLProviders, lambda:GetAccountSettings, ses:GetIdentityVerificationAttributes, ses:GetIdentityMailFromDomainAttributes, ses:GetIdentityDkimAttributes, ses:GetIdentityNotificationAttributes, ses:ListIdentities, sns:ListTopics, sns:GetTopicAttributes, sns:DeleteTopic, sns:ListSubscriptions, sns:GetSubscriptionAttributes, sns:DeleteSubscription
For customers interested in leveraging the new supported actions within the tool, the following AWS permissions are required.
For Microsoft Azure customers, the App registration for each account will need to be adjusted to include the “Read directory data” application permission for the Windows Azure Active Directory API. These permissions are required to support the new Azure IAM functionality.
For all cloud accounts, DivvyCloud will no longer support non-matched Bot actions, in order to improve Bot performance. Release 18.6 keeps backward compatibility for users whose Bots use non-matched actions; in release 18.7 all non-matched support will be removed.