23.2.15 Release Notes


Required Permissions - Reference

Beginning with our previous release (23.2.8), InsightCloudSec changed how it documents the permissions it requires. All permissions are now provided in a single location and updated with each release.

23.2.15 and all future releases will include a reference section at the end of the release notes page with links to individual policy files.

InsightCloudSec Software Release Notice - 23.2.15 Release

Release Highlights (23.2.15)

InsightCloudSec is pleased to announce Release 23.2.15. This release includes nine new or updated Insights, one new Query Filter, two IAM display improvements, and six bug fixes.


Self-Hosted Deployment Updates (23.2.15)

Release availability for self-hosted customers is Thursday, February 16, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Insights (23.2.15)

AWS

  • Added new Risky Permission Insights. These Insights identify users, roles, groups, and policies that are exposed to privilege escalation because they grant the combination of permissions noted with each Insight. [ENG-23057]:

    • Identity Resource Privilege Escalation by Passing Owner to New CodeStar Project – Permissions contained: “codestar:CreateProject, codestar:AssociateTeamMember”

    • Identity Resource Privilege Escalation by Passing More Privileged Role to New CodeStar Project – Permissions contained: “iam:PassRole, codestar:CreateProject”

    • Identity Resource Privilege Escalation by Passing Privileged Roles to New Glue Job – Permissions contained: “iam:PassRole, glue:CreateJob”

    • Identity Resource Privilege Escalation by Updating Glue Job Role and Command – Permissions contained: “iam:PassRole, glue:UpdateJob”

    • Identity Resource Privilege Escalation by Creating a Lambda Function and Allowing Another Principal to Invoke – Permissions contained: “iam:PassRole, lambda:AddPermission, lambda:CreateFunction”

    • Resource Privilege Escalation by Creating a Lambda Function and Associating with DynamoDB Table – Permissions contained: “iam:PassRole, lambda:CreateEventSourceMapping, lambda:CreateFunction”

    • Identity Resource Privilege Escalation to Modify the Assume-Role Policy – Permission contained: “iam:UpdateAssumeRolePolicy”

    • Identity Resource Privilege Escalation to Pass Role to Service – Permission contained: “iam:PassRole”

  • Identity Resource Privilege Escalation Passing Role to New Data Pipelines - Updated Insight to use datapipeline:ActivatePipeline. [ENG-23057]
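The Insights above are, at heart, checks for co-occurring Allow permissions. The following Python script is an added example, not InsightCloudSec's own detection code: it reads an IAM policy document, expands action wildcards the way IAM does (case-insensitive, `*` and `?`), and reports which of the permission combinations listed above the policy grants. The combination table is transcribed from the bullets above (the Data Pipelines Insight is omitted because its full permission set is not given here); the three sample policies are constructed for the example. The matcher is deliberately an over-approximation: it ignores Deny statements, NotAction, Resource scoping and Condition keys, so a hit means "worth reviewing", not "confirmed exploitable".

```python
import fnmatch
import json

# Risky permission combinations transcribed from the 23.2.15 Insight list above.
# Each entry: (short Insight name, set of actions that together enable escalation).
RISKY_COMBINATIONS = [
    ("Passing Owner to New CodeStar Project",
     {"codestar:CreateProject", "codestar:AssociateTeamMember"}),
    ("Passing More Privileged Role to New CodeStar Project",
     {"iam:PassRole", "codestar:CreateProject"}),
    ("Passing Privileged Roles to New Glue Job",
     {"iam:PassRole", "glue:CreateJob"}),
    ("Updating Glue Job Role and Command",
     {"iam:PassRole", "glue:UpdateJob"}),
    ("Creating a Lambda Function and Allowing Another Principal to Invoke",
     {"iam:PassRole", "lambda:AddPermission", "lambda:CreateFunction"}),
    ("Creating a Lambda Function and Associating with DynamoDB Table",
     {"iam:PassRole", "lambda:CreateEventSourceMapping", "lambda:CreateFunction"}),
    ("Modify the Assume-Role Policy", {"iam:UpdateAssumeRolePolicy"}),
    ("Pass Role to Service", {"iam:PassRole"}),
]


def _as_list(value):
    """IAM allows Statement/Action to be a single value or a list; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_document):
    """Collect the action patterns from every Allow statement (lower-cased).

    Assumption of this example: Deny, NotAction, Resource and Condition are
    ignored, so the result over-approximates what the policy really grants.
    """
    patterns = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns.extend(a.lower() for a in _as_list(stmt["Action"]))
    return patterns


def grants(patterns, action):
    """True if any pattern (e.g. 'lambda:*', 'iam:pass*') matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def find_risky_combinations(policy_document):
    """Return the names of every risky combination fully granted by the policy."""
    patterns = allowed_actions(policy_document)
    return [name for name, required in RISKY_COMBINATIONS
            if all(grants(patterns, a) for a in required)]


# Constructed sample policies (not real account data).
GLUE_DEPLOYER = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["glue:CreateJob", "glue:GetJob"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/glue-*"}
  ]
}""")

# The wildcard hides lambda:CreateFunction, lambda:AddPermission and
# lambda:CreateEventSourceMapping; a plain string search would miss them.
LAMBDA_ADMIN_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}],
}

READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["glue:Get*", "lambda:List*"], "Resource": "*"}],
}

if __name__ == "__main__":
    for label, policy in [("glue-deployer", GLUE_DEPLOYER),
                          ("lambda-admin-wildcard", LAMBDA_ADMIN_WILDCARD),
                          ("read-only", READ_ONLY)]:
        print(label, "->", find_risky_combinations(policy) or "no risky combinations")
```

Because the `iam:PassRole` in the first sample is scoped to `role/glue-*`, the real blast radius depends on what those roles can do; the script still flags it, which is the right default for triage, and the scoped Resource is exactly the detail a reviewer should check next.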

Query Filters (23.2.15)

  • Database Instance Running Deprecated Engine Version - New Query Filter that identifies Amazon RDS, Neptune, and DocumentDB instances running an unsupported or deprecated engine version. [ENG-22831]

IAM (23.2.15)

  • The AWS IAM blade (opened from the Resources page) now shows the permission level. [ENG-23363]

  • The Principal Activity blade now shows used permissions for service-linked role principals. [ENG-21563]

Bug Fixes (23.2.15)

  • Removed some scheduler metrics logging that was causing a bottleneck in the cache. [ENG-23898]

  • Updated the Insight Cache Instance does not Enforce Encryption at Rest to remove the reference to Memcached instances, and brought the Insight into the standard Insight format. [ENG-23417]

  • Fixed a Layered Context bug: removed the Insight Storage Container without Block Public Access Protection from the list of Insights that flag public accessibility in Layered Context. [ENG-23312]

  • Resolved a rare edge case where viewing some resource types (publicimage, servicemanagedpolicy, servicemanagedpolicydocument) in Layered Context through the Public Accessibility tab of the detail panel caused the endpoint to fail. [ENG-23184]

  • Query Filters that are not configured correctly are now surfaced with a red warning indicator within the Resources section of the product. [ENG-20624]

  • Fixed a bug where the Query Filter Resource has a Private Endpoint did not detect private endpoint connections for Azure SQL Managed Instances. [ENG-16630]


Reference: Required Policies & Permissions

The policies required for each supported CSP are documented on the following pages:

  • Alibaba Cloud

  • AWS

  • Azure

  • GCP

  • Oracle Cloud Infrastructure

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.