21.2 Release Notes

2 months ago by Mary Whaley

Latest 21.2 Release

Release Availability

Our latest minor release 21.2.6 is available for hosted customers on Wednesday March 31, 2021. Availability for self-hosted customers is Thursday April 1, 2021 - if you’re interested in learning more about becoming a hosted customer reach out to [email protected]

Long-running Schema Update

As part of the v21.2/21.2.x release(s), the scheduler will need to process a large schema update. THIS OPERATION WILL TAKE APPROXIMATELY 20 MINUTES TO COMPLETE.

Example scheduler log output:

INFO Performing DB upgrade
INFO Found [4] database migrations to run for [divvy].
INFO Executing [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/20_7_add_consumer_type.sql]
INFO Executing [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/21_1_create_iam_action_table.sql]
INFO Executing [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/21_1_set_string_policies_to_null.sql]
INFO Executing [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/21_2_add_scheduled_event_type_idx]
INFO Creating missing DB [divvy_iac]
INFO Running rollup [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/rollup.sql]
THIS OPERATION WILL TAKE APPROX 20M ---> INFO Executing [/usr/local/lib/python3.8/dist-packages/divvycloud_divvydb/rollup.sql]
INFO Found [52] database migrations to run for [divvy_iac]

Release Highlights (21.2.6)

DivvyCloud is pleased to announce Minor Release 21.2.6. This minor release includes a couple of bug fixes.

Skip ahead to review the details for the general release. As always, contact us at [email protected] with any questions.

With the 21.2.5 release, many of our filters may display as “updated” for minor changes around naming. This behavior is the result of applying a stricter naming convention to our existing filters to make them more concise, as well as easier to find and understand. In many cases, the change is trivial, e.g., Container Log Driver (AWS Only) changed to Container Log Driver (AWS). Reach out if you have any questions about this: [email protected].

Important Updates & Reminders

User & Group Entitlement Support
As of release 21.2.3, user entitlement support has been deprecated in favor of group-level entitlements. The user/personal entitlements feature has been completely removed. Entitlements now are managed only through Basic User Groups. Check out this page for details.

EDH in Multiple Environments
DivvyCloud now supports EDH in multiple environments with both environments monitoring the same accounts as Producers, perhaps one as ReadOnly and the other as PowerUser. If you plan on enabling EDH in multiple environments, using the same accounts as Producers, there is some customization required in your deployment. The "fix" is easy, but best done with help. Contact your CSM or support.

For details or assistance with any of the items specified above contact us at [email protected].

Table of Contents

Major Release 21.2.0 (02/24/2021)
Minor Release 21.2.1 (02/25/2021)
Minor Release 21.2.2 (03/03/2021)
Minor Release 21.2.3 (03/10/2021)
Minor Release 21.2.4 (03/17/2021)
Minor Release 21.2.5 (03/24/2021)
Minor Release 21.2.6 (03/31/2021)

The following are updates related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module:

Cloud IAM Governance (Access Explorer) - 21.2 Major Release (02/24/2021)
Cloud IAM Governance (Access Explorer) - 21.2.2 Minor Release (03/03/2021)
Cloud IAM Governance (Access Explorer) - 21.2.3 Minor Release (03/10/2021)
Cloud IAM Governance (Access Explorer) - 21.2.4 Minor Release (03/17/2021)

Divvy Software Release Notice - 21.2.0 Major Release (02/24/2021)

New Permission Required (21.2.0)

New Permission Required

FOR AZURE:
"Microsoft.DataFactory/factories/read" for the Standard User role

"Microsoft.DataFactory/*" for the Power User role

MORE ON NEW PERMISSION REQUIRED:
"Microsoft.DataFactory/factories/read" supports the newly added resource Azure Data Factory. [ENG-6448]

Features & Enhancements (21.2.0)

IaC
We have substantially improved the performance of Infrastructure as Code (IaC) scan times. Customers should expect to see up to a 500% reduction in overall scan times. These changes should be transparent for most customers running DivvyCloud on AWS, as the default user provisioned for RDS has root level permissions and can create/modify existing and new database schemas. In addition, improvements include the separation of the data schema, allowing simulation scans to avoid impact by table locks and row level operations that can sometimes create delays.

AZURE

  • Beginning with 21.2.0 DivvyCloud includes support for adding multiple Azure clouds/accounts by taking advantage of the Azure Management Groups functionality. To learn more about this feature and access details on setting it up, refer to our documentation here. [ENG-6509]
  • Added visibility and IaC support for Azure Data Factory. This new resource is found under the Storage category of the Resources main page, under the new resource type Data Factory. New Filters: Data Factory Supports Public Network Access and Data Factory Uses Provider Managed Encryption. New Permission required: "Microsoft.DataFactory/factories/read". [ENG-6448]

MULTI-CLOUD/GENERAL

  • Added a new Bot action “Detach Cloud Policy” to detach a cloud policy from users, groups and roles. [ENG-4798]
  • Expanded the Bot action “Database Instance Stop/Start By Tag Value” to work with database clusters. [ENG-6629]
  • Added a table index that improves the time taken to render the Bots listing. [ENG-6750]

New Resource (21.2.0)

AZURE

  • Added visibility and IaC support for Azure Data Factory. This new resource is found under the Storage category of the Resources main page, under the new resource type Data Factory. New Filters: Data Factory Supports Public Network Access and Data Factory Uses Provider Managed Encryption. New Permission required: "Microsoft.DataFactory/factories/read". [ENG-6448]

Actions (21.2.0)

MULTI-CLOUD/GENERAL

  • Added a new Bot action “Detach Cloud Policy” to detach a cloud policy from users, groups and roles. [ENG-4798]
  • “Database Instance Stop/Start By Tag Value” - This Bot action was expanded to work with database clusters. [ENG-6629]

Insights (21.2.0)

AWS

  • Airflow Environment Allows Public Web Server Access - Identifies Airflow Environments by their access mode set to public. Applies to: AWS (not China or GovCloud).
  • Airflow Environment Without Proper Logging Configuration - Identifies Airflow Environments based on their logging configuration. Applies to: AWS (not China or GovCloud).
  • File Share Has Allowed Clients Set To 0.0.0.0/0 - Matches NFS File Shares by the client list source network set to 0.0.0.0/0. Applies to: AWS, AWS China, AWS GovCloud.
  • Kubernetes Cluster Engine Logging Disabled - Identifies Kubernetes cluster engines with logging disabled. Applies to: AWS, AWS China, AWS GovCloud.

AZURE

  • Storage Account not using Customer Master Key (CMK) - Matches Storage Accounts that are encrypted using provider default keys. Applies to: Azure, Azure China, Azure Gov.

GCP

  • NAT Gateway Without Logging Enabled - Matches NAT Gateways which are not logging. Applies to: GCP.

Filters (21.2.0)

AZURE

  • Data Factory Supports Public Network Access - Supports newly added resource Azure Data Factory. [ENG-6448]
  • Data Factory Uses Provider Managed Encryption - Supports newly added resource Azure Data Factory. [ENG-6448]

Bug Fixes (21.2.0)

AWS

  • [ENG-6604] Added tag visibility and lifecycle support for AWS CloudWatch Log Groups.

MULTI-CLOUD/GENERAL

  • [ENG-6507] Included the encryption key resource ID in the API response when pulling notification topics.

Cloud IAM Governance (Access Explorer) Updates - 21.2.0 Major Release (02/24/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.
Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.2.0)

  • The page title is now clickable, and returns you to the root of the Access Explorer. [ENG-6658]
  • Improved performance of loading Access Explorer. [ENG-6765]

Divvy Software Release Notice - 21.2.1 Minor Release (02/25/2021)

The single item in this minor release is a fix for an edge case in which Insight creation was broken for customers who had never run an IaC scan, as well as for new installations of DivvyCloud. [ENG-6838]

Divvy Software Release Notice - 21.2.2 Minor Release (03/03/2021)

Minor Release 21.2.2 includes added visibility into the Viewer Protocol Policy for AWS CloudFront as well as support for AWS API Gateway Domain. This release also includes new and updated Bot actions and filters, as well as a number of bug fixes.

As always, contact us at [email protected] with any questions.

Features & Enhancements (21.2.2)

AWS

  • Added two new filters, Notification Subscription To Unapproved Email Domain and Notification Subscription To Unknown Endpoint (AWS), for Notification Subscriptions to identify subscriptions which are configured to send to an unknown/unapproved endpoint. [ENG-6761]
  • Added visibility into the Viewer Protocol Policy for AWS CloudFront resources. [ENG-6636]
  • Updated the filter Serverless Function By Runtime Language with additional runtime options such as NodeJS 14.x. [ENG-6554]
  • Enhanced the Bot action "Modify Elasticsearch Instance Attribute" to include the ability to change Elasticsearch encryption at rest/in transit configuration. Note: this action will only work on AWS Elasticsearch Domains running version 6.7 or greater. [ENG-6403]
  • Added visibility and IaC support for API Gateway Domains. We’ve added a new Filter: Application Gateway Domain TLS Version. No new permissions are required. This new resource can be found on the Resources main page, Network category, Application Gateway Domain resource type. [ENG-1967]
  • Updated the Bot action “Update Content Delivery Network Attributes” to support Jinja2 templating for the S3 bucket name and bucket prefix. New Filter: Content Delivery Network Viewer Protocol Policy. [ENG-6785]

AZURE

  • Added a new filter Web Apps With HTTP2 Required to identify Azure Web Applications based on whether or not HTTP2 is required. [ENG-6715]
  • Added new Bot action, “Mirror Resource Tags From Parent Resource Group (Azure)”. This new action, which is exclusively for Microsoft Azure resources, can be used to mirror the tags assigned to the parent resource group with the child resources contained within. This is a great action to maintain tag consistency across your Azure cloud footprint. [ENG-5630]
  • Updated the existing notification actions “Scheduled Email” and “Send Bulk Email” with a new Azure-specific option, “Pull Tags From Parent Resource Group (Azure Only)”. This option can be used to pull tag values from the parent resource group to use for dynamic notification. As an example, if you want to send the Email to the owner of a compute instance, and the instance is not tagged with the owner Email, this new option can pull the Owner value from the parent resource group. [ENG-5630]

MULTI-CLOUD/GENERAL

  • Added the "Not In" option to the query filter Resource Encrypted With Key. [ENG-6762]
  • A new 'download report as HTML' link has been added under IaC > Scan > Scan details, which allows users to download a finished IaC scan report in HTML format. [ENG-5653]

Resources (21.2.2)

AWS

  • Added visibility and IaC support for API Gateway Domains. We’ve added a new Filter: Application Gateway Domain TLS Version. No new permissions are required. This new resource can be found on the Resources main page, Network category, Application Gateway Domain resource type. [ENG-1967]

Actions (21.2.2)

AWS

  • “Modify Elasticsearch Instance Attribute" - This action was enhanced to include the ability to change Elasticsearch encryption at rest/in transit configuration. Note: this action will only work on AWS Elasticsearch Domains running version 6.7 or greater. [ENG-6403]
  • “Update Content Delivery Network Attributes” - Updated this Bot action to support Jinja2 templating for the S3 bucket name and bucket prefix. [ENG-6785]

AZURE

  • “Mirror Resource Tags From Parent Resource Group (Azure)” - This new action, which is exclusively for Microsoft Azure resources, can be used to mirror the tags assigned to the parent resource group with the child resources contained within. This is a great action to maintain tag consistency across your Azure cloud footprint. [ENG-5630]
  • “Scheduled Email” and “Send Bulk Email” - These existing notification actions have been updated with a new Azure-specific option, “Pull Tags From Parent Resource Group (Azure Only)”. This option can be used to pull tag values from the parent resource group to use for dynamic notification. As an example, if you want to send the Email to the owner of a compute instance, and the instance is not tagged with the owner Email, this new option can pull the Owner value from the parent resource group. [ENG-5630]

Filters (21.2.2)

AWS

  • Application Gateway Domain TLS Version - New filter supports added visibility and IaC support for API Gateway Domains. [ENG-1967]
  • Notification Subscription To Unapproved Email Domain - New filter for Notification Subscriptions to identify subscriptions which are configured to send to an unknown/unapproved endpoint. [ENG-6761]
  • Notification Subscription To Unknown Endpoint (AWS) - New filter for Notification Subscriptions to identify subscriptions which are configured to send to an unknown/unapproved endpoint. [ENG-6761]
  • Serverless Function By Runtime Language - This filter was updated with additional runtime options such as NodeJS 14.x. [ENG-6554]
  • Update Content Delivery Network Attributes - Updated this Bot action to support Jinja2 templating for the S3 bucket name and bucket prefix. [ENG-6785]

AZURE

  • Web Apps With HTTP2 Required - Added a new filter to identify Azure Web Applications based on whether or not HTTP2 is required. [ENG-6715]

MULTI-CLOUD/GENERAL

  • Content Delivery Network Viewer Protocol Policy - This new filter supports the updated Bot action “Update Content Delivery Network Attributes” to support Jinja2 templating for the S3 bucket name and bucket prefix. [ENG-6785]
  • Resource Encrypted With Key - Added the "Not In" option to this query filter. [ENG-6762]

Bug Fixes (21.2.2)

AWS

  • [ENG-6883] Fixed an AWS issue where the new region ap-northeast-3 lacked support for some resource types.
  • [ENG-6826] Fixed a GuardDuty harvesting bug for AWS GovCloud.
  • [ENG-6810] Fixed a bug that prevented resource dependencies from being accessible for AWS Build Projects.
  • [ENG-6710] Fixed a bug that would not process EDH tag changes for AWS IAM Users/Roles.

AZURE

  • [ENG-6864] Fixed a bug that caused an attribute error when harvesting Azure Database Instances.
  • [ENG-6814] Fixed a bug that caused a runtime error when harvesting Azure Threat Findings.

Cloud IAM Governance (Access Explorer) Updates - 21.2.2 Minor Release (03/03/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.
Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.2.2)

Improved support for condition statements within the access explorer as follows:

  • Added support for conditionals in SCPs, Resource Policies, and Permission Boundaries
  • Added support for multiple conditionals in all policy types
  • Added support for unsupported context keys
  • Added support for multiple values in a conditional (e.g., ForAnyValue, ForAllValues)
    [ENG-6866]

Divvy Software Release Notice - 21.2.3 Minor Release (03/10/2021)

In DivvyCloud's Minor Release 21.2.3, user-level entitlement support has been deprecated in favor of group-level entitlements. With the removal of user-level entitlements, all entitlements are now managed through Basic User Groups (details are linked below). This minor release also features our newest approach to Event-Driven Harvesting, known as Org-Level or CloudTrail EDH, which provides a new method for AWS users to implement EDH. Further, we have added support for Azure's Databricks Workspace. We have also updated the icon for our Bot Creation feature, removing the wrench icon and replacing it with a more recognizable context menu. In addition, this minor release includes several other feature enhancements, numerous bug fixes, and 2 new filters.

New Permissions Required (21.2.3)

New Permissions Required

FOR AZURE:
"Microsoft.Databricks/workspaces/read" for the Standard User role
"Microsoft.Databricks/*" for the Power User role

MORE ON NEW PERMISSIONS

  • "Microsoft.Databricks/workspaces/read" - This new permission is required for our added support of Azure’s Databricks Workspace. [ENG-6450]

Features & Enhancements (21.2.3)

AWS

  • Beginning with 21.2.3 DivvyCloud includes support for Org-Level or CloudTrail EDH. Our newest approach to Event-Driven Harvesting behaves in the same way as our existing EDH, with two key differences: speed and maintenance. Org-Level EDH retrieves information in approximately 10-15 minute intervals and does not require additional manual configuration when new cloud accounts are added. Review our documentation here.
  • Added the ability to disable a cloud user account and their API keys directly from the tool. Users can now open the Cloud User Resource Type to view actions and access the new "Disable User" button. (This capability applies only to AWS). [ENG-6409]
  • Added Query Filter Virtual Private Gateway Attachment Status for AWS Virtual Private Gateways. [ENG-6280]

AZURE

  • We have added support for Azure’s Databricks Workspace, an environment for accessing all Databricks assets. A new permission is required for this support: "Microsoft.Databricks/workspaces/read". A new filter is also available: Data Factory Uses Provider Managed Encryption. This new resource can be found under the Storage category, Databricks Workspace resource type. [ENG-6450]

MULTI-CLOUD/GENERAL

  • As of this release, all entitlements are managed through Basic User Groups. We’ve removed references to User Entitlements within the Identity Management section of the product and renamed the Roles section Basic User Roles. Check out this page for details. [ENG-6811]
  • Implemented Basic User Entitlements for the IaC component. [ENG-6228]
  • A “Create Bot” button replaces the wrench icon for creating a Bot. [ENG-4852]

Resources (21.2.3)

AZURE

  • We have added support for Azure’s Databricks Workspace, an environment for accessing all Databricks assets. A new permission is required for this support: "Microsoft.Databricks/workspaces/read". A new filter is also available: Data Factory Uses Provider Managed Encryption. This new resource can be found under the Storage category, Databricks Workspace resource type. [ENG-6450]

Filters (21.2.3)

AWS

  • Virtual Private Gateway Attachment Status - This new filter supports AWS Virtual Private Gateways. [ENG-6280]

AZURE

  • Data Factory Uses Provider Managed Encryption - This new filter supports Azure’s Databricks Workspace. [ENG-6450]

Bug Fixes (21.2.3)

AZURE

  • [ENG-6819] Fixed a bug in the Azure InstanceInterfaceIP harvester.

MULTI-CLOUD/GENERAL

  • [ENG-6889] Fixed messaging around IaC scans.
  • [ENG-6501], [ENG-6497] Fixed two bugs concerning improperly saving Insights and scopes.
  • [ENG-5748] Fixed messaging around filters that allow wildcard searches, clarifying that only one wildcard at a time can be used.

Cloud IAM Governance (Access Explorer) Updates - 21.2.3 Minor Release (03/10/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.
Contact us at [email protected] with any questions.

Cloud IAM Governance Feature/Enhancement (21.2.3)

  • Improved UX and system communication. Changes to settings necessitating a cache rebuild will generate a dialog prompting a user to rebuild the cache. [ENG-6000, ENG-5568]

Divvy Software Release Notice - 21.2.4 Minor Release (03/17/2021)

DivvyCloud's Minor Release 21.2.4 includes Just-in-time (JIT) provisioning support for both SAML and LDAP. JIT enables the creation and management of user data through external tools and allows synchronization for all user data with DivvyCloud. In addition, this minor release includes several other feature enhancements, numerous bug fixes, 2 new filters, and 3 filter enhancements.

Features & Enhancements (21.2.4)

Just-in-Time (JIT) Provisioning
DivvyCloud Just-in-Time Provisioning provides the capability to synchronize users and groups from an external Identity Provider (IdP) authentication server such as Okta, LDAP, Ping, or Microsoft's Active Directory. DivvyCloud groups are mapped to corresponding groups on the authentication server, and the membership of each mapped DivvyCloud group is synchronized with that of its counterpart on the authentication server. Read more about the feature and the setup here.

AWS

  • We are surfacing more information about AWS Cloud Alarms. Specifically, we are surfacing in resource listing and details the Alarm description, which may hold useful Alarm information, and the Metric Name, which is the name of the metric the Alarm monitors. [ENG-6865]
  • We added a new filter Container Image Finding Count to identify container images by their finding count. [ENG-6949]
  • Added Filter/Insight to assert on S3 cross-region replication. Added the following options to the filter Storage Container Replication: Enabled With Full Bucket Replication, Enabled Without Full Bucket Replication, Enabled With Prefix or Tag Replication, Enabled Without Prefix or Tag Replication, Enabled With AWS KMS Replication, and Enabled Without AWS KMS Replication. Added new filter Storage Container Replication Target Bucket to filter out resources that don't have the bucket name in the replication rule using the Replication Target Bucket Name value. [ENG-4073]

MULTI-CLOUD/GENERAL

  • Added the Database Cluster and Database resource types to the filter Resource Is Not Encrypted. [ENG-7055]
  • The transit encryption property and value are now accessible within the Resources view for database instances. [ENG-7054]
  • Expanded the filter Instance Security Group Count to work with Big Data, Replication, Elasticsearch, and Cache instances. [ENG-6995]
  • User Insight Pack pagination and sort settings are now persisted between sessions. [ENG-6948]
  • We’ve added the ability to generate long-term API tokens from the user profile view for users with the appropriate permissions. We’ve also introduced the capability to toggle this ability on/off for users who are not domain/organization administrators. [ENG-6417]
  • Diagnostics now include worker health. [ENG-5005]

Filters (21.2.4)

AWS

  • Container Image Finding Count - New filter to identify container images by their finding count. [ENG-6949]
  • Storage Container Replication - Added the following options to this filter to assert on S3 cross-region replication [ENG-4073]:
    • Enabled With Full Bucket Replication
    • Enabled Without Full Bucket Replication
    • Enabled With Prefix or Tag Replication
    • Enabled Without Prefix or Tag Replication
    • Enabled With AWS KMS Replication
    • Enabled Without AWS KMS Replication
  • Storage Container Replication Target Bucket - New filter to filter out resources that don't have the bucket name in the replication rule using the Replication Target Bucket Name value. [ENG-4073]

MULTI-CLOUD/GENERAL

  • Instance Security Group Count - This filter was expanded to work with Big Data, Replication, Elasticsearch and Cache instances. [ENG-6995]
  • Resource Is Not Encrypted - This filter was enhanced by adding the Database Cluster and Database resource types to the filter. [ENG-7055]

Bug Fixes (21.2.4)

AWS

  • [ENG-7049] Fixed an edge case that resulted in intermittent processing of the AssociateIamInstanceProfile / DisassociateIamInstanceProfile events.
  • [ENG-7043] Fixed a bug that prevented AWS Storage Gateway file shares from being harvested.

AZURE

  • [ENG-6822] Fixed an issue where an Azure snapshot in a failed state may incorrectly report disk size.

MULTI-CLOUD/GENERAL

  • [ENG-7036] Fixed a bug with IaC analysis that wouldn't properly link all IAM policy attachments.
  • [ENG-6586] Improved handling for MySQL operational errors in InsightCache.

Cloud IAM Governance (Access Explorer) Updates - 21.2.4 Minor Release (03/17/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.
Contact us at [email protected] with any questions.

Cloud IAM Governance Feature Enhancements (21.2.4)

  • Made performance improvements to IAM cache build. [ENG-6870, ENG-6777]
  • Made an enhancement to allow scheduling periodic jobs to run at a particular time via an environment variable such as DIVVY_SCHEDULE_REFRESHIAMDATA=02:15. [ENG-6406]

Cloud IAM Governance Bug Fixes (21.2.4)

  • [ENG-6771] Fixed a bug with the tag key column select functionality when the server times out.

Divvy Software Release Notice - 21.2.5 Minor Release (03/24/2021)

DivvyCloud's Minor Release 21.2.5 includes support for AWS CloudWatch Logs Destinations and Azure Synapse. It also includes additional feature enhancements, new and enhanced filters, as well as many bug fixes.

As always, contact us at [email protected] with any questions.

With the 21.2.5 release, many of our filters may display as “updated” for minor changes around naming. This behavior is the result of applying a stricter naming convention to our existing filters to make them more concise, as well as easier to find and understand. In many cases, the change is trivial, e.g., Container Log Driver (AWS Only) changed to Container Log Driver (AWS). Reach out if you have any questions about this: [email protected].

New Permissions Required (21.2.5)

New Permissions Required: AWS

FOR AWS Standard (Read-Only) Users:
"logs:DescribeDestinations",
"waf:ListLoggingConfigurations"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional DivvyCloud policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS Standard User (read-only) Policy - Option 1.

MORE ON AWS PERMISSIONS:

  • "logs:DescribeDestinations" supports AWS CloudWatch Logs Destinations. [ENG-5546]
  • "waf:ListLoggingConfigurations" adds a missing permission needed for the CFT reference file. [ENG-7142]

New Permission Required: Azure

FOR AZURE Standard (Read-Only) Users:
"Microsoft.Synapse/workspaces/read"

FOR AZURE Power Users:
"Microsoft.Synapse/*"

MORE ON AZURE PERMISSION:

  • "Microsoft.Synapse/workspaces/read" supports the newly added resource Azure Synapse. [ENG-5990]

User Interface Updates (21.2.5)

  • We now show a loading spinner when fetching the Insight options while editing/creating an IaC configuration. [ENG-6975]
  • With the addition of Azure’s Synapse, Azure’s resource SQL Database/SQL Data Warehouse is now renamed SQL Database/Dedicated SQL Pool, which can still be found in our tool under the Compute category, Database resource type. Synapse is found under the Compute category, Big Data Workspace resource type. [ENG-5990]

Features & Enhancements (21.2.5)

AWS

  • We’ve added support for AWS CloudWatch Logs Destinations, a resource allowing you to specify CloudWatch Logs destinations. A new permission is required: "logs:DescribeDestinations". This new resource can be found under the resource Identity & Management category, as a Cloud Search Index resource type. [ENG-5546]
  • We have added two new filters, Cloud Policy With Negation Key (AWS) and Cloud Role Using Policy With Negation Key (AWS). These filters identify cloud policies and roles that use policies – attached and inline – with two discouraged negation keys, i.e., "NotAction" and "NotResource". While there are valid use cases for those keys in policies, they are generally discouraged. [ENG-6892]
  • We’ve added a new filter Load Balancer with HTTP listener not redirecting to HTTPS to show load balancers containing HTTP listeners that are not redirecting to HTTPS. [ENG-6555]

AZURE

  • We’ve added support for Azure Synapse, Azure’s analytics service that combines “enterprise data warehousing and Big Data analytics”. (You can read more about Azure Synapse here.) This new resource requires the new permission "Microsoft.Synapse/workspaces/read". New filters: Big Data Workspace With Double Encryption Enabled, Big Data Workspace With Double Encryption Disabled, and Big Data Workspace Publicly Accessible. This new resource can be found on our main Resources page under the Compute category and the new Resource type Big Data Workspace. Note: Azure’s resource SQL Database/SQL Data Warehouse can still be found in our tool under the Compute category, as a Database resource type; it is now renamed SQL Database/Dedicated SQL Pool. [ENG-5990]
  • We’ve added a new filter Cloud Account Security Center Defender Status to filter cloud accounts which have Azure Defender enabled/disabled for specific resources. [ENG-6189]

MULTI-CLOUD/GENERAL

  • We now show a loading spinner when fetching the Insight options while editing/creating an IaC configuration. [ENG-6975]
  • Added the "without badges" option to two existing filters (Resource In Cloud With Badge Key and Resource In Cloud With Badge Key/Value) and renamed these as Resource In Cloud With/Without Badge Key and Resource In Cloud With/Without Badge Key/Value. [ENG-6737]
  • Added the ability to add/update labels for Insights from the Insight library view. [ENG-6717]
  • Improved the loading time/responsiveness of BotFactory when viewing/working with Bots with a large number of scopes. [ENG-6192]
  • Added the ability to download a CSV of the Bot listing. The CSV will include the filters and actions which are used by the Bot. [ENG-4733]

Resources (21.2.5)

AWS

  • We’ve added support for AWS CloudWatch Logs Destinations, a resource allowing you to specify CloudWatch Logs destinations. A new permission is required: "logs:DescribeDestinations". This new resource can be found under the resource Identity & Management category, as a Cloud Search Index resource type. [ENG-5546]

AZURE

  • We’ve added support for Azure Synapse, Azure’s analytics service that combines “enterprise data warehousing and Big Data analytics”. (You can read more about Azure Synapse here.) This new resource requires the new permission "Microsoft.Synapse/workspaces/read". There are three new filters to accompany the resource: Big Data Workspace With Double Encryption Enabled, Big Data Workspace With Double Encryption Disabled, and Big Data Workspace Publicly Accessible. This new resource can be found on our main Resources page under the Compute category and the new Resource type Big Data Workspace. Note: Azure’s resource SQL Database/SQL Data Warehouse can still be found in our tool under the Compute category, as a Database resource type; it is now renamed SQL Database/Dedicated SQL Pool. [ENG-5990]

Filters (21.2.5)

With the 21.2.5 release, many of our filters may be denoted as “updated” when all that has changed is the filter name. This update is a result of our applying a stricter naming convention to our existing filters to make them more concise and easier to find and understand. In many cases, the change is trivial, e.g., Container Log Driver (AWS Only) changed to Container Log Driver (AWS). Please let us know if you have any questions about this: [email protected].

AWS

  • Cloud Policy With Negation Key (AWS) - This new filter identifies cloud policies whose statements use the negation keys "NotAction" or "NotResource". An Allow statement with NotAction grants every action except the ones listed, so although there are valid use cases (typically a Deny that exempts a short list of actions), these keys are generally discouraged. [ENG-6892]
  • Cloud Role Using Policy With Negation Key (AWS) - This new filter identifies cloud roles whose policies, attached or inline, use the negation keys "NotAction" or "NotResource". The same caveat applies: such policies are not always wrong, but they deserve review. [ENG-6892]
  • Load Balancer With HTTP Listener Not Redirecting To HTTPS - This new filter identifies load balancers with HTTP listeners that do not redirect clients to HTTPS, i.e. listeners that still serve traffic in plaintext. [ENG-6555]
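The two negation-key filters above amount to walking every statement of every policy a principal carries and reporting the ones that use "NotAction" or "NotResource". The following is an added example of that check, not DivvyCloud code: it parses standard IAM policy JSON, tolerates the single-object and list forms of "Statement", rates an Allow statement with a negation key as high (it grants everything except the listed items) and a Deny as informational (the usual legitimate pattern). The role structure, the policy names and the sample documents are constructed for the example, not the shape returned by the IAM API.

```python
"""Detect IAM policy statements that rely on the negation keys NotAction / NotResource.

Added example, not DivvyCloud code. It illustrates the idea behind the
Cloud Policy With Negation Key and Cloud Role Using Policy With Negation Key
filters. Policy documents use the real IAM JSON layout; the role structure
and the sample policies are constructed for this example.
"""
import json

NEGATION_KEYS = ("NotAction", "NotResource")


def _statements(doc):
    """IAM allows "Statement" to be a single object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def find_negation_statements(policy):
    """Return one finding per statement that uses NotAction or NotResource.

    `policy` is a policy document as a dict or a JSON string. An Allow statement
    with a negation key grants everything except the listed actions/resources,
    so it is rated high; a Deny statement ("deny everything but these") is the
    usual legitimate pattern and is rated info.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_statements(doc)):
        keys = [k for k in NEGATION_KEYS if k in stmt]
        if not keys:
            continue
        effect = stmt.get("Effect")
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{idx}]"),
            "effect": effect,
            "keys": keys,
            "severity": "high" if effect == "Allow" else "info",
        })
    return findings


def audit_role(role):
    """Check every attached and inline policy of a role.

    `role` is a constructed structure {"attached": {name: doc}, "inline": {name: doc}},
    not the IAM API response shape. Returns {"attached:<name>" or "inline:<name>": findings}
    for each policy that has at least one finding.
    """
    results = {}
    for kind in ("attached", "inline"):
        for name, doc in role.get(kind, {}).items():
            findings = find_negation_statements(doc)
            if findings:
                results[f"{kind}:{name}"] = findings
    return results


# Constructed sample: one broad attached policy, one clean attached policy,
# and a region-pinning inline Deny that uses NotAction legitimately.
SAMPLE_ROLE = {
    "attached": {
        "BroadPowerUser": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
                {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
            ],
        },
        "BucketReadOnly": {
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": ["s3:GetObject"],
                          "Resource": "arn:aws:s3:::example-bucket/*"},
        },
    },
    "inline": {
        "DenyOutsideEuWest1": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "DenyOutsideRegion",
                "Effect": "Deny",
                "NotAction": ["iam:*", "sts:*", "support:*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}},
            }],
        }),
    },
}

if __name__ == "__main__":
    for policy, findings in audit_role(SAMPLE_ROLE).items():
        for f in findings:
            print(f"{policy}: {f['sid']} Effect={f['effect']} "
                  f"uses {','.join(f['keys'])} [{f['severity']}]")
```

Run against the sample role, the broad attached policy is reported as high and the region-pinning inline Deny as info; the read-only bucket policy produces no finding. Feeding the function real documents from iam:GetPolicyVersion and iam:GetRolePolicy is the only change needed to use it against an account.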

AZURE

  • Big Data Workspace Publicly Accessible - This new filter supports Azure Synapse. [ENG-5990]
  • Big Data Workspace With Double Encryption Disabled - This new filter supports Azure Synapse. [ENG-5990]
  • Big Data Workspace With Double Encryption Enabled - This new filter supports Azure Synapse. [ENG-5990]
  • Cloud Account Security Center Defender Status - This new filter is used to filter cloud accounts which have Azure Defender enabled/disabled for specific resources. [ENG-6189]

MULTI-CLOUD/GENERAL

  • Resource In Cloud With/Without Badge Key - This enhancement adds the "without badges" option to the existing filter Resource In Cloud With Badge Key and renames the filter to Resource In Cloud With/Without Badge Key. [ENG-6737]
  • Resource In Cloud With/Without Badge Key/Value - This enhancement adds the "without badges" option to the existing filter Resource In Cloud With Badge Key/Value and renames the filter to Resource In Cloud With/Without Badge Key/Value. [ENG-6737]

Bug Fixes (21.2.5)

AWS

  • [ENG-7142] Added the missing permission "waf:ListLoggingConfigurations" to the CFT (CloudFormation template) reference file.
  • [ENG-7103] Fixed a bug with the Network Endpoint harvester.
  • [ENG-7100] Fixed the filters Encryption Key Rotation Enabled and Encryption Key Rotation Disabled so that they no longer include asymmetric CMKs in AWS, since keys of this type do not support automatic key rotation.
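The fix above is about scoping: KMS automatic rotation exists only for symmetric keys, and asking KMS for the rotation status of an asymmetric key is an error, so a check that queries every key and treats the error as "rotation disabled" reports asymmetric keys as findings. The following is an added example, not DivvyCloud code, that shows the naive check beside the scoped one. FakeKmsClient is a constructed stand-in for boto3's KMS client so the example runs offline; the metadata fields (KeyManager, KeySpec, KeyUsage) follow the KeyMetadata returned by kms:DescribeKey, and the key inventory is constructed.

```python
"""Scope a 'key rotation disabled' check to KMS keys that actually support rotation.

Added example, not DivvyCloud code. KMS automatic rotation is only available
for symmetric keys; GetKeyRotationStatus on an asymmetric key fails with
UnsupportedOperationException. A check that treats that failure as
"rotation disabled" produces false positives. FakeKmsClient is a constructed
stand-in for boto3's KMS client; the key inventory below is constructed.
"""


class UnsupportedOperationException(Exception):
    """Stands in for the botocore error KMS raises for asymmetric keys."""


class FakeKmsClient:
    """Offline stand-in exposing the three boto3 KMS calls the check needs."""

    def __init__(self, keys):
        # keys: {key_id: (metadata_dict, rotation_enabled_bool)}
        self._keys = keys

    def list_keys(self):
        return {"Keys": [{"KeyId": k} for k in self._keys]}

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._keys[KeyId][0]}

    def get_key_rotation_status(self, KeyId):
        meta, enabled = self._keys[KeyId]
        if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
            raise UnsupportedOperationException(f"{KeyId} is not a symmetric key")
        return {"KeyRotationEnabled": enabled}


def rotation_supported(meta):
    """Only symmetric keys can have automatic rotation enabled.

    KeySpec is absent from older metadata, where the key is always symmetric.
    """
    return meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT"


def rotation_disabled_naive(client):
    """Pre-fix behaviour: query every key and count any error as 'disabled'."""
    flagged = []
    for key in client.list_keys()["Keys"]:
        try:
            enabled = client.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]
        except UnsupportedOperationException:
            enabled = False  # asymmetric keys land here and are mis-reported
        if not enabled:
            flagged.append(key["KeyId"])
    return flagged


def rotation_disabled(client):
    """Fixed behaviour: check the key spec first and skip keys that cannot rotate."""
    flagged = []
    for key in client.list_keys()["Keys"]:
        meta = client.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
        if not rotation_supported(meta):
            continue
        if not client.get_key_rotation_status(KeyId=key["KeyId"])["KeyRotationEnabled"]:
            flagged.append(key["KeyId"])
    return flagged


# Constructed inventory: two symmetric customer-managed keys and one RSA signing key.
SAMPLE_KEYS = {
    "sym-rotated": ({"KeyId": "sym-rotated", "KeyManager": "CUSTOMER",
                     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}, True),
    "sym-stale": ({"KeyId": "sym-stale", "KeyManager": "CUSTOMER",
                   "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"}, False),
    "rsa-signing": ({"KeyId": "rsa-signing", "KeyManager": "CUSTOMER",
                     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}, False),
}

if __name__ == "__main__":
    client = FakeKmsClient(SAMPLE_KEYS)
    print("naive :", rotation_disabled_naive(client))  # includes the RSA key
    print("scoped:", rotation_disabled(client))        # only the stale symmetric key
```

With the constructed inventory the naive check flags both "sym-stale" and "rsa-signing", while the scoped check flags only "sym-stale". Against a real account, replace FakeKmsClient with boto3.client("kms"), page through list_keys, and catch client.exceptions.UnsupportedOperationException in place of the stand-in class.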

AZURE

  • [ENG-7110] Fixed a bug where the minimum TLS version for Azure Storage Accounts was not shown.
  • [ENG-7093] Fixed a bug that prevented association of the Azure VNet when harvesting Azure Redis instances.

MULTI-CLOUD/GENERAL

  • [ENG-7162] Fixed an IaC analysis bug that prevented parsing of the viewer protocol policy for AWS CloudFront Distributions.
  • [ENG-6971] Fixed a bug with the filter "Instance uses simple networking".
  • [ENG-6970] We've extended the filter Public IP Allocation Type to include Azure and Oracle public IP resources.

Divvy Software Release Notice - 21.2.6 Minor Release (03/31/2021)

DivvyCloud's Minor Release 21.2.6 includes a couple bug fixes. As always, contact us at [email protected] with any questions.

Bug Fixes (21.2.6)

AWS

  • [ENG-7232] Resolved S3 bucket Public Access Block settings being reported as false (explicitly disabled) when no Public Access Block configuration was present at harvest time.
  • [ENG-7208] Fixed an issue where some endpoints were failing when the content-type header was set to JSON but the payload was not JSON.

MULTI-CLOUD/GENERAL

  • [ENG-7269] Fixed a privilege escalation issue that occurred after granting a user the permission to generate API keys.
  • [ENG-7220] Improved performance of the Resources section when a pending deletion is being queried.