23.1.25 Release Notes
InsightCloudSec Software Release Notice - 23.1.25 Release
Documenting Required Permissions
Beginning with our February 2023 documentation version, InsightCloudSec will update our approach to documenting permissions.
Each month InsightCloudSec releases support for new resources, Insights, Bot Actions, and other updates that require dozens of permission changes. There is significant effort required to maintain accurate policies and ensure access to these ever-expanding features. We strongly encourage customers to use the policies offered by the providers (for example the AWS managed policy with our small supplemental InsightCloudSec policy) to minimize ongoing manual intervention and ensure the best visibility into our growing coverage.
Important Details to Note:
Future permissions required for connectivity to the CSPs we support will no longer be provided as documentation content (the most noticeable is likely AWS, as it's offered here.)
In February all required permissions will be available in a central location with JSON policy files for each individual provider. We will continue to announce new permissions as part of our release notes.
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.
Release Highlights (23.1.25)
InsightCloudSec is pleased to announce Release 23.1.25. This release includes substantial updates to the Azure CIS 1.5.0 Compliance Pack, including the addition of numerous new Insights (displayed in the table below). 23.1.25 also includes an update for the GCP CIS Compliance Pack 2.0.0, as well as updates to many Insights and Query Filters to support Alibaba Cloud.
In addition, this release includes six new Query Filters, two new Bot actions, and eight bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.1.25)
Release availability for self-hosted customers is Thursday, January 26, 2023. If you're interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Features & Enhancements (23.1.25)
- Added the ability to clear the medium and high priority queues from the System Administration page. Refer to specifics on our systems settings page. [ENG-20966]
User Interface Changes (23.1.25)
- We have updated the Insight Severity selection modal to only show the Default option when one or more BackOffice (core) Insights are selected. If the selected Insight(s) are custom, then the Default option and helper text will not display. [ENG-22798]
Resources (23.1.25)
Alibaba Cloud
- Expanded visibility to Alibaba Cloud Elasticsearch Instances. Multiple Insights and Query Filters (enumerated below) relating to these Elasticsearch Instances are now compatible with Alibaba Cloud. [ENG-22588]
AWS
- Expanded resource dependencies to include security groups that are associated with AWS EKS clusters and added a new Query Filter, Kubernetes Cluster With Permissive Security Group Attached, to identify EKS clusters exposing ports outside of TCP 443. [ENG-17192]
AZURE
- Added support for viewing enabled encryption protocols on an Azure API management service (TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0). Three new Query Filters have been added: Rest API Has TLS Enabled, Rest API Has SSL Enabled, and Rest API Has Public IP. [ENG-20402]
Insights (23.1.25)
Azure CIS 1.5.0 Compliance Pack
This release includes a substantial update to the Azure CIS 1.5.0 Compliance Pack. This update includes a total of 23 new Azure Insights, taking our coverage from 60 Insights to 83 Insights. The table below lists the updated controls and the Insight that supports it:
Compliance Rule | Insight Name |
---|---|
3.3 Ensure that Enable key rotation reminders is enabled for each Storage Account | Storage Account without Key Rotation Reminders Enabled |
3.4 Ensure That Storage Account Access Keys are Periodically Regenerated (Manual) | Storage Account Older than 90 Days without Access Keys Rotated |
3.5 Ensure Storage Logging is Enabled for Queue Service for Read, Write, and Delete requests | Storage Account Queue Service Logging Disabled |
3.9 Ensure Allow Azure services on the trusted services list to access this storage account is Enabled for Storage Account Access | Storage Account without Microsoft Azure Services Bypass Enabled |
3.14 Ensure Storage Logging is Enabled for Table Service for Read, Write, and Delete Requests | Storage Account Table Service Logging Disabled |
4.3.7 Ensure Allow access to Azure services for PostgreSQL Database Server is disabled | Database Instance Allowing Access from Cloud Resources |
4.3.8 Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled | Database Instance without Infrastructure Encryption Enabled (PostgreSQL) |
4.4.1 Ensure Enforce SSL connection is set to Enabled for Standard MySQL Database Server | Database Instance not Enforcing Transit Encryption (MySQL) |
4.4.2 Ensure TLS Version is set to TLSV1.2 for MySQL flexible Database Server | Database Instance Minimum TLS Version |
4.4.3 Ensure server parameter audit_log_enabled is set to ON for MySQL Database Server | Database Instance without Log Auditing Enabled (MySQL) |
4.4.4 Ensure server parameter audit_log_events has CONNECTION set for MySQL Database Server | Database Instance without Connection Log Auditing Events (MySQL) |
4.5.1 Ensure That Firewalls & Networks Is Limited to Use Selected Networks Instead of All Networks | Distributed Table without Network Access Restrictions |
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | Storage Container Containing Activity Logs Exposed To The Public |
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment | Cloud Account without Activity Log Alert - Policy Assignment Create/Update |
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment | Cloud Account without Activity Log Alert - Policy Assignment Delete |
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group | Cloud Account without Activity Log Alert - Network Security Group Create or Update |
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group | Cloud Account without Activity Log Alert - Network Security Group Delete |
5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution | Cloud Account without Activity Log Alert - Security Solution Create or Update |
5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution | Cloud Account without Activity Log Alert - Security Solution Delete |
5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Cloud Account without Activity Log Alert - SQL Server Firewall Rule Create or Update |
5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Cloud Account without Activity Log Alert - SQL Server Firewall Rule Delete |
5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Cloud Account without Activity Log Alert - Public IP Address Rule Create or Update |
5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | Cloud Account without Activity Log Alert - Public IP Address Rule Delete |
GCP CIS 2.0.0 Compliance Pack
We have added a new Compliance Pack for GCP CIS 2.0.0 which includes updated control mappings as well as a new Insight, Load Balancer With Backend Service Logging Disabled, that identifies GCP Load Balancers that are attached to a Backend Service with logging disabled. [ENG-22732]
Alibaba Cloud
We expanded visibility to Alibaba Cloud Elasticsearch Instances. The following Insights relating to these Elasticsearch Instances are now compatible with Alibaba Cloud [ENG-22588]:
- Elasticsearch Instances Exposed
- Elasticsearch Instance does not Enforce Encryption at Rest
- Elasticsearch Instance does not Support Private Networking
- ElasticSearch Cluster without HTTPS Enforcement
Query Filters (23.1.25)
Alibaba Cloud
We expanded visibility to Alibaba Cloud Elasticsearch Instances. The following Query Filters relating to these Elasticsearch Instances are now compatible with Alibaba Cloud [ENG-22588]:
- Elasticsearch Instance UltraWarm Enabled/Not Enabled
- Elasticsearch Instance Availability Zone Count
- Elasticsearch Instance Supports Private Networking
- Elasticsearch Instance Does Not Support Private Networking
- Elasticsearch Instance Version
- Elasticsearch Instance With At Rest Encryption Enabled
- Elasticsearch Instance With Transit Encryption
- Elasticsearch Instance Without Transit Encryption
- Elasticsearch Instance Exposed
- Stream/Broker/Elasticsearch/Cache Instance Total Node Count Greater Than
- Stream/Broker/Elasticsearch/Cache Instance Total Node Count Less Than
AWS
- Database Instance Associated With DB Cluster and Database Instance Not Associated With DB Cluster - These two new Query Filters can be used for AWS RDS/Neptune/DocumentDB to identify instances that are or are not associated with a cluster. This distinction is important because, when taking actions via BotFactory, you need to perform different workflows/actions depending on the cluster association. [ENG-22638]
- Kubernetes Cluster With Permissive Security Group Attached - New Query Filter identifies AWS EKS clusters that allow remote connectivity to ports outside of HTTPS (443). [ENG-17192]
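The check the new Kubernetes Cluster With Permissive Security Group Attached filter performs can be reproduced against security group ingress rules pulled from the EC2 API. The following is an added example, not InsightCloudSec code; it assumes the filter only counts CIDR-sourced rules as "remote" (security-group-to-security-group pairs, such as the default cluster self-reference, are skipped), and the rule set is constructed.

```python
# Constructed sample of EC2 DescribeSecurityGroups-style IpPermissions
# entries for a security group attached to an EKS cluster (not real data).
SAMPLE_CLUSTER_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                      # expected: fine
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # expected: permissive
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},  # sg pair: skipped (assumption)
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},               # expected: permissive
]


def remote_sources(rule):
    """Return the CIDR sources (IPv4 and IPv6) of an ingress rule.
    Security-group references are not treated as remote here (assumption)."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def rule_is_permissive(rule):
    """True unless the rule admits exactly TCP 443 and nothing else.
    IpProtocol "-1" means all protocols and all ports."""
    proto = rule.get("IpProtocol")
    if proto != "tcp":
        return True
    return not (rule.get("FromPort") == 443 and rule.get("ToPort") == 443)


def permissive_ingress(rules):
    """Return (protocol, from_port, to_port, sources) for every rule that lets
    a remote CIDR reach something other than TCP 443."""
    findings = []
    for rule in rules:
        sources = remote_sources(rule)
        if sources and rule_is_permissive(rule):
            findings.append((rule.get("IpProtocol"), rule.get("FromPort"),
                             rule.get("ToPort"), sources))
    return findings


def cluster_has_permissive_security_group(rules):
    """Cluster-level verdict matching the filter's intent: any permissive rule flags it."""
    return bool(permissive_ingress(rules))
```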
AZURE
- Rest API Has Public IP - New Query Filter identifies rest APIs with specific public IP addresses attached. An API is returned if any of the specified addresses are attached to the API. [ENG-20402]
- Rest API Has SSL Enabled - New Query Filter identifies rest APIs with SSL encryption protocol enabled. [ENG-20402]
- Rest API Has TLS Enabled - New Query Filter identifies rest APIs with specific TLS encryption protocols enabled. [ENG-20402]
Bot Actions (23.1.25)
AWS
- "Add Policy To Role" - New Bot action allows the automated attachment of managed policies -- either customer managed or AWS managed -- to roles. The action requires a policy name and, if that policy is present in multiple accounts, it can be applied to multiple roles in separate accounts. [ENG-19579]
- "Update Distributed Table Billing Mode" - New Bot action updates the billing mode and/or read/write capacity for one or more distributed tables. This change can save a lot of money at scale. [ENG-22877]
Bug Fixes (23.1.25)
- Fixed an edge case that prevented the Compliance Scorecard Excel from generating when it contains an Insight Exemption. [ENG-22895]
- Fixed a bug that prevented Insight totals from reflecting immediately after creation. [ENG-22823]
- Fixed a bug that prevented public access from being removed on AWS RDS Cluster Snapshots. [ENG-22814]
- Updated our analysis of the public accessibility of AWS Lambda functions to remain consistent with AWS's announced position that if a Lambda function can be invoked by S3, its access policy must have a condition statement keyed off of AWS:SourceAccount. [ENG-22587]
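The Lambda rule above can be checked directly against a function's resource-based policy (the document returned by Lambda's GetPolicy). The following is an added example, not InsightCloudSec's implementation; the policy is constructed, and the two statements show the failing case (S3 allowed to invoke with only a SourceArn condition) beside the passing case (SourceAccount condition present).

```python
import json

# Constructed sample Lambda resource-based policy (not from the release notes).
# Statement 1 restricts only by bucket ARN, which does not satisfy the
# AWS:SourceAccount rule; statement 2 pins the invoking account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UnscopedS3Invoke", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111111111111:function:example",
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        {"Sid": "ScopedS3Invoke", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111111111111:function:example",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}}},
    ],
})


def _as_list(value):
    # IAM allows scalars or lists in Principal.Service, Action, Statement.
    return value if isinstance(value, list) else [value]


def _has_source_account_condition(statement):
    # Condition key names are case-insensitive in IAM; check every operator block.
    for operator_values in statement.get("Condition", {}).values():
        if any(key.lower() == "aws:sourceaccount" for key in operator_values):
            return True
    return False


def s3_invoke_statements_missing_source_account(policy_json):
    """Return the Sids of Allow statements that let s3.amazonaws.com invoke the
    function without an AWS:SourceAccount condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        invokes = any(a in ("lambda:invokefunction", "lambda:*", "*") for a in actions)
        if "s3.amazonaws.com" in services and invokes and not _has_source_account_condition(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def lambda_is_publicly_invocable_via_s3(policy_json):
    """Verdict in the sense of the updated analysis: any unscoped S3 grant counts."""
    return bool(s3_invoke_statements_missing_source_account(policy_json))
```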
- Fixed dictionary key errors occurring on the Activity Log Alert harvester. [ENG-22586]
- Improved error messaging to provide better details when running the DatabaseInstanceHarvester for AWS. [ENG-22197]
- Fixed a bug where some IAM metadata was not removed when IAM principals were deleted. [ENG-21950]
- Fixed a bug with the Web App Invalid Diagnostic Logging Configuration Query Filter, which was showing false positives due to a legacy casing issue being returned by Azure for some customers. [ENG-21143]