21.7 Release Notes

Latest 21.7 Release

Release Highlights (21.7.7)

With our continuing rapid response to the Log4Shell vulnerability, InsightCloudSec is pleased to announce Minor Release 21.7.7. Following are the highlights from this release, as well as highlights from our other recent releases:

Minor Release 21.7.7 (12/23/2021) introduces a collection of bootstrap actions for AWS EMR clusters. These updates will help identify clusters that are missing specific scripts to harden against vulnerabilities such as Log4shell, including:

• New Insight: Map Reduce Cluster Without Bootstrap Mitigation For CVE-2021-44228
• New (AWS) Permission: elasticmapreduce:ListBootstrapActions
• New Filter: Map Reduce Cluster Bootstrap Actions (AWS)

Minor Release 21.7.6 (12/20/2021) includes added visibility into AWS container vulnerability harvesting, supporting enhanced monitoring (Inspector2). We include a new query filter to support this added visibility. We also include one bug fix. New AWS permissions for user policies are called out for this latest release.

Minor Release 21.7.5 (12/17/2021) includes one new GCP query filter and one bug fix.

Minor Release 21.7.4 (12/15/2021) provides updates to AWS and GCP (based on their recommendations). As part of our updates around the Log4Shell vulnerability we have also added visibility into the AWS OpenSearch service, two new Filters, and a new Bot action. This release also provides expanded support for AWS Lambda Layers, EDH support to work with AWS EFS/FSx, and support for storing the Amazon-side Autonomous System Number (ASN) for Transit Gateways. For GCP, we’ve changed the GCP Volume harvester to use Cloud Asset Inventory. This release also contains a total of five new filters, two new Bot actions, and four bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

Update of “Support” Widget & Customer Support Portal

InsightCloudSec versions 21.7.2 and 21.7.3 temporarily removed the “Support” widget found inside the product UI. Versions prior to the 21.7.3 release may include the widget, but this form should no longer be used.

21.7.4 reenables the support widget inside the product UI to connect users with the new internal form and associated SalesForce support portal.

Beginning with the introduction of SalesForce in 21.7.4, we will also be deprecating email support. Any user that contacts support via email will receive an auto-response instructing them to contact the team through the unified Customer Support Portal. Check out our Getting Support Page for complete details on support options.

Many customers have already been contacted about creating credentials to access the new support portal. If you are new to this portal, simply click the “Haven’t activated your account?” link to create a new account to contact support.

New Permissions Required (21.7.0)

MORE ON AWS PERMISSIONS

• "glue:GetDatabases", "glue:ListCrawlers", and "glue:ListRegistries" - Support the expanded Insights ETL Data Catalog Connection Passwords Without Encryption and ETL Data Catalog Objects Without Encryption to only report violations when AWS Glue is in use. [ENG-11372]
• "ssm:DescribeInstanceInformation" - Supports harvesting information about AWS EC2 SSM agents and have corresponding filters to determine whether an EC2 has the agent install and, if so, whether it is the latest version. [ENG-11401]

MORE ON GCP PERMISSION

• "compute.firewallPolicies.list" - Supports the added harvesting for GCP deny firewall rules at the organization/folder level to provide a more accurate picture of resource access. [ENG-11446]

Features & Enhancements (21.7.0)

Azure Event-Driven Harvesting With this release, InsightCloudSec is introducing expanded support for our Event-Driven Harvesting (EDH) capabilities to include Azure. Used to augment our standard polling-based harvesting, EDH pulls data from the control-plane change events using Azure’s EventGrid to trigger harvesting. This dynamic approach to data collection not only improves InsightCloudSec's cadence for providing resource visibility and opportunities for remediation, but also enriches the data with lifecycle changes that enable auditing capabilities. Read more about Azure Event-Driven Harvesting in our documentation. [ENG-7319]

Kubernetes Guardrails As part of 21.7.0, InsightCloudSec is pleased to announce the general availability release of our Kubernetes Security Guardrails (or K8s Guardrails) feature. K8s Guardrails enables you to harden your production environment by auditing your Kubernetes cluster, nodes, and pods configuration. Taking advantage of this feature allows you to continuously deploy and monitor your K8s deployment for policy violations and get actionable recommendations.

**Compliance Scorecard & K8s ** As part of our expanded support for Kubernetes Guardrails Security, InsightCloudSec has introduced expanded capabilities around our Compliance Scorecard. The Compliance Scorecard now includes filtering options to display findings around Clusters and Namespaces. You can check out the Compliance Scorecard documentation for details on the expanded filtering capabilities. [ENG-9481]

Kubernetes Security Guardrails - Compliance Scorecard API Endpoint Changes As part of our 21.7.0 updates - including the introduction of our Kubernetes Security Guardrail features and revisions to our Compliance Scorecard capabilities - we have also made changes to the following API Endpoints. Refer to the linked documentation for details.

• Get Featured Insight Compliance Packhttps://domain/v2/compliance/score-card/backoffice/pack_id
• Get Custom Insight Compliance Packhttps://domain/v2/compliance/score-card/custom/pack_id
• Download Featured Pack Compliance Scorecardhttps://domain/v2/compliance/score-card/export?pack_ids=backoffice:pack_id
• Download Custom Pack Compliance Scorecardhttps://domain/v2/compliance/score-card/export?pack_ids=custom:pack_id
• Get Compliance Scorecard Custom Export (JSON) https://domain/v2/compliance/score-card/export-data?pack_ids=pack_id

**CLI Tool for IaC Scanning ** Included in 21.7.0 is InsightCloudSec’s IaC CLI scanning tool, which provides DevOps with the ability to scan IaC templates via the command line before configurations become part of the CI/CD pipeline. Having a CLI tool saves time and enables teams to support a shift left strategy as part of their Infrastructure as Code approach. Check out the documentation for details on setup. [ENG-10190]

Cloud Overview Page Recent revisions to InsightCloudSec provide you with the ability to view detailed information for individual cloud accounts, including summary information for key resources, curated Best Practices and Recommendations, and at-a-glance harvesting status information. Take a look at our documentation to review the details available on this new page.

Event-Driven Harvesting Overview In addition to our expanded support for EDH for Azure, InsightCloudSec has also introduced a revised overview page for Event-Driven Harvesting. Available as the landing page for EDH, this new page provides an event overview for your entire organization or an individual cloud account. It includes great details like event counts for the previous 5 days with a graph to view trends, a summary of suspicious events, and top events by type. Check out our updated Event Driven Harvesting Reports page for complete details.

OTHER

• Added "Resource ID" column to the Exemptions CSV download. [ENG-11451]
• Basic users are now able to see the Badge Summary page, which can help them understand the organization's cloud badging strategy. [ENG-11383]
• Added Insight metadata to the Overview sheet of the Compliance Scorecard download. [ENG-11347]
• Added Image SHA to be viewable on the Container Image resource screen. [ENG-10757]

User Interface Changes (21.7.0)

• Updated the usage language for Azure Cloud Checks to better reflect what we get from Azure. [ENG-10856]
• Added metrics of #ofScans and Type to UI. [ENG-10708]

Resources (21.7.0)

AWS

• Expanded support for AutoScaling Groups (ASGs) by adding visibility into ASGs configured with Warm Pool Instances. [ENG-11473]
• We are harvesting information about AWS EC2 SSM agents and have corresponding filters to determine whether an EC2 has the agent install and, if so, whether it is the latest version. New Filters : Instance With AWS SSM Agent Configured, Instance Without AWS SSM Agent Configured, and Instance Not Running Latest AWS SSM Agent. New permission required: “ssm:DescribeInstanceInformation”. [ENG-11401]
• Added sensitive user data detection for AWS Autoscaling Launch Configurations. The filter Instance With Sensitive User Data (AWS) was renamed to Instance/Launch Configuration With Sensitive User Data (AWS) and now supports Launch Configurations. [ENG-11384]
• Expanded AWS EDH support to capture the event “ModifySecurityGroupRules”. [ENG-11381]
• Added visibility into drift status for AWS CloudFormation templates via new filter Stack Template Drift Status (AWS) that supports AWS, AWS Gov, and AWS China. [ENG-9467]
• Added support for harvesting tags for OpenSearch Service (formerly Elasticsearch Instance) and Elasticache Reserved Instances. Tag create, update, and delete are not supported yet by AWS. [ENG-7413]

GCP

• Added harvesting for GCP deny firewall rules at the organization/folder level to provide a more accurate picture of resource access. This requires the permissions "compute.firewallPolicies.list", which is in the already-enabled Compute API. [ENG-11446]

MULTI-CLOUD/GENERAL

• Expanded get_untrusted_accounts() compatibility to work with private images, snapshots and systems manager documents. These resource types also now include the trust account listing in the resource properties when pulled via the API. [ENG-11266]

Insights (21.7.0)

AWS

• ETL Data Catalog Connection Passwords Without Encryption and ETL Data Catalog Objects Without Encryption - These Insights were expanded to only report violations when AWS Glue is in use. Note that this requires updated IAM permissions. Please reference the IAM changes in the release notes and ensure that you have that visibility in place. New permissions for read-only policy: "glue:GetDatabases", "glue:ListCrawlers", and "glue:ListRegistries". New permission for GovCloud read-only policy: "glue:List*". [ENG-11372]

GCP

• We have expanded cloud support for the Insight Notification Topic Exposed to Public to include GCP projects. [ENG-11432]

Query Filters (21.7.0)

AWS

• Added four new filters that can be used on the AWS Config resource type [ENG-11346]:
  • Config Recording Enabled/Disabled (AWS)
  • Config Recording to Unknown Account (AWS)
  • Config Recording Global Resource Types Enabled/Disabled (AWS)
  • Config Recording All Resource Types Enabled/Disabled (AWS)
• DNS Zone Without SPF Record - New filter identifies Route53 zones which are missing an SPF record. [ENG-11284]
• Instance With AWS SSM Agent Configured, Instance Without AWS SSM Agent Configured, and Instance Not Running Latest AWS SSM Agent - New filters support harvesting information about AWS EC2 SSM agents. [ENG-11401]
• Instance/Launch Configuration With Sensitive User Data (AWS) - This filter was renamed from Instance With Sensitive User Data (AWS) and now supports Launch Configurations in line with the added sensitive user data detection for AWS Autoscaling Launch Configurations. [ENG-11384]
• Resource Access List Association Count - New filter identifies access lists based on the number of resources they are associated with. [ENG-11284]
• Resource Is Associated With Public Subnet - Expanded filter to work with Elasticsearch Domains, Memcache Instances, and Map Reduce Clusters. [ENG-11284]
• Stack Template Drift Status (AWS) - New filter supports added visibility into drift status for AWS CloudFormation templates, supports AWS, AWS Gov, and AWS China. [ENG-9467]

Bot Actions (21.7.0)

AWS

• Added a new Bot action “Invoke Serverless Function” that can be used to trigger an AWS Lambda directly. [ENG-11385]

Bug Fixes (21.7.0)

• [ENG-11482] Fixed a bug on the Insight page rendering values for Total Findings.
• [ENG-11437] Fixed a bug where GCP Service Roles weren't being harvested when they weren't scoped to the project.
• [ENG-10739] Removed GCP as a supported cloud for the Insight Storage Container Without Access Logging as it does not apply.
• [ENG-10710] Fixed an issue where IVM vulnerability metadata became stale over time.
• [ENG-10123] Fixed a bug impacting performance for filters Storage Account Allows Access From World and Snapshot Accessible To Public. [ENG-10123]
• [ENG-9949] Fixed an issue where Bot was not matching the same counts and Insight violations.

Cloud IAM Governance Bug Fixes (21.7.0)

• [ENG-11409] Removed the display of Resource Types counts to improve performance.
• [ENG-10827] Fixed an issue on Access Explorer related to columns disappearing after adding new columns and switching tabs.

InsightCloudSec Minor Release 21.7.1 minor release includes two new compliance packs: a HITRUST Compliance Pack and a Kubernetes CVE Compliance Pack. We have added support for visibility into GCP Secrets and enhanced support for GCP Public Storage Container analysis, which now accounts for Organization-, Folder-, and Project-level policies when evaluating public access. 21.7.1 includes a new resource download capability and also adds IaC support for three additional AWS CloudFormation resources. In addition we’ve enhanced one query filter, added one new Bot action, and included six bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.7.1)

MORE ON AWS PERMISSION

• "ec2:SearchTransitGatewayRoutes" fixes a bug involving a missing permission. [ENG-11702]

MORE ON GCP PERMISSIONS

• "orgpolicy.policies.list” supports the added capability for GCP Public Storage Container analysis for Organizations, Folders, and Projects in evaluating public access. [ENG-11578]
• "resourcemanager.projects.get" supports both the added capability for GCP Public Storage Container analysis [ENG-11578], as well as the added capability to harvest GCP Secrets [ENG-11498]. This permission is part of our existing recommended GCP APIs (Cloud Resource Manager).
• "secretmanager.secrets.list" supports the added capability to harvest GCP Secrets. "secretmanager.secrets.list" is part of the Cloud Secrets Manager API, which must be connected for this functionality to work. [ENG-11498]

Features & Enhancements (21.7.1)

**HITRUST Compliance Pack ** InsightCloudSec's new HITRUST Common Security Framework (HITRUST CSF) Pack includes InsightCloudSec Insights that can map to the HITRUST CSF requirements. This pack is important for organizations that are required to align with the Payment Card Industry Data Security Standards. [ENG-10733]

Other

• Added suspicious event detection for the StopLogging and DeleteTrail AWS events. [ENG-11518]
• Added a new inventory export in the Resources section. This capability can be leveraged to pull a single, unified inventory export of assets matching the configured scope. Read more details on using the Download Resources feature. [ENG-11497]

Resources (21.7.1)

AZURE

• Added Azure EDH Setup Dialog with details and a link to external documentation. [ENG-11340]

GCP

• Added visibility into GCP Secrets. This resource can be found on the Resources page, Identity & Management category, as the resource type Secret. Two new permissions are needed: "resourcemanager.projects.get" from the Resources Manager API (which should already be connected) and "secretmanager.secrets.list" from the Cloud Secrets Manager API, which you should connect if you have not already done so. [ENG-11498]
• GCP Public Storage Container analysis now accounts for Organization-, Folder-, and Project-level policies when evaluating public access. The following permissions are required: "orgpolicy.policies.list" and "resourcemanager.projects.get". You can read more on inheritance of this setting (basically, set at top/Organization, but can be overridden by lower level/Project) here. [ENG-11578]

Insights (21.7.1)

• Created a new Insight called Volume Encryption Not Enabled For Boot Device. [ENG-11492]
• Added the Insight Identity Resource Unused for 90 Days to the IAM Security (without Access Explorer) pack. [ENG-11417]

Query Filters (21.7.1)

AWS

• Expanded support for AWS CloudWatch Log Groups for the Query Filters Resource Encrypted With Provider Default Keys and Resource Encrypted With Keys Other Than Provider Default. [ENG-11699]

MULTI-CLOUD/GENERALResource Name Regular Expression Exclusion (Regex) - Enhanced Query Filter with a new option to exclude resources without a name from evaluation. [ENG-10610]

Infrastructure as Code (IaC) New Support (21.7.1)

• Added IaC CFT support for Backup Vault (AWS) resource type. [ENG-11407]
• Added IaC CFT support for AWS API Gateway and API Gateway V2 resources. [ENG-11406]
• Added IaC CFT support for Amazon Certificate Manager (ACM) Certificates. [ENG-11405]

Check out the full list of supported IaC CFT Resources.

Bot Actions (21.7.1)

AWS

• We have added a Bot action, “Set Load Balancer SSL Policy Of Listener (AWS)”, to upload the SSL policy of AWS application load balancers listeners for port 443. This action will allow customers to automate the migration from older policies, e.g., ELBSecurityPolicy-TLS-1-2-2017-01, to new policies, e.g., ELBSecurityPolicy-TLS-1-2-Ext-2018-06. [ENG-9152]

Bug Fixes (21.7.1)

• [ENG-11685] Fixed an issue where an optional field in a Guardrails report was handled incorrectly in the backend, causing possible report processing to fail.
• [ENG-11624] This change fixes issues with our hookpoint generation across several resource types.
• [ENG-11580] Fixed GCP harvesting issues: GCP Spanner resources without nodes will no longer report an error when harvesting; GCP Bucket resources with requester pays enabled will no longer report an error when harvesting.
• [ENG-11579] Fixed a bug that prevented harvesting of AWS DataSync Tasks without a name.
• [ENG-10573] Expanded the logic used to identify AWS member accounts that are/are not configured with the CIS CloudWatch Alarm checks (Section IV). This fixes a defect in our platform that yields false positives with these Insights because we aren't properly handling member accounts with the alarms configured within the payer account.
• [ENG-8704] Resolved an issue where selecting hidden Insight Packs (both Custom Packs and Compliance Packs) generated errors.

Cloud IAM Governance Bug Fixes (21.7.1)

• [ENG-11588] Fixed a performance issue relating to tag searching in the Access Explorer.

Minor Release 21.7.2 release includes support for three new resources: AWS Step Functions, AWS Transcription Jobs, and Azure App Registrations. We have added support for four additional CFT services for our IaC capability, enhanced one Bot action, included four new query filters and one renamed filter. This version also includes two bug fixes.

New Permissions Required (21.7.2)

MORE ON NEW AWS PERMISSIONS

• The new ‘states’ permissions (e.g., "states:DescribeStateMachine" and "states:ListStateMachines") support the added visibility, tag, and lifecycle support for AWS Step Function State Machines. [ENG-11334]
• The new ‘transcribe’ permissions ("transcribe:GetMedicalTranscriptionJob", "transcribe:GetTranscriptionJob", etc.) support the AWS Transcription Jobs resource. [ENG-9564]

Features & Enhancements (21.7.2)

• Added a new Harvesting Failure Message to notify users of issues with harvesting associated with AWS Service Control Policies. Refer to our Harvesting Failure Messages page for details. [ENG-11642]

Resources (21.7.2)

AWS

• Added visibility, tag, and lifecycle support for AWS Step Function State Machines. This resource can be found under the Compute category as the new Resource type Step Function. New permissions are required: "states:" for both commercial and GovCloud Power users, "states:Describe" and "states:List*****" for GovCloud Read Only users, and "states:DescribeStateMachine" and "states:ListStateMachines" for commercial Read-Only users. [ENG-11334]
• Added support for AWS Transcription Jobs. This resource can be found under the Compute category as the new Resource type Transcription Job. New permissions are required: "transcribe:GetMedicalTranscriptionJob", "transcribe:GetTranscriptionJob", "transcribe:ListMedicalTranscriptionJobs", and "transcribe:ListTranscriptionJobs" for commercial Read-Only users; "transcribe:Get*****" and "transcribe:List*****" for GovCloud Read-Only users; and "transcribe:*****" for both commercial and GovCloud Power users. [ENG-9564]

AZURE

• Added support for Azure App Registrations for configuring authentication and authorization workflows for a variety of different client types. This new resource is part of the Identity & Management resource category, resource type Cloud App. No new permissions required. [ENG-11386].

GCP

• Added visibility into resource level permissions for GCP Storage, Pub/Sub, BigQuery, and Functions. Modified the filter Resource Trusting Unknown Account By Badge to include support for GCP for the following resources: Database Snapshot, Private Image, and Snapshot. Added new filter Resource With Direct Access From Unauthorized Domain (GCP) for GCP only to match resources that grant access to users/groups by domain (default) or by unauthorized domain when using the optional setting. This applies to the following GCP resources: Notification Topic, Serverless Functions, Service Dataset, and Storage Container. [ENG-11681]

Query Filters (21.7.2)

GCP

• 'Resource Trusting Unknown Account By Badge' - modified the filter to include support for GCP in identifying resources that have a trust relationship with an account not badged with the provided badge key and value. [ENG-11681]

• Resource With Direct Access From Unauthorized Domain (GCP) - New filter for GCP only matches resources that grant access to users/groups by domain (default) or by unauthorized domain when using the optional setting. This applies to the following GCP resources: Notification Topic, Serverless Functions, Service Dataset, and Storage Container. [ENG-11681]

MULTI-CLOUD/GENERAL

• Instance On Public Subnet - Renamed this query filter to a more wordy, but more accurate Instance On Subnet With Route To Internet Via Gateway. The change conveys that the instance has a route to the Internet via a gateway of some type (and that type of gateway can be specified). The filter also now has a "Not In" option so you can see all instances that do not have a route to the Internet via different types of Gateways. [ENG-11674]

• Instance On Subnet With Route To Internet Via Gateway - Filter renamed from Instance On Public Subnet. The change conveys that the instance has a route to the Internet via a gateway of some type (and that type of gateway can be specified). The filter also now has a "Not In" option so you can see all instances that do not have a route to the Internet via different types of Gateways. [ENG-11674]

• Introduced several new filters to support FedRAMP audit requirements [ENG-11721]:

  • Message Queue With/Without VPC Endpoint Entry In Region (AWS)
  • Notification Topic Without Subscriptions (AWS)
  • Notification Topic With/Without VPC Endpoint Entry In Region (AWS)
  • Container Cluster/Service support for filter Resource Is Associated With Public Subnet (AWS)
  • Shared Filesystem Mount Target Threshold

Infrastructure as Code (IaC) New Support (21.7.2)

• Added IaC CFT support for AWS CloudFront SSM Parameter. [ENG-11414]
• Added IaC CFT support for Amazon Elastic MapReduce (EMR). [ENG-11412]
• Added IaC CFT support for Amazon Cognito. [ENG-11411]
• Added IaC CFT support for Amazon CloudFront Distributions. [ENG-11408]

Refer to the AWS CloudFormation - IaC Supported Resources Page for complete details.

Bot Actions (21.7.2)

• “Splunk Event” - We have added the option to "Skip previously identified results" to the Bot action, "Splunk Event". When selected, the Bot will not create duplicate Splunk events for resources previously marked non-compliant by that Bot. [ENG-11673]

Bug Fixes (21.7.2)

• [ENG-11408] Fixed the following issues for Terraform CloudFront resources:

  • Fixed false positives in the Content Delivery Network With Trusted Signers (AWS) query filter where 'default_cache_behavior.trusted_signers` was an empty list.
  • Fixed false positives on the Content Delivery Network Without Origin Access Identity query filter.
  • Fixed false negatives on the Content Delivery Network Using Default SSL Certificate Insight.

• [ENG-11325] Fixed a bug involving query filter Cloud Region Without Access Analyzer Enabled (AWS) not considering Zone of Trust and causing false positives. Added Zone of Trust (either account or org level) as an attribute to Access Analyzers. Changed filter to account for this new zone of trust attribute.

Cloud IAM Governance Features & Enhancements (21.7.2)

• Improved the way we treat conditional operators we do not yet support (such as Bool or IpAdddress) to be more like our analysis of context keys we do not yet support (such as aws:ResourceTag). We now remove conditionality in both cases, to surface the most Allowed actions that otherwise could have been suppressed by unknown conditionals. This change in behavior will be most noticeable when the unsupported condition is attached to a Deny, and another statement Allows the same action. We now suppress the Deny conditional on logic we do not recognize so that the user can see the (potentially) allowed action. [ENG-10611], [ENG-10415]

Cloud IAM Governance Bug Fixes (21.7.2)

• [ENG-11294] Fixed a bug in our evaluation of tag-based context keys (currently only aws:PrincipalTag) in combination with string-based conditional operators, such as StringEquals.

InsightCloudSec Minor Release 21.7.3 contains numerous enhancements in support of announcements from last week’s AWS re:Invent 2021, including updates to a dozen supported AWS resources and expansions for the related query filters, updates to Insights, and updates to Bot actions. You can read details for all of the re:Invent inspired updates on our blog here. 21.7.3 also includes more than 100 new Insights in support of our Kubernetes Security Guardrails feature. This release contains eight new query filters, two new Bot actions, one renamed and expanded Bot action, and four bug fixes.

As always, contact us at support-insightcloudsec@rapid7.com with any questions.

New Permissions Required (21.7.3)

MORE ABOUT NEW AWS PERMISSIONS

• "athena:ListQueryExecutions" supports the added "in use" indicator for Athena workspaces that surfaces where there are any queries executed. [ENG-11930]
• "kafka:ListClustersV2" supports newly-announced features of AWS’ MSK Serverless. [ENG-12071]
• The "rbin" permissions (e.g., "rbin:GetRule" and "rbin:ListRules") support visibility into the added resource AWS Recycle Bin Rules. This resource is new enough that it is not yet included in AWS’ Read-Only policy; therefore, our supplemental policy must be updated to include “rbin:GetRule” and “rbin:ListRules”. [ENG-12041]
• "s3:GetBucketOwnershipControls" support the new property, filter, and Insight related to S3 access of objects. [ENG-12071]
• "ssm:DescribeDocument" will be needed for anticipated additional support for SSM Documents. [ENG-12169]

Features & Enhancements (21.7.3)

SUPPORT FOR 12 NEW SERVICES ANNOUNCED AT re:INVENT InsightCloudSec version 21.7.3 includes support for 12 new services announced at re:Invent 2021 [ENG-12069]:

• The New Amazon Inspector
• S3 Object Ownership
• Recycle Bin
• EBS Archive Mode
• FSx for OpenZFS
• On-Demand Kinesis Data Streams
• MSK Serverless
• Redshift Serverless
• VPC Network Access Analyzer
• DynamoDB Standard-Infrequent Access Class
• CloudWAN
• Amazon RDS Custom for SQL Server

You can read all the details in our Blog here.

Kubernetes CVE Compliance Pack The Kubernetes CVE Compliance Pack (CVEs for Kubernetes and ISTIO)contains Insights designed to assess and report known Kubernetes and Istio vulnerabilities. Check out the Kubernetes CVE Compliance Pack Summary Page for additional details on the Insights in this pack.

OTHER

• Introduced an integration for SumoLogic. [ENG-12008]

Resources (21.7.3)

AWS

• Expanded resource support around AWS Glacier to add a new public property to Cold Storage resources that can be used to detect if these resources are exposed to the public due to an overly permissive policy. This also includes a new filter Cold Storage Is Exposed To Public. [ENG-12093]
• We have added an "in use" indicator for Athena workspaces that surfaces where there are any queries executed. We have added a corresponding filter, Data Analytics Workspace In Use (AWS), that can surface resources in use or not in use. A new permission is required: "athena:ListQueryExecutions". [ENG-11930]
• Added visibility into MSK serverless clusters with new filter Stream Instance Serverless Configuration. [ENG-12071]
• Added visibility into the newly supported OpenZFS for FSx. [ENG-12071]
• Added visibility into newly released AWS S3 Object Ownership. A new filter was created to identify S3 buckets based on the value of this property, and the team has also expanded the core Insight Storage Container Without Uniform Bucket Level Access to work across AWS, AWS GovCloud, and AWS China. New Filter: Storage Container Object Ownership (AWS). [ENG-12071]
• Added visibility into the new stream mode property for AWS Kinesis data streams. New filter: Data Stream Mode (AWS). [ENG-12071]
• Added visibility into AWS Recycle Bin Rules. New Action: “Convert Snapshot Storage Tier To Archive”. New Filters: Cloud Region With/Without Recycle Bin Rules (AWS) and Snapshot Storage Tier (AWS). New permissions required: "rbin:GetRule" and "rbin:ListRules" for commercial Standard (Read-Only) Users, "rbin:Get*****" and "rbin:List*****" for GovCloud Read-Only Users, and "rbin:*****" for both commercial and GovCloud Power Users. This new resource can be found under the Storage category as the new Resource type Recycle Bin Rule. [ENG-12041]

MULTI-CLOUD/GENERAL

• The record count column is now sortable when viewing DNS Zones. [ENG-11952]

Insights (21.7.3)

AWSStorage Container Without Uniform Bucket-Level Access - We have broadened this Insight to include AWS. In addition to supporting AWS, the underlying filter can find storage containers with or without uniform bucket-level access. This feature is important because (from the Insight) we recommend using uniform bucket-level access to unify how access is granted to AWS S3 and GCP Cloud Storage resources. Both cloud providers support a uniform permission system. AWS has a capability known as Object Ownership and GCP Cloud Storage has a feature known as uniform bucket-level access. Enabling these features with the correct configuration disables legacy Access Control Lists (ACLs) for the individual objects and ensures that IAM policies control all access to data within the storage containers. [ENG-12162, ENG-12071]

KUBERNETES SECURITY GUARDRAILS 21.7.3 includes over 100 new Insights related to our Kubernetes Security Guardrails feature, launched in 21.7.0. Some are included in our Kubernetes Common Vulnerabilities and Exposures (CVE) Compliance Pack and some are included in our Kubernetes Security Recommended Compliance Pack (comprising both CVE Insights and best practice Insights). Refer to Kubernetes Security Guardrails for additional information. For a complete list feel free to reach out to your CSM or support!

• Added new Kubernetes Insight “CVE-2021-25742” to the Insight Pack “CVEs for Kubernetes and ISTIO” that assists in preventing situations where users with some configuration capabilities upload a custom configuration snippet that could allow access to sensitive information. This insight contains two checks: one can detect an old Nginx version (before this issue was patched) and one can detect a missing configuration, potentially denoting a custom config. Note that Ingress and Nginx-Ingress have an endless number of non-standard deployment structures, so the checks that were added will only detect relatively standard deployments. [ENG-11279]

• Provided a new Compliance Pack, “Kubernetes Security Recommended”, for Kubernetes Guardrails that includes 42 new Kubernetes Insights. These Insights are combined with the 64 existing Insights that are included in the Kubernetes CVE Compliance Pack to offer a more generalized "Best Practices" pack for Kubernetes Security Guardrails. For more information on this feature check out our Kubernetes Security Guardrails documentation. [ENG-10138]

Query Filters (21.7.3)

AWS

• Cloud Region With/Without Recycle Bin Rules (AWS) - New filter supports added visibility into AWS Recycle Bin Rules. [ENG-12041]
• Cold Storage Is Exposed To Public (AWS) - New filter supports expanded resource support around AWS Glacier to add a new public property to Cold Storage resources that can be used to detect if these resources are exposed to the public due to an overly permissive policy. [ENG-12093]
• Data Stream Mode (AWS) - New filter supports added visibility into the new stream mode property for AWS Kinesis data streams. [ENG-12071]
• Distributed Table Class (AWS) - New filter supports additional visibility into Distributed Tables. [ENG-12071]
• Snapshot Storage Tier (AWS) - New filter supports added visibility into AWS Recycle Bin Rules. [ENG-12041]
• Storage Container Object Ownership (AWS) - New filter supports visibility into the newly released AWS S3 Object Ownership. [ENG-12071]
• Stream Instance Serverless Configuration - New filter supports added visibility into MSK serverless clusters. [ENG-12071]

MULTI-CLOUD/GENERAL

• DNS Zone Record Search - New filter identifies DNS Zones that contain one or more supplied DNS records. [ENG-11937]

Infrastructure as Code (IaC) New Support (21.7.3)

• Added CFT support in IaC for resource type Secure File Transfer (i.e., AWS SFTP Server). [ENG-11415]

Bot Actions (21.7.3)

AWS

• “Convert Snapshot Storage Tier To Archive” - New action supports added visibility into AWS Recycle Bin Rules. [ENG-12041]
• “Enable Regional Volume Encryption (Provider Keys)” renamed to “Enable Default EBS Volume Encryption (AWS)” and expanded support to allow for target KMS keys. The action was also updated to work in AWS GovCloud and AWS China. This expanded Bot action is available to Power Users only; it requires new permissions ("ec2:EnableEbsEncryptionByDefault", "ec2:ResetEbsDefaultKmsKeyId, and "ec2:ModifyEbsDefaultKmsKeyId"), all of which are covered in the commercial and GovCloud Power User policies as "ec2:*****". [ENG-11918]
• “Update Distributed Table Class” - New action updates the configured table class for one or more distributed tables. [ENG-12071]

Bug Fixes (21.7.3)

• [ENG-12045] Resolved configuration issue to ensure that Kubernetes Compliance Pack for CVE displays in the Insights Compliance Pack section as expected.
• [ENG-11923] Fixed issue whereby HITrust pack did not always render on compliance pack page.
• [ENG-11643] Fixed an issue with Elasticsearch Instance type information not updating after harvest.
• [ENG-11582] Fixed an issue to correctly reflect namespace name of the impacted/exempt resources in the scorecard exports.

Cloud IAM Governance Bug Fixes (21.7.3)

• [ENG-11932] Fixed issue with deleted resource policy condition when unsupported key is found.

InsightCloudSec Minor Release 21.7.4 includes our rapid response to the Log4Shell vulnerability, which includes updates to AWS and GCP (based on provider recommendations). We have also added visibility into the AWS OpenSearch service, two new Filters, and a new Bot action. This release also provides expanded support for AWS Lambda Layers, EDH support to work with AWS EFS/FSx, and support for storing the Amazon-side Autonomous System Number (ASN) for Transit Gateways. For GCP, we’ve changed the GCP Volume harvester to use Cloud Asset Inventory. This release also contains a total of five new filters, two new Bot actions, and four bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (21.7.4)

MORE ON NEW AWS PERMISSIONS

• "lambda:GetLayerVersionPolicy" and "lambda:ListLayers" support the added visibility into AWS Lambda Layers. [ENG-12300]

Features & Enhancements (21.7.4)

**AWS (Updates Supporting the Log4j Security Issue) **

• Added new WAF query filters to identify WAFs based on version and the presence of specific rules by name. AWS recommends that customers apply two managed rules to all WAF ACLs. We are introducing support for auditing rules by name. Note that these new rules appear to only be available on WAFv2, which is why the version filter has also been included so customers can filter out false positives.

  • To improve detection and mitigation relating to the recent Log4j security issue, customers of CloudFront, Application Load Balancer (ALB), API Gateway, and AppSync can optionally enable AWS WAF and apply two AWS Managed Rules (AMR): AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList.
  • AWSManagedRulesKnownBadInputsRuleSet inspects request uri, body, and commonly used headers, while AWSManagedRulesAnonymousIpList helps block requests from services that allow the obfuscation of viewer identity. You can apply these rules by creating an AWS WAF web ACL, adding one or both rulesets to your web ACL, and then associating the web ACL with your CloudFront distribution, ALB, API Gateway or AppSync GraphQL APIs.
  • We continue to iterate the AWSManagedRulesKnownBadInputsRuleSet Rule Group as we learn more. To receive automatic updates to the AWSManagedRulesKnownBadInputsRuleSet please choose the default version. For customers using AWS WAF Classic, you will need to migrate to AWS WAF or create custom regex match conditions. Customers can use AWS Firewall Manager which enables you to configure AWS WAF rules across multiple AWS accounts and resources from a single place. You can group rules, build policies, and centrally apply those policies across your entire infrastructure.
  • For assistance with any of the capabilities identified above, feel free to reach out to your CSM or our Customer support team through the Customer Support Portal [ENG-12396]

• Added visibility into a property of the AWS OpenSearch service that denotes if the domain requires a service software upgrade. As a part of the Log4Shell vulnerability response, AWS is requiring customers to upgrade their domains to the latest software release. Customers who leverage OpenSearch need to upgrade to {{R20211203-P2}}, as noted at the bottom of this reference. If they don't do it themselves, AWS will automatically update in the next two weeks. [ENG-12363]

  • New Bot action: “Update Elasticsearch Service Software”.

  • Two new query filters: **Elasticsearch/OpenSearch Instance Eligible For Service Software Update (AWS)**and Elasticsearch/OpenSearch Instance Eligible For Specific Service Software Update (AWS).

• Due to customer adoption of repeated deployment of ephemeral Access Keys, we are no longer treating the AWS event "CreateAccessKey" as a suspicious event. Originally, we marked "CreateAccessKey" as suspicious to capture the creation of long-term credentials being used instead of the more secure AssumeRole. The use case of repeated deployment of ephemeral keys makes this approach less useful in identifying events worthy of further investigation and tracking. [ENG-12256]

**GCP (Updates Supporting the Log4j Security Issue) **

• Added visibility into DataProc image creation date to help investigate log4j exposure in GCP. This change introduces a new property that we can use to identify GCP Dataproc clusters that require patching as a part of remediating log4j across customer environments. Additional information can be referenced here. [ENG-12387]

MULTI-CLOUD/GENERAL

• The Zendesk support has been replaced with our in-house support form. Customers can also contact support directly through the unified customer support portal. Check out the Getting Support page for details on all of our support options. [ENG-11603]

Resources (21.7.4)

AWS

• Added support for AWS Lambda Layers. Two new permissions are required for this new resource: "lambda:GetLayerVersionPolicy” and “lambda:ListLayers". [ENG-12300]
• Added a new property to the ContentDeliveryNetworks object so we can store the origin information. This will allow customers to look for ContentDeliveryNetworks which are leveraging TLSv1 and/or TLSv1.1 instead of enforcing TLSv1.2. [ENG-12299]
• We have added inspection of "trusted accounts" to Redshift snapshots, aka, Big Data Snapshots. We have likewise expanded the Bot action "Remove Snapshot/Image Shared Permission From Unknown Account" to include Redshift Snapshots. [ENG-12282]
• Expanded EDH support to work with EFS/FSx and updated our ElasticSearch support to cover the new OpenSearch actions that were introduced earlier this year. Additional information can be found here. [ENG-12239]
• Added support for storing the Amazon-side Autonomous System Number (ASN) for Transit Gateways. The ASN is a private parameter for the Amazon side of a Border Gateway Protocol (BGP) session, which identifies a BGP router. ASNs must be specified when creating an AWS Transit Gateway and cannot be changed later. The range of valid ASNs is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs. The default is 64512. We have also added two filters for Transit Gateways.
  • The first, Transit Gateway Auto Accepts Shared Attachments, allows you to find Transit Gateways that do or do not auto accept shared attachments. If this setting is enabled, then any VPC that attempts to attach to the Transit Gateway will be accepted without requesting authorization and the account that owns the Transit Gateway will not receive a request for authorization.
  • The second filter, Transit Gateway State, surfaces Transit Gateways by their state, e.g., “available”, “modifying”, etc., and can be used to trigger notifications if a Transit Gateway changes from its available state. [ENG-12115]

GCP

• Changed the GCP Volume harvester to use Cloud Asset Inventory. [ENG-9915]

Query Filters (21.7.4)

AWS

• Elasticsearch/OpenSearch Instance Eligible For Service Software Update (AWS) and Elasticsearch/OpenSearch Instance Eligible For Specific Service Software Update (AWS) - These new filters are part of the Log4Shell vulnerability response, supporting the added visibility into a property of the AWS OpenSearch service that denotes if the domain requires a service software upgrade. [ENG-12363]
• Transit Gateway Auto Accepts Shared Attachments - Supports added capability for storing the Amazon-side Autonomous System Number (ASN) for Transit Gateways, allowing you to find Transit Gateways that do or do not auto accept shared attachments. If this setting is enabled, then any VPC that attempts to attach to the Transit Gateway will be accepted without requesting authorization and the account that owns the Transit Gateway will not receive a request for authorization. [ENG-12115]
• Transit Gateway State - Supports added capability for storing the Amazon-side Autonomous System Number (ASN) for Transit Gateways, surfacing Transit Gateways by their state, e.g., “available”, “modifying”, etc., and can be used to trigger notifications if a Transit Gateway changes from its available state. [ENG-12115]

MULTI-CLOUD/GENERAL

• Compute Instance Running Private Image (Regular Expression) - New query filter identifies compute instances running noncompliant images based on the age of the image or a regular expression pattern. [ENG-12301]

Bot Actions (21.7.4)

AWS

• "Remove Snapshot/Image Shared Permission From Unknown Account" - Expanded this Bot action to include Redshift Snapshots. This supports the added inspection of "trusted accounts" to Redshift snapshots, a.k.a. Big Data Snapshots. [ENG-12282]
• “Update Elasticsearch Service Software” - This new Bot action is part of the Log4Shell vulnerability response, supporting the added visibility into a property of the AWS OpenSearch service that denotes if the domain requires a service software upgrade. [ENG-12363]

Bug Fixes (21.7.4)

• [ENG-12302] Fixed an issue with navigating between Insights listing and Insights detail pages.
• [ENG-12229] Fixed a parsing error in Terraform plans with drifted resources.
• [ENG-12095] Fixed a bug related to the browser's page title.
• [ENG-7443] Fixed an issue involving newly added cloud accounts not triggering Bots configured to react to the Resource Created event.

InsightCloudSec Minor Release 21.7.5 continues our rapid response to the Log4Shell vulnerability, including one new GCP query filter and one bug fix.

Query Filters (21.7.5)

GCP

• Web Application Firewall Rules Contain Expression (GCP) - New query filter allows customers to filter WAFs that have rules that match/do not match a phrase or regular expression. [ENG-12403]

Bug Fixes (21.7.5)

• [ENG-12411] Fixed an issue involving rebuilding the instance relationship. Expanded the Crowdstrike Integration to leverage the MAC address and private IP as a fallback mechanism to build the instance relationship. This should dramatically increase efficacy with the filters: Instance With Crowdstrike Falcon Agent Configured and Instance Without Crowdstrike Falcon Agent Configured.

Minor Release 21.7.6 includes added visibility into AWS container vulnerability harvesting, supporting enhanced monitoring (Inspector2). We include a new query filter to support this added visibility. We also include one bug fix.

New Permissions Required (21.7.6)

MORE ON NEW AWS PERMISSIONS

• "ecr:GetRegistryScanningConfiguration", "inspector2:ListCoverage", and "inspector2:ListFindings" support the updated AWS container vulnerability harvesting for enhanced monitoring (Inspector2). [ENG-12499]

Resources (21.7.6)

AWS

• Updated AWS container vulnerability harvesting to support enhanced monitoring (Inspector2). New Filter: Container Registry Scan Type (AWS). New permissions required: "ecr:GetRegistryScanningConfiguration", "inspector2:ListCoverage", and "inspector2:ListFindings". [ENG-12499]

Query Filters (21.7.6)

AWS

• Container Registry Scan Type (AWS) - New filter support the updated AWS container vulnerability harvesting for enhanced monitoring (Inspector2). [ENG-12499]

Bug Fixes (21.7.6)

• [ENG-12498] Fixed an issue that prevented sorting of Clouds.

Minor Release 21.7.7 introduces a collection of bootstrap actions for AWS EMR clusters. This will help identify clusters that are missing specific scripts to harden against vulnerabilities such as Log4shell.

New Permissions Required (21.7.7)

New Insight (21.7.7)

New Insight: Map Reduce Cluster Without Bootstrap Mitigation For CVE-2021-44228 [ENG-12526]

Query Filters (21.7.7)

AWS New Filter: Map Reduce Cluster Bootstrap Actions (AWS), which helps to identify bootstrap actions for AWS EMR clusters missing certain. [ENG-12526]