InsightCloudSec Software Release Notice - 22.1.2 Minor Release (02/02/2022)

Release Highlights (22.1.2 )

InsightCloudSec is pleased to announce Minor Release 22.1.2. This minor release includes a half dozen feature and resource enhancements, four new Insights, and seven new Query Filters. 22.1.2 also includes one new Bot action, and four bug fixes.

For our Cloud IAM Governance  module, we have details around an important change to the Service Control Policy, one feature enhancement, and one bug fix.

Contact us through the new unified Customer Support Portal  with any questions.

Permissions (22.1.2 )

Features & Enhancements (22.1.2 )

• Added a new Jinja2 getter for container images/instances to include a summary report of CVEs that are associated with the resource in question. Use the following in a bot when inspecting instances or containers: {{resource.get_resource_cves(}). You can also limit CVEs to specific severities by including arguments, e.g., resource.get_resource_cves(severities=['CRITICAL', 'HIGH']). [ENG-13070]

• Added harvesting for AWS Kafka instances from newly supported regions af-south-1 and ap-northeast-3. [ENG-13034]

• Added new boolean properties, Copy Tags To Snapshot and Enhanced Monitoring, to RDS clusters and instances. Both properties are supported by new Query Filters (Database Cluster/Instance Copy Tags To Snapshot Status (AWS) and Database Cluster/Instance Enhanced Monitoring Status (AWS)). Similarly, added new boolean property, Allow Version Upgrade, to Big Data instances. That property is supported by a new Query Filter, too (Big Data Instance With/Without Automatic Version Updates (AWS)).The properties and Query Filters are IaC-supported. [ENG–13036]

• We are now harvesting whether Build Projects that store API access keys do so in plain text. Build Project environment variables can either be stored in plain text, as a parameter store property, or a secrets manager property. If in plain text, they should not include API access keys. Storing those keys in plain text could lead to unintended data exposure and unauthorized access. We have a new Query Filter, Build Project With Plain Text API Access Keys (AWS) to identify those Build Projects. We have a new corresponding Insight, Build Project With Plain Text API Access Keys. [ENG-13050]

• Added “Category” and “Subcategory” fields to ServiceNow integration. [ENG-12857]

Resources (22.1.2 )

AWS

• Added harvesting for AWS Kafka instances from newly supported regions af-south-1 and ap-northeast-3. [ENG-13034]
• We are now surfacing the Cluster ID for AWS RDS database instances in the UI. This addition should make it easier to coordinate work between ICS and AWS for reporting and remediation purposes. [ENG-13019]

Insights (22.1.2 )

AWS

• We have added two Insights that map to AWS’s Foundational Security Best Practices (FSBP) framework, helping our customers secure their CloudFront distributions and track with the compliance framework. These Insights are part of a new Compliance Pack that is currently in progress and will be announced in a future release. [ENG-13011]:

  • Content Delivery Network Without Default Root Object
  • Content Delivery Network Without Origin Access Identity

• Cloud Account Without Global API Accounting And Management Events - This new Insight (and corresponding Query Filter) fits into our upcoming AWS Foundational Security Best Practices pack. Identify accounts without API Accounting Config, such as AWS CloudTrail, enabled across all regions and tracking management events.

  • API Accounting Config records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. It includes API calls made via the management console, SDKs, command line tools, and other cloud services.
  • A multi-region trail helps to detect unexpected activity occurring in otherwise unused regions and helps to ensure logging is enabled for events generated by AWS global services.
  • Finally, retaining management events helps security analysis, resource change tracking, and compliance auditing of control plane operations. [ENG-13031]

• Build Project With Plain Text API Access Keys - Supports the new capability of harvesting whether Build Projects that store API access keys do so in plain text. Build Project environment variables can either be stored in plain text, as a parameter store property, or a secrets manager property. If in plain text, they should not include API access keys. Storing those keys in plain text could lead to unintended data exposure and unauthorized access. We have a new related Query Filter, Build Project With Plain Text API Access Keys (AWS) to identify those Build Projects. [ENG-13050]

Query Filters (22.1.2 )

AWS

• Big Data Instance With/Without Automatic Version Updates (AWS) - Supports the new boolean property added for RDS clusters and instances Allow Version Upgrade. [ENG-13036]
• Build Project With Plain Text API Access Keys (AWS) - New Query Filter identifies Build Projects that store API access keys do so in plain text. [ENG-13050]
• Cloud Account Without Global API Accounting And Management Events (AWS) - New Query Filter (and corresponding Insight) matches cloud accounts without API accounting, e.g., AWS CloudTrail, enabled across all regions with management events included nor are they members of organizations with a similar organization-wide API accounting enabled. [ENG-13031]
• Content Delivery Network Not Using ACM Managed Certificate (AWS) - New filter for Content Delivery Networks finds AWS CloudFront Distributions which do not use an ACM certificate. [ENG-13072]
• Content Delivery Network With/Without Default Root Object - New Query Filter supports CDNs handling use cases where the root URL is requested instead of an object in the distribution. When this happens, specifying a default root object can help avoid exposing the contents of your web distribution. [ENG-12977]
• Database Cluster/Instance Copy Tags To Snapshot Status (AWS) - Supports the new boolean properties added for RDS clusters and instances CopyTagsToSnapshots and Enhanced Monitoring. [ENG-13036]
• Database Cluster/Instance Enhanced Monitoring Status (AWS) - Supports the new boolean properties added for RDS clusters and instances CopyTagsToSnapshots and Enhanced Monitoring. [ENG-13036]

Bot Actions (22.1.2 )

• “Remove From Data Collection” - This new Bot action makes curating a Data Collection easier and more readily automated. [ENG-13022]

Bug Fixes (22.1.2 )

• [ENG-12773] Fixed scheduled harvest for certain long-running tasks in parallel accounts.
• [ENG-10371] Fixed a bug where NAT Gateway Public IPs were not included in the Query Filter Public IP Orphaned.
• [ENG-10783] Fixed Query Filter Instance and Autoscaling Launch Configuration Image Owner Account (AWS), which was returning incorrect results. Cloud IAM Governance (Access Explorer) Updates - 22.1.2 Minor Release (02/02/2022)

Cloud IAM Governance Features & Enhancements (22.1.2 )

• Enabled the parallel cache build by default. This change requires p3 workers to be configured on customer environments. (For SaaS or existing IAM customers there is no impact). For customers that are self-hosted and interested in deploying IAM you will need to ensure that you have the correct components before deploying, as usual reach out to your CSM or support with any questions. [ENG-6644]

Cloud IAM Governance Bug Fixes (22.1.2 )

• [Eng-12806] Fixed a bug causing exports from the Access Explorer to crash.