23.2.15 Release Notes
Required Permissions - Reference
With our previous release (23.2.8), InsightCloudSec has updated our approach to documenting all permissions. Permissions are provided in a single location and updated with each release.
23.2.15 and all future releases will include a reference section at the end of the release notes page with links to individual policy files.
InsightCloudSec Software Release Notice - 23.2.15 Release
Release Highlights (23.2.15)
InsightCloudSec is pleased to announce Release 23.2.15. This release includes nine updated Insights, one new Query Filter, and six bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.2.15)
Release availability for self-hosted customers is Thursday, February 16, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Added new Risky Permission Insights. These Insights identify users, roles, groups, and policies that are vulnerable to privilege escalation because they contain the permissions noted with the Insight. [ENG-23057]:
Identity Resource Privilege Escalation by Passing Owner to New CodeStar Project– Permissions contained: “codestar:CreateProject, codestar:AssociateTeamMember”
Identity Resource Privilege Escalation by Passing More Privileged Role to New CodeStar Project– Permissions contained: “iam:PassRole, codestar:CreateProject”
Identity Resource Privilege Escalation by Passing Privileged Roles to New Glue Job– Permissions contained: “iam:PassRole, glue:CreateJob”
Identity Resource Privilege Escalation by Updating Glue Job Role and Command– Permissions contained: “iam:PassRole, glue:UpdateJob”
Identity Resource Privilege Escalation by Creating a Lambda Function and Allowing Another Principle to Invoke– Permissions contained: “iam:PassRole, lambda:AddPermission, lambda:CreateFunction”
Resource Privilege Escalation by Creating a Lambda Function and Associating with DynamoDB Table– Permissions contained: “iam:PassRole, lambda:CreateEventSourceMapping, lambda:CreateFunction”
Identity Resource Privilege Escalation to Modify the Assume-Role Policy– Permission contained: “iam:UpdateAssumeRolePolicy”
Identity Resource Privilege Escalation to Pass Role to Service– Permission contained: “iam:PassRole”
Identity Resource Privilege Escalation Passing Role to New Data Pipelines- Updated Insight to use datapipeline:ActivatePipeline. [ENG-23057]
Query Filters (23.2.15)
Database Instance Running Deprecated Engine Version- New Query Filter identifies Amazon RDS/Neptune/DocumentDB instances that are running unsupported/deprecated engine version. [ENG-22831]
We are now showing the Permission level in the AWS IAM blade (from Resources page). [ENG-23363]
Principal activity blade now shows used permissions for service-linked-role principals. [ENG-21563]
Bug Fixes (23.2.15)
Updates to remove some scheduler metrics logging that were causing a bottleneck in our cache. [ENG-23898]
Cache Instance does not Enforce Encryption at Restto remove reference to Memcache instances; updated the Insight to the standard Insight format. [ENG-23417]
Fixed a Layered Context bug; removed Insight
Storage Container without Block Public Access Protectionfrom list of Insights that flag public accessibility for layered context. [ENG-23312]
This fix resolves a rare edge case where some resources such as (publicimage, servicemanagedpolicy, servicemanagedpolicydocument), when viewed in Layered Context in the detail panel through the Public Accessibility tab, caused endpoint to fail. [ENG-23184]
Query Filters which are not configured correctly will now be surfaced with a red warning indicator within the Resources section of the product. [ENG-20624]
Fixed a bug related to Query Filter
Resource has a Private Endpointnot picking up private endpoint connections for Azure SQL Managed Instances. [ENG-16630]
Reference: Required Policies & Permissions
Policies required for individual CSPs are as follows:
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- Read Only Policy
- Power User Policy
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.