22.3.1 Release Notes

InsightCloudSec Software Release Notice - 22.3.1 Minor Release (05/04/2022)

Our latest Minor Release 22.3.1 is available for hosted customers on Wednesday, May 4, 2022. Availability for self-hosted customers is Thursday, May 5, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Release Highlights (22.3.1)

InsightCloudSec is pleased to announce Minor Release 22.3.1. This minor release includes support for Alibaba Kubernetes Clusters and AWS CloudHSM. 22.3.1 also provides enhanced API key management allowing users to specify an expiration, updates to enable the creation of an exemption from the Compliance Scorecard, and a new Bot action in support of our InsightVM integration. In addition, this release includes two updated Insights, eight updated Query Filters, two new Query Filters, one new Bot action, and seven bug fixes.

For our Cloud IAM Governance module, we have details around one bug fix.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (22.3.1)

New Permissions Required: AWS

For AWS Commercial Standard (Read-Only) Users:
"cloudhsm:DescribeClusters"

For AWS Commercial Power Users:
"cloudhsm:*"

For AWS GovCloud Standard (Read-Only) Users:
"cloudhsm:Describe*"

For AWS GovCloud Power Users:
"cloudhsm:*"

These new permissions support the added resource AWS CloudHSM. [ENG-14491]

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
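An added check, not InsightCloudSec code, that verifies an IAM policy document grants the CloudHSM actions listed above using IAM's action wildcard semantics (`*` and `?`, case-insensitive, explicit Deny wins). It looks only at `Effect` and `Action`, ignoring `Resource`, `Condition` and `NotAction`, and treats a wildcard requirement such as `cloudhsm:Describe*` as satisfied only by a grant at least as broad; the sample policy is constructed for illustration.

```python
import fnmatch
import json

# Permissions listed in the 22.3.1 release notes for the new AWS CloudHSM resource.
REQUIRED_ACTIONS = {
    "aws_commercial_standard": ["cloudhsm:DescribeClusters"],
    "aws_commercial_power": ["cloudhsm:*"],
    "aws_govcloud_standard": ["cloudhsm:Describe*"],
    "aws_govcloud_power": ["cloudhsm:*"],
}


def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single value or a list.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    # A required wildcard (e.g. "cloudhsm:Describe*") only matches a granted
    # pattern that is at least as broad, so this check is deliberately conservative.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """True if the policy document allows `action`; an explicit Deny overrides."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        if any(_action_matches(p, action) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, required):
    """Return the required actions the policy does not grant."""
    return [a for a in required if not policy_allows(policy, a)]


# Constructed sample: a minimal supplemental policy of the kind the note above
# recommends attaching next to the AWS managed read-only policy.
SUPPLEMENTAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudhsm:DescribeClusters"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for role, actions in REQUIRED_ACTIONS.items():
        print(role, "missing:", missing_actions(SUPPLEMENTAL_POLICY, actions))
```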

Features & Enhancements (22.3.1)

API Key Management
We have added the ability to add an "expiration date" to generated API keys. Once this expiration date has passed, the API key is no longer usable and users will need to regenerate the API key.

We have added the ability to set a maximum age for API keys. Configuring this setting will force users creating API keys to follow this setting and limit the maximum expiration date for all generated API keys. Note that this will not retroactively update the expiration date for any existing keys; these keys will have to be deactivated or regenerated.

We have added a page in the product to review the API keys across the user base. This page includes information about the age of the API key, the expiration date of the API key, and the last time the API key was used. Check out details on this feature here. [ENG-15128]

ALIBABA

  • Improved harvesting times of Alibaba Cloud service-managed policies. [ENG-16192]

AWS

  • Updated the ServiceEventHistory table that's used by EDH to store the full text associated with an EDH event. This change also includes a new Query Filter Resource Provisioned Using Terraform that uses the data in user_agent_details to identify if a resource was provisioned by Terraform. [ENG-16041]

GCP

  • Updated the subnet harvester and reduced harvesting cadence for networks/subnets to reduce GCP Cloud Asset Inventory API calls. [ENG-16195]

MULTI-CLOUD/GENERAL

  • The desired vertical sorting value is persisted as a user setting when browsing the Resources section of the product. [ENG-16146]

  • Updated IVM integration settings with additional information that allows ICS to perform write operations against IVM consoles (e.g., delete asset). [ENG-16114]

  • Updated method for counting security group associations when working with Elasticache Replication Groups. For historical reasons, we considered each Elasticache Replication Group node as a separate association. We think it is more accurate to count the Elasticache Replication Group as a whole as a single association. So, if you have an Elasticache Replication Group with 6 nodes, after this update, its security group association count will decrease by 5 as the 6 associations with Elasticache Replication Group nodes are replaced by a single association with the Elasticache Replication Group itself. [ENG-16109]

  • Added the ability to get the details of a resource by passing a cloud namespace ID as a query string parameter in the Resources section. [ENG-16029]

  • Improved labeling of Query Filter blade dropdown menus. [ENG-15986]

  • This change adds a visual warning to the user for applying multiple resource Query Filters that have no supported types. This change also disables the save button when in this state and adds a tooltip to more completely explain the issue to the user. [ENG-15307]

  • Enabled a system setting to automatically remove IaC scans older than a user-defined number of days. [ENG-15181]

  • Enhanced the InsightVM integration to optionally accept Nexpose Console credentials that, when set, enable customers to use a new Bot action “Delete InsightVM Agent” that can clean up InsightVM assets in real time after they've been deleted from a cloud provider. Check out the following to see details on enabling this. [ENG-15058]

  • Users can now create exemptions from the Compliance Scorecard. Details on this process are documented here. [ENG-14736]

  • Added a new column in CSV download from Resources page for Cloud Accounts with payer_account details. [ENG-10736]

Resources (22.3.1)

ALIBABA

  • Introduced visibility to all four types of Kubernetes Clusters within Alibaba Cloud: Serverless, Edge, Dedicated and Standard. This change includes updates to several container cluster Query Filters (Kubernetes Cluster Engine Endpoint Public Access Enabled/Disabled, Kubernetes Cluster Version, and Container Cluster Type) as well as Alibaba Cloud support for the Insight EKS Container Cluster With Public Access Enabled. Note that while tag visibility is in the change, it is not currently possible to update tags on clusters from our tool. This resource can be found under the Containers category, resource type Clusters. [ENG-15930]

AWS

  • Added visibility into AWS IAM policy paths and updated the Query Filters Identity Resource Path Matches and Identity Resource Path Does Not Match. [ENG-16006]

  • Introduced visibility and tag support to AWS hardware security modules, AWS CloudHSM. Support includes the ability to view resource tags, delete the cluster, and identify orphaned clusters without at least one defined HSM and audit tagging policies. This new resource is part of the Compute category, HSM Cluster type. A new permission, “cloudhsm:DescribeClusters”, is required. [ENG-14491]

Insights (22.3.1)

MULTI-CLOUD/GENERAL

  • Cluster Not Upgraded to the Latest Version - Insight will now be automatically updated with the latest version of Kubernetes and will also be specific to each Cloud Provider rather than one value for all. [ENG-12674]

  • EKS Container Cluster With Public Access Enabled - This Insight was renamed to EKS/ACK Container Cluster With Public Access Enabled. The Insight identifies AWS (EKS) and Alibaba (ACK) Kubernetes clusters across accounts which have the Endpoint Public. [ENG-15930]

Query Filters (22.3.1)

ALIBABA

  • Container Cluster Type - Updated Query Filter now supports Kubernetes Clusters within Alibaba Cloud. [ENG-15930]

  • Kubernetes Cluster Engine Endpoint Public Access Enabled/Disabled (EKS) - Updated Query Filter was renamed Kubernetes Cluster Engine Endpoint Public Access Enabled/Disabled and identifies Kubernetes cluster engines with endpoint public access enabled/disabled. The Query Filter now supports Kubernetes Clusters within Alibaba Cloud. [ENG-15930]

  • Kubernetes Cluster Version (EKS/AKS/GKE) - Updated Query Filter was renamed to Kubernetes Cluster Version. It identifies Kubernetes clusters by specific version. The Query Filter now supports Kubernetes Clusters within Alibaba Cloud. [ENG-15930]

AWS

  • Graph API Using HTTP Data Source - New Query Filter identifies AWS AppSync resources that are leveraging cleartext HTTP for their data source. [ENG-15527]

  • Identity Resource Path Matches - Updated Query Filter now also accounts for AWS IAM policy. [ENG-16006]

  • Identity Resource Path Does Not Match - Updated Query Filter now also accounts for AWS IAM policy. [ENG-16006]

  • Resource Provisioned Using Terraform - New Query Filter identifies resources provisioned using Terraform. [ENG-16041]

MULTI-CLOUD/GENERAL

  • Access List Rule Source/Destination Network - Updated Query Filter to handle egress rules like ingress rules. [ENG-13388]

  • Log Group Size At Least - Updated Query Filter includes the ability to specify the target size in bytes. [ENG-16026]

  • Resource Not In Cloud With Badge Key/Value - Updated Query Filter has removed the five-badge limit that was originally placed to reduce the risk of creating a slow query (or Insight); in practice the limit no longer seems necessary. [ENG-8344]

Bot Actions (22.3.1)

  • “Delete InsightVM Agent” - New Bot action can clean up InsightVM assets in real time after they've been deleted from a cloud provider. [ENG-15058]

Bug Fixes (22.3.1)

  • [ENG-16222] Fixed a bug that prevented the removal of core Insights from custom Insight Packs.

  • [ENG-16165] Fixed an issue where, in edge cases, the Insight count on the Compliance Packs page did not match the count on the Insights page.

  • [ENG-16131] Fixed a bug that prevented Oracle Kubernetes Engine (OKE) clusters from being harvested.

  • [ENG-16106] Fixed the Jinja preview capability in BotFactory so that it handles situations where there are no resources in scope to preview. In those cases, and only for preview purposes, we de-scope the selection criteria and show another example resource.

  • [ENG-15956] Fixed an issue with the presentation of the Oracle Cloud logo.

  • [ENG-15899] Fixed an issue where, in some cases, the resource creation timestamp was updated incorrectly.

  • [ENG-15484] Fixed an edge case impacting collection of Azure Network Firewalls when the firewalls did not have an IP configuration.

Cloud IAM Governance (Access Explorer) Updates - 22.3.1 Minor Release (05/04/2022)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.

Contact us at Customer Support Portal with any questions.

Cloud IAM Governance Bug Fixes (22.3.1)

  • [ENG-16120] Fixed a slow query when running a cache build in Access Explorer with a large number of ServiceRoles in the database.