DivvyCloud

Welcome to the DivvyCloud Docs!

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation reach out to us [email protected]


20.1 Release Notes

7 days ago by Mary Whaley

Latest Release

DivvyCloud is pleased to offer Minor Release 20.1.5. This minor release includes several fixed issues. Skip ahead to read all details for this minor release. As always, contact us at [email protected] with any questions.

Table of Contents

Major Release 20.1 (02/06/2020)
Minor Release 20.1.1 (02/13/2020)
Minor Release 20.1.2 (02/20/2020)
Minor Release 20.1.3 (03/05/2020)
Minor Release 20.1.4 (03/18/2020)
Minor Release 20.1.5 (04/01/2020)

Divvy Software Release Notice - 20.1 Major Release (02/06/2020)

DivvyCloud is pleased to present our first major release of the year, Release 20.1. This release includes some significant improvements, and also some significant changes, to our platform. It is vital that you read the following notes in preparation for deploying this new release.

Release Essentials

Python Upgrade: Our core tech stack has been upgraded from Python 2.7.15 to 3.7.4. This change will likely result in breakage to any custom plugins/extensibility that you have in place. If you have custom plugins and have not discussed them with your support team, please coordinate with your DivvyCloud customer success manager to help with the migration process. Additional details about this update are included in the Appendix below.

Exemptions Management - Driven by customer demand, our exemptions system has been overhauled to provide a major improvement in usability. If you use exemptions, coordinate with your DivvyCloud customer success manager to review the new capabilities and determine the best strategy for your requirements. Review documentation on exemptions.

Password Management - To strengthen our security posture, some locally authenticated users will be required to reset their password. This one-time reset migrates those accounts to improved password hashing. Users who authenticate via SAML, Active Directory, or LDAP are not affected. In addition, 20.1 includes changes to the existing “new user email template” that may require a minor adjustment to some system defaults. We recommend reading the complete details here to ensure a smooth migration.

Updated Microsoft Teams Integration

We have implemented a new method for the Microsoft Teams integration and will be removing the current integration in 20.2. The new integration leverages Webhooks for easier integration into customer environments. Read more here.

Other major enhancements for 20.1 include:

Divvy IAM Badge AND/OR Improvements and Optimizations - DivvyCloud Roles can scope access to cloud accounts by badge. A new checkbox has been added to the badges form; when it is enabled, the role matches only Cloud Accounts that carry ALL of the selected badges. Otherwise, the role matches Cloud Accounts that carry ANY of the selected badges.

To make the badges scoping changes possible, we needed to rework some of the internals of the role permissions system. This was done in conjunction with changes to minimize the surface area of the internal API as well as realize considerable performance improvements for customers with large numbers of users, groups, and roles.

For customers using the Python module directly through a plugin, we have documentation on the breaking changes; reach out to us directly for details.

Pack-level Notifications - We’ve vastly improved our pack-level notifications by adding hourly to the existing cadence settings (daily and weekly). Users who currently rely on Bots to deliver hourly notifications of individual Insights may now use Insight Pack-level notifications on an hourly basis, reducing “noise” by combining these reports into a single email. You can read more here.

Alphabetized Resource Listing - We’ve alphabetized the resource type listings on the Resources pages of the UI for greater convenience in finding your many resources.

In addition, we’ve included many fixes, enhancements, and new filters, many of the latter supporting Kubernetes Pods. Read on for all 20.1 details. As always, contact us at [email protected] with any questions!

New Permissions Required (20.1)


For AWS:
"ds:DescribeDirectories",
"ec2:DescribeTrafficMirrorTargets",
"serverlessrepo:ListApplications",
"serverlessrepo:GetApplication",
"serverlessrepo:GetApplicationPolicy",
"wafv2:GetWebACL",
"wafv2:ListWebACLs"

New Resources (20.1)

We’ve added visibility and lifecycle support for the AWS Serverless Application Repository (SAR). Customers can now identify applications that are shared with unknown third parties as well as with the public. This new resource is found on the Resources page under the Compute category as ‘Serverless Application’. New permissions required are “serverlessrepo:ListApplications”, “serverlessrepo:GetApplication”, and “serverlessrepo:GetApplicationPolicy”. [ENG-2235, ENG-1926]

Added support for AWS Directory Service. Includes the new filter Directory Service Without SSO Support, the new permission "ds:DescribeDirectories", and the new EDH events CreateDirectory, CreateMicrosoftAD, and DeleteDirectory. This new resource is found on the Resources page under the Identity & Management category as ‘Directory Service’. [ENG-2153]

Resource Enhancements (20.1)

  • Added support for AWS WAFv2. [ENG-2288]
  • Added the load balancer target group name and a new filter, Load Balancer Target Port AWS/Gov/China, to identify load balancers by the target port. [ENG-2214]
  • Provided more insight into Kubernetes Pods by harvesting the node_selector data point. To support this new data point we created a new filter, "Pod Does Not Have Node Selector". [ENG-1571]
  • Enhanced Pod Security Policies by increasing visibility into new data points: readOnlyRootFilesystem, allowedCapabilities, and requiredDropCapabilities. [ENG-1435]
  • Re-harvest data from Resource Type "PodSecurityPolicy" to support visibility of Kubernetes clusters. [ENG-1141]
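The three data points above (readOnlyRootFilesystem, allowedCapabilities, requiredDropCapabilities), together with the runAsUser rule, are what the Pod Security Policy filters listed under New Filters (20.1) evaluate. As an added example, not DivvyCloud code, the following Python implements the equivalent checks over a PodSecurityPolicy manifest; the two sample manifests and the helper names (evaluate_psp, permits_net_raw, permits_root_user, and so on) are constructed for illustration.

```python
"""Evaluate a Kubernetes PodSecurityPolicy (policy/v1beta1) for the settings
the 20.1 Pod Security Policy filters look at. Added illustration, not
DivvyCloud code; helper names and sample manifests are constructed."""

# Constructed sample manifests (not harvested from a real cluster).
PERMISSIVE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},
    "spec": {
        "privileged": False,
        "runAsUser": {"rule": "RunAsAny"},
        "allowedCapabilities": ["NET_ADMIN"],
        "requiredDropCapabilities": [],
        "readOnlyRootFilesystem": False,
    },
}

HARDENED_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "hardened"},
    "spec": {
        "privileged": False,
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "allowedCapabilities": [],
        "requiredDropCapabilities": ["ALL"],
        "readOnlyRootFilesystem": True,
    },
}


def _capabilities(psp, field):
    """Return the named capability list upper-cased, with a CAP_ prefix
    stripped so that NET_RAW and CAP_NET_RAW compare equal (defensive;
    manifests normally use the bare name)."""
    caps = psp.get("spec", {}).get(field) or []
    normalized = set()
    for cap in caps:
        cap = str(cap).upper()
        normalized.add(cap[4:] if cap.startswith("CAP_") else cap)
    return normalized


def drops_capability(psp, capability):
    """True if requiredDropCapabilities contains `capability` or ALL.
    The PSP API rejects a capability that is both dropped and allowed,
    so the drop list is authoritative."""
    dropped = _capabilities(psp, "requiredDropCapabilities")
    return "ALL" in dropped or capability.upper() in dropped


def permits_net_raw(psp):
    """NET_RAW is in the container runtime's default capability set, so a
    pod keeps it (and can craft raw packets) unless the policy drops it."""
    return not drops_capability(psp, "NET_RAW")


def permits_root_user(psp):
    """True unless runAsUser forbids UID 0: MustRunAsNonRoot, or MustRunAs
    with ranges that all start above 0. RunAsAny (or no rule) permits root."""
    run_as = psp.get("spec", {}).get("runAsUser", {})
    rule = run_as.get("rule", "RunAsAny")
    if rule == "MustRunAsNonRoot":
        return False
    if rule == "MustRunAs":
        return any(r.get("min", 0) == 0 for r in run_as.get("ranges", []))
    return True


def requires_read_only_root_fs(psp):
    return psp.get("spec", {}).get("readOnlyRootFilesystem", False) is True


def evaluate_psp(psp):
    """Findings keyed like the 20.1 filters; True means the condition holds."""
    return {
        "name": psp.get("metadata", {}).get("name"),
        "permits_net_raw": permits_net_raw(psp),
        "drops_all_capabilities": drops_capability(psp, "ALL"),
        "permits_root_user": permits_root_user(psp),
        "root_fs_read_only": requires_read_only_root_fs(psp),
    }
```

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the same four conditions map directly onto the restricted Pod Security Standard (drop ALL capabilities, runAsNonRoot, read-only root filesystem), so the checks remain useful against pod specs and admission policies after PSP is gone.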

General Enhancements (20.1)

  • Updated AWS Lambda harvesting to pull 10,000 functions per call, which is the maximum allowed by the provider API. This should dramatically reduce API rate limiting for customers across the Lambda namespace. [ENG-2350]
  • Updated the PagerDuty logo on the integrations page. [ENG-2349]
  • Improved UX for viewing effective access for a divvy role. [ENG-2276]
  • Improved performance around the look up of cluster properties on map reduce clusters that are in a terminated state. [ENG-2258]
  • We now Include the account ID by default in the resources view. [ENG-2239]
  • Improved and expanded direct links to cloud account from a resource. [ENG-2146]
  • Added additional GCP console links within DivvyCloud Interface. [ENG-1869]
  • In RolePermissions, now supporting badge scope logic to be AND rather than OR. [ENG-575]

New EDH Events/Enhancements (20.1)

  • Added the ability to restart an AWS DB instance with a Bot. [ENG-2141]
    New Events:
    • Scheduled Restart/Reboot
    • Periodic Restart DB Instance
  • Added additional AWS EDH actions to the ResourceCreation processor. [ENG-2147]
  • Added support for AWS Directory Service. This enhancement is related to the new filter Directory Service Without SSO Support and the new permission, "ds:DescribeDirectories". [ENG-2153]
    New EDH Events:
    • CreateDirectory
    • CreateMicrosoftAD
    • DeleteDirectory

Enhanced Actions (20.1)

  • Added the ability to use Jinja2 templating when assigning multiple tags to a resource. [ENG-2259]
  • Extended Bot support for S3 enable/disable global encryption to AWS GovCloud/China. [ENG-2233]

New Filters (20.1)

  • Container Deployment With Available Replica Count - Adds Kubernetes to supported list for Tag filters. [ENG-1412]
  • Directory Service Without SSO Support - Increases support for AWS Directory Service; associated with new permission "ds:DescribeDirectories", and new EDH events CreateDirectory, CreateMicrosoftAD, and DeleteDirectory. [ENG-2153]
  • Kubernetes Resource In Given Namespace - Adds Kubernetes to supported list for Tag filters. [ENG-1412]
  • Kubernetes Service Has Load Balancer IP - Adds additional Kubernetes support. [ENG-1371]
  • Load Balancer Target Port AWS/Gov/China - Supports the newly added load balancer target group name, identifying load balancers by the target port. [ENG-2214]
  • Network Resource Without RFC 1918 Address Space - Identifies network/subnet resources which are provisioned with publicly routable IP CIDR blocks. [ENG-2242]
  • Pod Does Not Have Node Selector - Supports harvesting of the new node_selector data point, providing more insight into Kubernetes pods. [ENG-1571]
  • Pod Has a Security Context Configured (Kubernetes only) - Supports harvesting of the new Security Context data point, providing more insight into Kubernetes pods. [ENG-1572]
  • Pod Not Associated With Service Account (Kubernetes only) - Supports improved insight into Kubernetes pods. [ENG-1414]
  • Pod Security Policy Contains RequiredDropCapabilities - Matches Pod Security Policies whose requiredDropCapabilities list includes a given capability, for example NET_RAW or ALL. [ENG-1296], [ENG-1295]
  • Pod Security Policy Does Not Contain RequiredDropCapabilities - Matches Pod Security Policies whose requiredDropCapabilities list does not include a given capability (for example NET_RAW or ALL), i.e. policies that still permit it. [ENG-1296], [ENG-1295]
  • Pod Security Policy Permits Container access for Root User - Supports harvesting of additional data for Pod Security policies. [ENG-1294]
  • Pod Security Policy Root Filesystem Read Only Setting - Determines whether or not your Kubernetes pod security policy has a root filesystem that has a read-only setting. [ENG-1297]
  • Resource Allows Access From Unapproved Networks - This new filter is the successor to "Instance Allows Access From Unauthorized Networks"; it works across eight additional resource types, and now will also take Azure/Google resource level firewall rules into account. [ENG-2096]
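The "Network Resource Without RFC 1918 Address Space" filter above boils down to a CIDR containment test, but the obvious shortcut, Python's ipaddress is_private property, is wider than RFC 1918 and would hide the cases you want to see. As an added example, not DivvyCloud code, here is the check done against the three RFC 1918 blocks explicitly; the sample subnet records and the function names are constructed, and the handling of IPv6 (reported as non-RFC 1918, since RFC 1918 is IPv4-only) is my assumption about what such a filter should do.

```python
"""Flag network resources whose CIDR is outside RFC 1918 space, mirroring
the "Network Resource Without RFC 1918 Address Space" filter. Added
illustration, not DivvyCloud code; the sample records are constructed."""
import ipaddress

RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Constructed sample harvest: (resource id, cidr).
SAMPLE_NETWORKS = [
    ("subnet-private-a", "10.42.0.0/24"),
    ("subnet-private-b", "172.31.8.0/22"),
    ("subnet-cgnat", "100.64.0.0/16"),        # shared address space, not RFC 1918
    ("subnet-link-local", "169.254.0.0/16"),  # is_private says True, still not RFC 1918
    ("vpc-public", "203.0.113.0/24"),         # documentation range standing in for public space
    ("subnet-172-outside", "172.32.0.0/16"),  # one bit past the end of 172.16/12
    ("subnet-bad", "not-a-cidr"),             # malformed harvest data
]


def is_rfc1918(cidr):
    """True only for IPv4 networks wholly inside 10/8, 172.16/12 or 192.168/16.

    Deliberately not `network.is_private`: that property also covers
    link-local, loopback, benchmarking and documentation ranges, which would
    hide misconfigurations rather than surface them. IPv6 has no RFC 1918
    equivalent, so IPv6 networks are reported as non-RFC 1918 (assumption).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def stdlib_is_private(cidr):
    """The broader stdlib notion, kept here only to show how it differs."""
    return ipaddress.ip_network(cidr, strict=False).is_private


def networks_without_rfc1918(records):
    """Return the ids of records whose CIDR falls outside RFC 1918 space.
    Unparsable CIDRs are reported too rather than silently skipped, so bad
    harvest data cannot make a network disappear from the finding."""
    offenders = []
    for resource_id, cidr in records:
        try:
            private = is_rfc1918(cidr)
        except ValueError:
            private = False
        if not private:
            offenders.append(resource_id)
    return offenders
```

Note that 172.31.8.0/22 is inside 172.16.0.0/12 while 172.32.0.0/16 is not; checking the 172 block by string prefix, a common mistake, gets both wrong. The subnet_of method used here was added in Python 3.7, which matches the interpreter the 20.1 platform now runs on.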

Bug Fixes (20.1)

[ENG-2351] - Fixed a bug with the AWS filter “Instance Uses Simple Networking (EC2 Classic)” that incorrectly identified pending instances as not being part of a VPC.

[ENG-2278] - Fixed bug that prevented Policies and Custom Policies from being attached to Users, Groups, and Roles.

[ENG-2166] - Improved the way we handle the removal of stale GCP labels when performing auto-badging.

[ENG-2051] - Improved logic behind permission check when adding a cloud account.

[ENG-1962] - Expanded the volume_id column to support longer managed disk names.

[ENG-1956] - Fixed a bug that prevented bots with names containing '/' from generating email notifications with a CSV attachment.

[ENG-673] - Fixed a bug that caused event error status to remain even when bots had recent successful runs.

Appendix 20.1

Python 3 Included in Release of DivvyCloud 20.1

As part of the 20.1 release, we are also announcing our migration to Python 3.7. Existing customers are likely to have already spoken with our Customer Success team concerning required updates. For customers who have not, it’s important to note that a successful installation or upgrade to DivvyCloud 20.1 requires a Python 3 environment.

NOTE: Official support for Python 2.x ended on January 1, 2020. As a result, while DivvyCloud continues to support all versions of our product, we cannot support upgrading legacy (Python 2) environments beyond DivvyCloud 19.5.4.

Since this process of supporting Python 3.7 varies based on the customer’s unique environment, we are unable to offer detailed global instructions; however, we are happy to answer questions or provide direct support to complete this process - reach out to us at [email protected]

For customers writing Python-based plugins going forward, keep in mind that plugins must be able to run in Python 3.7 in order to work with DivvyCloud 20.x+.

Some things to keep in mind for these plugins:

  • Python 3 changes how text and binary data are handled:
    • There is only the str type for text data; unicode and basestring no longer exist
    • Binary data is represented by the bytes type; str and bytes never compare equal and are not coerced into one another
  • The long type no longer exists:
    • Use the int type; it has arbitrary precision
  • Metaclass definition has changed:
    • The __metaclass__ class attribute is no longer used; instead the class statement takes a metaclass keyword argument
    • This is a quiet error: defining the class the old way raises no exception, but the metaclass is simply ignored, so the expected behavior does not happen at run time

Minor Changes Include:

  • To end a generator, simply return; raising StopIteration inside a generator body is now a RuntimeError (PEP 479)
  • The xrange function is now range
  • itertools.izip is now the built-in zip
  • dict.iteritems() is now dict.items()
    • In Python 3, items() returns a view over the dictionary, not a list as in Python 2, so copy it with list() before modifying the dictionary while iterating

Other Important Changes

  • httplib is now http.client
  • urllib2 and urllib are consolidated into the urllib package, which is split into sub-modules:
    • urllib.request (opening URLs), urllib.parse (URL parsing and quoting) and urllib.error
  • Abstract base classes such as Mapping and Iterable are imported from collections.abc rather than collections
  • inspect.getargspec is now inspect.getfullargspec
  • cStringIO.StringIO is now io.StringIO (use io.BytesIO for binary data)
  • from distutils import sysconfig is now just import sysconfig
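The list above reads as a set of rules; the following block, an added example and not DivvyCloud plugin code, shows the same changes in working Python 3.7 so a plugin author can see the target idioms together. PluginMeta, BasePlugin, TagAuditPlugin, normalize_text, paginate, parse_webhook_url, accepted_parameters, is_mapping and csv_buffer are constructed names, and the plugin registry is a hypothetical pattern chosen because it exercises the metaclass change.

```python
"""Python 3.7 idioms for the plugin changes listed in the appendix. Added
illustration, not DivvyCloud code; all names here are constructed."""
import collections.abc
import inspect
import io
from urllib.parse import parse_qs, urlparse


def normalize_text(value):
    """Return str for either str or bytes input.

    There is no unicode/basestring type any more; bytes must be decoded
    explicitly, and a str never compares equal to a bytes object, so tag
    values or tokens read from the wire need this step before comparison."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    if isinstance(value, str):
        return value
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


class PluginMeta(type):
    """Registers every concrete subclass by class name at definition time."""
    registry = {}

    def __init__(cls, name, bases, namespace):
        super().__init__(name, bases, namespace)
        if bases:  # the abstract base itself is not a plugin
            PluginMeta.registry[name] = cls


# Python 3 form. The Python 2 form, `__metaclass__ = PluginMeta` inside the
# class body, is silently ignored on 3.x and the registry would stay empty.
class BasePlugin(metaclass=PluginMeta):
    def run(self, resource):
        raise NotImplementedError


class TagAuditPlugin(BasePlugin):
    def run(self, resource):
        # dict.items() is a view, not a list: fine to read as here, but take
        # a copy with list(...) before mutating the dict inside the loop.
        return sorted(k for k, v in resource.get("tags", {}).items() if not v)


def paginate(items, page_size):
    """Yield lists of page_size items. End by returning: raising
    StopIteration inside a generator is a RuntimeError since PEP 479."""
    page = []
    for item in items:
        page.append(item)
        if len(page) == page_size:
            yield page
            page = []
    if page:
        yield page
    return


def parse_webhook_url(url):
    """urllib2 / urlparse are now urllib.request / urllib.parse."""
    parts = urlparse(url)
    return parts.scheme, parts.hostname, parse_qs(parts.query)


def accepted_parameters(func):
    """getargspec is deprecated (and removed in 3.11); getfullargspec also
    reports keyword-only arguments, which Python 2 did not have."""
    spec = inspect.getfullargspec(func)
    return spec.args + spec.kwonlyargs


def is_mapping(obj):
    """ABCs live in collections.abc; the old collections aliases were removed in 3.10."""
    return isinstance(obj, collections.abc.Mapping)


def csv_buffer(rows):
    """cStringIO is gone: io.StringIO for text, io.BytesIO for bytes."""
    buf = io.StringIO()
    for row in rows:
        buf.write(",".join(row) + "\n")
    return buf.getvalue()
```

The text/bytes split is the change most likely to bite silently in a security plugin: a Python 2 comparison of a harvested byte string against a str literal used to coerce and match; in Python 3 it is simply False, so an allow-list check can fail closed (or an exclusion list fail open) without raising anything.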

Divvy Software Release Notice - 20.1.1 Minor Release (02/13/2020)

In release 20.1.1, the major updates are centered around improvements to the usability and performance of our platform.

General Enhancements (20.1.1)

  • Added a create bot button in the compliance scorecard that matches the behavior of our insights page. [ENG-538]
  • 20.1.1 includes numerous updates to the Compliance Scorecard to load more dynamically (for dramatic improvements in overall usability and performance). These configuration changes require deliberate user actions, for example clicking on "search" and the selection of filters to load new visualization data. To review the complete details around our Compliance Scorecard, check out the full documentation here. [ENG-1751]
  • We added a configurable timeout to the Splunk integration. [ENG-2409]
  • Required Bot fields are now highlighted with red borders. [ENG-2389]
  • We’ve improved the performance around API calls when refreshing advisor checks in AWS. [ENG-2381]
  • We improved the error messaging when adding a Google Project. [ENG-2279]

Bug Fixes (20.1.1)

[ENG-2494] Fixed an issue with serverless function harvesting across AWS, Azure, and GCP.

[ENG-2472] Fixed UnboundLocalError when harvesting Azure virtual machines.

[ENG-2471] Fixed a bug that impacted the retrieval of the ACL and Lifecycle configurations for S3 buckets.

[ENG-2108] Fixed a bug that prevented modification of AWS Log Group retention policies within the UI.

[ENG-2101] Fixed an issue that caused an error when trying to add EKS clusters.

[ENG-2025] Fixed a minor bug when harvesting Azure Web Apps.

[ENG-2083] Added missing tooltip definitions for the AWS access analyzer and GCP firewall rules.

[ENG-1648] Improved performance of the Compliance Scorecard by adding a new search button that allows the user to control when a new scorecard heat map renders.

Divvy Software Release Notice - 20.1.2 Minor Release (02/20/2020)

Minor release 20.1.2 is highlighted by a new action to dynamically curate exemptions. It is the successor to the Resource Group driven curation. See the documentation on Exemptions for details.

Resource Enhancements (20.1.2)

  • Added visibility into Internet Gateway tags. [ENG-2514]
  • Added visibility into the last activity for AWS users. This property will show the last time that the user used the AWS Console or the programmatic API. [ENG-2466]

General Enhancements (20.1.2)

  • Insight exemption counts are refreshed when exemptions are created/updated. Read more about exemptions here. [ENG-2613]
  • We now allow domain and organization administrators to view all Insights created in the system, even those created as hidden by basic users. This allows administrators to fully audit custom Insights for duplicates. [ENG-2554]
  • Added a new getter that can be used to pull the role_arn and/or session name via Jinja templating. New Jinja command is resource.get_associated_account_role(). [ENG-2495]
  • We now show a loading bar when cloud accounts are being retrieved by badge during bot creation. [ENG-2459]

New Jinja Command (20.1.2)

  • resource.get_associated_account_role() - Added a new getter that can be used to pull the role_arn and/or session name via Jinja templating. [ENG-2495]

New Actions (20.1.2)

  • Added a new action, Curate Insight/Bot Exemptions, to dynamically curate Insight/Bot Exemptions. This new action is now the preferred way to maintain exemptions for an Insight. It is the successor to Resource Group Curation. [ENG-2616]

Enhanced Actions (20.1.2)

  • Added an optional delay to 'Instance Stop/Start By Tag Value' bot action. [ENG-2520]

New Filters (20.1.2)

  • Cloud Group User Threshold - Identifies cloud groups based on the number of users. Supported Clouds: AWS/Azure/Gov/China and AliCloud. [ENG-2464]
  • Network Interface Description Regular Expression - Identifies network interfaces using regular expressions against their description. [ENG-2509]

Bug Fixes (20.1.2)

[ENG-2515] Fixed bug that caused Azure scale set instances lifecycle state to be incorrect.

[ENG-2501] Fixed bug that showed non-top level resources in the resource type dropdown when viewing filters.

[ENG-2473] Fixed an InvalidRequestError caused by Azure allowing you to enter identical IP range rules.

[ENG-2458] Repaired bug in the tag explorer that prevented saving the configuration without the ‘contains/missing all’ options enabled.

[ENG-2447] Fixed bug that excluded subnet network access when evaluating public access to Azure Storage Accounts.

[ENG-2432] Now correctly surfacing name that is associated with Azure, GCP, and AWS Public IP addresses.

[ENG-2395] Now correctly distinguishing between auto-generated and user-generated badges.

Divvy Software Release Notice - 20.1.3 Minor Release (03/05/2020)

Release 20.1.3 includes improvements to our exemptions feature, refinements to current features, and numerous bug fixes.

New Permissions Required (20.1.3)

For AWS:

"elasticmapreduce:ListSecurityConfigurations",
"elasticmapreduce:DescribeSecurityConfiguration"

These both support the added visibility into AWS EMR security configurations. [ENG-2293]

New & Enhanced Features (20.1.3)

In Release 20.1.3, we have:

  • Added the ability to execute the delete lifecycle operation for an AWS ECR image. [ENG-2451]
  • Added a new filter, Resource Not Associated With Insight Exemptions, that can be used to filter out resources that are exempt from a particular Insight. [ENG-2664]
  • Added a refresh button to the harvest info and background jobs views. [ENG-2563]
  • Added visibility into AWS EMR security configurations. This new visibility allows customers to identify map reduce clusters that do not support encryption at rest, encryption in transit, Kerberos authentication and CMK utilization. Note that two new permissions are required in conjunction with this feature: "elasticmapreduce:ListSecurityConfigurations" and "elasticmapreduce:DescribeSecurityConfiguration". [ENG-2293]
  • Enhanced how we handle deleting exemptions and updating insights:
    • If an Insight has its resource types modified, the exemptions which are no longer in scope are removed.
    • Exemptions are removed from an Insight after it is deleted. [ENG-2672]
  • Added harvesting of EFS resources from China and have updated EFS filters to include AWS China. [ENG-2692]

Resource Enhancements (20.1.3)

  • We now harvest AWS Elastic File System (EFS) resources from China and have updated EFS filters to include AWS China. [ENG-2692]
  • We added visibility into AWS EMR security configurations. This new visibility allows customers to identify map reduce clusters which do not support encryption at rest, encryption in transit, Kerberos authentication, and CMK utilization. New permissions required for these enhancements are "elasticmapreduce:ListSecurityConfigurations" and "elasticmapreduce:DescribeSecurityConfiguration". [ENG-2293]
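The four conditions named above (encryption at rest, encryption in transit, Kerberos, CMK use) can all be read from the SecurityConfiguration JSON document that elasticmapreduce:DescribeSecurityConfiguration returns. As an added example, not DivvyCloud code, here is that classification in Python; the field names follow the documented EMR security-configuration format, the two sample documents are constructed, and the customer-managed-key test is a heuristic of mine on the key reference alone (see the comment for its limit).

```python
"""Classify an EMR security configuration document for at-rest and in-transit
encryption, Kerberos and CMK use, as the 20.1.3 EMR visibility does. Added
illustration, not DivvyCloud code; sample documents are constructed."""
import json

# Constructed samples in the documented EMR security-configuration shape.
WEAK_CONFIG = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": False,
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}
        },
    }
})

STRONG_CONFIG = json.dumps({
    "EncryptionConfiguration": {
        "EnableInTransitEncryption": True,
        "EnableAtRestEncryption": True,
        "InTransitEncryptionConfiguration": {
            "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "s3://example-bucket/emr-certs.zip",
            }
        },
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {
                "EncryptionMode": "SSE-KMS",
                "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            },
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms",
                "AwsKmsKey": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            },
        },
    },
    "AuthenticationConfiguration": {
        "KerberosConfiguration": {
            "Provider": "ClusterDedicatedKdc",
            "ClusterDedicatedKdcConfiguration": {"TicketLifetimeInHours": 24},
        }
    },
})


def _is_customer_managed_key(key_ref):
    """Heuristic on the reference alone: AWS managed keys are referenced via
    aliases under alias/aws/. A bare key id or key ARN cannot be classified
    from the document; confirm with kms:DescribeKey (KeyManager == CUSTOMER)."""
    if not key_ref:
        return False
    return "alias/aws/" not in key_ref


def assess_security_configuration(doc):
    """doc is the SecurityConfiguration JSON string (or parsed dict); None
    models a cluster launched with no security configuration at all."""
    if doc is None:
        cfg = {}
    else:
        cfg = json.loads(doc) if isinstance(doc, str) else doc
    enc = cfg.get("EncryptionConfiguration", {})
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    s3 = at_rest.get("S3EncryptionConfiguration", {})
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    kerberos = cfg.get("AuthenticationConfiguration", {}).get("KerberosConfiguration")

    at_rest_enabled = enc.get("EnableAtRestEncryption", False) is True
    s3_kms = s3.get("EncryptionMode", "") in ("SSE-KMS", "CSE-KMS")
    disk_kms = disk.get("EncryptionKeyProviderType") == "AwsKms"
    return {
        "encryption_at_rest": at_rest_enabled,
        "encryption_in_transit": enc.get("EnableInTransitEncryption", False) is True,
        "kerberos": kerberos is not None,
        # CMK only counts if both the S3 and the local-disk paths use a KMS key you manage.
        "cmk": (
            at_rest_enabled
            and s3_kms and _is_customer_managed_key(s3.get("AwsKmsKey"))
            and disk_kms and _is_customer_managed_key(disk.get("AwsKmsKey"))
        ),
    }


def findings(doc):
    """Names of the controls the configuration fails, sorted for stable output."""
    return sorted(k for k, ok in assess_security_configuration(doc).items() if not ok)
```

A cluster can only be matched to a document if it was launched with one; clusters with no SecurityConfiguration name at all fail every control, which is why findings(None) is worth asserting on rather than treating as "nothing to check".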

New Actions (20.1.3)

  • Added the ability to execute the delete lifecycle operation for an AWS ECR image. [ENG-2451]

New Filters (20.1.3)

Resource Not Associated With Insight Exemptions - Can be used to filter out resources that are exempt from a particular Insight. [ENG-2664]

Bug Fixes (20.1.3)

[ENG-2679] Fixed an issue with the Incomplete Permission scan that resulted in a failed evaluation of the current permissions.

[ENG-2704] Fixed error when using 'Instance Start and Stop based on tag' action.

[ENG-2754] Corrected issues when updating Data collection information.

[ENG-2614] Updated IAM policy evaluation for transit encryption to include lists of actions and case insensitive evaluation.

[ENG-2735] Fixed a regression where badge keys and values were restricted. (Badges and keys were not allowing special characters.)

[ENG-2524] Fixed issue causing duplicate Azure account records to be inserted into the DB.

[ENG-2669] Corrected an error when using 'Suspend/Resume Autoscaling Group By Tag Value' bot action.

[ENG-2757] Hardened AWS BuildProject harvesting when using KMS keys not yet known by DivvyCloud.

[ENG-2561] Removed GCP labels in DivvyCloud when removed in GCP and auto-badging enabled.

[ENG-2497] Fixed a bug that caused the Session Id and External Id under Cloud settings page to disappear from the UI.

[ENG-2732] Fixed bug that prevented system logs from being downloaded.

[ENG-2736] Fixed typo in the Vulnerabilities column for Container Image resources.

Divvy Software Release Notice - 20.1.4 Minor Release (03/18/2020)

Minor Release 20.1.4 includes a ServiceNow feature enhancement, as well as several bug fixes. We have also added two new permissions for AWS RDS; these permissions are added in preparation for our next major release (20.2) when they will be required. As always, contact us at [email protected] with any questions.

New Permissions (20.1.4)

For AWS:

The following permissions are now tested for AWS RDS resources:

"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters"

If these are not present, the limited permission icon will appear. Currently, there is no reduction in functionality but this is in preparation for the 20.2 release when these will be required.
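Before upgrading, it is worth confirming that the harvesting role's policy actually grants every action listed under New Permissions Required (20.1), New Permissions Required (20.1.3) and the RDS permissions above, rather than waiting for the limited permission icon. As an added example, not DivvyCloud code, the following Python evaluates a policy document locally against that combined list. The sample policy is constructed, and the evaluator is a deliberate simplification of IAM: it handles Action/NotAction wildcards and explicit Deny, and ignores Resource and Condition, which is adequate for these List/Describe/Get actions that are normally granted on "*".

```python
"""Report which of the 20.1.x harvesting actions an IAM policy document does
not grant. Added illustration, not DivvyCloud code; the sample policy is
constructed and the evaluator simplifies IAM (no Resource/Condition logic)."""
import fnmatch
import json

# Actions introduced in 20.1, 20.1.3 and 20.1.4, in that order.
REQUIRED_ACTIONS = [
    "ds:DescribeDirectories",
    "ec2:DescribeTrafficMirrorTargets",
    "serverlessrepo:ListApplications",
    "serverlessrepo:GetApplication",
    "serverlessrepo:GetApplicationPolicy",
    "wafv2:GetWebACL",
    "wafv2:ListWebACLs",
    "elasticmapreduce:ListSecurityConfigurations",
    "elasticmapreduce:DescribeSecurityConfiguration",
    "rds:DescribeDBParameterGroups",
    "rds:DescribeDBParameters",
]

# Constructed sample: a pre-20.1 harvesting policy with one explicit Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "rds:Describe*", "wafv2:*", "ds:DescribeDirectories"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticmapreduce:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": "wafv2:ListWebACLs", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names match case-insensitively; * and ? are the wildcards.
    # fnmatch also honours [...] classes, which never occur in action names.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action (or the complement of NotAction) covers `action`."""
    if "NotAction" in statement:
        return not any(_matches(p, action) for p in _as_list(statement["NotAction"]))
    return any(_matches(p, action) for p in _as_list(statement.get("Action")))


def action_allowed(policy, action):
    """Explicit Deny beats any Allow; no matching statement is an implicit deny."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = _as_list(doc.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Actions the platform needs that this policy does not grant, in list order."""
    return [a for a in required if not action_allowed(policy, a)]
```

For the authoritative answer, which also accounts for Resource and Condition elements, permission boundaries and service control policies, run the same action list through iam:SimulatePrincipalPolicy against the harvesting role; the local check above is for catching gaps in the policy text before it is deployed.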

Feature Enhancement (20.1.4)

Added credential validation to the ServiceNow integration. [ENG-2922]

Bug Fixes (20.1.4)

[ENG-2903] Fixed an edge case that would prevent AWS RDS snapshots from properly reflecting their public visibility icon in the UI, despite the Insight properly flagging the snapshot as a match.

[ENG-2914] DivvyCloud Platform now retains the existing linked cloud account listing from the previous run of CloudMetadataHarvest.

[ENG-2887] Restored the ability to harvest AWS InstanceFlavors.

[ENG-2861] Fixed bug that caused every harvest of AWS VPCs to trigger modification hookpoints.

[ENG-2849] Restored the ability to build a new data collection using a CSV.

[ENG-2838] Platform now builds the tag mapping even if an account has keys without any aliases.

[ENG-2833] Restored the ability to send Compliance Scorecard Emails.

[ENG-2828] Fixed issue with allowing users to download a CSV file of their users.

Divvy Software Release Notice - 20.1.5 Minor Release (04/01/2020)

Minor release 20.1.5 includes several fixed issues. As always, contact us at [email protected] with any questions.

Bug Fixes (20.1.5)

[ENG-2817] - Fixed a bug that prevented users from updating AWS S3 lifecycle configuration policies.

[ENG-2834] - Corrected the region location when attempting to upload the Compliance Scorecard to S3.

[ENG-3022] - Fixed harvest strategy support for Kubernetes.

[ENG-3029] - Ensured the correct object is updated when CloudApiHarvester runs.

[ENG-3045] - Fixed Insight name selection in Scorecard.

[ENG-3054] - Returning correct information when there are no exemptions for the supplied Insight.

[ENG-3063] - Now performing EDH history lookup using the provider ID or the name.

[ENG-3070] - Added an organization service and region filter for ServerlessFunctions when harvesting.

[ENG-3105] - Fixed inelegant handling of exceptions when processing deletion notifications during the harvest cycle.