Feb 08, 2022
InsightCloudSec is pleased to announce Minor Release 22.1.3
InsightCloudSec Software Release Notice - 22.1.3 Minor Release (02/09/2022)
Our latest Minor Release 22.1.3 is available for hosted customers on Wednesday, February 9, 2022. Availability for self-hosted customers is Thursday, February 10, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.1.3)
InsightCloudSec is pleased to announce Minor Release 22.1.3. This minor release includes a new Compliance Pack for AWS Foundational Security Best Practices. We have enhanced our support for one AWS resource (AWS’ updated SQS offering of encryption using Managed SSE) and one GCP resource (GCP Cloud Run). In addition, this release includes three new Insights, three new Query Filters and one enhanced Query Filter, two new Bot actions and two enhanced Bot actions, and nine bug fixes.
- This release does not contain any updates for our Cloud IAM Governance module.
- Contact us through the new unified Customer Support Portal with any questions.
Important Notices for 22.1.3
Azure EDH for Self-Hosted Customers
As of this release (22.1.3), Azure EDH is not supported for self-hosted customers unless you are using our Fargate ECS via Terraform deployment method.
If you are a self-hosted InsightCloudSec customer, reach out to us through your CSM or the Customer Support Portal before enabling and getting started with the configuration of this feature.
Compliance Scorecard Export Changes
This notice is for users working with Compliance Scorecard exports. In an effort to provide more meaningful reporting and data, InsightCloudSec is replacing an existing Compliance Scorecard export field. Details are as follows:
- Insight First Identified At (this field currently provides the date we first identified noncompliance)
22.1.3 replaces this export field with the following:
- Noncompliance Identified On (this field will provide the most recent date when noncompliance was identified)
This change is enabled by default in 22.1.3 through a feature flag. If you have concerns specific to your environment or other custom configurations, it can be disabled by request. For any questions on this pending update, reach out to your CSM or to customer support through the new unified Customer Support Portal. [ENG-12871]
Permissions (22.1.3)
AWS GovCloud Read-Only Permissions
For AWS GovCloud Read-Only Users:
- Remove: “s3:Get*”
- Add: “s3:GetAccess*”, “s3:GetAccountPublicAccessBlock”, “s3:GetBucket*”, “s3:GetEncryptionConfiguration”, “s3:GetLifecycleConfiguration”, “s3:GetReplicationConfiguration”
Note: 22.1.3 replaces the permission “s3:Get*” in the GovCloud Read-Only policy with the more explicit permissions “s3:GetAccess*”, “s3:GetAccountPublicAccessBlock”, “s3:GetBucket*”, “s3:GetEncryptionConfiguration”, “s3:GetLifecycleConfiguration”, and “s3:GetReplicationConfiguration”. Given the sensitivity around “s3:Get*”, we suggest customers remove “s3:Get*” from the GovCloud Read-Only policy and replace it with the more explicit s3 permissions noted here. [ENG-13283]
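The permission swap above, as an added example (not InsightCloudSec code): a small script that locates the broad “s3:Get*” action in an IAM policy document and rewrites it to the explicit read actions listed in this notice, so the change can be checked before it is applied. The policy shape is the standard IAM JSON document; the sample policy is constructed for illustration.

```python
import copy
import json

# Explicit s3 read actions that 22.1.3 substitutes for the broad "s3:Get*"
# wildcard in the GovCloud Read-Only policy (list taken from the release notice).
EXPLICIT_S3_READ_ACTIONS = [
    "s3:GetAccess*",
    "s3:GetAccountPublicAccessBlock",
    "s3:GetBucket*",
    "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetReplicationConfiguration",
]

def _as_list(value):
    """IAM allows "Statement" and "Action" to be a single item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def find_broad_s3_get(policy):
    """Return the indexes of Allow statements that grant the broad "s3:Get*" action."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "s3:Get*" in actions:
            hits.append(idx)
    return hits

def narrow_s3_get(policy):
    """Return a copy of the policy with "s3:Get*" replaced by the explicit actions.
    Other actions in the same statement are preserved; duplicates are not added."""
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"] = _as_list(new_policy.get("Statement", []))
    for idx in find_broad_s3_get(new_policy):
        stmt = new_policy["Statement"][idx]
        actions = [a for a in _as_list(stmt["Action"]) if a != "s3:Get*"]
        for explicit in EXPLICIT_S3_READ_ACTIONS:
            if explicit not in actions:
                actions.append(explicit)
        stmt["Action"] = actions
    return new_policy

# Constructed sample: a minimal read-only policy that still carries the broad wildcard.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:Get*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(narrow_s3_get(SAMPLE_POLICY), indent=2))
```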
GCP
Added permissions related to in-progress support for Google Cloud Asset Inventory. Our full support of this feature will be announced when available. New permissions are:
- cloudasset.assets.listResource
- cloudasset.assets.listIamPolicy
Additional information around these permissions can be found on our Projects (GCP) page. [ENG-12425, ENG-12898]
Features & Enhancements (22.1.3)
AWS Foundational Security Best Practices Compliance Pack
We are supporting a new compliance framework from AWS called Foundational Security Best Practices. This change aggregates & organizes the Insights that support the framework into a Pack. Additional information can be referenced at AWS Foundational Security Best Practices controls - AWS Security Hub. [ENG-13088]
Other
- Added the ability to use existing Custom Packs as the source when creating a new Custom Pack. This change makes it easier to refine or revise Custom Packs over time without having to build from scratch or baseline off BackOffice Packs as the source. [ENG-13117]
- Updated our Jira integration to more flexibly work with different issue types, e.g., Story, Task, etc. [ENG-12964]
Resources (22.1.3)
AWS
- Updated our encryption at rest detection for Message Queues to match Amazon’s updated SQS offering of encryption using Managed SSE. [ENG-13327]
GCP
- Added harvesting of the ingress configuration for GCP Cloud Run resources and a corresponding filter, App Run Service Ingress Configuration (GCP), to match Cloud Run resources based upon their ingress configuration. [ENG-13257]
Insights (22.1.3)
AWS
- New AWS Foundational Security Best Practices - Compliance Pack - The AWS Foundational Security Best Practices Pack is a group of Insights that align with the AWS Foundational Security Best Practices standard. This standard is a set of controls that detect when your deployed AWS accounts and resources deviate from security best practices. We will continue to expand this pack in future releases; for 22.1.3 this pack contains more than 60 Insights. Read more about the new Compliance Pack on the summary page.
- Container Service With Auto Assign Public IP - New Insight supports AWS’s Foundational Security Best Practices. When a container service has a public IP assigned to it, it may be accessible from the Internet. If it is accessible from the Internet, it may allow unapproved access to the container application. We recommend disabling the auto-assign public IP setting for container services and removing public IPs from existing container services unless there is a clear use case supporting public access. [ENG-13115]
- Encryption Key with Pending Deletion (AWS) - New Insight identifies KMS keys that are in a state of pending deletion or scheduled to be destroyed. [ENG-13332]
- Systems Manager Document Publicly Accessible - New Insight identifies Systems Manager documents that are publicly accessible. [ENG-13337]
Query Filters (22.1.3)
AWS
- Resource Trusting Unknown Account - This Query Filter was enhanced for Storage Containers, updating how AWS-owned accounts are included as known accounts. [ENG-13098]
GCP
- App Run Service Ingress Configuration (GCP) - New Query Filter that matches Cloud Run resources based upon their ingress configuration, which is now harvested for GCP Cloud Run resources. [ENG-13257]
MULTI-CLOUD/GENERAL
- Access List Rule Network Prefix (Security Group) - New Query Filter identifies security group rules that exceed a selected prefix size. The filter can be used to identify security groups with overly large network access. [ENG-13131]
- Public IP In Use - New Query Filter identifies public IP addresses which are in use. [ENG-13242]
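The prefix-size check that the Access List Rule Network Prefix filter performs, as an added example (not the product's own implementation): rules whose source range is wider than the selected prefix size are flagged, and security-group references without a CIDR are skipped. The rule dictionaries are constructed for illustration, and the separate IPv4/IPv6 thresholds are an assumption of this example.

```python
import ipaddress

# Constructed sample rules: one CIDR source, bare address or security-group
# reference per rule, in the shape a harvester might store them.
SAMPLE_RULES = [
    {"group": "sg-web", "port": 443, "source": "0.0.0.0/0"},
    {"group": "sg-web", "port": 22, "source": "203.0.113.0/24"},
    {"group": "sg-db", "port": 5432, "source": "10.0.0.0/8"},
    {"group": "sg-db", "port": 5432, "source": "10.1.2.3"},
    {"group": "sg-app", "port": 8080, "source": "2001:db8::/32"},
    {"group": "sg-app", "port": 8080, "source": "sg-web"},
]

def rule_prefix(source):
    """Return (IP version, prefix length) for a CIDR or bare address source,
    or None when the source is not an IP range (e.g. a security-group reference)."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    return net.version, net.prefixlen

def rules_exceeding_prefix(rules, max_prefix_v4, max_prefix_v6):
    """Return rules whose source range is wider than the selected prefix size.
    A smaller prefix length means a larger network, so a rule exceeds the
    selected size when its prefix length is below the threshold for its family."""
    flagged = []
    for rule in rules:
        parsed = rule_prefix(rule["source"])
        if parsed is None:
            continue  # referenced security group, no network prefix to compare
        version, plen = parsed
        threshold = max_prefix_v4 if version == 4 else max_prefix_v6
        if plen < threshold:
            flagged.append(rule)
    return flagged

def groups_with_broad_access(rules, max_prefix_v4=24, max_prefix_v6=64):
    """Collapse flagged rules to the sorted set of security groups that need review."""
    flagged = rules_exceeding_prefix(rules, max_prefix_v4, max_prefix_v6)
    return sorted({r["group"] for r in flagged})

if __name__ == "__main__":
    for rule in rules_exceeding_prefix(SAMPLE_RULES, 24, 64):
        print(f"{rule['group']} port {rule['port']} open to {rule['source']}")
```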
Infrastructure as Code (IaC) New Support (22.1.3)
- Addressed several IaC edge cases related to detecting public access via IAM policies. Both the CFT and TF drivers now use an updated centralized public policy method that improves performance. [ENG-13358]
Bot Actions (22.1.3)
AWS
- “Enable Delivery Stream Encryption” - New Bot action can be used to encrypt AWS Kinesis Firehose resources. [ENG-13042]
- “Modify Airflow Environment Attribute” - New Bot action to update the Web Server mode for Managed Apache Airflow Environments. [ENG-13042]
MULTI-CLOUD/GENERAL
- “Invoke Serverless Function” - Added the ability to skip duplicates when using the Bot action. [ENG-13101]
- “Publish to Notification Topic With Target Selection” - Expanded this Bot action to support resources across all supported clouds. [ENG-12933]
Bug Fixes (22.1.3)
- [ENG-13341] Fixed a bug where an Insight exemption is created for a global Insight from an organization other than the one from which the Insight originated.
- [ENG-13339] Fixed an issue related to harvesting GCP security checks from multiple sources.
- [ENG-13321] Fixed a bug where IaC scans would time out during IaC-related background database operations.
- [ENG-13271] Fixed a bug in the filter Container Image Vulnerability Search to include results with CVE identifiers that also include descriptive text.
- [ENG-13241] Fixed a bug in the Query Filters Resource With Active Layer 7 Protection Enabled and Resource With No Active Layer 7 Protection Enabled to no longer include ephemeral public IP addresses in the evaluation.
- [ENG-13119] Fixed a bug where the IaC scanner would treat some valid CFTs as invalid.
- [ENG-12816] Fixed a bug related to Salesforce Contact us widget form fields to ensure all fields pass data correctly.
- [ENG-12521] Fixed a conditional in the evaluation of the Query Filter Resource Is Associated With Public Subnet.
- [ENG-10753] Resolved issues around Plugins not loading correctly. Refer to our updated documentation on the Plugins Overview page.