22.3.6 Release Notes

InsightCloudSec Software Release Notice - 22.3.6 Minor Release (06/08/2022)


Our latest Minor Release 22.3.6 is available for hosted customers on Wednesday, June 8, 2022. Availability for self-hosted customers is Thursday, June 9, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.


LONG UPGRADE TIMES

Release 22.3.6 requires longer-than-usual times for upgrades to accommodate several database schema changes. Depending on your installation, upgrade times of up to two hours may be required. The upgrade process should not be interrupted, so plan accordingly. Please contact us through our Customer Support Portal if you have questions.

Release Highlights (22.3.6)

InsightCloudSec is pleased to announce Minor Release 22.3.6. This Minor Release includes added visibility into AWS WAF resources for tagging and lifecycle support and Memcached AWS ElastiCache instances. We have also made harvesting performance improvements for the resource “Service Event Rules”, increased the maximum number of resource tags that may be included with Compliance Scorecard, and added health monitoring to the Insight Cache that will notify domain administrators if the Insight Cache has not been successfully built for 24 hours. In addition, 22.3.6 includes one updated Insight, two updated Query Filters, and ten bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (22.3.6)


UPDATE TO PERMISSIONS: ALIBABA CLOUD

We have updated our Alibaba Cloud read-only policy. In addition, we have excluded some regions from some of our harvesters where the resource is not supported, e.g., cn-nanjing and ServiceEncryptionKeyHarvester. The revised policy can be viewed in our Alibaba documentation. [ENG-16858]

Features & Enhancements (22.3.6)

MULTI-CLOUD/GENERAL

  • Customers can now see whether permissions related to Container Vulnerability Assessment (CVA) are missing when viewing their harvesting visibility in the cloud listing. [ENG-16685, ENG-16684]
  • Increased the maximum number of resource tags that may be included with Compliance Scorecard exports from 10 to 20. This increase should allow customers with greater tagging requirements to analyze their impacted resources by filtering and sorting across more tags. [ENG-15140]
  • Added health monitoring to the Insight Cache that will notify domain administrators if the Insight Cache has not been successfully built for 24 hours. [ENG-7754]

User Interface Changes (22.3.6)

  • In the Query Filter blade, standardized on a single cloud icon and included tool tips, where necessary, to distinguish between commercial, government, and China offerings. [ENG-15537]

Resources (22.3.6)

AWS

  • Removed the property Target ARNs from the resource “Service Event Rules” because of the negative impact on harvesting performance. The property requires a separate API call list_targets_by_rule that increases “Service Event Rules” harvest remote processing by roughly 10 times. [ENG-16900]

  • Added tag visibility and lifecycle support for AWS WAF resources. [ENG-16885]

  • Added visibility into Memcached AWS ElastiCache instances that are not enforcing transit encryption. This capability was released by AWS in late May. More information can be found here. [ENG-16857]

  • Added ability to track Maintenance and Backup windows for RDS instances. [ENG-15598]

Insights (22.3.6)

GCP

  • Resource Audit Not In Continental US - Updated this Insight to include additional GCP regions that are in the continental United States, specifically us-east5, us-west2, us-west3, and us-west4. [ENG-16874]

Query Filters (22.3.6)

AWS

  • Cloud Region Without Access Analyzer Enabled - Updated Query Filter now only considers active AWS regions. This update ensures that opt-in regions which aren't enabled are not included in the analysis. [ENG-16929]

  • Resource Specific Policy Principal/Action Search - Updated Query Filter by adding the option Exempt Conditional Statements to ignore policies that include a Condition key when filtering. [ENG-16347]

Bug Fixes (22.3.6)

  • [ENG-16930] We have updated the Bot action “Mirror Resource Tags From Parent” to more robustly accommodate parent resources without tags.

  • [ENG-16908] Fixed a display issue where the selected Insight results did not properly update when changing scopes in the Insight Library.

  • [ENG-16876] Fixed an issue with InsightCloudSec users changing authentication servers.

  • [ENG-16824] Fixed an issue involving a deprecated permission for our EDH policies. AWS deprecated permission “sqs:DeleteMessageBatch” by permitting the “DeleteMessageBatch” action when given the permission “sqs:DeleteMessage”. We have updated our EDH policies (EDH Manual IAM Setup Option and EDH Automatic Setup) by removing the deprecated permission.

  • [ENG-16789] Fixed a bug that prevented Insight Exemptions from being viewed in the UI when 200/page was selected.

  • [ENG-16774] Fixed a bug that prevented the summary of compute cores/memory from being displayed on the Oracle Cloud dashboard.

  • [ENG-16748] Fixed a bug that improperly detected Azure Big Data Workspaces as being public when a firewall explicitly blocked access.

  • [ENG-16698] Fixed a regression that was introduced in 22.3.3 where the calculation of a particular Query Filter for orphaned resources would cause excessive memory and computational load that may have impacted Insight and Scorecard reports.

  • [ENG-16305] Fixed a bug where downloading the JSON export of resource detail failed when a particular feature flag was not enabled.

  • [ENG-15550] Fixed a bug in the Query Filter Resource Encrypted With Keys Other Than Provider Default for Azure’s Cosmos DB resource. Note: For the Query Filter to work, the key vault associated with the Cosmos DB resource must have an access policy for the App that's using the resource. After adding the access policy in the key vault, run the Encryption key vault harvester and the DistributedTables harvester, and then apply the filter.
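
For the EDH policy change in ENG-16824 above, a hand-maintained IAM policy can be checked for the deprecated action and for the permission that replaces it. This is an added example, not InsightCloudSec code; the sample policy, account ID, queue name and function names are constructed for illustration.

```python
import copy
from fnmatch import fnmatchcase

DEPRECATED = "sqs:deletemessagebatch"  # deprecated permission named in ENG-16824
REQUIRED = "sqs:deletemessage"         # permission that covers DeleteMessageBatch

# Constructed sample policy (not the real EDH policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessageBatch"],
         "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"},
        {"Effect": "Allow", "Action": "sqs:DeleteMessage",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"},
    ],
}

def _as_list(value):
    """IAM allows a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (indexes of statements naming the deprecated action,
    True if some Allow statement grants sqs:DeleteMessage, wildcards included)."""
    deprecated_in, delete_allowed = [], False
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if DEPRECATED in actions:
            deprecated_in.append(idx)
        if stmt.get("Effect") == "Allow" and any(
                fnmatchcase(REQUIRED, pattern) for pattern in actions):
            delete_allowed = True
    return deprecated_in, delete_allowed

def strip_deprecated(policy):
    """Return a copy without the deprecated action; a statement whose
    only action was the deprecated one is dropped entirely."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for stmt in _as_list(cleaned.get("Statement")):
        if "Action" in stmt:
            actions = [a for a in _as_list(stmt["Action"]) if a.lower() != DEPRECATED]
            if not actions:
                continue
            stmt["Action"] = actions
        kept.append(stmt)
    cleaned["Statement"] = kept
    return cleaned
```

If `audit_policy` reports the deprecated action but no grant of `sqs:DeleteMessage`, add that permission before removing the deprecated one so batch deletes keep working.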