23.2.28 Release Notes

Required Permissions - Reference

InsightCloudSec has updated our approach to documenting all permissions. Permissions are provided in a single location and updated with each release.

23.2.28 and all future releases will include a reference section at the end of the release notes page with links to individual policy files.

InsightCloudSec Software Release Notice - 23.2.28 Release

Important Updates to Endpoint Handling

InsightCloudSec’s 23.2.28 release includes updates to our internal webserver library, Flask. As a result, some of our endpoint handling has changed in the following ways:

  • Any requests submitting JSON to an endpoint must explicitly include the Content-Type: application/json header (e.g. for POST requests).
  • Any requests POSTing empty bodies may fail with a 500 error as empty bodies for endpoints that expect one aren’t valid JSON.
  • Plugins that declare custom endpoints will also be affected by the above changes.

For more information about the above changes, refer to the details here. [ENG-23896]

Release Highlights (23.2.28)

InsightCloudSec is pleased to announce Release 23.2.28. This release includes the GA launch of our new Host Vulnerability Management feature, two new Compliance Packs (one for MITRE Att&ck Mitigations and one for Azure Security Benchmark V3), and support for two new resources, one for AWS and one for GCP. 23.2.28 also provides updates to our IAM policy behaviors, a new AWS China policy to help manage permissions, expanded support for EDH, and added details in our Resources CSV export.

In addition, 23.2.28 includes 12 new Insights, two updated Insights, three updated Query Filters, four new Query Filters, three new Bot actions, and four bug fixes.

Self-Hosted Deployment Updates (23.2.28)

Release availability for self-hosted customers is Thursday, March 2, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

New Permissions (23.2.28)

New Permissions: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users:
"health:DescribeEvents"

For AWS Commercial Power Users and AWS GovCloud Power Users:
"health:*"

These permissions are part of our added support to harvest the newly added AWS Health Dashboard resource [ENG-21307] for both AWS Commercial and AWS GovCloud Standard (Read-Only) users.

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

Features & Enhancements (23.2.28)

Introducing Host Vulnerability Management

23.2.28 includes our GA release for the new Host Vulnerability Management (HVM) feature. HVM enables Security and DevOps teams to efficiently view, prioritize, and orchestrate the response to vulnerabilities (Common Vulnerabilities and Exposures (CVEs)) detected on host instances across their cloud accounts. HVM Capabilities include:

  • Comprehensive assessment and visibility
  • Vulnerability Risk scores for each CVE calculated by a new, proprietary model leveraging intelligence about available exploits and their use by attackers in the wild
  • Advanced filters to narrow the focus on select resources and their packages and vulnerabilities for risk-based prioritization and remediation
  • Recommended solutions for each vulnerability as package and OSS version updates
  • Actions and automation that trigger alerts, ticketing, remediation workflows, and data exports

Check out product documentation for complete details on this feature including capabilities, configuration, and the user guide.

Updates to IAM Policy Behaviors

For Alibaba Cloud, AWS, Azure, and Google Cloud Platform, we have added new properties to Identity Resources, i.e., Users, Groups, Roles, and Policies. We analyze IAM policies as to whether they contain write permission, admin permission, or are vulnerable to privilege escalation.

The analysis does not inspect the IAM policies for Conditions or limitations imposed by Service Control Policies. The analysis is focused on surfacing the relevant permissions in Policies and where they are in effect with Users, Groups, and Roles.

The definitions for write permission, admin permission, and privilege escalation vary by cloud type. [ENG-23558]

They are:

Alibaba Cloud

Write permission: Permissions that are not included in the service-wide policy ReadOnlyAccess

Admin permission: Permissions that include * and :*

Privilege escalation: The following permissions:

"ram:AddUserToGroup",
"ram:AttachGroupPolicy",
"ram:AttachRolePolicy",
"ram:AttachUserPolicy",
"ram:CreateAccessKey",
"ram:CreateLoginProfile",
"ram:CreatePolicyVersion",
"ram:PassRole",
"ram:PutGroupPolicy",
"ram:PutRolePolicy",
"ram:PutUserPolicy",
"ram:SetDefaultPolicyVersion",
"ram:UpdateAssumeRolePolicy",
"ram:UpdateLoginProfile",

AWS

Write permission: Permissions that are not included in the service-wide policy ReadOnlyAccess

Admin permission: Permissions that include * and :*

Privilege escalation: The following permissions:

"codestar:AssociateTeamMember",
"codestar:CreateProject",
"glue:UpdateDevEndpoint",
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:CreatePolicyVersion",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateLoginProfile",
"lambda:UpdateFunctionCode",

Azure

Write permission: Permissions that do not end in /read

Admin permission: *

Privilege escalation: The following permissions:

"Microsoft.Authorization/roleDefinitions/write",
"Microsoft.Authorization/roleAssignments/write"

Google Cloud Platform

Write permission: Permissions that do not end in get, list, aggregatedList, or getIamPolicy

Admin permission: There is no admin policy for GCP, so we assess whether a policy has admin-level access by the number of permissions. Currently > 7,200.

Privilege escalation: The following permissions either individually or in stated combination:

"deploymentmanager.deployments.create",
"iam.roles.update",
"iam.serviceAccountKeys.create",
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.getAccessToken",
"iam.serviceAccounts.implicitDelegation",
"iam.serviceAccounts.signBlob",
"iam.serviceAccounts.signJwt",
  [
    "cloudfunctions.functions.sourceCodeSet",
    "cloudfunctions.functions.update",
    "iam.serviceAccounts.actAs",
  ],  # All three required
  [
    "cloudfunctions.functions.call",
    "cloudfunctions.functions.create",
    "cloudfunctions.functions.sourceCodeSet",
    "iam.serviceAccounts.actAs",
  ],  # All four required; cloudfunctions.functions.call version
  [
    "cloudfunctions.functions.create",
    "cloudfunctions.functions.setIamPolicy",
    "cloudfunctions.functions.sourceCodeSet",
    "iam.serviceAccounts.actAs",
  ],  # All four required; cloudfunctions.functions.setIamPolicy version
  [
    "compute.disks.create",
    "compute.instances.create",
    "compute.instances.setMetadata",
    "compute.instances.setServiceAccount",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "iam.serviceAccounts.actAs",
  ],  # All seven required
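As an added illustration (not InsightCloudSec code) of how the AWS and GCP definitions above can be applied to a policy's permission list, the following classifier returns the write, admin and privilege-escalation findings for each cloud. READ_ONLY_AWS is a constructed excerpt standing in for the AWS-managed ReadOnlyAccess policy, and the privilege-escalation sets are subsets of the lists above; the > 7,200 GCP threshold is the one stated on this page.

```python
"""Classify policy permissions as write / admin / privilege escalation.

Added example, not InsightCloudSec code. READ_ONLY_AWS is a constructed
excerpt of the AWS-managed ReadOnlyAccess policy; the other sets are
subsets of the definitions given in the release notes above.
"""
from fnmatch import fnmatch

# Constructed excerpt of ReadOnlyAccess (the real policy is far longer).
READ_ONLY_AWS = {"s3:GetObject", "s3:ListBucket", "iam:GetUser", "ec2:Describe*"}
AWS_PRIVESC = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
               "iam:PutUserPolicy", "lambda:UpdateFunctionCode"}  # subset of list
GCP_READ_SUFFIXES = ("get", "list", "aggregatedList", "getIamPolicy")
GCP_ADMIN_THRESHOLD = 7200  # GCP has no admin policy; the page uses a count
GCP_PRIVESC_SINGLE = {"iam.serviceAccountKeys.create", "iam.serviceAccounts.actAs",
                      "iam.serviceAccounts.getAccessToken", "iam.roles.update"}
GCP_PRIVESC_COMBOS = [  # every member must be present for the combination to count
    frozenset({"cloudfunctions.functions.sourceCodeSet",
               "cloudfunctions.functions.update", "iam.serviceAccounts.actAs"}),
    frozenset({"compute.disks.create", "compute.instances.create",
               "compute.instances.setMetadata", "compute.instances.setServiceAccount",
               "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
               "iam.serviceAccounts.actAs"}),
]


def classify_aws(actions):
    """Return the write, admin and privilege-escalation actions of an AWS policy.

    An action is 'write' unless some ReadOnlyAccess entry (which may carry a
    wildcard) matches it. Wildcards inside the policy's own actions are not
    expanded, so "s3:Get*" is conservatively reported as write."""
    actions = set(actions)
    write = {a for a in actions if not any(fnmatch(a, ro) for ro in READ_ONLY_AWS)}
    admin = {a for a in actions if a == "*" or a.endswith(":*")}
    return {"write": write, "admin": admin, "privesc": actions & AWS_PRIVESC}


def classify_gcp(permissions):
    """Same classification under the GCP rules: suffix-based write test,
    count-based admin test, and single or combined privilege-escalation sets.
    'privesc' lists each matched single permission and each complete combo."""
    permissions = set(permissions)
    write = {p for p in permissions if not p.endswith(GCP_READ_SUFFIXES)}
    privesc = [frozenset({p}) for p in sorted(permissions & GCP_PRIVESC_SINGLE)]
    privesc += [combo for combo in GCP_PRIVESC_COMBOS if combo <= permissions]
    return {"write": write, "admin": len(permissions) > GCP_ADMIN_THRESHOLD,
            "privesc": privesc}
```

Note that, like the analysis described above, this ignores policy Conditions and Service Control Policies, so a finding means the permission is present in the document, not that it is effective in every context.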

Updates to AWS China Policy

23.2.28 includes a new policy that pairs with the AWS China ReadOnlyAccess policy. The combined use of these policies provides read-only access to the AWS environment and should reduce the need for policy maintenance as new resources are supported. [ENG-23911]

Additional Features and Enhancements

  • We have added EDH tagging (add/remove) support for AWS Parameter Store parameters. [ENG-23793]

  • Updated the resource CSV export for private images, snapshots, and SSM documents to include the trusted account listing. [ENG-23563]

  • AWS EDH now supports SES, specifically the following events organized by their two resources:

"emailservicedomain": [
    "CreateEmailIdentity",
    "DeleteEmailIdentity",
    "CreateEmailIdentityPolicy",
    "UpdateEmailIdentityPolicy",
],
"emailservicerule": [
    "CreateReceiptRuleSet",
    "DeleteReceiptRuleSet",
    "UpdateReceiptRuleSet",
    "CreateReceiptRule",
    "DeleteReceiptRule",
    "UpdateReceiptRule",
    "SetActiveReceiptRuleSet",
],

[ENG-17050]

Resources (23.2.28)

AWS

  • New AWS Resource - AWS Health Dashboard, which we generalize as Service Health Events. These events track the availability and operations of AWS services at the global and account-specific level. The following new permissions are required: "health:DescribeEvents" and "health:*", and these apply for both AWS Commercial and AWS GovCloud. In addition, as part of this support we have added the following Query Filters:

    • Service Health Event Scope Code
    • Service Health Event Service
    • Service Health Event Status Code
    • Service Health Event Type Category
      [ENG-21307]
  • Expanded Support for Resource - We have added delete support for AWS NAT Gateways using BotFactory and Resource Details. [ENG-23572]

  • We have added the ability to include Tags when bulk downloading Resources. The Tag Keys will download as an additional column and will populate with Resource Tag Values. [ENG-20488]

GCP

  • New GCP Resource - GCP Cloud Logging bucket. This new resource appears in InsightCloudSec as ICS: (Network) Network Flow Log → (GCP) Logging Bucket. Support for this new resource also includes a new Query Filter, Network Flow Log Retention Threshold, for customers to audit Logging Buckets based on their retention policy. [ENG-23886]

Insights (23.2.28)

Azure Security Benchmark V3 - Compliance Pack

New Compliance Pack - We have created the Azure Security Benchmark V3 Pack. The Azure Security Benchmark (ASB) provides best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas; you can learn more about it here. [ENG-23525, ENG-22576]

MITRE Att&ck Mitigations - New Compliance Pack

MITRE Att&ck Mitigations pack is a new out of the box pack with ICS insights that align with MITRE’s Att&ck Mitigations. These mitigations represent security concepts and classes of technologies that can be used to help prevent a technique or sub-technique from being successfully executed. [ENG-21728]

AWS

  • New Insight - We have added a new Insight and Query Filter, Database Instance Running Deprecated Engine Version, that identifies Amazon RDS/Neptune/DocumentDB instances running unsupported or deprecated engine versions. [ENG-22831]

  • We have updated the details of the Insight Serverless Function Exposed to the Public to make it more clear that the Insight is using the updated definition when assessing whether a Lambda function is public or not. [ENG-23828]

  • The Insight Cloud User Has Direct Permissions aligns with AWS CIS Benchmark 1.15 and has been updated to revise the CIS Remediation Steps. [ENG-23540]

GCP

We have expanded our GCP support to include the following Insights:

  • Airflow Environment Allows Public Access
  • App Run Service Allows Public Access
  • Artifact Registry Allows Public
  • Cloud Role Authorized From Unknown Project
  • DNS Domain With Registrant Privacy Protection Disabled
  • Stackdriver Sink Exporting To Unknown Project
  • Kubernetes Cluster Configured With Autopilot
  • Kubernetes Cluster without Shielded Nodes
  • Kubernetes Cluster Not Using Secure Boot
  • Kubernetes Cluster Not Using Integrity Monitoring

GCP/AWS

This Insight expands support for both GCP and AWS:

  • Cloud Managed Secret Allows Public Access

All Insights listed above are included in the work performed in [ENG-23957]

Query Filters (23.2.28)

AWS

  • New Query Filter - Content Delivery Network Without Default Cache Policy, that can be used to help customers identify AWS CloudFront resources without a default caching policy. [ENG-22833]

  • New Query Filter - Database Instance Running Deprecated Engine Version, which identifies Amazon RDS/Neptune/DocumentDB instances running unsupported or deprecated engine versions. [ENG-22831]

  • Updated Query Filter - Access List Rule Source/Destination Network to work with AWS managed prefix lists. [ENG-20773]

GCP

  • New Query Filter - Network Flow Log Retention Threshold, which adds GCP Logging Buckets to the Network Flow Log resource type and allows customers to audit Logging Buckets based on their retention policy. [ENG-23886]

MULTI-CLOUD

  • Updated Query Filter - Identity Resource Has Policy now includes a "not in" option to more easily find users, groups, and roles by policies that are not attached, e.g., not "read" policies. [ENG-23832]

  • Updated Query Filter - We have updated supported runtimes in the Query Filter Serverless Function By Runtime Language to include newly added runtimes. [ENG-23731]

  • New Query Filter - Resource Shared With Account, which can be used to find resources that are shared with any account. This Query Filter supports GCP, AWS (including Gov and China), and Azure (including Gov and China). [ENG-23585]

IAM (23.2.28)

Refer to the detailed notes on changes to the IAM Policy behaviors under Features & Enhancements.

Bot Actions (23.2.28)

  • New Bot Action "Generate LPA Permissions Summary", to store LPA Summary data to S3. This can be one off, or scheduled regularly. This requires Least-Privileged Access (LPA) to be configured and works with the Resource types Cloud Users and Cloud Roles. It is best combined with the Cloud User or IAM Role That Has Unused Permissions Query Filter to refine resources before retrieving their principal permission usage (used/unused/unassessed) and storing the data to the LPA S3 Bucket (this bucket is configured in the IAM Settings). [ENG-23581]

  • We have added a BotFactory action “Modify Database Instance Volume Type” to modify AWS RDS volumes, for example from gp2 to gp3 storage type, which is the latest default storage type and offers significant cost savings over the legacy gp2 volume type. [ENG-23373]

  • New Bot action, “Modify ML Instance Attribute”, allows users to modify ML instance attributes. The supported attributes are enabling or disabling the root user and updating the minimum metadata service version. This Bot action is available for AWS Commercial, AWS China, and AWS GovCloud. [ENG-21447]

Bug Fixes (23.2.28)

  • Fixed a bug that would not finalize EDH producer removal and reset the account back to standard harvesting. [ENG-23265]

  • Fixed a bug where some intrinsic functions were not resolvable because they did not have enough context. Some scan issues that were previously reported as scan errors are now reported as scan warnings, and reasonable default values are applied when some values are unknown. [ENG-23381]

  • Serverless functions harvested that fail to associate with a function app now default their target resource in the DB to None rather than the function app's provider ID so it is more obvious which functions have failed to associate to an app. [ENG-18109]

  • We’ve updated the Insight Database Instance With Zero Connections to use information from Trusted Advisor rather than CloudWatch to provide improved data reliability. [ENG-15060]

Reference: Required Policies & Permissions

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.