23.2.15 Release Notes


Required Permissions - Reference

With our previous release (23.2.8), InsightCloudSec has updated our approach to documenting all permissions. Permissions are provided in a single location and updated with each release.

23.2.15 and all future releases will include a reference section at the end of the release notes page with links to individual policy files.

InsightCloudSec Software Release Notice - 23.2.15 Release

Release Highlights (23.2.15)

InsightCloudSec is pleased to announce Release 23.2.15. This release includes nine updated Insights, one new Query Filter, and six bug fixes.


Self-Hosted Deployment Updates (23.2.15)

Release availability for self-hosted customers is Thursday, February 16, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Insights (23.2.15)


  • Added new Risky Permission Insights. These Insights identify users, roles, groups, and policies that are vulnerable to privilege escalation because they contain the permissions noted with the Insight. [ENG-23057]:

    • Identity Resource Privilege Escalation by Passing Owner to New CodeStar Project – Permissions contained: “codestar:CreateProject, codestar:AssociateTeamMember”

    • Identity Resource Privilege Escalation by Passing More Privileged Role to New CodeStar Project – Permissions contained: “iam:PassRole, codestar:CreateProject”

    • Identity Resource Privilege Escalation by Passing Privileged Roles to New Glue Job – Permissions contained: “iam:PassRole, glue:CreateJob”

    • Identity Resource Privilege Escalation by Updating Glue Job Role and Command – Permissions contained: “iam:PassRole, glue:UpdateJob”

    • Identity Resource Privilege Escalation by Creating a Lambda Function and Allowing Another Principle to Invoke – Permissions contained: “iam:PassRole, lambda:AddPermission, lambda:CreateFunction”

    • Resource Privilege Escalation by Creating a Lambda Function and Associating with DynamoDB Table – Permissions contained: “iam:PassRole, lambda:CreateEventSourceMapping, lambda:CreateFunction”

    • Identity Resource Privilege Escalation to Modify the Assume-Role Policy – Permission contained: “iam:UpdateAssumeRolePolicy”

    • Identity Resource Privilege Escalation to Pass Role to Service – Permission contained: “iam:PassRole”

  • Identity Resource Privilege Escalation Passing Role to New Data Pipelines - Updated Insight to use datapipeline:ActivatePipeline. [ENG-23057]

Query Filters (23.2.15)

  • Database Instance Running Deprecated Engine Version - New Query Filter identifies Amazon RDS/Neptune/DocumentDB instances that are running unsupported/deprecated engine version. [ENG-22831]

IAM (23.2.15)

  • We are now showing the Permission level in the AWS IAM blade (from Resources page). [ENG-23363]

  • Principal activity blade now shows used permissions for service-linked-role principals. [ENG-21563]

Bug Fixes (23.2.15)

  • Updates to remove some scheduler metrics logging that were causing a bottleneck in our cache. [ENG-23898]

  • Updated Insight Cache Instance does not Enforce Encryption at Rest to remove reference to Memcache instances; updated the Insight to the standard Insight format. [ENG-23417]

  • Fixed a Layered Context bug; removed Insight Storage Container without Block Public Access Protection from list of Insights that flag public accessibility for layered context. [ENG-23312]

  • This fix resolves a rare edge case where some resources such as (publicimage, servicemanagedpolicy, servicemanagedpolicydocument), when viewed in Layered Context in the detail panel through the Public Accessibility tab, caused endpoint to fail. [ENG-23184]

  • Query Filters which are not configured correctly will now be surfaced with a red warning indicator within the Resources section of the product. [ENG-20624]

  • Fixed a bug related to Query Filter Resource has a Private Endpoint not picking up private endpoint connections for Azure SQL Managed Instances. [ENG-16630]


Reference: Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud




Oracle Cloud Infrastructure

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.