22.3.7 Release Notes

InsightCloudSec Software Release Notice - 22.3.7 Minor Release (06/15/2022)

Our latest Minor Release 22.3.7 is available for hosted customers on Wednesday, June 15, 2022. Availability for self-hosted customers is Thursday, June 16, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

LONG UPGRADE TIMES (SELF-HOSTED CUSTOMERS)

For self-hosted customers upgrading from a release including or prior to 22.3.5, this upgrade will require longer-than-usual times to accommodate several database schema changes. (If you have already upgraded to 22.3.6, you will not be impacted.) Depending on your installation, upgrade times of up to two hours may be required. The upgrade process should not be interrupted, so plan accordingly.

Release Highlights (22.3.7)

InsightCloudSec is pleased to announce Minor Release 22.3.7. This Minor Release includes support for AWS EC2 Launch Template resources. With this release we have improved the efficiency of Bot scanning during harvest cycles. 22.3.7 also includes memory and performance improvements to harvesting of AWS Inspector2, Microsoft Defender, and GCP Container Analysis findings. We have also revised the styling and improved the user experience for the Resource Groups capability. In addition, 22.3.7 includes three updated Insights, seven updated Query Filters, six new Query Filters, and 18 bug fixes.

For our Cloud IAM Governance module, we have details around performance improvements and bug fixes for the IAM Access Explorer and cache.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (22.3.7)

New Permission Required: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users:
"ec2:DescribeLaunchTemplateVersions"

This permission "ec2:DescribeLaunchTemplateVersions" supports the newly added resource AWS EC2 Launch Template. [ENG-13798]

Note: We recommend that our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found in AWS IAM Policies: Standard User (Read-Only) AWS-managed supplemental policy.

Features & Enhancements (22.3.7)

ORACLE CLOUD INFRASTRUCTURE (OCI)

  • Oracle Cloud Infrastructure (OCI) user-defined tags are now harvested for all resource types in the product that previously supported freeform tags. [ENG-16094]

MULTI-CLOUD/GENERAL

  • We have updated our relationship storage model across ~35 additional database objects/harvesters. The original update to this pattern has shown dramatically reduced database CPU at scale. Extending the pattern to other resources should bring additional benefits. [ENG-14710]
  • Improved the efficiency of Bot scanning during harvest cycles. Customers with a large number of bots should see a substantial improvement in processing times. [ENG-16121]
  • Added the instance_id property to the Volume resource CSV export to make it easier to associate the resources. [ENG-16993]
  • Added memory and performance improvements to harvesting AWS Inspector2, Microsoft Defender and GCP Container Analysis findings. [ENG-16770]

User Interface Changes (22.3.7)

  • Restyled and improved the user experience within the Resource Groups section of the InsightCloudSec platform. Check out our updated Resource Groups documentation for details. [ENG-16764]

Resources (22.3.7)

AWS
We’ve added a new resource “Launch Template” (Compute category) which represents AWS EC2 Launch Templates. A new permission is required: “ec2:DescribeLaunchTemplateVersions”. We also include delete functionality and the following new Query Filters:

  • Launch Template Orphaned (AWS) - Identifies launch templates not attached to an autoscaling group
  • Launch Template In Use (AWS) - Identifies launch templates attached to an autoscaling group
  • Launch Template References Unknown Image (AWS) - Identifies launch templates that are configured with a machine image that is unknown/orphaned or is associated with a public image.
  • Launch Template Using Image Older Than Threshold (AWS) - Identifies launch templates that are configured with a machine image that is older than the provided number of days.
  • Private image in Autoscaling Launch Template - Identifies images being used by Launch Templates.

This resource type will also work with the Query Filter Resource With Clear Text Secret. [ENG-13798]
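The five Launch Template Query Filters listed above are easy to reason about as set operations over the account's launch templates, Auto Scaling groups and image inventory. The following is an added illustration written for these notes, not InsightCloudSec's own filter code; the data is constructed, and the field names are borrowed from the boto3 `describe_launch_templates`, `describe_auto_scaling_groups` and `describe_images` responses, trimmed to the fields the checks need. It goes slightly beyond the text by also resolving templates that an Auto Scaling group references by name or through a mixed-instances policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real AWS data). Field names follow the boto3
# ec2/autoscaling describe_* responses, trimmed to what the checks need.
NOW = datetime(2022, 6, 15, tzinfo=timezone.utc)

LAUNCH_TEMPLATES = [  # ImageId is taken from each template's default version
    {"LaunchTemplateId": "lt-0aaa", "LaunchTemplateName": "web", "ImageId": "ami-private-1"},
    {"LaunchTemplateId": "lt-0bbb", "LaunchTemplateName": "batch", "ImageId": "ami-public-1"},
    {"LaunchTemplateId": "lt-0ccc", "LaunchTemplateName": "legacy", "ImageId": "ami-gone"},
    {"LaunchTemplateId": "lt-0ddd", "LaunchTemplateName": "old", "ImageId": "ami-private-2"},
]
AUTOSCALING_GROUPS = [
    {"AutoScalingGroupName": "web-asg", "LaunchTemplate": {"LaunchTemplateId": "lt-0aaa"}},
    {"AutoScalingGroupName": "old-asg", "MixedInstancesPolicy": {"LaunchTemplate": {
        "LaunchTemplateSpecification": {"LaunchTemplateName": "old"}}}},
    {"AutoScalingGroupName": "lc-asg", "LaunchConfigurationName": "lc-legacy"},  # no template
]
IMAGES = {  # AMIs visible to the account; an AMI missing here is "unknown/orphaned"
    "ami-private-1": {"Public": False, "CreationDate": NOW - timedelta(days=30)},
    "ami-public-1": {"Public": True, "CreationDate": NOW - timedelta(days=10)},
    "ami-private-2": {"Public": False, "CreationDate": NOW - timedelta(days=400)},
}


def referenced_template_ids(asgs, templates):
    """IDs of launch templates referenced by any ASG, whether directly or via a
    mixed-instances policy, and whether referenced by ID or by name."""
    name_to_id = {t["LaunchTemplateName"]: t["LaunchTemplateId"] for t in templates}
    refs = set()
    for asg in asgs:
        spec = asg.get("LaunchTemplate") or (
            asg.get("MixedInstancesPolicy", {}).get("LaunchTemplate", {})
            .get("LaunchTemplateSpecification"))
        if not spec:
            continue  # ASG uses a launch configuration, not a launch template
        tid = spec.get("LaunchTemplateId") or name_to_id.get(spec.get("LaunchTemplateName"))
        if tid:
            refs.add(tid)
    return refs


def launch_template_orphaned(templates, asgs):
    """Launch Template Orphaned: templates not attached to any ASG."""
    used = referenced_template_ids(asgs, templates)
    return sorted(t["LaunchTemplateId"] for t in templates if t["LaunchTemplateId"] not in used)


def launch_template_in_use(templates, asgs):
    """Launch Template In Use: templates attached to at least one ASG."""
    used = referenced_template_ids(asgs, templates)
    return sorted(t["LaunchTemplateId"] for t in templates if t["LaunchTemplateId"] in used)


def launch_template_unknown_image(templates, images):
    """Launch Template References Unknown Image: AMI missing from inventory or public."""
    return sorted(t["LaunchTemplateId"] for t in templates
                  if t["ImageId"] not in images or images[t["ImageId"]]["Public"])


def launch_template_image_older_than(templates, images, days, now=NOW):
    """Launch Template Using Image Older Than Threshold: known AMI older than `days`."""
    cutoff = now - timedelta(days=days)
    return sorted(t["LaunchTemplateId"] for t in templates
                  if t["ImageId"] in images and images[t["ImageId"]]["CreationDate"] < cutoff)


def private_images_in_launch_templates(templates, images):
    """Private image in Autoscaling Launch Template: private AMIs used by templates."""
    return sorted({t["ImageId"] for t in templates
                   if t["ImageId"] in images and not images[t["ImageId"]]["Public"]})


if __name__ == "__main__":
    print("orphaned:", launch_template_orphaned(LAUNCH_TEMPLATES, AUTOSCALING_GROUPS))
    print("in use:", launch_template_in_use(LAUNCH_TEMPLATES, AUTOSCALING_GROUPS))
    print("unknown image:", launch_template_unknown_image(LAUNCH_TEMPLATES, IMAGES))
    print("older than 90d:", launch_template_image_older_than(LAUNCH_TEMPLATES, IMAGES, 90))
    print("private images:", private_images_in_launch_templates(LAUNCH_TEMPLATES, IMAGES))
```

Note that a template whose AMI is no longer visible is reported by the unknown-image check but deliberately not by the age check, since there is no creation date to compare; in practice you would want both filters attached to the same Insight so that neither case slips through.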

Insights (22.3.7)

AZURE

  • Public IP Address Unattached - Insight updated to include support for Azure. [ENG-17039]
  • Storage Container Without Access Logging - Insight updated to include support for Azure. [ENG-17039]

MULTI-CLOUD/GENERAL

  • When creating an Insight, users are now shown an error message when they select more than one Query Filter and the combination is not compatible with any resource types. [ENG-10266]
  • Network Interface Orphaned - This Insight was enhanced to consider Private Endpoints. [ENG-13510]

Query Filters (22.3.7)

AWS

  • Database/Big Data Instance Master Username - Broadened resource support for this Query Filter to include Database Clusters, Database Snapshots, and Big Data Snapshots. Accordingly, we are updating the Query Filter name to Resource Master Username. This Query Filter can be used to identify resources that have default or insecure master usernames, which maps to several AWS Foundational Security Best Practices (FSBP) controls [ENG-16944]:

    • RDS.24 | RDS database clusters should use a custom administrator username
    • RDS.25 | RDS database instances should use a custom administrator username
    • Redshift.8 | Amazon Redshift clusters should not use the default Admin username
  • Enhanced two AWS database Query Filters to support Database Migration Instances [ENG-16511]:

    • Database/Database Migration/Broker/Cache Database Cluster With Minor Upgrades Enabled (AWS)
    • Database/Database Migration/Broker/Cache Database Cluster Without Minor Upgrades Enabled (AWS)
  • Added multiple new Query Filters to support the new resource “Launch Templates” [ENG-13798]:

    • Launch Template Orphaned (AWS) - Identifies launch templates not attached to an autoscaling group
    • Launch Template In Use (AWS) - Identifies launch templates attached to an autoscaling group.
    • Launch Template References Unknown Image (AWS) - Identifies launch templates that are configured with a machine image that is unknown/orphaned or is associated with a public image.
    • Launch Template Using Image Older Than Threshold (AWS) - Identifies launch templates that are configured with a machine image that is older than the provided number of days.
    • Private image in Autoscaling Launch Template - Identifies images being used by Launch Templates.
  • Resource Master Username - Query Filter was renamed from Database/Big Data Instance Master Username (above) and broadened to identify resources that have default or insecure master usernames. [ENG-16944]

  • Resource With/Without Resource Access Policy - New Query Filter finds resources, including AWS REST API Gateways, with/without resource access policies. [ENG-16952]

MULTI-CLOUD/GENERAL

  • API Access Key Creation Date Threshold - New Query Filter identifies API access keys whose age exceeds a target date. [ENG-16959]
  • Content Delivery Network With/Without Region Specific Geo Restriction Allow - Updated Query Filter includes an “Additional Regions” flag to allow for non-exact matching of CDN geo-restrictions. [ENG-16581]
  • Content Delivery Network With/Without Region Specific Geo Restriction Block - Updated Query Filter includes an “Additional Regions” flag to allow for non-exact matching of CDN geo-restrictions. [ENG-16581]
  • Resource Security Group Has Public IP Space - Expanded Query Filter includes new optional input for security group names to exclude from analysis. [ENG-16647]

Bot Actions (22.3.7)

AWS

  • Enabled the start/stop cluster action to be added to bots targeting AWS Database Instances, allowing the associated Database Cluster to be started/stopped as needed. [ENG-14958]
  • Added support for starting and stopping AWS Lightsail instances both on-demand and as a Bot Action. [ENG-14960]

AZURE

  • Added support for disabling public access via Bot actions for Azure Event Hubs. [ENG-14982]
  • Added Bot action for disabling public network access for Microsoft Azure disks. [ENG-14974]

Bug Fixes (22.3.7)

  • [ENG-17070] Fixed a bug that used incorrect API endpoints for select harvesters in Azure China/Azure Government subscriptions.

  • [ENG-17058] Fixed an issue where dynamic scheduling metrics failed to execute if the scheduler was still generating the harvester jobs table.

  • [ENG-17040] Improved the efficiency of Bot scanning during harvest cycles. Customers with a large number of Bots should see a substantial improvement in processing times.

  • [ENG-16973] Fixed a bug in the Query Filter Resource Encrypted With Provider Default Keys for AWS Athena Workgroups (Data Analytics Workspaces in ICS) so that it correctly identifies both existing resources and planned resources when using IaC scanning, and within the back-office Insight Data Analytics Workspace Encrypted Using Cloud Managed Key Instead Of Customer Provided Key.

  • [ENG-16953] Fixed a bug where VPC information associated with AWS Serverless Functions was failing to display in the user interface.

  • [ENG-16936] Fixed a bug in the Query Filter Encryption Key Using/Not Using HSM which manifested when evaluating encryption keys with impaired visibility due to missing harvest permissions.

  • [ENG-16901] Fixed a bug where the Resource Type column wasn't sorting properly in the Exemption Rules page.

  • [ENG-16898] Fixed a bug where some RDS Oracle instances were incorrectly flagged as enforcing encryption.

  • [ENG-16887] Fixed an issue where missing policy assignments in Microsoft Defender policies prevented some cloud properties from being harvested.

  • [ENG-16701] Fixed a bug where AWS IAM policies could not be deleted due to the presence of multiple policy versions.

  • [ENG-16472] We have broken down the background job ResourceAgentProcessor to run against a target agent_type instead of iterating over all agents in a single pass. This model should help reduce the run time for larger customers and make it more obvious which job to trigger.

  • [ENG-16168] Fixed a pagination bug in the Compliance Scorecard view that didn't honor the selected page setting.

  • [ENG-14329] Fixed scorecard pagination bug.

  • [ENG-12272] Fixed a bug where the comma (,) character would not separate Email addresses when building a new Email subscription in the Compliance Scorecard.

  • [ENG-9940] Fixed a bug that prevented cloud accounts from being searched in the Logs section of the tool.

  • [ENG-9937] Fixed a bug where the system didn't display a warning message to users when they attempt to associate an empty data collection with a filter in the Resources section.

  • [ENG-9890] Fixed an issue where some resource tags were not purged from the database when the resource was deleted.

  • [ENG-4687] Fixed a minor filtering bug on the report page.

Cloud IAM Governance (Access Explorer) Updates - 22.3.7 Minor Release (06/15/2022)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.

Contact us at Customer Support Portal with any questions.

Cloud IAM Governance Bug Fixes (22.3.7)

  • Fixed issues to improve the performance of the IAM cache build. [ENG-16461]

  • Added validation of the partition and service fields of Amazon Resource Names (ARNs), as specified in the AWS General Reference. [ENG-16181]

  • Enhanced validation of more complex policy syntax. Customers who make use of these policy elements may see more results in the Access Explorer. Examples of the fixed syntax:

    • Principals with identity policies that allow “Action:*” and service control policies or permission boundaries that allow only specific actions [ENG-16704]
    • Policy stacks that contain service control policies and combine NotAction with any resource other than “*” or a resource-specific context key (aws:RequestedRegion) [ENG-16703]
  • Fixed “ForAnyValue” conditionals that contain context keys related to the principal (such as aws:PrincipalTag) and related to the resource (such as aws:RequestedRegion). [ENG-16531]

  • Fixed any multi-clause condition that depends on data from both the principal and resource. [ENG-16531]

  • Fixed issue for principals affected by multiple statements with NotAction and Condition in identity policies. [ENG-16531]

  • Fixed issue involving Identity policies with multiple statements, at least one of which contains NotAction and one of which contains Action. [ENG-16531]