22.3.5 Release Notes

InsightCloudSec Software Release Notice - 22.3.5 Minor Release (06/01/2022)


Our latest Minor Release 22.3.5 is available for hosted customers on Wednesday, June 1, 2022. Availability for self-hosted customers is Thursday, June 2, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Release Highlights (22.3.5)

InsightCloudSec is pleased to announce Minor Release 22.3.5. This Minor Release includes EDH support for AWS CloudFront, added visibility into Azure role assignment usage, and harvesting of the certificate type for GCP SSL certificates. In this release we have updated Bot actions around AWS EC2 instances to support hibernating. We have also revised Insights related to Database Instance Flags for GCP CIS (view the full list below). 22.3.5 also includes three updated Query Filters, five new Query Filters, and 14 bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

Features & Enhancements (22.3.5)

MULTI-CLOUD/GENERAL

  • Improved the confirmation dialog when updating custom Insights to include any linked Bots which will also be updated as a part of the Insight change. [ENG-16678]
  • We now prepend the organization name to resource export downloads when there is more than one organization. [ENG-15438]
  • Container Vulnerability Assessment customers can now open a container definition in multiple browser tabs, which makes it easier to investigate workload vulnerabilities side by side. [ENG-15594]

Resources (22.3.5)

AWS

  • Updated EDH Support for AWS CloudFront to include the following events: CreateDistribution, DeleteDistribution, and UpdateDistribution. [ENG-16652]
  • Added harvesting of the creation date of AWS EC2 SSH Keypair resources to help customers identify keypairs which are in need of rotation based on age. [ENG-16356]

AZURE

  • Added visibility into Azure role assignment usage within the Cloud Limit resource type. The new limit is named RoleAssignmentLimit. [ENG-15108]

GCP

  • Added harvesting of the type of certificate for GCP SSL certificates (managed vs self-managed) and added GCP support to the filter SSL Certificate Type. [ENG-16645]

Insights (22.3.5)

GCP

  • Updated our GCP CIS Insights that relate to Database Instance Flags to filter by database engine type. Without the engine type filter, some Insights flagged database instances as lacking a flag setting that does not apply to their engine (for example, 'contained database authentication' is a SQL Server flag and 'log_checkpoints' a PostgreSQL flag). The updated Insights are [ENG-16649]:
    • Database Instance Flag '3625 (trace flag)' Disabled
    • Database Instance Flag 'contained database authentication' Enabled
    • Database Instance Flag 'cross db ownership chaining' Enabled
    • Database Instance Flag 'external scripts enabled' Enabled
    • Database Instance Flag 'local_infile' Enabled
    • Database Instance Flag 'log_checkpoints' Disabled
    • Database Instance Flag 'log_connections' Disabled
    • Database Instance Flag 'log_disconnections' Disabled
    • Database Instance Flag 'log_duration' Disabled
    • Database Instance Flag 'log_error_verbosity' Not Default
    • Database Instance Flag 'log_executor_stats' Enabled
    • Database Instance Flag 'log_hostname' Enabled
    • Database Instance Flag 'log_lock_waits' Disabled
    • Database Instance Flag 'log_min_duration_statement' Enabled
    • Database Instance Flag 'log_min_error_statement' Not Set Appropriately
    • Database Instance Flag 'log_min_messages' Not Set Appropriately
    • Database Instance Flag 'log_parser_stats' Enabled
    • Database Instance Flag 'log_planner_stats' Enabled
    • Database Instance Flag 'log_statement' Not Set Appropriately
    • Database Instance Flag 'log_statement_stats' Enabled
    • Database Instance Flag 'log_temp_files' Disabled
    • Database Instance Flag 'remote access' Enabled
    • Database Instance Flag 'skip_show_database' Disabled

Query Filters (22.3.5)

AWS

  • Access List Exposes Port (Network ACL) (AWS) - New Query Filter identifies AWS Network ACLs that have specific ports open to the world. [ENG-15832]
  • Autoscaling Launch Configuration IP Address Type - New Query Filter identifies autoscaling launch configurations that launch EC2 instances with public IPs, either because the configuration requests one explicitly or because it defers to a subnet whose auto-assign public IP setting is enabled. This Query Filter will be used to create an Insight supporting the AWS FSBP (Foundational Security Best Practices) pack. [ENG-16728]
  • Cloud Account Without Public Access Bucket Controls - New Query Filter identifies AWS accounts that are missing any, or any combination, of the four account-level S3 Block Public Access controls (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets). It can also be inverted to identify accounts that have any, or any combination, of those controls enabled. [ENG-16700]
  • Cloud Region With/Without API Accounting - New Query Filter assesses whether a region has CloudTrail enabled. This new Query Filter will consider regions covered by organization-wide trails, single-account multi-region trails, and single-account single-region trails. [ENG-14586]
  • Site-to-Site VPN Tunnel Status - New Query Filter identifies site-to-site VPNs that have one or both tunnels down. [ENG-16738]
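The Network ACL filter above depends on how NACLs are actually evaluated: entries are checked in ascending rule number, the first matching entry wins, and rule 32767 denies whatever fell through, so a rule that allows a port to 0.0.0.0/0 exposes nothing if a lower-numbered deny for the same port precedes it. The following is an added example of that evaluation, written for this page and not InsightCloudSec's own implementation; the entry dicts are shaped like the ones boto3's `ec2.describe_network_acls()` returns, and both NACLs below are constructed samples.

```python
# Added example (not InsightCloudSec code): does an AWS Network ACL expose a
# port to the world on ingress? Entry dicts follow the shape returned by
# boto3 ec2.describe_network_acls(); the sample NACLs are constructed.
#
# NACL semantics assumed (AWS documented behaviour): rules are evaluated in
# ascending RuleNumber order, the first entry whose protocol, port range and
# source CIDR match the packet decides, and the catch-all rule 32767 denies
# anything that fell through.

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
TCP, UDP, ALL = "6", "17", "-1"


def _covers_port(entry, port, proto):
    """True if the entry's protocol and port range apply to `port`/`proto`."""
    if entry["Protocol"] == ALL:
        return True                      # all-traffic rules carry no PortRange
    if entry["Protocol"] != proto:
        return False
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return rng["From"] <= port <= rng["To"]


def _from_world(entry):
    return entry.get("CidrBlock") == WORLD_V4 or entry.get("Ipv6CidrBlock") == WORLD_V6


def world_exposes_port(nacl, port, proto=TCP):
    """Return True if a packet from an arbitrary Internet address to `port`
    is allowed by this NACL's ingress rules.

    Only entries whose source is 0.0.0.0/0 (or ::/0) can decide the verdict
    for "the world": a narrower allow earlier in the list does not expose the
    port to everyone, and a narrower deny earlier does not protect it from
    everyone else, so both kinds are skipped.
    """
    ingress = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for entry in ingress:
        if _from_world(entry) and _covers_port(entry, port, proto):
            return entry["RuleAction"] == "allow"
    return False                         # implicit deny


def world_exposed_ports(nacl, ports, proto=TCP):
    """Subset of `ports` this NACL exposes to the world, in ascending order."""
    return sorted(p for p in ports if world_exposes_port(nacl, p, proto))


def _entry(rule, action, proto, cidr, frm=None, to=None, egress=False):
    e = {"RuleNumber": rule, "Egress": egress, "Protocol": proto,
         "RuleAction": action, "CidrBlock": cidr}
    if frm is not None:
        e["PortRange"] = {"From": frm, "To": to}
    return e


# Constructed sample: SSH denied from the world, HTTP/HTTPS allowed from the
# world, RDP allowed only from a private range, then the catch-all deny.
SAMPLE_NACL = {
    "NetworkAclId": "acl-0123456789abcdef0",   # hypothetical ID
    "Entries": [
        _entry(50,    "deny",  TCP, WORLD_V4, 22, 22),
        _entry(100,   "allow", TCP, WORLD_V4, 80, 80),
        _entry(105,   "allow", TCP, WORLD_V4, 443, 443),
        _entry(110,   "allow", TCP, "10.0.0.0/8", 3389, 3389),
        _entry(32767, "deny",  ALL, WORLD_V4),
        _entry(100,   "allow", ALL, WORLD_V4, egress=True),
        _entry(32767, "deny",  ALL, WORLD_V4, egress=True),
    ],
}

# Constructed sample shaped like the default NACL AWS creates with a VPC.
DEFAULT_NACL = {
    "NetworkAclId": "acl-0fedcba9876543210",   # hypothetical ID
    "Entries": [
        _entry(100,   "allow", ALL, WORLD_V4),
        _entry(32767, "deny",  ALL, WORLD_V4),
        _entry(100,   "allow", ALL, WORLD_V4, egress=True),
        _entry(32767, "deny",  ALL, WORLD_V4, egress=True),
    ],
}

if __name__ == "__main__":
    probe = [22, 80, 443, 3389, 8080]
    print("sample NACL exposes:", world_exposed_ports(SAMPLE_NACL, probe))
    print("default NACL exposes:", world_exposed_ports(DEFAULT_NACL, probe))
```

Two caveats a practitioner should keep in mind: the check treats only an exact 0.0.0.0/0 or ::/0 source as "the world", so a pair of /1 entries that together cover all addresses would slip past it, and because NACLs are stateless the exposure is only usable if the egress side also allows the ephemeral return ports, which the check does not examine.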
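The API Accounting filter above has to reason about three kinds of trail at once: an organization trail (visible in member accounts as a shadow trail), a multi-region trail, and a single-region trail that covers only its home region. The example below, added here and not InsightCloudSec's own code, shows that region-coverage logic over constructed trail records shaped like boto3's `cloudtrail.describe_trails(includeShadowTrails=True)["trailList"]`; the `IsLogging` flag normally comes from a separate `get_trail_status()` call and is folded into the samples as a constructed field.

```python
# Added example (not InsightCloudSec's implementation): which regions of an
# account have API accounting, i.e. at least one CloudTrail trail that is
# actually logging there. Trail dicts are shaped like boto3
# cloudtrail.describe_trails(includeShadowTrails=True)["trailList"]; the
# "IsLogging" value is normally fetched via get_trail_status() per trail and
# is folded into the constructed samples below.
#
# Coverage rules assumed (AWS documented behaviour):
#   * a multi-region trail covers every region of the account it belongs to,
#   * an organization trail shows up in member accounts as a shadow trail and
#     covers them like any other trail (its multi-region flag still applies),
#   * a single-region trail covers only its HomeRegion,
#   * a trail whose status is "not logging" covers nothing.

ALL_REGIONS = ("us-east-1", "us-west-2", "eu-west-1")   # constructed subset


def trail_covers_region(trail, region):
    """True if this trail records management events for `region`."""
    if not trail.get("IsLogging", False):
        return False
    if trail.get("IsMultiRegionTrail", False):
        return True
    return trail.get("HomeRegion") == region


def trail_kind(trail):
    """Label for findings: organization / multi-region / single-region."""
    if trail.get("IsOrganizationTrail"):
        return "organization"
    return "multi-region" if trail.get("IsMultiRegionTrail") else "single-region"


def region_accounting(trails, regions=ALL_REGIONS):
    """Map region -> names of trails that give it API accounting ([] = none)."""
    return {r: [t["Name"] for t in trails if trail_covers_region(t, r)]
            for r in regions}


def regions_without_api_accounting(trails, regions=ALL_REGIONS):
    """Sorted list of regions no running trail covers."""
    return sorted(r for r, names in region_accounting(trails, regions).items()
                  if not names)


def _trail(name, home, *, multi=False, org=False, logging=True):
    # Hypothetical account ID; the ARN format is CloudTrail's documented one.
    return {"Name": name, "HomeRegion": home, "IsMultiRegionTrail": multi,
            "IsOrganizationTrail": org, "IsLogging": logging,
            "TrailARN": f"arn:aws:cloudtrail:{home}:111122223333:trail/{name}"}


# Constructed: a member account whose only multi-region coverage is the
# organization trail, but logging on it has been stopped; a single-region
# trail in us-east-1 is still running, so only us-east-1 is covered.
ACCOUNT_A = [
    _trail("org-trail", "us-east-1", multi=True, org=True, logging=False),
    _trail("legacy-use1", "us-east-1"),
]

# Constructed: a healthy multi-region trail plus a stale single-region trail;
# every region is covered, and the stale trail contributes nothing.
ACCOUNT_B = [
    _trail("all-regions", "us-west-2", multi=True),
    _trail("old-euw1", "eu-west-1", logging=False),
]

if __name__ == "__main__":
    for label, trails in (("account A", ACCOUNT_A), ("account B", ACCOUNT_B)):
        for t in trails:
            print(f"{label}: {t['Name']} ({trail_kind(t)}, logging={t['IsLogging']})")
        print(f"{label}: no API accounting in", regions_without_api_accounting(trails))
```

Note that a trail can be logging and still not provide API accounting: event selectors (`get_event_selectors()`) can set `IncludeManagementEvents` to false, leaving only data events. A production check should verify that management events are recorded as well; the example above takes the trail's logging status at face value.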

AZURE

  • Cloud User With/Without Owner Access - Updated and renamed the Query Filter (formerly Cloud User With Owner Access) so that it also supports the inverse condition, i.e. users without Owner access. [ENG-16772]

GCP

  • Resource Associated With Default Role - Expanded support for this Query Filter to work with GCP Dataproc Clusters. [ENG-16552]
  • SSL Certificate Type - Enhanced this Query Filter to add support for GCP. [ENG-16645]

Bot Actions (22.3.5)

AWS

  • Added a "hibernate" action for AWS EC2 instances that meet AWS's hibernation prerequisites. The action is available in BotFactory (under Schedule Hibernate and Periodic Hibernate), and the on-demand action has been updated as well. [ENG-16612]

Bug Fixes (22.3.5)

  • [ENG-16814] Fixed the IaC Terraform converter for AWS encryption keys so that it captures whether a key is public because of a permissive key policy.
  • [ENG-16751] Resolved an issue to ensure findings are saved correctly and do not reappear once processed.
  • [ENG-16744] Fixed an IaC scan policy that evaluated non-string booleans incorrectly and did not set the data model for SQS or S3 resources appropriately.
  • [ENG-16720] Revised JSON to ensure the email body for bulk email includes the correct formatting.
  • [ENG-16698] Fixed a regression that was introduced in 22.3.3 where the calculation of a particular filter for orphaned resources would cause excessive memory and computational load that may have impacted Insight and Scorecard reports.
  • [ENG-16651] Fixed an issue when harvesting GCP Cloud SQL to correctly identify SQL Server engines as sqlserver.
  • [ENG-16564] Fixed an issue that prevented API Gateway Key resources from being scanned.
  • [ENG-16558] Resolved an edge case issue where Bots were failing to delete child resources due to missing parents.
  • [ENG-16521] Hardened the process of adding jobs from plugins to avoid re-loading.
  • [ENG-16513] Updated the configuration to restrict the Query Filter "Load Balancer Invalid Diagnostic Logging Configuration" to Application load balancers as expected.
  • [ENG-16341] Addressed an issue sorting by name and namespace for Container Cron Jobs.
  • [ENG-15491] Fixed an edge case that prevented certain browsers from loading fonts and other assets.
  • [ENG-15055] Clarified failure context for harvesting jobs that failed due to IAM or service control policy.
  • [ENG-12660] Resolved Compliance Scorecard issue where apply button was perpetually in an error state.