Aug 17, 2020

DivvyCloud is pleased to announce minor release 20.3.4

Latest 20.3 Release

Release Highlights 20.3.4 (08/17/2020)

DivvyCloud announces Minor Release 20.3.4. This minor release includes several new features, enhancements, and filters; two new Azure permissions that support harvesting of Azure Container Registry images and their vulnerability data; two new S3 EDH events plus EDH support for the AllocateAddress event; and several bug fixes.

Skip ahead to review the new Azure permissions and the full details for this release. As always, contact us at support@divvycloud.com with any questions.

Table of Contents

  • Major Release 20.3 (07/16/2020)
  • Minor Release 20.3.1 (07/23/2020)
  • Minor Release 20.3.2 (07/30/2020)
  • Minor Release 20.3.3 (08/05/2020)
  • Minor Release 20.3.4 (08/17/2020)

Divvy Software Release Notice - 20.3 Major Release (07/16/2020)

DivvyCloud is pleased to present Major Release 20.3. Highlights of this major release are listed below.

As always, contact us at support@divvycloud.com with any questions.

Release Highlights (20.3)

ISO 27001 COMPLIANCE PACK

DivvyCloud’s new ISO 27001 Compliance Pack contains dozens of new checks that map to ISO 27001:2013 controls. For complete details on the updated compliance pack, click here. [ENG-3885]

COMPLIANCE SCORECARD - NEW FEATURES & ENHANCEMENTS

Multiple enhancements have been made to the Scorecard. These include:

  • The scorecard heatmap now displays the last time (in UTC) a successful harvest occurred; the UTC timestamp appears immediately after upgrading. [ENG-3784]
  • The Compliance Scorecard export now includes 14-day historical totals for Insight Pack violations by severity over time, as well as aggregate totals. Note: after upgrading, it can take up to 24 hours for the first run to generate the 90 days of historical data within your installation, so this data may not appear in your export right away. [ENG-3784]
  • Improved user navigation: Users are now able to navigate to and click on “Manage Subscriptions” and “Manage Exports” regardless of filter states. [ENG-4085]
  • Added a new column to the Compliance Scorecard export which includes the Insight severity associated with the control. [ENG-1314]
  • Added resource details blade to the Scorecard report view. [ENG-1188]
  • Enhancements to Scorecard’s Report Card export: Added Insight link and Severity to the overview page. Added “Resource Type” and “Identified At” columns to the resources tabs. Removed “Insights” column. [ENG-3064]
  • Enhanced the Compliance Scorecard export to include Insight finding visualizations by severity, as well as over the past fourteen days. Note: these are pack-level aggregations; if you export only a handful of Insights instead of the entire pack, the visualizations will not be scoped to just those Insights. [ENG-3910]
  • Added the notes associated with Insight exemptions into the Exempted Resources tab of the Compliance export. [ENG-3947]

For additional details on the Compliance Scorecard, review the updated product documentation here.

New Permissions Required (20.3)

⚠️

New Permissions Required:

For AWS: “iam:GetOpenIDConnectProvider”, “iam:ListOpenIDConnectProviders”, “route53:ListHostedZonesByVpc”, “s3:GetBucketObjectLockConfiguration”

For Microsoft Azure: “Microsoft.ContainerInstance/containerGroups/read” for the standard user custom role. “Microsoft.ContainerInstance/*” for the power user custom role.

More on the AWS permissions:

  • “iam:GetOpenIDConnectProvider” and “iam:ListOpenIDConnectProviders” support visibility into AWS OpenID Identity Providers. [ENG-4107]
  • “route53:ListHostedZonesByVpc” supports visibility into AWS Route53 Hosted Zones associated with VPCs. [ENG-4034]
  • “s3:GetBucketObjectLockConfiguration” supports visibility into AWS Storage Container Object Lock configurations. [ENG-1089]

The new Azure permissions, “Microsoft.ContainerInstance/containerGroups/read” for the standard user custom role and “Microsoft.ContainerInstance/*” for the power user custom role, support the new Azure Container Instances resource. [ENG-4043]

New Features (20.3)

Visibility & Filters:

  • Added support for plugin filters in Filters page. Users can now toggle to view their custom filters using the Owner sort. Details here. [ENG-359]
  • Added visibility and filter support for the minimal TLS version associated with Azure SQL, MySQL and PostgreSQL database instances. Information on this can be found via https://azure.microsoft.com/en-us/updates/azuretls12/. [ENG-3915]
  • Added visibility into Storage Container Object Lock configurations. Note that this visibility requires a new IAM permission: “s3:GetBucketObjectLockConfiguration”. New Filter: Storage Container Object Lock Configuration. [ENG-1089]
  • Added visibility into the payer account ID when viewing the Cloud Summary page. [ENG-3931]
  • Added a filter to identify container registries with/without a lifecycle policy. New Filter: Container Registry With/Without Lifecycle Policy [ENG-4027]
  • Added new filters to identify Content Delivery Networks With/Without Geo Restriction. [ENG-4065]
  • Added visibility and filtering support for the parameter groups which are associated with database/big data instances. New Filters: Database/Big Data Instance With Parameter Group. [ENG-4066]
  • Added visibility into Route53 Hosted Zones which are associated with VPCs as well as two additional filters: Network Associated With Hosted Zone and Network Associated With Hosted Zone From Unknown Account. [ENG-4034]

Actions:

  • Added a Bot action for removing public EKS access. [ENG-3548]
  • Added a new Bot action to create AWS CloudTrail resources. [ENG-3023]

Tags & Badging:

  • Added tag visibility and lifecycle support for AWS ECS Task Definitions. [ENG-3576]
  • Added tag support to Azure SQL databases. [ENG-3972]
  • For GCP Organizations with enabled auto badging of projects, all clouds corresponding with a project that does not have a parent folder will have a cloud_org_path badge with a value of ’/’ to signify they are at the root. More information can be found here. [ENG-3976]
  • Surfaced CloudFront tags in the UI. [ENG-3570]

Other New Features:

  • Added the ability to filter Insights by freeform category/tag keys which can be associated during Insight creation/updating. This can help better organize Insights into categories such as encryption, identity, storage, etc. [ENG-3395]
  • Added the ability to delete a GCP Memorystore instance. [ENG-3613]
  • When viewing exemptions, the user can now see the Insight severity and resource type. [ENG-3952]

Enhancements (20.3)

  • On the Identity Management page, the user search has been updated to allow users to search by name, username, and email. [ENG-3999]
  • Added the ability to include the Bot severity and description in your Jinja template using the following properties [ENG-3955]:
    Severity: event.bot_severity
    Bot Description: event.bot_description
  • Improved the error messaging when an invalid/unsupported regular expression is sent to the server when querying resources. [ENG-3825]
  • Improved exception handling for Jinja2 validation that identifies the field and location of the templating error when creating/updating Bots. [ENG-3788]
  • Updated insight name: ‘Security Group Allows Public Access’ to ‘Access List Allows Public Access’. [ENG-3276]
  • Administrators can now configure Email/Slack health notification settings in the System Administration section of the tool. [ENG-1083]
  • Improved the IaC CI/CD API script: added an option to disable SSL verification and improved error messaging. Refer to the IaC docs here. Note that disabling certificate verification removes the protection TLS gives the API credentials in transit; use the option only where the CI runner cannot be given the installation’s certificate chain. [ENG-4152]

New Resources (20.3)

Azure Container Instances - This Azure service can now be found on the Resources main page under the category ‘Containers’ and the ‘Container Instance’ resource type. The standard user custom role in the docs needs the permission “Microsoft.ContainerInstance/containerGroups/read” added; the power user custom role in the docs needs “Microsoft.ContainerInstance/*” added. [ENG-4043]

Resource Enhancements (20.3)

Added Visibility & Filtering Support:

  • Added visibility into AWS OpenID Identity Providers. [ENG-4107]
  • Added visibility into the enhanced routing configuration for big data instances. New Filters: Big Data Instance With/Without Enhanced Routing. [ENG-4071]
  • Added visibility and filtering support for the parameter groups which are associated with database/big data instances. New Filter: Database/Big Data Instance With Parameter Group. [ENG-4066]
  • Added visibility into Route53 Hosted Zones which are associated with VPCs as well as two additional filters: Network Associated With Hosted Zone and Network Associated With Hosted Zone From Unknown Account. [ENG-4034]
  • Added a filter to identify container registries with/without a lifecycle policy; New Filter: Container Registry With/Without Lifecycle Policy. [ENG-4027]
  • Added visibility and filter support for the minimal TLS version associated with Azure SQL, MySQL and PostgreSQL database instances. Information on this can be found via https://azure.microsoft.com/en-us/updates/azuretls12/. New Filter: Database Instance Minimal TLS Version. [ENG-3915]
  • Added visibility into Storage Container Object Lock configurations. Note that this visibility requires a new IAM permission: “s3:GetBucketObjectLockConfiguration”. New Filter: Storage Container Object Lock Configuration. [ENG-1089]

Network Endpoints and Network Endpoint Services:

  • Added Event Driven Harvesting support for Network Endpoints and Network Endpoint Services.
  • Added the ability to manage tags and execute lifecycle operations on Network Endpoints and Network Endpoint Services. [ENG-3873]

Other Resource Enhancements:

  • Added three new data points for Network Endpoint Services: publicly_accessible, connections, connections_count. Added four new filters: Network Endpoint Service State, Network Endpoint Service Connections Count, Network Endpoint Service Accessible To The Public, and Network Endpoint Service With Connection From Unknown Account. [ENG-3969]
  • Added the ability to delete a GCP Memorystore instance. [ENG-3613]
  • Added tag visibility and lifecycle support for AWS ECS Task Definitions.[ENG-3576]
  • Surfaced CloudFront tags in the UI. [ENG-3570]

New Actions (20.3)

New Actions added:

  • Tag support for Azure SQL databases. [ENG-3972]
  • The ability to delete a GCP Memorystore instance. [ENG-3613]
  • Tag visibility and lifecycle support for AWS ECS Task Definitions. [ENG-3576]
  • A new Bot action, “Create API Accounting Config”, to create AWS CloudTrail resources. [ENG-3023]
  • “Force Delete Instance” - action restricted to AWS clouds only. [ENG-2488]

Enhanced Actions (20.3)

  • Updated the BotFactory action “Disable Cloud User” to allow API keys to be optionally disabled as a part of the workflow. [ENG-3751]

New EDH Events & Enhancements (20.3)

Added support for Network Endpoints and Network Endpoint Services [ENG-3873]:

  • Added Event Driven Harvesting support for Network Endpoints and Network Endpoint Services.
  • Added the ability to manage tags and execute lifecycle operations on Network Endpoints and Network Endpoint Services.

Filters (20.3)

Big Data Instance With/Without Enhanced Routing - Adds visibility into the enhanced routing configuration for big data instances. [ENG-4071]

Big Data/Database Instance With Parameter Group - Adds visibility and filtering support for the parameter groups which are associated with database/big data instances. Adds ability to check if RDS/Redshift is running the default parameter group. [ENG-4066]

Compute Instance Shielded Configuration - Adds support for the Shielded VM configuration for Google compute instances. [ENG-3916]

Container Registry With/Without Lifecycle Policy- Identifies container registries with/without a lifecycle policy. [ENG-4027]

Content Delivery Networks With/Without Geo Restriction - Adds ability to check if CloudFront has a georestriction set.[ENG-4065]

Database Instance Minimal TLS Version - Adds support for the minimal TLS version associated with Azure SQL, MySQL, and PostgreSQL database instances. Additional information on this can be found here. [ENG-3915]

Encryption Key Using/Not Using HSM - In order to harvest the necessary data to support that query filter, access policies for Azure Key vaults will need to be updated to include the Get Key permission. [ENG-3109]

Network Associated With Hosted Zone & Network Associated With Hosted Zone From Unknown Account - Add visibility into Route53 Hosted Zones which are associated with VPCs. [ENG-4034]

Network Endpoint Connecting To Unauthorized Service - this filter was enhanced to accept an optional whitelist for approved services. [ENG-4047]

The following four filters add support for Network Endpoint Services [ENG-3969]:

  • Network Endpoint Service State
  • Network Endpoint Service Connections Count
  • Network Endpoint Service Accessible To The Public
  • Network Endpoint Service With Connection From Unknown Account

Storage Container Object Lock Configuration - Adds visibility into Storage Container Object Lock configurations. This visibility requires a new IAM permission: “s3:GetBucketObjectLockConfiguration”. [ENG-1089]

Bug Fixes (20.3)

[ENG-4081] Fixed a bug that prevented reserved GCP public IP addresses from showing their instance attachment.

[ENG-4075] Expanded the following Bot actions to work in AWS GovCloud and AWS China: “Set Storage Container Policy”, “Remove Storage Container Statement”, and “Lock Down Storage Container”.

[ENG-4050] Fixed a bug that resulted in stale load balancer targets persisting in the database which under certain circumstances could impact harvesting of load balancers.

[ENG-4049] Restored the ability to add/remove tags for Azure Container Clusters.

[ENG-4046] Prevent logging of sensitive information when adding new cloud accounts.

[ENG-4045] Fixed a bug where whitelisted principals for one Network Endpoint Service would be displayed for other NESs.

[ENG-4035] Resource IDs for Azure Container Cluster resources have been changed to avoid an issue with the IDs being non-unique in some cases. This will cause existing container cluster resources to be re-harvested.

[ENG-4032] Fixed a bug that would show the wrong message when validating cloud permissions after successfully connecting a new account.

[ENG-4026] Fixed a bug that prevented Azure resource groups from being linked to load balancer resources.

[ENG-4025] Fixed a typo in Add Container Registry Lifecycle Policy Action description.

[ENG-4013] Fixed false positives for ‘Security Group Allows Public Access’ insight.

[ENG-4001] Fixed a bug that prevented basic users from filtering Insights by the supported resource type.

[ENG-3998] Fixed a bug that prevented ECR Container Image vulnerabilities from being harvested.

[ENG-3906] Fixed resource delete for AWS users with MFA enabled.

[ENG-3905] Fixed a bug where some system filters would not show in the Filters page.

[ENG-3864] Fixed a bug that prevented importing bot configs that didn’t have a description.

[ENG-3809] Added visibility for Containers with malformed image tags (primarily affects ECS). Added the filter Container With Malformed Image Tag.

[ENG-3802] Add the ability to tag/untag AWS Secret resources.

[ENG-3646] Removed the false timeout message for scorecard subscription reports that take more than 60 seconds to process. Added preliminary validation of organization SMTP settings.

[ENG-3563] Restored the ability to delete an RDS cluster.

[ENG-3329] Fixed query filter creation timestamp to only update on creation.

[ENG-3151] Fixed back-to-top behavior on Resource Type wheel in IaC scan results page.

Divvy Software Release Notice - 20.3.1 Minor Release (07/23/2020)

DivvyCloud’s Minor Release 20.3.1 consists of several UX and visibility improvements, filter updates (including a new filter), additional Jinja2 templating capabilities, and a handful of bug fixes.

As always, contact us at support@divvycloud.com with any questions.

New Permissions Required (20.3.1)

⚠️

New Permission Required

For AWS: “s3:GetReplicationConfiguration”

This permission supports visibility into AWS S3 Bucket Replication. [ENG-1199]

Features (20.3.1)

Added visibility into private/public Azure Kubernetes Service (AKS) clusters and whether or not they have pod security policy support enabled. [ENG-4241]

Added the ability to pass in a target field to the get_age_in_days() jinja method. [ENG-4173]

Expanded error/warning message timeouts to 10s and added a button to copy the message to the user’s clipboard. [ENG-4164]

Added the ability to control application entitlements for the Exemptions and Infrastructure-as-Code sections of the product. [ENG-4160]

Added a new Jinja property for access key: resource.get_access_key_info() which retrieves information about user’s API access keys. [ENG-4157]

AWS Security Group rules which use prefix lists will now show in the tool. A new filter Security Group Contains Prefix List Rules has been created to simplify the identification of where prefix lists are in use. [ENG-4155]

Allow creation of harvesting strategies in the absence of respective cloud accounts in the system. [ENG-3958]

Added visibility into AWS S3 Bucket Replication and included a new filter “Storage Container Replication” that can check for the following four configurations:

  • Replication enabled
  • Replication disabled
  • Replication enabled without encryption
  • Replication enabled to an unknown cross-account bucket

This feature also requires the new permission “s3:GetReplicationConfiguration”. [ENG-1199]

New Filter (20.3.1)

Security Group Contains Prefix List Rules - simplifies the identification of where prefix lists are in use; supports AWS Security Group rules which use prefix lists, allowing them to display in the tool. [ENG-4155]

Resource Enhancements (20.3.1)

Added tag visibility and query filter support for stack templates. [ENG-4158]

Added visibility into AWS Security Group rules which use prefix lists; added a new filter Security Group Contains Prefix List Rules to simplify the identification of where prefix lists are in use. [ENG-4155]

General Enhancements (20.3.1)

Added the ability to pass in a target field to the get_age_in_days() jinja method. [ENG-4173]

Expanded error/warning message timeouts to 10s and added a button to copy the message to the user’s clipboard. [ENG-4164]

Added the ability to control application entitlements for the Exemptions and Infrastructure-as-Code sections of the product. [ENG-4160]

Allowed creation of harvesting strategies in the absence of respective cloud accounts in the system. [ENG-3958]

Bug Fixes (20.3.1)

[ENG-4240] Premium Azure Redis Cache instances will now show the associated network as a resource dependency.

[ENG-4211] Fixed a bug that resulted in a false positive identification of AWS RDS Aurora instances with/without MultiAZ enabled.

[ENG-4189] Fixed a bug where the search string in the Insights Library wasn’t taken into consideration for the pagination count.

[ENG-4158] Added tag visibility and query filter support for stack templates.

[ENG-4156] Updated the Bot action “Set Backup Retention Period” to schedule the change during the scheduled maintenance window for DB instances.

[ENG-4048] Fixed the Public IP Orphaned filter for Azure and Google.

[ENG-3932] Fixed the usage counts shown for filters (how many Bots and Insights use each filter); the job that counts filter usage by Insights and Bots was added to the scheduler and runs every 6 hours.

[ENG-3406] Insight exemptions are now taken into consideration when showing the breakdown by severity in the Compliance Scorecard. Graph change: ‘Newly Discovered Noncompliant Resources’ is now ‘Total Pack Findings’.

[ENG-821] Added visibility into cost optimization Azure Cloud Advisor checks for reserved instances.

Divvy Software Release Notice - 20.3.2 Minor Release (07/30/2020)

DivvyCloud’s Minor Release 20.3.2 includes the implementation of a new product analytics feature that will allow customers to continue to help us with feedback and product improvements. This release also includes a new bot action, an additional permission for a previously available resource, a number of general enhancements, and a dozen bug fixes as well.

As always, contact us at support@divvycloud.com with any questions.

Permissions (20.3.2)

⚠️

Permissions

For AWS: “wafv2:ListResourcesForWebACL”

Note: This permission provides support for the previously available WAFv2 resource. [ENG-4318]

New Features (20.3.2)

PRODUCT ANALYTICS

DivvyCloud is expanding analytics to gain insights into utilization patterns and the user experience within the platform. [ENG-3929, ENG-4136]

  • DivvyCloud is working to improve the user/customer experience.
  • We are striving to leverage more data about user/customer use of our product to drive our development efforts and improvements to the overall user experience.
  • This effort includes more customer input via feedback sessions; early access programs (EAP) for new major features; better instrumentation of the product; and virtual user group meetings.
  • The new analytics will provide DivvyCloud with general navigation and utilization patterns while masking any actual information, including cloud data, personal information, or customer sensitive data.
  • If you prefer to opt-out or if you have any questions or concerns, please raise them with your customer success manager.
  • We appreciate your support and partnership as we continue to improve the DivvyCloud product.
  • For details, refer to our docs here.

Other

  • Added visibility into Azure Policy rules which are in place at the subscription level. These can be queried/viewed from the Cloud Accounts section of the Resources UI. [ENG-3335]
  • Added tag visibility and support for API Gateway resources. [ENG-4274]

New Actions (20.3.2)

Added a new Bot action, “Add Tag To Parent Autoscaling Group”, for Launch Configuration resources; it tags the Auto Scaling Group the Launch Configuration is linked to. [ENG-1061]

Resource Enhancements (20.3.2)

For AWS, added tag visibility and support for API Gateway resources. [ENG-4274]

Filter Enhancements (20.3.2)

Instance On A Public Subnet (Route to Internet) - This is the new name for the filter ‘Instance With Internet Gateway’, modified to take other gateway types into consideration. [ENG-3236]

General Enhancements (20.3.2)

Azure Network Security Group rules whose access is superseded by a higher priority deny statement are now evaluated when using the filter Access List Rule Exposes Non Web Ports. [ENG-3578]

Compliance pack visualizations available from dashboard: Added the ability to visualize a compliance pack score, findings by severity and total cloud scope from the dashboard. [ENG-4203]

Reduced the DB load by pulling KMS keys from Redis and only retrieving the keys needed at the time of harvest. [ENG-4083]

Added a direct link to the Insight in question when viewing exemptions. [ENG-3126]

Users can now, via system settings, require that an Approver name and/or email be entered when creating exemptions. When an Approver email is provided, DivvyCloud can send notification of an upcoming exemption expiration so the Approver has the opportunity to extend the exemption. Relatedly, the advance notice can be changed from its default of 3 days to a value of your choosing, e.g., 7 days, so Approvers have a week to act before the exemption expires. You can read more here. [ENG-2663]

Basic users with the Add Cloud permission are now able to update the settings for cloud accounts they have access to. [ENG-947]

Added pagination controls to the bottom of the resource listing table. [ENG-4332]

Bug Fixes (20.3.2)

AWS

[ENG-2106] Fixed a bug in which High-Availability AWS WebApp configurations would fail to harvest.

GCP

[ENG-3642] Added delete resource support for Google service account access keys.

[ENG-3640] Added delete resource support for Google DNS zones.

[ENG-3639] Added delete resource support for Google subnets.

[ENG-3638] Added delete resource support for Google database snapshots.

[ENG-3636] Removed delete resource option for GCP load balancers due to a lack of API support from GCP.

[ENG-3633] Added delete resource support for Google serverless functions.

[ENG-3634] Added delete resource support for Google container clusters.

[ENG-3632] Implemented support for deleting Google Private Image resources.

[ENG-2534] Added support for validating GCP Cloud Permissions when adding a cloud account.

MULTI-CLOUD

[ENG-4313] Fixed a bug that improperly showed S3 logging visibility as being impaired in the UI.

[ENG-4202] Fixed an issue where domain viewers were not prevented from adding clouds.

[ENG-4014] Fixed an issue where the loading state of the application wasn’t clear.

[ENG-3875] Fixed two bulk-email issues in Bot actions: users would receive multiple emails for the same change, and when bulk email was combined with a second action, the second action executed but the bulk email was not sent.

[ENG-3819] Manage Subscriptions and Exports in Scorecard now launch in overlay, preserving the scorecard filters when going back to the scorecard.

[ENG-3391] Fixed hourly Insight pack subscriptions failing during the 23:00 (UTC) runs.

[ENG-3186] Fixed a bug where deleting a cloud organization from one Divvy organization removed all child cloud accounts across Divvy organizations.

[ENG-3031] Fixed a dark mode bug on the IaC configuration creation screen.

[ENG-109] Fixed an issue where Bot actions triggered by resource updates executed many times when instance resources changed state.

Divvy Software Release Notice - 20.3.3 Minor Release (08/05/2020)

Minor Release 20.3.3 includes several new filters, a new Bot action, a number of general enhancements, and a couple of bug fixes as well.

As always, contact us at support@divvycloud.com with any questions.

New Features (20.3.3)

  • Added a new filter Instance Without Network Security Group Assignment that can be used to detect Azure Virtual Machines without a network security group assignment at the NIC/Subnet level. [ENG-4180]
  • Under “System Administration —> Settings”, Node worker status now shows IP addresses. [ENG-122]

New Action (20.3.3)

  • Added a new Bot action to remove snapshot permissions from untrusted/unknown accounts. [ENG-4333]

Filters (20.3.3)

NEW FILTERS

  • Container Log Driver - Adds visibility and filter support for Container log drivers and log group configurations. [ENG-4402]
  • Instance Without Network Security Group Assignment - Used to detect Azure Virtual Machines without a network security group assignment at the NIC/Subnet level. [ENG-4180]
  • Route Table With Noncompliant Route - Identifies route tables/routes with noncompliant routes. [ENG-4068]

ENHANCED FILTERS

  • Cloud User With Group Association and Cloud User Without Group Association - These filters were expanded to take in optional target group names as a part of the filter configuration. This can be helpful when performing IAM audits. [ENG-4446]

Resource Enhancements (20.3.3)

  • Added visibility and filter support for Container log drivers and log group configurations. New Filter: Container Log Driver. [ENG-4402]

General Enhancements (20.3.3)

  • Added a new system setting to lock down Insight severity changes to only domain administrators. [ENG-4382]
  • Removed the ability to add badges with the reserved “system.” key prefix, and added a notification to inform the user they are attempting to add an invalid badge key. [ENG-1757]

Bug Fixes (20.3.3)

ALL SERVICE PROVIDERS

[ENG-4379] Fixed a bug that prevented Insight Labels from persisting to the database upon save.

[ENG-4377] Fixed a bug where harvesting AliCloud volumes sometimes failed due to a missing attach time.

[ENG-4040] When a user attempts to configure a pack-level notification and SMTP is not configured, they are now prominently warned with an error banner and cannot add any subscriptions until SMTP is configured. Clicking the error banner navigates to the SMTP settings page.

[ENG-4005] Fixed bug that caused backoffice packs to incorrectly filter/scope clouds when viewing available clouds to select from.

[ENG-3827] Hardened Bot creation/modification for basic users to eliminate the possibility of permission escalation.

[ENG-3164] Fixed rendering issue with IAC Insight Configuration dropdown.

[ENG-2139] Authentication Server users can no longer attempt password reset in DivvyCloud, and neither can an admin trigger password reset for such users.

Divvy Software Release Notice - 20.3.4 Minor Release (08/17/2020)

DivvyCloud’s Minor Release 20.3.4 includes several new features, enhancements, and filters, as well as new EDH events and several bug fixes.

As always, contact us at support@divvycloud.com with any questions.

New Permissions Required (20.3.4)

⚠️

New Permissions Required

For Azure: “Microsoft.ContainerRegistry/registries/pull/read” and “Microsoft.Security/assessments/read”

Note: “Microsoft.ContainerRegistry/registries/pull/read” must be added to the power user, standard user, and reader plus custom roles; it has to be granted explicitly unless the harvesting identity uses one of the built-in Owner, Contributor, or AcrPull roles.

These two new permissions support the added functionality to harvest images for Azure Container Registries along with their associated vulnerability information from Azure Security Center, if it is enabled. [ENG-4147]
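Before and after upgrading it is worth confirming that the harvesting identity actually holds every action the 20.3 line added: the AWS actions listed under 20.3, 20.3.1 and 20.3.2 above, and the Azure actions listed under 20.3 and here. The following Python is an added example written for this page, not DivvyCloud code. It evaluates a saved IAM policy document and an Azure custom role definition offline, handling wildcards, AWS explicit Deny and Azure notActions. The policy and role it ships with are constructed samples with deliberate gaps; substitute the JSON returned by `aws iam get-policy-version` and `az role definition list` for your own identity.

```python
"""Offline check that a harvesting identity holds the actions DivvyCloud 20.3.x added.

Added example for this page, not DivvyCloud's own code. The two documents below
are constructed samples with deliberate gaps; substitute your own policy JSON.
"""
import fnmatch

# AWS actions listed as newly required in 20.3, 20.3.1 and 20.3.2.
AWS_REQUIRED = [
    "iam:GetOpenIDConnectProvider",
    "iam:ListOpenIDConnectProviders",
    "route53:ListHostedZonesByVpc",
    "s3:GetBucketObjectLockConfiguration",
    "s3:GetReplicationConfiguration",
    "wafv2:ListResourcesForWebACL",
]

# Azure actions listed as newly required for the standard user role in 20.3 and 20.3.4.
AZURE_REQUIRED = [
    "Microsoft.ContainerInstance/containerGroups/read",
    "Microsoft.ContainerRegistry/registries/pull/read",
    "Microsoft.Security/assessments/read",
]

# Constructed sample: a read-only harvesting policy built from prefixes, plus an
# explicit Deny that a security team might have added for WAF enumeration.
SAMPLE_AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "route53:ListHostedZones*",
                    "s3:GetBucket*", "wafv2:List*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "wafv2:ListResourcesForWebACL"},
    ],
}

# Constructed sample: an Azure custom role in the shape `az role definition list` returns.
SAMPLE_AZURE_ROLE = {
    "roleName": "DivvyCloud Standard User (sample)",
    "permissions": [{
        "actions": ["Microsoft.ContainerInstance/*",
                    "Microsoft.ContainerRegistry/registries/read",
                    "Microsoft.Security/*"],
        "notActions": ["Microsoft.Security/assessments/write"],
    }],
}


def _as_list(value):
    """IAM allows Action, NotAction and Statement to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """Case-insensitive match; '*' and '?' behave as in IAM and Azure RBAC."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_covers(stmt, action):
    """A statement covers an action via Action, or via NotAction (everything except)."""
    if "NotAction" in stmt:
        return not _matches(_as_list(stmt["NotAction"]), action)
    return _matches(_as_list(stmt.get("Action")), action)


def aws_allows(policy, action):
    """True if some Allow statement covers the action and no Deny statement does.

    Resource and Condition elements are ignored (every statement is treated as
    unconditional), as are permission boundaries and SCPs; use the IAM policy
    simulator for the authoritative answer."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def azure_allows(role, action):
    """True if a permissions block lists the action under actions and does not
    exclude it under notActions (data actions play no part here)."""
    for perm in role.get("permissions", []):
        if _matches(perm.get("actions", []), action) and \
                not _matches(perm.get("notActions", []), action):
            return True
    return False


def missing_aws(policy, required=AWS_REQUIRED):
    """Required AWS actions the policy does not grant, in the order listed."""
    return [a for a in required if not aws_allows(policy, a)]


def missing_azure(role, required=AZURE_REQUIRED):
    """Required Azure actions the role does not grant, in the order listed."""
    return [a for a in required if not azure_allows(role, a)]


if __name__ == "__main__":
    print("AWS actions missing:", missing_aws(SAMPLE_AWS_POLICY))
    print("Azure actions missing:", missing_azure(SAMPLE_AZURE_ROLE))
```

With the samples, the AWS check reports s3:GetReplicationConfiguration (not covered by the s3:GetBucket* prefix) and wafv2:ListResourcesForWebACL (covered by an Allow but overridden by the Deny), and the Azure check reports Microsoft.ContainerRegistry/registries/pull/read, which is exactly the case the note above warns about: registries/read does not imply registries/pull/read, so it has to be listed explicitly unless a built-in role already carries it.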

Features & Enhancements (20.3.4)

AWS

  • Enhanced the API Keys Last Used filter to work with AWS GovCloud. [ENG-4517]
  • Added AWS EDH support for the AllocateAddress event that creates Elastic IP addresses. [ENG-4492]
  • Added visibility and threat finding definitions for the recently announced AWS S3 GuardDuty findings. [ENG-4449]
  • Added encryption key filtering support for AWS SQS and EFS resources. [ENG-4344]

AZURE

  • Added visibility into Azure Virtual Machines with IP forwarding enabled. [ENG-4393]
  • Added functionality to harvest images for Azure Container Registries along with associated vulnerability information from Azure Security Center, if it is enabled. Enhanced filters: Container Image Last Scanned, Container Image Push/Upload Date, Container Image Vulnerability Search, Container Image Vulnerability Severity Search, and Container Registry Without Images. New permissions needed: “Microsoft.ContainerRegistry/registries/pull/read” and “Microsoft.Security/assessments/read”. Note: “Microsoft.ContainerRegistry/registries/pull/read” must be added to the power user, standard user, and reader plus roles; it has to be granted explicitly unless the harvesting identity uses one of the built-in Owner, Contributor, or AcrPull roles. [ENG-4147]

GCP

  • Added a new filter to identify GCP Database Instances without the required database flags. New filter: Database Instance Without Required Flag. [ENG-4491]
  • Added visibility to the following CIS checks for GCP compliance: Ensure oslogin is enabled for a Project (CIS 4.4), and Ensure that Cloud Storage buckets have uniform bucket-level access enabled (CIS 5.2) [ENG-4343]

MULTI-CLOUD

  • Added the ability to customize the metric namespace that the job backlog exports to. You can read more here. [ENG-4412]
  • Enhanced the password verification component used during password reset to give users better feedback on the requirements. [ENG-3651]
  • Added a ‘not in’ option to the filter Content Delivery Network Restricting Access To Specified Access Identity. [ENG-3341]

Resource Enhancements (20.3.4)

  • Added visibility and threat finding definitions for the recently announced AWS S3 GuardDuty findings. [ENG-4449]
  • Added functionality to harvest images for Azure Container Registries along with associated vulnerability information from Azure Security Center, if it is enabled. Enhanced filters: Container Image Last Scanned, Container Image Push/Upload Date, Container Image Vulnerability Search, Container Image Vulnerability Severity Search, and Container Registry Without Images. New permissions needed: “Microsoft.ContainerRegistry/registries/pull/read” and “Microsoft.Security/assessments/read”. Note: “Microsoft.ContainerRegistry/registries/pull/read” must be added to the power user, standard user, and reader plus roles; it has to be granted explicitly unless the harvesting identity uses one of the built-in Owner, Contributor, or AcrPull roles. [ENG-4147]

EDH Events/Enhancements (20.3.4)

  • Added two new EDH events for S3: “DeleteBucketPublicAccessBlock”, “PutBucketPublicAccessBlock”. [ENG-4419]
  • Added AWS EDH support for the “AllocateAddress” event that creates Elastic IP addresses. [ENG-4492]
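The two S3 event names above are CloudTrail event names, which is what Event Driven Harvesting consumes. As an added example, not DivvyCloud code, the Python below is the detection logic a SOC could run over raw CloudTrail records for the same change, independent of the platform: it flags a DeleteBucketPublicAccessBlock call and any PutBucketPublicAccessBlock call that leaves one of the four block settings off, while ignoring failed calls and unrelated events such as the AllocateAddress event also listed above. The records are constructed samples in the layout of CloudTrail S3 management events; the nested requestParameters key names are my assumption, so confirm them against a record from your own trail before deploying the rule.

```python
"""Flag CloudTrail records that remove or weaken an S3 bucket's Public Access Block.

Added example for this page, not DivvyCloud code. SAMPLE_RECORDS are constructed;
the requestParameters layout is assumed from CloudTrail's S3 management events.
"""
import json

# All four settings must stay true for a bucket to be fully shielded from public access.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SAMPLE_RECORDS = json.loads(r"""
[
 {"eventTime": "2020-08-17T10:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "finance-exports",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                                       "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}},
 {"eventTime": "2020-08-17T10:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
  "requestParameters": {"bucketName": "marketing-site",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                                       "BlockPublicPolicy": false, "RestrictPublicBuckets": false}}},
 {"eventTime": "2020-08-17T10:07:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucketPublicAccessBlock",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"bucketName": "finance-exports"}},
 {"eventTime": "2020-08-17T10:08:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucketPublicAccessBlock", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"bucketName": "finance-exports"}},
 {"eventTime": "2020-08-17T10:09:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AllocateAddress",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"domain": "vpc"}}
]
""")


def _is_true(value):
    """CloudTrail serialises these flags as JSON booleans; tolerate string forms too."""
    return str(value).lower() == "true"


def public_access_block_findings(records):
    """Return one finding per record that removes or weakens a bucket's Public Access Block.

    Failed calls (errorCode present) did not change state and are skipped here;
    a denied attempt is still worth a separate, lower-severity alert."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or "errorCode" in rec:
            continue
        params = rec.get("requestParameters") or {}
        base = {
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "bucket": params.get("bucketName", "<unknown>"),
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
        }
        if rec.get("eventName") == "DeleteBucketPublicAccessBlock":
            findings.append({**base, "severity": "HIGH",
                             "detail": "Public Access Block removed entirely"})
        elif rec.get("eventName") == "PutBucketPublicAccessBlock":
            cfg = params.get("PublicAccessBlockConfiguration") or {}
            # The S3 API treats an omitted element as false, so a missing flag counts as disabled.
            disabled = [f for f in BLOCK_FLAGS if not _is_true(cfg.get(f, False))]
            if disabled:
                findings.append({**base, "severity": "MEDIUM",
                                 "detail": "Disabled: " + ", ".join(disabled)})
    return findings


if __name__ == "__main__":
    for f in public_access_block_findings(SAMPLE_RECORDS):
        print(f"{f['severity']:6} {f['time']} {f['actor']} {f['event']} {f['bucket']}: {f['detail']}")
```

On the samples this yields two findings: the ci-deploy role turning off BlockPublicPolicy and RestrictPublicBuckets on marketing-site (MEDIUM), and bob deleting the block on finance-exports outright (HIGH). The contractor's denied attempt and the EC2 AllocateAddress call produce nothing. Removing the block does not by itself expose data; it only re-enables whatever bucket policy or ACL was already there, which is why a follow-up check of the bucket's policy and ACL belongs in the same playbook.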

General Enhancements (20.3.4)

  • Added the ability to customize the metric namespace that the job backlog exports to. [ENG-4412]
  • Added visibility to the following CIS checks for GCP compliance: Ensures oslogin is enabled for a Project (CIS 4.4); Ensures that Cloud Storage buckets have uniform bucket-level access enabled (CIS 5.2). [ENG-4343]
  • Enhanced password verification component that is used during password reset to give users better feedback on the necessary requirements. [ENG-3651]

Filters (20.3.4)

NEW FILTER

  • Database Instance Without Required Flag - Identifies GCP Database Instances without the required database flags. [ENG-4491]

ENHANCED FILTERS: AWS

  • API Keys Last Used - This filter was enhanced to work with AWS GovCloud. [ENG-4517]
  • Resource With Encryption, Resources Supporting Encryption, etc. - Added encryption key filtering support for AWS SQS and EFS resources. [ENG-4344]

ENHANCED FILTERS: AZURE

The following enhanced filters support the harvesting of images for Azure Container Registries along with associated vulnerability information from Azure Security Center, if it is enabled [ENG-4147]:

  • Container Image Last Scanned
  • Container Image Push/Upload Date
  • Container Image Vulnerability Search
  • Container Image Vulnerability Severity Search
  • Container Registry Without Images

Bug Fixes (20.3.4)

AWS

[ENG-4381] Fixed a bug which sometimes caused the AWS ConfigHarvester to fail unexpectedly.

AZURE

[ENG-4367] Fixed a bug in Azure subscription names: duplicate names are now allowed for Azure org services when the subscription IDs differ.

MULTI-CLOUD

[ENG-4380] Fixed a bug that prevented database snapshot harvesting for Oracle-based engines.

[ENG-3823] Added helpful hint text to the Approver field of the Exemptions form.

[ENG-3768] The start-date input in the exemption creation dialog is now auto-populated with the current date.

[ENG-1045] Added the missing supported-clouds setting to the divvy.query.storage_containers_open_to_world filter, limiting it to AWS and GCP clouds, since the filter settings are specific to those clouds. Updated the divvy.query.instance_allows_public_access_via_sg query filter to take ResourceNetworkAccess rules into account for Azure and GCP database instances.