21.3 Release Notes

Latest 21.3 Release


21.3.5 Latest Release 5/14/2021

Release 21.3.5 resolves an issue identified in DivvyCloud’s 21.3.0 release with harvest jobs not getting scheduled. After running for long periods of time, the scheduler may fail to schedule certain harvest jobs, causing a slow leak of harvests. This release resolves this issue and ensures that all harvest jobs are scheduled as specified by the harvest strategy. [ENG-7852]

We recommend customers on versions 21.3.0 through 21.3.4 immediately take release 21.3.5 to address the issue. Contact your CSM or support at [email protected] with questions or concerns.

Release Highlights (21.3.4)

DivvyCloud is pleased to announce Minor Release 21.3.4. This minor release includes two feature enhancements, updates to several filters, one UI update, and several bug fixes.

For our add-on Cloud IAM Governance module, this release includes one feature enhancement.

Minor release 21.3.4 was made available to hosted customers on Wednesday, May 12, 2021 and distributed to self-hosted customers on Thursday, May 13, 2021. If you are interested in becoming a hosted customer, reach out to [email protected].

Skip ahead to review the details for the general release, as well as details for Cloud IAM Governance. As always, contact us at [email protected] with any questions.


Table of Contents

Major Release 21.3.0 (04/14/2021)
Minor Release 21.3.1 (04/21/2021)
Minor Release 21.3.2 (04/21/2021)
Minor Release 21.3.3 (05/05/2021)
Minor Release 21.3.4 (05/12/2021)
Minor Release 21.3.5 (05/14/2021)

The following are updates related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module:

Cloud IAM Governance (Access Explorer) - 21.3 Major Release (04/14/2021)
Cloud IAM Governance (Access Explorer) - 21.3.1 Minor Release (04/21/2021)
Cloud IAM Governance (Access Explorer) - 21.3.3 Minor Release (05/05/2021)
Cloud IAM Governance (Access Explorer) - 21.3.4 Minor Release (05/12/2021)

Divvy Software Release Notice - 21.3.0 Major Release (04/14/2021)

New Permissions Required (21.3.0)


New Permissions Required: AWS

For AWS Standard (Read-Only) Users:
"elasticache:DescribeReservedCacheNodes",
"elastictranscoder:ListPipelines",
"es:DescribeReservedElasticsearchInstances",
"kendra:DescribeIndex",
"kendra:ListIndices"

For AWS Power Users:
"elastictranscoder:*",
"kendra:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional DivvyCloud policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS Standard User (read-only) Policy - Option 1.

More on AWS Permissions:

  • "elasticache:DescribeReservedCacheNodes" - Supports added visibility into AWS Elasticsearch and AWS ElastiCache reserved instances. [ENG-6718]
  • "elastictranscoder:ListPipelines" - Provides visibility and lifecycle support for the newly added resource AWS Elastic Transcoder Pipelines. [ENG-7057]
  • "es:DescribeReservedElasticsearchInstances" - Supports added visibility into AWS Elasticsearch and AWS ElastiCache reserved instances. [ENG-6718]
  • "kendra:DescribeIndex" and "kendra:ListIndices" - Support visibility, tagging, and deletion lifecycle for AWS Kendra Search Indexes. [ENG-6239]
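The supplemental-policy recommendation above, worked through in code as an added example (this is not DivvyCloud's or AWS's code): it checks which of the newly required actions the policies currently attached to the harvesting principal do not already grant, and emits the small additional policy to attach alongside the managed read-only policy. IAM action names match case-insensitively and accept `*` wildcards, and an explicit Deny overrides an Allow, so a `kendra:Describe*` Deny in an existing customer policy would leave `kendra:DescribeIndex` missing even though the managed policy looks broad. The attached policies shown are constructed stand-ins (the real AWS managed ReadOnlyAccess policy is far larger), and Resource scoping and Condition keys are deliberately ignored.

```python
"""
Added example, not DivvyCloud's code: find which newly required IAM actions
an existing policy set does not already grant, and build the supplemental
policy statement to attach.  The policy documents below are constructed
samples standing in for the policies attached to the harvesting principal.
"""
import fnmatch
import json

# Actions 21.3.0 requires for the AWS Standard (Read-Only) user, from the release notes.
REQUIRED_ACTIONS_21_3_0 = [
    "elasticache:DescribeReservedCacheNodes",
    "elastictranscoder:ListPipelines",
    "es:DescribeReservedElasticsearchInstances",
    "kendra:DescribeIndex",
    "kendra:ListIndices",
]

# Constructed stand-in for the policies currently attached to the harvesting role.
SAMPLE_ATTACHED_POLICIES = [
    {   # managed-style read-only policy: broad Describe* wildcards
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["elasticache:Describe*", "es:Describe*", "ec2:Describe*"],
             "Resource": "*"},
        ],
    },
    {   # customer supplement that also carves out an explicit Deny
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "kendra:ListIndices", "Resource": "*"},
            {"Effect": "Deny", "Action": "kendra:Describe*", "Resource": "*"},
        ],
    },
]


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_effectively_allowed(action, policies):
    """
    True if some Allow statement matches the action and no Deny statement does.
    Assumption: Resource is '*' and there are no Condition keys (as in the
    page's snippets), so only the action name is evaluated.
    """
    allowed = denied = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
    return allowed and not denied


def missing_actions(required, policies):
    """Return the required actions that the current policy set does not grant."""
    return [a for a in required if not action_effectively_allowed(a, policies)]


def build_supplement(actions, sid="DivvyCloud2130Supplement"):
    """Build the small additional policy recommended alongside the managed one."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    gap = missing_actions(REQUIRED_ACTIONS_21_3_0, SAMPLE_ATTACHED_POLICIES)
    print(json.dumps(build_supplement(gap), indent=2))
```

Against the constructed policies the gap is `elastictranscoder:ListPipelines` (no statement mentions the service) and `kendra:DescribeIndex` (matched by the Deny), so those two are what the supplement would add. In a live account you would feed the function the documents returned for each attached policy version rather than the samples here.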


New Permissions Required: Azure

For Azure Standard (Read-Only) Users:
"Microsoft.OperationalInsights/workspaces/read"

For Azure Power Users:
"Microsoft.OperationalInsights/*"

More on Azure Permissions:
"Microsoft.OperationalInsights/workspaces/read" - Supports the newly added resource Azure Log Analytics Workspaces. [ENG-6247]

User Interface Enhancements (21.3.0)

  • We have added a Scheduler Mailbox Queue count to the admin System Health Settings view, giving visibility into the scheduler queue. This count is expected to stay near zero; if it keeps increasing, treat that as an early warning of a scheduler problem. [ENG-7494]
  • Improved the user experience for IaC with better/clearer error messaging for an invalid Terraform scan template and without a stack trace in the UI. [ENG-7193]
  • DivvyCloud’s Insight Library view now allows users to add/update labels from the context menu available next to each Insight name. [ENG-6717]

Features & Enhancements (21.3.0)

SCHEDULER IMPROVEMENTS
We have introduced several performance and reliability improvements to the scheduler, specifically with processing worker messages. In rare cases, customers have observed scheduled events taking longer to appear after being created by Bots or being marked as complete after the action was executed. This was resolved by removing possible bottlenecks in message processing. In addition, scheduler log messages now have better context when originating from a Bot; we have also improved visibility and resiliency for recovering information around scheduler thread failures. [ENG-7453]

AWS

  • We have enriched EDH metadata by storing the IP which provisioned the resource [ENG-7121]:
    • We have expanded the metadata we can attach to resources harvested using Event Driven Harvesting (EDH) to include the IP address of the creator. Now, we can also auto-tag provisioned resources with a “divvy.creator_ip” tag, which captures the IP address of the user who created the resource.
    • Added a new filter, Resource Provisioned From Unauthorized Network (AWS), that compares resource creator IP addresses with authorized IPv4 networks to identify resources provisioned from outside of those networks.
    • To make the filter more useful, we recommend first creating a data collection for the filter called “Authorized Networks”. The data collection should have internal approved networks supplemented with AWS networks to surface true concerns. Next, we recommend creating a Bot that runs using the “Resource Created” hookpoint. The Bot can send notifications, take corrective actions, or both.
  • Added visibility and lifecycle support for AWS Elastic Transcoder Pipelines, the queues that manage AWS’ transcoding jobs. A new permission is required: "elastictranscoder:ListPipelines". This new resource can be located on the main Resources page, Compute category, as a new Resource Type “Transcoding Pipeline”. [ENG-7057]
  • Added visibility, tag, and deletion lifecycle support for AWS Kendra Search Indexes. New permissions required are "kendra:DescribeIndex" and "kendra:ListIndices". The AWS Kendra Index resource can be found on the main Resources page, Compute category, as a new Resource Type “Search Index”. [ENG-6239]
  • Added visibility into AWS Elasticsearch and AWS ElastiCache reserved instances. New permissions required are "elasticache:DescribeReservedCacheNodes" and "es:DescribeReservedElasticsearchInstances". [ENG-6718]
  • Added visibility and filtering support for the authentication strategy and auto minor upgrade configuration values of Amazon MQ Broker Instances. The updated filters are Database/Broker Instance Without Minor Upgrades Enabled (previously named Database Instance Without Minor Upgrades Enabled) and Database/Broker Instance With Minor Upgrades Enabled (previously named Database Instance With Minor Upgrades Enabled). [ENG-7202]
  • We have added a filter, Resource Specific Policy With Negation Key (AWS), to identify resources with policies that use two discouraged negation keys, i.e., "NotAction", and "NotPrincipal". While there are valid use cases for those keys in policies, they are generally discouraged. [ENG-6928]
  • Added a new Bot action “Update Cloud Role Session Duration” that can be used to update the maximum session duration for AWS IAM Roles. [ENG-7182]
  • Added a new Bot action “Enable ETL Data Catalog Encryption” to enable AWS Glue Data Catalog encryption at rest and password encryption. [ENG-6322]
  • Added three new filters for AWS Elasticsearch instances:
    • Elasticsearch Instance UltraWarm Enabled/Not Enabled
    • Elasticsearch Instance Zone Awareness Enabled/Not Enabled
    • Elasticsearch Instance Without Advanced Security Enabled
  • Added a new filter Distributed Table With Default Encryption to identify AWS DynamoDB tables that leverage provider default encryption. [ENG-7184]
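The negation-key check described for Resource Specific Policy With Negation Key (AWS), as an added example that is not DivvyCloud's filter implementation. Beyond reporting which statements use NotAction or NotPrincipal, it rates the combination with the statement's Effect, because that is what makes these keys risky: an Allow with NotPrincipal grants the statement's permissions to every principal except those listed, including anonymous callers, and an Allow with NotAction grants every action not listed; a Deny with a negation key is the common legitimate pattern. The bucket policy is a constructed sample.

```python
"""
Added example, not DivvyCloud's code: flag resource policy statements that use
the NotAction or NotPrincipal negation keys and rate the riskiest combinations.
The S3 bucket policy below is a constructed sample.
"""

SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Allow + NotPrincipal: every principal except Audit, anonymous included
            "Sid": "EveryoneButAudit",
            "Effect": "Allow",
            "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:role/Audit"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # Allow + NotAction: every S3 action except the one listed
            "Sid": "AllButDelete",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/App"},
            "NotAction": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # Deny + NotPrincipal: the usual legitimate "deny everyone else" pattern
            "Sid": "DenyAllOthers",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": "arn:aws:iam::123456789012:role/App"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # ordinary statement with no negation keys
            "Sid": "Plain",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/App"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
}

NEGATION_KEYS = ("NotAction", "NotPrincipal")


def negation_findings(policy):
    """
    One finding per statement that uses a negation key.
    Severity follows the Effect: Allow+NotPrincipal is high (grants to everyone
    not listed, anonymous included), any other Allow with a negation key is
    medium (grants every action not listed), and Deny is low (usual legitimate use).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # IAM permits a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        keys = [k for k in NEGATION_KEYS if k in stmt]
        if not keys:
            continue
        effect = stmt.get("Effect")
        if effect == "Allow" and "NotPrincipal" in keys:
            severity = "high"
        elif effect == "Allow":
            severity = "medium"
        else:
            severity = "low"
        findings.append({"sid": stmt.get("Sid"), "effect": effect,
                         "keys": keys, "severity": severity})
    return findings


def uses_negation_key(policy):
    """Boolean form of the check, mirroring a match/no-match query filter."""
    return bool(negation_findings(policy))


if __name__ == "__main__":
    for finding in negation_findings(SAMPLE_BUCKET_POLICY):
        print(finding)
```

Run over the sample, the check reports three of the four statements, with `EveryoneButAudit` rated high; the plain statement is not reported. The same logic applies to any resource-based policy document (S3, KMS, SQS, and so on), since they share the statement structure.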

AZURE

  • Added the Azure subscription that a resource group belongs to as helper text when scoping Bots. [ENG-6835]
  • Added support for Azure Log Analytics Workspaces. A new permission "Microsoft.OperationalInsights/workspaces/read" is required for this resource, which can be found on the Resources main page, Identity & Management category, as a new Resource Type “Log Analytics Workspace”. In addition, Azure Virtual Machines can now be queried for whether they are exporting logs to a workspace using the Resource Not Exporting To Log Analytics Workspace filter. [ENG-6247]
  • Added the ability to delete and disassociate an Azure Public IP. [ENG-3443]

GCP

  • Added visibility into publicly accessible Google Cloud Functions and included support for IaC analysis via Terraform. A new filter, Serverless Function Uses HTTP Trigger (GCP), identifies serverless functions that leverage an HTTP trigger. [ENG-7233]

MULTI-CLOUD/GENERAL

  • Made improvements in the scheduler to increase reliability in monitoring and logging, as well as to improve performance. [ENG-6398]
  • Added a configuration option to AWS and Azure Organizations to automatically remove clouds for suspended accounts. [ENG-7101]
  • Introduced a new filter Resource Engine Version that identifies resources by their engine version (major and minor). It works with the following resource types: Airflow Environments, Big Data Instances, Broker Instances, Cache Instances, Database Clusters, Database Instances, Database Migration Instances, Elasticsearch Instances, Stream Instances. [ENG-7213]
  • Insights are now filtered by the cloud provider when a specific cloud resource type is selected. [ENG-7194]
  • Display the IaC provider type in the Scan Result header. [ENG-7189]
  • Added the ability to add/update labels for Insights from the Insight library view. [ENG-6717]
  • Provided the ability for users to copy and paste a list of tags directly into any Tags selector across our app, e.g., the Query Filters and Bot Action Filters. Customers can now copy and paste Tags from anywhere, and on pasting them into the tag selector, they will see a list of separate tags. [ENG-6701]
  • We’ve removed the log file handler and stopped the application from writing logs to disk to prevent consuming disk space. [ENG-7309]

Resources (21.3.0)

AWS

  • Added visibility and lifecycle support for AWS Elastic Transcoder Pipelines, the queues that manage AWS’ transcoding jobs. A new permission is required: "elastictranscoder:ListPipelines". This new resource can be located on the main Resources page, Compute category, as a new Resource Type “Transcoding Pipeline”. [ENG-7057]
  • Added visibility, tag, and deletion lifecycle support for AWS Kendra Search Indexes. New permissions required are "kendra:DescribeIndex" and "kendra:ListIndices". The AWS Kendra Index resource can be found on the main Resources page, Compute category, as a new Resource Type “Search Index”. [ENG-6239]
  • Added visibility and tagging support to these AWS resource types: IAM policies, SAML, OpenID Identity Providers, and Event Bridge event buses. More information on this can be found here. [ENG-6697]

AZURE

  • Added support for Azure Log Analytics Workspaces. A new permission "Microsoft.OperationalInsights/workspaces/read" is required for this resource, which can be found on the Resources main page, Identity & Management category, as a new Resource Type “Log Analytics Workspace”. In addition, Azure Virtual Machines can now be queried for whether they are exporting logs to a workspace using the Resource Not Exporting To Log Analytics Workspace filter. [ENG-6247]

Actions (21.3.0)

AWS

  • Added a new Bot action “Update Cloud Role Session Duration” that can be used to update the maximum session duration for AWS IAM Roles. [ENG-7182]
  • Added a new Bot action “Enable ETL Data Catalog Encryption” to enable AWS Glue Data Catalog encryption at rest and password encryption. [ENG-6322]

Filters (21.3.0)

AWS

  • Database/Broker Instance With Minor Upgrades Enabled (previously named Database Instance With Minor Upgrades Enabled) - This filter supports the added visibility and filtering for the authentication strategy and auto minor upgrade configuration values of Amazon MQ Broker Instances. [ENG-7202]
  • Database/Broker Instance Without Minor Upgrades Enabled (previously named Database Instance Without Minor Upgrades Enabled) - This filter supports the added visibility and filtering for the authentication strategy and auto minor upgrade configuration values of Amazon MQ Broker Instances. [ENG-7202]
  • Distributed Table With Default Encryption - This new filter identifies AWS DynamoDB tables that leverage provider default encryption. [ENG-7184]
  • Elasticsearch Instance UltraWarm Enabled/Not Enabled - Supports AWS Elasticsearch instances. [ENG-7074]
  • Elasticsearch Instance Zone Awareness Enabled/Not Enabled - Supports AWS Elasticsearch instances. [ENG-7074]
  • Elasticsearch Instance Without Advanced Security Enabled - Supports AWS Elasticsearch instances. [ENG-7074]
  • Encryption Key Rotation Disabled - Updated this filter to no longer scope to asymmetric CMKs within AWS as keys of this type do not support key rotation. [ENG-7100]
  • Encryption Key Rotation Enabled - Updated this filter to no longer scope to asymmetric CMKs within AWS as keys of this type do not support key rotation. [ENG-7100]
  • Resource Provisioned From Unauthorized Network (AWS) - This new filter compares resource creator IP addresses with authorized IPv4 networks to identify resources provisioned from outside of those networks. [ENG-7121]
  • Resource Specific Policy With Negation Key (AWS) - This new filter identifies resources with policies that use two discouraged negation keys, i.e., "NotAction", and "NotPrincipal". While there are valid use cases for those keys in policies, they are generally discouraged. [ENG-6928]

AZURE

  • Resource Not Exporting To Log Analytics Workspace - This new filter can be used to query Azure Virtual Machines for whether they are exporting logs to a workspace. [ENG-6247]

GCP

  • Serverless Function Uses HTTP Trigger (GCP) - This new filter identifies serverless functions that leverage an HTTP trigger. [ENG-7233]

MULTI-CLOUD/GENERAL

  • Resource Engine Version - This new filter identifies resources by their engine version (major and minor). It works with the following resource types: Airflow Environments, Big Data Instances, Broker Instances, Cache Instances, Database Clusters, Database Instances, Database Migration Instances, Elasticsearch Instances, Stream Instances. [ENG-7213]

Bug Fixes (21.3.0)

AWS

  • [ENG-6887] Bots are now allowed to automatically enable geo-restriction on CloudFront distributions for increased security.
  • [ENG-6716] Fixed a bug involving Cloud Advisor Check incorrectly communicating severity.

AZURE

  • [ENG-7440] Fixed a bug that prevented the linking of all Azure Resource Group resources to DivvyCloud resources.
  • [ENG-7206] Fixed the MicrosoftAzureARN harvester; resolves a bug where VM harvesting failed with a ParentResourceNotFound error.
  • [ENG-7145] Fixed harvester for NetworkFirewallHarvester; resolves a bug involving incorrect Azure Network Firewall Harvesting.
  • [ENG-7045] Fixed an issue where Azure Load Balancers and Application Gateways do not display a Fully Qualified Domain Name (FQDN).
  • [ENG-6996] Fixed a bug where the encryption status of Azure Databricks resources was harvested incorrectly.
  • [ENG-6690] Removed the "create ingress/egress rule" action for Azure NSG resources.
  • [ENG-6335] Fixed a bug involving the filter Resource has Azure Lock not working when the "Not In" check box was enabled.

MULTI-CLOUD/GENERAL

  • [ENG-7327] Fixed a bug that incorrectly rendered the status of the Delete permission when viewing DivvyCloud role permissions.
  • [ENG-7221] Fixed a bug with Bot deletion: added logic to remove pending scheduled events and resource noncompliance records for resources which were exempted within the tool or using the Bot action Curate Insight/Bot Exemptions.
  • [ENG-6980] Fixed a bug with IaC scan results returning poorly-formatted URLs.
  • [ENG-6973] Removed duplicates from the Impact Pack Membership list for each Insight.
  • [ENG-6955] Fixed error display that was broken in Update Authentication Server Modal; cleaned up error message styling.

Cloud IAM Governance (Access Explorer) Updates - 21.3.0 Major Release (04/14/2021)


The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.3.0)

  • IAM Analyzer Performance improvements and bug fixes. [ENG-7217]
  • Added Identity Resource Principal With Effective Wildcard Access On Service Or Action (AWS) Query Filter (IAM Customers ONLY). This filter matches Principals who are allowed to perform all actions within an AWS service (e.g., s3 or ec2) within some user-defined tolerance (for example, a role which can perform all but 2 ec2 actions). [ENG-6617]
  • Added Identity Resource Principal Has Any Actions On Service (AWS) filter for detecting AWS Users and Roles with access to services. [ENG-7032]
  • Improved IAM Cache Build performance; Modified IAM Cache Build status to show relationships (instead of resources), which updates the progress bar more frequently. [ENG-7201]

Cloud IAM Governance Filters (21.3.0)

  • Identity Resource Principal Has Any Actions On Service (AWS) - This is a new filter for detecting AWS Users and Roles with access to services. [ENG-7032]
  • Identity Resource Principal With Effective Wildcard Access On Service Or Action (AWS) - This new query filter (for IAM Customers ONLY) matches Principals who have or nearly have Wildcard for Services or Actions. User specifies which services or can specify all services (which is default). This is an Effective Access filter; we compute the full policy stack and the answer is based on full effective access. [ENG-6617]
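The effective-wildcard idea behind the second filter, as an added example that is not Access Explorer's code: rather than looking for a literal `ec2:*`, it expands every Allow and Deny in a principal's policy stack against the service's action inventory, removes what is denied, and reports a match when the principal can perform all but at most a user-defined number of the service's actions (the "all but 2 ec2 actions" case above). The action inventory is a constructed subset of ec2 actions (the real service has hundreds); Resource scoping, Condition keys and permission boundaries are ignored, and NotAction in an Allow is expanded as "everything in the inventory not listed".

```python
"""
Added example, not Access Explorer's code: measure how close a principal's
effective permissions come to a service-wide wildcard, with a tolerance.
The action inventory and the role's statements are constructed samples.
"""
import fnmatch

# Constructed stand-in for the service's full action inventory.
EC2_ACTION_INVENTORY = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSecurityGroup",
    "ec2:CreateVolume", "ec2:DeleteVolume",
]

# Constructed stack of statements gathered from every policy attached to one role.
SAMPLE_ROLE_STATEMENTS = [
    {"Effect": "Allow", "Action": "ec2:*"},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(action, patterns):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_allowed_actions(statements, inventory):
    """
    Inventory actions that some Allow matches and no Deny matches.
    Assumption: Resource '*' and no Condition keys, so only action names count.
    NotAction is expanded against the inventory (everything not listed).
    """
    allowed, denied = set(), set()
    for stmt in statements:
        if "Action" in stmt:
            matched = {a for a in inventory if _matches_any(a, _as_list(stmt["Action"]))}
        elif "NotAction" in stmt:
            matched = {a for a in inventory if not _matches_any(a, _as_list(stmt["NotAction"]))}
        else:
            continue
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return allowed - denied


def effective_wildcard(statements, inventory, tolerance=0):
    """
    (matches, missing): matches is True when the principal can perform all but
    at most `tolerance` of the service's actions; missing lists what it cannot do.
    """
    allowed = effective_allowed_actions(statements, inventory)
    missing = sorted(set(inventory) - allowed)
    return len(missing) <= tolerance, missing


if __name__ == "__main__":
    print(effective_wildcard(SAMPLE_ROLE_STATEMENTS, EC2_ACTION_INVENTORY, tolerance=2))
```

With the sample role, two ec2 actions are denied, so the principal is not flagged at tolerance 0 but is at tolerance 2; an `Allow` with `NotAction: ec2:Delete*` is flagged the same way even though no `*` appears in its Action field, which is the case a literal-wildcard search misses.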


Important Note on Cloud IAM Governance Filters

Both filters above require the implementation of the Parallel Cache Build and whitelisting of accounts.

Cloud IAM Governance Bug Fix (21.3.0)

  • [ENG-7066] Fixed a bug in the IAM Access Analyzer involving improper handling of wildcard ("*") denies and allows.

Divvy Software Release Notice - 21.3.1 Minor Release (04/21/2021)

Minor Release 21.3.1 includes new support for three Azure resources (Azure NAT Gateway, Azure Logic Apps, and Azure NSG Flow Logs; the permissions needed to access these new resources are listed below). This release also includes a simplified integration with InsightVM, multiple new features and enhancements, an enhanced Bot action and improvements to existing actions. 21.3.1 provides numerous new filters and enhancements to existing filters, and a number of bug fixes. As always, contact us at [email protected] with any questions.

New Permissions Required (21.3.1)


New Permission Required: AWS

For AWS Standard (Read-Only) User Policy:
"ec2:GetSerialConsoleAccessStatus"

  • Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional DivvyCloud policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS Standard User (read-only) Policy - Option 1.

MORE ABOUT NEW AWS PERMISSION

  • "ec2:GetSerialConsoleAccessStatus" - This new permission supports the added visibility into AWS regions where the newly released serial console is available. [ENG-7331]


New Permissions Required: Azure

For Azure Standard (Read-Only) User Policy:
"Microsoft.Logic/workflows/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkWatchers/flowLogs/read",
"Microsoft.Network/networkWatchers/configureFlowLog/action"

For Azure Power User Policy:
"Microsoft.Logic/*"

MORE ABOUT NEW AZURE PERMISSIONS

  • "Microsoft.Logic/workflows/read" - Supports the added visibility into Azure Logic Apps. [ENG-6131]
  • "Microsoft.Network/natGateways/read" - Supports the added visibility into Azure NAT Gateway. [ENG-7513]
  • "Microsoft.Network/networkWatchers/flowLogs/read" and "Microsoft.Network/networkWatchers/configureFlowLog/action" support the added visibility into Azure NSG Flow Logs. [ENG-6376]

User Interface Changes (21.3.1)

MULTI-CLOUD/GENERAL

  • The account ID that is associated with GCP, Azure, Alibaba Cloud and Oracle Cloud is now included in the Compliance Scorecard export overview page. [ENG-7515]

Features & Enhancements (21.3.1)

AWS

  • We now identify which Elastic Container Service Clusters (AWS) are using Fargate. The new filter Container Cluster Engine Using Fargate (AWS) finds Fargate/non-Fargate ECS Clusters; the Fargate property is now visible and sortable on the Resource Listing page (for 'Clusters'). [ENG-5821]
  • Added visibility into AWS regions where the newly released serial console is available. A new permission is required: “ec2:GetSerialConsoleAccessStatus”. A new filter Cloud Region Serial Console Status is also available. [ENG-7331]
  • Added EDH visibility into the ssm:StartSession event within AWS. This event can be used to track the last time an AWS instance was accessed using SSM. [ENG-7516]
  • Added a new option to the Bot action “Modify Database/Big Data Instance Attribute” that allows SSL to be required for all connections to AWS Redshift instances. [ENG-7517]
  • Added a new filter Database Migration Instance Is Not Encrypted to identify AWS DMS Replication Instances without encryption at rest. [ENG-7429]
  • Added database migration instance to the list of supported resources for the filter Resource Is Not Encrypted. [ENG-7429]
  • Added AWS EDH support for the ConsoleLogin event. Added two new filters: Cloud User/Role Console Logon By Country Code (AWS) and Cloud User/Role Console Logon From Unauthorized Network (AWS). [ENG-7228]
  • Added Event Driven Harvesting (EDH) support for AWS GovCloud. [ENG-6109]
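The source-network check behind both Resource Provisioned From Unauthorized Network (AWS) in 21.3.0 (the `divvy.creator_ip` tag and the "Authorized Networks" data collection described there) and Cloud User/Role Console Logon From Unauthorized Network (AWS) above, as one added example that is not DivvyCloud's filter code. Two edge cases a practitioner hits immediately are handled explicitly: the filter compares against IPv4 networks, so an IPv6 caller can never match and is reported under its own reason, and CloudTrail records a service DNS name (for example `cloudformation.amazonaws.com`) rather than an IP when an AWS service makes the call on the user's behalf, which is not an address at all and is skipped by default. The events and the authorized networks are constructed samples.

```python
"""
Added example, not DivvyCloud's code: flag CloudTrail-style events whose
sourceIPAddress is outside an authorized set of IPv4 networks.  Covers both
resource-creation events (creator IP) and ConsoleLogin events.
The events and networks below are constructed samples.
"""
import ipaddress

# Constructed "Authorized Networks" data collection: office egress plus a VPN range.
AUTHORIZED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed CloudTrail-like events, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "CreateBucket", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "2001:db8::10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventName": "CreateStack", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Deployer"}},
]


def classify_source(source, networks):
    """
    'authorized'   - IPv4 address inside one of the networks
    'unauthorized' - IPv4 address outside all of them
    'ipv6'         - IPv6 address; cannot match an IPv4-only network list
    'service'      - not an IP: CloudTrail records a service DNS name when an
                     AWS service made the call on the caller's behalf
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "service"
    if addr.version == 6:
        return "ipv6"
    return "authorized" if any(addr in net for net in networks) else "unauthorized"


def unauthorized_network_findings(events, networks, flag_ipv6=True, skip_service=True):
    """
    Findings for events that did not originate from an authorized network.
    IPv6 sources are flagged by default (the check is IPv4-only, so they are
    unverified); service-originated calls are skipped by default because a DNS
    name can never match a network and would only add noise.
    """
    findings = []
    for event in events:
        verdict = classify_source(event.get("sourceIPAddress", ""), networks)
        if verdict == "authorized":
            continue
        if verdict == "ipv6" and not flag_ipv6:
            continue
        if verdict == "service" and skip_service:
            continue
        findings.append({
            "eventName": event["eventName"],
            "actor": event["userIdentity"]["arn"],
            "sourceIPAddress": event["sourceIPAddress"],
            "reason": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in unauthorized_network_findings(SAMPLE_EVENTS, AUTHORIZED_NETWORKS):
        print(finding)
```

On the sample, bob's `CreateBucket` from 192.0.2.77 and carol's IPv6 `ConsoleLogin` are reported, alice's call is authorized and the CloudFormation-originated `CreateStack` is skipped. If service-originated calls matter for your environment, pass `skip_service=False` and handle that reason separately rather than treating it as an unauthorized network.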

AZURE

  • Added tag visibility and lifecycle support to Azure Cloud Functions. [ENG-7593]
  • Added visibility into Azure NAT Gateway. This new resource can be found under the Network category of the Resources main page, as the resource type NAT Gateway. A new permission is required for the Standard (Read Only) User role: "Microsoft.Network/natGateways/read". [ENG-7513]
  • Added visibility into Azure Logic Apps. The new resource can be found on the main Resources page, Compute category, as the new resource type “Logic App”. New permission required: "Microsoft.Logic/workflows/read". New filter: Logic Apps Using Unapproved Connectors. [ENG-6131]
  • Added visibility into Azure NSG Flow Logs. This new resource can be found under the Network category as the new Resource type Access List Flow Log. Two new permissions are required: "Microsoft.Network/networkWatchers/flowLogs/read" and "Microsoft.Network/networkWatchers/configureFlowLog/action". [ENG-6376]
  • Added four new filters to support visibility into Azure NSG Flow Logs: Access List Flow Log Logging To Storage Status (Azure), Access List Flow Log Version (Azure), Access List Flow Log Destination ID (Azure), and Access List Flow Log Retention Policy Status (Azure). [ENG-6377]

GCP

  • Enhanced visibility for GCP Memorystore Memcached Instances. [ENG-7404]
  • Expanded GCP IaC support for the following services [ENG-7404]:
    • Cloud DNS
    • Cloud Bigquery Dataset
    • Cloud Memorystore
    • Cloud ML Notebook Instances
    • Compute Private Image
    • Compute Snapshot
    • Compute Address
    • Filestore Instance
    • Bigtable Instance
    • Network Peer

MULTI-CLOUD/GENERAL

  • Simplified the integration of DivvyCloud with InsightVM to use region and an API key. Refer to the documentation here. Important Note for existing users: upgrading will require this integration to be configured again (previous integration data will be invalid). [ENG-7637]
  • Added Destroyed as a new lifecycle state for encryption keys in filter Encryption Key State. [ENG-7427]
  • Added a new filter Resource Does Not Support TLS 1.2 to identify resources across multiple asset types which do not support TLS 1.2. [ENG-7424]
  • Added the ability to include an optional tag key in the get_impacted_resources() Jinja2 method to enrich the response with the value of the supplied tag. This enhancement works for the resource types AWS Trusted Advisor and AWS GuardDuty. [ENG-7332]
  • Reduced calls to the DB while improving the API response time when interacting with the Clouds section of the tool. [ENG-6550]
  • Added “Not In” support to the filter Elasticsearch Instance TLS Security Policy. [ENG-7419]
  • Added support for harvesting additional information associated with your resources from an external .json file. Refer to the documentation here. [ENG-6846]

Resources (21.3.1)

AZURE

  • Added visibility into Azure NAT Gateway. This new resource can be found under the Network category of the Resources main page, as the resource type NAT Gateway. A new permission is required for the Standard (Read Only) User role: "Microsoft.Network/natGateways/read". [ENG-7513]
  • Added visibility into Azure Logic Apps. The new resource can be found on the main Resources page, Compute category, as the new resource type “Logic App”. New permission required: "Microsoft.Logic/workflows/read". New filter: Logic Apps Using Unapproved Connectors. [ENG-6131]
  • Added visibility into Azure NSG Flow Logs. This new resource can be found under the Network category as the new Resource type Access List Flow Log. Two new permissions are required: "Microsoft.Network/networkWatchers/flowLogs/read" and "Microsoft.Network/networkWatchers/configureFlowLog/action". [ENG-6376]

Actions (21.3.1)

AWS

  • Added a new option to the Bot action “Modify Database/Big Data Instance Attribute” that allows SSL to be required for all connections to AWS Redshift instances. [ENG-7517]

Filters (21.3.1)

FILTER WILL BE DEPRECATED
We have deprecated the filter Resource Specific Policy Principal Search (now named Resource Specific Policy Principal Search (Deprecated)) in favor of the new 21.3 filter Resource Specific Policy Principal/Action Search. The new filter matches resources whose access policy either contains or is missing the desired target principal statements. Note that it only inspects resource-specific access policies, such as those attached to S3 or KMS resources.
Please migrate Bots and Insights to the newer version of this filter. The deprecated filter is not used in any Insights provided by DivvyCloud, so only Bots and custom Insights are affected. Steps for this migration are:

  1. In the DivvyCloud tool, access the Filters main page (Security ⇒ Filters)
  2. Use the search input field to find the filter Resource Specific Policy Principal Search (DEPRECATED)
  3. Use the links for Bots to find the bots that use the filter
  4. Open each Bot and choose the "Reconfigure" action
  5. Navigate to the Bot's conditions and add the replacement filter Resource Specific Policy Principal/Action Search
  6. Copy over the configuration from the deprecated filter to the replacement filter
  7. Remove the deprecated filter
  8. Save the Bot
  9. Return to Filters main page to find the custom Insights using the deprecated filter
  10. Open each Insight and choose "Record Changes"
  11. Add the replacement filter Resource Specific Policy Principal/Action Search
  12. Copy the configuration from the deprecated filter to the replacement filter
  13. Remove the deprecated filter
  14. Save the changes

The old filter will be retired after Release 21.4.0 (planned). Customers should update their Bots and Insights before then, which also makes it easier to see what impact, if any, the change has on their results.
Customers who prefer to have the migration performed on their behalf can wait until Release 21.4.0 (planned), when we will update their Bots and custom Insights automatically via a database migration. [ENG-4949]

AWS

  • Cloud Region Serial Console Status - Supports added visibility into AWS regions where the newly released serial console is available. [ENG-7331]
  • Cloud User/Role Console Logon By Country Code (AWS) - New filter adds AWS EDH support for the ConsoleLogin event. [ENG-7228]
  • Cloud User/Role Console Logon From Unauthorized Network (AWS) - New filter adds AWS EDH support for the ConsoleLogin event. [ENG-7228]
  • Container Cluster Engine Using Fargate (AWS) - New filter identifies which Elastic Container Service Clusters (AWS) are using Fargate; the Fargate property is now visible and sortable on the Resource Listing page (for ‘Clusters’). [ENG-5821]
  • Database/Big Data Instance With Default Parameter Group (AWS) - New filter supports the new option for the Bot action “Modify Database/Big Data Instance Attribute” that allows SSL to be required for all connections to AWS Redshift instances. [ENG-7517]
  • Database Migration Instance Is Not Encrypted - New filter identifies AWS DMS Replication Instances without encryption at rest. [ENG-7429]
  • Resource Is Not Encrypted - Existing filter was enhanced by adding database migration instance to this filter’s list of supported resources. [ENG-7429]

AZURE

  • Access List Flow Log Destination ID (Azure) - New filter supports visibility into Azure NSG Flow Logs. [ENG-6377]
  • Access List Flow Log Logging To Storage Status (Azure) - New filter supports visibility into Azure NSG Flow Logs. [ENG-6377]
  • Access List Flow Log Retention Policy Status (Azure) - New filter supports visibility into Azure NSG Flow Logs. [ENG-6377]
  • Access List Flow Log Version (Azure) - New filter supports visibility into Azure NSG Flow Logs. [ENG-6377]
  • Logic Apps Using Unapproved Connectors - New filter supports added visibility into Azure Logic Apps. [ENG-6131]

MULTI-CLOUD/GENERAL

  • Elasticsearch Instance TLS Security Policy - Existing filter was enhanced with the addition of “Not In” support. [ENG-7419]
  • Encryption Key State - Existing filter was enhanced with the addition of Destroyed as a new lifecycle state for encryption keys. [ENG-7427]
  • Resource Does Not Support TLS 1.2 - New filter identifies resources across multiple asset types which do not support TLS 1.2. [ENG-7424]

Bug Fixes (21.3.1)

GCP

  • [ENG-7462] Fixed a bug that would prevent harvesting of GCP Pub/Sub topics with names that have a length of 255 characters.

MULTI-CLOUD/GENERAL

  • [ENG-7640] Changed how unhandled errors in worker processes are caught so that issues which appear to hang a worker are surfaced instead of swallowed. As a result of this fix, customers may see more exceptions reported.
  • [ENG-7524] Fixed a bug where Exemptions notifications would fail in multi-org set up with some orgs missing SMTP setup.
  • [ENG-7519] Fixed a sorting bug that prevented users from accessing the Scheduled Event history page.
  • [ENG-7203] Fixed a bug with the Compliance Scorecard not properly displaying clouds with the same name. Duplicate cloud names in the Scorecard now show as separate rows in the heatmap.

Cloud IAM Governance (Access Explorer) Updates - 21.3.1 Minor Release (04/21/2021)


The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Features & Enhancements (21.3.1)

  • Added a health check to notify if DivvyCloud is unable to harvest details about the AWS Organization structure (IAM Module Only). [ENG-6795]

Cloud IAM Governance Bug Fixes (21.3.1)

  • [ENG-6645] Fixed a bug involving incorrect formatting of policies in the analyzer. This involved additional validation to confirm basic format and structure, along with specific exceptions/errors if the policy cannot be processed.

Divvy Software Release Notice - 21.3.2 Minor Release (04/21/2021)

Release 21.3.2 resolves an issue identified in DivvyCloud’s 21.3.1 release with the filter “Instance Exposing Public SSH” where the filter may return incorrect results for newly harvested AWS EC2s with a potential impact to related Insights and Bot automation. This release ensures that the filter behaves as expected. [ENG-7721]

Divvy Software Release Notice - 21.3.3 Minor Release (05/05/2021)

Minor Release 21.3.3 includes support for AWS RDS Database Proxy (and associated permission), and Azure Diagnostic Settings. This release also includes an enhancement for integration with InsightVM and expanded resource support for IaC. Release 21.3.3 includes multiple new features and general enhancements, a new Bot action, numerous new filters and enhancements to existing filters, and several bug fixes. As always, contact us at [email protected] with any questions.

New Permissions Required (21.3.3)

New Permission Required: AWS

For AWS Standard (Read-Only) Policy:
“rds:DescribeDbProxies”

  • Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional DivvyCloud policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS Standard User (read-only) Policy - Option 1.

MORE ON NEW AWS PERMISSION:

  • “rds:DescribeDbProxies” - Supports added visibility into AWS RDS Database Proxy. [ENG-7570]

User Interface Changes (21.3.3)

  • Updated our Insights Library listing to show the major release in which an Insight was first available. (This functionality already exists for Filters.) [ENG-7601]
  • Added a new view in the Resources section to show the vulnerabilities, exploit kits, and malware associated with compute instances. This view can be accessed when the InsightVM integration is configured. You can read more here. [ENG-7773]
  • Increased the limit of tags from 5 to 10 when viewing resources. [ENG-7718]
  • IAC Configurations now use a table view in place of a Cards view. [ENG-6787]

Features & Enhancements (21.3.3)

AWS

  • Added visibility and EDH support for AWS RDS Database Proxy, AWS’ fully managed, highly available database proxy for Amazon Relational Database Service (RDS). This requires the permission “rds:DescribeDbProxies”. This new resource type, Database Proxy, is found on the Resources main page under the Storage category. [ENG-7570]
  • Added a new filter Data Analytics Workspace Is/Is Not Primary to identify Data Analytics Workspace resources that are primary/not primary. [ENG-7676]
  • Added a new filter Content Delivery Network Not Logging To Specified Storage Container (AWS) to identify Content Delivery resources which do not log to a supplied list of approved S3 buckets. [ENG-7901]
  • Added the option “without” to the filter Load Balancer With/Without Redirection Rules (AWS). [ENG-7681]
  • Added the option “without” to the filter Application Gateway Endpoint Configuration (AWS). [ENG-7605]
  • Added IaC support for Athena Workgroup, Autoscaling Group, Backup Vault, Glue Data Catalog, EBS Snapshot, Workspace Instances, Glacier, and Firehose. [ENG-6683]
  • Added a new filter Cache Instance Automatic Failover Enabled/Disabled (AWS) to identify cache instances that have automatic failover capability by their setting. [ENG-7592]

AZURE

  • Added IaC support for Azure Network Security Group Flow Logs. [ENG-6378]
  • Added visibility into Azure’s Diagnostic Settings, which can be used to send metrics for certain Azure services into Azure Monitor Logs for analysis. This resource can be found under the resource category Identity & Management, as the new resource type Diagnostic Settings. The following new filters have been added to support this resource:
    • Container Registry Invalid Diagnostic Logging Configuration
    • Logic App Invalid Diagnostic Logging Configuration
    • Network Invalid Diagnostic Logging Configuration
    • Access List Invalid Diagnostic Logging Configuration
    • Serverless Function Invalid Diagnostic Logging Configuration
    • One additional filter, Resource Without Diagnostic Settings (Microsoft Azure), was added to support this resource. In addition to Diagnostic Settings, this filter also applies to the following Azure resources: Data Lake Storage, Data Stream, Key Vault, Message Queue, Web App, Network Security Group, Application Gateway, Virtual Network, Function App, Container Registries, and Logic App. [ENG-7240]

MULTI-CLOUD/GENERAL

  • The Splunk and InsightIDR integrations now support API Activity logs. [ENG-7698]
  • Enhanced External Data source feature exception logging. [ENG-7492]
  • Added the ability to limit import scope for AWS/Google/Azure organizations to multiple parents. [ENG-7405]
  • In the template preview for Send Bulk Email action, all external parameters show “This attribute data is collected from an external source if applicable/configured.” This replaces the use of placeholder mock values of the parameter. [ENG-7148]
  • IAC Configurations now allow search on configurations. [ENG-6787]
  • Added two new filters, Kubernetes Resource With Annotations and Kubernetes Resource Without Annotations, to match Kubernetes resources that have/do not have annotations. [ENG-6003]

New Resource (21.3.3)

AWS

  • Added visibility and EDH support for AWS RDS Database Proxy, AWS’ fully managed, highly available database proxy for Amazon Relational Database Service (RDS). This requires the permission “rds:DescribeDbProxies”. This new resource type, Database Proxy, is found on the Resources main page under the Storage category. [ENG-7570]

AZURE

  • Added visibility into Azure’s Diagnostic Settings, which can be used to send metrics for certain Azure services into Azure Monitor Logs for analysis. This resource can be found under the resource category Identity & Management, as the new resource type Diagnostic Settings. The following new filters have been added to support this resource [ENG-7240]:
    • Access List Invalid Diagnostic Logging Configuration
    • Container Registry Invalid Diagnostic Logging Configuration
    • Logic App Invalid Diagnostic Logging Configuration
    • Network Invalid Diagnostic Logging Configuration
    • Serverless Function Invalid Diagnostic Logging Configuration
    • Resource Without Diagnostic Settings (Microsoft Azure)
      • This filter also works with following Azure resources: Data Lake Storage, Data Stream, Key Vault, Message Queue, Web App, Network Security Group, Application Gateway, Virtual Network, Function App, Container Registries, and Logic App.

Actions (21.3.3)

AWS

  • Added the ability to delete and update AWS Application Domains. [ENG-7463]

Insights (21.3.3)

  • The Insight Database Instance Flag 'log_min_duration_statement' Disabled was reconfigured to correctly identify Database Instances whose 'log_min_duration_statement' database flag is not set to -1 (disabled). Customers who have been using that Insight without seeing failures may see failures under the new configuration.

Filters (21.3.3)

AWS

  • Application Gateway Endpoint Configuration (AWS) - This filter was enhanced to include the option “without”. [ENG-7605]
  • Cache Instance Automatic Failover Enabled/Disabled (AWS) - New filter identifies cache instances that have automatic failover capability by their setting. [ENG-7592]
  • Content Delivery Network Not Logging To Specified Storage Container (AWS) - New filter identifies Content Delivery resources which do not log to a supplied list of approved S3 buckets. [ENG-7901]
  • Data Analytics Workspace Is/Is Not Primary - New filter identifies Data Analytics Workspace resources that are primary/not primary. [ENG-7676]
  • Load Balancer With/Without Redirection Rules (AWS) - This renamed filter, originally Load Balancer With Redirection Rules, was enhanced to include the option “Without”. [ENG-7681]

AZURE

  • Access List Invalid Diagnostic Logging Configuration - Supports visibility into Azure’s Diagnostic Settings. [ENG-7240]
  • Container Registry Invalid Diagnostic Logging Configuration - Supports visibility into Azure’s Diagnostic Settings. [ENG-7240]
  • Logic App Invalid Diagnostic Logging Configuration - Supports visibility into Azure’s Diagnostic Settings. [ENG-7240]
  • Network Invalid Diagnostic Logging Configuration - Supports visibility into Azure’s Diagnostic Settings. [ENG-7240]
  • Resource Without Diagnostic Settings (Microsoft Azure) - Supports visibility into Azure’s Diagnostic Settings. This filter works for the following Azure resources: Data Lake Storage, Data Stream, Key Vault, Message Queue, Web App, Network Security Group, Application Gateway, Virtual Network, Function App, Container Registries, and Logic App. [ENG-7240]
  • Serverless Function Invalid Diagnostic Logging Configuration - Supports visibility into Azure’s Diagnostic Settings. [ENG-7240]

MULTI-CLOUD/GENERAL

  • Kubernetes Resource With Annotations and Kubernetes Resource Without Annotations - These two new filters match Kubernetes resources that have/do not have annotations. [ENG-6003]
  • Resource Contains Tag Key Regular Expression - This new filter is similar in functionality to Resource Contains Tag Key And Value Regular Expression, but instead of examining values of tags with specific keys, it examines all keys. It is, therefore, a slower query as it applies a regex to every tag. [ENG-7563]

Bug Fixes (21.3.3)

AWS

  • [ENG-7706] Fixed a bug involving Terraform IaC support for aws_sqs_queue_policy.
  • [ENG-7518] Fixed a bug that would yield a false positive for AWS S3 buckets enforcing encrypted uploads using StringNotLikeIfExists.
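An added illustration (not DivvyCloud's own code) of the distinction behind the ENG-7518 fix: a bucket-policy check that treats a Deny using StringNotLikeIfExists as enforcing encrypted uploads, because the IfExists operator also fires when the header is absent, while a bare StringNotEquals only covers a wrong header and needs a companion Null statement. The bucket name and sample policies are constructed; Principal and Resource scope are assumed to cover the bucket.

```python
# Added illustration (not DivvyCloud's own code): does an S3 bucket policy
# enforce server-side encryption on uploads? The ENG-7518 note above describes
# a false positive for policies using StringNotLikeIfExists, so this checker
# accepts the IfExists operators and knows that they also cover a missing header.

SSE_KEY = "s3:x-amz-server-side-encryption"   # set from the request header
# Negated string operators: a Deny with one of these refuses uploads whose header
# does not match. Only the ...IfExists variants also fire when the header is absent.
NEGATED_OPS = {"StringNotEquals", "StringNotLike",
               "StringNotEqualsIfExists", "StringNotLikeIfExists"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_put_object(stmt):
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"s3:putobject", "s3:*", "*"})

def policy_enforces_sse(policy):
    """True only if uploads with a wrong *or missing* SSE header are denied.

    Principal and Resource scope are assumed to cover the bucket (not checked).
    """
    wrong_value_denied = missing_header_denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _covers_put_object(stmt):
            continue
        for op, keys in stmt.get("Condition", {}).items():
            value = next((v for k, v in keys.items() if k.lower() == SSE_KEY), None)
            if value is None:
                continue
            if op in NEGATED_OPS:
                wrong_value_denied = True
                missing_header_denied |= op.endswith("IfExists")
            elif op == "Null" and str(value).lower() == "true":
                missing_header_denied = True   # header absent -> this Deny applies
    return wrong_value_denied and missing_header_denied

def _deny(condition):  # constructed sample statement on a placeholder bucket
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*", "Condition": condition}

# Constructed sample policies (no real account data).
ONE_STATEMENT = {"Statement": _deny({"StringNotLikeIfExists": {SSE_KEY: "AES256"}})}
TWO_STATEMENTS = {"Statement": [_deny({"StringNotEquals": {SSE_KEY: "AES256"}}),
                                _deny({"Null": {SSE_KEY: "true"}})]}
WRONG_VALUE_ONLY = {"Statement": _deny({"StringNotEquals": {SSE_KEY: "AES256"}})}

if __name__ == "__main__":
    for name, pol in [("ONE_STATEMENT", ONE_STATEMENT), ("TWO_STATEMENTS", TWO_STATEMENTS),
                      ("WRONG_VALUE_ONLY", WRONG_VALUE_ONLY)]:
        print(name, policy_enforces_sse(pol))
```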

AZURE

  • [ENG-7904] Fixed an error where a third-party service may provide incorrect partitioning details to the Azure Network Endpoint harvester.
  • [ENG-7865] Fixed an issue where Azure App Service access restrictions using service tags were handled incorrectly.
  • [ENG-7864] Fixed an issue during harvesting of Azure App Services.
  • [ENG-6815] Added an exception to catch an Azure Key Vault “HttpResponseError: (Unauthorized) AKV10032: Invalid issuer.”

MULTI-CLOUD/GENERAL

  • [ENG-7994] Resolved a bug where the Bot actions "Publish to Cloud Notification Topic" and "Send Message to Queue" resulted in Bots going into an infinite loop.
  • [ENG-7867] Fixed a bug that did not account for vulnerabilities when downloading the resource CSV when Vulnerability View is engaged.
  • [ENG-7741] Fixed a bug where Bots created from Insights created a second Bot without scope. The fix also cleans up duplicate entries of Bots without scope.

Cloud IAM Governance (Access Explorer) Updates - 21.3.3 Minor Release (05/05/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Feature Enhancements (21.3.3)

  • Added role disambiguation to Access Explorer for Federated Users. [ENG-7303]
  • Changed the layout of the EA page, introducing a new feature that allows the user to view the entire policy stack for their selected path, as well as highlight parts of the stack by clicking on items in the policy stack left-side navigator. [ENG-6912]

Cloud IAM Governance Bug Fixes (21.3.3)

  • [ENG-7658] Fixed a variety of bugs:
    • Fixed various mutation bugs.
    • Fixed the ARN class to better handle S3 resources.
    • Fixed a bug in handling of context keys with multiple forward slashes (e.g., “///”).
    • Fixed sentry representation of Action Node with more info for debugging.
    • Fixed a bug with NotAction leading to incorrect analysis.
  • [ENG-7338] Fixed a bug where context keys in conditionals with multiple slash (“/”) characters caused the analyzer to break.
  • [ENG-7335] Fixed a bug in NotAction statements with “*” or “?” and full actions.

Divvy Software Release Notice - 21.3.4 Minor Release (05/12/2021)

Minor Release 21.3.4 includes two feature enhancements, updates to several filters, one UI update, and several bug fixes. As always, contact us at [email protected] with any questions.

User Interface Changes (21.3.4)

  • Updated the resource type name ‘Cloud Search Index’ to ‘Cloud Log Destinations’ in the Identity & Management resource category on the UI. [ENG-8007]

Features & Enhancements (21.3.4)

AWS

  • We are surfacing more information about Cloud Alarms. Specifically, we are surfacing Alarm actions in resource listing and details, i.e., the actions an Alarm takes when in different states: Alarm, Okay, and Insufficient Data. Further, we are generating resource modification hookpoints when those actions change. [ENG-7029]
  • Updated the filter Instance Security Group Count to work with AWS DMS Replication instances with Infrastructure as Code (IaC) Scanning. Read more about IaC here. [ENG-7938]

MULTI-CLOUD/GENERAL

  • Added sorting by column to the Infrastructure as Code (IaC) configuration table. [ENG-7751]

Filters (21.3.4)

AWS

  • Instance Security Group Count - This filter has been updated to work with AWS DMS Replication instances with Infrastructure as Code (IaC) Scanning. Read more about IaC here. [ENG-7938]
  • Notification Subscription Protocol - This filter allows users to identify notification subscriptions by their protocol. It is available for AWS, AWS GovCloud, and AWS China. [ENG-8010]

Bug Fixes (21.3.4)

AWS

  • Fixed a bug with filter "Load Balancer (Application-type) Without Web Application Firewall" to enable it to work correctly again for AWS. [ENG-7502]
  • Fixed the determination of the TLS version for API Gateway Domains when scanning with Terraform. [ENG-8086]

GCP

  • Fixed a bug that would display a Create button when viewing permissions for a GCP Storage resource. [ENG-7739]

MULTI-CLOUD/GENERAL

  • Fixed an issue where database connections were failing to detach from an object, which could lead to running out of connections. [ENG-8121]
  • Revised the resource type name ‘Cloud Search Index’ to ‘Cloud Log Destination’ in the Identity & Management resource category on the UI. [ENG-8007]
  • Improved performance of the /v2/public/entitlements/set API. [ENG-7888]

Cloud IAM Governance (Access Explorer) Updates - 21.3.4 Minor Release (05/12/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at [email protected] with any questions.

Cloud IAM Governance Feature Enhancements (21.3.4)

  • Added the filter Identity Resource Principal With Effective Wildcard Access On Resource. This filter applies to AWS resources. [ENG-6739]

Important Note on Cloud IAM Governance Filter

The filter above requires the implementation of the Parallel Cache Build and whitelisting of accounts.

Divvy Software Release Notice - 21.3.5 Minor Release (05/14/2021)

Release 21.3.5 resolves an issue identified in DivvyCloud’s 21.3.0 release with harvest jobs not getting scheduled. After running for long periods of time, the scheduler may fail to schedule certain harvest jobs, causing a slow leak of harvests. This release resolves this issue and ensures that all harvest jobs are scheduled as specified by the harvest strategy. Contact your CSM or support at [email protected] with questions or concerns.

Bug Fixes (21.3.5)

MULTI-CLOUD/GENERAL

  • [ENG-7852] Resolved issue to ensure that all harvest jobs are scheduled as specified by the harvest strategy.