21.4.7 Release Notes - InsightCloudSec


Announcing InsightCloudSec

Last week on July 7, 2021 we shared our rebrand with customers. This week, we are pleased to present the 21.4.7 InsightCloudSec by Rapid7 Release Notes.

Our release notes, which you know and love, will continue to carry all of the same detailed content for our product, just under our new Rapid7 product name.

  • The DivvyCloud/InsightCloudSec product documentation is actively under renovation. While our URL (docs.divvycloud.com) will stay the same for the interim, the logo and naming have been revised to reflect our new name.

  • Additional updates for all content, including logos, text, screen captures, and feature documentation, are ongoing. For the next several weeks/months the documentation may reference either InsightCloudSec or DivvyCloud.

The most important thing to note is that the product functionality has remained the same. If you have any questions or concerns, we are always here to help. Reach out to us through [email protected].


Release Availability

Our latest minor release, 21.4.7, is available for hosted customers on Wednesday, July 14, 2021. Availability for self-hosted customers is Thursday, July 15, 2021. If you're interested in learning more about becoming a hosted customer, reach out to [email protected].

InsightCloudSec Software Release Notice - 21.4.7 Minor Release (07/14/2021)

Release Highlights (21.4.7)

InsightCloudSec is pleased to announce Minor Release 21.4.7. This minor release includes added visibility into the transit encryption property for AWS DynamoDB DAX Clusters (and a recommended permission removal), Infrastructure-as-Code (IaC) support for SNS Subscription in Terraform, a new Bot action for Service Roles, and an expanded Bot action to support multiple resource types. In addition, this release includes one new filter, one enhanced filter, and a handful of bug fixes.

As always, contact us at [email protected] with any questions.

Permission Removal (21.4.7)


PERMISSION REMOVAL: AWS

AWS Standard (Read-Only) Users May Remove:
“dax:ListTags”

This permission removal is a result of retrieving AWS DynamoDB DAX Cluster tags using the more efficient AWS Resource Groups Tagging API. Removal of the permission is optional but recommended. [ENG-8821]

Note: We recommend that our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

User Interface Changes (21.4.7)

  • See the callout above concerning the rebrand from DivvyCloud to InsightCloudSec.

Features & Enhancements (21.4.7)

AWS

  • Added visibility into the transit encryption property for AWS DynamoDB DAX Clusters. DynamoDB DAX tags are now retrieved using the more efficient AWS Resource Groups Tagging API. This results in an optional but recommended removal of the permission "dax:ListTags" from the Standard (Read-Only) User policy. [ENG-8821]
  • Added visibility into envelope encryption for AWS EKS clusters with a new filter Container Cluster Without Envelope Encryption For Secrets (AWS EKS). [ENG-8819]
  • Added a new attribute called 'build_image' to the BuildProjects resource, which shows the image the Code Build project is working on. [ENG-7987]

MULTI-CLOUD/GENERAL

  • Updated the filter Cloud User With Access From Unauthorized Domain to support multiple authorized domains. [8946]
  • Expanded the Bot Action "Mirror Resource Tags From Parent" to support other resource types. Now, in addition to mirroring tags from compute resources to their associated Volumes and Snapshots, you can mirror tags to their Network Interfaces and from Networks to their corresponding Subnets and Route Tables. [ENG-8945]
  • Added a new action for Service Roles. Whether directly or via bot, customers can now revoke the session of a Service Role by attaching an inline Service Policy. This action can be customized to block future sessions too. This action can be helpful for customers that want to suspend inactive roles, for example, but do not want to delete them in case they are needed in the future. [ENG-8916]

Infrastructure-as-Code (IaC) New Support (21.4.7)

  • Added IaC support for SNS Subscription in Terraform. [ENG-7256]

Actions (21.4.7)

  • Expanded the Bot Action "Mirror Resource Tags From Parent" to support other resource types. Now, in addition to mirroring tags from compute resources to their associated Volumes and Snapshots, you can mirror tags to their Network Interfaces and from Networks to their corresponding Subnets and Route Tables. [ENG-8945]
  • Added a new action for Service Roles. Whether directly or via bot, customers can now revoke the session of a Service Role by attaching an inline Service Policy. This action can be customized to block future sessions too. This action can be helpful for customers that want to suspend inactive roles, for example, but do not want to delete them in case they are needed in the future. [ENG-8916]
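
The Service Role action above works by attaching an inline policy. These notes do not show the policy InsightCloudSec attaches, so the following added example (not product code) assumes the standard AWS IAM pattern for revoking role sessions: a deny-all statement conditioned on `aws:TokenIssueTime`, with the condition dropped to block future sessions too. The helper names and sample times are constructed for illustration.

```python
import json
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC, the form IAM date conditions accept


def revoke_sessions_policy(cutoff, block_future=False):
    """Inline deny-all policy for a role (hypothetical helper, not product code).

    block_future=False: deny only sessions whose token was issued before `cutoff`.
    block_future=True:  unconditional deny, so new sessions are blocked as well.
    """
    statement = {"Effect": "Deny", "Action": "*", "Resource": "*"}
    if not block_future:
        stamp = cutoff.astimezone(timezone.utc).strftime(TS_FORMAT)
        statement["Condition"] = {"DateLessThan": {"aws:TokenIssueTime": stamp}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def session_denied(policy, token_issue_time):
    """Tiny evaluator that understands only the two policy shapes built above."""
    for statement in policy["Statement"]:
        condition = statement.get("Condition")
        if condition is None:
            return True  # unconditional deny applies to every session
        limit = datetime.strptime(
            condition["DateLessThan"]["aws:TokenIssueTime"], TS_FORMAT
        ).replace(tzinfo=timezone.utc)
        if token_issue_time < limit:
            return True  # token predates the cutoff, so the session is revoked
    return False


if __name__ == "__main__":
    # Constructed sample cutoff; print the policy document that would be attached.
    cutoff = datetime(2021, 7, 14, 12, 0, tzinfo=timezone.utc)
    print(json.dumps(revoke_sessions_policy(cutoff), indent=2))
```

Because the role itself is left in place, detaching the inline policy later restores it, which fits the suspend-but-do-not-delete use case described above.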

Filters (21.4.7)

AWS

  • Container Cluster Without Envelope Encryption For Secrets (AWS EKS) - New filter adds visibility into envelope encryption for AWS EKS clusters. [ENG-8819]

MULTI-CLOUD/GENERAL

  • Cloud User With Access From Unauthorized Domain - This filter was enhanced to support multiple authorized domains. [8946]

Bug Fixes (21.4.7)

AWS

  • [ENG-8932] Added missing tag visibility and lifecycle support for AWS IAM/ACM SSL certificates. We supported tag harvesting for ACM certificates, but not for IAM certificates.
  • [ENG-8902] Fixed an issue with filter Encryption Key Rotation Disabled. Updated the filter to exclude asymmetric AWS encryption keys.

MULTI-CLOUD/GENERAL

  • [ENG-8974] Fixed a bug in the Compliance Scorecard Excel export that did not reflect the severity of Insight Exemptions.
  • [ENG-8512] Fixed an issue with the ‘Not In’ option of filter Resource Specific Policy Principal/Action Search. The filter no longer returns resources without policies; it does find resources with policies that have certain properties – either by matching inputs or not matching inputs.
  • [ENG-7092] Fixed sorting problems for the Insights section ‘Resource Breakdown’ column of the Insights Library.