FinalDivvyCloud

19.2 Release Notes

7 months ago by Chris DeRamus

19.2.8 Release Notes

Divvy Software Release Notice - 19.2.8 Maintenance Release (07/17/2019).

Bug Fixes

  • DV2019-1942 Fixed an issue with the Compliance Scorecard, where compliance packs containing custom insights were failing with Attribute Error.
  • DV2019-1914 Fixed an issue that caused pack subscription emails to be sent out more than once during the scheduled hour.
  • DV2019-1893 Fixed an issue that would not let a user with "viewer" permissions see Insight Violations.
  • DV2019-1669 Fixed a UI edge case that would vertically stretch integration logos when viewing the integrations page

19.2.7 Release Notes

Divvy Software Release Notice - 19.2.7 Maintenance Release (07/11/2019).

Bug Fixes

  • DV2019-1895 Expanded support for the following filters to work for Alibaba Cloud compute instances: Instance Exposing All Ports, Instance Exposing Public SSH, Instance Exposing Specific Port/Protocols, Instance Exposing Specific Ports
  • DV2019-1874 Fixed a UI issue with long usernames not properly fitting in the login box
  • DV2019-1870 Properly identify the Windows platform for GCP Instances in the platform column of the resources page
  • DV2019-1862 Updated available badges in scorecard dropdown based on the currently selected clouds, rather than all badges across all clouds
  • DV2019-1861 Fixed a bug that showed some distributed tables as erroneously coming back as unencrypted
  • DV2019-1834 GCP access key harvesting no longer pulls down Google managed API keys to mirror what the GCP console displays for Service Accounts
  • DV2019-1823 Fixed an issue that prevented the stop/start machine learning instance actions from executing via a Bot
  • DV2019-1773 Fixed issue that allowed a user to select "Skip previously identified resources" without using the action "Mark Resource Noncompliant"
  • DV2019-1752 Fixed an edge case that prevented you to expand the scope of a saved insight
  • DV2019-1673 Cleaned up multi-select and filtering interactions such that de/select-all should only effect the filtered items. Anything that is de/selected but not filtered will not be changed. This helps when scoping down from hundreds of accounts to a handful.
  • DV2019-1614 Modified the Retention Days input field on the Activity Log Retention Below Threshold query filter to not allow allow an input value greater than 365

Enhancements

  • DV2019-1876 GCP firewall instance associations using target tags and service accounts are now supported
  • DV2019-1850 Added a new filter to identify AWS S3 buckets which do/do not have global or policy encryption for objects enabled: Storage Container With Global/Policy Encryption (AWS Only) and Storage Container Without Global/Policy Encryption (AWS Only)
  • DV2019-1848 Added new filter REST API With Application Firewall Protection for AWS that will match REST APIs with an attached Web Application Firewall
  • DV2019-1843 Increased the maximum character count for usernames and user emails to 128.
  • DV2019-1841 Fixed the scorecard columns (insight) to only display scores for their supported cloud types and N/A for the unsupported
  • DV2019-1835 When viewing resources and selecting explicit clouds, only filters that can be used for that cloud will be made available
  • DV2019-1812 Added a new filter to identify AWS Payer accounts that have one or more accounts not loaded into DivvyCloud Cloud Master Account With Child Not Interconnected
  • DV2019-1781 Allow the badges filter on the Compliance Scorecard to be AND'ed as well as OR'ed via a UI toggle

19.2.6 Release Notes

Divvy Software Release Notice - 19.2.6 Maintenance Release (06/27/2019).

Urgent

We have added VPC Endpoint support, those who want this visibility will need to add ec2:DescribeVpcEndpoints if you aren't already whitelisting ec2:Describe* or ec2:* to your AWS Policies .

Bug Fixes

  • DV2019-1638 Fixed an issue with the dropdown filter functionality of the Compliance Scorecard where it previously wouldn't reset after selecting/deselecting items
  • DV2019-1651 Fixed an issue with the scheduled export functionality of the Compliance Scorecard that prevented the export from actually occurring
  • DV2019-1667 Fixed an issue with the Compliance Scorecard that incorrectly displayed the number of cloud accounts per row in the Y axis
  • DV2019-1674 Fixed an issue with the Compliance Scorecard that incorrectly displayed the scoped cloud account when clicking on the green tiles with zero impacted resources
  • DV2019-1745 Fixed an edge case where pagination counts were not being respected when viewing instances and select other resource types while search was enabled

Enhancements

  • DV2019-1730 Improved the query filter logic for the Instance Exposing Specific Ports filter to better support range entries and more complex look ups. As an example, filtering for instances with TCP 1-79, 81-442 or 444-65535 will yield additional results
  • DV2019-1750 Improved the reconfiguration process of a Bot's conditions to prevent conditions from being deleted accidentally
  • DV2019-1751 Improved the display of tag keys that have leading/trailing whitespace
  • DV2019-1682 Added visibility for AWS VPC Network Endpoints and their associated IAM policies

19.2.5 Release Notes

Divvy Software Release Notice - 19.2.5 Maintenance Release (06/20/2019).

Bug Fixes

  • DV2019-1671 Fixed an issue with using Data Collections for tag filters where the data collection contained more than 500 possible values
  • DV2019-1646 Fixed an issue with the password reset link
  • DV2019-1622 Fixed an issue where users would be directed to the legacy Compliance section rather than current Compliance Scorecard section
  • DV2019-1675 Fixed an issue where the downloaded CSV report of Insights still included results that had been filtered out
  • DV2019-1670 Fixed a UI issue where the Azure Access List Rule resource tooltip was missing
  • DV2019-1637 Fixed an issue where the Instance counts were not refreshing when removing a Filter from scoped resources
  • DV2019-1627 Fixed an issue where users could not edit the subscriptions in the Compliance Scorecard

Enhancements

  • DV2019-1649 Added the functionality for Organization admins to create and manage users within their organization
  • DV2019-1663 Added filters to detect service roles with or without federated access and ML instances using those roles
  • DV2019-1653 Added AWS FSx/Shared File System support in newly announced AWS regions
  • DV2019-1645 Applied tag value of AWS VPCs tagged with key = Name to VPC property Name
  • DV2019-1576 Improved error reporting when trying to harvest nonexistent Azure Subscriptions
  • DV2019-1553 Improved logging for SQL database migration failures
  • DV2019-1657 Improved visibility of inline policies, users can now view inline policies from Resource Details like other policy types instead of only from Resource Listing
  • DV2019-1656 Improved surfacing of Azure "authorization failed" errors due to client_secret in the api credentials being wrong, expired, or deleted

19.2.4 Release Notes

Divvy Software Release Notice - 19.2.4 Maintenance Release (06/12/2019).

Bug Fixes

  • DV2019-1566 Fixed issues where Network Has Instances filter wouldn't detect instances on GCP
  • DV2019-1592 Fixed duplicate-checking for Kubernetes clouds
  • DV2019-1572 Fixed Resource Name Regular Expression filter for Database Cluster resources
  • DV2019-1560 Fixed harvester issue where permissions harvesting was incorrectly case-sensitive
  • DV2019-1559 Fixed Compliance Scorecard UI issue where compliance packs would incorrectly show filtered-out clouds
  • DV2019-1558 Fixed Compliance Scorecard UI issue where the grid would only display one account when multiple were selected

Enhancements

  • DV2019-1557 Added Cloud User is Not Root filter to exclude AWS root accounts from listed Cloud User resources
  • DV2019-1437 Added resource:* filtering to Identity Resource Contains Invalid Actions filter
  • DV2019-1588 Added a negative match to the Resource Matches Tag Key/Value Regular Expression filter
  • DV2019-1585 Added Resource Meeting or Exceeding Tag Count filter to allow filtering resources with N tags or more
  • DV2019-1584 Added Exclude Inactive option to Cloud User With API Credentials Access Key Age Exceeds Threshold filter
  • DV2019-1583 Added environment variable harvesting to AWS Lambdas and GCP Serverless Functions
  • DV2019-1595 Added categories to BotFactory Actions and Filters for improved usability
  • DV2019-1451 Added ability to bulk clone custom Insights
  • DV2019-1596 Reordered and renamed columns in Insights view to improve table clarity
  • DV2019-1594 Changed bot editing behavior so editing a bot no longer pauses it
  • DV2019-1593 Renamed "Featured Packs" to "Compliance Packs" in UI
  • DV2019-1574 Surfaced error response when Post to URL Bot action fails
  • DV2019-1552 Surfaced improved error when adding a Kubernetes cluster with invalid credentials
  • DV2019-1548 Surfaced improved error when unlinking an Insight from a Bot

19.2.3 Release Notes

Divvy Software Release Notice - 19.2.3 Maintenance Release (06/05/2019).

AWS Missing Permissions Need to be Updated

As of 19.2, tags are now retrieved via the Resource Groups Tagging API for the resource types below. Please reconfigure your AWS cloud accounts by adding the tag:GetResources to your cloud role. Until you do so, tags will not be harvested for the following resources:

  • Elasticache
  • DynamoDB
  • RDS
  • Redshift
  • Elastic Container Registry
  • Route53
  • Kinesis
  • S3

Bug Fixes

  • DV2019-1523 Fixed a UI issue where the left navigation sidebar could not be used after clicking a link in a right-side informational overlay
  • DV2019-1520 Re-enabled standard browser right-click menu on left navigation sidebar items
  • DV2019-1519 Fixed a longstanding filter issue where bots using Instance Has Unencrypted Volumes Associated, Instance Has Unencrypted Data Volume Associated, and Instance Has Unencrypted Root Volume Associated could flag and display noncompliant resources multiple times if they had more than one volume attached
  • DV2019-1509 Fixed a UI issue where metrics charts percentage axis could go over 100%
  • DV2019-1499 Fixed a typo in the Export Scorecard screen displayed when there are no configured exports
  • DV2019-1485 Fixed bugs that prevented harvesting of Container Instance resources if their hostname address was too long, Notification Subscription resources if their endpoint name was too long, and SSL Certificate resources if their certificate ID was too long
  • DV2019-1483 Fixed a harvester edge-case bug that prevented harvesting of Azure Web App resources that have not been modified since their creation
  • DV2019-1534 Updated the text on BotFactory Actions header to clarify that all actions will trigger immediately unless a timer is specified in the action

19.2.2 Release Notes

Divvy Software Release Notice - 19.2.2 Maintenance Release (05/30/2019).

AWS Missing Permissions Need to be Updated

As of 19.2, tags are now retrieved via the Resource Groups Tagging API for the resource types below. Please reconfigure your AWS cloud accounts by adding the tag:GetResources to your cloud role. Until you do so, tags will not be harvested for the following resources:

  • Elasticache
  • DynamoDB
  • RDS
  • Redshift
  • Elastic Container Registry
  • Route53
  • Kinesis
  • S3

Bug Fixes

  • DV2019-1412 Fixed UnboundLocalError in Bot Factory when interacting with route tables
  • DV2019-1420 Fixed KeyError: 'disk_size_gb' in Azure unmanaged disk harvesting
  • DV2019-1422 Fixed UnboundLocalError in Azure Advisor harvesting
  • DV2019-1423 Fixed AttributeError: 'str' object has no attribute 'iteritems' in AWS harvesting by improving handling of missing IAM permissions
  • DV2019-1424 Fixed AssertionError in harvesting AWS RouteTables that use VPC Endpoints
  • DV2019-1465 Fixed edge case in Azure container harvesting
  • DV2019-1122 Fixed permissions errors in exporting data to S3 under an assumed Role
  • DV2019-1488 Fixed TypeError: 'NoneType' object is not iterable in Slack Preview Message
  • DV2019-1401 Fixed a Scorecard display bug that caused some cloud accounts to not be filtered out when clicking individual Insight cells
  • DV2019-1414 Fixed a UI error where Scorecard tooltips on compliant insights were sometimes wrong
  • DV2019-1477 Fixed 'Download Excel Report' from Scorecard in Firefox
  • DV2019-1220 Fixed double-listing of some harvesting jobs on Clouds page
  • DV2019-1403 Fixed a UI error where custom insights with empty username string (such as those created via the API) wouldn't be displayed
  • DV2019-1417 Fixed a UI error where storage accounts had no cloud UI tooltip
  • DV2019-1462 Fixed right-clicking to open new tabs in left sidebar

Enhancements

  • DV2019-1344 Improved navigation experience in Scorecard subscription
  • DV2019-1374 Improved error messages about incorrect Scorecard subscription and upload configurations
  • DV2019-1349 Improved description of Cloud User Has Attached Policies filter
  • DV2019-1396 Added a confirmation dialog and improved messaging when administrators attempt to clear system logs
  • DV2019-1398 Improved visibility of where data collections are used

19.2 Release Notes

Compliance Scorecard

We are thrilled to introduce our beta release of the Compliance Scorecard. Over the past few months the team has been working hard on improving the user experience and reporting capabilities of our Insight Packs; the Compliance Scorecard is the end result. This feature surfaces a visual representation of compliance in the form of an interactive heat map, aggregating compliance results across all cloud accounts and services. Results can be downloaded as a stylized Excel spreadsheet, emailed on a daily or weekly cadence, or even exported to S3/Google Cloud Storage for long term storage. You can read more about this feature here.

Data Collections

Data Collections simplify resource filtering, Insight analysis, and Bot configuration. This new enhancement of the product allows administrators to build out reusable data definitions. These data definitions can be used for auditing purposes and most importantly, they are associated with the hundreds of filters in the product. As an example, let's say that an end-user wants to define all trusted third party AWS and GCP accounts. They then want to run an Insight to identify cross-account access from an unknown third party. Data Collections allows for precisely this. We strongly suggest you read up on the feature here for deeper analysis and example use cases.

A Collection of Trusted Third Party Accounts

A Collection of Trusted Third Party Accounts

Accessing Your Collection While Filtering Resources

Accessing Your Collection While Filtering Resources

Permissions Entitlements

Entitlements is a new feature that allows Domain Admins (a type of user) to determine what permissions other types of users can have across the following features/functionality: BotFactory, Tag Explorer, Insights, and Scheduled Events. The permission levels include: "disabled", "viewer", "editor", and "admin". Learn more

Basic User

By default, all basic users (new and current) will be given "Viewer" level access, meaning they will be able to see and navigate to all sections of the tool, but they will not be able to make any edits or deletes. Please make sure you read this doc on how to change this for your basic users.

Cloud Permission Visibility

Customers using AWS, GCP, or Microsoft Azure now will get improved visibility on missing permissions for their installation. This new feature makes it much easier to identify what permissions are missing and what the impact of those missing permissions has on visibility into that cloud account. As shown in the image below, when viewing cloud permissions, you will now see a display clearly identifying the missing permission(s) for each service supported by DivvyCloud.

BotFactory Improvements

BotFactory has undergone Spring Cleaning this year, and there are several enhancements that make it easier than ever to build and maintain your Bots.

First, on-demand scans can be generated at any time, by all Bots. This improvement eliminates the need to toggle on a specific option to support retroactive scanning of your installation. The improvement also removes complexity during the Bot creation process.

Second, we've enhanced the Bot scopes screen in two ways:
1) When using badges, summary data is displayed to show the total number of accounts. For larger customers, this makes it easier to identify the number of clouds in scope based on the badge selection.
2) With 'Select All Clouds', the global badge is used to scope all clouds in the entire installation. Note that this is an Admin only function.

Badge selection summary view.

Badge selection summary view.

Lastly, logs are now available at the Bot Level, allowing users to quickly understand the reason behind bot failures.

Azure GovCloud Support

Azure GovCloud subscriptions can now be connected to DivvyCloud. This enables customers to gain visibility into their compliance and security posture for workloads hosted in both Amazon and Azure GovCloud. Check out the instructions on how to connect Azure GovCloud to DivvyCloud.

Tenable.io Integration

DivvyCloud now has support for monitoring agent deployments and status within the platform. To configure this, simply head to the Integrations section of the product and add API credentials to your Tenable.io installation. We will be enhancing this integration with support for Tenable.sc as well as several additional filters to inspect installed packages, security vulnerabilities, and more. Check out the instructions on how to connect Tenable.io to DivvyCloud.

Additional Cloud Support/Enhancements

Following are the additional services which DivvyCloud supports with Release 19.2. For a complete listing of supported services, follow the links provided to the specific cloud service provider.

Amazon Web Services

* Support for Shield
* Support for Route53 Domains
* Support for DirectConnect
* Support for the Resource Group Tagging API
* Visibility to SageMaker lifecycle and root access configuration
* Visibility to EKS Public/Private Endpoints
* Visibility into Elasticsearch Node-to-Node Encryption
"guardduty:GetFindings",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"pricing:GetProducts",
"route53domains:GetDomainDetail",
"route53domains:ListDomains",
"shield:DescribeEmergencyContactSettings",
"shield:ListAttacks",
"shield:ListProtections"

Amazon Web Service Update

In our 19.1 release notes we called out an additional permission to add in place. This permission was given ahead of time in preparation for a change that we were planning to make in 19.2. As of 19.2, tags are now retrieved via the Resource Groups Tagging API for the resource types below. Please note that without the IAM permission tag:GetResources, tags will not be harvested for these resources.

  • Elasticache
  • DynamoDB
  • RDS
  • Redshift
  • Elastic Container Registry
  • Route53
  • Kinesis
  • S3

Complete list of DivvyCloud-supported AWS services.

Google Cloud Platform

* Support for Interconnects
* Support for Preemptible Instances

Complete list of DivvyCloud-supported GCP services.

Microsoft Azure

* Storage Accounts
* Azure Database for MariaDB
* Key Vault
* Load Balancers
* Express Route
* Advisor
* Security Center
* Route Tables
* Unmanaged Disks
* Enhanced tag visibility

Complete list of DivvyCloud-support Azure services.

// For the read-only Standard User role
Microsoft.Advisor/recommendations/read
Microsoft.DBforMariaDB/locations/performanceTiers/read
Microsoft.DBforMariaDB/performanceTiers/read
Microsoft.DBforMariaDB/servers/configurations/read
Microsoft.DBforMariaDB/servers/firewallRules/read
Microsoft.DBforMariaDB/servers/read
Microsoft.DBforMariaDB/servers/virtualNetworkRules/read
Microsoft.KeyVault/vaults/read
Microsoft.Network/expressRouteCircuits/*/read
Microsoft.Network/loadBalancers/*/read
Microsoft.Network/routeTables/*/read
Microsoft.Security/*/read

// For the Power User role
Microsoft.Advisor/*
Microsoft.DBforMariaDB/*
Microsoft.KeyVault/*

General Enhancements

  • CloudFormation Templates and Docker containers had their base OS updated to Ubuntu 18.04.
  • Customers can now leverage AssumeRole with AWS GovCloud.
  • Customers can now send diagnostic information back to DivvyCloud via System Administration.
  • Microsoft Azure Network Security Groups ingress/egress security group rules are now surfaced.
  • Slack and Email actions now support message preview to validate Jinja templating.
  • The filter Identity Resource Contains Invalid Actions now supports wildcard searching.
  • Storage Container size values are now stored and surfaced as GB for improved readability.
  • We've added the ability to dynamically suspend/resume Autoscaling Groups based on tag values.
  • The Insights home screen has been removed; selecting Insights on the navigation menu will open the Insight Library view by default. Featured Packs and Custom Packs have been broken out into their own sections.
  • Insight Pack visibility can now be toggled by administrators to hide unsupported compliance frameworks from the installation.
  • We've added tag visibility and life-cycle support for DNS Zones.
  • We've added the ability to obtain the last events for a resource within BotFactory notification actions.
  • We've dramatically reduced the number of API calls required to store and harvest Instance Types across AWS, Google, and Microsoft Azure.
  • AssumeRole credentials are now monitored and refreshed using a centralized process which improves database performance and system notification.