Latest 21.5 Release

Release Highlights (21.5.2)

InsightCloudSec is pleased to announce Minor Release 21.5.2. This minor release includes updates to resource support, and numerous new and enhanced filters - we now have nearly 1400 total. The release also includes enhanced Bot actions for Azure, and the usual handful of bug fixes.

In addition, for our add-on Cloud IAM Governance  module, we have details around two feature enhancements and one bug fix.

Skip ahead  to review all details for the general release, as well as details for Cloud IAM Governance. As always, contact us at support-insightcloudsec@rapid7.com with any questions.

InsightCloudSec Software Release Notice - 21.5.0 Major Release (07/21/2021)

Release Highlights (21.5.0)

Major Release 21.5.0 release includes support for services across several Cloud Service Providers: AWS Macie; Azure Batch Account and Batch Pool; and GCP Container Registry, Container Images, VPN Tunnels, VPN Gateways, Identity Platform Provider, and Logs Storage. We have also implemented new and enhanced query filters to support these new resources. This release includes 14 new insights (2 for AWS, 2 for GCP, and 10 for Azure), additional enhancements and improvements, and a handful of bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.5.0)

MORE ON NEW AWS PERMISSIONS

• “macie2:GetFindings”, “macie2:ListFindings”, and “macie2:GetMacieSession” support AWS Macie findings. [ENG-7466]

MORE ON NEW AZURE PERMISSIONS

• “Microsoft.Batch/batchAccounts/read” and “Microsoft.Batch/batchAccounts/pools/read” are needed for the added support for Azure Batch Environment and Azure Batch Pool. [ENG-8923, ENG-8924]

MORE ON NEW GCP PERMISSIONS

• “cloudasset.assets.listResource” and “containeranalysis.occurrences.list”, which can be added by enabling “Cloud Asset API” and “Container Analysis API”, support the added GCP resources Container Registry and Container Images. [ENG-6574, ENG-6575]
• “compute.vpnTunnels.list” and “compute.targetVpnGateways.list” support added visibility into GCP VPN Tunnels and GCP VPN Gateways. [ENG-8911]
• “identitytoolkit.defaultSupportedIdpConfigs.list”, “identitytoolkit.inboundSamlConfigs.list”, and “identitytoolkit.oauthIdpConfigs.list” support added visibility into GCP Identity Platform Provider. [ENG-8912]
• “Logging.buckets.list” adds support for GCP Logging configurations. [ENG-8915]

User Interface Changes (21.5.0)

• Reworked the Resources page to use tabs for the resource categories instead of buttons. Added a new look and feel to the list of Resources when a filter is enabled. Sets active state to the category tab associated with the first resource group when adding a filter and when selecting a filter-supported chip. [ENG-8689, ENG-8690]

Features & Enhancements (21.5.0)

ALIBABA

• Improved detection of invalid credentials for Alibaba Clouds. [ENG-9063]

AWS

• Added support for harvesting AWS Macie findings. You can find AWS GuardDuty/Macie under the “Threat Findings” resource of the Identity & Management tab of the Resources main page. We’ve added 2 new filters to support this resource: Storage Container Exhibiting Suspicious Behaviour (AWS) and Cloud Account without Macie Enabled. Three new permissions are also required: “macie2:GetFindings”, “macie2:ListFindings”, and “macie2:GetMacieSession”. [ENG-7466]
• Expanded visibility into AWS Carrier IP and Bring Your Own IP (BYOIP) addresses. [ENG-9039]
• Added visibility into secondary public/private IP addresses within the Instances view and included a new filter to search them: Instance Public/Private IP Search. [ENG-8910]
• Added filter Resource Specific Policy Resource Search (AWS) to allow customers to inspect the resource property of policies attached directly to resources like S3, KMS, and SNS. The filter is flexible in that it allows some wildcard searches in addition to exact matches. It also provides an exclusion option to return resources with policies not matching the search conditions. [ENG-8447]

AZURE

• Added support for Azure Batch Account and Azure Batch Pool. These two resources can be found as two new resource types, both under the Compute category: ’Batch Environment’ and ‘Batch Pool’. Added 5 new query filters: Batch Environment Publicly Accessible (Azure), Batch Environment Using Encryption Type (Azure), Batch Pool Autoscaling Configuration (Azure), Batch Pool Inter Node Communication (Azure), and Batch Pool Instance Size (Azure). Updated tag filters to support the new resource types. New permissions required: “Microsoft.Batch/batchAccounts/read” and “Microsoft.Batch/batchAccounts/pools/read”. [ENG-8923, ENG-8924]
• Added harvesting support for custom domains configuration and SSL configuration for Azure App Services. Added new filter Web App Insecure Custom Domain Configuration (Microsoft Azure), which lets the user filter based on the new harvested configuration. [ENG-8973]

GCP

• Added support for GCP for Container Registry and Container Images (using Cloud Asset Inventory). These new resources are found under the Container category of the Resources page as the normalized resources ‘Container Registry’ and ‘Container Image’ respectively. Two new permissions are required: “cloudasset.assets.listResource” and “containeranalysis.occurrences.list”. These permissions can be added by enabling “Cloud Asset API” and “Container Analysis API”. The following filters were expanded to support GCP: Container Image Vulnerability Search, Container Image Vulnerability Severity Search, Container Image Push/Upload Date, Container Image Tag Search, and Container Image Finding Count. [ENG-6574, ENG-6575]

• Expanded GCP support, adding visibility into GCP VPN Tunnels and GCP VPN Gateways. These resources will be found in the Network category as Site-to-Site VPN and Virtual Private Gateway respectively. New permissions are required: “compute.vpnTunnels.list” and “compute.targetVpnGateways.list”. [ENG-8911]
• Added visibility into GCP Identity Platform Provider. This new resource will be under the Identity & Management category as the resource type Identity Providers. Expanded the filter Cloud Account Not Leveraging Identity Provider to include support for GCP. New permissions required are: “identitytoolkit.defaultSupportedIdpConfigs.list”, “identitytoolkit.inboundSamlConfigs.list”, and “identitytoolkit.oauthIdpConfigs.list”. [ENG-8912]
• Added visibility into GCP Logging configurations, Logs Storage. This resource will be found under the Identity & Management category as API Accounting Config. Added 2 new filters— API Accounting Retention Policy Threshold (GCP) and API Accounting Lock Setting (GCP)—and updated an existing filter API Accounting Is/Is Not Multi-Region (was API Accounting Is/Is Not Multi-Region (AWS)) to support this new resource. A new permission is required: “logging.buckets.list”. [ENG-8915]
• Expanded support for GCP Notebook Instance states; we now include corrupt/deleted states. [ENG-9044]
• Expanded GCP support by enhancing the query filter Cloud User Has Attached Policies to specify custom vs. managed policies. [ENG-8914]
• Expanded GCP support, adding visibility into GCP Service Account status (enabled vs disabled). [ENG-8913]

MULTI-CLOUD/GENERAL

• Added the ability to filter on a specific cloud when viewing activity logs. [ENG-8931]

Infrastructure-as-Code (IaC) New Support (21.5.0)

AZURE

• Added IaC support for Azure Log Analytics Workspace, no new permissions required. [ENG-7111]

MULTI-CLOUD/GENERAL

• Users can now favorite IaC Configurations. [ENG-7680]

Resources (21.5.0)

AWS

• Added support for harvesting AWS Macie findings. You can find AWS GuardDuty/Macie under the “Threat Findings” resource of the Identity & Management tab of the Resources main page. We’ve added 2 new filters to support this resource: **Storage Container Exhibiting Suspicious Behaviour (AWS) **and Cloud Account without Macie Enabled. Three new permissions are also required: “macie2:GetFindings”, “macie2:ListFindings”, and “macie2:GetMacieSession”. [ENG-7466]

AZURE

• Added support for Azure Batch Account and Azure Batch Pool. These two resources can be found as two new resource types, both under the Compute category: ’Batch Environment’ and ‘Batch Pool’. Added 5 new query filters: Batch Environment Publicly Accessible (Azure), Batch Environment Using Encryption Type (Azure), Batch Pool Autoscaling Configuration (Azure), Batch Pool Inter Node Communication (Azure), and Batch Pool Instance Size (Azure). Updated tag filters to support the new resource types. New permissions required: “Microsoft.Batch/batchAccounts/read” and “Microsoft.Batch/batchAccounts/pools/read”. [ENG-8923, ENG-8924]

GCP

• Added support for GCP for Container Registry and Container Images (using Cloud Asset Inventory). These new resources are found under the Container category of the Resources page as the normalized resources ‘Container Registry’ and ‘Container Image’ respectively. Two new permissions are required: “cloudasset.assets.listResource” and “containeranalysis.occurrences.list”. These permissions can be added by enabling “Cloud Asset API” and “Container Analysis API”. The following filters were expanded to support GCP: Container Image Vulnerability Search, Container Image Vulnerability Severity Search, Container Image Push/Upload Date, Container Image Tag Search, and Container Image Finding Count. [ENG-6574, ENG-6575]
• Added visibility into GCP VPN Tunnels and GCP VPN Gateways. These resources will be found in the Network category as Site-to-Site VPN and Virtual Private Gateway respectively. New permissions are required: “compute.vpnTunnels.list” and “compute.targetVpnGateways.list”. [ENG-8911]
• Added visibility into GCP Identity Platform Provider. This new resource will be under the Identity & Management category as the resource type Identity Providers. Expanded the filter Cloud Account Not Leveraging Identity Provider to include support for GCP. New permissions required are: “identitytoolkit.defaultSupportedIdpConfigs.list”, “identitytoolkit.inboundSamlConfigs.list”, and “identitytoolkit.oauthIdpConfigs.list”. [ENG-8912]
• Added visibility into GCP Logging configurations, Logs Storage. This resource will be found under the Identity & Management category as API Accounting Config. Added 2 new filters— API Accounting Retention Policy Threshold (GCP) and API Accounting Lock Setting (GCP)—and updated an existing filter API Accounting Is/Is Not Multi-Region (was API Accounting Is/Is Not Multi-Region (AWS)) to support this new resource. A new permission is required: “logging.buckets.list”. [ENG-8915]

Actions (21.5.0)

MULTI-CLOUD/GENERAL

• Updated the configuration of the “Lock Down Storage Container” action to filter on a single IP range and added a new boolean option Block that will block said IP range. [ENG-4642]
• “Publish to AWS CloudWatch Logs” - This action was added to allow the user to specify the account to which logs should be sent. We suggest using this new action. Note that the old action of the same name has been deprecated, “Publish to AWS CloudWatch Logs (DEPRECATED)”. [ENG-8752, ENG-8292]

Insights (21.5.0)

AWS

• **API Accounting Target Storage Container Without MFA Delete Protection (AWS) **- Identifies API accounting configurations where the target storage container, e.g., AWS S3 Bucket, does not support MFA delete on objects.
• Storage Container With MFA Delete Disabled (AWS) - Matches storage containers that do not have MFA Delete enabled.

AZURE

• Azure Datafactory supports Public Access (Azure) - Matches datastores that allow public network access over the Internet. *** Databricks Workspace Not Using Provider Managed Encryption (Azure) **- Matches Databricks Workspaces that are encrypted at rest with provider managed encryption keys.
• Data Factory Using Provider Managed Encryption (Azure) - Matches Data Factory resources that are encrypted at rest with provider managed encryption keys.
• Global Load Balancer With Health Probes enabled (Azure) - Identifies global load balancers without health probes enabled on all frontend endpoints.
• Global Load Balancer Without Routing Rule Accepted Protocol Set To HTTPS (Azure) - Identifies global load balancers without routing rule accepted protocols set to HTTPS.
• Global Load Balancer Without Routing Rule Forwarding Protocol Set To HTTPS (Azure) - Identifies global load balancers without routing rule forwarding protocols set to HTTPS.
• **Global Load Balancer Without Session Affinity Enabled (Azure) **- Identifies global load balancers without session affinity enabled on all frontend endpoints.
• Global Load Balancer Without Web Application Firewall Protection (Azure) - Identifies global load balancers without web application firewalls enabled.
• Instance Without JIT Access Control Enabled (Azure) - Matches instances without Just-in-Time access control enabled.
• Instance Management Ports Not Protected Using JIT Access Control (Azure) - Matches instances not controlling access to management ports (22, 3389, 5985, 5986) using Just-in-Time network access control.

GCP

• Load Balancer Without Cloud Armor Policy (GCP) - Identifies cloud accounts that have Defender disabled for the selected resources.
• Web Application Firewall With Allow Default Rule Policy (GCP) - Matches web application firewalls that have a default allow rule policy.

Query Filters (21.5.0)

AWS

• Cloud Account without Macie Enabled - New filter supports harvesting of AWS Macie findings. [ENG-7466]
• Instance Public/Private IP Search - New filter supports added visibility into secondary public/private IP addresses within the Instances view. [ENG-8910]
• Resource Specific Policy Resource Search (AWS) - New filter allows customers to inspect the resource property of policies attached directly to resources like S3, KMS, and SNS. The filter is flexible in that it allows some wildcard searches in addition to exact matches. It also provides an exclusion option to return resources with policies not matching the search conditions. [ENG-8447]
• Storage Container Exhibiting Suspicious Behaviour (AWS) - New filter supports harvesting of AWS Macie findings. [ENG-7466]

AZURE

• The following filters support the new Azure Batch resources, Batch Account and Batch Pool [ENG-8923, ENG-8924]:
  • Batch Environment Publicly Accessible (Azure)
  • Batch Environment Using Encryption Type (Azure)
  • Batch Pool Autoscaling Configuration (Azure)
  • Batch Pool Inter Node Communication (Azure)
  • Batch Pool Instance Size (Azure)
• Web App Insecure Custom Domain Configuration (Microsoft Azure) - New filter allows the user to filter based on the new harvested configuration. [ENG-8973]

GCP

• The following filters support visibility into GCP Logs Storage [ENG-8915]:
  • API Accounting Retention Policy Threshold (GCP)
  • API Accounting Lock Setting (GCP)
  • API Accounting Is/Is Not Multi-Region - this filter, formerly API Accounting Is/Is Not Multi-Region (AWS), was updated to support GCP
• **Cloud Account Not Leveraging Identity Provider **- This filter, previously named Cloud Account Not Leveraging Identity Provider (AWS), was expanded to support GCP Identity Platform Provider. [ENG-8912]
• Cloud User Has Attached Policies - Expanded the filter to allow specifying custom vs managed policies. [ENG-8914]
• The following filters were expanded to support addition of GCP Container Registry and Container Image [ENG-6574, ENG-6575]:
  • Container Image Finding Count
  • Container Image Push/Upload Date
  • Container Image Tag Search
  • Container Image Vulnerability Search
  • Container Image Vulnerability Severity Search

Bug Fixes (21.5.0)

AWS

• [ENG-9067] Fixed a bug that prevented event driven harvesting (EDH) from working on AWS GovCloud accounts which were not associated with an AWS Organization.
• [ENG-8752, ENG-8292] Fixed an error involving inability to identify organization service ID for Publish CW Logs action. Marked “divvy.action.publish_to_aws_cloudwatch_logs” as deprecated and created new action “divvy.action.publish_to_aws_cloudwatch_logs_updated” to specifically ask for which account you want to send the log to.

MULTI-CLOUD/GENERAL

• [ENG-9084, ENG-9071] Fixed a bug to prevent the user interface from breaking on refresh.
• [ENG-9040] Fixed a bug that prevented filters that support all resource types from working on the Threat Finding Resource asset type.
• [ENG-9038] Fixed a bug that would prevent routes from being saved if they were associated with a prefix list. Cloud IAM Governance (Access Explorer) Updates - 21.5.0 Major Release (07/21/2021)

Cloud IAM Governance Bug Fixes (21.5.0)

• [ENG-8862] Fixed a programming error encountered when a service control policy contains a NotAction element. We do not yet support NotAction in Service Control Policies (SCPs).
• [ENG-8801] Fixed a bug where SCPs could show up twice on the Effective Access page if the same account was harvested twice. InsightCloudSec Software Release Notice - 21.5.1 Minor Release (07/28/2021) Minor Release 21.5.1 includes a number of query filter enhancements for AWS, support for GCP Notebook Instances that are in a corrupt/deleted state, and the ability to download Exemptions in CSV format. As usual, this release also includes a number of bug fixes. As always, contact us at support-insightcloudsec@rapid7.com with any questions.

Features & Enhancements (21.5.1)

AWS

• Enhanced the filter Route Table Set As Main to identify AWS Route Tables that are not currently set as the main/primary route table. [ENG-9137]
• Updated the filter Content Delivery Network With Specified Security Policy (AWS) to include TLSv1.2_2021, the latest security policy added by AWS earlier this year. [ENG-9128]
• Expanded the filter **Database/Big Data Instance Manual Backup Age **to work with database clusters such as AWS Aurora. [ENG-9138]

GCP

• Added support for GCP Notebook Instances that are in a corrupt/deleted state. [ENG-9044]

MULTI-CLOUD/OTHER

• Added ability to download Exemptions in CSV format. [ENG-6888]

Query Filters (21.5.1)

AWS

• **Content Delivery Network With Specified Security Policy (AWS) **- Updated this filter to include TLSv1.2_2021, the latest security policy added by AWS earlier this year. [ENG-9128]
• **Database/Big Data Instance Manual Backup Age **- Expanded this filter to work with database clusters such as AWS Aurora. [ENG-9138]
• **Route Table Set As Main **- Enhanced filter to identify AWS Route Tables that are not currently set as the main/primary route table. [ENG-9137]

Bug Fixes (21.5.1)

ALIBABA

• [ENG-9083] Fixed an error involving our exception handling for Alibaba Cloud harvesting to handle a secondary location where we’re observing status codes.

MULTI-CLOUD/GENERAL

• [ENG-9229] Fixed a bug with Infrastructure-as-Code involving Security Group Open to World incorrectly failing.
• [ENG-9041] Fixed issue on the scheduler where we were failing to set the source as strategy.
• [ENG-9040] Fixed a bug that prevented filters that support all resource types from working on the Threat Finding Resource asset type.

Cloud IAM Governance (Access Explorer) Updates - 21.5.1 Minor Release (07/28/2021)

Cloud IAM Governance Features & Enhancements (21.5.1)

• Wildcard actions in Service Control Policies (SCPs) can now be properly resolved with wildcard actions in identity policies. We can now establish full support for conditional operators and context keys, independent of one another. [ENG-9176]
  • The following conditional operators are now fully supported in combination with all supported context keys:
    • ‘StringEquals’,
    • ‘ForAnyValue:StringEquals’,
    • ‘StringEqualsIgnoreCase’,
    • ‘StringLike’,
    • ‘StringNotEquals’,
    • ‘StringNotEqualsIgnoreCase’,
    • ‘ForAnyValue:StringNotEquals’,
    • ‘ForAnyValue:StringNotLike’,
    • ‘StringNotLike’
  • The following context keys are now supported in combination with any of the above conditional operators:
    • ‘aws:PrincipalTag’,
    • ‘aws:RequestedRegion’,
    • ‘aws:PrincipalAccount’,
    • ‘aws:PrincipalArn’,
    • ‘aws:PrincipalOrgPaths’
    • Improved error handling when parsing ARN’s. [ENG-9073]
• Updated underlying metadata to support the latest actions listed on AWS documentation (474 new actions). [ENG-9073]
• Additional enhancements [ENG-8935]:
  • Wildcard action’s hierarchy support for SCPs
  • Compressed Action Map into shorter string; this reduces memory usage in Redis, which can lead to cost savings
  • Better error handling for NotActions in SCPs

Cloud IAM Governance Bug Fixes (21.5.1)

• [ENG-9073] Fixed bug with unsupported principals. InsightCloudSec Software Release Notice - 21.5.2 Minor Release (08/04/2021) Minor Release 21.5.2 includes updates to resource support, numerous new and enhanced filters - we now have nearly 1400 total. The release also includes enhanced Bot actions for Azure, and the usual handful of bug fixes. As always, contact us at support-insightcloudsec@rapid7.com with any questions.

User Interface Changes (21.5.2)

• Updated Azure logo for all Microsoft Azure accounts. [ENG-9090]

Resources (21.5.2)

AWS

• Added visibility into the IP address type for AWS load balancers as well as the trusted signers associated with AWS CloudFront distributions. [ENG-9288]
• Added tag visibility and lifecycle support for AWS ECS Container Instances. [ENG-9217]
• Improved the way that the inactive API key count is calculated for the AWS root user. [ENG-9135]

AZURE

• Added the tenant ID to the list of available resource properties when viewing Cloud Accounts in the Resources interface as well as a new filter: Cloud Account Is Linked To Unapproved Tenant (Azure). [ENG-9219]
• Added visibility into the soft delete retention policy of Azure Blob Storage Containers. [ENG-9132]

Query Filters (21.5.2)

AWS

• Autoscaling Launch Configuration Using Image Older Than Threshold (AWS) - New filter checks the age of an Autoscaling Launch Config’s private image. [ENG-7223]
• **Content Delivery Network With Specified Security Policy **- Enhanced filter now supports the latest security policy from AWS (TLSv1.2_2021). [ENG-9031]
• Message Queue Encryption Transit Encryption Enforcement - New filter identifies AWS SQS queues that do not enforce transit encryption. [ENG-9145]
• Resource Is Not Encrypted - Expanded filter support to work with AWS Lambda Functions. [ENG-9284]
• **Storage Container Used As CDN Origin **- Expanded filter supports Not In which will identify AWS S3 buckets that are not used as a CDN Origin. [ENG-9281]

AZURE

• Cloud Account Is Linked To Unapproved Tenant (Azure) - New filter supports enhancement adding the tenant ID to the list of available resource properties when viewing Cloud Accounts in the Resources interface. [ENG-9219]
• Changed multiple filter names from ... (Microsoft Azure) to ... (Azure). [ENG-9133]

MULTI-CLOUD/GENERAL **Application Gateway With Firewall Protection **- Expanded the filter to work at the API Gateway Stage level. [ENG-9282] Application Gateway/Stage Without Firewall Protection - Expanded the filter to work at the API Gateway Stage level. [ENG-9282] **Network With/Without Network Interface **- New filter identifies networks with/without attached network interfaces. [ENG-8400]

Bot Actions (21.5.2)

AZURE

• “Scheduled Deletion” - Bot action expanded to work with Azure Databases. [ENG-9285]
• “Start Database Instance” - Bot action expanded to work with Microsoft Azure. [ENG-9283]
• “Stop Database Instance” - Bot action expanded to work with Microsoft Azure. [ENG-9283]

Bug Fixes (21.5.2)

AWS

• [ENG-9236] Fixed an issue with S3 “block public access” to ensure that the enabled block settings are additive.

AZURE

• [ENG-9266] Fixed an issue where Azure Batch Pools without a network configuration would cause harvesting to fail.

GENERAL

• [ENG-9316] Fixed a bug with Insight Exemptions not working with IaC scans.
• [ENG-9290] Fixed visibility for the filter Database/Big Data/Broker/Stream Security Group Exposing Access to now capture security groups having a rule with all ports/protocols in use. This enhancement may result in additional findings for Insights using this filter.
• [ENG-9260] Fixed a Bot looping issue with the Bot action “Set Public Access Block Settings” at the storage container level.
• [ENG-8987] Fixed an issue involving display of the Clear Search box under “Administration -> System Administration -> Logs”.
• [ENG-8804] Fixed a minor bug involving column sorting in “Scheduled Events -> Events History”.

Cloud IAM Governance (Access Explorer) Updates - 21.5.2 Minor Release (08/04/2021)

Cloud IAM Governance Features & Enhancements (21.5.2)

• Added a “finalizing” step to the IAM Cache Build to account for time spent building the indexes after all the computation is complete. [ENG-7471]
• Added a notification if the required permission for AWS Organizations harvesting, “organizations:ListPolicies”, is missing. [ENG-6772]

Cloud IAM Governance Bug Fixes (21.5.2)

• [ENG-8894] Fixed a bug involving orphaned overlays on timeout.