DivvyCloud


DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

For questions about documentation reach out to us [email protected]


21.1 Release Notes

4 months ago by Mary Whaley

Latest 21.1 Release


Release Availability

Our latest minor release 21.1.5 is available for hosted customers on Wednesday February 17, 2021. Availability for self-hosted customers is Thursday February 18, 2021 - if you’re interested in learning more about becoming a hosted customer reach out to [email protected].

Release Highlights (21.1.5)

DivvyCloud is pleased to announce Minor Release 21.1.5. This minor release includes visibility and support for GCP’s Cloud NAT, as well as feature enhancements for AWS, Azure, and multi-cloud environments. In addition, this release contains 2 new filters, 5 modified (renamed) filters, and multiple bug fixes.

For our add-on Cloud IAM Governance module, we have details around 1 enhancement and 2 bug fixes.

Skip ahead to review the new permissions and details for the general release, as well as details for the Cloud IAM Governance. As always, contact us at [email protected] with any questions.


Important Updates and Reminders

User & Group Entitlement Support
User entitlement support will be deprecated in favor of group-level entitlements beginning with our next major release (anticipated for the end of February 2021). As of 21.1.4 (02/10/2021), we have deprecated the auto-population of user entitlements when new user accounts are registered or updated. Check out this page for details.

Ubuntu Upgrade
We’re upgrading our container’s base OS from Ubuntu 19.x to 20.x LTS. As a result, a newer minimum version of MySQL is required. The minimum version is fairly old, so the vast majority of customers won’t need to do anything. Skip ahead to details about the Ubuntu update and the MySQL version requirements.

EDH in Multiple Environments
DivvyCloud now supports EDH in multiple environments with both environments monitoring the same accounts as Producers, perhaps one as ReadOnly and the other as PowerUser. If you plan on enabling EDH in multiple environments, using the same accounts as Producers, there is some customization required in your deployment. The "fix" is easy, but best done with help. Contact your CSM or support.

For details or assistance with any of the items specified above contact us at [email protected].


Table of Contents

Major Release 21.1 (01/20/2021)
Minor Release 21.1.1 (01/27/2021)
Minor Release 21.1.2 (01/28/2021)
Minor Release 21.1.3 (02/03/2021)
Minor Release 21.1.4 (02/10/2021)
Minor Release 21.1.5 (02/18/2021)

The following are updates related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module:

Cloud IAM Governance (Access Explorer) - 21.1 Major Release (01/20/2021)
Cloud IAM Governance (Access Explorer) - 21.1.3 Minor Release (02/03/2021)
Cloud IAM Governance (Access Explorer) - 21.1.4 Minor Release (02/10/2021)
Cloud IAM Governance (Access Explorer) - 21.1.5 Minor Release (02/18/2021)

Divvy Software Release Notice - 21.1.0 Major Release (01/20/2021)

New Permissions Required (21.1.0)


New Permissions Required

FOR AWS Standard (Read-Only) User:
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"lambda:GetFunction",
"lambda:GetPolicy",
"outposts:ListOutposts",
"ssm:DescribeParameters"

FOR AWS Power User:
"outposts:*",
"ssm:*"

FOR AWS GovCloud (Read-Only) User:
"outposts:List*",
"ssm:Describe*"

FOR AWS GovCloud Power User:
"outposts:*",
"ssm:*"

FOR AZURE:
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read"

MORE ON PERMISSIONS: AWS

  • "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", and "ec2:DescribeVpnGateways" support the newly added resource AWS Virtual Private Gateway. [ENG-6208]
  • “lambda:GetFunction” - This permission is required in the read-only policy to see attached lambda resource-based policies. [ENG-6053]
  • “lambda:GetPolicy” - This permission is required in the read-only policy to see attached lambda resource-based policies. [ENG-5967]
  • “outposts:ListOutposts” - This permission is required to support the newly added resource AWS Outposts. [ENG-6040]
  • “ssm:DescribeParameters” - Supports the newly added resource AWS Systems Manager Parameter Store. [ENG-5719]
    Note (01/25/2021): The AWS GovCloud policy additions listed above ("outposts:List*" and "ssm:Describe*" for the read-only policy, "outposts:*" and "ssm:*" for Power User) belong in this list as well; they were omitted from the original 21.1.0 notes and are called out again under 21.1.1.
    Note: "ssm:*" in the Power User policies is far broader than the read-only additions. Among other things it covers Systems Manager Run Command and Session Manager, which can execute commands on managed instances, so scope it down to the SSM actions your Bots actually use if your least-privilege review requires it.
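To check whether an existing DivvyCloud read-only policy already covers these additions before upgrading, the following added example (written for this page, not DivvyCloud's own tooling) compares the required actions against a policy document, expanding IAM action wildcards such as "ssm:Describe*" and honoring explicit Deny statements, which IAM evaluates ahead of any Allow. The policy document is constructed for illustration; the check ignores Resource and Condition elements (these harvesting calls are Describe/List operations normally granted on "*") and refuses NotAction statements rather than guessing at them.

```python
import fnmatch

# The AWS Standard (Read-Only) additions listed in the 21.1.0 notes.
REQUIRED_READONLY_ACTIONS = [
    "ec2:DescribeVpcPeeringConnections",
    "ec2:DescribeVpcs",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeVpnGateways",
    "lambda:GetFunction",
    "lambda:GetPolicy",
    "outposts:ListOutposts",
    "ssm:DescribeParameters",
]

# Constructed sample: a policy that was only partially updated.  It allows the
# EC2 and SSM additions through wildcards, allows lambda:Get* but then denies
# lambda:GetPolicy explicitly, and never mentions Outposts at all.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "lambda:Get*", "ssm:Describe*"],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "lambda:GetPolicy", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_patterns(policy, effect):
    """Collect the Action patterns of every statement with the given Effect.

    Resource and Condition are deliberately ignored (see the lead-in).
    NotAction inverts the meaning of a statement, so refuse to evaluate it.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != effect:
            continue
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not supported by this check")
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def missing_actions(policy, required):
    """Map each required action that is not effectively allowed to the reason.

    An action is effective only if some Allow statement matches it and no
    Deny statement does; an explicit Deny always wins in IAM.
    """
    allows = action_patterns(policy, "Allow")
    denies = action_patterns(policy, "Deny")
    missing = {}
    for action in required:
        if any(action_matches(p, action) for p in denies):
            missing[action] = "explicitly denied"
        elif not any(action_matches(p, action) for p in allows):
            missing[action] = "not allowed"
    return missing


if __name__ == "__main__":
    for action, reason in missing_actions(SAMPLE_POLICY, REQUIRED_READONLY_ACTIONS).items():
        print(f"{action}: {reason}")
```

Feed it the decoded Document of each policy version attached to the DivvyCloud role (for example the PolicyVersion.Document field returned by `aws iam get-policy-version`); when a role carries several policies, merge their Statement lists first so that a Deny in one policy is evaluated against an Allow in another.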

MORE ON PERMISSIONS: AZURE

  • “Microsoft.Compute/galleries/read”, “Microsoft.Compute/galleries/images/read”, and “Microsoft.Compute/galleries/images/versions/read” add support for Azure Shared Image Galleries. [ENG-5636]

Features & Enhancements (21.1.0)

UBUNTU UPDATE
We’re updating our container’s base OS from Ubuntu 19.x to 20.x LTS. As a result, a newer minimum version of MySQL is required. The minimum version is fairly old, so the vast majority of customers won’t need to do anything. The MySQL version requirements for each platform are listed below. As always, contact us at [email protected] with any questions.

  • Test Drive

    • Minimum: v5.7.28, divvycloud/quickstart-db:v5.7.28
    • Recommended: v5.7.32 (latest), divvycloud/quickstart-db:v5.7.32 or divvycloud/quickstart-db
  • AWS

    • RDS MySQL minimum: v5.7.21
    • RDS MySQL recommended: v5.7.31 (latest)
    • (Aurora is still not recommended for unrelated performance reasons)
    • RDS Aurora minimum: v5.7.12
    • RDS Aurora recommended: v2.09.1 (latest)
    • See the AWS documentation on RDS MySQL and Aurora MySQL versions for more information.
  • AZURE

    • NOTE: Unlike AWS, Azure does not let you launch a specific minor release of MySQL v5.7.x; you can only choose v5.7.
    • The MySQL version reported in the command line/console (v5.6.47.0) is not the actual MySQL version. See this Azure Doc for more information.
    • The current minor release, v5.7.29, is compatible with the upcoming DivvyCloud release.
  • GCP

    • NOTE: Unlike AWS, GCP does not let you launch a specific minor release of MySQL v5.7.x; you can only choose v5.7.
    • Unlike Azure, the MySQL version reported in the command line/console is the actual MySQL version. See this GCP doc for more information.
    • The current minor release, v5.7.25, is compatible with the upcoming DivvyCloud release.

GROUP LEVEL ENTITLEMENTS
Beginning with 21.1 DivvyCloud includes support for group-level entitlements [ENG-6110]. This feature enables the assignment of entitlements to defined groups instead of just at the individual user level.

Some important details to note:

  • We will continue to support user-level entitlements in addition to group-level entitlements until our next major release (21.2).
  • We will be disabling user entitlements with our next major release (21.2)
  • In order to provide the best experience we strongly recommend that you invest the time to create your desired group architecture for entitlements ahead of any planned upgrades to ensure continued access and visibility for your entitlements users.

To read additional details on this feature check out our entitlements documentation here.

SUPPORT FOR ORACLE CLOUD INFRASTRUCTURE

DivvyCloud now includes support for Oracle Cloud Infrastructure (OCI). While initial support for this new Cloud Service Provider will be limited, we expect to rapidly expand the supported features and services for OCI over the course of 2021. [ENG-6117]

  • Refer to our documentation here to get started and connect an Oracle tenancy.
  • Check out our list of supported OCI resources
  • In addition, our OCI support includes a new OCI Compliance Pack. This pack includes DivvyCloud Insights that can map to the OCI CIS Benchmark requirements. Read more about it here.

NEW PCI DSS COMPLIANCE PACK
DivvyCloud's new Payment Card Industry Data Security Standard (PCI DSS) Pack includes DivvyCloud Insights that can map to the PCI DSS requirements. This pack is important for organizations that are required to align with the Payment Card Industry Data Security Standards. Read more about it here.

ADDITIONAL APPROACH FOR SETTING UP AWS READ-ONLY POLICIES
We have an additional approach for setting up an AWS Read-Only policy. It uses the AWS managed “ReadOnlyAccess” policy in conjunction with a small supplemental DivvyCloud policy. The benefit is that AWS continuously updates “ReadOnlyAccess” as new services are released, so the policy is easier to attach and maintain; DivvyCloud's small supplemental policy is still required for proper DivvyCloud operation. Note that “ReadOnlyAccess” is broad: beyond configuration metadata it also grants read access to data in many services (for example object reads from S3), so it is wider than the fully enumerated DivvyCloud policy. Organizations with strict least-privilege requirements should weigh that against the maintenance benefit.

  • For customers requiring a fully enumerated read-only policy, that option is still available.
  • For additional information, read Configuring AWS. The specific section detailing the two read-only options is available here.

General Features & Enhancements (21.1.0)

AWS

  • Added Terraform support for AWS DMS Replication Instances and EC2 AMIs within the Infrastructure-as-Code module. [ENG-6235]
  • Added the ability to view/update tags on Cloud Event Rules. [ENG-6142]
  • Added support for three new S3 GuardDuty checks: Discovery:S3/MaliciousIPCaller, Exfiltration:S3/MaliciousIPCaller, and Impact:S3/MaliciousIPCaller. [ENG-6107]
  • Added visibility into AWS Route53 Zones with/without DNSSEC. [ENG-6100]
  • Reworked Application Load Balancer (ALB) harvesting to use boto3 for more efficient harvesting and better support with EDH. [ENG-5964]
  • Added visibility, tag, and delete lifecycle capability for AWS Lightsail instances, relational databases, disks and load balancers. [ENG-5617]
  • Added visibility into AWS Application Gateway resources which are configured to use the Websocket/HTTP protocols. [ENG-5470]

AZURE

  • Added visibility into the Azure Allow Public Access property on Storage Accounts and created a new Insight Storage Account Allows Public Blob Access to audit this. The property is also taken into consideration when evaluating public access for child Blob Containers. [ENG-6197]
  • Added support for Azure Shared Image Galleries. This requires new permissions for the DivvyCloud Standard User Role: “Microsoft.Compute/galleries/read”, “Microsoft.Compute/galleries/images/read”, and “Microsoft.Compute/galleries/images/versions/read”. [ENG-5636]

GCP

  • Added the ability for customers to perform string replacement for Email tags within the actions Send Delayed Email and Send Bulk Email. This can be useful for GCP customers given that Google does not allow the . and @ characters in tags. [ENG-5834]

MULTI-CLOUD/GENERAL

  • Improved BotFactory logging for on-demand scans, specifically when scopes are invalid because of their lifecycle state. [ENG-6255]
  • Administrators can now require a valid authentication session for Infrastructure-as-Code (IaC) scanning by toggling the setting in the System Administration panel. [ENG-6210]
  • Added visibility into Kubernetes Namespaces and their annotations. [ENG-6183]
  • Added visibility into Kubernetes Secrets and a new filter to identify default secrets. [ENG-6182]
  • Added the resource exemption count into the Compliance Scorecard tooltip. [ENG-6102]
  • Added optional SMTP screen to initial admin creation (FTUX) workflow. [ENG-5972]
  • Insight Pack membership is now displayed in the Insight Notes when viewing an Insight. [ENG-5844]
  • Made the Network's Resource Listing column, Instance Count, sortable. [ENG-5820]
  • Modified filter Resource Exposing Specific Ports to look for Egress or Ingress rules for specified ports. [ENG-5785]
  • Customers can now change the look back period when sending themselves information on their billable resource counts. Instead of examining the past 180 days, customers can look back at shorter time periods. [ENG-5756]
  • Credentials are now refreshed during long-running jobs. [ENG-5663]
  • Load Balancer listener configuration information is now included in the CSV export. [ENG-5615]
  • Added Base URL to the FTUX/Onboarding workflow that admins go through as they create their account for the first time. [ENG-5364]

Resources (21.1.0)

AWS

  • We’ve added visibility and tagging support for AWS Virtual Private Gateways, the VPN endpoint on the AWS side of a Site-to-Site VPN or Direct Connect connection that customers use to connect their private co-locations to AWS. This new resource can be accessed from the Resources main page, the Network category, as the new Resource type ‘Virtual Private Gateway’. New permissions required are "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", and "ec2:DescribeVpnGateways". [ENG-6208]
  • We’ve added visibility into AWS Outposts, AWS’ fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. We’ve also included a new filter Resource Running On Cloud Outpost to identify volumes, instances, network interfaces and subnets that are associated with an Outpost. AWS Outpost can be found on the Resources page of the tool, under the category Identity & Management, and the resource type Cloud Outpost. New Permission required: outposts:ListOutposts. [ENG-6040]
  • We’ve added support for AWS Systems Manager Parameter Store, providing secure, hierarchical storage for configuration data management and secrets management. This resource works with these existing filters: Resource Encrypted With Key, Resource Encrypted with Keys Other Than Provider Default, Resource Encrypted with Provider Default Keys, Resource Not Running With Individual Encryption Key, Resource Using Encryption Key Without Rotation Enabled; these new Filters: Stored Parameter is not Encrypted, Stored Parameter has no Expiration, Stored Parameter Expires Soon, Stored Parameter Using Storage Tier; and these new actions: “Delete Resource”, and “Update Tags”. This new resource can be found under the new Resource type Stored Parameters, part of the Storage category. New permission needed: “ssm:DescribeParameters”. [ENG-5719]
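As an added illustration of what the four new Stored Parameter filters and the related Insight evaluate (written for this page, not DivvyCloud's filter code), the following reads parameter metadata in the shape returned by the SSM DescribeParameters API (Name, Type, KeyId, Tier and a Policies list whose PolicyText carries an Expiration timestamp) and reports which conditions each parameter trips. The sample parameters, the reference date and the 30-day "expires soon" window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed DescribeParameters output (Parameters[] entries, trimmed to the
# fields used here).  KeyId "alias/aws/ssm" is the AWS managed key for SSM.
SAMPLE_PARAMETERS = [
    {"Name": "/app/db/password", "Type": "SecureString",
     "KeyId": "alias/aws/ssm", "Tier": "Standard"},
    {"Name": "/app/api/key", "Type": "SecureString",
     "KeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Tier": "Advanced",
     "Policies": [{"PolicyType": "Expiration", "PolicyStatus": "Pending",
                   "PolicyText": json.dumps({"Type": "Expiration", "Version": "1.0",
                                             "Attributes": {"Timestamp": "2021-02-28T00:00:00.000Z"}})}]},
    {"Name": "/app/config/url", "Type": "String", "Tier": "Standard"},
    {"Name": "/app/feature/flags", "Type": "StringList", "Tier": "Advanced",
     "Policies": [{"PolicyType": "Expiration", "PolicyStatus": "Pending",
                   "PolicyText": json.dumps({"Type": "Expiration", "Version": "1.0",
                                             "Attributes": {"Timestamp": "2021-06-01T00:00:00.000Z"}})}]},
]

AWS_MANAGED_SSM_KEY = "alias/aws/ssm"
# Constructed reference date for the evaluation below.
REFERENCE_NOW = datetime(2021, 2, 18, tzinfo=timezone.utc)


def expiration_time(param):
    """Return the Expiration policy timestamp as an aware datetime, or None."""
    for policy in param.get("Policies", []):
        if policy.get("PolicyType") != "Expiration":
            continue
        stamp = json.loads(policy["PolicyText"])["Attributes"]["Timestamp"]
        return datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return None


def is_not_encrypted(param):            # "Stored Parameter is not Encrypted"
    return param.get("Type") != "SecureString"


def has_no_expiration(param):           # "Stored Parameter has no Expiration"
    return expiration_time(param) is None


def expires_soon(param, now, window=timedelta(days=30)):  # "Stored Parameter Expires Soon"
    exp = expiration_time(param)
    return exp is not None and now <= exp <= now + window


def uses_storage_tier(param, tier):     # "Stored Parameter Using Storage Tier"
    return param.get("Tier", "Standard") == tier


def uses_provider_default_key(param):   # "Stored Parameter Encrypted with Provider Default Keys"
    return param.get("Type") == "SecureString" and param.get("KeyId") == AWS_MANAGED_SSM_KEY


def evaluate(params, now, soon_window=timedelta(days=30)):
    """Map each parameter name to the list of conditions it trips."""
    findings = {}
    for p in params:
        hits = []
        if is_not_encrypted(p):
            hits.append("not_encrypted")
        if has_no_expiration(p):
            hits.append("no_expiration")
        if expires_soon(p, now, soon_window):
            hits.append("expires_soon")
        if uses_provider_default_key(p):
            hits.append("default_key")
        findings[p["Name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_PARAMETERS, REFERENCE_NOW).items():
        print(f"{name}: {', '.join(hits) or 'clean'}")
```

Parameter policies, including Expiration, are only available on the Advanced tier, so "has no Expiration" will flag every Standard-tier parameter; pair it with the storage-tier filter when you turn it into a Bot.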

Actions (21.1.0)

AWS

  • Added a new Bot action to enable encryption at rest for AWS SNS topics. [ENG-5965]
  • Expanded the Bot action "Modify Database Attribute" to work with AWS Redshift so that the publicly accessible and enhanced VPC routing actions can be updated. [ENG-5670]

MULTI-CLOUD/GENERAL

  • Added a new Bot action for IAM roles that will remove unknown account/principals from the assume role policy document. [ENG-6211]
  • The action “Mirror Resource Tags From Parent” was updated to allow administrators to supply an optional list of tag keys to restrict which tags are mirrored. [ENG-6209]
  • Expanded the Bot actions “Disable/Enable Deletion Protection” to work with database clusters. [ENG-6103]
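The “remove unknown account/principals” action can be reasoned about with the following added example, written for this page rather than taken from DivvyCloud's Bot implementation. Given a role's trust policy and the set of account IDs you treat as known, it drops AWS principals from other accounts (including the opaque unique IDs such as AIDA…/AROA… that IAM substitutes once a referenced user or role has been deleted) and unconditioned wildcard principals, while leaving Service and Federated principals untouched. It deliberately never edits Deny statements, since removing a principal from a Deny widens access, and it skips statements that carry a Condition (a "*" principal guarded by aws:PrincipalOrgID is a legitimate pattern), reporting them for manual review instead. The trust policy and account IDs are constructed.

```python
import copy
import re

# Matches arn:aws:iam::111122223333:root, ...:role/x, and arn:aws:sts::...:assumed-role/...
ARN_ACCOUNT_RE = re.compile(r"^arn:aws(?:-us-gov|-cn)?:(?:iam|sts)::(\d{12}):")
BARE_ACCOUNT_RE = re.compile(r"^\d{12}$")

# Constructed sample trust policy.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # mixed principals: two known accounts, one foreign user, one deleted principal
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                  "arn:aws:iam::999999999999:user/mallory",
                                  "444455556666",
                                  "AIDAEXAMPLEDELETEDUSER"]},
            "Action": "sts:AssumeRole",
        },
        {   # service principal: not an account, left alone
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
        {   # wildcard constrained by a Condition: flag for review, do not touch
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {   # bare wildcard with no Condition: anyone can assume the role
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sts:AssumeRole",
        },
    ],
}
KNOWN_ACCOUNTS = {"111122223333", "444455556666"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """12-digit account behind an AWS principal string, or None if there is none.

    "*" and unique IDs (AIDA.../AROA..., what IAM shows after the original
    user or role was deleted) carry no account and therefore return None.
    """
    if BARE_ACCOUNT_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def prune_trust_policy(policy, known_accounts):
    """Return (pruned_policy, removed_principals, statement_indexes_to_review)."""
    pruned = copy.deepcopy(policy)
    removed, review, kept = [], [], []
    for index, stmt in enumerate(_as_list(pruned["Statement"])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            kept.append(stmt)           # Deny / NotPrincipal statements: never widen them
            continue
        if "Condition" in stmt:
            review.append(index)        # a Condition may scope a wildcard safely
            kept.append(stmt)
            continue
        if principal == "*":
            removed.append("*")         # open to the world: drop the whole statement
            continue
        aws = principal.get("AWS")
        if aws is not None:
            keep = [p for p in _as_list(aws) if principal_account(p) in known_accounts]
            removed.extend(p for p in _as_list(aws) if p not in keep)
            if keep:
                principal["AWS"] = keep if isinstance(aws, list) else keep[0]
            else:
                del principal["AWS"]
        if principal:                   # Service/Federated entries keep the statement alive
            kept.append(stmt)
    pruned["Statement"] = kept
    return pruned, removed, review


if __name__ == "__main__":
    _, removed, review = prune_trust_policy(SAMPLE_TRUST_POLICY, KNOWN_ACCOUNTS)
    print("removed:", removed)
    print("statements needing review:", review)
```

Apply the result with an update-assume-role-policy call only after confirming the reviewed statements; a wildcard principal with a Condition is the one case where an automated remover is most likely to either break a legitimate cross-account pattern or leave an exposure in place.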

Insights (21.1.0)

With this release, release notes will include our new and enhanced Insights.

ENHANCED INSIGHTS
This list includes Insights which may have been improved or updated in a number of ways, including expanded or refined filters, adjusted/improved logic, expansion to include additional CSPs. For 21.1 this list includes many updates around our support of Oracle Cloud Infrastructure (OCI).

  • Access List Exposes SSH to World (Security Group) - Identify Access Lists (Security Groups) exposing port 22 to the world (0.0.0.0/0)
  • Access List Exposes Windows RDP to World (Security Group) - Identify Access Lists (Security Groups) exposing port 3389 to the world (0.0.0.0/0)
  • Cloud Account Missing Event Rule And Notification For IAM Group Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM Group changes occur
  • Cloud Account Missing Event Rule And Notification For IAM Policy Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM Policy changes occur
  • Cloud Account Missing Event Rule And Notification For IAM User Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM User changes occur
  • Cloud Account Missing Event Rule And Notification For Identity Provider Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when Identity Provider changes occur
  • Cloud Account Missing Event Rule And Notification For Identity Provider Group Mappings Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when Identity Provider Group Mappings changes occur
  • Cloud Account Missing Event Rule And Notification For Network Gateway Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when network gateway changes occur
  • Cloud Account Missing Event Rule And Notification For Network Security Group Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when network security group changes occur
  • Cloud Account Missing Event Rule And Notification For Route Table Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when route table changes occur
  • Cloud Account Missing Event Rule And Notification For Security List Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when security list changes occur
  • Cloud Account Missing Event Rule And Notification For Virtual Cloud Network Changes (Oracle) - Identify cloud accounts that do not have event rules and notifications in place to alert when Virtual Cloud Network (VCN) changes occur
  • Cloud Account Password Policy Age Without Annual Expiration - Identify cloud accounts having a password policy that does not enforce password changes every 365 days or sooner
  • Cloud Account Password Policy Length Too Short - Identify cloud accounts where the defined minimum password length is less than 14 characters
  • Cloud Account With Noncompliant Retention Period (Oracle) - Identify Oracle Cloud Accounts without an Audit Retention Period of 365 days
  • Cloud Account Without Cloud Guard Enabled In Root Compartment (Oracle) - Identify Cloud Accounts without Cloud Guard enabled
  • Cloud Account Without Compartment In Root Tenancy (Oracle) - Identify Oracle Cloud accounts that have no compartments other than the root compartment
  • Cloud Account Without Default Tags Defined At Root Compartment Level (Oracle) - Identify Cloud Accounts without the CreatedOn and CreatedBy default tags defined
  • Cloud User Account Without MFA - Identify cloud user accounts which do not require two-factor authentication
  • Cloud User With Stale API Credentials - Identify cloud users with any API access key older than 90 days which should be rotated
  • Encryption Keys Managed By Customer (CMKs) Not Rotated Annually (Oracle) - Identify CMKs which are older than 365 days and need to be rotated
  • Storage Container Exposed To The Public - Identify storage containers that are exposed to the public

NEW INSIGHTS

  • Cloud Account Missing Event Rule And Notification For IAM Group Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM Group changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For IAM Policy Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM Policy changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For IAM User Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when IAM User changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Identity Provider Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when Identity Provider changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Identity Provider Group Mappings Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when Identity Provider Group Mappings changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Network Gateway Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when network gateway changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Network Security Group Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when network security group changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Route Table Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when route table changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Security List Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when security list changes occur. Supported CSPs: OCI
  • Cloud Account Missing Event Rule And Notification For Virtual Cloud Network Changes - Identify cloud accounts that do not have event rules and notifications in place to alert when Virtual Cloud Network (VCN) changes occur. Supported CSPs: OCI
  • Cloud Account Password Policy Age Without Annual Expiration - Identify cloud accounts having a password policy that does not enforce password changes every 365 days or sooner. Supported CSPs: OCI
  • Cloud Account With Noncompliant Retention Period - Identify Oracle Cloud Accounts without an Audit Retention Period of 365 days. Supported CSPs: OCI
  • Cloud Account Without Cloud Guard Enabled In Root Compartment - Identify Cloud Accounts without Cloud Guard enabled. Supported CSPs: OCI
  • Cloud Account Without Compartment In Root Tenancy - Identify Oracle Cloud accounts that have no compartments other than the root compartment. Supported CSPs: OCI
  • Cloud Account Without Default Tags Defined At Root Compartment Level - Identify Cloud Accounts without the CreatedOn and CreatedBy default tags defined. Supported CSPs: OCI
  • Encryption Keys Managed By Customer (CMKs) Not Rotated Annually - Identify CMKs which are older than 365 days and need to be rotated. Supported CSPs: OCI

AWS: NEW INSIGHTS

  • Stored Parameter Encrypted with Provider Default Keys - Identify stored parameters which are configured to use the provider's default encryption key instead of a Customer Master Key (CMK). Supported CSPs: AWS, AWS Gov, AWS China
  • Stored Parameter is not Encrypted - Identify stored parameters that are not encrypting data at rest. Supported CSPs: AWS, AWS Gov, AWS China

AZURE: NEW INSIGHTS

  • Storage Account Allows Public Blob Access - Identify Storage Accounts with the Azure Allow Public Access property enabled. The property is also taken into consideration when evaluating public access for child Blob Containers. [ENG-6197] Supported CSPs: Azure

Filters (21.1.0)

AWS

  • API Accounting Is/Is Not An Organization Trail - Supports Organization Cloud Trails. [ENG-5966]
  • Launch Configuration References Unknown Image - Supports ASG Launch Configurations referencing an unknown image. [ENG-5966]
  • Resource Running On Cloud Outpost - Supports visibility into AWS Outposts. [ENG-6040]
  • Stored Parameter is not Encrypted - Adds support for AWS Systems Manager Parameter Store. [ENG-5719]
  • Stored Parameter has no Expiration - Adds support for AWS Systems Manager Parameter Store. [ENG-5719]
  • Stored Parameter Expires Soon - Adds support for AWS Systems Manager Parameter Store. [ENG-5719]
  • Stored Parameter Using Storage Tier - Adds support for AWS Systems Manager Parameter Store. [ENG-5719]

AZURE

  • Instance Lifecycle State Exceeds Threshold - Added ResourceHistory support for the deallocated (Azure) virtual machine state. [ENG-6212]

MULTI-CLOUD/GENERAL

  • Container Image Tag Search - New filter that allows users to filter Container Images by tag name. [ENG-5754]
  • Instance Image Age Exceeds Threshold - This enhancement to an existing filter adds the ability to leverage an operator field. [ENG-6104]
  • Instance Metadata Usage Without Token Count - New filter to identify the maximum count of IMDSv1 calls made against the metadata service. [ENG-6101]
  • Resource Contains Tag Key With Empty Value - New filter to identify resources with an empty value for a supplied tag key. [ENG-6184]
  • Resource Exposing Specific Ports - Filter modified to look for Egress or Ingress rules for specified ports. [ENG-5785]
  • Route State - New filter to identify and automate cleanup of blackhole routes. [ENG-6223]

Bug Fixes (21.1.0)

AWS

  • [ENG-6053] Fixed an issue with a missing permission, “lambda:GetFunction”, in the read-only policy to see attached lambda resource-based policies.
  • [ENG-5967] Fixed an issue with a missing permission, “lambda:GetPolicy”, in the read-only policy to see attached lambda resource-based policies.
  • [ENG-6036] This fix hardens AWS application load balancer harvesting to handle load balancer targets without a port.

AZURE

  • [ENG-6155] Fixed a bug that prevented Azure Application Gateways without a public IP from being harvested.
  • [ENG-5939] Fixed bug with filter Load Balancer Without Web Application Firewall Protection that incorrectly identified an Azure Application Gateway as not having a WAF due to missing ResourceLinks.

MULTI-CLOUD/GENERAL

  • [ENG-6283] Fixed the linked visualization within the Cloud Summary view.
  • [ENG-6059] Restored the ability to manage Insight Subscriptions as an organization/domain administrator.
  • [ENG-6051] Reworked Insight and Botfactory executions to reduce their memory consumption, reducing risk of crashes due to memory utilization.
  • [ENG-6045] Fixed a bug during cloud permission check that failed to alert users of certain missing permissions.
  • [ENG-6042] OrphanResourceCleanup now also removes orphaned rows from the InsightPackSubscriptions and Subscriptions tables that are associated with a deleted pack.
  • [ENG-6031] Fixed an issue that prevented basic users from seeing Bot logs.
  • [ENG-6030] Fixed a bug that did not consider the selected resource type when downloading the Insights CSV.
  • [ENG-6028] Fixed a bug with the Access List Rule Source/Destination Network filters failing on multiple inputs with the Not In operator.
  • [ENG-6025] Badges can now be sorted and exported in the Clouds view.
  • [ENG-5851] Fixed the UI falsely showing a success notification when a user without permission attempts to edit/save an Insight; also ensured that insight-admin-entitled users can edit other users’ Insights.
  • [ENG-5585] Fixed a bug that caused the harvest strategy of a new cloud to be set to the default harvest strategy even when another harvest strategy was selected.
  • [ENG-5503] Added a maximum value of 14 to the Database Instance With Zero Connections filter, since only 14 days’ worth of metrics are kept.
  • [ENG-5452] Modification hookpoints are now fired when the permissions are modified for private images and database snapshots.
  • [ENG-5351] Updated the emitted logging format to include the hostname.
  • [ENG-5265] Removed a short flash of the "No Entitlements" message when refreshing the entitlements page.
  • [ENG-4378] Issue fixed: StorageContainers will no longer have a created_date; this is due to discrepancies in the value returned from both AWS and AZURE. (The value can be either the created_date or the last_modified_date.) Filters such as "Resource Age Exceeds" will use the discovered date of the StorageContainer.

Cloud IAM Governance (Access Explorer) Updates - 21.1.0 Major Release (01/20/2021)


The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.1.0)

  • Added backend endpoint in IAM Explorer for returning AWS tag values given a tag key (exact match) and tag value (substring). [ENG-5710]
  • Added ability to filter by AWS tag keys in IAM Access Explorer. [ENG-5708]
  • Added AWS tags as columns to Access Explorer. [ENG-5579]
  • Added filtering by empty, missing, and all tags capability in IAM Access Explorer. [ENG-5961]
  • Added new clickable option 'Explore this Subject' to the roles on the IAM Effective Access page that allows the user to explore that subject. [ENG-5905]
  • Added backend for sorting in IAM columns. [ENG-5837]
  • Added a list of accounts with resources in a given application to the Access Explorer. [ENG-5830]
  • Added a count of distinct accounts with resources in an application to the Access Explorer. [ENG-5829]
  • Added ability to sort some IAM Access Explorer table columns (App, Principal, Resource pages). [ENG-5646]
  • Added Account ID and Account Names to the Access Explorer views. [ENG-5645]
  • Added support for the aws:PrincipalTag condition key with the StringLike operator in policy conditions, now supported and tested for both identity-based and resource-based policies. [ENG-4950]

Divvy Software Release Notice - 21.1.1 Minor Release (01/27/2021)

DivvyCloud's Minor Release 21.1.1 includes an Exemptions update that implements our new design system, as well as some feature enhancements and several bug fixes.


Reminder!

User entitlement support will be deprecated in favor of group-level entitlements beginning with our next major release, anticipated for the end of February 2021. Check out this page for details.


As always, contact us at [email protected] with any questions.

Permissions Required (21.1.1)


Permissions Required

FOR AWS GovCloud Standard (Read-Only) Policy:
"outposts:List*",
"ssm:Describe*"

FOR AWS GovCloud Power User Policy:
"outposts:*"

Note: These AWS GovCloud permissions were mistakenly left out of the v21.1 release notes (01/20/2021). They are required for support of the 21.1 release’s newly added AWS resources Outposts [ENG-6040] and AWS Systems Manager Parameter Store [ENG-5719].

Features & Enhancements (21.1.1)

  • Exemptions have been updated to our new design system. This is the first implementation of this design system, and customers can expect improved UI accessibility with each iteration. You can see details of the changes in the updated Exemptions documentation here. [ENG-3585]
  • DivvyCloud now supports EDH in multiple environments with both environments monitoring the same accounts as Producers, perhaps one as ReadOnly and the other as PowerUser. If you plan on enabling EDH in multiple environments, using the same accounts as Producers, there is some customization required in your deployment. The "fix" is easy, but best done w/ help. Please contact your CSM or support at [email protected].
  • We’ve added Infrastructure-as-Code support for ACM SSL certificates and CodeBuild Projects. [ENG-6321]
  • With this update, the IaC scan results can now differentiate based on system badges to enable better reporting around resources that may have been previously marked as failed rather than ignored (based on cloud type). [ENG-6092]

Bug Fixes (21.1.1)

AWS

  • [ENG-6331] Fixed AWS application gateway harvesting when auto-deployment is enabled.

MULTI-CLOUD/GENERAL

  • [ENG-6311] Fixed: IaC dynamic linking was incorrectly pulling unrelated resources.
  • [ENG-6305] Fixed a bug that would not display the impaired visibility properties of an S3 bucket if the API call s3:GetBucketLocation was blocked using a bucket policy.
  • [ENG-6298] Fixed a bug where a user without permission to perform the action could still click the “add exemption” button. The button is now disabled for users who do not have the appropriate permission.

Divvy Software Release Notice - 21.1.2 Minor Release (01/28/2021)

📘

Release 21.1.2 resolves an issue preventing automation jobs from executing in some circumstances. This issue impacts releases 21.1.0 (01/20/2021) and 21.1.1 (01/27/21) for some customers. We recommend customers take release 21.1.2 for the fix, as well as for access to all of the features and enhancements of 21.1.0 and 21.1.1. Contact your CSM or support at [email protected].

Bug Fixes (21.1.2)

MULTI-CLOUD/GENERAL

  • [ENG-6390] Fixed: An issue preventing automation jobs from executing in some circumstances.

Divvy Software Release Notice - 21.1.3 Minor Release (02/03/2021)

Minor Release 21.1.3 includes two new AWS resources (AWS DataSync Tasks and AWS Storage Gateways) with associated permissions and filters. We include an improved Insights page to clarify resources in violation compared to resources in scope. This release also includes a number of bug fixes.

In addition, for our add-on Cloud IAM Governance module, we have details around one minor enhancement and two bug fixes.

As always, contact us at [email protected] with any questions.

🚧

Reminder!

User entitlement support will be deprecated in favor of group-level entitlements beginning with our next major release, anticipated for the end of February 2021. Check out this page for details.

🚧

Ubuntu Update

We’re upgrading our container’s base OS from Ubuntu 19.x, to 20.x LTS. As a result, a newer minimum version of MySQL is required. The minimum version is fairly old, so the vast majority of customers won’t need to do anything. Skip ahead to details about the Ubuntu update and the MySQL version requirements. As always, contact us at [email protected] with any questions.

New Permissions Required (21.1.3)

🚧

New Permissions Required

FOR AWS Standard User (Read-Only) Policy:
"datasync:DescribeTask",
"datasync:ListTasks",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSMBFileShares",
"storagegateway:ListFileShares"

FOR AWS Power User Policy:
"datasync:*",
"storagegateway:*"

FOR AWS GovCloud Standard User (Read-Only) Policy:
"datasync:Describe*",
"datasync:List*",
"storagegateway:Describe*",
"storagegateway:List*"

FOR AWS GovCloud Power User Policy:
"datasync:*",
"storagegateway:*"

MORE ON NEW AWS PERMISSIONS

  • "datasync:DescribeTask" and "datasync:ListTasks" support the newly added resource AWS DataSync Tasks. [ENG-6416]
  • "storagegateway:DescribeNFSFileShares", "storagegateway:DescribeSMBFileShares", and "storagegateway:ListFileShares" support the newly added AWS resource NFS/SMB File Gateway Share. [ENG-6415]

Features & Enhancements (21.1.3)

AWS

  • Added IaC support for AWS API Gateway/API Gateway V2. Added visibility and tag lifecycle support for AWS API Gateway Stages/API Keys. [ENG-6433]
  • We have added visibility and tag lifecycle support for AWS DataSync Tasks. New permissions required are "datasync:DescribeTask" and "datasync:ListTasks". This new resource can be found on the Resources pages, Storage category, as Data Sync Task. [ENG-6416]
  • We have added support for AWS Storage Gateways, specifically File System (NFS) or Server Message Block (SMB) File Gateway Share. Three new permissions are required: "storagegateway:DescribeNFSFileShares", "storagegateway:DescribeSMBFileShares", and "storagegateway:ListFileShares". Associated new filters are File Share Type, File Share Storage Class, and File Share Client List. This newly supported resource can be found in the Storage category of the Resources page, under the new Resource type ‘File Share’. [ENG-6415]
  • Added visibility into the tag mutability for AWS ECR and added support for IaC. [ENG-6329]

MULTI-CLOUD/GENERAL

  • The Insights page on the UI has an updated display. The column Resource Breakdown now displays #Violations/#In scope. Scoped clouds are now also displayed in tooltips. [ENG-6330]
  • Updated the tooltip for the badge selector on the Clouds page to read “Search for badge key or badge value. Limit of 25 results displayed.” The maximum number of dropdown entries displayed was updated to match. [ENG-6396]
  • We’ve improved the SSL Certificate Expiring Soon filter, allowing results to be filtered using a date range, e.g., 30 to 60 days out. It also allows the results to be active SSL Certificates only. [ENG-6194]

Resources (21.1.3)

AWS

  • We have added visibility and tag lifecycle support for AWS DataSync Tasks. New permissions required are "datasync:DescribeTask" and "datasync:ListTasks". This new resource can be found on the Resources pages, Storage category, as Data Sync Task. [ENG-6416]
  • We have added support for AWS Storage Gateways, specifically File System (NFS) or Server Message Block (SMB) File Gateway Share. Three new permissions are required: "storagegateway:DescribeNFSFileShares", "storagegateway:DescribeSMBFileShares", and "storagegateway:ListFileShares". Associated new filters are File Share Type, File Share Storage Class, and File Share Client List. This newly supported resource can be found in the Storage category of the Resources page, under the new Resource type ‘File Share’. [ENG-6415]

Filters (21.1.3)

AWS

  • Access List Orphaned - This filter is updated to allow users to exclude Security Groups that are referenced by other Security Groups. (Of note, AWS blocks deletion of Security Groups that are referenced by other Security Groups even if they are not being used by an AWS service.) [ENG-6313]
  • File Share Type, File Share Storage Class, and File Share Client List - all three of these filters support the newly supported AWS resource NFS/SMB File Gateway Share. [ENG-6415]
  • SSL Certificate Expiring Soon - We’ve improved this filter, allowing results to be filtered using a date range, e.g., 30 to 60 days out. It also allows the results to be active SSL Certificates only. [ENG-6194]

Bug Fixes (21.1.3)

AZURE

  • [ENG-6422] Fixed a bug that prevented Azure Resource Groups from displaying on the Compliance Scorecard in the resource types dropdown.

MULTI-CLOUD/GENERAL

  • [ENG-6431] Fixed the SSL Certificate Validation Email filter that could return a possible 504.
  • [ENG-6430] Fixed issue where the template Cache hangs on a failing Insight using a bad filter.
  • [ENG-6419] Fixed a bug that prevented a CSV from being downloaded when viewing individual Insights.
  • [ENG-6340] Fixed incorrect operator used for Cloud Account Without Network Watcher enabled for Region filter arguments.
  • [ENG-5957] Fixed a UI bug where a badge scoped Insight view was not loading properly.

Cloud IAM Governance (Access Explorer) Updates - 21.1.3 Minor Release (02/03/2021)

👍

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.1.3)

  • This change introduces a new section in the Access Explorer cache status dropdown which expands to reveal two link-like buttons. The first, View Cache Build Logs, launches a modal that shows a table of the last 30 cache builds and allows you to download that data in XLSX format. The second, Download Debug Data, downloads a JSON file of debug data that the user can inspect and send to support to aid in debugging issues. [ENG-5643]

Cloud IAM Governance Bug Fixes (21.1.3)

  • [ENG-6170] Fixed a bug related to search states persisting in the URL.

Divvy Software Release Notice - 21.1.4 Minor Release (02/10/2021)

Minor Release 21.1.4 includes new resources for AWS (AWS Managed Airflow Environment for Apache Airflow), Azure (Azure Dedicated Hosts and Azure Search Service), and GCP (GCP AI Platform Notebook). We also include the new permissions required for these resources. In addition, this release contains two new filters and three bug fixes.

For our add-on Cloud IAM Governance module, we have details around one new enhancement.

As always, contact us at [email protected] with any questions.

🚧

Reminder!

User entitlement support will be deprecated in favor of group-level entitlements beginning with our next major release, anticipated for the end of February 2021. As of 21.1.4 (02/10/2021), we have deprecated the auto population of user entitlements when new user accounts are registered or updated. Check out this page for details.

New Permissions Required (21.1.4)

🚧

New Permissions Required

FOR AWS Commercial Standard Read-Only Policy:
"airflow:GetEnvironment",
"airflow:ListEnvironments"

FOR AWS Commercial Power-User Policy:
"airflow:*"

FOR AZURE Standard User Role:
"Microsoft.Compute/hostGroups/read",
"Microsoft.Search/searchServices/read"

FOR AZURE Power User Role:
"Microsoft.Search/*"

FOR GCP:
"notebooks.instances.list" - We recommend that you enable Notebooks API in order to gain visibility and access to this GCP service. See Adding a GCP Project through the Google Console Step 3 for details.

MORE ABOUT AWS PERMISSIONS:

  • "airflow:GetEnvironment" and "airflow:ListEnvironments" support the newly added resource AWS Managed Airflow Environment for Apache Airflow. This new resource is not applicable to AWS GovCloud. [ENG-6393]

MORE ABOUT AZURE PERMISSIONS:

  • "Microsoft.Compute/hostGroups/read" supports the added visibility and Infrastructure-as-Code (IAC) support for Azure Dedicated Hosts. [ENG-6471]
  • "Microsoft.Search/searchServices/read" supports the added visibility and lifecycle support for Azure Search Services. [ENG-6535]

MORE ABOUT GCP PERMISSIONS:

  • "notebooks.instances.list" supports added visibility and lifecycle support for GCP AI Notebook Instances (GCP AI Platform Notebook). We recommend that you enable Notebooks API in order to gain visibility and access to this GCP service. See Adding a GCP Project through the Google Console Step 3 for details. [ENG-6436]

Features & Enhancements (21.1.4)

AWS

  • Created new filter Parameter Store with String Type for Resource Type Stored Parameters to identify AWS SSM Parameter Store - Parameter types that are either a String, StringList, or SecureString. [ENG-6482]
  • Added visibility, tag, and EDH support for AWS Managed Airflow Environment for Apache Airflow. This resource can be found on the Resources main page, Compute category, as the resource type Airflow Environment. New permissions "airflow:GetEnvironment" and "airflow:ListEnvironments" are required. You can read more about this AWS resource here. [ENG-6393]

AZURE

  • Added visibility and Infrastructure-as-Code (IAC) support for Azure Dedicated Hosts. New Permission Required: "Microsoft.Compute/hostGroups/read". This new resource can be found under the Compute category of the Resources main page, under the Hypervisor resource type. [ENG-6471]
  • Added visibility and lifecycle support for Azure Search Service, Azure’s cloud search service that provides developers APIs and tools for building content in web, mobile, and enterprise applications. New Filter: Search Cluster Publicly Accessible. New Permission required: "Microsoft.Search/searchServices/read". This new Azure resource can be found on the Resources main page in the Compute category, Search Cluster resource type. [ENG-6353]

GCP

  • Added visibility and lifecycle support for GCP AI Notebook Instances (GCP AI Platform Notebook). New Permission required: "notebooks.instances.list". This resource can be found in the Compute category of the Resources main page under Machine Learning Instance. We recommend that you enable Notebooks API in order to gain visibility and access to this GCP service. See Adding a GCP Project through the Google Console Step 3 for details. [ENG-6436]

MULTI-CLOUD/GENERAL

  • Added a new navigation item, “Dashboard”, to the main navigation. This allows customers to quickly return to the dashboard from any location within the tool. [ENG-6394]
  • Deprecated the auto population of user entitlements when new user accounts are registered or updated. [ENG-6489]
  • Updated our Splunk integration to not require the index/data type. Modern versions of Splunk automatically infer this information based on the HEC configuration supplied. [ENG-6185]

Resources (21.1.4)

AWS

  • Added visibility, tag, and EDH support for AWS Managed Airflow Environment for Apache Airflow. This resource can be found on the Resources main page, Compute category, as the resource type Airflow Environment. New permissions "airflow:GetEnvironment" and "airflow:ListEnvironments" are required. You can read more about this AWS resource here. [ENG-6393]

AZURE

  • Added visibility and Infrastructure-as-Code (IAC) support for Azure Dedicated Hosts. New Permission Required: "Microsoft.Compute/hostGroups/read". This new resource can be found under the Compute category of the Resources main page, under the Hypervisor resource type. [ENG-6471]
  • Added visibility and lifecycle support for Azure Search Service, Azure’s cloud search service that provides developers APIs and tools for building content in web, mobile, and enterprise applications. New Filter: Search Cluster Publicly Accessible. New Permission required: "Microsoft.Search/searchServices/read". This new Azure resource can be found on the Resources main page in the Compute category, Search Cluster resource type. [ENG-6353]

GCP

  • Added visibility and lifecycle support for GCP AI Notebook Instances (GCP AI Platform Notebook). New Permission required: "notebooks.instances.list". This resource can be found in the Compute category of the Resources main page under Machine Learning Instance. We recommend that you enable Notebooks API in order to gain visibility and access to this GCP service. See Adding a GCP Project through the Google Console Step 3 for details. [ENG-6436]

Filters (21.1.4)

AWS

  • Parameter Store with String Type for Resource Type Stored Parameters - New filter identifies AWS SSM Parameter Store - Parameter types that are either a String, StringList, or SecureString. [ENG-6482]

AZURE

  • Search Cluster Publicly Accessible - New filter supports added visibility and lifecycle support for Azure Search Services. [ENG-6535]

Bug Fixes (21.1.4)

AWS

  • [ENG-6477] Fixed an issue with AWS ALB/NLB harvesting setting boolean values to strings.

MULTI-CLOUD/GENERAL

  • [ENG-6488] Included the encryption key resource ID in the API response when pulling notification topics.
  • [ENG-6411] This change appends newly identified accounts to the list of known accounts, thereby eliminating display of duplicate records in the Cloud Account Summary.

Cloud IAM Governance (Access Explorer) Updates - 21.1.4 Minor Release (02/10/2021)

👍

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Enhancement (21.1.4)

  • Added new endpoint that will return the counts of principal resource pairs per account. [ENG-6359]

Divvy Software Release Notice - 21.1.5 Minor Release (02/18/2021)

This minor release 21.1.5 is available for hosted customers on Wednesday February 17, 2021. Availability for self-hosted customers is Thursday February 18, 2021 - if you’re interested in learning more about becoming a hosted customer reach out to [email protected].

Minor Release 21.1.5 includes visibility and support for GCP’s Cloud NAT, as well as feature enhancements for AWS, Azure, and multi-cloud environments. In addition, this release contains 2 new filters, 5 modified (renamed) filters, and multiple bug fixes.

As always, contact us at [email protected] with any questions.

New Permissions Required (21.1.5)

🚧

New Permissions Required

FOR AWS Standard User (Read-Only) Policy:
"cloudwatch:GetMetricData"

FOR AWS DivvyCloud Supplement to AWS ReadOnly Policy:
"airflow:GetEnvironment",
"airflow:ListEnvironments"

FOR GCP:
"compute.routers.list" - This permission is enabled when DivvyCloud’s recommended APIs for GCP are enabled.

MORE ON PERMISSIONS - AWS:

  • "cloudwatch:GetMetricData" - This permission supports the retrieval of Cloudwatch metrics data for Instances, a feature added in an earlier release. Inclusion of this permission here is part of bug fix [ENG-6661].
  • "airflow:GetEnvironment" and "airflow:ListEnvironments" - These permissions should be added to the DivvyCloud Supplement to AWS ReadOnly Policy for users employing DivvyCloud’s IAM read-only policy (Option 1), namely the AWS managed read-only policy in conjunction with DivvyCloud’s Supplement to that policy. These specific permissions support AWS Managed Airflow Environment for Apache Airflow, which was added to DivvyCloud with release 21.1.4; these permissions were added to the explicit read-only policy with the 21.1.4 release. [ENG-6702]

MORE ON PERMISSIONS - GCP:

  • "compute.routers.list" - This permission supports the added visibility and IaC support for GCP Cloud NAT. This permission is enabled when DivvyCloud’s recommended APIs for GCP are enabled. [ENG-6437]
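The read-only permission lists above (21.1.3, 21.1.4 and 21.1.5) are easy to miss when a policy is managed by hand, especially where the GovCloud variants use prefix wildcards such as "datasync:Describe*". The following added example (not DivvyCloud's code; the policy document in it is constructed for illustration) checks an IAM policy document against the required read-only actions from these release notes, matching IAM action names the way IAM does (case-insensitive, with `*` and `?` wildcards) and treating an explicit Deny as overriding an Allow. Statements that use `NotAction` are not evaluated; that is a simplification of this example.

```python
"""Check an IAM policy document for the read-only actions a DivvyCloud
release requires.  Added example, not DivvyCloud's own code."""
import fnmatch
import json

# Actions listed in the 21.1.3, 21.1.4 and 21.1.5 release notes for the
# AWS Standard User (Read-Only) policy and the ReadOnly supplement.
REQUIRED_READ_ONLY_ACTIONS = [
    "datasync:DescribeTask",
    "datasync:ListTasks",
    "storagegateway:DescribeNFSFileShares",
    "storagegateway:DescribeSMBFileShares",
    "storagegateway:ListFileShares",
    "airflow:GetEnvironment",
    "airflow:ListEnvironments",
    "cloudwatch:GetMetricData",
]


def _as_list(value):
    # IAM allows "Action" and "Statement" to be a single value or a list.
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_READ_ONLY_ACTIONS):
    """Return the required actions the policy does not effectively grant.

    An action is granted when some Allow statement matches it and no Deny
    statement matches it.  Statements using NotAction are skipped here.
    """
    allows, denies = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are out of scope for this check
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        bucket.extend(_as_list(stmt["Action"]))

    missing = []
    for action in required:
        granted = any(action_matches(p, action) for p in allows)
        denied = any(action_matches(p, action) for p in denies)
        if denied or not granted:
            missing.append(action)
    return missing


# Constructed sample: a GovCloud-style read-only policy that already carries
# the 21.1.3 wildcards and the 21.1.5 CloudWatch action, but not the 21.1.4
# Airflow actions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "datasync:Describe*",
        "datasync:List*",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}
""")


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```

Run it against the exported JSON of the policy attached to the DivvyCloud role; an empty result means every listed action is covered. The same `missing_actions` call can be pointed at the Power User list by passing a different `required` list.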

Features & Enhancements (21.1.5)

AWS

  • Updated the Bot action “Publish To Cloud Topic” that publishes messages to cloud topics such as AWS SNS to no longer require the target topic to be known within the installation when the application role (Assume Role) feature is enabled. [ENG-6648]
  • Added a new Filter Parameter Store with String Type for Resource Type Stored Parameters to identify AWS SSM Parameter Store - Parameter types that are either a String, StringList, or SecureString. [ENG-6482]
  • Renamed all AWS Stored Parameter filters to follow standard filter naming conventions [ENG-6577]:
    • Stored Parameter Expires Soon renamed as Stored Parameter Expires Soon (AWS Only) - Identifies Parameter Store parameters that will expire soon.
    • Stored Parameter has no Expiration renamed as Stored Parameter No Expiration (AWS Only) - Identifies Parameter Store parameters that do not expire.
    • Stored Parameter is not Encrypted renamed as Stored Parameter Not Encrypted (AWS Only) - Identifies Parameter Store parameters that are not encrypted.
    • Stored Parameter String Type renamed as Stored Parameter String Type (AWS Only) - Identifies Parameter Store parameters that have a specific string type.
    • Stored Parameter Using Storage Tier renamed as Stored Parameter Storage Tier (AWS Only) - Identifies Parameter Store parameters that are using a specific storage tier.

AZURE

  • Added Infrastructure-as-Code (IaC) support for Azure Kubernetes Clusters and Container Registries. [ENG-6470]
  • Added IaC support for Azure MySQL/PostgreSQL/MariaDB/SQL Database Instances. [ENG-6456]

GCP

  • Added visibility and IaC support for GCP Cloud NAT. New Filter: NAT Gateway Without Logging Enabled. New Permission: "compute.routers.list". This new resource can be found on the Resources main page, Network category, under the resource type NAT Gateway. [ENG-6437]

MULTI-CLOUD/GENERAL

  • Simplified workflow in creating basic users and aligning them to user groups. [ENG-6578]
  • Added the ability to customize the status codes sent back when IaC scans are triggered via the API. [ENG-6566]
  • Enhanced the Insight cloud filtering to only show grayscale when a cloud is selected; this now matches cloud icon status in Insights Library with active scope. [ENG-6512]
  • Included the encryption key resource ID in the API response when pulling notification topics. [ENG-6507]
  • Added a new db table to track the IaC resources that we support across each major cloud. [ENG-6421]

Resources (21.1.5)

GCP

  • Added visibility and IaC support for GCP Cloud NAT. New Filter: NAT Gateway Without Logging Enabled. New Permission: "compute.routers.list". This new resource can be found on the Resources main page, Network category, under the resource type NAT Gateway. [ENG-6437]

Actions (21.1.5)

AWS

  • “Publish To Cloud Topic” - This Bot action, that publishes messages to cloud topics such as AWS SNS, was updated to no longer require the target topic to be known within the installation when the application role (Assume Role) feature is enabled. [ENG-6648]

Filters (21.1.5)

AWS

  • Parameter Store with String Type for Resource Type Stored Parameters - Identifies AWS SSM Parameter Store - Parameter types that are either a String, StringList, or SecureString. [ENG-6482]
  • The following filters are renamed from existing AWS Stored Parameter filters to follow standard filter naming conventions [ENG-6577]:
    • Stored Parameter Expires Soon (AWS Only) renamed from Stored Parameter Expires Soon - Identifies Parameter Store parameters that will expire soon.
    • Stored Parameter No Expiration (AWS Only) renamed from Stored Parameter has no Expiration - Identifies Parameter Store parameters that do not expire.
    • Stored Parameter Not Encrypted (AWS Only) renamed from Stored Parameter is not Encrypted - Identifies Parameter Store parameters that are not encrypted.
    • Stored Parameter String Type (AWS Only) renamed from Stored Parameter String Type - Identifies Parameter Store parameters that have a specific string type.
    • Stored Parameter Storage Tier (AWS Only) renamed from Stored Parameter Using Storage Tier - Identifies Parameter Store parameters that are using a specific storage tier.

GCP

  • NAT Gateway Without Logging Enabled - Supports the added visibility and IaC support for GCP Cloud NAT. [ENG-6437]

Bug Fixes (21.1.5)

AWS

  • [ENG-6671] Added ETL Data Catalog and Security Config resource support for filter Resource In Region.
  • [ENG-6661] Added missing permission "cloudwatch:GetMetricData" to retrieve Cloudwatch metrics data for Instances.
  • [ENG-6649] Fixed a bug that did not display replicated regions for AWS DynamoDB tables which were using Global Table Version 2019.11.21.
  • [ENG-6467] Fixed a bug that would not process EDH tag changes for AWS IAM Users/Roles.
  • [ENG-6465] Improved handling of S3 IaC plans which have an empty logging configuration.

AZURE

  • [ENG-6605] Updated the filter Cache Instance Exposed To The Public (Azure Only) to not include Redis Cache instances which are associated with a Virtual Network (VNet) since they do not have a public IP.
  • [ENG-5983] Fixed a bug in the filter Resource Has Azure Lock that would not yield the correct results when the Not In option was enabled.
  • [ENG-5815] Disabled tag support for Azure serverless functions since they can't have tags.

GCP

  • [ENG-6327] Fixed role_arn not being populated for GCP org clouds.

MULTI-CLOUD/GENERAL

  • [ENG-6514] Fixed a bug that did not show the pod count value when viewing Kubernetes Container Instances within the resources section.
  • [ENG-6297] Fixed an issue where the Resource Tags Do Not Mirror Parent filter returned resources that have no parent.

Cloud IAM Governance (Access Explorer) Updates - 21.1.5 Minor Release (02/18/2021)

👍

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.1.5)

  • Added an access level dropdown that allows the user to fine tune exploration of the IAM relationships between their resources by allowing them to optionally show principals that do and do not have access to the primary subject currently being inspected. [ENG-5929]

Cloud IAM Governance Bug Fixes (21.1.5)

  • [ENG-6557] Fixed a display bug in Access Explorer resource panel.
  • [ENG-6531] Fixed a bug related to selecting "Explore this <subject>" from the Access Explorer breadcrumbs.