23.1.25 Release Notes

InsightCloudSec Software Release Notice - 23.1.25 Release

Documenting Required Permissions

Beginning with our February 2023 documentation version, InsightCloudSec will update our approach to documenting permissions.

Each month InsightCloudSec releases support for new resources, Insights, Bot Actions, and other updates that require dozens of permission changes. There is significant effort required to maintain accurate policies and ensure access to these ever-expanding features. We strongly encourage customers to use the policies offered by the providers (for example the AWS managed policy with our small supplemental InsightCloudSec policy) to minimize ongoing manual intervention and ensure the best visibility into our growing coverage.

Important Details to Note:

  • Future permissions required for connectivity to the CSPs we support will no longer be provided as documentation content (the most noticeable change is likely AWS, as it is offered here).

  • In February all required permissions will be available in a central location with JSON policy files for each individual provider. We will continue to announce new permissions as part of our release notes.

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.

Release Highlights (23.1.25)

InsightCloudSec is pleased to announce Release 23.1.25. This release includes substantial updates to the Azure CIS 1.5.0 Compliance Pack, including 23 new Insights (listed in the table below). 23.1.25 also adds a new GCP CIS 2.0.0 Compliance Pack and updates many Insights and Query Filters to support Alibaba Cloud.

In addition, this release includes six new Query Filters, two new Bot actions, and eight bug fixes.

Self-Hosted Deployment Updates (23.1.25)

Release availability for self-hosted customers is Thursday, January 26, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Features & Enhancements (23.1.25)

User Interface Changes (23.1.25)

  • We have updated the Insight Severity selection modal to only show the Default option when one or more BackOffice (core) Insights are selected. If the selected Insight(s) are custom, then the Default option and helper text will not display. [ENG-22798]

Resources (23.1.25)

Alibaba Cloud

  • Expanded visibility to Alibaba Cloud Elasticsearch Instances. Multiple Insights and Query Filters (enumerated below) relating to these Elasticsearch Instances are now compatible with Alibaba Cloud. [ENG-22588]

AWS

  • Expanded resource dependencies to include security groups that are associated with AWS EKS clusters and added a new Query Filter Kubernetes Cluster With Permissive Security Group Attached to identify EKS clusters exposing ports outside of TCP 443. [ENG-17192]

AZURE

  • Added support for viewing the enabled encryption protocols (TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0) on an Azure API Management service. Three new Query Filters have been added: Rest API Has TLS Enabled, Rest API Has SSL Enabled, and Rest API Has Public IP. [ENG-20402]

Insights (23.1.25)

Azure CIS 1.5.0 Compliance Pack
This release includes a substantial update to the Azure CIS 1.5.0 Compliance Pack. This update includes a total of 23 new Azure Insights, taking our coverage from 60 Insights to 83 Insights. The table below lists the updated controls and the Insight that supports it:

Compliance Rule | Insight Name
3.3 Ensure that Enable key rotation reminders is enabled for each Storage Account | Storage Account without Key Rotation Reminders Enabled
3.4 Ensure That Storage Account Access Keys are Periodically Regenerated (Manual) | Storage Account Older than 90 Days without Access Keys Rotated
3.5 Ensure Storage Logging is Enabled for Queue Service for Read, Write, and Delete requests | Storage Account Queue Service Logging Disabled
3.9 Ensure Allow Azure services on the trusted services list to access this storage account is Enabled for Storage Account Access | Storage Account without Microsoft Azure Services Bypass Enabled
3.14 Ensure Storage Logging is Enabled for Table Service for Read, Write, and Delete Requests | Storage Account Table Service Logging Disabled
4.3.7 Ensure Allow access to Azure services for PostgreSQL Database Server is disabled | Database Instance Allowing Access from Cloud Resources
4.3.8 Ensure Infrastructure double encryption for PostgreSQL Database Server is Enabled | Database Instance without Infrastructure Encryption Enabled (PostgreSQL)
4.4.1 Ensure Enforce SSL connection is set to Enabled for Standard MySQL Database Server | Database Instance not Enforcing Transit Encryption (MySQL)
4.4.2 Ensure TLS Version is set to TLSV1.2 for MySQL flexible Database Server | Database Instance Minimum TLS Version
4.4.3 Ensure server parameter audit_log_enabled is set to ON for MySQL Database Server | Database Instance without Log Auditing Enabled (MySQL)
4.4.4 Ensure server parameter audit_log_events has CONNECTION set for MySQL Database Server | Database Instance without Connection Log Auditing Events (MySQL)
4.5.1 Ensure That Firewalls & Networks Is Limited to Use Selected Networks Instead of All Networks | Distributed Table without Network Access Restrictions
5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | Storage Container Containing Activity Logs Exposed To The Public
5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment | Cloud Account without Activity Log Alert - Policy Assignment Create/Update
5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment | Cloud Account without Activity Log Alert - Policy Assignment Delete
5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group | Cloud Account without Activity Log Alert - Network Security Group Create or Update
5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group | Cloud Account without Activity Log Alert - Network Security Group Delete
5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution | Cloud Account without Activity Log Alert - Security Solution Create or Update
5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution | Cloud Account without Activity Log Alert - Security Solution Delete
5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | Cloud Account without Activity Log Alert - SQL Server Firewall Rule Create or Update
5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | Cloud Account without Activity Log Alert - SQL Server Firewall Rule Delete
5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | Cloud Account without Activity Log Alert - Public IP Address Rule Create or Update
5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | Cloud Account without Activity Log Alert - Public IP Address Rule Delete

GCP CIS 2.0.0 Compliance Pack
We have added a new Compliance Pack for GCP CIS 2.0.0 which includes updated control mappings as well as a new Insight Load Balancer With Backend Service Logging Disabled that identifies GCP Load Balancers that are attached to a Backend Service with logging disabled. [ENG-22732]

Alibaba Cloud
We expanded visibility to Alibaba Cloud Elasticsearch Instances. The following Insights relating to these Elasticsearch Instances are now compatible with Alibaba Cloud [ENG-22588]:

  • Elasticsearch Instances Exposed
  • Elasticsearch Instance does not Enforce Encryption at Rest
  • Elasticsearch Instance does not Support Private Networking
  • ElasticSearch Cluster without HTTPS Enforcement

Query Filters (23.1.25)

Alibaba Cloud
We expanded visibility to Alibaba Cloud Elasticsearch Instances. The following Query Filters relating to these Elasticsearch Instances are now compatible with Alibaba Cloud [ENG-22588]:

  • Elasticsearch Instance UltraWarm Enabled/Not Enabled
  • Elasticsearch Instance Availability Zone Count
  • Elasticsearch Instance Supports Private Networking
  • Elasticsearch Instance Does Not Support Private Networking
  • Elasticsearch Instance Version
  • Elasticsearch Instance With At Rest Encryption Enabled
  • Elasticsearch Instance With Transit Encryption
  • Elasticsearch Instance Without Transit Encryption
  • Elasticsearch Instance Exposed
  • Stream/Broker/Elasticsearch/Cache Instance Total Node Count Greater Than
  • Stream/Broker/Elasticsearch/Cache Instance Total Node Count Less Than

AWS

  • Database Instance Associated With DB Cluster and Database Instance Not Associated With DB Cluster - These two new Query Filters can be used for AWS RDS/Neptune/DocumentDB to identify instances that are, or are not, associated with a cluster. The distinction matters because actions taken via BotFactory must follow different workflows depending on whether the instance belongs to a cluster. [ENG-22638]

  • Kubernetes Cluster With Permissive Security Group Attached - New Query Filter identifies AWS EKS clusters that allow remote connectivity to ports outside of HTTPS (443). [ENG-17192]
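The check behind the Kubernetes Cluster With Permissive Security Group Attached filter can be reproduced from raw API data. The following is an added example, not InsightCloudSec's own implementation: it walks every security group an EKS cluster references (the EKS-managed cluster SG plus any additional SGs) and reports inbound rules that reach beyond TCP 443. Record shapes follow boto3's eks.describe_cluster and ec2.describe_security_groups responses; the clusters and groups are constructed, and the decision to flag a rule regardless of its source (including self-referencing rules) is this example's assumption, since the page does not state the product's exact matching rules.

```python
"""Flag EKS clusters whose attached security groups admit inbound traffic on
anything other than TCP 443.  Record shapes follow boto3's
eks.describe_cluster()["cluster"] and ec2.describe_security_groups(); the
records below are constructed for this example and name no real account."""

# The only inbound rule the check tolerates: HTTPS to the API server endpoint.
ALLOWED = {("tcp", 443, 443)}


def _rule_ports(rule):
    """Normalise an IpPermissions entry to (protocol, from_port, to_port).
    IpProtocol '-1' means every protocol on every port."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return ("all", 0, 65535)
    # ICMP entries carry type/code in FromPort/ToPort; they are still not TCP 443.
    return (proto, rule.get("FromPort", 0), rule.get("ToPort", 65535))


def _sources(rule):
    """Every source a rule admits: IPv4/IPv6 CIDRs and referenced security groups."""
    srcs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    srcs += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return srcs


def permissive_rules(sg):
    """Inbound rules on one security group that reach beyond TCP 443."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto, lo, hi = _rule_ports(rule)
        if (proto, lo, hi) in ALLOWED:
            continue
        for src in _sources(rule):
            findings.append({"group": sg["GroupId"], "protocol": proto,
                             "ports": (lo, hi), "source": src})
    return findings


def clusters_with_permissive_sg(clusters, security_groups):
    """Map cluster name -> permissive inbound rules across every security group
    the cluster references (the EKS-managed cluster SG plus additional SGs)."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    result = {}
    for cluster in clusters:
        cfg = cluster["resourcesVpcConfig"]
        sg_ids = set(cfg.get("securityGroupIds", []))
        if cfg.get("clusterSecurityGroupId"):
            sg_ids.add(cfg["clusterSecurityGroupId"])
        hits = [f for gid in sorted(sg_ids) if gid in by_id
                for f in permissive_rules(by_id[gid])]
        if hits:
            result[cluster["name"]] = hits
    return result


# Constructed sample data (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Self-referencing allow-all, the rule EKS places on the cluster SG it creates.
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]},
]
CLUSTERS = [
    {"name": "prod", "resourcesVpcConfig": {
        "clusterSecurityGroupId": "sg-0aaa", "securityGroupIds": []}},
    {"name": "dev", "resourcesVpcConfig": {
        "clusterSecurityGroupId": "sg-0aaa", "securityGroupIds": ["sg-0bbb"]}},
    {"name": "lab", "resourcesVpcConfig": {
        "clusterSecurityGroupId": "sg-0ccc", "securityGroupIds": []}},
]

if __name__ == "__main__":
    for name, hits in clusters_with_permissive_sg(CLUSTERS, SECURITY_GROUPS).items():
        for h in hits:
            print(f"{name}: {h['group']} {h['protocol']} {h['ports']} from {h['source']}")
```

The "lab" cluster is worth noting: the self-referencing allow-all rule it carries is what EKS itself creates on the cluster security group, so a check that ignores the rule's source will flag every default cluster. The example keeps the source in each finding so that a Bot or reviewer can decide whether self-referencing rules should be exempted.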

AZURE

  • Rest API Has Public IP - New Query Filter identifies rest APIs with specific public IP addresses attached. An API is returned if any of the specified addresses are attached to the API. [ENG-20402]

  • Rest API Has SSL Enabled - New Query Filter identifies rest APIs with SSL encryption protocol enabled. [ENG-20402]

  • Rest API Has TLS Enabled - New Query Filter identifies rest APIs with specific TLS encryption protocols enabled. [ENG-20402]
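The protocol visibility described under Resources and the three Query Filters above all read the same data: the customProperties block of an Azure API Management service. The following is an added example, not InsightCloudSec's code, that evaluates those properties and mirrors the three filters. The key names are the APIM custom property names for the legacy protocol toggles; the service records are constructed, and treating an absent key as "disabled" is this example's assumption. TLS 1.2 has no toggle key in customProperties and is not modelled.

```python
"""Evaluate the protocol settings an Azure API Management service exposes in
properties.customProperties, mirroring the three Query Filters above.
Key names are the APIM custom property names; the service records are
constructed for this example.  Assumption: a key that is absent counts as
that protocol being disabled, and values are compared case-insensitively
because the strings Azure returns are not consistently cased."""

PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."

# Legacy protocol toggles on the gateway (client side) and towards backends.
LEGACY_PROTOCOLS = {
    "SSL 3.0 (client)": PREFIX + "Protocols.Ssl30",
    "TLS 1.0 (client)": PREFIX + "Protocols.Tls10",
    "TLS 1.1 (client)": PREFIX + "Protocols.Tls11",
    "SSL 3.0 (backend)": PREFIX + "Backend.Protocols.Ssl30",
    "TLS 1.0 (backend)": PREFIX + "Backend.Protocols.Tls10",
    "TLS 1.1 (backend)": PREFIX + "Backend.Protocols.Tls11",
}


def _is_true(value):
    return str(value).strip().lower() == "true"


def _custom_properties(service):
    return service.get("properties", {}).get("customProperties", {})


def enabled_legacy_protocols(service):
    """Sorted human-readable names of every legacy protocol switched on."""
    props = _custom_properties(service)
    return sorted(name for name, key in LEGACY_PROTOCOLS.items()
                  if _is_true(props.get(key, "False")))


def has_ssl_enabled(service):
    """Rest API Has SSL Enabled: any SSL 3.0 toggle is on."""
    return any(n.startswith("SSL") for n in enabled_legacy_protocols(service))


def has_tls_enabled(service, versions=("TLS 1.0", "TLS 1.1")):
    """Rest API Has TLS Enabled, for the requested legacy versions.
    TLS 1.2 has no toggle key in customProperties and is not modelled here."""
    enabled = enabled_legacy_protocols(service)
    return any(n.startswith(v) for n in enabled for v in versions)


def has_public_ip(service, addresses):
    """Rest API Has Public IP: true if any listed address is attached."""
    attached = set(service.get("properties", {}).get("publicIPAddresses", []))
    return bool(attached & set(addresses))


def audit(services):
    """One row per service: legacy protocols that are on, plus two filter verdicts."""
    return {s["name"]: {"legacy": enabled_legacy_protocols(s),
                        "ssl": has_ssl_enabled(s),
                        "tls": has_tls_enabled(s)} for s in services}


# Constructed sample services (not from a real subscription).
SERVICES = [
    {"name": "apim-legacy", "properties": {
        "publicIPAddresses": ["203.0.113.10"],
        "customProperties": {
            PREFIX + "Protocols.Tls10": "True",
            PREFIX + "Protocols.Ssl30": "true",          # casing varies in returned data
            PREFIX + "Backend.Protocols.Tls11": "True",
            PREFIX + "Ciphers.TripleDes168": "False"}}},
    {"name": "apim-hardened", "properties": {
        "publicIPAddresses": ["203.0.113.20"],
        "customProperties": {
            PREFIX + "Protocols.Tls10": "False",
            PREFIX + "Protocols.Tls11": "False",
            PREFIX + "Protocols.Ssl30": "False"}}},
]

if __name__ == "__main__":
    for name, row in audit(SERVICES).items():
        print(name, row)
```

The backend toggles are included deliberately: a gateway that refuses TLS 1.0 from clients but still negotiates it towards backends is a weakness the client-facing filter alone would not surface.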

Bot Actions (23.1.25)

AWS

  • “Add Policy To Role” - New Bot action attaches managed policies, either customer managed or AWS managed, to roles. The action takes a policy name; if a policy with that name exists in multiple accounts, the action can be applied to roles in each of those accounts. Because the action grants permissions rather than removing them, scope the Bot's resource filters tightly. [ENG-19579]

  • “Update Distributed Table Billing Mode” - New Bot action updates the billing mode and/or read/write capacity for one or more distributed tables, which can yield significant savings at scale. [ENG-22877]

Bug Fixes (23.1.25)

  • Fixed an edge case that prevented the Compliance Scorecard Excel from generating when it contains an Insight Exemption. [ENG-22895]

  • Fixed a bug that prevented Insight totals from reflecting immediately after creation. [ENG-22823]

  • Fixed a bug that prevented public access from being removed on AWS RDS Cluster Snapshots. [ENG-22814]

  • Updated our analysis of the public accessibility of AWS Lambda functions to stay consistent with AWS's announced position: if a Lambda function can be invoked by S3, its resource-based access policy must include a condition keyed on AWS:SourceAccount. [ENG-22587]

  • Fixed dictionary key errors occurring on the Activity Log Alert harvester. [ENG-22586]

  • Improved error messaging to provide better details when running the DatabaseInstanceHarvester for AWS. [ENG-22197]

  • Fixed a bug where some IAM metadata was not removed when IAM principals were deleted. [ENG-21950]

  • Fixed a bug with the Web App Invalid Diagnostic Logging Configuration Query Filter, which was showing false positives due to a legacy casing issue being returned by Azure for some customers. [ENG-21143]
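The Lambda fix above (ENG-22587) turns on one detail of a resource-based policy. The following is an added example, not InsightCloudSec's analysis code, showing the weak and hardened forms of an S3 invocation grant side by side and a checker that reports S3 grants lacking an aws:SourceAccount condition. Both policies are constructed (placeholder account and function names) and are shaped like the JSON string lambda.get_policy() returns; the condition keys are spelled AWS:SourceArn / AWS:SourceAccount because that is how the Lambda API writes them, and IAM compares them case-insensitively.

```python
"""Check a Lambda function's resource-based policy for S3 invocation grants that
are not pinned to an account with aws:SourceAccount.  The two policies below are
constructed for this example (account and function names are placeholders) and
are shaped like the JSON string lambda.get_policy() returns."""
import json

INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("Service")) if isinstance(principal, dict) else []


def _condition_keys(stmt):
    """Every condition key in the statement, lower-cased: IAM condition keys are
    case-insensitive, and Lambda writes them as AWS:SourceAccount / AWS:SourceArn."""
    return {key.lower()
            for operand in stmt.get("Condition", {}).values()
            for key in operand}


def s3_invoke_findings(policy_json):
    """One finding per Allow statement that lets s3.amazonaws.com invoke the
    function without an aws:SourceAccount condition.  A SourceArn alone is
    reported but not accepted: bucket ARNs carry no account id, so a bucket name
    that is deleted and later reclaimed by another account still satisfies it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & INVOKE_ACTIONS:
            continue
        if "s3.amazonaws.com" not in _service_principals(stmt):
            continue
        keys = _condition_keys(stmt)
        if "aws:sourceaccount" not in keys:
            findings.append({"sid": stmt.get("Sid"),
                             "has_source_arn": "aws:sourcearn" in keys})
    return findings


_STATEMENT = {
    "Sid": "s3-trigger",
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ingest",
}

# Before: what `aws lambda add-permission --source-arn ...` alone produces.
VULNERABLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {**_STATEMENT,
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-uploads"}}}]})

# After: the same grant with `--source-account 111122223333` added.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {**_STATEMENT,
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-uploads"},
                   "StringEquals": {"AWS:SourceAccount": "111122223333"}}}]})

if __name__ == "__main__":
    for label, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, s3_invoke_findings(policy))
```

When remediating, keep both conditions: SourceArn restricts which bucket may invoke, SourceAccount ties that bucket name to your account, and only the pair closes the confused-deputy path.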