23.2.1 Release Notes


Documenting Required Permissions

InsightCloudSec will update our approach to documenting permissions with the February documentation branch for the 23.2.8 release.

Each month InsightCloudSec releases support for new resources, Insights, Bot Actions, and other updates that require dozens of permission changes. There is significant effort required to maintain accurate policies and ensure access to these ever-expanding features. We strongly encourage customers to use the policies offered by the providers (for example the AWS managed policy with our small supplemental InsightCloudSec policy) to minimize ongoing manual intervention and ensure the best visibility into our growing coverage.

Important Details to Note:

All required permissions will be available as JSON policy files for each individual provider linked throughout the documentation with the CSP-specific content.

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.

InsightCloudSec Software Release Notice - 23.2.1 Release

Release Highlights (23.2.1)

InsightCloudSec is pleased to announce Release 23.2.1. This release introduces our Layered Context feature. We have added visibility into the Darwin platform for AWS EC2 instances, and expanded AWS support and visibility to the recently announced Melbourne region (ap-southeast-4). For Azure, we have added visibility and lifecycle support to Azure Automation Accounts and have added harvesting functionality to retrieve Azure Web Application Firewall resources. We have also added support for SSH Key Names for GCP instances.

In addition, this release includes a substantial expansion to the AWS Foundational Security Best Practices Pack to cover 26 additional checks. The expanded coverage, which includes numerous new Insights, is detailed in the table below.

Finally, 23.2.1 includes seven updated Insights, 15 updated Query Filters, eight new Query Filters, and nine bug fixes.


Self-Hosted Deployment Updates (23.2.1)

Release availability for self-hosted customers is Thursday, February 2, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Modules can be updated with the terraform get -update command.

Permissions (23.2.1)


New Permissions Required: Azure

For Azure Reader Role:
"Microsoft.Automation/automationAccounts/read"

For Azure Power User Role:
"Microsoft.Automation/*"

These permissions enable the newly added support for Azure Automation Accounts [ENG-21824].

Features & Enhancements (23.2.1)

Introducing Layered Context
23.2.1 includes the GA release of the new Layered Context feature. Layered Context provides a holistic view of the most critical resources across all environments connected to InsightCloudSec, offering:

  • High-level visualizations around the most critical high-risk resources
  • A resource-centric view of risk across multiple security domains in a unified, consolidated framework
  • Easy access to details of the risk surrounding a specific resource
  • Filtering on specific resource types, severities, and security domains for better triaging and risk prioritization
  • Reduced noise, offering a clearer view of the risk posture of your cloud estate

Check out our feature product documentation, including a video walkthrough.

Other Features & Enhancements

  • Individual object IDs are now included in the resource details API response. [ENG-21356]

User Interface Changes (23.2.1)

  • Added an informative message when attempting to add duplicate Insights to a compliance pack. [ENG-17454]

Resources (23.2.1)

AWS

  • Added visibility into the Darwin platform for AWS EC2 instances. The Query Filters Instance CPU Architecture and Instance/Private Image Platform were updated to allow this visibility into Mac offerings. [ENG-23053]

  • Added visibility to the size of AWS Redshift snapshots. [ENG-21944]

  • Expanded AWS support and visibility to the recently announced Melbourne region (ap-southeast-4). [ENG-22956]

  • Expanded RDS transit encryption enforcement to cover MariaDB engines which AWS now supports. [ENG-22861]

AZURE

  • Added harvesting functionality to retrieve Azure Web Application Firewall resources. Added five new Query Filters to support this new functionality: Web Application Firewall Policy Tier, Web Application Firewall Type (Azure), Web Application Firewall Associations, Web Application Firewall Default Action, and Web Application Firewall Default Action (Azure). [ENG-21833]

  • Added visibility and lifecycle support to Azure Automation Accounts (Compute category, new resource type Automation Account). A new permission is required: “Microsoft.Automation/automationAccounts/read”. Customers can leverage the following new Query Filters to audit these resources:

    • Automation Account Configured With Public Access
    • Automation Account Configured With Local Authentication
    • Automation Account Not Configured To Use Managed Identity
    • Automation Account Without Private Endpoints Configured
    • Automation Account Configured With Source Control Configurations
      [ENG-21824]

GCP

  • Added support for SSH Key Names for GCP instances. If an instance in GCP has multiple SSH keys, all of them are returned, unlike AWS, which returns only the key the instance was created with. The key_name column in the Instances table has therefore been updated to accept lists, and key names are shown as lists in the UI. [ENG-16044]

Insights (23.2.1)

Alibaba Cloud

  • Expanded the following Insights to cover Alibaba Cloud [ENG-21510]:
    • Cloud Role Providing Cross Account Access Without External ID
    • Cloud Role Trust Policy Without External ID
    • Cloud Role Trusting Unknown Account
    • Cloud Role with Cross-Account Access
    • Cloud Role Trusting Unknown/Third Party Account

AWS

  • Message Queue not Enforcing Transit Encryption - New Insight identifies message queues such as AWS SQS that do not have SSL transit encryption enforced. [ENG-23005]

  • Expanded the AWS Foundational Security Best Practices Pack to cover 26 additional checks. This included the addition of 14 new Insights. The expanded mapping is shown here [ENG-22909]:

Compliance Rule | Insight Name
[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled | Application Gateway without X-Ray Tracing Enabled - New Insight identifies application gateways with one or more stages that do not have X-Ray tracing enabled.
[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins | Content Delivery Network Using Deprecated SSL Protocol - New Insight identifies content delivery networks that are configured to use the deprecated SSLv3 protocol.
[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest | Distributed Table Cluster without Encryption At Rest Enabled - New Insight identifies distributed table clusters such as AWS DynamoDB DAX without encryption at rest enabled.
[EC2.4] Stopped EC2 instances should be removed after a specified time period | Instance Stopped for 30 Days or Longer - New Insight identifies instances that have been in a stopped state for at least 30 days.
[EC2.17] EC2 instances should not use multiple ENIs | Instance Configured with Multiple Network Interfaces - New Insight identifies instances that are using multiple network interfaces.
[EC2.22] Unused EC2 security groups should be removed | Instance Without Access List Assignment
[EC2.23] EC2 Transit Gateways should not automatically accept VPC attachment requests | Transit Gateway Configured to Automatically Accept Attachments - New Insight identifies transit gateways configured to automatically accept shared VPC attachments.
[ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically | Container Service With Auto Assign Public IP
[ECS.4] ECS containers should run as non-privileged | Task Definition Running in Privileged Mode - New Insight identifies task definitions that have one or more containers running in privileged mode.
[ECS.5] ECS containers should be limited to read-only access to root filesystems | Task Definition Running Containers without Read Only Filesystem - New Insight identifies task definitions that have one or more containers running without the filesystem running as read only.
[ECS.8] Secrets should not be passed as container environment variables | Task Definition with Secret in Environment Variables
[GuardDuty.1] GuardDuty should be enabled | Cloud Account without Cloud Guard Enabled in Root Compartment
[IAM.8] Unused IAM user credentials should be removed | Cloud User Inactive
[IAM.8] Unused IAM user credentials should be removed | API Key Unused for 90 Days
[Kinesis.1] Kinesis Data Streams should be encrypted at rest | Data Stream Without Encryption
[Lambda.2] Lambda functions should use supported runtimes | Serverless Function Configured with Deprecated Runtime
[OpenSearch.1] OpenSearch domains should have encryption at rest enabled | Identity Resource Privilege Escalation by Passing Role to Cloudformation Stack
[OpenSearch.2] OpenSearch domains should be in a VPC | Elasticsearch Instance Configured on Public Subnet - New Insight identifies elasticsearch instances deployed on a public subnet with Internet access.
[OpenSearch.3] OpenSearch domains should encrypt data sent between nodes | Elasticsearch Instance without Node-to-Node Encryption
[OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2 | Resource does not Support TLS 1.2
[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled | Big Data Instance without Automatic Upgrades Enabled - New Insight identifies big data instances that do not have the automatic upgrades to major versions enabled.
[S3.1] S3 Block Public Access setting should be enabled | Cloud Account without Block Public Access Enabled - New Insight identifies cloud accounts without the S3 Block Public Access capability enabled.
[SageMaker.3] Users should not have root access to SageMaker notebook instances | Machine Learning Instance with Root Access Enabled
[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled | Secret without Automatic Rotation Enabled - New Insight identifies secrets that do not have automatic rotation enabled.
[SecretsManager.3] Remove unused Secrets Manager secrets | Secret Inactive for at Least 90 Days - New Insight identifies secrets that have not been accessed for at least 90 days.
[SSM.1] EC2 instances should be managed by AWS Systems Manager | Instance not Managed by AWS Systems Manager - New Insight identifies instances not managed by AWS Systems Manager.
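As an added illustration of the check behind the Message Queue not Enforcing Transit Encryption Insight listed above (example code written for this page, not InsightCloudSec's own harvesting or Insight logic), the functions below inspect an SQS queue policy for a Deny statement conditioned on aws:SecureTransport being false, which is how AWS documents rejecting plaintext (non-TLS) requests to a queue. The sample policies, account ID and queue names are constructed.

```python
import json

# Constructed sample queue policies (illustrative only, not from the release notes).
ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"},
        {"Effect": "Deny", "Principal": "*", "Action": "sqs:*",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
NON_ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
                  "Resource": "arn:aws:sqs:us-east-1:111122223333:events"},
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_transit_encryption(policy_json):
    """True if the policy denies every principal all SQS actions when
    aws:SecureTransport is false, so plaintext requests are rejected whatever
    the Allow statements grant. Resource scope is deliberately not examined."""
    if not policy_json:
        return False  # no policy at all: nothing rejects non-TLS requests
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"*", "sqs:*"}:
            continue
        # Condition keys are case-insensitive; values may be a string or a list.
        for key, val in stmt.get("Condition", {}).get("Bool", {}).items():
            if key.lower() == "aws:securetransport" and \
                    any(str(v).lower() == "false" for v in _as_list(val)):
                return True
    return False


def find_unencrypted_queues(policies):
    """Map of queue name -> policy JSON (or None) to a sorted list of offenders."""
    return sorted(name for name, pol in policies.items()
                  if not enforces_transit_encryption(pol))
```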

AZURE

  • The following Insights have been updated to support Azure resources:
    • Web Application Firewall Orphaned
    • Web Application Firewall With Allow Default Rule Policy
      [ENG-21833]

GCP

  • Google Service Account is Default - New Insight identifies Cloud Roles which are Default Roles. [ENG-17155]

Query Filters (23.2.1)

AWS

  • Instance CPU Architecture and Instance/Private Image Platform - Updated Query Filters support the added visibility into the Darwin platform for AWS EC2 instances, allowing visibility into Mac offerings. [ENG-23053]

  • Instance Has Been Accessed Via SSM - Updated Query Filter takes in regular expression inputs for inclusion/exclusion. [ENG-20863]

AZURE

  • Content Delivery Network With/Without Geo Restriction - Updated Query Filter now includes Azure CDNs. [ENG-8203]

  • Resource Allows Ingress Access From Unapproved Networks and Resource With Permissive Network Access Rules - Both Query Filters now support Azure Service Bus. [ENG-22770]

  • Added harvesting functionality to retrieve Azure Web Application Firewall resources. Also added the following Query Filters:

    • Web Application Firewall Policy Tier - Identifies Web Application Firewall resources by the selected policy tier.
    • Web Application Firewall Type (Azure) - Identifies Azure Web Application Firewall resources by the selected type.
    • Web Application Firewall Associations - Identifies Web Application Firewall resources by the selected association(s) whose count is greater than one.
    • Web Application Firewall Default Action - Identifies Web Application Firewall resources by the selected default action(s).
    • Web Application Firewall Default Action (Azure) - Identifies Azure Web Application Firewall resources by the selected default action(s).
      [ENG-21833]

  • The following existing Query Filters have been updated to support Azure resources:

    • Web Application Firewall Rule Count
    • Web Application Firewall Orphaned
    • Web Application Firewall In Use
    • Web Application Firewall With Allow Default Rule Policy
    • Web Application Firewall Contains Rule Names
    • Web Application Firewall Contains Managed Rule Names
    • Web Application Firewall Contains Rule With Noncompliant Actions
      [ENG-21833]

GCP

  • Cloud Role Is/Is Not a Default Role - New Query Filter identifies Cloud Roles which are Default Roles. [ENG-17155]

  • The following three Query Filters were updated to support GCP:

    • Instance Not Running Authorized SSH Key Pair
    • Instance Not Associated With SSH Key Pair
    • Instance Associated With SSH Key Pair
      [ENG-16044]

MULTI-CLOUD/GENERAL

  • Content Delivery Network Has no Tags - New Query Filter identifies content delivery networks that have zero tags. [ENG-8203]

  • Resource Availability Zone Count - New Query Filter identifies resources based on the number of availability zones they are available within. Customers can use this Query Filter to identify resources that are not spread across a specified number of zones. Applies to Alibaba Cloud and AWS. [ENG-22769]

Bug Fixes (23.2.1)

  • Fixed an issue where AWS Commercial accounts were only calling the V1 Web Application Firewall (WAF) endpoint, and not the V2 WAF endpoint as well. [ENG-23270]

  • Fixed a bug that prevented tags from being removed on AWS API Gateway V2 resources. [ENG-23116]

  • Fixed DynamoDB logic to not attempt to retrieve the continuous backup policy unless the table is in an ACTIVE or UPDATING state. [ENG-23052]

  • Fixed latency issue of the list_processor_jobs endpoint. [ENG-23041]

  • Fixed a potential issue with user count when listing basic user groups. If customers promote an existing basic user to an organization admin, the user count of the basic user groups wasn't decremented properly. [ENG-22903]

  • Fixed a backend database error that occurred frequently when adding or modifying resources during a harvest. The new logic attempts to store the value again (95% of the time this resolves the error and saves the changes; if not, the error is re-raised). [ENG-22333]

  • Fixed a bug that would prevent the harvesting of Azure Database Instances that were in an Inaccessible state. [ENG-22021]

  • Fixed an issue where some EDH events were not processed. [ENG-21422]

  • Added a callout for missing Azure graph-based permissions. Now, if any permissions are missing, they can be seen on the Clouds Listing (Visibility) or Cloud Overview page. [ENG-16389]