23.2.8 Release Notes
Documenting Required Permissions
InsightCloudSec has updated our approach to documenting permissions with the 23.2.8 release.
Each month InsightCloudSec releases support for new resources, Insights, Bot Actions, and other updates that require dozens of permission changes. There is significant effort required to maintain accurate policies and ensure access to these ever-expanding features. We strongly encourage customers to use the policies offered by the providers (for example the AWS managed policy with our small supplemental InsightCloudSec policy) to minimize ongoing manual intervention and ensure the best visibility into our growing coverage.
Important Details to Note:
All required permissions for each CSP are now available as JSON policy files that can be downloaded from our public S3 bucket. The following policies are available (and utilized by the documentation during cloud setup):
- Alibaba Cloud
- AWS
  - Commercial
    - Managed Read Only Supplement Policy
    - Customer-Managed Read Only Policy
    - Commercial Power User Policy
  - GovCloud
    - Read Only Policy
    - Power User Policy
- Azure
- GCP
  - For GCP, since permissions are tied to APIs, there is no policy file to maintain. Refer to our list of Recommended APIs, which is maintained as part of our GCP coverage.
- Oracle Cloud Infrastructure
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.
InsightCloudSec Software Release Notice - 23.2.8 Release
Release Highlights (23.2.8)
InsightCloudSec is pleased to announce Release 23.2.8. This release includes added support for AWS Simple Email Service (SES) Rules for AWS commercial and AWS GovCloud users. For AWS GovCloud users, we now support Inspector. For Azure, this release adds support for Azure Bot Service. We have updates to our new Layered Context feature, and two updates to our IAM functionality (one specific to Access Explorer), details are provided below.
In addition, 23.2.8 includes seven new Insights, two updated Query Filters, eight new Query Filters, one new Bot action, and 13 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.2.8)
Release availability for self-hosted customers is Thursday, February 9, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
New Permissions Required (23.2.8)
New Permissions Required: AWS
For AWS Commercial and GovCloud Standard (Read-Only) Users:
"ses:DescribeReceiptRuleSet"
"ses:ListReceiptRuleSets"

For AWS GovCloud Standard (Read-only) Users:
"inspector:ListFindings"

For AWS GovCloud Power Users:
"inspector:*"

These permissions support the newly added resource AWS Simple Email Service (SES) Rule [ENG-15241] for both AWS commercial and AWS GovCloud Standard (Read-only) users, as well as the addition of AWS Inspector support for AWS GovCloud [ENG-23355].
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
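Before attaching a new policy version, it is worth confirming which of the actions listed above your currently attached policies already grant. The following is an added example, not InsightCloudSec code and not a Rapid7-published policy: it compares the required actions against the Action patterns in one or more policy documents using IAM's case-insensitive, wildcard-aware matching, and reports what is missing. The two policy documents embedded in it are constructed stand-ins, not the actual AWS managed or InsightCloudSec supplemental policies. The check ignores Resource, Condition, NotAction and Deny statements, so a clean result is necessary but not sufficient.

```python
import fnmatch
from typing import Dict, Iterable, List

# Actions this release adds, per policy tier, as listed in the release note.
NEW_AWS_ACTIONS: Dict[str, List[str]] = {
    "commercial_read_only": ["ses:DescribeReceiptRuleSet", "ses:ListReceiptRuleSets"],
    "govcloud_read_only": ["ses:DescribeReceiptRuleSet", "ses:ListReceiptRuleSets",
                           "inspector:ListFindings"],
    "govcloud_power_user": ["ses:DescribeReceiptRuleSet", "ses:ListReceiptRuleSets",
                            "inspector:*"],
}

# Constructed stand-ins (NOT the AWS managed or InsightCloudSec-published policies):
# a read-only supplement written before Inspector support existed, and a
# power-user policy that already grants inspector:*.
READ_ONLY_SUPPLEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ses:Describe*", "ses:List*"], "Resource": "*"},
    ],
}
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ses:*", "inspector:*"], "Resource": "*"},
    ],
}


def allowed_action_patterns(policy: dict) -> List[str]:
    """Collect the Action patterns of Allow statements.

    Deliberately ignores Resource and Condition restrictions, NotAction, and Deny
    statements, so "covered" here is a necessary but not sufficient condition.
    """
    patterns: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def is_covered(required: str, patterns: Iterable[str]) -> bool:
    """IAM action names are case-insensitive and patterns may use '*' and '?'.

    A required wildcard such as inspector:* is only satisfied by an equal or
    broader wildcard, never by a list of individual inspector actions.
    """
    req = required.lower()
    return any(fnmatch.fnmatchcase(req, p.lower()) for p in patterns)


def missing_actions(required: Iterable[str], *policies: dict) -> List[str]:
    """Required actions not granted by any Allow statement across the given policies."""
    patterns = [p for pol in policies for p in allowed_action_patterns(pol)]
    return [a for a in required if not is_covered(a, patterns)]


def demo() -> Dict[str, List[str]]:
    """Run the check for each tier against the constructed stand-in policies."""
    return {
        "commercial_read_only": missing_actions(NEW_AWS_ACTIONS["commercial_read_only"],
                                                READ_ONLY_SUPPLEMENT),
        "govcloud_read_only": missing_actions(NEW_AWS_ACTIONS["govcloud_read_only"],
                                              READ_ONLY_SUPPLEMENT),
        "govcloud_power_user": missing_actions(NEW_AWS_ACTIONS["govcloud_power_user"],
                                               POWER_USER),
    }


if __name__ == "__main__":
    for tier, missing in demo().items():
        print(f"{tier}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run against your real policy documents by loading them with `json.load` and passing them to `missing_actions` in place of the stand-ins; pass both the managed policy and your supplement in one call, since coverage is the union of everything attached to the role.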
New Permission Required: Azure
For Azure Standard (Reader Role) Users:
"Microsoft.BotService/botServices/read"

For Azure Power User Role:
"Microsoft.BotService/*"

These permissions support the newly added resource Azure Bot Service. [ENG-16354]
Features & Enhancements (23.2.8)
FEATURE ENHANCEMENTS: LAYERED CONTEXT
- Layered Context includes a new conditional parameter, 'not in', for filtering. [ENG-22582]
- Within Layered Context, resource details now include an IAM policy tab (for certain resource types). [ENG-23262]
OTHER FEATURE ENHANCEMENTS
- Added Domain Viewer (Read-only Domain Admin) to the possible group mappings for JIT provisioning. [ENG-9879]
Resources (23.2.8)
AWS
- We have added support for AWS Simple Email Service (SES) Rule (Compute category, new Resource type Email Service Rule). Added a new harvester, "EmailServiceRuleHarvester", to harvest SES receipt rules. Three new Query Filters were added: Email Service Rule State, Email Service Rule Scanning State, and Email Service Rule TLS Setting. New permissions are also required for the AWS Commercial and GovCloud read-only policies: "ses:DescribeReceiptRuleSet" and "ses:ListReceiptRuleSets". [ENG-15241]
- AWS has introduced AWS Inspector support for AWS GovCloud, so we are now harvesting resource vulnerabilities identified by AWS Inspector from AWS GovCloud. New permissions are needed: "inspector:ListFindings" for AWS GovCloud Standard (Read-only) users, and "inspector:*" for AWS GovCloud Power Users. [ENG-23355]
- Expanded harvesting support for SageMaker in AWS GovCloud (US-East) and for Storage Gateway in the Zurich and Spain regions. [ENG-23110]
AZURE
- We have added support for Azure Bot Service (Compute category, new Resource type Bot Service). A new permission is required: "Microsoft.BotService/botServices/read". In addition, the following Query Filters have been added:
  - Bot Services Within Particular Resource Group - Identifies Bot Services within a particular resource group.
  - Bot Services with Public Network Access - Identifies Bot Services with public network access enabled.
  - Bot Services Microsoft Application Types - Identifies Bot Services applications which have been registered, by type.
  The following Insights have been added:
  - Bot Services with Public Network Access - Identifies Bot Services which allow public network access.
  - Bot Services Application Registration as Multi-tenant - Identifies Bot Services which were registered as multi-tenant.
  [ENG-16354]
Insights (23.2.8)
AZURE
- We have added four Insights related to Azure Automation Accounts [ENG-23089]:
  - Automation Account with Local Authentication
  - Automation Account with Public Access
  - Automation Account with Source Control Integration
  - Automation Account not using Managed Identity
- We have added two new Insights related to support for Azure Bot Service [ENG-16345]:
  - Bot Services with Public Network Access - Identifies Bot Services which allow public network access.
  - Bot Services Application Registration as Multi-tenant - Identifies Bot Services which were registered as multi-tenant.
- Cloud Account Microsoft Defender for Cloud Log Analytics agent/Azure Monitor agent Not Enabled - New Insight identifies Azure subscriptions which have the Microsoft Defender for Cloud Log Analytics agent/Azure Monitor agent set to off. [ENG-18831]
Query Filters (23.2.8)
AWS
- Cloud Account With Service Control Policy - Enhanced this Query Filter by adding the Not In flag to enable users to find cloud accounts not utilizing specific AWS Service Control Policies. [ENG-23187]
- Added two new Query Filters for Database Migration Endpoints [ENG-23308]:
  - Database Migration Endpoint SSL Mode - Identifies database migration endpoints by SSL mode.
  - Database Migration Endpoint Type - Identifies database migration endpoints by endpoint type.
- Added three new Query Filters related to support for AWS Simple Email Service (SES) Rule [ENG-15241]:
  - Email Service Rule State - Identifies email service rules that are active or inactive (default).
  - Email Service Rule Scanning State - Identifies email service rules by whether their messages are scanned for spam and viruses or not (default).
  - Email Service Rule TLS Setting - Identifies email service rules by whether Transport Layer Security (TLS) is required or optional (default).
AZURE
- We have added three new Query Filters related to support for Azure Bot Service [ENG-16345]:
  - Bot Services Microsoft Application Types - Identifies Bot Services applications which have been registered, by type.
  - Bot Services Within Particular Resource Group - Identifies Bot Services within a particular resource group.
  - Bot Services with Public Network Access - Identifies Bot Services with public network access enabled.
- Cloud Account Microsoft Defender for Cloud Log Analytics agent/Azure Monitor agent Not Enabled (Azure) - Renamed an existing Query Filter to better suit its purpose. The old QF name was Cloud Account Microsoft Defender for Cloud Automatic Provisioning of Monitoring Agent Not Enabled (Azure). [ENG-18831]
IAM (23.2.8)
- Updated the UI within Access Explorer with a revised design/color scheme for permissions, matching the tags from the Azure Permissions blade: red for write/admin, blue for the rest. [ENG-14886]
- Updated the LPA setup test query for greater efficiency, eliminating some errors during LPAAthenaSetupJob that we saw on customers with many accounts. [ENG-22967]
Bot Actions (23.2.8)
AWS
- "Cleanup Unknown/Untrusted Third Party Access From Resource Access Policy" - New high-value Bot action inspects resource access policies to determine whether the resource trusts an unknown or untrusted third party. Specifically, it inspects the policies for Principals with ARNs and then inspects the ARNs for account numbers that are not 1) on an allow list, 2) already onboarded to ICS, or 3) used by AWS to provide services. If the resource access policy trusts an unknown account, it will update the policy by removing the specific ARNs from the affected Principals in the affected statements. The Bot action currently supports twelve resource types:
- ResourceType.BACKUP_VAULT,
- ResourceType.COLD_STORAGE,
- ResourceType.CONTAINER_REGISTRY,
- ResourceType.ELASTICSEARCH_INSTANCE,
- ResourceType.MESSAGE_QUEUE,
- ResourceType.NETWORK_ENDPOINT,
- ResourceType.NOTIFICATION_TOPIC,
- ResourceType.SEARCH_CLUSTER,
- ResourceType.SECRET,
- ResourceType.SERVERLESS_FUNCTION,
- ResourceType.SERVICE_EVENT_BUS,
- ResourceType.STORAGE_CONTAINER
[ENG-18399]
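The logic described above, as an added illustration rather than InsightCloudSec's own implementation: walk a resource policy, pull the account ID out of each AWS principal ARN, and strip any ARN whose account is not in the union of the allow list, the onboarded accounts and the accounts AWS uses to provide services. A statement whose Principal block is left empty is dropped; Service principals and the public principal "*" are left alone, since this action targets third-party accounts. The sample SQS queue policy and account numbers are constructed, and the function names `account_of` and `cleanup_untrusted_principals` are this example's own. It goes slightly beyond the description by also recognising bare 12-digit account IDs as principals.

```python
import copy
import json
import re
from typing import Iterable, List, Optional, Tuple

# Account ID embedded in an IAM principal ARN, e.g. arn:aws:iam::111111111111:root
# or arn:aws-us-gov:iam::111111111111:role/Deploy. Illustrative pattern, not ICS code.
_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def account_of(principal: str) -> Optional[str]:
    """Return the 12-digit account that an AWS principal entry refers to, or None.

    Accepts IAM principal ARNs and bare account IDs; anything else (a service
    name, "*", a CanonicalUser) yields None and is left for a human to review.
    """
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def cleanup_untrusted_principals(policy: dict,
                                 allow_list: Iterable[str],
                                 onboarded: Iterable[str],
                                 aws_service_accounts: Iterable[str]) -> Tuple[dict, List[str]]:
    """Remove principals of unknown accounts from Allow statements.

    Mirrors the three trust sources in the release note. Returns the rewritten
    policy and the principal entries that were removed. The input is not modified.
    """
    trusted = set(allow_list) | set(onboarded) | set(aws_service_accounts)
    cleaned = copy.deepcopy(policy)
    removed: List[str] = []
    kept_statements = []
    for stmt in cleaned.get("Statement", []):
        principal = stmt.get("Principal")
        # Only Allow statements with an explicit "AWS" principal block grant
        # cross-account trust; Deny statements, "*" and Service principals pass through.
        if (stmt.get("Effect") != "Allow" or not isinstance(principal, dict)
                or "AWS" not in principal):
            kept_statements.append(stmt)
            continue
        entries = principal["AWS"]
        entries = [entries] if isinstance(entries, str) else list(entries)
        keep = []
        for entry in entries:
            acct = account_of(entry)
            if acct is not None and acct not in trusted:
                removed.append(entry)
            else:
                keep.append(entry)
        if keep:
            principal["AWS"] = keep[0] if len(keep) == 1 else keep
            kept_statements.append(stmt)
        else:
            del principal["AWS"]
            if principal:  # e.g. a Service principal listed alongside the removed accounts
                kept_statements.append(stmt)
            # otherwise the statement no longer trusts anyone known; drop it entirely
    cleaned["Statement"] = kept_statements
    return cleaned, removed


# Constructed sample: an SQS queue policy in account 111111111111 that also trusts
# two accounts nobody onboarded. Not a real customer policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Partners", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::999999999999:role/Exfil"]},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
        {"Sid": "Stranger", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sqs:*",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
        {"Sid": "Events", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
    ],
}


def demo() -> Tuple[dict, List[str]]:
    """Clean the sample with only the owning account onboarded and an empty allow list."""
    return cleanup_untrusted_principals(SAMPLE_POLICY, allow_list=[],
                                        onboarded=["111111111111"],
                                        aws_service_accounts=[])


if __name__ == "__main__":
    cleaned, removed = demo()
    print(json.dumps(cleaned, indent=2))
    print("removed:", removed)
```

Before wiring this kind of rewrite into automation, diff the returned policy against the original and review the `removed` list: an account missing from your allow list is not always an attacker, and a queue or bucket policy that silently loses a legitimate partner fails open for nobody but fails loudly for the partner.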
Bug Fixes (23.2.8)
- Fixed an issue where, in some cases, we were keeping track of the last run time for unnecessary jobs, which made the Background Processors view slow. [ENG-23406]
- Fixed an issue with permissions not displaying for the Azure Policy resource type, due to the permission missing the read suffix. [ENG-23389]
- Fixed an edge case where it was not possible to disable dynamic harvesting through the modal. [ENG-23364]
- Fixed a bug with the Query Filter Resource Encrypted With Cloud Managed Key that would cause Bot failures when called during resource harvesting. [ENG-23330]
- Fixed an issue when checking cloud visibility for Azure Microsoft Graph permissions. [ENG-23303]
- Fixed a bug where, in some cases, the Compliance Scorecard was not generated when exempted resources were no longer non-compliant. [ENG-23258]
- Fixed a bug where async download jobs were marked as success even when there were errors.
- Fixed a bug where Azure Bot actions without the correct permissions to perform the action were logging this error incorrectly. [ENG-23241]
- Fixed a bug where Insights would be marked as favorite when their configuration/metadata was modified. [ENG-23240]
- Made 'StopDatabaseInstance' and 'StartDatabaseInstance' actions work for Azure Database for MySQL servers. Note: These actions apply to Azure Database for MySQL/PostgreSQL/MariaDB servers only. [ENG-23227]
- Fixed an edge case with the Query Filter Resource Specific Policy Principal/Action Search that could occur when a corrupt IAM policy was encountered. This rare case appears to have been possible to introduce only via the API. [ENG-23198]
- Resolved an issue with updating the list of harvesting regions to include a missing Azure region. [ENG-23112]
- Hardened "Toggle Agent View" by correlating IVM assets to ICS resources using ICS resource IDs. [ENG-22042]
- Fixed an error in Bot Action "Cleanup Exposed Storage Container". See the new Bot action "Cleanup Unknown/Untrusted Third Party Access From Resource Access Policy". [ENG-18399]