Jan 26, 2022
InsightCloudSec is pleased to announce Minor Release 22.1.1
InsightCloudSec Software Release Notice - 22.1.1 Minor Release (01/26/2022)
Our latest Minor Release 22.1.1 is available for hosted customers on Wednesday, January 26, 2022. Availability for self-hosted customers is Thursday, January 27, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.1.1)
InsightCloudSec is pleased to announce Minor Release 22.1.1. This minor release includes enhanced support for AWS DataSync Task, as well as GCP DataProc Clusters and Cloud Run services. 22.1.1 includes two new Insights, four enhanced Insights, two new query filters, nine enhanced query filters, and two updated Bot actions. In addition, this release also includes seven bug fixes.
- Refer to this link for details on 22.1.0, our first Major Release of 2022.
Compliance Scorecard Export Changes
This notice is for users working with Compliance Scorecard exports. In an effort to provide more meaningful reporting and data, InsightCloudSec will be replacing an existing Compliance Scorecard export field; details are as follows:
- Insight First Identified At (this field currently provides the date we first identified noncompliance)
In a future release (approximately two releases from now in 22.1.3) we will be replacing this export field with the following:
- Noncompliance Identified On (this field will provide the most recent date when noncompliance was identified)
When released, this change will be enabled through a feature flag by default. If you have concerns specific to your environment or other custom configurations, it can be disabled by request.
For any questions on this pending update, reach out to your CSM or to customer support through the new unified Customer Support Portal.
New Permissions Required (22.1.1)
AWS Permissions
Note: 22.1.1 removes the permission “ssm:GetParameter” from our Standard (Read-Only) policy because it is not required for harvesting resources or for regular operations. It is required for a specific integration, which should be addressed on a case-by-case basis. Given the sensitivity around the permission, we suggest customers remove it if they have added it. [ENG-12891]
For AWS Standard (Read-Only) Users: “datasync:ListLocations”
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
MORE ON NEW AWS PERMISSION
- “datasync:ListLocations” supports the updated data model for DataSyncTask resources referencing the location URI instead of the ARN. The location URI provides additional value by clarifying whether the location is an S3, EFS, or NFS resource. [ENG-12965]
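The two permission changes above (drop ssm:GetParameter from the Standard Read-Only policy, add datasync:ListLocations) are easy to verify against a customer-maintained policy document before and after editing it. The following Python is an added example and is not InsightCloudSec's own tooling; it resolves an action against an IAM-style policy document (Allow/Deny statements with `*` wildcards, explicit Deny winning) and reports which of the listed actions are still granted or still missing. The sample policy is constructed for illustration, and the helper names (`action_allowed`, `audit_policy`) are assumptions of this example.

```python
import fnmatch
import json

# Constructed sample policy (not a real InsightCloudSec policy): it still
# carries ssm:GetParameter from an earlier customisation and does not yet
# grant the new datasync:ListLocations permission.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "s3:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"},
    ],
})


def _as_list(value):
    # IAM allows "Action"/"Statement" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns use '*' as a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_json, action):
    """Return True if the policy grants `action`: at least one matching Allow
    and no matching explicit Deny. Only "Action" is evaluated; "NotAction",
    resource scoping and conditions are out of scope for this example."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow, regardless of order
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def audit_policy(policy_json,
                 removed=("ssm:GetParameter",),
                 required=("datasync:ListLocations",)):
    """Report actions that should be removed (still granted) and actions
    that the release now requires but the policy does not grant."""
    return {
        "remove": [a for a in removed if action_allowed(policy_json, a)],
        "missing": [a for a in required if not action_allowed(policy_json, a)],
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against a policy document exported with `aws iam get-policy-version` (or any inline policy JSON) to confirm the cleanup before attaching the updated policy; a non-empty `remove` list means the sensitive permission is still granted somewhere in that document.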
User Interface Changes (22.1.1)
- Added the ability to sort by the severity/notes columns in the Insight Exemptions listing. [ENG-12970]
Resources (22.1.1)
AWS
- We have updated the data model for DataSyncTask resources to reference the location URI instead of the ARN. The location URI provides additional value by clarifying whether the location is an S3, EFS or NFS resource. New permission required is “datasync:ListLocations”. [ENG-12965]
GCP
- We are harvesting additional properties for GCP Dataproc Clusters and Cloud Run services which can impact the public accessibility of the resources. These properties allow us to provide two new query filters (App Runner Service Is/Is Not Exposed To Public (GCP) and MapReduce Cluster IP Configuration (GCP)) and enhance a third query filter, Resource Is Exposed To Public. [ENG-12866]
Insights (22.1.1)
AWS
AWS Credential Exfiltration Detection
- New Insight triggers when AWS GuardDuty identifies credential exfiltration inside/outside of AWS. Note that this will only work on an installation that is connected to an AWS account with GuardDuty enabled. [ENG-12989]
AZURE
Web App Allowing a Configuration State of All Allowed
- This new Insight identifies Web Apps with a configuration state of All Allowed. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text, which would then grant them full control of the code base of the app or service. If file transfer protocol (FTP) is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps. [ENG-12599]
GCP
- Added GCP support for 2 container image Insights [ENG-12637]:
Container Image With Critical Severity Vulnerability
- The underlying filter, Container Image Vulnerability Severity Search, already supports GCP.
Container Image With High Severity Vulnerability
- The underlying filter, Container Image Vulnerability Severity Search, already supports GCP.
Machine Learning Instance With Direct Internet Access Enabled
- This Insight was updated to include GCP support. The underlying filter, Machine Learning Instance Direct Access, already has GCP support as of 22.1.0. [ENG-12958]
MULTI-CLOUD/GENERAL
Database Instance Publicly Accessible was renamed to Database Instance With Internet Routable IP Address
- This Insight was renamed to better reflect what it actually does. [ENG-12830]
Query Filters (22.1.1)
AZURE
- Modified two query filters to support Distributed Table resources [ENG-11704]:
Resource Allows Access From Unapproved Networks (Azure)
Resource Allows Access From Unapproved Subnets (Azure)
GCP
- We have expanded coverage of four existing Cache Instance filters to include GCP. The expanded filters are [ENG-12858]:
Cache Instance Auth Token Disabled
Cache Instance Auth Token Enabled
Cache Instance Transit Encryption Enabled
Cache Instance Transit Encryption Disabled
- Added two new query filters to support harvesting additional properties for GCP Dataproc Clusters and Cloud Run services which can impact the public accessibility of the resources [ENG-12866]:
App Runner Service Is/Is Not Exposed To Public (GCP)
MapReduce Cluster IP Configuration (GCP)
MULTI-CLOUD/GENERAL
Database/Big Data/Broker Instance With Internet Routable IP Address was renamed to Database/Big Data/Broker Instance Is Publicly Accessible and its description updated to better reflect what the filter does. [ENG-12830]
Database/Big Data/Broker Instance Without Internet Routable IP Address was renamed to Database/Big Data/Broker Instance Is Not Publicly Accessible and its description updated to better reflect what the filter does. [ENG-12830]
Resource Is Exposed To Public
- Updated query filter to broaden existing support. [ENG-12866]
Bot Actions (22.1.1)
AZURE
- Expanded support for the Bot action “Modify Database/Big Data Instance Attribute” to include enabling or disabling public access for Azure resources. Previously, the action supported only AWS resources and, for some actions, AWS Redshift. [ENG-12966]
MULTI-CLOUD/GENERAL
- “Send Email Summary With CSV” - Updated this Bot action to include in the CSV the cloud-native name for the resource type. For example, we include a column that will mark ICS storage containers as:
- S3 Bucket when AWS
- Blob Storage Container when Azure
- Cloud Storage when GCP
- Object Storage Bucket when AliCloud
- Object Storage Bucket when Oracle
This change should make it easier for non-ICS users to understand information they receive from ICS. [ENG-12931]
Bug Fixes (22.1.1)
- [ENG-12995] Fixed a bug where resources pending deletion were showing in a Bot’s noncompliance view.
- [ENG-12962] Fixed a bug in the compliance scorecard export where the severity name was incorrectly reflected on Insights.
- [ENG-12885] Fixed an issue where filters might fail to detect an integration agent’s existence.
- [ENG-12870] Resolved an issue where the identified_at column would not display Insight findings for Access List Rule Open to World.
- [ENG-12706] Fixed an issue involving Resource Search on the Insight Findings/Results page.
- [ENG-12571] Resolved an issue where GCP Storage Containers failed to display as public.
- [ENG-12697] Fixed an issue where tags and badges in scorecard exports were overriding the Insight link column.