InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].

Take Me to the Docs!    Release Notes

20.7 Release Notes

10 months ago by Mary Whaley

Latest 20.7 Release

Release Highlights (20.7) 10 December 2020

DivvyCloud is pleased to announce our last major release of the year, 20.7. This major release includes a new Azure Security Pack, expanded support of several Azure resources (Application Gateway, Azure Firewall, Azure Firewall Rule, and Azure Firewall Rule Collection), AWS support for Amazon Lightsail and Route53 Resolver, numerous new and revised filters, and several updates to Bot actions. Take note of the new permissions required for the new AWS and Azure resources. This release also includes a significant number of bug fixes.

For our add-on Cloud IAM Governance module, we have details around one new feature.

Skip ahead to review the new AWS and Azure permissions, as well as all details for the general release and the Cloud IAM Governance updates. As always, contact us at [email protected] with any questions.

Divvy Software Release Notice - 20.7 Major Release (12/10/2020)

New Permissions Required (20.7)

🚧

New Permissions Required

FOR AWS:
AWS Standard User (Read Only) Policy
"lightsail:GetContainerServices",
"lightsail:GetDisks",
"lightsail:GetInstances",
"lightsail:GetLoadBalancers",
"lightsail:GetRelationalDatabases",
"route53resolver:ListResolverQueryLogConfigs",
"route53resolver:ListResolverQueryLogConfigAssociations"

AWS Power User Policy
"lightsail:*",

"route53resolver:*"

FOR AWS GovCloud:
AWS GovCloud Standard User (Read Only) Policy
"route53resolver:List*"

AWS GovCloud Power User Policy
"route53resolver:*"

FOR AZURE:
"Microsoft.Network/applicationGateways/read",
"Microsoft.Network/azurefirewalls/read"

MORE ON NEW AWS PERMISSIONS

  • "lightsail:GetContainerServices", "lightsail:GetDisks", "lightsail:GetInstances", "lightsail:GetLoadBalancers", and "lightsail:GetRelationalDatabases" support the added visibility, tag, and delete lifecycle capability for AWS Lightsail instances, relational databases, disks and load balancers. [ENG-5617]
  • "route53resolver:ListResolverQueryLogConfigs", "route53resolver:ListResolverQueryLogConfigAssociations" (both for the Standard or Read Only User policy), and "route53resolver:*" (for the Power User policy) support the added visibility, tag, and delete lifecycle support for Route 53 Resolver logging configurations. Route53 Resolver Configuration can be found on the UI’s main Resources page under the Network Category and the new resource type Query Log Config. [ENG-5623]

MORE ON NEW AZURE PERMISSION

  • “Microsoft.Network/azurefirewalls/read” supports the Azure Firewall resource. [ENG-5085].
  • “Microsoft.Network/applicationGateways/read" supports the Azure Application Gateway resource. [ENG-4549]

Features & Enhancements (20.7)

AWS

  • Added visibility, tag, and delete lifecycle capability for AWS Lightsail instances, relational databases, disks and load balancers. New permissions required are "lightsail:GetContainerServices", "lightsail:GetDisks", "lightsail:GetInstances", "lightsail:GetLoadBalancers", and
    lightsail:GetRelationalDatabases". Lightsail can be found on the main Resources page, Compute category, and Lightsail resource type. [ENG-5617]
  • Added direct linking support for new Lightsail resource. [ENG-5803]
  • Added visibility, tag, and delete lifecycle support for Route 53 Resolver logging configurations. Route53 Resolver Configuration can be found on the UI’s main Resources page under the Network Category and the new resource type Query Log Config. This new resource requires the following new permissions: "route53resolver:ListResolverQueryLogConfigs" and "route53resolver:ListResolverQueryLogConfigAssociations" for the Standard (Read Only) User policy, and "route53resolver:*" for the Power User policy. [ENG-5623]
  • Added a new filter SSL Certificate Uses Unknown/Missing Validation Record to identify AWS ACM certificates that use DNS validation and have an unknown/missing DNS record. [ENG-5628]
  • Enhanced the filter Volume Type to add support for filtering the new gp3/io2 EBS volume types that were announced by AWS. [ENG-5812]
  • Improved AWS NotificationTopic harvesting inefficiencies in lookups for linked subscriptions. [ENG-5769]

AZURE

  • 20.7 includes a new Azure Security Pack. This new security compliance pack is our first step to align with Azure Security Center (ASC) Recommendations. ASC Recommendations are the backbone of several features and services within Azure to include Azure Advisor, ASC Secure Score, and ASC Regulatory Compliance. Check out the complete summary here. [ENG-5799]
  • Added visibility, tag, and delete lifecycle support for Azure Application Gateway. A new permission is required: “Microsoft.Network/applicationGateways/read". This new resource is found on the main Resources page, Network category, and Load Balancer resource type as Azure ‘Load Balancer/Application Gateway’. [ENG-4549]
  • Added the new resource Azure Firewall, Azure’s managed, cloud-based network security service to protect network resources. A new permission “Microsoft.Network/azurefirewalls/read” is required for this service. Azure Firewall can be found on the Resources main page under the Network category, Network Firewall resource type. [ENG-5085].
  • Added support for Azure Firewall Rule and Azure Firewall Rule Collection. Azure Firewall Rule can be found on the main Resources page, Network category, under the Network Firewall Rule resource type. Azure Firewall Rule Collection can be found on the main Resources page, Network category, under the Network Firewall Rule List resource type. [ENG-5799]

MULTI-CLOUD/GENERAL

  • Renamed the filter Access List Rule Source Network to Access List Rule Source/Destination Network and added the ability to select between filtering at the source/destination level. [ENG-5368]
  • Added a terminating option to the filter ‘Instance Lifecycle State`. [ENG-5728]
  • Insight notes are now included within a new tab in the compliance scorecard export. [ENG-5767]
  • Added an Entitlement for Data Collections. With this Entitlement, Admins will be able to delegate access to Data Collections to basic users. Depending upon the access granted, basic users will be able to read, create, edit, and/or delete data collections and data collection elements. [ENG-5631]
  • Added a new filter, Cloud Provider Name In/Not In List, that permits searching for resources based on their cloud provider name. This search is similar to the existing filter Resource Name Regular Expression. Because it doesn't use regular expressions, it is less flexible, but faster. [ENG-5620]
  • Expanded the filter Resource Is In Subnet to work with database instances. [ENG-5730]
  • The Insight CSV export now includes the Description and Author of the Insight and also maps the severity to the human readable label. [ENG-4840]
  • Improved sorting for the Compliance Scorecard export. Insights on the Scorecard tab are now sorted alphabetically by the Insight type (Core/Custom). [ENG-5752]

New Resources (20.7)

AWS

  • Added visibility, tag, and delete lifecycle support for Route 53 Resolver logging configurations. Route53 Resolver Configuration can be found on the UI’s main Resources page under the Network Category and the new resource type Query Log Config. This new resource requires the following new permissions: "route53resolver:ListResolverQueryLogConfigs" and "route53resolver:ListResolverQueryLogConfigAssociations" for the Standard (Read Only) User policy, and "route53resolver:*" for the Power User policy. [ENG-5623]
  • Added visibility, tag, and delete lifecycle capability for AWS Lightsail instances, relational databases, disks and load balancers. New permissions required are "lightsail:GetContainerServices", "lightsail:GetDisks", "lightsail:GetInstances", "lightsail:GetLoadBalancers", and "lightsail:GetRelationalDatabases". Lightsail can be found on the main Resources page, Compute category, and Lightsail resource type. [ENG-5617]

AZURE

  • Added visibility, tag, and delete lifecycle support for Azure Application Gateway. This new resource is found on the main Resources page, Network category, and Load Balancer resource type as Azure ‘Load Balancer/Application Gateway’. [ENG-4549]
  • Added the new resource Azure Firewall, Azure’s managed, cloud-based network security service to protect network resources. A new permission “Microsoft.Network/azurefirewalls/read” is required for this service. Azure Firewall can be found on the Resources main page under the Network category, Network Firewall resource type. [ENG-5085].
  • Added support for Azure Firewall Rule and Azure Firewall Rule Collection. Azure Firewall Rule can be found on the main Resources page, Network category, under the Network Firewall Rule resource type. Azure Firewall Rule Collection can be found on the main Resources page, Network category, under the Network Firewall Rule List resource type. [ENG-5799]

Actions (20.7)

AWS

  • Added a new Bot action, ‘Update User Group Association’, that can be used to add/remove IAM group associations with one or more target IAM users. [ENG-310]

Filters (20.7)

AWS

  • Network Without Query Log Configuration Association - New filter adds visibility, tag, and delete lifecycle support for Route 53 Resolver logging configurations. [ENG-5623]
  • SSL Certificate Uses Unknown/Missing Validation Record - New filter identifies AWS ACM certificates that use DNS validation and have an unknown/missing DNS record. [ENG-5628]
  • Volume Type - This enhanced filter adds support for filtering the new gp3/io2 EBS volume types that were announced by AWS. [ENG-5812]

MULTI-CLOUD/GENERAL

  • Access List Rule Source/Destination Network - This filter was renamed from Access List Rule Source Network and adds the ability to select between filtering at the source/destination level. [ENG-5368]
  • Cloud Provider Name In/Not In List - New filter that permits searching for resources based on their cloud provider name. This search is similar to the existing filter Resource Name Regular Expression. Because it doesn't use regular expressions, it is less flexible, but faster. [ENG-5620]
  • Cloud User Last Activity (Password & API) - Updated helper text for this filter. [ENG-5729]
  • ‘Instance Lifecycle State` - This filter was modified by adding a terminating option. [ENG-5728]
  • Resource Is In Subnet - Filter was expanded to work with database instances. [ENG-5730]

Bug Fixes (20.7)

AWS

  • [ENG-5673] Fixed a bug that prevents the S3 key prefix from being set when updating an API Accounting Configuration.
  • [ENG-5360] Fixed a bug in the filter MapReduce Cluster Without Properly Configured Security Config that prevented accurate results from showing when the "Local Disk Encryption Uses Customer Master Key (CMK)" or "EMRFS Encryption Uses Customer Master Key (CMK)" were selected.

AZURE

  • [ENG-5061] Fixed an IaC bug that resulted in the inability to analyze Azure Network Security Groups which leverage application security groups.

MULTI-CLOUD/GENERAL

  • [ENG-5818] Fixed a bug that would result in orphaned global Insight Packs when the parent organization it was created in was removed from the installation.
  • [ENG-5738] Fixed a bug where IaC scans were not detecting Region.
  • [ENG-5625] Fixed a bug with the Bot action Mirror Resource Tags From Parent that prevented its use on database cluster snapshots.
  • [ENG-5468] Fixed bug when Jira ticket's state prevents our integration from attaching a file; create a new ticket instead of failing.
  • [ENG-5434] Fixed a bug where Insight Editor entitlement allowed basic Users to add/remove Insights to/from packs not belonging to them. Basic Users with 'Editor' Insight permissions will see two changes in flow:
    • Add to Pack: When Editor users try to add Insights from library to an existing pack, they will now see only a list of their own packs rather than the list of all the custom packs available.
    • Edit a custom pack: Editor users will not be able to see the options to edit custom insight packs that they didn't create. They will still be able to edit their own custom insight packs as before.
  • [ENG-5433] Fixed a UI bug where users with the editor entitlement for Insights were able to access the "record changes" button for Insights they did not create, resulting in recorded changes not being saved. Now the button only appears when user actually has ability to edit the Insight; editors can only edit their own insights
  • [ENG-5417] Updated UI hint on how to add a space for the badging field on subscriptions (users should enter "shift" + "space").
  • [ENG-500] When using the ‘Remove Access List From Dependencies’ action, if there are multiple access lists attached to a resource that match the filter criteria, all of the matches will be removed from the resource.

Cloud IAM Governance (Access Explorer) Updates - 20.7 Major Release (12/10/2020)

👍

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (20.7)

  • Added an option to download policy data to the Effective Access view of Access Explorer. [ENG-5392]