Latest 20.6 Release

Release Highlights (20.6.3) 03 December 2020

DivvyCloud is pleased to announce Minor Release 20.6.3. This minor release includes added visibility into AWS Service Control Policy Documents, the ability to identify Azure storage container logging and impaired visibility, as well as several bug fixes.

Skip ahead to review details  for the general release. As always, contact us at support@divvycloud.com with any questions.

Divvy Software Release Notice - 20.6 Major Release (11/05/2020) Major Release 20.6 includes support for Azure Resource Locking, deprecation of outdated Insights, some new and enhanced filters, and several bug fixes. In addition, this release includes two enhancements for our add-on Cloud IAM Governance  module.

New Permission Required (20.6)

MORE ON PERMISSIONS: AZURE This permission is now required to support the added visibility and lifecycle action to lock/unlock Azure resources, as well as identify resources which have a lock using the new filter Resource Has Azure Lock. You can find additional information on our support of Azure Resource Locking here . [ENG-5277]

Features & Enhancements (20.6)

INSIGHT DEPRECATION [ENG-5499] In an effort to remove duplicate Insights, we have made the following changes (note the correct name for the Insights that will be maintained in the table below on the right):

In addition, the following Insights will also be deprecated:

• As security center contacts no longer support adding a phone number, the following Insight will also be deprecated: Cloud Account Security Center Setting ‘Security Contact Phone Number’ Not Set
• The following Insight is built on a check that is no longer supported in Security center, so it will also be deprecated: Security Center JIT Network Access Recommendation Is Off

AWS

• Expanded AWS EDH support to cover private images. [ENG-5426]

AZURE

• Added the ability to execute stop/start lifecycle commands on Azure Kubernetes Service (AKS) managed clusters using Bots. [ENG-5447
• Added visibility and lifecycle action to lock/unlock Azure resources as well as identify resources which have a lock using the new filter Resource Has Azure Lock. A new permission, “Microsoft.Authorization/locks/read“, is required. You can find additional information on our support of Azure Resource Locking here . [ENG-5277]

GCP

• Improved divvy logging for when a GCP API is disabled. [ENG-5448]

MULTI-CLOUD/GENERAL

• Added a new filter, Network IP Address In Use, that allows users to supply a list of IP addresses and determine where they are in use across instances, network interfaces, elastic IPs and NAT gateway resources. [ENG-5445]
• Added an option to the filter Instance Running Image Shared From Another Account to only include images where the owner is unknown to the DivvyCloud installation. [ENG-5467]
• Included the configured filters in the Bot Overview screen. When viewing the Bot overview, the filters are now included along with the actions. [ENG-5466]
• Added tooltips to the Botfactory category icons. [ENG-5446]
• Added a new option to the Bot action “Scheduled Deletion” to skip final backup/snapshot creation as a part of the delete operation. [ENG-5443]

Actions (20.6)

AZURE

• Added visibility and lifecycle action to lock/unlock Azure resources as well as identify resources which have a lock using the new filter Resource Has Azure Lock. [ENG-5277]

MULTI-CLOUD/GENERAL

• Added a new option to the Bot action “Scheduled Deletion” to skip final backup/snapshot creation as a part of the delete operation. [ENG-5443]

Filters (20.6)

AZURE

• Resource Has Azure Lock - New filter identifies Azure resources which have a lock. [ENG-5277]

MULTI-CLOUD/GENERAL

• Instance Running Image Shared From Another Account - Added an option to this filter to only include images where the owner is unknown to the DivvyCloud installation. [ENG-5467]
• Network IP Address In Use - Allows users to supply a list of IP addresses and determine where they are in use across instances, network interfaces, elastic IPs and NAT gateway resources. [ENG-5445]
• Resource In Subnet - This filter was expanded to take all subnet dependencies of a web application into consideration. [ENG-5444]

Bug Fixes (20.6)

AWS

• [ENG-3496] Fixed worker role names that are not showing up in the System admin view when running on ECS using Task Roles.
• [ENG-4059] Fixed a bug that prevented the filter MapReduce Cluster Without Properly Configured Security Config from showing encryption w/CMK.

GCP

• [ENG-5487] Fixed an IaC bug that prevented the rotation period from being properly parsed for Google KMS keys.

MULTI-CLOUD/GENERAL

• [ENG-5450] Added the VPC network to the list of properties displayed in the resources view when viewing subnets.
• [ENG-5343] Fixed a bug that prevented dependencies from being viewed for cloud-managed policies.
• [ENG-5040] Improved visibility of tooltips on the Scorecard heatmap.
• [ENG-5021] Fixed a bug where only the oldest scorecard export was being processed when there are multiple.
• [ENG-4672] Fixed: BotFactory, “Send blank email” in send bulk email action was sending the recipient email instead of a “no resources found” message.

Cloud IAM Governance (Access Explorer) Updates - 20.6 Major Release (11/05/2020)

Cloud IAM Governance Features & Enhancements (20.6)

• Added the ability to filter IAM Access Explorer principals by a role to see which federated users can assume this role. [ENG-5264]
• Added persistence to selected tab in browser URL for bookmarking, link-sharing, and persistence while navigating Access Explorer. [ENG-5272] Divvy Software Release Notice - 20.6.1 Minor Release (11/12/2020) Minor Release 20.6.1 includes support for a new Azure resource (Azure Defender), a change to the AWS default harvesting strategy, multiple new features and enhancements to improve usability, one new Azure permission, as well as several more filters and bug fixes.

As always, contact us at support@divvycloud.com with any questions.

New Permissions Required (20.6.1)

MORE ABOUT THE NEW PERMISSION: This new permission is needed for the added support for Azure Defender alerts to Threat Detection resources. [ENG-4693]

Features & Enhancements (20.6.1)

AWS: Harvesting Strategy With this release, we have updated the default AWS harvesting strategy by changing the frequency of harvesting for many AWS resources. These changes will have no effect for customers using custom harvesting strategies nor for customers using event-driven harvesting.

We have reduced the maximum frequency of harvests for resources to twice per hour for compute-related resources or once per hour. With the introduction of event-driven harvesting, which provides near real-time updates based upon AWS events, there is no longer a need to harvest AWS resources as frequently as before by default. Plus, with the continued introduction of new AWS services and new AWS regions, the number of default harvest jobs has been multiplying. To accommodate this inevitable growth, we may update the default harvesting strategy again in the future.

As stated, these changes have no effect for customers using custom harvesting strategies nor for customers using event-driven harvesting. If you have any questions related to these changes, please contact customer support (support@divvycloud.com).[ENG-5534]

AWS: Other

• AWS EDH producers can now only be set up in regions which are configured at the consumer level. [ENG-5542]
• EDH Introduced two new options when adding or editing a producer in EDH: Automatically provision IAM resources, and Automatically provision Cloudwatch resources. Customers that prefer manual producer setup should alter their settings accordingly. [ENG-5340]
• Enabled the Threat Findings tab for all resources supported by AWS GuardDuty [ENG-5150]

AZURE

• Added support for Azure Defender alerts to Threat Detection resources Identity & Management category). Needs new permission for Azure: “Microsoft.Security/alerts/read”. Also enhanced Filters: Threat Finding Count Exceeds and Threat Finding Last Seen Date Threshold. [ENG-4693]

MULTI-CLOUD/GENERAL

• Added a new webserver flag (“—cors-mode”) to enable Cross-Origin Resource Sharing (CORS) support. WARNING: This change disables Cross-Origin Resource Sharing (CORS) support by DEFAULT. ANY FUNCTIONALITY that relies on CORS will break without use of the new flag. [ENG-3519]
• Added a new button to the System Administration page to flush the Redis cache. [ENG-5522]
• Health check notifications now account for NTP time drift of more than 60s. Time drift is an important component to validate as excess drift can result in the inability to harvest from cloud service providers. [ENG-5389]
• Administrators can now change the default harvest strategy for each cloud type. [ENG-5581]
• Added the ability to download the list of impacted users as a .CSV file when the server is getting deleted. [ENG-4342]
• Added the ability to include an optional category when using the get_last_event() method in Bot instruction sets. Read more here . [ENG-5498]
• On Exemptions, you can now view up to 200 results in a single page of results. [ENG-5179]
• Updated to use newer Insight cache implementation by default, which should help improve performance. [ENG-5404]
• Updated the resource type dropdown in the Filters/Insights sections of the tool to support searching by the cloud native asset type. [ENG-4782]

Resources (20.6.1)

We’ve added support for Azure Defender alerts to Threat Detection resources. A new permission for Azure is required: “Microsoft.Security/alerts/read”. Two enhanced filters also support this new resources: Threat Finding Count Exceeds and Threat Finding Last Seen Date Threshold. Azure Defender can be found under Threat Detection type resources under the Identity & Management category on the main Resources page of the tool. [ENG-4693]

Filters (20.6.1)

AZURE

• Threat Finding Count Exceeds - Enhanced filter adds support for Azure Defender alerts to Threat Detection resources. [ENG-4693]
• Threat Finding Last Seen Date Threshold - Enhanced filter adds support for Azure Defender alerts to Threat Detection resources. [ENG-4693]

MULTI-CLOUD/GENERAL

• Database Instance Engine was renamed to Database Instance/Cluster Engine and expanded it to work with database clusters. [ENG-5571]
• Resource Age At Most - New filter identifies resources that do not exceed a specific threshold. [ENG-5482]
• Resource Is In Network - Modified filter returns resources within any network when no values are provided. [ENG-5482]
• Storage Container Exposing Specific Permissions - This filter was expanded to allow customers to filter exclusively for access from all authenticate users. [ENG-5576]

Bug Fixes (20.6.1)

AWS

• [ENG-5590] Fixed some false negatives from filter Instance Uses Simple Networking (EC2 Classic).
• [ENG-5357] Fixed a bug that prevented AWS Lambda functions from being auto tagged with the Bot action “Assign Owner Tag”.
• [ENG-5340] Fixed a ‘CreatePolicyVersion’ error happening on manually configured Producer accounts.

GCP

• [ENG-5519] Fixed filter issue that prevented GCP from being included in the incomplete permission scanning job.

MULTI-CLOUD/GENERAL

• [ENG-5525] Fixed an issue with loading remote plugin that isn’t hosted by GitHub or BitBucket.
• [ENG-4342] Fixed: when an auth server is deleted, dependent users are now cleanly severed; the user authentication will be reset to local and their passwords will need to be reset.

Cloud IAM Governance (Access Explorer) Updates - 20.6.1 Minor Release (11/12/2020)

Cloud IAM Governance Features & Enhancements (20.6.1)

• Included additional Exports for the resources within the Effective Access page (Cloud IAM Governance Module required). [ENG-5390]
• Added resources counts to the Applications page in the IAM Access Explorer. These counts are based on the current application group. [ENG-5268]
• Users can now filter principals by roles that are able to be assumed by a Federated User. [ENG-5263] Divvy Software Release Notice - 20.6.2 Minor Release (11/19/2020) Minor Release 20.6.2 includes feature enhancements around EDH for AWS, added visibility into Google Cloud Platform, five new or enhanced filters, and several bug fixes.

In addition, for our add-on Cloud IAM Governance module , we have details around one feature enhancement and one bug fix.

As always, contact us at support@divvycloud.com with any questions.

Features & Enhancements (20.6.2)

AWS

• An encryption key name/alias can be associated with AWS EDH Consumers. This enables the queue to be set up with Server Side Encryption (SSE). [ENG-5582]
• Expanded AWS EDH support to work with AWS MQ Broker Instances. [ENG-5574]
• Expanded the Bot action “Modify Database Attribute” to work with AWS Redshift so that the publicly accessible and enhanced VPC routing actions can be updated. [ENG-5573]
• Added new Bot lifecycle actions across S3 buckets, CloudTrail, SQS, Elasticsearch, Kinesis, and CloudFront. [ENG-5652]
• Extended AWS Load Balancer support to the new Gateway Load Balancer type. [ENG-5603]
• Expanded the Bot action “Remove Snapshot Public Permission” to work with database snapshots [ENG-5572]

GCP

• Added visibility into Google Cloud Platform instances which are/are not associated with Managed Instance Groups. New Filter: Instance Associated With Managed Instance Group (GCP). [ENG-5199]
• Added the ability to execute a force delete on a GCP instance. [ENG-4108]

MULTI-CLOUD/GENERAL

• Renamed the filter Access List Rule Source Network to Access List Rule Source/Destination Network and added the ability to select between filtering at the source/destination level. [ENG-5368]
• Added a new optional separator input the Bot actions “Send Delayed Email” and “Send Bulk Email” that can be used to work around cloud services that do not allow semicolons for tag values. [ENG-5589]
• Added a new filter Resource Exposing Unauthorized Ports to identify resources which are exposing ports outside of a defined list of authorized ports (e.g., 443, 80). [ENG-5578]
• Added a new action to the Jira integration that creates a separate ticket/issue per resource finding. [ENG-5497]
• Enhanced our bot running logic to be more error tolerant within harvesters, so that one misconfigured bot can’t break other bots. [ENG-5395]
• Expanded the get_resource_dependencies() call to take in an optional list of resource types to isolate to. [ENG-5505]

Actions (20.6.2)

AWS

• Expanded the Bot action “Modify Database Attribute” to work with AWS Redshift so that the publicly accessible and enhanced VPC routing actions can be updated. [ENG-5573]
• Added new Bot lifecycle actions across S3 buckets, CloudTrail, SQS, Elasticsearch, Kinesis, and CloudFront. [ENG-5652]
• Expanded the Bot action “Remove Snapshot Public Permission” to work with database snapshots [ENG-5572]

MULTI-CLOUD/GENERAL

• Added a new action to the Jira integration that creates a separate ticket/issue per resource finding. [ENG-5497]

Filters (20.6.2)

GCP

• Instance Associated With Managed Instance Group (GCP) - Adds visibility into Google Cloud Platform instances which are/are not associated with Managed Instance Groups. [ENG-5199]

MULTI-CLOUD/GENERAL

• Access List Rule Exposes Non Web Ports - Updated this filter to accept a list of “good” ports to override the default of 80 and 443. [ENG-5396]
• Access List Exposes Non Web Ports (Security Groups) - Updated this filter to accept a list of “good” ports to override the default of 80 and 443. [ENG-5396]
• Access List Rule Source/Destination Network - This filter was renamed from Access List Rule Source Network and with added ability to select between filtering at the source/destination level. [ENG-5368]
• Resource Exposing Unauthorized Ports - Identifies resources which are exposing ports outside of a defined list of authorized ports (e.g., 443, 80). [ENG-5578]

New EDH Events/Enhancements (20.6.2)

AWS

• An encryption key name/alias can now be associated with AWS EDH Consumers. This enables the queue to be set up with Server Side Encryption (SSE). [ENG-5582]
• Expanded AWS EDH support to work with AWS MQ Broker Instances. [ENG-5574]

Bug Fixes (20.6.2)

AWS

• [ENG-5667] Added the missing lifecycle parsing for s3:PutBucketVersioning and properly links the encryption key used when S3 PutBucketEncryption is called.
• [ENG-5613] Fixed a bug with the filter Transit Gateway With An Attachment To Unknown Account that did not take all known accounts in the installation into consideration during the evaluation.
• [ENG-5711] Updated our mapping of Divvy-supported AWS resources that are also CFT-supported resources. See caution in above callout.
• [ENG-5589] - Fixed a bug related to email separator not working for AWS Organizations.
• [ENG-5577] Fixed a bug that prevented the modification timestamp from being updated for select S3 and IAM operations are processed via EDH.

MULTI-CLOUD/GENERAL

• [ENG-5650] Fixed issue where org admins were getting “SMTP not configured” error message on visiting Insight Pack Subscription Management page.
• [ENG-5597] Fixed bug that caused Create Bot API to add multiple slashes when used via the API.
• [ENG-5326] Fixed a bug where Insight ‘Container Image Not Scanned In Past 2 Days’ captured container images with a last scan within 2 days.
• [ENG-4530] Fixed a bug with the “last harvested” date for cloud resources.

Cloud IAM Governance (Access Explorer) Updates - 20.6.2 Minor Release (11/19/2020)

Cloud IAM Governance Features & Enhancements (20.6.2)

• Added a resource count indicator for Applications in Access Explorer. [ENG-5275]

Cloud IAM Governance Bug Fixes (20.6.2)

• [ENG-5600] Fixed a bug where Application Group Selector would get stuck. Divvy Software Release Notice - 20.6.3 Minor Release (12/03/2020) Minor Release 20.6.3 includes added visibility into AWS Service Control Policy Documents, the ability to identify Azure storage container logging and impaired visibility, as well as several bug fixes.

Skip ahead to review details for the general release. As always, contact us at support@divvycloud.com with any questions.

Features & Enhancements (20.6.3)

AWS

• Added visibility into AWS Service Control Policy documents. [ENG-5814]

AZURE

• Added the ability to identify Azure storage container logging and impaired visibility. [ENG-5562]

Bug Fixes (20.6.3)

AWS

• [ENG-5791] Fixed a bug that prevented harvesting of AWS Secrets that were associated with a Lambda function and did not have a rotation set.
• [ENG-5777] Fixed a bug that prevented the deletion of AWS ACM certificates outside of the us-east-1 region.
• [ENG-5762] Fixed a bug that would not properly reflect a value of zero for AWS Subnets that were completely exhausted of available IP addresses.

MULTI-CLOUD/GENERAL

• [ENG-5808] Fixes some IaC resources duplication issues.
• [ENG-5790] Fixed an edge case that prevented Insight Packs from being created while the core Insight harvesting job was in progress.