20.4 Release Notes
Latest 20.4 Release
Release Highlights (20.4.4)
DivvyCloud is pleased to announce Minor Release 20.4.4. This minor release includes several new or enhanced features. These include: tag support for AWS SSH pairs, direct links for AWS Memcache Snapshots, and a new filter for Azure VMs without a vulnerability assessment extension. In addition, this release includes a few new or enhanced filters, and a couple of bug fixes, too.
For AWS Users
For this release, we had to rebuild the SSH keypair resource ID. This means that when you upgrade, you will see all SSH keys "reharvest", which could result in an increased volume of Bot alert notifications. Any customer who has Bots that alert on new SSH keypairs being created will want to pause those Bots until a full harvest cycle has completed. [ENG-3856]
Skip ahead to review all details for this release. As always, contact us at support@divvycloud.com with any questions.
Table of Contents
Major Release 20.4 (08/26/2020)
Minor Release 20.4.1 (09/02/2020)
Minor Release 20.4.2 (09/10/2020)
Minor Release 20.4.3 (09/16/2020)
Minor Release 20.4.4 (09/23/2020)
Divvy Software Release Notice - 20.4 Major Release (08/26/2020)
For Customers Using SAML For Authentication
For customers using SAML for authentication, DivvyCloud requires turning on “sticky” sessions for the DivvyCloud load balancer BEFORE applying this upgrade. Failure to do this can prevent logins to the solution.
This change does not require any downtime of either the infrastructure or the DivvyCloud software. Here are links for how to enable sticky sessions on the load balancer for AWS, Azure, and GCP:
A session duration of at least 60m is recommended.
Release Highlights 20.4
DivvyCloud is pleased to announce Major Release 20.4. This major release includes:
- An updated HIPAA Compliance Pack
- An updated GCP CIS Benchmark Pack
- Added an Insight/Bot versioning system that provides customers the ability to fall back to the last known good configuration. Each time an Insight/Bot is updated, a version is recorded and set as the active version. Administrators can revert back to previous versions. Note that only custom Insights support versioning. [ENG-2291]
- AWS S3 public access block settings are now taken into consideration when evaluating a bucket for public access. The RestrictPublicBuckets and IgnorePublicAcls settings are now evaluated against public IAM policies and public ACLs, and the bucket will not be marked as public if they are in place. We also expanded S3 public access block visibility into AWS GovCloud and enhanced the filter Storage Container Without Preventative Public Access Enforcement to take in multiple options so customers can build more complex policies. [ENG-4447]
- For Azure, we've added over a dozen new or enhanced filters that align with Azure Security Center recommendation checks. We've also enhanced visibility and support for a number of Azure resources: Azure SQL managed instances, Azure Web Apps, Azure blob storage, and others.
Details for this release follow. As always, contact us at support@divvycloud.com with any questions.
New Permissions (20.4)
New Permissions Required:
For Microsoft Azure: "Microsoft.Authorization/classicAdministrators/read", "Microsoft.DBforMySQL/servers/keys/read", "Microsoft.DBforPostgreSQL/servers/keys/read", "Microsoft.Sql/managedInstances/securityAlertPolicies/read", "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read", "Microsoft.Storage/storageAccounts/fileServices/shares/read"
More on the Azure Permissions:
- "Microsoft.Authorization/classicAdministrators/read" - Supports the new filter Cloud User With Owner Access. [ENG-4389]
- "Microsoft.DBforMySQL/servers/keys/read" and "Microsoft.DBforPostgreSQL/servers/keys/read" - Support harvesting BYOK info for Azure MySQL and PostgreSQL database instances and properly set the encrypted flag for Azure SQL Servers, Azure SQL Managed Instances, and Azure MySQL/PostgreSQL/MariaDB servers. Enhanced filters for this added support are Resource Encrypted With Provider Default Keys and Resource Encrypted With Keys Other Than Provider Default. [ENG-4483]
- "Microsoft.Sql/managedInstances/securityAlertPolicies/read" - Supports added harvesting for Advanced Data Security properties for Azure SQL managed instances. [ENG-4385]
- "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read" - Supports added visibility for Azure immutable blob storage and the new filter Storage Container Immutability Policy (Azure). [ENG-4593]
- "Microsoft.Storage/storageAccounts/fileServices/shares/read" - Supports the reworked Shared Filesystem Harvest, which now uses the Management SDK. [ENG-4592]
Features & Enhancements (20.4)
HIPAA Compliance Pack
DivvyCloud's new HIPAA Compliance Pack contains hundreds of new Insights that can map to the HIPAA Security Rule. For complete details on our updated compliance pack, click here. [ENG-4148]
GCP CIS Benchmark Pack
DivvyCloud's GCP CIS Benchmark Pack has been updated to the newer GCP CIS Benchmark (1.1.0). For complete details on our updated compliance pack, click here. [ENG-4518]
AWS
- AWS S3 public access block settings are now taken into consideration when evaluating a bucket for public access. The RestrictPublicBuckets and IgnorePublicAcls settings are now evaluated against public IAM policies and public ACLs, and the bucket will not be marked as public if they are in place. We also expanded S3 public access block visibility into AWS GovCloud and enhanced the filter Storage Container Without Preventative Public Access Enforcement to take in multiple options so customers can build more complex policies. [ENG-4447]
- AWS clouds linked by API key/secret will display the API key being utilized in the settings tab of the account. [ENG-2536]
- Added visibility into additional ACM SSL properties. New filters: SSL Certificate Validation Method and SSL Certificate Validation Email. [ENG-4481]
- Added visibility for the desync mitigation mode for application/classic load balancers within AWS and a new Bot action to modify the value. New Action: "Modify Desync Mitigation Mode". New Filter: Load Balancer Desync Mitigation Mode. [ENG-4625]
- Added an optional regular expression input into the "Storage Container Not Configured With Lifecycle Rules" and "Storage Container Configured With Lifecycle Rules" filters to give users the ability to identify S3 buckets with misconfigured lifecycle policies. [ENG-4512]
- Updated help text for AWS Organization add form DurationSeconds field. Help text now reads: "Note that even though the max duration is 43,200 seconds, the target role may be configured for a lower value. The default value is 3,600 seconds. Please consult the IAM console to identify what the max duration is set to for this role." [ENG-4539]
- Customers can now leverage Jinja2 templating to aid in uniqueness for policy ID statements in the actions "Encrypt Storage Container" and "Lock Down Storage Container". [ENG-844]
- Added a new Bot action "Toggle Managed Updates/Automatic Patching" to automatically enable/disable automatic patching in AWS Elastic Beanstalk environments. [ENG-3918]
- Added the ability to remove SSL certificates from AWS. [ENG-3102]
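The S3 public access block evaluation described in the highlights and in the first AWS item above, as an added example that is not DivvyCloud's code: a bucket that is public by policy is no longer counted as public once RestrictPublicBuckets is set, and a bucket that is public by ACL is no longer counted once IgnorePublicAcls is set. The `missing()` helper mirrors the idea of checking several public access block options at once. The wildcard-principal and public-ACL-group checks, the sample policy and the sample ACL grant are this example's own constructions and simplifications.

```python
# Added example, not DivvyCloud code: models the public-access evaluation the
# 20.4 notes describe. A public bucket policy is disregarded when the public
# access block sets RestrictPublicBuckets, and public ACL grants are
# disregarded when it sets IgnorePublicAcls. The wildcard-principal and
# public-ACL-group checks below are this example's own simplifications.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Canned ACL group URIs whose grants make a bucket world/authenticated readable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class PublicAccessBlock:
    """Mirrors the four S3 PublicAccessBlockConfiguration flags (all off by default)."""
    block_public_acls: bool = False
    ignore_public_acls: bool = False
    block_public_policy: bool = False
    restrict_public_buckets: bool = False

    def missing(self, required: List[str]) -> List[str]:
        """Settings from `required` that are not enabled; an empty list means the
        bucket satisfies that combination (the 'multiple options' style of check)."""
        return [name for name in required if not getattr(self, name)]


def principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public(policy: Optional[Dict[str, Any]]) -> bool:
    """True if any Allow statement has a wildcard principal and no Condition.
    Assumption for this example: a Condition block scopes the statement, so a
    conditioned wildcard statement is not counted as public here."""
    if not policy:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            if principal_is_public(stmt.get("Principal")):
                return True
    return False


def acl_grants_public(grants: List[Dict[str, Any]]) -> bool:
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            return True
    return False


def evaluate_bucket(policy: Optional[Dict[str, Any]], grants: List[Dict[str, Any]],
                    pab: PublicAccessBlock) -> Dict[str, bool]:
    """Combine the raw policy/ACL findings with the public access block settings
    into an effective verdict, the way the release note describes."""
    policy_public = policy_grants_public(policy)
    acl_public = acl_grants_public(grants)
    effective_policy = policy_public and not pab.restrict_public_buckets
    effective_acl = acl_public and not pab.ignore_public_acls
    return {
        "policy_public": policy_public,
        "acl_public": acl_public,
        "effective_policy_public": effective_policy,
        "effective_acl_public": effective_acl,
        "is_public": effective_policy or effective_acl,
    }


# Constructed sample input: a bucket that is public by both policy and ACL.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
SAMPLE_GRANTS = [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]

if __name__ == "__main__":
    no_block = PublicAccessBlock()
    full_block = PublicAccessBlock(True, True, True, True)
    print(evaluate_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, no_block)["is_public"])
    print(evaluate_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, full_block)["is_public"])
    print(PublicAccessBlock(ignore_public_acls=True).missing(
        ["ignore_public_acls", "restrict_public_buckets"]))
```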
AZURE
- Added visibility into the TLS version configured on Microsoft Azure Storage Accounts and a new filter to query the information: Storage Account Minimum TLS Version. [ENG-4624]
- Added visibility and filter support for Azure immutable blob storage. New Filter: Storage Container Immutability Policy (Azure). New Permission: "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read". [ENG-4593]
- Reworked Shared Filesystem Harvest to use the Management SDK. New permission to add to the Azure Standard User custom role: "Microsoft.Storage/storageAccounts/fileServices/shares/read". [ENG-4592]
- Added visibility into the minimum TLS version configured for Azure Web Apps and a new filter Web App Minimum TLS Version. [ENG-4591]
- Added support for Azure Web Apps CORS settings (allowed origins and credentials support). Added two new filters: Web App CORS Allows Origin and Web App CORS Credentials. [ENG-4387]
- Added harvesting for Advanced Data Security properties for Azure SQL managed instances. [ENG-4385]
MULTI-CLOUD/GENERAL
- Added an Insight/Bot versioning system that provides customers the ability to fall back to the last known good configuration. Each time an Insight/Bot is updated, a version is recorded and set as the active version. Administrators can revert back to previous versions. Note that only custom Insights support versioning. [ENG-2291]
- New Monthly option has been added to subscription schedules. [ENG-4039]
- Added new schedulable bot action "Post Request To URL By Tag Value". [ENG-4182]
- Only top level resource types display in the Compliance Scorecard filter. [ENG-4524]
- The creation time of big data instances is now included in the resources view and property panel. [ENG-4542]
- Updated the Harvest Info page to display the last successful and failed times for each job, as well as the error type. [ENG-4610]
- All remaining legacy cloud providers--OpenStack, VMware vCloud Director, VMware, Rackspace, DigitalOcean, and IBM Cloud--have been hidden from the UI. [ENG-3852]
Resource Enhancements (20.4)
AWS
- Added visibility into additional ACM SSL properties. New filters are SSL Certificate Validation Method and SSL Certificate Validation Email. [ENG-4481]
- Added visibility for the desync mitigation mode for application/classic load balancers within AWS and a new Bot action to modify the value. New Action: "Modify Desync Mitigation Mode". New Filter: Load Balancer Desync Mitigation Mode. [ENG-4625]
- The creation time of big data instances such as AWS Redshift is now included in the resources view and property panel. [ENG-4542]
- Added S3 web hosting and domain controls. New filters are Storage Container Website Configuration Uses HTTP Redirect and Storage Container Website Configuration Uses Unapproved Domain. [ENG-2137]
AZURE
- Added visibility and filter support for Azure immutable blob storage. New Filter: Storage Container Immutability Policy (Azure). New Permission: "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/read". [ENG-4593]
- Added visibility into the TLS version configured on Microsoft Azure Storage Accounts and a new filter to query the information: Storage Account Minimum TLS Version. [ENG-4624]
- Added visibility into the minimum TLS version configured for Azure Web Apps; added a new filter Web App Minimum TLS Version. [ENG-4591]
- We now harvest BYOK info for Azure MySQL and PostgreSQL database instances and properly set the encrypted flag for Azure SQL Servers, Azure SQL Managed Instances, and Azure MySQL/PostgreSQL/MariaDB servers. New permissions to add to the DivvyCloud Standard custom role: "Microsoft.DBforMySQL/servers/keys/read" and "Microsoft.DBforPostgreSQL/servers/keys/read". Enhanced filters (added Azure support) are Resource Encrypted With Provider Default Keys and Resource Encrypted With Keys Other Than Provider Default. [ENG-4483]
- Added harvesting for Advanced Data Security properties for Azure SQL managed instances. New Permission: "Microsoft.Sql/managedInstances/securityAlertPolicies/read". [ENG-4385]
GCP
- Added a new filter to identify GCP projects which are missing one or more of the recommended log metric filters/alarms for CIS Logging & Monitoring. New Filter: Cloud Account CIS Alerting Policy Missing (GCP Only). [ENG-4559]
Actions (20.4)
AWS: NEW ACTIONS
- "Delete AWS SSL Certificate" - Bot action that adds the ability to remove SSL certificates from AWS. [ENG-3102]
- "Modify Desync Mitigation Mode" - Modifies the value for the desync mitigation mode for application/classic load balancers within AWS. [ENG-4625]
- "Toggle Managed Updates/Automatic Patching" - Bot action to automatically enable/disable automatic patching in AWS Elastic Beanstalk environments. [ENG-3918]
AWS: ENHANCED ACTIONS
- "Encrypt Storage Container" and "Lock Down Storage Container" - Customers can now leverage Jinja2 templating to aid in uniqueness for policy ID statements in these actions. [ENG-844]
MULTI-CLOUD/GENERAL: NEW ACTION
- "Post Request To URL By Tag Value" - Added new schedulable Bot action. [ENG-4182]
MULTI-CLOUD/GENERAL: ENHANCED ACTIONS
- "Curate Insight/Bot Exemptions" - Enhanced to allow the approver/notes field to be set. [ENG-4545]
Filters (20.4)
AWS: NEW FILTERS
- Load Balancer Desync Mitigation Mode - Adds visibility for the desync mitigation mode for application/classic load balancers within AWS; supports the new Bot action ("Modify Desync Mitigation Mode") to modify the value. [ENG-4625]
- Storage Container Website Configuration Uses HTTP Redirect and Storage Container Website Configuration Uses Unapproved Domain - Support S3 web hosting and domain controls. [ENG-2137]
- SSL Certificate Validation Email and SSL Certificate Validation Method - Add visibility into additional ACM SSL properties. [ENG-4481]
AWS: ENHANCED FILTERS
- Storage Container Not Configured With Lifecycle Rules and Storage Container Configured With Lifecycle Rules - Added an optional regular expression input into these filters to give users the ability to identify S3 buckets with misconfigured lifecycle policies. [ENG-4512]
- Storage Container Without Preventative Public Access Enforcement - This filter now takes in multiple options so customers can build more complex policies. [ENG-4447]
AZURE: NEW FILTERS
- Autoscaling Group Automatic OS Upgrades Enabled - New query filter for Azure finds VM scale sets that need system security updates and critical updates. [ENG-4395]
- Cloud Account Owners Count Greater/Less Than Threshold - Adds information that aligns with Azure Security Center checks; finds subscriptions with only one owner, allows a maximum of 3 owners designated for the subscription. [ENG-4396], [ENG-4618]
- Cloud User Sign In Blocked - Shows if there are any deprecated accounts in a subscription. [ENG-4388]
- Cloud User With Owner Access - Shows if there are any deprecated accounts with ownership permissions in a subscription; supports removing deprecated accounts with owner permissions from your subscription. [ENG-4389]
- Cloud User With Write Access - Shows external accounts with write permissions. [ENG-4391]
- Network With DDoS Protection Enabled - Shows whether DDoS Protection is enabled for a virtual network. [ENG-4566]
- Storage Container Immutability Policy (Azure) - Supports added visibility for Azure immutable blob storage. [ENG-4593]
- Storage Account Minimum TLS Version - Adds visibility into the TLS version configured on Microsoft Azure Storage Accounts. [ENG-4624]
- Web App CORS Allows Origin and Web App CORS Credentials - New filters add support for Azure Web Apps CORS settings (allowed origins and credentials support). [ENG-4387]
- Web App Minimum TLS Version - Adds visibility into the minimum TLS version configured for Azure Web Apps. [ENG-4591]
AZURE: ENHANCED FILTERS
- Resource Encrypted With Provider Default Keys and Resource Encrypted With Keys Other Than Provider Default - Add support for harvesting of BYOK info for Azure MySQL and PostgreSQL database instances and properly set the encrypted flag for Azure SQL Servers, Azure SQL Managed Instances, and Azure MySQL/PostgreSQL/MariaDB servers. New permissions are required for the DivvyCloud Standard custom role: "Microsoft.DBforMySQL/servers/keys/read" and "Microsoft.DBforPostgreSQL/servers/keys/read". [ENG-4483]
GCP: NEW FILTERS
- Cloud Account CIS Alerting Policy Missing (GCP Only) - Identifies GCP projects which are missing one or more of the recommended log metric filters/alarms for CIS Logging & Monitoring. [ENG-4559]
MULTI-CLOUD/GENERAL: ENHANCED FILTERS
- Cloud Account Contains Identity Resource and Cloud Account Missing Identity Resource - These filters were enhanced to take in an optional list of names or a data collection for improved searching at scale. [ENG-4334]
Bug Fixes (20.4)
AWS
- [ENG-4707] Fixed a bug that caused the filters Storage Container Without Global/Policy Encryption (AWS Only) and Storage Container With Global/Policy Encryption (AWS Only) to return false positives.
- [ENG-1576] Fixed a bug that prevented storage containers from showing up as using provider managed keys for encryption at rest.
AZURE
- [ENG-4584] Fixed a bug that sometimes prevented Azure ContainerClusters in a specific state from being harvested.
GCP
- [ENG-4626] Fixed a bug that prevented GCP Sinks from being harvested.
MULTI-CLOUD/GENERAL
- [ENG-4648] Fixed a bug that prevented the filter Kubernetes Cluster Engine Logging Enabled/Disabled (EKS) from working with all logging types.
- [ENG-4561] Fixed: Bots were paused and their Insight dissociated after users tried to delete a back-office Insight.
- [ENG-4555] Fixed a bug regarding pack subscription notifications: the Minute option is now removed from the Daily, Weekly, and Monthly frequencies, and existing pack subscriptions with minutes specified will now run between the specified hour at minute 0 and an hour later.
- [ENG-4526] Fixed a bug that did not retain the active scope when browsing to the impacted resources for a single cloud from the Insights page.
- [ENG-4543] Fixed an issue with badges being incorrectly flagged as auto-generated during cloud add.
- [ENG-4540] Fixed a bug that prevented the deletion of public IP addresses.
- [ENG-4521] Updated the Scorecard Resource Types drop-down to only show top-level resource types, and alphabetized them.
- [ENG-4495] The All Permissions column in the Roles table has been removed: when All Permissions is True, View, Provision, Manage, and Delete are all shown as checked in the table.
- [ENG-4488] Fixed a bug that prevented all password requirements from being shown properly when a user resets their password.
- [ENG-4460] Added version data to several filters that were missing it.
- [ENG-4199] Fixed the 'Update Roles' dialog behavior to separate 'All Permissions' and 'Add Cloud'. Some of the checkbox functionality has changed, including:
  - 'Add Cloud' and 'All Resource Permissions' are separate and independent of each other.
  - When 'All Resource Permissions' is selected, all the permissions under it (View, Provision, Manage, Delete) are selected.
  - If one of the permissions under 'All Resource Permissions' is deselected, then 'All Resource Permissions' is deselected.
  - If all the permissions under 'All Resource Permissions' are selected, then 'All Resource Permissions' is selected.
- [ENG-3845] Fixed a bug that prevented cloud account status from updating correctly.
- [ENG-3830] Fixed an issue where inactive worker processes were being displayed in the list of active workers on the DivvyCloud system administration page.
- [ENG-3712] Removed the Publicly Accessible column from the Snapshots/Database Snapshots view to avoid confusion. Customers can still rely on the filter Snapshot Accessible To Public to identify snapshots that fall into this category.
- [ENG-3506] Fixed a bug that prevented the filter 'Cloud Resource Type Count' from working as expected.
- [ENG-3409] Fixed Okta/SAML mismatched user sessions. See the red callout at the beginning of these notes.
- [ENG-2832] Changed/updated the CIS Custom Pack logo.
Divvy Software Release Notice - 20.4.1 Minor Release (09/02/2020)
DivvyCloud's Minor Release 20.4.1 includes a new DivvyCloud Dashboard, new features and enhancements, two new permissions for AWS, as well as several more filters and bug fixes.
As always, contact us at support@divvycloud.com with any questions.
New Permissions Required (20.4.1)
New Permissions Required
For AWS: "transfer:DescribeUser", "transfer:ListUsers"
These new AWS permissions enhance support for SFTP Transfer Server with a new filter Transfer Server User Credential Threshold to identify users on a SFTP Transfer Server that have credentials which exceed a defined threshold. This enhancement also supports a new Jinja2 get function, resource.get_users(), to pull 'users' data in notifications. [ENG-4689]
Features & Enhancements (20.4.1)
Updated DivvyCloud Dashboard
Beginning with 20.4.1, all DivvyCloud users can take advantage of the new dashboard experience. The Dashboard now includes compliance and security findings recorded over time with data segmented at the Insight Pack level. It includes a compliance score and visualizations, data around compliance by severity, and data based on Insight pack type (core or custom) and exemptions. It also provides historical views and a saved view based on user. To review the full details check out our updated Dashboard page here.
AWS
- Added a new filter Transfer Server User Credential Threshold that can be used to identify users on a SFTP Transfer Server that have credentials which exceed a defined threshold. New Permissions: "transfer:DescribeUser", "transfer:ListUsers". New Jinja2 function, resource.get_users(), to pull 'users' data in notifications. [ENG-4689]
- Added a new filter Resource Not Running With Individual Encryption Key to identify resources running without a unique customer master key (CMK). [ENG-4661]
AZURE
- Added support for Azure App Service diagnostic settings when harvesting WebApps. Added a new filter: Web App Invalid Diagnostic Logging Configuration. [ENG-4567]
- Added support for diagnostic settings in Azure MessageQueues. Added a new filter: Message Queue Invalid Diagnostic Logging Configuration. [ENG-4568]
- Added visibility for diagnostic settings to Data Lake Storage resources. Added a new filter: Data Lake Storage Invalid Diagnostic Logging Configuration. [ENG-4390]
- Updated the filters Cloud Account Contains Identity Resource and Cloud Account Missing Identity Resource to support Azure. [ENG-4647]
GCP
- Added a filter to identify Google encryption keys based on the rotation period. New Filter: Encryption Key Rotation Period Threshold. [ENG-4679]
MULTI-CLOUD/OTHER
- Added support for remote certificate download via environment variables. [ENG-4688]
- Enhanced the webhook alias field in the MS Teams integration to support templating via Jinja2. This enables dynamic webhook routing based on resource tagging/badging. [ENG-4691]
- Updated the Bot listing page to display the date created/modified columns in MM/DD/YYYY format. [ENG-4690]
Resource Enhancements (20.4.1)
AWS
- Enhanced support for AWS SFTP Transfer Server with a new filter Transfer Server User Credential Threshold to identify users on a SFTP Transfer Server that have credentials which exceed a defined threshold. New Permissions: "transfer:DescribeUser", "transfer:ListUsers". New Jinja2 function, resource.get_users(), to pull 'users' data in notifications. [ENG-4689]
- Added the AWS Route53 CreateHostedZone/DeleteHostedZone actions to the supported calls for event driven harvesting. [ENG-4732]
- Added visibility and filter support for AWS MSK instances without the proper logging configuration. [ENG-4667]
AZURE
- Added support for diagnostic settings in Azure MessageQueues. Added a new filter: Message Queue Invalid Diagnostic Logging Configuration. [ENG-4568]
- Added support for Azure App Service diagnostic settings when harvesting WebApps. Added a new filter: Web App Invalid Diagnostic Logging Configuration. [ENG-4567]
- Added visibility for diagnostic settings to Azure Data Lake Storage resources. Added a new filter: Data Lake Storage Invalid Diagnostic Logging Configuration. [ENG-4390]
Enhanced Actions (20.4.1)
- Added a new Jinja2 getter to pull the user information from a server (e.g. resource.get_users()). [ENG-4689]
Filters (20.4.1)
AWS
- Resource Not Running With Individual Encryption Key - Identifies resources running without a unique CMK. [ENG-4661]
- Transfer Server User Credential Threshold - Enhances support for SFTP Transfer Server by identifying users on a SFTP Transfer Server that have credentials which exceed a defined threshold. Associated with new permissions ("transfer:DescribeUser" and "transfer:ListUsers") as well as a new Jinja2 function, resource.get_users(), to pull 'users' data in notifications. [ENG-4689]
- Stream Instance Logging Destination Not Enabled - Adds visibility and filter support for AWS MSK instances without the proper logging configuration. [ENG-4667]
AZURE
- Cloud Account Contains Identity Resource and Cloud Account Missing Identity Resource - These filters were updated to support Azure. [ENG-4647]
- Data Lake Storage Invalid Diagnostic Logging Configuration - Adds visibility for diagnostic settings to Azure Data Lake Storage resources. [ENG-4390]
- Message Queue Invalid Diagnostic Logging Configuration - Supports diagnostic settings in Azure MessageQueues. [ENG-4568]
- Web App Invalid Diagnostic Logging Configuration - Adds support for Azure App Service diagnostic settings when harvesting WebApps. [ENG-4567]
GCP
- Encryption Key Rotation Period Threshold - Identifies Google encryption keys based on the rotation period. [ENG-4679]
MULTI-CLOUD/OTHER
- Notification Topic Exposing Permissions To Public (AWS) - New filter that identifies SNS Topics exposing specific permissions. [ENG-70]
Bug Fixes (20.4.1)
AWS
- [ENG-4685] Fixed a bug that prevented global encryption from being validated on S3 buckets during IaC scanning.
MULTI-CLOUD/OTHER
- [ENG-4715] Fixed an edge case with the filter Message Queue Encryption At Rest Enabled.
- [ENG-4673] Fixed bug that caused optional description field to be mandatory in "Update Bot Information" Pop-Up Window.
- [ENG-4501] Stale plugin entries are now removed from the database on start.
Divvy Software Release Notice - 20.4.2 Minor Release (09/10/2020)
DivvyCloud's Minor Release 20.4.2 includes enhanced support for AWS GuardDuty, Azure Database Instances, and GCP Snapshots. It also includes a new Azure permission, more than a dozen features and enhancements, 8 new or enhanced filters, and several bug fixes.
As always, contact us at support@divvycloud.com with any questions.
New Permission Required (20.4.2)
New Permission Required
For Azure: "Microsoft.Security/locations/jitNetworkAccessPolicies/read"
This permission supports visibility into JIT network access controls for Azure Instances. [ENG-4719]
Features & Enhancements (20.4.2)
AWS
- Improved EDH onboarding process time by obtaining AWS organization membership information at the time of cloud add. [ENG-4847]
- Expanded AWS GuardDuty support to include visibility into S3 findings. [ENG-4839]
- We have added support for harvesting information related to Database Activity Streams, which are described by AWS here. [ENG-4783]
AZURE
- Added visibility into the public network access configuration for Azure Database Instances. A new filter Database Instance Public Network Access Configuration was also added. [ENG-4781]
- Added a new filter to identify Azure Key Vaults without proper diagnostic log configuration. The new filter is Key Vault Invalid Diagnostic Logging Configuration. [ENG-4735]
- Added visibility into JIT network access controls for Azure Instances and new filters: Instance Without JIT Access Control Enabled, Instance Management Ports Not Protected Using JIT Access Control, and Instance Ports Not Protected Using JIT Access Control. New required permission: "Microsoft.Security/locations/jitNetworkAccessPolicies/read". [ENG-4719]
GCP
- Added visibility into snapshot storage size for GCP Snapshots. [ENG-4531]
MULTI-CLOUD & OTHER GENERAL ENHANCEMENTS
- Pagination settings are now persisted between sessions within the Tag Explorer. [ENG-4827]
- Bots can now be filtered by those created by the end-user. This can make it easier to find the Bots you care about. [ENG-4823]
- Improved the add-to-pack dialogue to include more data about the packs and sort capabilities. [ENG-4718]
- Added a new integration to InsightIDR which can be used to feed Bot events into a target event collector. [ENG-4806]
- Expanded the filter Cloud Role Trust Relationship Policy Without External ID to support an optional list of target accounts. [ENG-4841]
- Upon creating/editing a Bot, users will now be transitioned to the Bot overview instead of the Bot listing. [ENG-4850]
- Added support for special characters in the Exemptions Approver field. [ENG-4843]
Resource Enhancements (20.4.2)
AZURE
- Added visibility into the public network access configuration for Azure Database Instances. A new filter Database Instance Public Network Access Configuration was also added. [ENG-4781]
GCP
- Added visibility into snapshot storage size for GCP Snapshots. [ENG-4531]
Action Enhancements (20.4.2)
MULTI-CLOUD/GENERAL
- Added helper text (Jinja2 allowed) to the Bot action for the MS Teams webhook channel. You can read more here. [ENG-4861]
- Added Jinja preview capabilities to the "Post Request To URL By Tag Value" and "Post Request To URL" actions. [ENG-4853]
Filters (20.4.2)
AWS
- ‘Identity Resource With Boundary Policy’ - Identifies permission boundary misconfigurations for cloud users/roles. [ENG-4807]
AZURE
- Database Instance Public Network Access Configuration - Adds visibility into the public network access configuration for Azure Database Instances. [ENG-4781]
- Instance Management Ports Not Protected Using JIT Access Control, Instance Ports Not Protected Using JIT Access Control, and Instance Without JIT Access Control Enabled - These 3 new filters provide visibility into JIT network access controls for Azure Instances. [ENG-4719]
- Key Vault Invalid Diagnostic Logging Configuration - Identifies Azure Key Vaults without proper diagnostic log configuration. [ENG-4735]
- Kubernetes Cluster Version (EKS and AKS) - This Kubernetes Cluster Version query filter has been updated to support Azure AKS. [ENG-4725]
MULTI-CLOUD/GENERAL: NEW FILTERS
- Identity Resource Has Managed Policy - Identifies cloud users, groups, and roles that have managed policies attached. [ENG-4811]
- SSL Certificate Duration Exceeds Threshold - Identifies SSL Certificate validity in days. This can be used to identify and enforce SSL Certificate rotation. [ENG-4791]
MULTI-CLOUD/GENERAL: ENHANCED FILTERS
- Cloud Role Trust Relationship Policy Without External ID - Expanded this filter to support an optional list of target accounts. [ENG-4841]
- Instances Using Specific Role - Filter expanded to support regular expressions. [ENG-4849]
Bug Fixes (20.4.2)
AWS
- [ENG-4825] Fixed a bug involving support for case insensitivity when looking for public permissions when using the filters Message Queue Exposing Permissions To Public and Notification Topic Exposing Permissions To Public.
AZURE
- [ENG-4880] Restored the ability to enable/disable public access for Azure Storage Containers.
GCP
- [ENG-4703] Fixed a bug with the CloudAccountProcessor that caused issues when adding GCP orgs.
MULTI-CLOUD/GENERAL
- [ENG-4878] Hidden insights will now remain hidden even after a new harvest.
- [ENG-4877] Fixed a bug that prevented Compliance Scorecard selections from being saved and stored.
- [ENG-4856] Fixed sorting for the Insight Pack creation/updated columns.
- [ENG-4829] Fixed a bug that prevented users from being able to download a CSV of cloud accounts.
- [ENG-4706] Updated the TF version for all three supported clouds.
- [ENG-4669] Fixed back button issue when navigating to insight summary.
- [ENG-4501] Automatically resolves the potential causes for issues in the description on system start.
Divvy Software Release Notice - 20.4.3 Minor Release (09/16/2020)
Release Highlights (20.4.3)
DivvyCloud's Minor Release 20.4.3 includes enhanced visibility into AWS Container Registries, and enhanced support for Azure Active Directory and Azure database instance data security. It also includes new filters for Kubernetes, new filters for improved visibility, and about a dozen bug fixes.
As always, contact us at support@divvycloud.com with any questions.
New Permissions Required (20.4.3)
FOR AWS: "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeLifecycleConfiguration", "rds:DescribeOptionGroups"
FOR AZURE: "Microsoft.DBforMySQL/servers/administrators/read", "Microsoft.DBforPostgreSQL/servers/administrators/read", "Microsoft.Sql/managedInstances/administrators/read", "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read", "Microsoft.Sql/servers/vulnerabilityAssessments/read"
MORE ON PERMISSIONS: AWS
- "rds:DescribeOptionGroups" supports the expanded filters Database Instance Without SSL Enforced and Database Instance With SSL Enforced, which now cover Oracle database engines on AWS RDS. [ENG-4879]
- "elasticfilesystem:DescribeBackupPolicy" and "elasticfilesystem:DescribeLifecycleConfiguration" support the expanded AWS EFS and FSx support in additional regions and the added visibility into the lifecycle policy and backup configurations. [ENG-4920]
MORE ON PERMISSIONS: AZURE
- "Microsoft.Sql/servers/vulnerabilityAssessments/read" and "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read" support the new query filter for Azure: Database Instance Advanced Data Security Enabled. [ENG-4737]
- "Microsoft.DBforMySQL/servers/administrators/read", "Microsoft.DBforPostgreSQL/servers/administrators/read", and "Microsoft.Sql/managedInstances/administrators/read" support the check that an Azure administrator is provisioned for Azure Managed SQL instances, Azure PostgreSQL, and Azure MySQL. [ENG-4739]
Features & Enhancements (20.4.3)
AWS
- Added visibility into the encryption configuration of AWS Container Registries. [ENG-4854]
- Added EDH lifecycle support for kms:PutKeyPolicy. [ENG-4890]
- Expanded AWS EFS and FSx support into additional regions and added visibility into the lifecycle policy and backup configurations. New filters: Shared File System Lifecycle Policy and Shared File System Backup Policy. [ENG-4920]
AZURE
- Added a new query filter for Azure: Database Instance Advanced Data Security Enabled. This requires new permissions: "Microsoft.Sql/servers/vulnerabilityAssessments/read" and "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read". [ENG-4737]
- Enhanced the existing filter Database Instance Azure Active Directory Administrator Not Configured to provide Azure AD Administrator visibility into PostgreSQL, MySQL, and Managed SQL instances. New Azure permissions required: "Microsoft.DBforMySQL/servers/administrators/read", "Microsoft.DBforPostgreSQL/servers/administrators/read", and "Microsoft.Sql/managedInstances/administrators/read". [ENG-4739]
MULTI-CLOUD & OTHER GENERAL ENHANCEMENTS
- Added new fields in the BotFactory "Create ServiceNow Incident" action for the assignment group and CMDB CI properties. [ENG-4851]
- Expanded the filter Access List Contains Public Addresses Outside Of Known IPs to work with resource access list rules. [ENG-4868]
- Improved messaging when customers attempt to add a Kubernetes cluster without network access. [ENG-4865]
- Added a new filter to identify Kubernetes Ingress resources which are not configured with HTTPS: Kubernetes Ingress Not Listening On Port 443. [ENG-4919]
Resource Enhancements (20.4.3)
AWS
- Added visibility into the encryption configuration of AWS Container Registries. [ENG-4854]
- Expanded AWS EFS and FSx support into additional regions and added visibility into the lifecycle policy and backup configurations. New filters: Shared File System Lifecycle Policy and Shared File System Backup Policy. [ENG-4920]
AZURE
- Added visibility into Azure SQL and Managed SQL instance Advanced Data Security settings. New query filter for Azure: Database Instance Advanced Data Security Enabled. New required permissions: "Microsoft.Sql/servers/vulnerabilityAssessments/read" and "Microsoft.Sql/managedInstances/vulnerabilityAssessments/read". [ENG-4737]
Enhanced Action (20.4.3)
- Added new fields in the BotFactory "Create ServiceNow Incident" action for the assignment group and CMDB CI properties. [ENG-4851]
Filters (20.4.3)
AWS
Database Instance Without SSL Enforced and Database Instance With SSL Enforced
- Enhanced these filters to support Oracle database engines on AWS RDS. [ENG-4879]
Resource Encrypted With Provider Default Keys
- Enhanced filter to add visibility into the encryption configuration of AWS Container Registries. [ENG-4854]
Shared File System Lifecycle Policy and Shared File System Backup Policy
- These new filters expand AWS EFS and FSx support into additional regions and add visibility into the lifecycle policy and backup configurations. [ENG-4920]
AZURE
Database Instance Advanced Data Security Enabled
- New filter to show whether advanced data security is enabled on SQL servers. [ENG-4737]
Database Instance Azure Active Directory Administrator Not Configured
- This enhanced filter provides Azure AD Administrator visibility into PostgreSQL, MySQL, and Managed SQL instances. [ENG-4739]
MULTI-CLOUD/GENERAL
Access List Contains Public Addresses Outside Of Known IPs
- Expanded this filter to work with resource access list rules. [ENG-4868]
Kubernetes Ingress Not Listening On Port 443
- Added a new filter to identify Kubernetes Ingress resources which are not configured with HTTPS. [ENG-4919]
Bug Fixes (20.4.3)
AWS
- [ENG-4888] Fixed a bug that prevented harvesting of Kinesis Video Streams.
- [ENG-4879] Fixed issue where Transit Encryption was not properly detected for AWS RDS Oracle databases.
AZURE
- [ENG-4832] Fixed a bug involving duplicate Azure Subscriptions being added to Divvy via API.
MULTI-CLOUD/GENERAL
- [ENG-4929] Fixed a bug involving the filter Message Queue Type.
- [ENG-4901] Fixed a bug involving the Compliance Report Card view failing to account for permissions when viewing Insight results.
- [ENG-4900] Fixed a UI bug that prevented the overflow scrollbar from displaying on filters/actions with large inputs within BotFactory.
- [ENG-4886] Fixed a bug in Insights: Compliance and Custom Packs list counts were not updating when changing the "Hide Disabled Packs" toggle.
- [ENG-4873] Repaired Clouds Download not working with badges.
- [ENG-4810] Fixed a bug that prevented Insight violations from being viewed for routes.
- [ENG-4362] Fixed a bug involving users seeing incorrect Cloud Event Bus resources after applying regex name filters.
Divvy Software Release Notice - 20.4.4 Minor Release (09/23/2020)
DivvyCloud's Minor Release 20.4.4 includes several new or enhanced features. These include: tag support for AWS SSH pairs, direct links for AWS Memcache Snapshots, and a new filter for Azure VMs without a vulnerability assessment extension. In addition, this release includes a few new or enhanced filters, and a couple of bug fixes, too.
As always, contact us at support@divvycloud.com with any questions.
Features & Enhancements (20.4.4)
AWS
- Added tag support for SSH keypairs and fixed a bug that prevented direct linking. Refer to the callout above for details. [ENG-3856]
- Added direct links for AWS Memcache Snapshots. [ENG-3180]
AZURE
- Added a new filter for Azure VMs without a vulnerability assessment extension installed. New query filter: Instance Without a Vulnerability Assessment Extension Installed. [ENG-4792]
MULTI-CLOUD & OTHER GENERAL ENHANCEMENTS
- Expanded the filter Cloud User Last Activity (Password & API) to support filtering on the inverse operator (greater than). [ENG-5010]
- Expanded the filter Access List Rule Count to support direction and operator configuration. This enhancement can be useful when customers are looking for access lists which are empty. [ENG-4971]
- Added a new Cloud User with Read Access query filter, which can be combined with the existing Cloud User Is Guest filter to provide a check for external accounts with read permissions. [ENG-4944]
- Generalized the Workspace volume encryption filters by adding a third filter that identifies workspaces with encryption disabled on either the user volume or the root volume. New filter: Workspace Without Volume Encryption Enabled. [ENG-4913]
- Added a warning message for non-Chrome users recommending the use of Chrome on a non-mobile environment. [ENG-4644]
Filters (20.4.4)
AZURE
Instance Without a Vulnerability Assessment Extension Installed
- Added a new filter for Azure VMs without a vulnerability assessment extension installed. [ENG-4792]
MULTI-CLOUD/GENERAL: NEW FILTERS
Cloud User with Read Access
- New query filter that can be combined with the existing Cloud User Is Guest filter to provide a check for external accounts with read permissions. [ENG-4944]
Workspace Without Volume Encryption Enabled
- We have generalized the Workspace volume encryption filters by adding a third filter that identifies workspaces with encryption disabled on either the user volume or the root volume. [ENG-4913]
MULTI-CLOUD/GENERAL: ENHANCED FILTERS
Access List Rule Count
- Expanded this filter to support direction and operator configuration. This enhancement can be useful when customers are looking for access lists which are empty. [ENG-4971]
Cloud User Last Activity (Password & API)
- Filter enhanced to support filtering on the inverse operator (greater than). [ENG-5010]
Bug Fixes (20.4.4)
AZURE
- [ENG-5027] Fixed a bug involving Azure AD using SAML. Added a new SAML server configuration option that specifies whether the subject attribute is sent.
MULTI-CLOUD/GENERAL
- [ENG-4970] Added a search input to the Insight Scopes sidebar and fixed the default sort order.
- [ENG-4918] Fixed a bug that prevented basic users with viewer entitlements from downloading individual Insight results from the Compliance Scorecard to Excel.
- [ENG-4744] Fixed a bug that resulted in the Tag Explorer CSV download including prefixed characters in front of tag key columns.