Feb 14, 2018

18.1 Release Notes

The first release of the year, 18.1, dives deeper into industry compliance standards, provides greater Google Cloud Platform and VMware support, and enhances badge capabilities within the tool.

Insights have grown since their introduction late last year. Now, Insights suggest actions to resolve findings, show how enabled bots have taken action to enforce compliance and can flag issues as resolved.

Next, DivvyCloud expands and enhances its cloud coverage across Google and VMware by adding support for additional resources as well as server provisioning capabilities and lifecycle actions.

Lastly, you can now do more with Badges, a DivvyCloud feature that allows you to add and use global metadata to manage your cloud infrastructure. You can now dynamically scope Bots using AND/OR logic, add Badges to new or existing cloud accounts, and leverage them to simplify role-based access at scale.

Release Highlights

Insights and Industry Compliance Standard Support

  • Tighter compliance context surrounding various frameworks.
  • Recommendations for automated correction, monitoring and enforcement using Bots
  • Visualize results of corrective actions taken by Bots to keep infrastructure in compliance with Insight Packs

Additional Cloud Support

VMware

  • Provision virtual machines
  • Resize virtual machines
  • Virtual machine snapshots
  • Support for vApps

Google Cloud Platform

  • Added support for Google Cloud Storage
  • Extended support for Google Cloud SQL
  • Added support for Google Cloud Functions

Amazon Web Services

  • Support for ACM (Certificate Manager)
  • S3 bucket website configuration
  • S3 bucket lifecycle configuration

Enhanced Badge Support

  • Dynamically scope Bots using AND/OR logic for Bot scope
  • Automatically add System Badges to existing and future cloud accounts
  • Associate badge key/value scopes with a role for identity management

Added Resource Tags Modified Hookpoint

In BotFactory, we have added a new hookpoint, Resource Tags Modified. As the name implies, this hookpoint triggers only when the tags of a resource change. This should really help with Tag Audit Bots that take action.

Improved Cloud Listing

The Clouds view now shows additional data about connected cloud accounts and allows sorting on a variety of key properties. Visual status indicators are now included when one or more cloud accounts are in an impaired state.

Global Health Check

18.1 now includes a global health check. If the system has not harvested anything across the whole organization in four hours, customers will see an alert at the top of the screen when they log in, regardless of which page they are redirected to on login. This message can be dismissed and won’t show again unless the client is reloaded. * Note: If you see this as a developer, it’s because you haven’t harvested in four hours. Don’t panic! ;)

New Automation Actions

Disable User Account

Prevent a user from accessing the account’s resources for a certain time. This is helpful if someone has left the company, if they’ve disabled multifactor authentication, or if their key is too old and/or hasn’t been used in a specific amount of time.

Disable API Key

Disabling an API key means it can no longer be used for API calls. You can do this when rotating keys, or when revoking user/application access altogether.

Set Minimum/Maximum Autoscaling Group Size

Ensuring your autoscaling groups never go over or under a certain size can help with cost allocation and availability.

Enable/Disable Encryption Key Rotation

Automatically toggle the key rotation property for encryption keys such as AWS KMS.

New Insights, Filters, & Bots

Load Balancer Type

Filtering for specific load balancer types, i.e., classic, application, or network, will allow you to find orphaned load balancers, which is good for cost and containment.

Load Balancer Has Impaired Instances

Works across all three types of Load Balancers. We surface any unhealthy hosts which can help with cost and ensure your load balancers are functioning correctly.

Instances in/not in Autoscaling Group

Filter for instances participating or not participating in Autoscaling Groups.

Autoscaling Group Subnet Count

Filter to determine the number of subnets an Autoscaling Group is using.

Autoscaling Does/Does Not Support Multiple Availability Zones

Filter to identify autoscaling groups that are or are not in multiple Availability Zones.

Cloud User With Multiple API Keys

Filtering to find users with multiple API keys helps enforce least-privilege access, aiding in policy and regulatory compliance.

Encryption Keys Without Key Rotation

Rotating encryption keys reduces the blast radius of material leaked by a single key compromise. Finding and ensuring rotation can help strengthen security measures.

Exposed Elasticsearch Instances

Finding and locking down exposed Elasticsearch Instances protects sensitive data and adheres to industry best practices.

Database Instances Without Automatic Backups

Database Instances persist important data, which must be backed up in case of any unforeseen issues.

Cloud User API Key Active/Inactive

Filtering to find users with active or inactive API keys helps enforce least-privilege access, aiding in policy and regulatory compliance.
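The three API-key conditions mentioned in these notes (a user holding multiple keys, keys that are inactive, and keys that are too old or unused for too long, as in the Disable User Account action above) are the kind of check a governance tool evaluates over an access-key inventory. The following is an added example of that evaluation logic and is not DivvyCloud's own code; the ApiKey and CloudUser classes, the finding labels, the thresholds and the inventory are all constructed for illustration.

```python
"""Access-key hygiene checks over a constructed inventory (added example, not DivvyCloud code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed reference time so the constructed sample is reproducible;
# a real run would use datetime.now(timezone.utc).
NOW = datetime(2018, 2, 14, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ApiKey:
    key_id: str                    # constructed placeholder, not a real key id
    active: bool
    created: datetime
    last_used: Optional[datetime]  # None: the key has never been used


@dataclass(frozen=True)
class CloudUser:
    name: str
    keys: tuple


def active_keys(user):
    return [k for k in user.keys if k.active]


def has_multiple_active_keys(user):
    """More than one active key per user is hard to attribute and hard to rotate cleanly."""
    return len(active_keys(user)) > 1


def inactive_keys(user):
    """Inactive keys still exist and can be re-enabled, so list them for cleanup."""
    return [k.key_id for k in user.keys if not k.active]


def stale_keys(user, max_age_days, max_idle_days, now=NOW):
    """Return (key_id, reason) pairs for active keys that are too old or idle for too long."""
    findings = []
    for k in active_keys(user):
        age = now - k.created
        # A key that has never been used has been idle since it was created.
        idle = now - (k.last_used or k.created)
        if age > timedelta(days=max_age_days):
            findings.append((k.key_id, "exceeds_max_age"))
        if idle > timedelta(days=max_idle_days):
            findings.append((k.key_id, "exceeds_max_idle"))
    return findings


def evaluate(users, max_age_days=90, max_idle_days=30, now=NOW):
    """Map each user name to the list of findings raised for that user (empty list means clean)."""
    report = {}
    for user in users:
        findings = []
        if has_multiple_active_keys(user):
            findings.append("multiple_active_keys")
        findings += [f"inactive_key:{kid}" for kid in inactive_keys(user)]
        findings += [f"{reason}:{kid}"
                     for kid, reason in stale_keys(user, max_age_days, max_idle_days, now)]
        report[user.name] = findings
    return report


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed inventory covering each condition once.
SAMPLE_USERS = (
    CloudUser("alice", (ApiKey("KEY-ALICE-1", True, days_ago(30), days_ago(2)),)),
    CloudUser("bob", (ApiKey("KEY-BOB-1", True, days_ago(10), days_ago(1)),
                      ApiKey("KEY-BOB-2", True, days_ago(5), days_ago(1)))),
    CloudUser("carol", (ApiKey("KEY-CAROL-1", True, days_ago(400), days_ago(1)),
                        ApiKey("KEY-CAROL-2", False, days_ago(500), days_ago(450)))),
    CloudUser("dave", (ApiKey("KEY-DAVE-1", True, days_ago(60), None),)),
)

if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_USERS).items():
        print(f"{name}: {findings or 'ok'}")
```

Idle time for a never-used key is measured from its creation date; otherwise a key that was issued and forgotten would never trip the idle threshold, which is exactly the case the Disable User Account action is meant to catch.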

Database Instances Not Enforcing Transit Encryption

Enforcing transit encryption helps ensure the authenticity, integrity, and privacy of data in transit.

Resource Access List Rule Source Network

Filter to find potentially malicious/unapproved IP ranges within rule definitions.

Big Data Instance Security Group Exposed

Expansion of the Database Instance Security Group Exposed filter, which finds instances with Security Groups permitting public access.

Security Group With Non-RFC 1918 IP Addresses

Customers can now identify rules in Security Groups that use public IP addresses rather than private (RFC 1918) addresses. This is especially important for highly regulated customers who cannot have public-facing compute capacity.
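Deciding whether a rule source is "private" is slightly more than a prefix match: a CIDR that merely overlaps RFC 1918 space (10.0.0.0/7, say) still admits public addresses, 0.0.0.0/0 deserves its own label, and RFC 1918 says nothing about IPv6. The following is an added example of that classification and is not DivvyCloud's own filter code; the rule dictionary shape and the sample rules are constructed, and the addresses used are documentation ranges.

```python
"""Flag security group rules whose source is not wholly inside RFC 1918 space (added example)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True only if every address in `cidr` lies inside a single RFC 1918 block.

    A range such as 10.0.0.0/7 overlaps private space but also covers public
    addresses, so it is deliberately not treated as private.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False  # RFC 1918 defines IPv4 private space only
    return any(net.subnet_of(block) for block in RFC1918)


def classify_source(cidr):
    """Label a rule source as 'any', 'private' or 'public' for reporting."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"      # 0.0.0.0/0 or ::/0: open to the world
    if is_rfc1918(cidr):
        return "private"
    return "public"       # includes ranges that only partly overlap private space


def non_rfc1918_rules(rules):
    """Return the rules whose source is not wholly private."""
    return [r for r in rules if classify_source(r["source"]) != "private"]


# Constructed sample rules; the dict shape is assumed for illustration.
SAMPLE_RULES = [
    {"group": "sg-app", "port": 443, "source": "10.1.0.0/16"},
    {"group": "sg-app", "port": 22, "source": "203.0.113.0/24"},   # TEST-NET-3 documentation range
    {"group": "sg-db", "port": 5432, "source": "172.16.5.0/24"},
    {"group": "sg-db", "port": 5432, "source": "172.32.0.0/16"},   # just past the 172.16/12 block
    {"group": "sg-web", "port": 80, "source": "0.0.0.0/0"},
    {"group": "sg-mgmt", "port": 22, "source": "10.0.0.0/7"},       # overlaps 10/8 but exceeds it
    {"group": "sg-v6", "port": 443, "source": "2001:db8::/32"},     # IPv6 documentation prefix
]

if __name__ == "__main__":
    for r in non_rfc1918_rules(SAMPLE_RULES):
        print(f"{r['group']} port {r['port']} from {r['source']}: {classify_source(r['source'])}")
```

`subnet_of` (Python 3.7+) does the containment check; a plain string-prefix test would wrongly accept 172.32.0.0/16 as private because it "starts with 172".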

Network Peers connected to unknown accounts

Identify network peering with account IDs that are not connected to the DivvyCloud platform or not in your AWS Organization.

Compute Instance Source Image Exceeds Age

Filtering to find instances whose underlying image exceeds a given age. Older images are likely to have out-of-date packages or system errata.

Compute Instances With Unencrypted Volumes

This is helpful if you have to adhere to specific regulatory frameworks such as HIPAA that mandate that such data be encrypted.

Storage Container Default Storage Class

Filter to find storage containers by storage class type. This information can help you understand the cost, availability per region, and monthly uptime percentage for your storage containers.

Storage Container Is/Is Not Website

Find storage containers that have/have not been configured to serve as websites, so they are not flagged as exposed to the world, which helps remove false positives.

Storage Container With/Without Lifecycle Policy

Filter to find storage containers that have lifecycle policies, e.g., archive objects older than X, in place. This helps with cost containment/control.

Developer/Administrator Notes

Important

For Amazon Web Services customers, the role/user policy associated with each connected account will need to be adjusted to include the following permissions:

"acm:ListCertificates",
"acm:DescribeCertificate",
"acm:ListTagsForCertificate",
"acm:RemoveTagsFromCertificate",
"acm:AddTagsToCertificate"