Our latest Minor Release 22.3.2 is available for hosted customers on Wednesday, May 11, 2022. Availability for self-hosted customers is Thursday, May 12, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
InsightCloudSec is pleased to announce Minor Release 22.3.2. This Minor Release includes a new GCP Compliance Pack, “Center for Internet Security (CIS) - GCP 1.3.0”. This release also includes new support for Azure Traffic Manager, expanded support for AWS MSK Serverless, and support for 15 additional GCP Recommenders. In addition, 22.3.2 includes 22 new Insights, three updated Insights (details on two below), one new Query Filter, five updated Query Filters, and 13 bug fixes.
These following Insights have been updated:
Autoscaling Group Automatic OS Upgrades Enabledto the inverse
Autoscaling Group Automatic OS Upgrades Disabledto identify ASGs with upgrades that are disabled.
Instance Not Configured to Use Default Service Accountto the inverse
Instance Configured to Use Default Service Accountto identify instances that are configured to use the default service account.
For our Cloud IAM Governance module, we have details around performance improvements to the IAM cache build.
Contact us through the new unified Customer Support Portal with any questions.
New Permission Required: AZURE
For AZURE Standard (Read-Only) Users:
"Microsoft.Network/trafficManagerProfiles/read" is required to support the Azure Traffic Manager resource. [ENG-14511]
Center for Internet Security (CIS) - GCP 1.3.0
Release 22.3.2 introduces a new Compliance Pack: Center for Internet Security (CIS) - GCP 1.3.0. The new pack includes just over 20 additional GCP Insights (listed under “Insights” below), as well as additional data properties across several resource types. [ENG-16054]
Replaced harvesting of ECR basic findings with gathering of Container Image vulnerabilities using Inspector V2 only. All vulnerability info for container images is now shown in the Vulnerability sidenav; associated columns in the resource listing table (Last Scanned, Finding Count, High, Medium and Low) have been removed. Two Query Filters–
Resource Vulnerable To Specific Vulnerability (CVE)and
Resource Vulnerability Counthave been modified to support the Container Images resource type. [ENG-15814]
All AWS STS AssumeRole session credentials are now automatically refreshed when the harvester or task takes longer than the expiration time. This behavior is now consistent across all AWS session management. [ENG-12653]
Enabled Dynamic Harvesting for Google Cloud accounts on the Harvesting Strategy Listing page. [ENG-16306]
To reduce confusion, we are hiding the
Create Exemptionsbutton when
Show exempted resourcesis selected in the Report Card view of the Compliance Scorecard. [ENG-16373]
Added the Insight Severity to the Cloud Results worksheet of the Compliance Scorecard export. [ENG-16166]
Improved the loading times of the Event Driven Harvesting overview page. [ENG-15630]
Added a setting on the system admin page to generate a message to be displayed on the login screen. Also added the ability to enable/disable the display of this message. [ENG-12485]
Added Network and Route Table related to the subnet to the Dependencies tab of the resource property panel for private subnets. [ENG-9286]
- Expanded MSK Serverless visibility to now harvest in all supported regions. Additional information on the MSK expanded availability can be found here. [ENG-16193]
- We are adding support to the new resource in Azure called Traffic Manager, Azure's new resource for routing incoming traffic for high performance and availability. This new resource is part of the Network category as a new resource type Traffic Manager. A new permission is required: “Microsoft.Network/trafficManagerProfiles/read”. [ENG-14511]
Added support for additional GCP Recommenders into the Recommendations/Recommendation Findings resource types. Added a new Query Filter
Service Role with Recommendation attached (GCP)to support this capability. Newly supported types are [ENG-15549]:
Note: Either of these roles–
cloudsql.viewerare recommended to access the permissions required for these new recommenders. In InsightCloudSec you will need to have the
Recommender APIenabled (as listed here) the specific required permissions are:
Autoscaling Group Automatic OS Upgrades Disabled- Updated Insight reworked and renamed from
Autoscaling Group Automatic OS Upgrades Enabled. Note: Insight now looks for Autoscaling Groups with automatic OS upgrades disabled. [ENG-16310]
Database Instance/Database Cluster Affected By AWS Security Bulletin - AWS-2022-004- Updated Insight renamed from
AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentialsfor clarity. [ENG-15761]
Instance Configured to Use Default Service Account- This Insight was updated and renamed (from
Instance Not Configured to Use Default Service Account) to identify instances that are configured to use the default service account. [ENG-16054]
The following new Insights were created as a part of the new Compliance Pack, “Center for Internet Security (CIS) - GCP 1.3.0”. [ENG-16054]:
Cloud Account Without Cloud Asset Inventory Enabled
Cloud Dataset Without Customer Managed Key
Database Instance Flag '3625 (trace flag)' Enabled
Database Instance Flag 'cross db ownership chaining' Enabled
Database Instance Flag 'external scripts enabled' Enabled
Database Instance Flag 'log_checkpoints' Disabled
Database Instance Flag 'log_duration' Disabled
Database Instance Flag 'log_error_verbosity' Set Incorrectly
Database Instance Flag 'log_executor_stats' Enabled
Database Instance Flag 'log_hostname' Disabled
Database Instance Flag 'log_min_error_statement' Not Set Appropriately
Database Instance Flag 'log_min_messages' Not Set Appropriately
Database Instance Flag 'log_parser_stats' Enabled
Database Instance Flag 'log_planner_stats' Enabled
Database Instance Flag 'log_statement' Not Set Appropriately
Database Instance Flag 'log_statement_stats' Enabled
Database Instance Flag 'remote access' Enabled
Database Instance Flag 'skip_show_database' Disabled
Instance Without Confidential Computing Enabled
Map Reduce Cluster Without Customer Managed Key
Network Without DNS Logging Profile
Serverless Function With Secret In Environment Variables
Database Instance/Database Cluster Affected By AWS Security Bulletin - AWS-2022-004- This updated Query Filter was renamed from
AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentialsfor clarity and consistency with QF naming conventions. [ENG-15761]
Instance Security Group Allows Access From Unknown Public IP- Expanded Query Filter now works with AWS MQ and DynamoDB Clusters. [ENG-11349]
Resource Vulnerability Count- This Query Filter updated to support the Container Images resource type. [ENG-15814]
Resource Vulnerable To Specific Vulnerability (CVE)- This Query Filter updated to support the Container Images resource type. [ENG-15814]
Service Role with Recommendation attached (GCP)- New Query Filter supports additional GCP Recommenders in the Recommendations/Recommendation Findings resource types. [ENG-15549]
Instance Running Unapproved Image (Regex/Age)Updated Query Filter to add an option “not_match”. This allows matching of image names which do not match the supplied expression. [ENG-13048]
[ENG-16395] Fixed a bug where removing a custom Insight from a custom pack deletes that Insight.
[ENG-16349] We have updated several Bot actions so that they follow the intended behavior of removing scheduled events prior to their execution when a resource transitions from non-compliant to compliant. For example, if a message is scheduled via the Bot action "Publish to Notification Topic With Target" about a resource that is non-compliant and – before the scheduled message is sent – the resource becomes compliant, the scheduled delivery of the message will be removed.
[ENG-16327] Fixed a bug with Query Filters
Content Delivery Network With/Without Region Specific Geo Restriction Blockand
Content Delivery Network With/Without Region Specific Geo Restriction Allowto ensure all regions specified are accounted for in the query.
[ENG-16316] Fixed a bug where a credential health check mistook the expiration on AWS AssumeRole credentials and preemptively disabled the account.
[ENG-16218] Fixed a bug related to "Read the Docs" links from the Insights page.
[ENG-16213] Fixed a bug with Web Application Firewall (WAF) harvester.
[ENG-16194] Fixed a bug that prevented the use of the Bot action “Cleanup Resource Access Policy” on AWS Glacier resources.
[ENG-15715] Fixed AWS Content Delivery Network Resources in IaC for compatibility with Exemption Rules. Exemption Rules will now check against CloudFront Distributions' CFT logical IDs and Terraform addresses, rather than the domain at which they serve content.
[ENG-15566] Fixed a bug in the action “Remove Tags From Resource” when the
Case Sensitiveoption is enabled.
[ENG-15390] Fixed an issue where AWS GovCloud accounts were showing an impaired visibility icon after the IncompletePermissionsScan processor ran.
[ENG-14567] Fixed edge case where Organizations created based on other Organizations created duplicate global packs/Insights.
[ENG-12653] Fixed a bug involving AWS STS AssumeRole session credentials failing when the harvester or task took longer than the expiration time. This behavior is now consistent across all AWS session management.
[ENG-10246] Fixed a bug that prevented the inspection of Threat Finding details on an individual resource through the property panel.
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us at Customer Support Portal with any questions.
- Made performance improvements to IAM cache build. [ENG-16319, ENG-16267]