DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

19.3 Release Notes

about a year ago by Matthew Presser

19.3.3 Release Notes

Divvy Software Release Notice - 19.3.3 Minor Release (09/19/2019)

New Filters

  • Network With Overlapping Network
  • Serverless Function Contains Specific Environment Variables (Regex)
  • Instance Security Group Associations (Regular Expression)
  • Resource Exposing Specific Ports
  • Stream Instance Version

Bugs

  • ENG-618 Fixed UI issue on the entitlements page where the user's image and name were not updating correctly.
  • ENG-606 Increased the accuracy of the 'Resource Does Not Contain Tag Key/Value Pair' filter and improved performance of other tag filters.
  • ENG-566 Fixed bug that reset entitlements after processor job ran.
  • ENG-556 Include the author of an Insight as a column in the Insight Library section of the tool.
  • ENG-518 Enhance the filters page by allowing users to navigate to a filtered list of Insights/Bots which are using a specific filter.
  • ENG-371 Decreased the number of badges that load to improve performance when interacting with the Clouds, Resources, and Insight pages.

Enhancements

  • ENG-619 Added a new filter to identify AWS VPC networks with overlapping CIDR blocks in the same account/region.
  • ENG-607 Added the ability to delete VPCs within AWS using on-demand lifecycle calls as well as via Bots.
  • ENG-597 Added a new action “Update Serverless Function Runtime” that enables customers to automate runtime upgrades for their AWS Lambda functions via BotFactory.
  • ENG-577 Added a new API endpoint to pull scorecard data by date using a single query across multiple resource types.
  • ENG-555 Surfaced the primary subnet ID that AWS EC2 instances are associated with in the Resources view and via the API.
  • ENG-554 Added a new filter to identify Serverless Functions such as AWS Lambda with one or more environment variables that match a supplied regular expression.
  • ENG-553 Added a new filter to identify instances with associated security groups by name using regular expressions.
  • ENG-525 Added a new filter to identify resources with user-supplied ports/protocols exposed to the Internet (0.0.0.0/0).
  • ENG-524 Only show cloud types interconnected to the software in the Cloud listing section of the tool.
  • ENG-446 On the Compliance Scorecard, when an insight has no impacted resources we now display either 'No Applicable Resources' or 'Unsupported Cloud Type' instead of the generic N/A.
  • ENG-318 Added Trusted Advisor support for AWS GovCloud and AWS China.
  • ENG-317 On the Compliance Scorecard export, when an insight has no impacted resources we now display either 'No Applicable Resources' or 'Unsupported Cloud Type' instead of an empty cell.
  • ENG-300 Added a new filter to identify Stream Instances by the running version
  • ENG-114 Extended support for AWS Distributed Table actions to AWS GovCloud/China
  • ENG-104 Added a new silent mode option for bots to reduce noise when testing new/updated bots
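The overlapping-network check introduced by ENG-619 is easy to get wrong if VPCs from different accounts or regions are compared against each other, or if a VPC's secondary CIDR blocks are ignored. The following is an added example, not DivvyCloud's own code, showing the core of such a check with Python's standard `ipaddress` module; the inventory records and their field names are constructed sample data, not the product's resource schema.

```python
"""Detect VPCs whose CIDR blocks overlap within the same account and region.

Added example illustrating the logic behind a 'Network With Overlapping
Network' style filter. SAMPLE_VPCS and its field names are constructed for
this example and are not DivvyCloud's resource model.
"""
from collections import defaultdict
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory. A VPC may carry several CIDR blocks
# (primary plus secondary associations), so each record holds a list.
SAMPLE_VPCS = [
    {"account": "111111111111", "region": "us-east-1", "vpc_id": "vpc-aaa",
     "cidrs": ["10.0.0.0/16"]},
    {"account": "111111111111", "region": "us-east-1", "vpc_id": "vpc-bbb",
     "cidrs": ["10.0.128.0/17"]},                       # sits inside vpc-aaa
    {"account": "111111111111", "region": "us-east-1", "vpc_id": "vpc-ccc",
     "cidrs": ["172.16.0.0/16", "10.1.0.0/16"]},        # adjacent, no overlap
    {"account": "111111111111", "region": "us-west-2", "vpc_id": "vpc-ddd",
     "cidrs": ["10.0.0.0/16"]},                         # same block, other region
    {"account": "222222222222", "region": "us-east-1", "vpc_id": "vpc-eee",
     "cidrs": ["10.0.0.0/8"]},                          # same space, other account
]


def find_overlapping_networks(vpcs):
    """Return sorted (account, region, vpc_a, vpc_b) tuples for every pair
    of VPCs whose address space overlaps.

    Pairs are only compared when they share an account and region, which
    is the scope the filter is described with; identical CIDRs in another
    account or region are routable separately and are not reported.
    """
    by_scope = defaultdict(list)
    for vpc in vpcs:
        # strict=False tolerates inventory entries with host bits set
        nets = [ip_network(c, strict=False) for c in vpc["cidrs"]]
        by_scope[(vpc["account"], vpc["region"])].append((vpc["vpc_id"], nets))

    findings = set()
    for (account, region), members in by_scope.items():
        for (id_a, nets_a), (id_b, nets_b) in combinations(members, 2):
            # ipaddress.overlaps() returns False for mixed IPv4/IPv6 pairs,
            # so dual-stack VPCs are handled without special casing.
            if any(a.overlaps(b) for a in nets_a for b in nets_b):
                findings.add((account, region) + tuple(sorted((id_a, id_b))))
    return sorted(findings)


if __name__ == "__main__":
    for account, region, a, b in find_overlapping_networks(SAMPLE_VPCS):
        print(f"{account}/{region}: {a} overlaps {b}")
```

Running this against the sample inventory reports only `vpc-aaa` and `vpc-bbb`: the identical `10.0.0.0/16` in `us-west-2` and the `10.0.0.0/8` in the other account are deliberately outside the filter's account/region scope.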

19.3.2 Release Notes

Divvy Software Release Notice - 19.3.2 Minor Release (09/04/2019)

DivvyCloud S3 bucket evaluation change!

There have been some fundamental changes to the way S3 buckets, and their underlying policies, are evaluated inside of DivvyCloud. Click here for more information.

Bugs

  • ENG-491 Customers using AWS will now have improved visibility warnings if an S3 bucket’s properties are unable to be harvested due to an overly restrictive bucket policy. For more information click here
  • ENG-488 NACLs will now display subnet associations in the dependencies tab of their resource details
  • ENG-445 Added a help link to articulate how to send direct mentions via Slack
  • ENG-440 Add support for removing Azure Virtual Networks via the Resources page and Bots
  • ENG-439 Filter to find ASGs with long-running instances.
  • ENG-438 User is notified that EDH must be enabled to see resource-specific events in the cloud events history
  • ENG-437 Added the ability to leverage Jinja templating for tag values within the Assign Tag To Resource action
  • ENG-401 Added support for revoking egress security rules and fixed an issue with the filter Access List Rule Not Open To World
  • ENG-398 Fixed an issue with the filter Network Has No Instances that would not display results across Alibaba and AWS clouds
  • ENG-385 Handle the removal of exempt resources from scheduled events when they are added to a resource group that is leveraged for automation exemptions
  • ENG-372 Fixed an issue preventing transit gateway harvesting when "Default route table association" was disabled
  • ENG-371 Decreased the number of badges that load to improve performance when interacting with the Clouds, Resources, and Insight pages
  • ENG-327 Added support for Network Interfaces for the Resource Is in Subnet filter
  • ENG-322 Added IPv6 support to the filters that look for public access
  • ENG-226 This update changes rounding precision in scorecard export to 2 decimal places
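Two items in these notes concern the same check: ENG-322 (IPv6 support in the public-access filters) and, in 19.3.3, ENG-525 (a filter for user-supplied ports exposed to 0.0.0.0/0). A rule that allows `::/0` is just as open to the Internet as one allowing `0.0.0.0/0`, and a filter that only inspects the IPv4 ranges misses it. The following is an added example, not DivvyCloud's code, that evaluates inbound rules shaped like EC2 `IpPermissions` entries against a list of requested ports; the rules are constructed sample data.

```python
"""Report requested ports that a security group opens to the whole Internet,
on either address family.

Added example; SAMPLE_RULES is constructed data shaped like the IpPermissions
entries EC2 returns for a security group (IpRanges / Ipv6Ranges keys).
"""
from ipaddress import ip_network

# Constructed inbound rule set for one security group.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},   # office only
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},        # IPv4 world
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},           # IPv6-only world
    {"IpProtocol": "-1",                                               # all traffic,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},        # private only
]


def world_open_families(rule):
    """Return the set of address families ('ipv4'/'ipv6') for which this rule
    admits any source. A zero-length prefix is the whole family, so both
    0.0.0.0/0 and ::/0 are caught by the same test."""
    families = set()
    for r in rule.get("IpRanges", []):
        if ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            families.add("ipv4")
    for r in rule.get("Ipv6Ranges", []):
        if ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            families.add("ipv6")
    return families


def rule_covers(rule, protocol, port):
    """True when the rule's protocol and port range include (protocol, port).
    EC2 encodes 'all traffic' as IpProtocol '-1' with no port keys."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def exposed_ports(rules, wanted):
    """wanted: iterable of (protocol, port). Returns a sorted list of
    (protocol, port, family) for every requested port that at least one
    rule opens to the Internet on that address family."""
    findings = set()
    for rule in rules:
        families = world_open_families(rule)
        if not families:
            continue
        for protocol, port in wanted:
            if rule_covers(rule, protocol, port):
                findings.update((protocol, port, fam) for fam in families)
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, fam in exposed_ports(SAMPLE_RULES, [("tcp", 22), ("tcp", 443), ("tcp", 3389)]):
        print(f"{proto}/{port} exposed to the Internet over {fam}")
```

On the sample rules, port 443 is reported as exposed over IPv4 and port 3389 over IPv6; port 22 is not reported because its only source is a single /24, and the private-range "all traffic" rule contributes nothing.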

Enhancements

  • ENG-406 Added the ability to see when a resource was first marked as noncompliant by a bot. Navigate to the Noncompliance page to view the date the resource became noncompliant
  • ENG-389 Enhanced action that allows Bot authors to specify conditions to flag removal of a security group from an Instance and assign a fallback security group
  • ENG-383 The bot description field is now optional, and can be created without one
  • ENG-380 Added a filter (Storage Container With Override Public Access Policies) to identify S3 buckets which enable bucket level public access settings which supersede the account level configuration and an opt-in column to view the settings
  • ENG-358 On the tag explorer summary page, checkboxes for the Contains All | Missing All values have been replaced by the more semantic radio button form control. Now labeled Contains all tags | Missing all tags
  • ENG-335 When applying filters that involve Resource Groups the Resource Group field should suggest Resource Group names as the user begins typing
  • ENG-334 Added new column to Resource CSV that provides the resource's abbreviated cloud service provider
  • ENG-333 Support sending Slack messages to multiple channels
  • ENG-326 Changed default text from "enter a tag" to "enter a value" for filters that take an input. This causes less confusion when the input is not related to tags
  • ENG-325 We now look at specific events to see if the role in the ARN is approved or not
  • ENG-324 Scheduled Event view now shows events that are in a deletion state
  • ENG-323 Added column for Stack Template resource to provide a last updated date
  • ENG-321 Added more context to the 'All' option for the Access List Exposes Port (Security Group) filter
  • ENG-302 The input text box for Send Microsoft Teams Message has been increased
  • ENG-279 Added a number of new filters for database clusters that include filtering based on deletion protection, multi-zone availability, encryption, backup retention policy and when the latest restorable time was exceeded
  • ENG-113 Persist the sort order when viewing Bots between page views
  • ENG-74 Added support for named source networks within Azure

19.3.1 Release Notes

Divvy Software Release Notice - 19.3.1 Maintenance Release (08/21/2019).

Bug Fixes

  • ENG-339 Fixed an issue that caused harvesting jobs to fail after DivvyCloud detected it could not harvest a restrictive KMS key policy
  • ENG-319 Fixed an issue that caused resources to be removed from multiple other resource groups, when that resource was only removed from one resource group
  • ENG-277 Fixed an edge case that prevented Resources from showing up in the Compliance Scorecard, Bots and the Resources page

19.3.0 Release Notes

S3 Bucket Public Access

S3 Bucket Public access visibility is now determined using the AWS API.

Amazon Web Service Update

To leverage this, IAM policies in AWS Commercial, AWS GovCloud and AWS China must add the IAM permission s3:GetBucketPolicyStatus to the DivvyCloud policy. Using this API call allows DivvyCloud to more accurately detect public buckets, and mirrors the native visibility that customers see in the Amazon Web Services console. Note that if this permission is not granted, public visibility falls back to the existing internal logic that DivvyCloud has used since 2017.
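The practical consequence of the permission change is that a bucket made public only through its bucket policy is reported correctly when `GetBucketPolicyStatus` can be called, and may be missed by an ACL-only heuristic when it cannot. The following is an added example, not DivvyCloud's code, that calls the API through a client with boto3's method names and response shapes and falls back to an ACL inspection on access denial. `FakeS3Client`, `AccessDenied` and the ACL-based fallback are constructed for the illustration; the fallback is an assumption about what an internal heuristic might look like, not a description of DivvyCloud's actual internal logic.

```python
"""Determine S3 bucket public visibility via GetBucketPolicyStatus, with an
ACL-based fallback when the caller lacks s3:GetBucketPolicyStatus.

Added example. The client interface mirrors boto3's get_bucket_policy_status
and get_bucket_acl (method names and response dict shapes); FakeS3Client, the
sample buckets and the fallback heuristic are constructed for this example.
"""

# Well-known ACL grantee URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


class AccessDenied(Exception):
    """Constructed stand-in for botocore's ClientError with Error.Code
    'AccessDenied'. With real boto3, catch ClientError and inspect
    e.response['Error']['Code'] instead."""


def acl_grants_public_access(acl):
    """Assumed legacy-style heuristic: public if any ACL grant targets the
    AllUsers or AuthenticatedUsers group. Sees nothing of bucket policies."""
    return any(
        grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        for grant in acl.get("Grants", [])
    )


def bucket_public_status(client, bucket):
    """Return (source, is_public). source is 'policy-status' when the API
    answered and 'acl-fallback' when s3:GetBucketPolicyStatus was denied.
    PolicyStatus.IsPublic reflects the bucket policy as AWS evaluates it."""
    try:
        resp = client.get_bucket_policy_status(Bucket=bucket)
        return "policy-status", bool(resp["PolicyStatus"]["IsPublic"])
    except AccessDenied:
        return "acl-fallback", acl_grants_public_access(client.get_bucket_acl(Bucket=bucket))


class FakeS3Client:
    """Constructed offline stand-in for a boto3 S3 client."""

    def __init__(self, policy_status, acls, permitted=True):
        self._policy_status = policy_status   # bucket name -> IsPublic
        self._acls = acls                     # bucket name -> GetBucketAcl response
        self._permitted = permitted           # whether the policy-status call is allowed

    def get_bucket_policy_status(self, Bucket):
        if not self._permitted:
            raise AccessDenied("s3:GetBucketPolicyStatus not allowed")
        return {"PolicyStatus": {"IsPublic": self._policy_status[Bucket]}}

    def get_bucket_acl(self, Bucket):
        return self._acls[Bucket]


OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                              "Permission": "FULL_CONTROL"}]}

# Constructed sample buckets: 'website-bucket' is public only through its
# bucket policy, so its ACL looks private.
SAMPLE_POLICY_STATUS = {"logs-bucket": False, "website-bucket": True}
SAMPLE_ACLS = {"logs-bucket": OWNER_ONLY_ACL, "website-bucket": OWNER_ONLY_ACL}


def evaluate_all(permitted):
    """Evaluate every sample bucket with or without the new permission."""
    client = FakeS3Client(SAMPLE_POLICY_STATUS, SAMPLE_ACLS, permitted)
    return {name: bucket_public_status(client, name) for name in SAMPLE_POLICY_STATUS}


if __name__ == "__main__":
    for permitted in (True, False):
        print(f"permission granted={permitted}: {evaluate_all(permitted)}")
```

With the permission granted, `website-bucket` is reported public from `PolicyStatus`; without it, the ACL fallback reports the same bucket as private, which is exactly the gap the permission closes.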

Navigation

The lefthand side navigation has been reworked with categorization, providing additional context to the various sections of the tool.

Custom Extensibility

For customers leveraging custom extensibility (e.g., provisioning), all modules are now located underneath the Extensibility menu.

Submenu options are shown as follows:

Compliance Scorecard

The compliance scorecard has had over a dozen improvements based on customer feedback.

  • Additional summary visualizations for Insight findings (by severity and resource type)
  • A summary visualization of historical Insight findings
  • Filter inputs moved to the lefthand side and are now collapsible
  • Insight Packs with over 80 Insights can now be viewed

Enhanced Compliance Scorecard: Lefthand Side Filter Selections Expanded, Summary Resource Visualizations and Heat Map Displayed

Enhanced Compliance Scorecard: Lefthand Side Filter Selections Compressed, Resource History and Heat Map Displayed

Microsoft Teams Integration

Microsoft Teams works like other messaging integrations, sending notification messages to Microsoft Teams channels. As an example, you can send high priority security alerts when noncompliant security group rules are provisioned, such as SSH open to the world. This integration is compatible with all DivvyCloud resources.

New Cloud Resources

Following are the additional services which DivvyCloud supports with Release 19.3. For a complete listing of supported services, follow the links provided to the specific cloud service provider.

  • Support for Glacier
  • Support for VPC Endpoints/PrivateLink
  • Support for Transit Gateway
  • Support for Amazon Managed Streaming for Apache Kafka (MSK)
  • Support for visibility into AWS EBS default encryption
  • Tag visibility and lifecycle support for SNS Topics

The corresponding additions to the DivvyCloud AWS IAM policy (policy fragment):

```json
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpcEndpoints",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"cloudfront:GetStreamingDistribution",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:GetVaultLock",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"kafka:ListClusters",
"kinesisvideo:DescribeStream",
"kinesisvideo:ListStreams",
"kinesisvideo:ListTagsForStream",
"organizations:DescribePolicy",
"organizations:ListTargetsForPolicy",
"s3:GetBucketPolicyStatus"
```

General Enhancements

  • Added "Start" on-demand action for Machine Learning Instances
  • Added "Periodic Start/Stop," "Scheduled Start/Stop," and "Start/Stop by Tag Value" bot actions for Machine Learning Instances
  • Security Groups now throw modification events when associated/disassociated with Instances
  • Data Collection can be bulk added/updated using a CSV file
  • Insight Packs can now be flagged as global. When this flag is enabled the Insight Pack and its Insights can be viewed across all child organizations; however, updates to the pack can only be made from the parent organization.
  • Deletion Protection status for Database Instances is now visible in the UI.
  • Fixed an issue preventing IPv6 rules from being deleted.

New Filters

AWS

  • Cold Storage Last Inventory Date Threshold
  • Cold Storage Lock Expiring Before Date
  • Content Delivery Network Logging to Specified Bucket
  • Content Delivery Network Not Logging
  • Content Delivery Network Not Logging Cookies
  • Content Delivery Network Not Requiring HTTPS
  • Content Delivery Network Not Using WAF
  • Content Delivery Network Using Alternative Domain Names
  • Content Delivery Network Using Default SSL Certificate
  • Content Delivery Network Using Specified WAF Rule
  • Identity Resource Path Does Not Match
  • Identity Resource Path Matches
  • Network Flow Log Destination
  • Network Flow Log Logging To Bucket
  • Network Flow Log Not Logging To Bucket
  • Network Flow Log Not Logging To Log Group
  • Network Flow Log Traffic Logging Filter Type
  • Network Flow Logging To Specific Log Group
  • Region Encrypted With Provider Default Keys
  • Region With Default Encryption Enabled
  • Region Without Default Encryption Enabled
  • Resource Recently Probed
  • Serverless Function Contains Environment Variables
  • Serverless Function Contains Specific Environment Variables
  • Serverless Function With Environment Variables
  • Serverless Function Without Environment Variables
  • Storage Container Public Access Via IAM Policy
  • Storage Container Public Access Via Legacy Access Control List
  • Stream Instance Does Not Encrypt Cluster Communication
  • Stream Instance Encrypts Cluster Communication
  • Stream Instance Has Insecure Traffic
  • Stream Instance Has Monitoring Level
  • Stream Instance Has Secure Traffic
  • Stream Instance Lifecycle State
  • Stream Instance Total Node Count Greater Than
  • Stream Instance Total Node Count Less Than
  • Threat Finding Count Exceeds
  • Threat Finding Last Seen Date Threshold
  • Threat Finding Severity

Azure

  • Encryption Key Does Not Support Expiration
  • Key Vault Secret Does Not Support Expiration
  • Web App Allowing Anonymous Access
  • Web App Enforcing Client Certificate Validation
  • Web App Not Allowing Anonymous Access
  • Web App Not Enforcing Client Certificate Validation
  • Web App With Managed Identity Enabled
  • Web App Without Managed Identity Enabled