Latest 20.5 Release

Release Highlights (20.5.4)

DivvyCloud is pleased to announce Minor Release 20.5.4. This minor release includes new features and enhancements, Bot actions, and several bug fixes.

For our add-on Cloud IAM Governance  module, we have details around two feature enhancements.

Skip ahead to review the details  for the general release as well as details  for Cloud IAM Governance. As always, contact us at support@divvycloud.com with any questions.

Divvy Software Release Notice - 20.5 Major Release (09/30/2020)

Release Highlights (20.5)

DivvyCloud is pleased to announce Major Release 20.5. This major release contains DivvyCloud’s first add-on commercial module for Cloud IAM Governance . We are also introducing the ability to add an API-Only user . This release additionally includes: an update to the AWS CIS Benchmark pack, a new Compute resource (Event Subscriptions), a new bot action to remove specific SQS permissions, a dozen new or enhanced filters, and a couple of bug fixes. Note the new permissions required for the AWS RDS Event Subscriptions and assessing AWS CIS compliance.

Contact us at support@divvycloud.com with any questions.

New Permissions Required (20.5)

MORE ABOUT THE PERMISSIONS: AWS

• “rds:DescribeEventSubscriptions” - This new required permission for AWS supports the new resource, Event Subscription (RDS Event Subscriptions), and the query filters Event Subscriptions By Source Type and Resource With Event Subscriptions. [ENG-4660]
• “cloudwatch:DescribeAlarmsForMetric”, “logs:DescribeMetricFilters”, and “shield:GetSubscriptionState” - These permissions support the new filter Cloud Account CIS Alerting Policy Missing that can be used to identify missing alerting policies which are a part of AWS CIS compliance. [ENG-5013]

Features & Enhancements (20.5)

NEW ADD-ON COMMERCIAL MODULE FOR IAM GOVERNANCE Release 20.5 contains DivvyCloud’s first add-on commercial module for Cloud IAM Governance. This new add-on module supports an organization’s need for visibility and management around who and what has access to the organization’s cloud resources. Explore resources via Access Explorer and see what IAM principals have access to those resources and which policies grant that access.

Read more about the value of IAM in cloud security through our white paper - Gaining Control Over Cloud IAM Chaos . You can also check out the IAM Governance page  to learn a bit more about the value of this feature and request a demo. Reach out to your customer success rep to learn more, too! Complete feature documentation is available here .

For those customers using the new Cloud IAM Governance Module through Access Explorer, 20.5 also includes the following new filters:

• Identity Resource With No Boundary Policy
• Cloud Policy Or IAM Principal Allows Actions For Wildcard Resource
• Cloud Policy Or IAM Principal Allows All Actions
• Cloud Policy Or IAM Principal Allows Wildcard Actions
• Cloud Policy Or IAM Principal Allows Actions for All Resources

NEW API-ONLY USER Beginning with 20.5, Administrators have the ability to create an API-only user by preventing console access and granting an API Key. API Keys can be used instead of user credentials to programmatically log into the system. This functionality operates through a series of API endpoints. These enable the creation of a new API-only user, or the conversion of an existing Basic user to an API-only user. Some important things to note about this new capability include [ENG-2460]:

• When an API-only user is created a new unique API key is generated for that user. Once the key is generated it is important to properly store the key as you will not be able to access it at a later time.
• By default, API-only users will not have console access.
  • If console access is granted after an API-only user is created it will convert the user to local authentication (username/password) and require a password reset to generate a password to provide the console access.
  • If an Admin removes console access for an existing user, the initial authentication type will persist when console access is restored.
• An API Key can be used to access the endpoints by using a valid ‘Api-Key’ in header instead of ‘X-Auth-Token’.
• All API-only users are basic users
• Admins cannot be API-only (they can however also have API keys in addition to console access, console access cannot be revoked for Admins).
• Admins have the ability to revoke access and generate new keys for users.
  • Note that if a new key is generated any existing API keys will be deactivated.

Additional information for API-only users may be found here .

AWS

• DivvyCloud’s newest Compliance Pack is our updated AWS CIS Benchmark Pack. This pack has been updated to the newer AWS CIS Benchmark  (1.3.0). Read complete details on this compliance pack here . [ENG-5129]
• Added visibility to the CPU architecture that’s associated with AWS EC2 instances. New filter: Instance CPU Architecture. [ENG-4981]
• Added a new resource, “Event Subscription (RDS Event Subscriptions)”, and new query filters Event Subscriptions By Source Type and Resource With Event Subscriptions to support it. Requires new permission: “rds:DescribeEventSubscriptions”. The Event Subscription resource can be found on the main Resources page under the Compute category. [ENG-4660]
• Added visibility into the CloudWatch Logging configuration of AWS Application Gateway/Stages and a new filter to identify them: Application Gateway Without CloudWatch Logging Enabled. [ENG-5047]
• Expanded encryption checking with new filters ‘Delivery Stream Is Not Encrypted’, and ‘Delivery Stream Is Encrypted’ to identify Kinesis Delivery Streams which do not support encryption at rest. [ENG-5044]
• Added a new filter Application Stage Parent Endpoint Configuration to identify stages associated with a parent that matches a particular edge configuration. [ENG-5011]

AZURE

• Added a new query filter for Azure, Public Kubernetes Cluster Without IP Access Restrictions, a modification of the existing Kubernetes Cluster Engine Public Access CIDRs query filter to support Azure AKS clusters. [ENG-5034]

MULTI-CLOUD/GENERAL

• Expanded the Tag Explorer support to 20 additional resource types. [ENG-5063]
• Improved cloud account names in scorecard UI. [ENG-3113]
• Added support for a new environment variable, DIVVY_K8S_PROXY which can be used to set the Kubernetes proxy configuration. [ENG-4789]
• Added a bot action to remove specific SQS permissions. New Action: “Cleanup Exposed Message Queue”. [ENG-4916]
• Added a new filter Resource Trusting Account Outside Of Allowed List to identify resources with shares to accounts outside of a defined allowed list. [ENG-5064]

Resources (20.5)

NEW RESOURCE: AWS

• Added a new resource, “Event Subscription (RDS Event Subscriptions)”, and new query filters Event Subscriptions By Source Type and Resource With Event Subscriptions to support it. Requires new permission: “rds:DescribeEventSubscriptions”. The Event Subscriptions resource can be found on the main Resources page under the Compute category. [ENG-4660]

RESOURCE ENHANCEMENT: AWS

• Added visibility to the CPU architecture that’s associated with AWS EC2 instances. New filter: Instance CPU Architecture. [ENG-4981]

Actions (20.5)

MULTI-CLOUD/GENERAL

• Added a bot action to remove specific SQS permissions. New Action: “Cleanup Exposed Message Queue”. [ENG-4916]
• Renamed the Bot action “Remove Snapshot Unknown Account” to “Remove Snapshot/Image Unknown Account Shared Permission” and expanded the resource type support to include snapshots, database snapshots and private images. [ENG-5009]
• Expanded the Bot action “Assign Owner Tag To Resource” to work with SSH key pairs. [ENG-5067]

Filters (20.5)

AWS

• Application Gateway Without CloudWatch Logging Enabled - Adds visibility into the CloudWatch Logging configuration of AWS Application Gateway/Stages. [ENG-5047]
• Application Stage Parent Endpoint Configuration - identifies stages associated with a parent that matches a particular edge configuration. [ENG-5011]
• Cloud Account CIS Alerting Policy Missing - New filter to identify missing alerting policies which are a part of AWS CIS compliance. New permissions required: “cloudwatch:DescribeAlarmsForMetric”, “logs:DescribeMetricFilters”, and “shield:GetSubscriptionState”. [ENG-5013]
• ‘Delivery Stream Is Encrypted’ and ‘Delivery Stream Is Not Encrypted’ - These filters identify Kinesis Delivery Streams which do not support encryption at rest. [ENG-5044]
• Event Subscriptions By Source Type - New query filter to support the new resource, “Event Subscription (RDS Event Subscriptions)”. Note: requires new permission “rds:DescribeEventSubscriptions”. [ENG-4660]
• Instance CPU Architecture - Adds visibility to the CPU architecture that’s associated with AWS EC2 instances. [ENG-4981]
• Resource With Event Subscriptions - New query filter to support the new resource, “Event Subscription (RDS Event Subscriptions)”. Note: requires new permission “rds:DescribeEventSubscriptions”. [ENG-4660]

AZURE

• Public Kubernetes Cluster Without IP Access Restrictions - This is a modification of the existing Kubernetes Cluster Engine Public Access CIDRs query filter to support Azure AKS clusters. [ENG-5034]

MULTI-CLOUD/GENERAL

• Application Stage Parent Endpoint Configuration - Identifies stages associated with a parent that matches a particular edge configuration. [ENG-5011]
• Expanded the filter Kubernetes Resource In Given Namespace - This filter was expanded to support “Not In” and take in more than one namespace. [ENG-4848]
• Resource Trusting Account Outside Of Allowed List - Identifies resources with shares to accounts outside of a defined allowed list. [ENG-5064]

Bug Fixes (20.5)

AWS

• [ENG-5062] Fixed a bug that prevented AWS RDS DB Clusters from being analyzed in the IaC module

MULTI-CLOUD/GENERAL

• [ENG-4939] Fixed a bug that caused organizations to allow adding duplicate cloud accounts. Divvy Software Release Notice - 20.5.1 Minor Release (10/07/2020)

Release Highlights (20.5.1)

DivvyCloud’s Minor Release 20.5.1 includes:

• InsightVM Integration
• A new Service Organization Control 2 (SOC2) Pack
• Improvements to the Integrations page
• One enhanced filter
• Multiple bug fixes

Also, check out the callout below for an advanced notice of an upcoming widget.

As always, contact us at support@divvycloud.com with any questions.

New Permissions Required (20.5.1)

MORE ON PERMISSIONS: GCP These permissions are now required for GCP Backlog Metrics. [ref ENG-5201]

Features & Enhancements (20.5.1)

Service Organization Control 2 (SOC2) Pack DivvyCloud’s new Service Organization Control 2 (SOC2) Pack includes DivvyCloud Insights that can map to the SOC2 Trust Services Criteria requirements . The legacy version had 61 insights; the new one has 365 insights. For complete details on our updated compliance pack, click here . [ENG—5026]

InsightVM Integration We’ve added integration with Rapid7’s InsightVM with support for agent host scanning. This integration provides DivvyCloud the ability to ingest vulnerability and CVE information associated with cloud instances, and identify gaps in agent deployment gaps across a company’s cloud footprint. You can read more in our docs here . [ENG-5105]

AWS

• Expanded AssumeRole support to work in AWS China. [ENG-5122]

AZURE

• Added visibility into deallocated lifecycle states within Azure [ENG-5197]
• Enhanced Azure Distributed Table publicly accessible evaluation to take Azure Virtual Network attachments into consideration [ENG-5123]

MULTI-CLOUD/GENERAL

• Improved cleanup operations for Insight resource findings. [ENG-5156]
• Expanded the filter Access List Rule Count to support direction and operator configuration. This enhancement can be useful when customers are looking for access lists which are empty. [ENG-4971]
• Improved styling for integrations page and cards. [ENG-5072]
• Included the versioning property in the Resources UI when viewing Storage Containers. [ENG-5131]

Filters (20.5.1)

MULTI-CLOUD/GENERAL

• Access List Rule Count - Expanded filter to support direction and operator configuration. This enhancement can be useful when customers are looking for access lists which are empty. [ENG-4971]

Bug Fixes (20.5.1)

AWS

• [ENG-5130] Fixed an edge case in the filter “Resource Trusting Unknown Account” that would report false positives for S3 buckets being used for access logging and sharing to trusted AWS accounts. These accounts are listed here .

GCP

• [ENG-5201] Fixed job backlog export for GCP.

MULTI-CLOUD/GENERAL

• [ENG-5200] Fixed bug that prevented some application load balancers from being harvested.
• [ENG-5106] Fixed a bug that prevented sorting by the last login time when viewing DivvyCloud users/admin accounts.
• [ENG-4973] Fixed issue on widescreen monitors; now better supporting widescreen displays of the main dashboard.
• [ENG-4658] Fixed a scrollbar bug on the Resources view.
• [ENG-4167] Updating usage of “Event Driven” to “Event-Driven” throughout the product.
• [ENG-1262] - System health notification banner in UI will no longer report issue with cloud accounts from different organizations. Divvy Software Release Notice - 20.5.2 Minor Release (10/15/2020)

Release Highlights (20.5.2)

Minor Release 20.5.2 includes a new Resource - Network Address Group (which maps to AWS’ Managed Prefix List and Azure’s IP Group), new permissions for AWS and Azure, as well as several filters and bug fixes.

In addition, for our add-on Cloud IAM Governance module, we have details around several bug fixes. Details of those Cloud IAM Governance updates are here .

As always, contact us at support@divvycloud.com with any questions.

New Permissions Required (20.5.2)

MORE ABOUT THE NEW PERMISSIONS The new permissions support DIvvyCloud’s new resource type “Network Address Group”, which provides visibility into defined network address prefixes. This new resource type maps to AWS’ Managed Prefix List and Azure’s IP Group. [ENG-5140]

Features & Enhancements (20.5.2)

AWS

• Added a new filter Content Delivery Network Logging to Specified Bucket to identify AWS CloudFront resources which are not configured with at least one origin access identity. [ENG-5230]

MULTI-CLOUD/GENERAL

• We’ve added a new resource type “Network Address Group”, which provides visibility into defined network address prefixes. This new resource type maps to Azure’s IP Group and AWS’ Managed Prefix List. New permissions are required: “Microsoft.Network/ipGroups/read” for Azure, and “ec2:DescribeManagedPrefixLists” and “ec2:GetManagedPrefixListEntries” for AWS. This new resource type can be found under the Network category on the main Resources page. [ENG-5140]
• Allow email characters (and other special characters) in badge key/values when submitted in the workflow after adding a new cloud. Same goes for badges attached to pack subscriptions. [ENG-5038]
• Hid system messages for all byt domain admins. [ENG-5279]
• Included ‘API keys’ and ‘Last Api use’ columns in Users and Domain Admins download. [ENG-5015]
• Users are now redirected to the add cloud workflow if they currently have no clouds added. [ENG-819]

New Resource (20.5.2)

• We’ve added a new resource type “Network Address Group”, which provides visibility into defined network address prefixes. This new resource type maps to Azure’s IP Group and AWS’ Managed Prefix List. New permissions are required: “Microsoft.Network/ipGroups/read” for Azure, and “ec2:DescribeManagedPrefixLists” and “ec2:GetManagedPrefixListEntries” for AWS. This new resource type can be found under the Network category on the main Resources page. [ENG-5140]

Filters (20.5.2)

AWS

• Content Delivery Network Logging to Specified Bucket - Identifies AWS CloudFront resources which are not configured with at least one origin access identity. [ENG-5230]

MULTI-CLOUD/GENERAL

• Network Address Group Customer Managed - Supports new resource type Network Address Group (IP Groups for Azure, Managed Prefix Lists for AWS). [ENG-5140]

Bug Fixes (20.5.2)

AWS

• [ENG-5231] Fixed a bug that prevented the ability to determine the job encryption value for AWS Glue Security Configurations.
• [ENG-5287] Fixed a bug that prevented AWS ALBs from being harvested

MULTI-CLOUD/GENERAL

• [ENG-5225] Fixed a typo under the Whitelabel Settings located on the System Admin page

Cloud IAM Governance (Access Explorer) - 20.5.2 Minor Release (10/15/2020)

Cloud IAM Governance Bug Fixes (20.5.2)

• [ENG-5168] Significantly improved speed in the list principals view of the IAM Access Explorer.
• [ENG-5206] Improved speed of listing unscoped resources within the IAM Analyzer.
• [ENG-5283] Improved parallel cache processing by adding timeouts to the cache build job.
• [ENG-5125] Fixed a bug where Directory Services were incorrectly persisted in the database. Divvy Software Release Notice - 20.5.3 Minor Release (10/21/2020) Minor Release 20.5.3 includes several new features and enhancements, additional filters and bug fixes. For our add-on Cloud IAM Governance  module, we have details  around two feature enhancements.

As always, contact us at support@divvycloud.com with any questions.

Features & Enhancements (20.5.3)

AWS

• Expanded AWS EDH support for SQS. [ENG-5245]
• Reworked AWS EDH for IAM roles to be more performant at enterprise scale. For AWS EDH-enabled customers, we improved our processing of IAM Roles/Groups-related changes. These changes are now directly recorded to the database without a related harvest. This directly reduces the number of calls made to the database, and hence improves performance. [ENG-5222]

MULTI-CLOUD/GENERAL

• Expanded Compliance Scorecard subscriptions to support up to ten tags. [ENG-5299]

Enhanced Actions (20.5.3)

AWS

• Expanded Bot support for the actions “Scheduled Deletion” and “Time To Live Deletion” to work with SSH Key Pairs. [ENG-5300]

Filters (20.5.3)

AWS

• Resource Specific Policy Without Organization Deny Statement - Identifies resources which do not explicitly deny access from accounts outside of defined AWS Organizations . [ENG-5012]

AZURE

• Cache Instance Not Associated With Network - Identifies Microsoft Azure Redis Cache resources which were launched without a VNET association. [ENG-5310]

MULTI-CLOUD/GENERAL

• Database/Stream/Broker Security Group Exposing Access - Reworked filter is more performant. [ENG-5344]
• Resource Trusting Unknown Account - Updated filter no longer reports when the all accounts/public permission is set. [ENG-5327]

Bug Fixes (20.5.3)

AWS

• [ENG-5323] Fixed a bug in the filter SSL Certificate Is/Is Not In Use to properly detect orphaned AWS ACM certificates.
• [ENG-5281] Hardened EDH tagging to better handle integrity errors.

GCP

• [ENG-5324] Fixed a bug with adding a GCP account: set the GCP account number to the project ID when the organization service record is created.
• [ENG-5301] Fixed a bug with IaC parsing of global encryption keys within GCP.

MULTI-CLOUD/GENERAL

• [ENG-5328] Fixed a bug in the filter Volume Without Recent Snapshot.
• [ENG-5309] Fixed a bug with the filter Cloud Resource Type Count that returned incorrect results when filtering at the cloud region level.
• [ENG-5298] Improved error handling around Bot actions.
• [ENG-5273] Reworked the resource age filters to only leverage the discovered timestamp if the creation timestamp is not set.
• [ENG-4554] Fixed a bug with scorecard view in Safari and Firefox.
• [ENG-3523] Added a new --https-mode flag to the webserver which will make cookie handling more secure when running via HTTPS. Read more about Production Deployments .
• [ENG-3516] Fixed possible information disclosures in error messages dealing with database communication.

Cloud IAM Governance (Access Explorer) - 20.5.3 Minor Release (10/21/2020)

Cloud IAM Governance Features & Enhancements (20.5.3)

• For Permission Categories, changed “Unknown” to “Unrecognized”. [ENG-5270]
• Improved the Cloud IAM Governance (Access Explorer) experience for non-admin users: Disable cache build button for Read Only Admins and Users w/o Entitlement. [ENG-5139] Divvy Software Release Notice - 20.5.4 Minor Release (10/28/2020)

Release Highlights (20.5.4)

DivvyCloud is pleased to announce Minor Release 20.5.4. This minor release includes new features and enhancements, Bot actions, and several bug fixes.

In addition, for our commercial add-on Cloud IAM Governance module , we have included details on two feature enhancements.

Features & Enhancements (20.5.4)

MULTI-CLOUD/GENERAL

• [ENG-3524] Improved handling of cookies for security to prevent certain types of cross-domain attacks.
• [ENG-3475] Added a new --reverse-proxy command for the webserver. This command can be used for running Divvycloud behind a reverse proxy such as what the Docker container uses.

Actions (20.5.4)

AWS

• Added a new Bot action, “Remove/Disassociate Instance Profile,” to disassociate an IAM role from AWS EC2 instances. [ENG-5362]

AZURE

• Added new Bot action “Update Storage Account TLS Version” that can be used to enforce a minimum TLS version for Azure Storage Accounts. [ENG-5384]

Bug Fixes (20.5.4)

AWS

• [ENG-5355] Corrected spelling in filter: AWS Access Analyzer Not Enabled In Region.

MULTI-CLOUD/GENERAL

• [ENG-5382] Fixed error messaging on query resource CSV API call.
• [ENG-5306] Fixed bug where creating an Invalid exemption via API returned 200 status.
• [ENG-5234] Modified user table export columns to reflect the correct ‘Auth Server’ and show ‘Console Access’.
• [ENG-4546] Fixed click-target overlay in BotFactory navigation.
• [ENG-5425] Modification hookpoints are now fired when the permissions are modified for private images and database snapshots.
• [ENG-5378] IAC false alarm: Fixed an infrastructure-as-code bug that prevented ALB/NLB listeners from being evaluated. Cloud IAM Governance (Access Explorer) - 20.5.4 Minor Release (10/28/2020)

Cloud IAM Governance Features & Enhancements (20.5.4)

• Added SCPs to the Effective Access page for IAM. (Previously, these were being included in the access calculations but were not displayed.) [ENG-5276]
• Added ability to filter a principal’s entities by permission type (read, write, list, etc.) in the Cloud IAM Governance Module (Access Explorer). [ENG-4590]