Nov 03, 2021

21.6 Release Notes

Latest 21.6 Release

Rebranding in Progress

Rebranding for DivvyCloud, now InsightCloudSec, is ongoing. Logos, URLs, text, and images may reference either InsightCloudSec or DivvyCloud.

The most important thing to note is that the product functionality has remained the same. If you have any questions or concerns reach out to support-insightcloudsec@rapid7.com.

Latest Release

Our latest minor release 21.6.11 is available for hosted customers on Wednesday, November 3, 2021. Availability for self-hosted customers is Thursday, November 4, 2021. If you’re interested in learning more about becoming a hosted customer, reach out to support-insightcloudsec@rapid7.com.

Release Highlights (21.6.11)

InsightCloudSec is pleased to announce Minor Release 21.6.11. This minor release includes significant performance improvements to the Insights Listing page around the findings view, expanded Jinja2 support to include today() and utcnow(), and expanded support for AWS ECS tasks and AWS WAF associations. In addition, this release includes three updates for Insights, four expanded query filters, three enhancements to Bot actions, and one new Bot action. 21.6.11 also provides support around four issues related to our IaC capability as well as a dozen bug fixes.

In addition, for our Cloud IAM Governance module, we have details around one feature enhancement and five bug fixes.

Skip ahead to review the new AWS permissions, details for the general release, as well as details for Cloud IAM Governance. As always, contact us at support-insightcloudsec@rapid7.com with any questions.

Lambda-Based EDH Customers

The EDH CloudTrail features we now support include EDH CloudTrail files repository additions and logging volume reduction enhancements. If you have a Lambda-based EDH consumer enabled and want to use the new EDH CloudTrail features we've added in this release, contact your CSM or support-insightcloudsec@rapid7.com.

InsightCloudSec Software Release Notice - 21.6.0 Major Release (08/11/2021)

Release Highlights (21.6.0)

Major Release 21.6.0 includes two new AWS resources (AWS App Runner and Amazon Timestream) and expanded visibility into AWS, Azure, and GCP resources. We have also expanded our Event-driven Harvesting support to include Graph API (AWS AppSync API). For the Compliance Scorecard, we’ve refreshed the user interface and user experience. This release also includes two new filters and two expanded filters, two new Bot actions, an expanded Bot action and one bug fix.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.6.0)

New Permissions Required: AWS

For AWS-Managed Standard (Read-Only) Policy: "apprunner:DescribeService", "apprunner:ListServices", "timestream:ListDatabases"

For AWS Standard (Read-Only) User Policy: "apprunner:DescribeService", "apprunner:ListServices", "timestream:ListDatabases"

For AWS Power User Policy: "apprunner:*", "timestream:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON AWS PERMISSIONS

  • "apprunner:DescribeService" and "apprunner:ListServices" support the added visibility, tag, and lifecycle support for AWS App Runner services. [ENG-9347]
  • "timestream:ListDatabases" supports the newly added Amazon Timestream resource. [ENG-9301]

Features & Enhancements (21.6.0)

  • For the export of Resources, added the ability to sort by the creation time, discovered time, and last modified time and included these columns in the CSV export. [ENG-9348]
  • Added support for Jinja2 templating on the recipient field in delayed email. Additional information can be found here. [ENG-5950]
  • The existing Compliance Scorecard subscription views can now be updated post-creation with different filters. The “Manage Subscriptions” interface has also undergone a visual refresh. The Manage Subscriptions page is now a list of all your subscriptions (instead of cards), and you can now both update the settings of an existing subscription (e.g., name, frequency, recipients, storage location) and the actual Scorecard (e.g., insight packs, filters, severities, resource types, etc.). You can then preview the updated scorecard and save it, replacing the old scorecard you had originally configured. Review the Compliance Scorecard documentation for all the details. [ENG-7520]

User Interface Changes (21.6.0)

On the Insights Library page, we removed the “Only Failed” checkbox. The “Resource Breakdown” column is also no longer sortable. The sort on the Favorites column has also been removed, though users can still select the Favorites checkbox as part of the scope of displayed Insights. These UI changes were the results of significant performance improvements made to the Insights Library. [ENG-9159]

Resources (21.6.0)

AWS

  • Added visibility into IAM/ACM SSL Certificates in AWS GovCloud. [ENG-9376]
  • Added visibility, tag, and lifecycle support for AWS App Runner services. AWS App Runner is a fully managed service that makes it easy for developers to quickly deploy containerized web applications and APIs, at scale and with no prior infrastructure experience required. This new resource can be found under the Container category as “App Run Service”. New permissions required are: "apprunner:DescribeService” and "apprunner:ListServices". [ENG-9347]
  • Added support for Amazon Timestream, a service that we model into a new resource type “Timeseries Database” in the Storage resource category. This enhancement includes visibility and tag support as well as the ability to delete the resource from within the tool as well as via Bot automation. A new permission is required: “timestream:ListDatabases“. [ENG-9301]
  • Expanded our Event-driven Harvesting support to include Graph API (AWS AppSync API). Supported events include: CreateGraphqlApi, UpdateGraphqlApi, and DeleteGraphqlApi. When those events are harvested, we will propagate the associated changes triggering notifications and bot executions as appropriate. [ENG-9310]

AZURE

  • Expanded support for direct linking to the Azure console for our Storage resources. Now, when viewing Azure storage resources, you can click on a link to the resource directly in the Azure console by accessing the resource's details. [ENG-7883]

GCP

  • Added GCP Access Lists to the "global" region; ResourceAccessListRules for GCP region set to 'global'. [ENG-9185]

Query Filters (21.6.0)

AWS

  • Resource Is Associated With Public Subnet (AWS) - Added a new filter to identify ASGs, RDS, Redshift, EC2, ELBs/ALBs, Lambda, EFS, MSK, and Elastic Beanstalk resources which are running on a public subnet. [ENG-9357]
  • Resource Specific Policy Principal/Action Search - Expanded the filter to work with AWS IAM roles. [ENG-9358]
  • Route Table Without VPC Endpoint Route Entry (AWS) - New filter identifies AWS route tables with a missing VPC Endpoint route. [ENG-9353]

MULTI-CLOUD/GENERAL

  • Resource Lifecycle State Exceeds Threshold - This is a rename of the existing filter Instance Lifecycle State Exceeds Threshold to more accurately reflect that multiple resource types are supported. In addition, we added an option to include the Deallocated lifecycle state when filtering for the Stopped lifecycle state. This option allows customers to find all stopped Azure instances, regardless of deallocation state. [ENG-9233]

Bot Actions (21.6.0)

AWS

  • “Attach/Associate Instance Profile” - New Bot action can be used to associate an IAM role with a Compute instance. [ENG-9354]
  • “Enable Data Analytics Workspace Encryption” - New Bot Action allows customers to enable and enforce encryption at rest standards in AWS Athena. [ENG-9352]
  • "Modify Volume" - This Bot Action was expanded to work with general purpose storage (gp3) and added the ability to set the throughput. [ENG-9351]

Bug Fixes (21.6.0)

  • [ENG-9473] Fixed an issue where the special handling of terraform iam_policy_document datasources was accidentally mutating the principal identifier values in the dictionary and resulting in a false positive/negative in a custom insight using the resource_policy_principal_action_search resource to look for principals with *.

Cloud IAM Governance (Access Explorer) Updates - 21.6.0 Major Release (08/11/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module.

Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.0)

  • New Columns in the Resource Page - When you are on the Resources page and choose Cloud Role or Cloud User views, you will see these 3 new columns [ENG-7803]:

    • Matching Services: this shows you the number of services that each principal has for which they have greater than a threshold quantity of actions in each service. The default threshold is at least 90% actions allowed. You can change that threshold with either of these filters: Principal has Wildcard Access to Services with Denied Actions Count Below Threshold (AWS) or Principal has Effective Access to Services with Allowed Actions Count Above Threshold (AWS).
    • Allowed Services: This is the number of Services that that Principal has any access to.
    • Allowed Actions: This is the total number of actions that the principal is granted across all services.
  • New Principal Explorer [ENG-7095] - When a user finds a Principal with a high number of Wildcard Services using the “Matching Services” column as described above, that user can then drill down and answer questions like “Which Services?” and “Which Actions?” by opening the New Principal Explorer (accessed by clicking on one of the numbers in the three new columns described above). The Principal Explorer is similar to the Principal/Resource Explorer with the difference that you are only exploring a Principal, not a Principal/Resource pair. The Principal Explorer has a Policy Stack panel on the left showing all the policies in play for this Principal and a Policy Viewer in the middle that allows searching. On the right is the complete list of Services and Actions granted to the Principal. The Services that match the threshold are indicated with a “Matching” symbol.

  • Added a tooltip to explain the counts difference between cache build logs and access explorer window. Tooltip reads, “The numbers reported below for Principals, Applications and Resources won’t necessarily match the numbers reported in Access Explorer: In Access Explorer, we include Federated Users in Principal count whereas here they are excluded; InsightCloudSec supports multi-tenancy by way of organizations. The Cache Build stats count across all organizations, whereas Access Explorer is only looking at one organization.” [ENG-9034]

  • Improved memory usage in the cache build job. [ENG-9011]

Cloud IAM Governance Bug Fixes (21.6.0)

  • [ENG-9360] Fixed handling of global services with RequestedRegion context keys and conditional operators with Not, such as StringNotLike.
  • [ENG-8843] Fixed a bug so that the Principal Explorer feature is no longer locked behind a feature flag.
  • [ENG-7660] Fixed bug in evaluating principals with permission boundaries and with NotAction in an identity policy.
  • [ENG-5934] Fixed bug in evaluating statements with multiple conditions prepended with "ForAnyValue" that contain the same context key.

InsightCloudSec Software Release Notice - 21.6.1 Minor Release (08/18/2021)

Minor Release 21.6.1 includes updates to two AWS resources and one GCP resource, a handful of new features, over half a dozen new or revised filters, and one update to our platform UI. 21.6.1 also includes some updates to Bot actions and several bug fixes. In addition, for our add-on Cloud IAM Governance module, we have details around one enhancement and one bug fix.

Features & Enhancements (21.6.1)

MULTI-CLOUD/GENERAL

  • Added the ability to set a user-friendly nickname/label for Cloud Organizations and filter clouds managed by the organization on this nickname. [ENG-9422]
  • Added an optional input that Bot authors can use to include a message body in the Bot action Send Email Summary With CSV. [ENG-9610]
  • Added a new Jinja getter for use within Bot notifications to pull the provider IDs of associated dependencies for a resource: resource.get_dependency_ids(). [ENG-9492]

User Interface Changes (21.6.1)

Removed all system-generated warning banners (e.g., “The System is in an impaired state…”) from the product to provide a better overall user experience.

Resources (21.6.1)

AWS

  • Added visibility in the Threat Finding Resource into S3 Objects that are affected by a Macie finding. Also added a direct link column to the "Impacted Resources" table in the threat finding resource. Links in this column take you to the Object/Bucket in the AWS Console. [ENG-8944]
  • Updated AWS visibility to include Osaka (ap-northeast-3) support for the following services [ENG-9495]:
    • Directory Services
    • DynamoDB Accelerators
    • AppSync
    • Data Sync
    • FSx
    • CodeBuild
    • MQ
    • Athena

GCP

  • GCP Cloud Asset Inventory calls are now used for Cloud Keys and Cloud Key Vaults, as well as for getting enabled APIs. [ENG-9294]

Cloud Asset Inventory - Mandatory Permissions

Note that the Cloud Asset API must be enabled with appropriate permissions for GCP's Cloud Asset Inventory to function properly. Reach out to your CSM or support-insightcloudsec@rapid7.com if you require any assistance in configuring this required API.

Query Filters (21.6.1)

AWS

  • Resource Specific Policy Action/Resource Search (AWS) - New query filter inspects access policies attached to resources like KMS and S3 for permitted actions like s3:PutObject or for wildcard * access. [ENG-8446]
    • Allows the user to further refine the search by examining policies with specific resources whether * or a resource ARN.
    • Optionally surfaces resources that do NOT match the provided search terms.
  • Expanded the filter Resource Specific Policy Principal/Action Search (AWS) to support deny statements. [ENG-9494]
  • Expanded the filter Cloud Account Resource Type Count to work with AWS CloudWatch Event Rules and added a new filter Cloud Event Rule With Invalid JSON Pattern to identify CloudWatch Event Rules with invalid rule patterns. [ENG-9493]

AZURE

  • New filter Database Instance Vulnerability Assessment Without Email Notifications to Admins (Azure) [ENG-8828]
  • New filter Database Instance Vulnerability Assessment Without Recurring Scans (Azure) [ENG-8827]
  • New filter Database Instance Vulnerability Assessment Not Associated with Storage Account (Azure) [ENG-8826]
  • New filter Database Instance Vulnerability Assessment Without Configured Email Notifications (Azure) [ENG-8828, ENG-8830]

Bot Actions (21.6.1)

MULTI-CLOUD/GENERAL

  • Added an optional input that Bot authors can use to include a message body in the Bot action Send Email Summary With CSV. [ENG-9610]
  • Expanded our Bot action capabilities with a new action to disassociate a public IP address from a compute instance. This action already existed in the product, but it could only be executed on demand and not via Bot automation. This ticket provides the capability via automation. [ENG-9465]

AWS

  • Added support via Bot Action for deleting AWS CloudWatch Alarms. [ENG-9416]

Bug Fixes (21.6.1)

AWS

  • [ENG-9419] Fixed an issue where partially available message queues (missing data) were not always handled correctly. Also added a default cap on the number of message queues harvested per region; the default is set to 500k.

MULTI-CLOUD/GENERAL

  • [ENG-9179] Fixed an issue where clearing a selection in "Security --> Insights" was not clearing properly.
  • [ENG-9726] Fixed a bug with the filter Network Interface Orphaned to no longer report branch interfaces as orphaned.
  • [ENG-9445] Solves issue where closed accounts in an AWS organization are added back.
  • [ENG-9292] Resolved an issue where load balancers were not harvesting as expected.
  • [ENG-9207] Solves an issue where "Enqueue Now" from the harvester info page was not updating metrics and intervals.

Cloud IAM Governance (Access Explorer) Updates - 21.6.1 Minor Release (08/18/2021)

The following updates are related to enhancements and bug fixes for our commercial add-on Cloud IAM Governance (Access Explorer) module. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.1)

  • Improved the Analyzer [ENG-9434]:
    • Hardened cache behavior to improve performance
    • Added conditionals ArnLike and ArnNotLike.

Cloud IAM Governance Bug Fixes (21.6.1)

  • [ENG-9392] Fixed a bug related to Access Explorer’s whitelisted accounts and org-switching.

InsightCloudSec Software Release Notice - 21.6.2 Minor Release (08/25/2021)

InsightCloudSec Minor Release 21.6.2 includes added support for GCP’s Container service Cloud Run (CR) and some updates to AWS permissions. In addition, we have one filter expanded for GCP support, one updated Bot action, and the usual handful of bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

Important Notes for 21.6.2

Changes to Insight Findings and Compliance Scorecard

This release includes an update that resolves an issue with the Insights finding reports and compliance scorecard to improve overall usability. With 21.6.2 these reports will no longer include resources that belong to accounts with the following status:

  • DELETE
  • SUSPENDED
  • INVALID_CREDENTIALS
  • ASSUME_ROLE_FAIL

As a result of these refinements, the results on your reports may change. Changes are likely to include lower resource counts and differences in overall compliance scores (via the summary page). This is due to no longer including the accounts with the specified statuses and fewer overall resources from those accounts being previously included. [ENG-9268]

UX Revisions - Insights Page

21.6.2 also reintroduces the column that displays failed resources (only failed checkbox), along with the ability to sort Insights based on failed resources.

Note that the reintroduction of this capability means that the performance improvements initially introduced are also rolled back (we are working on a longer term solution to this) and reports can take from 10-30 seconds to run depending on the size of your environment. [ENG-9805]

For any issue identified here if you have questions, contact your CSM or customer support for additional information.

New Permissions Required (21.6.2)

New Permissions Required: AWS GovCloud

For AWS GovCloud Standard (Read Only) User: "fsx:DescribeFileSystems", "transfer:DescribeServer", "transfer:DescribeUser", "transfer:ListServers", "transfer:ListUsers"

For AWS GovCloud Power User: "fsx:*", "transfer:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON NEW AWS PERMISSIONS

  • The "fsx:*" and "transfer:*" permissions fix a missing permissions bug for AWS GovCloud. [ENG-9905]

Features & Enhancements (21.6.2)

AWS

  • The serial number is now harvested and visible for AWS ACM certificates. [ENG-9818]
  • Expanded support for the enable/disable deletion protection to work with AWS Compute Instances. [ENG-9596]

MULTI-CLOUD/GENERAL

  • This update allows the scheduling of the Bot action "Post Request to URL" by adding a new "schedule" field to delay the action by a number or fraction of hours. [ENG-9604]

Resources (21.6.2)

GCP

  • Added support for harvesting GCP service ‘Cloud Run’ (CR). This new resource can be found on the Resources main page under ‘App Run Service’, a Container resource. No new permissions are required--they’re already included in the Cloud Asset API. [ENG-9091]

MULTI-CLOUD/GENERAL

  • Added the ability to view the source of a Compute image when inspecting its properties. [ENG-9819]

Query Filters (21.6.2)

GCP

  • Load Balancer Scheme - This filter was expanded to support GCP. [ENG-9876]

Bot Actions (21.6.2)

  • Marked the old Bot Action "Publish To Cloud Notification action" as deprecated and added a new action by the same name that requires a target account number to send the message to. Note that currently only standard SNS topics are supported. [ENG-8752]

Bug Fixes (21.6.2)

AWS

  • [ENG-9841] Fixed an issue where a BigQuery dataset might be incorrectly labelled as not publicly accessible due to a missing permission check.
  • [ENG-9934] Fixed an issue where the wrong parameter was being supplied when attempting to delete an AWS IAM user with an MFA device.
  • [ENG-9875] Fixed issue where in some cases AWS Managed Policies were not included in the blade view policies' tab.
  • [ENG-9905] Added missing GovCloud permissions and removed Shield harvesting for GovCloud. Missing permissions are "fsx:*" and "transfer:*" for the Power User policy and "fsx:DescribeFileSystems", "transfer:DescribeServer", "transfer:DescribeUser", "transfer:ListServers", and "transfer:ListUsers" for the Standard (Read Only) User policy.

GCP

  • [ENG-9782] Resolves an issue with harvesting the Google compute engine load balancer to prevent a previous error.

MULTI-CLOUD/GENERAL

  • [ENG-9997] A previous update to Jinja2 templating for delayed email recipients to the delayed email Bot action introduced issues for pre-existing instances that used the Bot Action and did not have the new config field. This resolves that issue for customers who had previously implemented the Bot Action before the new field was introduced.
  • [ENG-9951] Fixed a UI bug under Bot actions where supported resource types were falsely showing up as non-supported under resource type ‘All’.
  • [ENG-8752] Marked the old Bot Action Publish To Cloud Notification action as deprecated and added a new action by the same name that requires a target account number to send the message to. Note that currently only standard SNS topics are supported.
  • [ENG-8968] Fixed a bug with not being able to use badges for an Insight subscription.

Cloud IAM Governance (Access Explorer) Updates - 21.6.2 Minor Release (08/25/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.2)

  • Hid the resource menu unless it contains more than one item. [ENG-9769]

Cloud IAM Governance Bug Fixes (21.6.2)

  • [ENG-9791] Fixed a bug when scoping clouds by badge on the resources page.
  • [ENG-9455] Fixed a bug where service control policies and AWS organizational unit structure could cross (InsightCloudSec) organization boundaries if the same AWS Account was added twice in different (InsightCloudSec) organizations.

InsightCloudSec Software Release Notice - 21.6.3 Minor Release (09/08/2021)

InsightCloudSec Minor Release 21.6.3 includes expanded support for direct linking to the Azure console for our Azure Network resources as well as new support for AWS Batch Compute Environment. This release updates the way we harvest AWS EC2 instances (refer to the detailed note below). We’ve added or improved two Bot actions, added 5 new query filters, and enhanced 4 additional query filters. There are also a half-dozen bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

A Note About Changes to Harvesting For AWS Instances

InsightCloudSec currently works to match AWS Instance data as closely as possible. This includes showing data for instances in “terminating” or “terminated” status - which are transition states in the AWS console that typically last a few hours.

With the increased adoption of Event-Driven Harvesting and the lack of an event in AWS to remove an EC2 instance from the “terminating/terminated” state, InsightCloudSec will now treat these EC2 instances as deleted and phase them out of our local database. To summarize, beginning with 21.6.3:

  • We will no longer harvest AWS instances in a terminated/terminating status
  • Existing instances in terminated/terminating status will be removed
  • The only instances in terminated/terminating status that will not be removed/impacted are instances in inactive Cloud accounts that are not harvesting data

Other impacts may include:

  • Billable resource reports (counts)
  • Instance Resource counts may not match data in the AWS Console

If you have questions about these changes, reach out to us through support-insightcloudsec@rapid7.com. [ENG-10126]

New Permission Required (21.6.3)

New Permission Required: AWS

For Supplemental AWS-Managed Policy Users: "batch:DescribeComputeEnvironments"

For AWS Standard (Read-Only) Users: "batch:DescribeComputeEnvironments"

For AWS Power-User Users: "batch:*"

For AWS GovCloud Standard (Read-Only) Users: "batch:Describe*"

For AWS GovCloud Power-User Users: "batch:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON NEW AWS PERMISSION

  • "batch:DescribeComputeEnvironments" - Supports the newly added AWS Batch Compute Environment. [ENG-9087]

Features & Enhancements (21.6.3)

AZURE

  • Added Azure support for InsightVM integration. [ENG-10116]
  • We have expanded support for direct linking to the Azure console for our Network resources. Now, when viewing Azure network resources, you can click on a link to the resource directly in the Azure console by accessing the resource's details. [ENG-7884]

MULTI-CLOUD/GENERAL

  • Updated the Compliance Scorecard so that results can be viewed using the system badge system.cloud_organization. [ENG-9861]

Resources (21.6.3)

AWS

  • Added support for AWS Batch Compute Environment that helps you manage the capacity and instance types of the compute resources within your AWS Compute environment. This new AWS resource is found under the Compute resource category, as Resource type Batch Environment. New permission required is "batch:DescribeComputeEnvironments". [ENG-9087]

Query Filters (21.6.3)

AWS

  • API Accounting Management Event Configuration (AWS) - New filter to detect AWS CloudTrail resources based on their event selector configuration. [ENG-9935]
  • Route Table With/Without VPC Endpoint Route Entry - Filter enhanced to implement additional options, including DynamoDB, to the filter [ENG-9990]

MULTI-CLOUD/GENERAL

  • Added core filters for Email Service Domains [ENG-9930]:
    • Email Service Domain Verification Status
    • Email Service Domain DKIM Enabled
    • Email Service Domain Mail From Domain
    • Email Service Domain Policies
  • Instance Security Group Has Unapproved Networks - Improved the efficiency of the filter to be more performant at scale. [ENG-9263]
  • Resource Name Multiple Regular Expressions - Filter was modified to allow the use of ‘Or’ statements. [ENG-9933]
  • Resource Not Running With Individual Role - Modified filter to add an option that takes the region where the resource is provisioned into consideration when looking for duplicate role usage. [ENG-9932]

Bot Actions (21.6.3)

AZURE

  • The Stop, Start, and Delete lifecycle controls can now be executed from the resource property panel for Azure Database Instances. [ENG-9931]

MULTI-CLOUD/GENERAL

  • Added a new action “Cleanup Public Security Group Rules” that can be used to clean up public facing security group rules from a security group that's associated with a Compute instance. [ENG-9186]

Bug Fixes (21.6.3)

AWS

  • [ENG-10014] Fixed threat findings not harvested if AWS Macie is not enabled.
  • [ENG-9991] Fixed a bug that would improperly flag AWS FSx Lustre file systems as being unencrypted at rest if a provider-managed key was used.
  • [ENG-9848] Fixed a parsing bug for AWS EC2 Terraform analysis where the IMDS metadata options were not being analyzed properly for the Insight: Instance Allows Use Of Vulnerable IMDSv1 Protocol.

AZURE

  • [ENG-9450] Fixed bug in Cloud Scope of Resource Group search.

GCP

  • [ENG-10151] Fixed an issue where Service Encryption Key Vault harvesting may fail in GCP due to missing data.
  • [ENG-10060] Fixed a bug that results in a harvesting error when GCP Memorystore Instances do not have a display name set.
  • [ENG-10059] Fixed an edge case where harvesting would fail for GCP Load Balancers if a UDP load balancer was used within the project.
  • [ENG-10056] Fixed an edge case that would result in GCP pagination issues when reading KMS keys from the Cloud Asset Inventory (CAI).

MULTI-CLOUD/GENERAL

  • Fixed issue for bot action delayed email returning system error. [ENG-10084]

Cloud IAM Governance (Access Explorer) Updates - 21.6.3 Minor Release (09/08/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.3)

  • Improved Access Explorer's caching status update. [ENG-9826]
  • In the Principal Explorer, for each Service we show two numbers: granted actions and total actions for the Service. When AWS adds new Services or Actions, we can observe policies with more granted actions than the total actions known to the tool until the next Services/Actions database update. In these cases, we increase the total actions count to make it always at least as large as the granted actions count. We added a tooltip to convey that information. [ENG-9808]
  • Added support for new AWS services and actions. [ENG-9806]

Cloud IAM Governance Bug Fixes (21.6.3)

  • [ENG-10018] Fixed a cache build error that sometimes caused cache builds to never complete.
  • [ENG-9956] Fixed “Download Debug Data” excessive load times.
  • [ENG-9759] Fixed a bug involving services with the same actions under multiple prefixes.
  • [ENG-9447] Added a tooltip indicator to the Cloud Role and Cloud User Resource page's table columns.
  • [ENG-9161] Fixed a bug where IAM CacheBuild logs were printed twice.

InsightCloudSec Software Release Notice - 21.6.4 Minor Release (09/15/2021)

InsightCloudSec Minor Release 21.6.4 includes a new Insight and Filter, both named Compute Instance With Open Management Interface (OMI) Ports Exposed, to address the recently-identified Azure vulnerability for Linux-based virtual machines that use the Open Management Interface (OMI). We have introduced support for two new resources--AWS’ MemoryDB and GCP’s Stackdriver Sink; and a number of enhancements to currently supported resources for AWS, Azure, and GCP, all detailed below. There are also 8 new query filters, enhancements to 4 additional filters, enhancements to two Bot Actions, and more than a dozen bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.6.4)

New Permissions Required: AWS

For AWS Commercial Standard (Read Only) User: "memorydb:DescribeClusters", "memorydb:DescribeSubnetGroups", "memorydb:ListTags"

For AWS Commercial Power User: "memorydb:*"

For AWS GovCloud Standard (Read Only) User: "memorydb:Describe*", "memorydb:List*"

For AWS GovCloud Power User: "memorydb:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ABOUT AWS PERMISSIONS

  • "memorydb:DescribeClusters", "memorydb:DescribeSubnetGroups", and "memorydb:ListTags" support the added visibility and tag lifecycle support for AWS MemoryDB Clusters. [ENG-9936]

Features & Enhancements (21.6.4)

Harvesting

  • Enhanced the DiagnosticSettingsHarvester to run more quickly and improve some rate-limiting issues some customers experienced. [ENG-10244]
  • Added the ability to manually enqueue harvesting for multiple jobs (or resources) under a single cloud account. Under an individual cloud, select “Harvest Info” and then select the jobs you want to enqueue before selecting the “Enqueue Selected” button. Read more here. [ENG-10193]

User Interface Changes (21.6.4)

Added the ability to manually enqueue harvesting for multiple jobs (or resources) under a single cloud account. Under an individual cloud, select “Harvest Info” and then select the jobs you want to enqueue before selecting the “Enqueue Selected” button. Read more here. [ENG-10193]

Resources (21.6.4)

AWS

  • Added visibility and tag lifecycle support for AWS MemoryDB Clusters. This new resource can be found under the Compute resources category as Cache Database Cluster. New permissions are required: "memorydb:DescribeClusters", "memorydb:DescribeSubnetGroups", and "memorydb:ListTags". [ENG-9936]
  • Added ability to harvest ACM certificates of types beyond RSA_2048, including RSA_1024, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, and EC_secp521r1. [ENG-10068]
  • Changed the number of S3 Objects returned by AWS Macie Threat findings to 1000 objects per finding. [ENG-10167]
  • The EDH CloudTrail features we now support include EDH CloudTrail files repository additions, logging volume reduction enhancements, and filtered events list generation. If you are a Lambda-based EDH consumer and want to use the new EDH CloudTrail features we’ve added in this release, please contact your CSM or support-insightcloudsec@rapid7.com. [ENG-9228]

AZURE

  • With this update, ICS will now harvest CIDR associations that have an AzureVNET. This behavior will be consistent with how InsightCloudSec currently harvests CIDR associations with AWS and GCP. [ENG-10110]

GCP

  • Added visibility into GCP Stackdriver Sink. This new resource is found under the Identity & Management resource category as Stackdriver Sink. Three new filters have been added to support this resource: Stackdriver Sink Is Not Default (GCP), Stackdriver Sink Destination Type (GCP), and Stackdriver Sink Exporting To Unknown Project (GCP). [ENG-10100]

New Insight (21.6.4)

AZURE

  • Compute Instance With Open Management Interface (OMI) Ports Exposed - New Insight discovers virtual machines (VMs) with the recently-identified Azure vulnerability for Linux-based VMs that use the Open Management Interface (OMI). [ENG-10332]

Query Filters (21.6.4)

AWS

  • Added 2 filters to support AWS Batch [ENG-9088]:
    • Batch Environment Allocation Type (AWS) - Filters based on allocation_type (UNMANAGED / MANAGED).
    • Batch Environment Pool Type (AWS) - Filters based on pool_type (FARGATE, EC2, SPOT, FARGATE_SPOT).
  • Batch Environment Publicly Accessible - Filter was renamed from Batch Environment Publicly Accessible (AZURE) as it was modified to now additionally support AWS Batch. [ENG-9088]

AZURE

  • Compute Instance With Open Management Interface (OMI) Ports Exposed - New filter discovers virtual machines (VMs) with the recently-identified Azure vulnerability for Linux-based VMs that use the Open Management Interface (OMI). [ENG-10332]

GCP

  • SSL Certificate Is/Is Not In Use (GCP) - New filter added to find whether the resource is linked to an SSL certificate. [ENG-7000]
  • The following three new filters support the added visibility into GCP Stackdriver Sink [ENG-10100]:
    • Stackdriver Sink Destination Type (GCP)
    • Stackdriver Sink Exporting To Unknown Project (GCP)
    • Stackdriver Sink Is Not Default (GCP)

MULTI-CLOUD/GENERAL

  • New filters for App Run Services [ENG-9092]:
    • App Run Service Repository Type - Filters on repository_type.
    • App Run Service Repository Regular Expression (Regex) - Filter allows users to use Regex to match repository.
  • Batch Environment Publicly Accessible - Filter was renamed from Batch Environment Publicly Accessible (AZURE) as it was modified to now additionally support AWS Batch. [ENG-9088]
  • Instance Exposing All Ports - Improved the filter to be more performant. [ENG-9157]
  • Updated the Serverless Function runtime language options. These languages were added to the filter, Serverless Function By Runtime Language [ENG-10209]:
    • Python 3.9
    • Custom Runtime Amazon Linux 2
    • .NET Isolated Process (Microsoft Azure)
    • Node.js 10 LTS (Microsoft Azure)
    • Node.js 12 LTS (Microsoft Azure)
    • Node.js 14 LTS (Microsoft Azure)
    • Python (Microsoft Azure)
    • Powershell (Microsoft Azure)

Bot Actions (21.6.4)

AWS

  • “Scheduled Deletion” action now supports the deletion of CloudWatch Rules. [ENG-10102]

MULTI-CLOUD/GENERAL

  • Added the option ‘Skip Previously Identified Resources’ to the Bot action “Publish to Cloud Notification Topic With Target Selection”. [ENG-9592]

Bug Fixes (21.6.4)

AWS

  • [ENG-8714] Fixed a bug with ServiceCheck harvesting to ensure impacted resources are correctly linked for load balancers.

AZURE

  • [ENG-10030] Fixed issue with Azure Organizations re-onboarding disabled or deleted subscriptions.

GCP

  • [ENG-10242] Fixed a bug for the Insight Cloud Account Not leveraging Identity Provider that was causing false positives for GCP accounts.
  • [ENG-10114] Fixed egress GCP Firewall rules not being harvested.
  • [ENG-9971] Fixed a bug with GCP Load Balancer harvesting.

MULTI-CLOUD/GENERAL

  • [ENG-10236] Fixed a bug where the trusted account listing was not updated when the ‘PutKeyPolicy’ event was taken on an EDH enabled installation.
  • [ENG-10222] Fixed a bug that prevented the inspection of Threat Finding details on an individual resource through the property panel.
  • [ENG-10158] Fixed a bug that caused the harvesting strategy override values to reset when dynamic harvesting is enabled.
  • [ENG-10109] Fixed a bug that did not surface the last harvest time for globally-harvested resources such as AWS S3 and Azure VNETs.
  • [ENG-9970] Fixed a bug that prevented roles with a path from being attached to instances when using the Bot action "Attach/Associate Instance Profile".
  • [ENG-9756] Fixed large logo image in subscription emails.
  • [ENG-9096] Fixed an issue where Kubernetes Security Filters were incorrectly categorized in the resource blade view.
  • [ENG-8724] Added more unauthorized call errors that can use the environment variable DIVVY_LOG_UNAUTHORIZED_ERRORS.

Cloud IAM Governance (Access Explorer) Updates - 21.6.4 Minor Release (09/15/2021)

**The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.** Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Bug Fixes (21.6.4)

  • [ENG-9900] Fixed programming error when resolving maximum boundaries (service control policies and permission boundaries) with identity based policies.
  • [ENG-9490] Fixed bug listing all services in principal explorer.
  • [ENG-9435] Fixed programming error encountered when a context key we do not yet support appears in a trust policy.
  • [ENG-9953] Fixed bug in processing conditional context keys in tag format.

InsightCloudSec Software Release Notice - 21.6.5 Minor Release (09/22/2021)

InsightCloudSec Minor Release 21.6.5 includes expanded support for the Azure OMIGOD vulnerability in the form of a new Insight and Filter to identify Azure Virtual Machines running a version of the OMS extension that is vulnerable to OMIGOD. In addition to these updates, we have 6 new query filters, enhancements to 4 filters, and a new Bot action. As usual, this release also includes a couple of bug fixes. As always, contact us at support-insightcloudsec@rapid7.com with any questions.

Permissions (21.6.5)

For AWS Customers Using Our Supplemental Policy

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy. For 21.6.5 we have also updated our supplemental policy to remove duplicate permissions.

Features & Enhancements (21.6.5)

  • Improved the performance of adding exemptions to an Insight. Clients at large scale will notice reduced processing times when creating exemptions. [ENG-10381]

Resources (21.6.5)

AWS

  • We expanded the dependency mapping for API Gateways/API Gateway Domains to include VPC Endpoints. You should be able to see this dependency under the Resource Details > Dependencies tab when viewing specific resources. [ENG-10241]

Insights (21.6.5)

AZURE

  • Compute Instance Running Vulnerable Version of OMS - This new Insight identifies Azure Virtual Machines running a version of the OMS extension that is vulnerable to OMIGOD. To support our customers with their OMIGOD investigation and remediation efforts, InsightCloudSec now captures the Azure OMS extension version. Last week Microsoft released version 1.13.40 of the software agent which patches CVE-2021-38647, the Open Management Infrastructure Remote Code Execution Vulnerability. [ENG-10427]

Query Filters (21.6.5)

AWS

  • Cloud Accounts without AWS Config Enabled (AWS) - New filter to check cloud accounts without Config enabled. [ENG-10052]:
    • You can apply the filter for specific regions to check whether the account is without AWS Config enabled by selecting particular regions in region settings.
    • If you apply the filter with the default multi-region settings, it will list all the cloud accounts without Config enabled in any region.
  • Instance Allows Use Of Vulnerable IMDSv1 Protocol (AWS) and Instance IMDS Protocol Version (AWS) - These Filters were modified to account for the HTTP endpoint status. [ENG-10403]
  • Resource Specific Policy Principal Wildcard Search (AWS) - New Filter matches resources whose direct policy either contains or is missing desired target principal statements. This filter allows more generalized searches for principals in roles with the expected primary use case being the inspection of role trust policies. Note that this filter only inspects direct policies, such as S3 policies or KMS policies, and IAM Role trust policies. It does not inspect cloud managed policies. In addition, the filter defaults to exact matches, e.g., searching for an asterisk returns an asterisk. You can generalize the search in two ways:
    • Using % at the end of a search term will find all matches that start with the search term, e.g., arn:aws:iam:123456789012:role/% finds principal statements like arn:aws:iam:123456789012:role/ssoUser
    • Using an * in a search term will find all matches that begin and end with the terms provided, e.g., arn:aws:iam:*:role/ssoAdmin finds principal statements like arn:aws:iam:123456789012:role/ssoAdmin and arn:aws:iam:987654321098:role/ssoAdmin. [ENG-10358]
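As an added illustration (not InsightCloudSec's own code), the following Python reproduces the three match modes described for the Resource Specific Policy Principal Wildcard Search filter and runs them over constructed direct policies, reporting which resources contain, or are missing, a matching principal. The role and bucket names, ARNs, and policy documents are constructed, and a lone * is searched literally, which is our reading of the note that searching for an asterisk returns an asterisk.

```python
"""Added example, not InsightCloudSec's own code: a matcher that mimics the
search semantics described for the Resource Specific Policy Principal
Wildcard Search filter and applies them to direct (resource-attached)
policies. The policies, ARNs and resource names below are constructed."""
import re
from typing import Dict, List


def pattern_to_regex(term: str) -> "re.Pattern[str]":
    """Translate a search term into an anchored regex using the filter's rules:
    - plain term: exact match only;
    - trailing '%': prefix match (anything that starts with the term);
    - '*' inside a term: matches anything between the fixed parts.
    A lone '*' is searched literally (our reading of 'searching for an
    asterisk returns an asterisk'), so a Principal of "*" is found without
    the search matching every other principal."""
    if term == "*":
        return re.compile(r"^\*$")
    prefix_only = term.endswith("%")
    if prefix_only:
        term = term[:-1]
    body = ".*".join(re.escape(part) for part in term.split("*"))
    if prefix_only:
        body += ".*"
    return re.compile("^" + body + "$")


def principals_in(policy: dict) -> List[str]:
    """Collect AWS principal entries from every statement of a policy.
    Principal may be the string "*" or a dict whose "AWS" key holds a
    single ARN or a list of ARNs."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    found: List[str] = []
    for statement in statements:
        principal = statement.get("Principal")
        if principal is None:
            continue  # identity policies carry no Principal element
        if isinstance(principal, str):
            found.append(principal)
            continue
        aws = principal.get("AWS", [])
        found.extend([aws] if isinstance(aws, str) else aws)
    return found


def matching_principals(policy: dict, term: str) -> List[str]:
    """Principals in one policy that match the search term."""
    regex = pattern_to_regex(term)
    return [p for p in principals_in(policy) if regex.match(p)]


def search(policies: Dict[str, dict], term: str, contains: bool = True) -> List[str]:
    """Names of resources whose direct policy contains a matching principal,
    or, with contains=False, is missing one (the filter's two modes)."""
    return sorted(name for name, policy in policies.items()
                  if bool(matching_principals(policy, term)) == contains)


# Constructed sample: three IAM role trust policies and one S3 bucket policy.
SAMPLE_POLICIES: Dict[str, dict] = {
    "role/app-deployer (trust policy)": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ssoAdmin"}}]},
    "role/cross-account-reader (trust policy)": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::987654321098:role/ssoAdmin",
                              "arn:aws:iam::987654321098:root"]}}]},
    "role/ci-runner (trust policy)": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ssoUser"}}},
    "bucket/public-assets (bucket policy)": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:GetObject", "Principal": "*",
        "Resource": "arn:aws:s3:::public-assets/*"}]},
}

if __name__ == "__main__":
    for term in ("*", "arn:aws:iam::123456789012:role/%", "arn:aws:iam::*:role/ssoAdmin"):
        print(f"{term!r:45} contains -> {search(SAMPLE_POLICIES, term)}")
        print(f"{'':45} missing  -> {search(SAMPLE_POLICIES, term, contains=False)}")
```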

AZURE

  • Access List Has Flow Logs Attached (Azure) - Enhanced Filter by adding a new field, has_flow_logs, to Access Lists; it appears in the UI as "Flow Logs Present". [ENG-7986]
  • Compute Instance Running Vulnerable Version of OMS (Azure) - New Filter identifies Azure Virtual Machines running a version of the OMS extension that is vulnerable to OMIGOD. [ENG-10427]

GCP

  • Kubernetes Cluster Configured With/Without Autopilot (GCP) - New filter to identify Kubernetes clusters configured in autopilot mode, with an option to find those not configured in autopilot mode. [ENG-10310]

MULTI-CLOUD/GENERAL

  • Access List Contains Public Addresses Outside Of Known IPs - Enhanced Filter properly supports CIDR blocks, breaking each block out into the range. [ENG-9752]
  • Container Cluster Type - New Filter finds clusters of different types, e.g., AWS Elastic Kubernetes Service or Google Kubernetes Engine, by themselves or in combination. [ENG-9822]

Infrastructure as Code (IaC) New Support (21.6.5)

  • Changed occurrences of "DivvyCloud" to "InsightCloudSec" in console outputs related to IaC scans. This change has also been made to the subject line for email and Slack notifications of IaC scan results. [ENG-10235]

Bot Actions (21.6.5)

  • "Add To Data Collection" - New Bot action allows customers to automate the addition of resources to Data Collections. For example, if you would like to ensure that your volumes are using approved customer-managed keys for encryption, you can use a Bot to build a data collection that serves as an "Allow List" of encryption keys. [ENG-10106]

Bug Fixes (21.6.5)

AZURE

  • [ENG-7544] Fixed a bug with Filter Cloud Account Subscription With/Without Policy Assignment (Azure) so that only Azure Policy Assignments that are scoped at the subscription level will be matched when using this filter.

GCP

  • [ENG-10310] Fixed an issue in the filter Kubernetes Cluster Engine Does Not Use Container-Optimized OS to support GKE clusters leveraging COR_CONTAINERD.

MULTI-CLOUD/GENERAL

  • [ENG-10237] Fixed issue where the export on the Bots listing page would populate Bots filters under the “Actions” column and actions under the “Filters” column.

InsightCloudSec Software Release Notice - 21.6.6 Minor Release (09/29/2021)

InsightCloudSec Minor Release 21.6.6 has several feature enhancements including a new integration with Crowdstrike, expanded Jinja2 reference support, and improvements to the Compliance Scorecard export data. We have included two small UI improvements, expanded support for resource types across AWS and GCP, added four new filters and improved one existing filter. In addition, this release includes nearly a dozen bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

Permissions Required (21.6.6)

New Permissions Required: AWS

For AWS GovCloud Standard (Read Only) User: "route53:GetDNSSEC", "ssm:DescribeDocument"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON AWS PERMISSIONS

  • "route53:GetDNSSEC" - Fixes a bug. [ENG-10567]
  • "ssm:DescribeDocument" - Supports added visibility into the content that's associated with an AWS Systems Manager Document. [ENG-10596]

Features & Enhancements (21.6.6)

  • We have added a new integration with Crowdstrike which can be used to identify AWS, GCP, and Azure assets which have the Crowdstrike Falcon agent installed/missing. [ENG-10428]
  • The “Section” column of the Compliance Scorecard export now includes the compliance rule for custom packs that inherit from a core compliance framework such as CIS, HIPAA, and PCI. [ENG-10476]
  • We have added Jinja2 support to the "Target Bucket" and "Target Prefix" fields in the Bot action, "Enable Storage Container Logging". This support will allow a single Bot to enable logging to buckets in each region and account provided they follow a standard naming convention. For example, ics-target-bucket-<region_name>-<account_id> can now be enabled using Jinja2 and the following format: ics-target-bucket-{{resource.common.region_name}}-{{resource.get_organization_service().account_id}}. [ENG-10357]

User Interface Changes (21.6.6)

  • UI messaging updated to provide accurate notification prior to executing an on-demand Bot run. [ENG-10471]
  • When generating an API key from the user's profile screen, a pop-up will now display the API key instead of a CSV download. Note that you cannot view the API key again once the pop-up has been closed and will be warned of this in the dialog. [ENG-9640]

Resources (21.6.6)

AWS

  • Added visibility into the content that's associated with an AWS Systems Manager Document. This requires a new permission for the AWS Standard (Read-Only) policy: “ssm:DescribeDocument”. [ENG-10596]
  • Expanded the dependency mapping for API Gateways/API Gateway Domains to include VPC Endpoints. You should be able to see this dependency under the Resource Details > Dependencies tab when viewing specific resources. [ENG-10241] Note: This item was added as part of our 21.6.5 release and the corresponding release notes have been revised to include this update.

GCP

  • Updated the region for dual-region and multi-region GCP storage buckets to reflect the correct value instead of global. Information on these location types can be found [here](https://cloud.google.com/storage/docs/locations). Note that this will result in multi-region buckets being recreated in our database as their region name property was previously set to global. [ENG-10220]
    • Introduced a new GCP-specific Filter: Storage Container Location Type (GCP), that can be used to identify GCP buckets based on their location configuration.
    • Updated the Insight Resource Audit Not In Continental US to include OCI support and include the GCP multi-region/dual-region US option.

Insights (21.6.6)

AWS

  • Cloud Account without Macie Enabled - New Insight matches cloud accounts without Macie enabled. [ENG-9695]

GCP

  • Resource Audit Not In Continental US - This Insight was updated to include OCI support and include the GCP multi-region/dual-region US option. [ENG-10220]

Query Filters (21.6.6)

AWS

  • API Accounting Is/Is Not An Organization Trail (AWS) - Updated filter options for API Accounting Is/Is Not An Organization Trail (AWS) to provide clearer details/instructions to implement. [ENG-9182]

GCP

  • Storage Container Location Type (GCP) - New GCP-specific filter to identify GCP buckets based on their location configuration. [ENG-10220]

MULTI-CLOUD/GENERAL

  • Resource Engine Version Parser - New filter identifies resources by their engine version using parsing. For example, this filter can parse the third value in this engine version to confirm that 14.00.3381.3.v1 is greater in value than 14.00.3356.20.v1. This filter can be used multiple times to inspect multiple string elements. It inspects integer equivalents only. [ENG-9845]
  • Identity Threat Finding Source - New filter for ThreatFindings identifies the source of a Threat Finding. [ENG-10367]

Infrastructure as Code (IaC) New Support (21.6.6)

  • In the IaC Analyzer, added support for provider-level default_tags for the Terraform AWS provider. [ENG-10134]
  • Updated our Terraform (TF) IaC analysis for AWS Elasticsearch Domains to properly build the network_resource_id, subnets, and groups. [ENG-10479]

Bug Fixes (21.6.6)

AWS

  • [ENG-10567] Added a missing permission, “route53:GetDNSSEC”, to the commercial Standard Read-Only User policy.
  • [ENG-8817] Fixed a bug where the cluster logging configuration was not being properly evaluated as a part of AWS Infrastructure-as-Code analysis in the Terraform driver.

AZURE

  • [ENG-8992] Resolves a bug where Azure Managed SQL instances incorrectly displayed no data, rather than 0, for retention policy.

MULTI-CLOUD/GENERAL

  • [ENG-10685] Fixed an issue where EDH job runs were pushing out next run time of periodic (non EDH) harvesting jobs.
  • [ENG-10606] Fixed a bug that occurred when going from the Insights view to the resources view with a scoped resource group. The resource group now loads properly.
  • [ENG-10600] Fixed an issue with the Subscription Processor that allowed the same report to be sent multiple times in an hour.
  • [ENG-10597] Fixed a bug that prevented globally-scoped Insight Packs from being used in the Compliance Scorecard across organizations outside of the organization where it was created.
  • [ENG-10483] Fixed an error when performing IaC scans on RestApiAuthorizer issues.
  • [ENG-10481] Updates the Insight Storage containers not enforcing transit encryption Remediation/Description section information to include better detail.
  • [ENG-10478] When using Firefox the “MFA Token” field of the login screen now enforces that autocomplete is disabled.
  • [ENG-10470] Fixed an edge case that would show the incorrect total count for the Compliance Scorecard pagination controls.
  • [ENG-10237] Fixed issue where the export on the Bots listing page would populate Bots filters under the “Actions” column and actions under the “Filters” column. Note: This fix was included with the 21.6.5 release and has been updated in the previous release notes.
  • [ENG-10171] Fixed an issue in the filter Instance Image Age Exceeds Threshold where instances using an image that matches the criteria were not returned.
  • [ENG-7153] Fixed a bug so that an IaC scan template being scanned will now persist if user wants to check results and navigate back to it.

InsightCloudSec Software Release Notice - 21.6.7 Minor Release (10/06/2021)

InsightCloudSec Minor Release 21.6.7 expands AWS Event-Driven Harvesting support to include CloudTrail and expands AWS SES harvesting support to the ap-northeast-3 region. 21.6.7 also includes visibility into the DNS setting associated with Azure Public IPs. This release also includes four new Filters, two enhanced Filters, and one new Bot action. We have included support for two additional Infrastructure-as-Code (IaC) items and eight bug fixes.

Contact us at support-insightcloudsec@rapid7.com with any questions.

Features & Enhancements (21.6.7)

MULTI-CLOUD/GENERAL

  • Next scheduled harvest time calculation now accounts for manual enqueuing. [ENG-10400, ENG-10305]
  • Added controls to the scheduler process so that when a scheduler is restarted, jobs previously marked for execution will be remembered and will run at their next scheduled time. [ENG-10265]
  • Scheduler now restores job's “latest next run time” on restart. Harvester job successes and failure timestamps persist after restart. [ENG-9766]

User Interface Changes (21.6.7)

  • For the InsightVM integration, the vulnerability counts found on the Resources page have been updated to match the counts found in the Resources Properties panel. [ENG-10556]

Resources (21.6.7)

AWS

  • Added visibility into the launch template that an AWS Autoscaling Group is associated with and added two new Filters: Autoscaling Launch Configuration In Use and Autoscaling Group Launch Type. [ENG-10598]
  • Expanded AWS EDH support to CloudTrail. The following events are supported: CreateTrail, DeleteTrail, UpdateTrail, StopLogging, and StartLogging. [ENG-10595]
  • Expanded AWS SES harvesting to support Osaka (ap-northeast-3). [ENG-10559]
  • Following AWS's guidance, we are updating our documentation when referencing AWS's Customer Master Keys (CMK). CMKs are now called AWS keys. [ENG-10318]

AZURE

  • This change adds visibility into the DNS setting that is associated with an Azure Public IP. This is an optional setting that you can configure for each IP address in an Azure subscription. A new filter has also been included to audit IP addresses with/without the FQDN value populated: Public IP With/Without DNS Record. [ENG-10623]

Query Filters (21.6.7)

AWS

  • Autoscaling Group Launch Type (AWS) - New Filter identifies autoscaling group resources based on their launch type. [ENG-10598]
  • Autoscaling Launch Configuration In Use (AWS) - New Filter identifies autoscaling launch configurations which are attached to an autoscaling group. [ENG-10598]
  • DNS Zone with AWS alias record - New filter matches DNS zones with AWS Alias records. [ENG-7983]
    • Note: This change updates our DNS Zone Record IDs, so customers may see records being deleted and recreated on first harvest. This is expected. If the customer has any automation around DNS Zones, they may be affected.
  • Resource Trusting Unknown Account - This Filter was expanded to work with AWS Search Clusters. [ENG-10560]
  • Search Cluster Publicly Accessible - This Filter was expanded to work with AWS Search Clusters. [ENG-10560]

AZURE

  • Public IP With/Without DNS Record - New filter audits IP addresses with/without the FQDN value populated. [ENG-10623]

Infrastructure as Code (IaC) New Support (21.6.7)

  • Expanded AWS Terraform IaC analysis to validate S3 transit encryption enforcement. [ENG-10697]
  • Enhanced our AWS Terraform IaC support to include analysis for S3, RDS, and Neptune transit encryption enforcement. [ENG-10677]

Bot Actions (21.6.7)

AWS

  • Added a new Bot action “Enable Regional AWS Config Recorder”. [ENG-10599]

Bug Fixes (21.6.7)

AWS

  • [ENG-9022] Fixed a bug that prevented AWS policies from other accounts from being linked to IAM roles during IaC analysis.

MULTI-CLOUD/GENERAL

  • [ENG-10700] Fixed UI bug that prevented harvester status info reporting back success or failures on Clouds page and Botfactory.
  • [ENG-10695] Fixed a bug in the DataBrickWorkspace sort.
  • [ENG-10640] Fixed an issue where Diagnostic Settings of the same name, in the same resource group, weren't being harvested.
  • [ENG-10620] Fixed Badges select dropdown on Summary page; users can now deselect all Badges.
  • [ENG-10544] Fixed an issue with Compliance calculations for Insights to correctly use the Insight supported cloud type, limiting compliance breakdown counts to the supported clouds.
  • [ENG-9746] Fixed a bug on the Resources page where searching by Resource Type and applying a tag-based Filter might incorrectly change the tab (Resource category) from the Resource type being searched.
  • [ENG-9024] Fixed an issue with Subscription page refresh when Organization is changed to reflect correct subscription data and counts.

Cloud IAM Governance (Access Explorer) Updates - 21.6.7 Minor Release (10/06/2021)

**The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.** Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.7)

  • Added the ability to correctly evaluate the intersection of permission boundaries and service control policies when one boundary implicitly denies an action allowed by the other. [ENG-10021]

Cloud IAM Governance Bug Fixes (21.6.7)

  • [ENG-10517] Fixed an issue where once a user selected a tab and loading commenced, no other tabs could be selected.
  • [ENG-10455] Fixed bug in evaluating ARN context keys (aws:PrincipalTag) with string conditional operators (such as StringEquals).
  • [ENG-10361] Fixed principal expansion logic in case of show_conditionals = False to correctly resolve statements that unconditionally allowed actions with statements that conditionally allowed the same action.
  • [ENG-10339] Fixed bug involving “aws:PrincipalTag” with “Not” condition (such as “StringNotLike”) for principals without tags. Previously, we were treating this case as passing the condition, but AWS documentation and our tests show that such a principal fails the condition.
  • [ENG-10128] Fixed bug supporting conditional operators with “Not” and “ForAnyValue”.
  • [ENG-10154] Fixed bug resolving action wildcards in identity policies with actions allowed in service control policies.
  • [ENG-10154] Fixed bug that improperly threw out resource ARNs in the Resource or NotResource policy elements whose service did not match the action prefix in the same statement. This is part of our work in improving accuracy of permissions whose prefix does not always match the ARN in the service (KMS, STS, and EC2 are frequent examples).
  • [ENG-10090] Fixed bug handling action Star (*) in identity policies when service control policies are more restrictive.

InsightCloudSec Software Release Notice - 21.6.8 Minor Release (10/13/2021)

InsightCloudSec Minor Release 21.6.8 includes an update to the Distributed Table Insight(s) to clarify applicability to AWS's DynamoDB or DAX. This release adds Jinja2 support for our Bot action, “ServiceNow Incident”, so that you can now use Jinja2 for assignment groups. We have also updated our Amazon Managed Workflows for Apache Airflow (MWAA) support to include the Canada, London, Paris, São Paulo, Seoul, and Mumbai regions. 21.6.8 includes two new Filters, a new Bot action, and five bug fixes. Contact us at support-insightcloudsec@rapid7.com with any questions.

Resources (21.6.8)

AWS

  • We have updated our Amazon Managed Workflows for Apache Airflow (MWAA) support to include Canada, London, Paris, São Paulo, Seoul, and Mumbai regions. [ENG-10125]

Insights (21.6.8)

AWS

  • We have updated our Distributed Table Insights to clarify that those Insights apply to AWS's DynamoDB or DAX. [ENG-10760]

Query Filters (21.6.8)

AWS

  • Network Endpoint With Private DNS Enabled/Disabled (AWS) - New Filter more easily identifies Network Endpoints with sought properties. [ENG-10593]
  • Network Endpoint With/Without Public Access (AWS) - New Filter more easily identifies Network Endpoints with sought properties. [ENG-10593]

Infrastructure as Code (IaC) New Support (21.6.8)

  • Improved scan time performance across all IaC drivers. [ENG-10726]
  • Updated IaC default values for certain properties of an Autoscaling Group (ASG) that are not required and would trigger the message "Failed to process template. Please double-check your template or contact support.” [ENG-10722]

Bot Actions (21.6.8)

We have added Jinja2 support for our Bot action, “ServiceNow Incident”, so that you can now use Jinja2 for assignment groups. [ENG-10762] For example, if you have assignments based upon different cloud accounts defined by how they are badged, e.g.,

badge key = SNOW_assignment_group
badge value = production_cloud_team

then you can use this Jinja2 expression to dynamically assign the group based upon the badge:

{{resource.get_badge_value_by_key_for_parent_cloud('SNOW_assignment_group')}}

Bug Fixes (21.6.8)

AZURE

  • [ENG-10664] Fixed a sorting error for GraphQL API.

MULTI-CLOUD/GENERAL

  • [ENG-10800] Fixed an issue where Bot action "Mirror Tags From Parent" is used with 1) no tags specified and 2) additive_only option selected.
  • [ENG-10607] Fixed a bug where long SNS subscription names could break IaC modeling.
  • [ENG-10537] Fixed an issue where some entries in the hookpoint cache were suppressed, preventing some reactive bots from working correctly.
  • [ENG-10491] Enhanced handling of big payloads on the scheduled events loader.
  • [ENG-8072] Fixed bug which stops re-selection of date after the filters have been cleared.

Cloud IAM Governance (Access Explorer) Updates - 21.6.8 Minor Release (10/13/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.8)

  • Included a Unique ID column for Federated Users in the Access Explorer. [ENG-10527]
  • Increased log retention to 45 days, so more information will be available for debugging issues. [ENG-10526]
  • Increased the timeout value to avoid RefreshIAMData job timing out. [ENG-10521]

Cloud IAM Governance Bug Fixes (21.6.8)

  • [ENG-10516] Fixed a bug where applications included in the CMDB.csv upload would be removed if there were no resources in those applications.
  • [ENG-10397] Renamed the following endpoints:
    • /v3/iam/settings/set-whitelisted-organization-services renamed to /config/<setting_name>/delete
    • /setting/<setting_name>/delete renamed to /config/<setting_name>/delete
    • /setting/<setting_name>/get renamed to /config/<setting_name>/get

InsightCloudSec Software Release Notice - 21.6.9 Minor Release (10/20/2021)

Minor Release 21.6.9 includes a few small updates to existing resource support, including adding a webhook health check option for Microsoft Teams. We’ve included a handful of new filters: one specific to Azure, one for AWS, and four that are applicable across cloud providers. 21.6.9 also includes a number of bug fixes; contact us at support-insightcloudsec@rapid7.com with any questions.

Resources (21.6.9)

AWS

  • Added a route table type to the existing support for AWS Route Tables (as part of existing support for AWS Transit Gateway). This update includes a new type column that records whether a route is a standard or transit gateway route. [ENG-10634]
  • Added new memory and performance optimization for AWS volume snapshot harvesting in regions with very large numbers of snapshots. [ENG-9053]

AZURE

  • We now harvest diagnostic settings for Databricks Workspaces. This includes a new Filter: Databricks Workspace Invalid Diagnostic Logging Configuration (Azure). [ENG-10661]
  • Microsoft Teams webhooks are now available for health check notifications, alongside the existing health check notifications for Slack. Read more about health check notifications here. [ENG-10284]

Query Filters (21.6.9)

AWS

  • We have expanded the supported resource types for the filter Cloud Role Using Policy With Negation Key (AWS) to include Cloud Users and Cloud Groups. Accordingly, we have updated its name to now be Identity Resource Using Policy With Negation Key (AWS). [ENG-9601]

AZURE

  • Databricks Workspace Invalid Diagnostic Logging Configuration (Azure) - This new Filter inspects the diagnostic settings we now harvest for Databricks Workspaces. [ENG-10661]

MULTI-CLOUD/GENERAL

  • We have added several filters to help customers manage the badge policy for their cloud accounts [ENG-10663]:
    • Cloud Account With/Without Badge Keys
    • Cloud Account With/Without Badge Values
    • Cloud Account With/Without Any Badge Pairs
    • Cloud Account With/Without All Badge Pairs

Bug Fixes (21.6.9)

  • [ENG-10872] Fixed the Documentation link for the CrowdStrike integration.
  • [ENG-10830] Fixed parsing/modeling bugs in Terraform scanning for AWS Neptune and DocumentDB.
  • [ENG-10417] Fixed an issue where large logos did not load correctly in Outlook.
  • [ENG-8952] Fixed a bug with the back button on the resources page.

Cloud IAM Governance (Access Explorer) Updates - 21.6.9 Minor Release (10/20/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.9)

  • General IAM Analyzer improvements including:
    • Improvements to handling unsupported conditions
    • Improvements to ARN handling in the analyzer
    • Improvements to wildcard handling [ENG-10159]

Cloud IAM Governance Bug Fixes (21.6.9)

  • [ENG-10794] Fixed search by Federated User type.

InsightCloudSec Software Release Notice - 21.6.10 Minor Release (10/27/2021)

InsightCloudSec Minor Release 21.6.10 includes expanded region support for AWS MemoryDB to match AWS’s region offering, and support for AWS Kendra in AWS GovCloud. This release also includes a number of improvements for Insight severity, Compliance Scorecard export details (Namespace IDs), and IAM policy details. We have added two new Bot actions and updated seven filters (four of which have been expanded to support GCP). 21.6.10 also includes eight bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.6.10)

New Permissions Required: AWS GovCloud

For AWS GovCloud Standard (Read-Only) Users: "kendra:DescribeIndex", "kendra:ListIndices"

For AWS GovCloud Power Users: "kendra:*"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON AWS PERMISSIONS

  • "kendra:DescribeIndex" and "kendra:ListIndices" support AWS's Kendra service in AWS GovCloud, which AWS recently announced. [ENG-10931]

Features & Enhancements (21.6.10)

  • Added the ability to reset the severity level for an Insight to its default value. [ENG-11210]
  • Added the "Namespace ID" value of AWS and Azure resources to the download/export of compliance scorecards. A Namespace ID uniquely identifies a resource by combining its account, region, and resource ID. [ENG-9846]
  • Updated the descriptive text for the EmailServiceDomain property policy_names to clarify that these policies are not IAM policies per se, but policies governing authorization to use resources to send email. [ENG-8515]

Resources (21.6.10)

AWS

  • Expanded regional support of AWS's MemoryDB to match their recently announced support. [ENG-10934]
  • We now support AWS's Kendra service in AWS GovCloud, which AWS recently announced. Of note, adding this support to your GovCloud account requires updating your Power User or Read Only policies with the appropriate permissions (“kendra:DescribeIndex” and “kendra:ListIndices”) to allow harvesting. [ENG-10931]

Insights (21.6.10)

AWS

As part of the 21.6.7 InsightCloudSec release, we have updated AWS CMK references to now use AWS KMS Key and KMS Key.

This callout is to let users know that Insights and Filters that include references to this naming convention have been updated within InsightCloudSec.

As an example, the Insight "API Accounting Is Not Encrypted With CMK (AWS)" has been changed to "API Accounting Is Not Encrypted With KMS Key (AWS)".

AZURE

  • We have updated our documentation on the following four Insights to inform customers that they are being deprecated by Microsoft in favor of the CIS 1.3.0 benchmarks and to provide more up to date remediation resources [ENG-10922]:
    • Cloud Account Security Center NSGs Recommendation Not Enabled
    • Security Center Automatic Provisioning Of Monitoring Agent Is Off
    • Security Center SQL Auditing & Threat Detection Recommendation Is Off
    • Security Center Standard Pricing Tier Not Selected

MULTI-CLOUD/GENERAL

  • We have updated the text, specifically the remediation steps, of our Insights when there is remediation support offered by the bot action "Modify Elasticsearch Instance Attributes". In this case, the bot action can help remediate problems found by the following Insights [ENG-11189]:
    • ElasticSearch Cluster Without HTTPS Enforcement
    • Elasticsearch Instance Doesn't Enforce Encryption at Rest
    • Elasticsearch Instance Without Node-to-Node Encryption
    • Elasticsearch Instances With Insecure Transit Encryption Configuration

Query Filters (21.6.10)

AWS

  • Expanded the following filters to support AWS GovCloud and AWS China [ENG-10875]:
    • Load Balancer With HTTP Listener Not Redirecting To HTTPS (AWS)
    • Load Balancer Not Managed By AWS Certificate Manager (AWS)

GCP

  • Expanded support to Google Cloud Platform (GCP) for the following filters [ENG-11247]:
    • Serverless Function Contains Specific Environment Variables
    • Serverless Function Contains Specific Environment Variables (Regex)
    • Serverless Function With Environment Variables
    • Serverless Function Without Environment Variables

MULTI-CLOUD/GENERAL

  • Access List In Use - This updated filter refines results to only access lists connecting to a public subnet. Because security risk is much higher for public-facing resources, narrowing inspection to access lists connecting to public subnets helps focus priorities. [ENG-10761]

Infrastructure as Code (IaC) New Support (21.6.10)

  • Added support for AWS Launch Configurations to Terraform IaC. [ENG-8818]

Bot Actions (21.6.10)

  • "Set Notification Topic Policy" and "Remove Notification Topic Policy Public Permissions" - These two new Bot actions allow customers to manage the IAM access policies of their notification topics, either by setting or amending the policy, or by removing statements that grant public access. [ENG-10936]
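The decision the second Bot action has to make is which statements in a topic policy actually grant public access. The following is an added example, not the Bot action's own code: it treats an Allow statement with a "*" principal and no Condition as public and removes it, while keeping (and reporting for review) a "*" principal that is narrowed by a Condition such as aws:SourceArn, since that grant is not unconditionally public. The topic ARN, account ID, and statement IDs in the sample policy are constructed.

```python
"""Strip statements that grant public access from a notification topic access policy.

Added example, not the InsightCloudSec Bot action's code. Models the decision a
"remove public permissions" step has to make: which statements are public.
"""
import copy
import json

PUBLIC_PRINCIPALS = {"*"}


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list forms)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return any(p in PUBLIC_PRINCIPALS for p in aws)
    return False


def is_public_statement(stmt):
    """An Allow to a public principal with no Condition is treated as public.

    A public principal with a Condition (e.g. aws:SourceArn restricting who may
    publish) is not unconditionally public, so it is kept and reported for review.
    """
    return (
        stmt.get("Effect") == "Allow"
        and _principal_is_public(stmt.get("Principal"))
        and not stmt.get("Condition")
    )


def remove_public_statements(policy):
    """Return (hardened_policy, removed_sids, conditioned_public_sids); input is not modified."""
    hardened = copy.deepcopy(policy)
    statements = hardened.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    kept, removed, review = [], [], []
    for stmt in statements:
        if is_public_statement(stmt):
            removed.append(stmt.get("Sid", "<no Sid>"))
            continue
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            review.append(stmt.get("Sid", "<no Sid>"))
        kept.append(stmt)
    hardened["Statement"] = kept
    return hardened, removed, review


# Constructed topic policy: the account-scoped default grant, an unconditional
# public Subscribe grant, and a "*" principal scoped down by aws:SourceArn.
SAMPLE_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "__default_statement_ID", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": ["SNS:Publish", "SNS:Subscribe"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Sid": "PublicSubscribe", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Subscribe",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Sid": "AllowBucketEvents", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "SNS:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}}},
    ],
}

if __name__ == "__main__":
    hardened, removed, review = remove_public_statements(SAMPLE_TOPIC_POLICY)
    print(json.dumps(hardened, indent=2))
    print("removed:", removed, "needs review:", review)
```

Running it removes only the PublicSubscribe statement; the conditioned grant is kept but listed for review, which is the behaviour you want before a Bot writes the policy back.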

Bug Fixes (21.6.10)

  • [ENG-10925] Fixed a display issue that prevented the Tenable integration from displaying that it is configured. Customers will need to update the Tenable credentials that are saved within the integration settings. If you are not using the Tenable.io integration then there's no action required.
  • [ENG-11235] Fixed an issue where Google API statuses were taking some time to refresh.
  • [ENG-11204] Fixed a bug with the filter Instances Running 24x7 that resulted in false positives.
  • [ENG-10909] Fixed an issue where an IaC scan failed when an exemption applied.
  • [ENG-10882] Fixed a bug in the filter Application Gateway X-Ray Tracing Enabled that would count results multiple times per Application Gateway Stage.
  • [ENG-10524] Fixed an issue where some GCP harvester jobs were not shown in the UI after the APIs were enabled.
  • [ENG-10133] Fixed a bug where Azure Databricks Workspaces weren't harvesting.
  • [ENG-6647] Fixed an issue where incorrect harvest sequence of EDH tag events might lead to local tag errors.

Cloud IAM Governance (Access Explorer) Updates - 21.6.10 Minor Release (10/27/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.10)

  • We added filtering by Principal Type to the Principals tab in Access Explorer, and the drop-down menu where you pick the Principal Type now shows the count of each type. [ENG-10815]
  • We added filtering by Resource Type to the Resources tab in Access Explorer, and the drop-down menu where you pick the Resource Type now shows the count of each type. [ENG-10814]
  • When the cache needs to be rebuilt, a warning banner is displayed; the cache status widget now shows green rather than red, indicating that the existing cache build is still good. [ENG-10531]

Cloud IAM Governance Bug Fixes (21.6.10)

  • [ENG-10532] Fixed a performance issue with autocompletion of tag keys within the Access Explorer.

InsightCloudSec Software Release Notice - 21.6.11 Minor Release (11/03/2021)

InsightCloudSec Minor Release 21.6.11 includes significant performance improvements to the Insights Listing page around the findings view, expanded Jinja2 support to include today() and utcnow(), and expanded support for AWS ECS tasks and AWS WAF associations. In addition, this release includes three updates for Insights, four expanded query filters, three enhancements to Bot actions, and one new Bot action. 21.6.11 also provides support around four issues related to our IaC capability as well as a dozen bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.6.11)

New Permissions Required: AWS

For AWS Standard (Read-Only) Users: "ec2:DescribeTransitGatewayRouteTables"

Note: We recommend our AWS Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

MORE ON AWS PERMISSIONS

  • "ec2:DescribeTransitGatewayRouteTables" supports our added ability to harvest 'transit_gateway_route_tables'. [ENG-11292]
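Both of the permission notes above (the 21.6.10 GovCloud Kendra permissions and the 21.6.11 ec2:DescribeTransitGatewayRouteTables permission) follow the same pattern: the AWS managed read-only policy plus a small supplemental policy. The following is an added example, not InsightCloudSec's or AWS's code, of the review a practitioner would run on that supplemental policy before attaching it: confirm it grants every action the notes require and nothing beyond read-only verbs. The read-only verb prefixes (Describe/List/Get) and the Sid are assumptions; the actions are the ones named on this page.

```python
"""Sanity-check a supplemental InsightCloudSec read-only policy before attaching it.

Added example (not InsightCloudSec's or AWS's code). The required actions are the
ones named in these release notes; the read-only verb prefixes are an assumption
about what a "Standard (Read-Only)" policy should be limited to.
"""
import json

# Actions the 21.6.10 (GovCloud Kendra) and 21.6.11 (transit gateway route table)
# notes say a Standard (Read-Only) user needs.
REQUIRED_READ_ONLY_ACTIONS = [
    "ec2:DescribeTransitGatewayRouteTables",
    "kendra:DescribeIndex",
    "kendra:ListIndices",
]

# Verb prefixes treated as read-only (assumption; extend for your own review rules).
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get")

# Constructed supplemental policy document that grants exactly the required actions.
SUPPLEMENTAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InsightCloudSecSupplementalReadOnly",
            "Effect": "Allow",
            "Action": REQUIRED_READ_ONLY_ACTIONS,
            "Resource": "*",
        }
    ],
}


def _allowed_actions(policy):
    """Yield every action string granted by an Allow statement (Action may be str or list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        yield from actions


def non_read_only_actions(policy):
    """Return granted actions that contain a wildcard or whose verb is not read-only."""
    offenders = []
    for action in _allowed_actions(policy):
        service, _, verb = action.partition(":")
        if not service or "*" in action or not verb.startswith(READ_ONLY_VERB_PREFIXES):
            offenders.append(action)
    return offenders


def missing_actions(policy, required=REQUIRED_READ_ONLY_ACTIONS):
    """Return required actions the policy does not grant (exact match only, no wildcard expansion)."""
    granted = set(_allowed_actions(policy))
    return [a for a in required if a not in granted]


if __name__ == "__main__":
    print(json.dumps(SUPPLEMENTAL_POLICY, indent=2))
    print("non-read-only:", non_read_only_actions(SUPPLEMENTAL_POLICY))
    print("missing:", missing_actions(SUPPLEMENTAL_POLICY))
```

A Power User grant such as "kendra:*" is deliberately reported by non_read_only_actions: it belongs in the Power User policy, not in the read-only supplement.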

Features & Enhancements (21.6.11)

  • Significantly improved the performance of the Insights Library and simplified the finding view. [ENG-10900]
  • We have expanded our Jinja2 support to include today() and utcnow(), exposed through the Jinja2 functions event.get_date() and event.get_timestamp(), respectively. In combination with a tagging strategy, these functions can provide context such as when a resource was tagged with time-relevant keys, e.g., "Owner notified of impending delete", "30 day exemption granted", etc. The query filters Resource Tag Date Comparison and Resource Tag Date/Time Comparison now allow customers to inspect those tags and make decisions (sending notifications, shutting down instances, deleting roles, etc.) based on them. [ENG-8109]
  • Events in the EDH history view now show the response elements associated with a change. [ENG-11275]
  • Granted Admins the ability to update a User to an authentication server. Note: Once a User is updated, the User cannot be reverted. [ENG-9810]

User Interface Changes (21.6.11)

  • Our improvements to the Insights Library involve the following changes to the User Interface [ENG-10900]:
    • The Insights page now shows "Total Findings" instead of fractions of resources in "scope".
    • Hovering over a value in the "Total Findings" column will show the supported clouds for that Insight.
    • On the Insights page, the "Severity" column has been moved closer to the "Total Findings" column.
  • Added new Scan Type (CLI Scan) to IaC Scan List options on the list of available filters. [ENG-10376]

Resources (21.6.11)

AWS

  • Added tag visibility into our tool for AWS ECS tasks and task definitions. [ENG-11351]
  • We now harvest 'transit_gateway_route_tables'. This enhancement requires the “ec2:DescribeTransitGatewayRouteTables” permission. [ENG-11292]
  • Expanded visibility for AWS WAF associations to include AppSync resources. [ENG-11173]

Insights (21.6.11)

AWS

  • Updated the Insight Data Analytics Workspace Without Encryption At Rest to remove the default Athena workspaces called primary, which are unencrypted. As these workspaces are unencrypted by default and present in every region, surfacing them in this Insight detracts from its purpose of finding workspaces that are unexpectedly unencrypted. [ENG-11302]
  • Expanded the Insight Instance Allows Use Of Vulnerable IMDSv1 Protocol to work with AWS GovCloud. [ENG-10462]

GCP

  • Expanded support for the Insight Serverless Function Exposed To Public to Google Cloud Platform. [ENG-10765]

Query Filters (21.6.11)

AZURE

  • Cache instance exposed to the public (Azure) - Filter updated to account for private endpoints. For additional information refer to Microsoft’s documentation for this issue. [ENG-10917]

MULTI-CLOUD/GENERAL

  • Resource Is Not Encrypted - Expanded filter to support container registries. [ENG-11348]
  • Resource Tag Date Comparison and Resource Tag Date/Time Comparison - These Filters now allow customers to inspect today() and utcnow() and make decisions (sending notifications, shutting down instances, deleting roles, etc.) based on them. [ENG-8109]
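The tagging-and-comparison workflow described here (and in the Features & Enhancements entry for ENG-8109 above) has two halves: a Bot writes a date or timestamp into a tag, and a filter later compares that tag with the current date. The following is an added example, not InsightCloudSec code, that shows the comparison side in plain Python. The tag key exemption_expires, the assumption that today() yields YYYY-MM-DD and utcnow() an ISO-8601 UTC timestamp, and the sample inventory are all constructed; the point it adds is how missing or hand-edited tag values are kept out of the "expired" result rather than silently treated as a match.

```python
"""Compare time-relevant tags against a reference date, as a date-comparison filter does.

Added example, not InsightCloudSec code. The tag key and the tag value formats
(YYYY-MM-DD from today(), ISO-8601 UTC timestamp from utcnow()) are assumptions.
"""
from datetime import date, datetime, timezone

EXEMPTION_TAG = "exemption_expires"  # assumed tag key written by a tagging Bot


def stamp_today():
    """What a today()-based tag value is assumed to look like."""
    return date.today().isoformat()


def stamp_utcnow():
    """What a utcnow()-based tag value is assumed to look like."""
    return datetime.now(timezone.utc).replace(microsecond=0).isoformat()


def parse_tag_datetime(value):
    """Return an aware UTC datetime for a date or timestamp tag, or None if unparsable."""
    if not isinstance(value, str):
        return None
    text = value.strip().replace("Z", "+00:00")  # fromisoformat rejects "Z" before 3.11
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    if parsed.tzinfo is None:  # a bare date or naive timestamp is taken as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def tag_date_compare(tags, key, operator, reference):
    """Evaluate tags[key] <operator> reference; None when the tag is missing or invalid."""
    when = parse_tag_datetime(tags.get(key))
    if when is None:
        return None
    ops = {"<": when < reference, "<=": when <= reference, ">": when > reference,
           ">=": when >= reference, "==": when == reference}
    return ops[operator]


def classify_exemptions(resources, now, key=EXEMPTION_TAG):
    """Split resources into expired, still valid, and untagged/invalid ids.

    Untagged or unparsable tags go to the third bucket so an automated action
    (shutdown, delete) never fires on a value it could not interpret.
    """
    expired, valid, unknown = [], [], []
    for res in resources:
        result = tag_date_compare(res["tags"], key, "<", now)
        if result is None:
            unknown.append(res["id"])
        elif result:
            expired.append(res["id"])
        else:
            valid.append(res["id"])
    return expired, valid, unknown


# Constructed inventory; ids, tags and dates are made up.
SAMPLE_RESOURCES = [
    {"id": "i-0001", "tags": {EXEMPTION_TAG: "2021-10-01"}},
    {"id": "i-0002", "tags": {EXEMPTION_TAG: "2021-12-01T00:00:00Z"}},
    {"id": "i-0003", "tags": {EXEMPTION_TAG: "next month"}},
    {"id": "i-0004", "tags": {"Owner": "team-a"}},
]
REFERENCE_NOW = datetime(2021, 11, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("today():", stamp_today(), "utcnow():", stamp_utcnow())
    print(classify_exemptions(SAMPLE_RESOURCES, REFERENCE_NOW))
```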

Infrastructure as Code (IaC) New Support (21.6.11)

  • Expanded AWS Terraform IaC analysis to validate S3 transit encryption enforcement. [ENG-10697]
  • Added new Scan Type (CLI Scan) to IaC Scan List options on the list of available filters. [ENG-10376]
  • Expanded Terraform IaC support for resource type aws_wafv2_web_acl_association to gain visibility into WAF attachments for Application Load Balancers (ALBs). [ENG-11185]
  • Added tag visibility and support for AWS KMS keys for Terraform IaC analysis. [ENG-9914]

Bot Actions (21.6.11)

  • Added Jinja2 support to fields of the Bot action “Create Network Flow Log”. This allows users to dynamically assign the S3 bucket, S3 folder, and/or CloudWatch Logs destination based on related properties, e.g., a badge of the resource’s cloud, the region of the resource, and/or the name of the resource. [ENG-11304]
    • For example, this Jinja2 template creates a flow log targeted at a standard per-account, per-region S3 bucket for flow logs, with a separate folder per network ID:
      arn:aws:s3:::aws-networkflowlogs-{{resource.get_organization_service().account_id}}-{{resource.common.region_name}}/{{resource.common.provider_id}}/
  • Added the ability to retrieve the Insight severity associated with a Bot using the Jinja2 getter bot.insight_severity. [ENG-11301]
  • Added two new Jinja getters that can be used to enrich Bot notifications [ENG-11291]:
    • resource.get_cloud_organization_id() - This will retrieve the cloud specific organization ID that's defined at the top level.
    • resource.get_cloud_organization_nickname() - This will retrieve the human readable nickname that's associated with the Organization within InsightCloudSec.
  • We have added a new Bot action, “Update Kubernetes Logging”, to support compliance and, specifically, the Insight "Kubernetes Cluster Engine Logging Disabled". The new Bot action allows you to enable different logging types, e.g., API server, Audit, Authenticator, etc. via Bot action. [ENG-10876]
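The two Jinja2 templates quoted in these notes (the ServiceNow Incident assignment group in the 21.6.8 Bot Actions section, and the Create Network Flow Log S3 target above) both rely on resource getters. The following is an added example, not InsightCloudSec code, that renders those exact templates against a mock resource so their output can be inspected before a Bot is enabled. MockResource, MockCloud and MockCommon are stand-ins whose getter semantics are assumed from the notes (in particular, that a missing badge returns None); the account ID, region and VPC ID are constructed. Real Jinja2 is used when installed; otherwise a minimal fallback that understands only dotted getter chains renders the same templates.

```python
"""Render the Jinja2 getter expressions from these notes against a mock resource.

Added example, not InsightCloudSec code. MockResource imitates only the getters
the two templates use; their return values are assumptions about the product.
"""
import re

try:
    from jinja2 import Environment, StrictUndefined
    _ENV = Environment(undefined=StrictUndefined)
except ImportError:  # fallback renderer below handles only {{ a.b.c('x') }} chains
    _ENV = None

# Template from the ServiceNow Incident example (assignment group from a cloud badge).
SERVICENOW_GROUP_TEMPLATE = (
    "{{resource.get_badge_value_by_key_for_parent_cloud('SNOW_assignment_group')}}"
)
# Template from the Create Network Flow Log example (S3 target by account/region/VPC).
FLOW_LOG_TARGET_TEMPLATE = (
    "arn:aws:s3:::aws-networkflowlogs-{{resource.get_organization_service().account_id}}"
    "-{{resource.common.region_name}}/{{resource.common.provider_id}}/"
)


class MockCloud:
    """Stand-in for the parent cloud account: account id plus badges (assumed shape)."""
    def __init__(self, account_id, badges):
        self.account_id = account_id
        self.badges = dict(badges)


class MockCommon:
    """Stand-in for resource.common (assumed shape)."""
    def __init__(self, region_name, provider_id):
        self.region_name = region_name
        self.provider_id = provider_id


class MockResource:
    def __init__(self, cloud, common):
        self._cloud = cloud
        self.common = common

    def get_organization_service(self):
        return self._cloud

    def get_badge_value_by_key_for_parent_cloud(self, key):
        # Assumed to return None when the parent cloud has no such badge.
        return self._cloud.badges.get(key)


_PLACEHOLDER = re.compile(r"\{\{\s*(.*?)\s*\}\}")
_CALL = re.compile(r"^(\w+)\((?:'([^']*)')?\)$")


def _resolve(expr, context):
    """Fallback evaluator: walk a.b.c('x') chains by attribute access and calls (no eval)."""
    parts = expr.split(".")
    value = context[parts[0]]
    for part in parts[1:]:
        call = _CALL.match(part)
        if call:
            name, arg = call.groups()
            value = getattr(value, name)() if arg is None else getattr(value, name)(arg)
        else:
            value = getattr(value, part)
    return value


def render(template, **context):
    if _ENV is not None:
        return _ENV.from_string(template).render(**context)
    return _PLACEHOLDER.sub(lambda m: str(_resolve(m.group(1), context)), template)


def servicenow_assignment_group(resource, default="cloud_security_triage"):
    """Render the assignment group; fall back to a default when the badge is absent,
    so the literal string "None" is never handed to ServiceNow."""
    rendered = render(SERVICENOW_GROUP_TEMPLATE, resource=resource)
    return default if rendered == "None" else rendered


def flow_log_target(resource):
    return render(FLOW_LOG_TARGET_TEMPLATE, resource=resource)


# Constructed sample resources (account ids, regions and VPC ids are made up).
BADGED = MockResource(
    MockCloud("123456789012", {"SNOW_assignment_group": "production_cloud_team"}),
    MockCommon("us-east-1", "vpc-0abc123"),
)
UNBADGED = MockResource(MockCloud("210987654321", {}), MockCommon("eu-west-1", "vpc-0def456"))

if __name__ == "__main__":
    print(servicenow_assignment_group(BADGED))
    print(servicenow_assignment_group(UNBADGED))
    print(flow_log_target(BADGED))
```

The default-group fallback is the check worth keeping: an account without the SNOW_assignment_group badge would otherwise produce an incident assigned to a group literally named "None".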

Bug Fixes (21.6.11)

  • [ENG-11371] Fixed an issue where the Insight Encryption Keys Managed By Customer (CMKs) Not Rotated Annually (Oracle) was showing results for cloud types other than OCI.
  • [ENG-11274] Fixed a bug that prevented the Insight CSV download from yielding the correct results when the pack was scoped to a badge key/value pair containing the & character.
  • [ENG-11260] Fixed a bug where GCP instances in a suspended state didn't show the correct lifecycle status in the Resources section of the product.
  • [ENG-11241] Fixed a bug involving AWS KMS keys with invalid JSON policy documents failing IaC Terraform analysis.
  • [ENG-11236] Fixed a bug that prevented the action “Publish to Cloud Notification Topic With Target Selection” from working within Google Cloud Platform.
  • [ENG-11199] Fixed an edge case that would result in Terraform IaC false negatives for the Insight Content Delivery Network Without Web Application Firewall Protection.
  • [ENG-11184] Fixed a false positive for the filter Transfer Servers Without Logging when it is used during IaC analysis of AWS Transfer Servers.
  • [ENG-10916] Fixed a bug that displayed the incorrect value for the cache_data_encrypted property of Application Stages.
  • [ENG-10855] Added a missing check for Google's storage.publicAccessPrevention setting under iamConfiguration when evaluating whether a storage container is publicly accessible. If this setting is false, then we will no longer identify the container as public. For additional information see Google’s documentation for this issue.
  • [ENG-10740] Fixed a bug where the Scopes button was not active when viewing a custom Insight with an associated badge scope.
  • [ENG-10640] Fixed an issue where Diagnostic Settings of the same name, in the same resource group, weren't being harvested.
  • [ENG-10373] Fixed an issue where AWS Policy Simulator was causing incorrect account visibility status. Service Control Policies with condition statements are no longer included when evaluating visibility for AWS accounts.
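The ENG-10855 fix above is the kind of check that is easy to get subtly wrong, because a public IAM binding on a bucket is only effective when public access prevention does not override it. The following is an added example, not InsightCloudSec code, of that evaluation. One caveat a practitioner should know: the GCS JSON API reports iamConfiguration.publicAccessPrevention as the string "enforced" or "inherited" (older buckets may show "unspecified"), not a boolean; "inherited" means an organization policy decides, which bucket metadata alone cannot tell you, so the example treats only "enforced" as protective. The bucket records are constructed and fold the bucket metadata and its IAM policy bindings (normally two separate API responses) into one dict.

```python
"""Decide whether a GCS bucket is publicly accessible, honouring publicAccessPrevention.

Added example, not InsightCloudSec code. The bucket records are constructed and fold
the bucket metadata (iamConfiguration) and its IAM policy bindings into one dict.
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_access_prevented(bucket):
    """True only when the bucket reports publicAccessPrevention "enforced".

    "inherited" defers to an organization policy that bucket metadata alone
    cannot reveal, so only "enforced" is treated as protective here.
    """
    iam_cfg = bucket.get("iamConfiguration") or {}
    return iam_cfg.get("publicAccessPrevention") == "enforced"


def public_bindings(bucket):
    """Return (role, member) pairs that grant access to allUsers/allAuthenticatedUsers."""
    found = []
    for binding in (bucket.get("iamPolicy") or {}).get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding.get("role"), member))
    return found


def bucket_is_public(bucket):
    """Public only if a public binding exists and public access prevention is not enforced."""
    if public_access_prevented(bucket):
        return False
    return bool(public_bindings(bucket))


def find_public_buckets(buckets):
    """Names of buckets that would be reported as publicly accessible."""
    return [b["name"] for b in buckets if bucket_is_public(b)]


# Constructed sample buckets: a public binding that is effective, the same binding
# neutralised by "enforced", a private bucket, and a bucket with no iamConfiguration.
SAMPLE_BUCKETS = [
    {"name": "open-assets",
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "locked-down",
     "iamConfiguration": {"publicAccessPrevention": "enforced"},
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "private-data",
     "iamConfiguration": {"publicAccessPrevention": "inherited"},
     "iamPolicy": {"bindings": [{"role": "roles/storage.admin",
                                 "members": ["group:security@example.com"]}]}},
    {"name": "legacy-no-config",
     "iamPolicy": {"bindings": [{"role": "roles/storage.legacyBucketReader",
                                 "members": ["allAuthenticatedUsers"]}]}},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        print(bucket["name"], "public" if bucket_is_public(bucket) else "not public",
              public_bindings(bucket))
    print(find_public_buckets(SAMPLE_BUCKETS))
```

Note that "locked-down" still carries an allUsers binding; public_bindings reports it so the stale grant can be cleaned up, even though bucket_is_public correctly says it is not exposed.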

Cloud IAM Governance (Access Explorer) Updates - 21.6.11 Minor Release (11/03/2021)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at support-insightcloudsec@rapid7.com with any questions.

Cloud IAM Governance Features & Enhancements (21.6.11)

  • Updated tag filters within the Access Explorer to allow all characters for tag keys (including the colon ":" character). [ENG-10087]

Cloud IAM Governance Bug Fixes (21.6.11)

  • [ENG-11191] Fixed a bug on the Resources page where certain combinations of filters and sorts could cause a crash.
  • [ENG-10935] Fixed a bug where non-AWS roles/users could show up in the Access Explorer.
  • [ENG-10912] Service Expansion bug fixes: Made multiple internal stability improvements to the analysis engine.
  • [ENG-10802] Fixed a bug so that users can now search Applications by Account Name in Access Explorer.
  • [ENG-10586] Fixed a bug by removing Total Account and Total Resources as filter options in Access Explorer.