Feb 15, 2022
InsightCloudSec is pleased to announce Minor Release 22.1.4
InsightCloudSec Software Release Notice - 22.1.4 Minor Release (02/16/2022)
Our latest Minor Release 22.1.4 is available for hosted customers on Wednesday, February 16, 2022. Availability for self-hosted customers is Thursday, February 17, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.1.4)
InsightCloudSec is pleased to announce Minor Release 22.1.4. This minor release includes improved exception handling for Service Control Policies (SCPs), added support for IAM Policies and their attachments to Identity resources, and expanded Event-Driven Harvesting support for AWS Systems Manager Parameter Store events (normalized as Stored Parameters). This release includes one new Insight and nine revised Insights whose names reflect the renaming of Azure Defender/Azure Security Center to Microsoft Defender for Cloud. 22.1.4 also adds three new Query Filters, updates to ten Query Filters, two new Bot actions, and fixes for eight bugs.
In addition, for our Cloud IAM Governance module, we have details on six feature enhancements and two bug fixes.
Contact us through the new unified Customer Support Portal with any questions.
User Interface Changes (22.1.4)
- Users can now download all the resource details data as a JSON file in the resource blade. [ENG-11774]
Resources (22.1.4)
AWS
- Expanded our Event-Driven Harvesting support for additional events related to AWS Systems Manager Parameter Store (normalized as Stored Parameters). Now you can capture the DeleteParameter, DeleteParameters, and PutParameter events in near real time and build Bots that generate appropriate notifications. [ENG-13479]
- Improved exception handling with respect to Service Control Policies (SCPs). Separated ECS/Fargate harvesting from EKS. This helps separate our harvesting strategies and handle SCPs that deny one resource type but allow the other. [ENG-13448]
- Added support for IAM Policies and their attachments to Identity resources. [ENG-13393]
Insights (22.1.4)
AWS
Database Instance Not In Network
- New Insight identifies RDS instances without a VPC configuration. [ENG-13346]
AZURE
- Updated names throughout InsightCloudSec to reflect the changes made by Azure in renaming Azure Defender/Azure Security Center to Microsoft Defender for Cloud (in both our Query Filters and Insights). The following Insights were renamed [ENG-13281]:
- Cluster With Azure Defender Disabled to Cluster With Microsoft Defender for Cloud Disabled
- Container Registry With Azure Defender Disabled to Container Registry With Microsoft Defender for Cloud Disabled
- Database With Azure Defender Disabled to Database With Microsoft Defender for Cloud Disabled
- DNS Zone With Azure Defender Disabled to DNS Zone With Microsoft Defender for Cloud Disabled
- Key Vault With Azure Defender Disabled to Key Vault With Microsoft Defender for Cloud Disabled
- Instance With Azure Defender Disabled to Instance With Microsoft Defender for Cloud Disabled
- Storage Container With Azure Defender Disabled to Storage Container With Microsoft Defender for Cloud Disabled
- Web App With Azure Defender Disabled to Web App With Microsoft Defender for Cloud Disabled
- Contains Insights which apply to Azure Security Center Recommendations to Contains Insights which apply to Microsoft Defender for Cloud Recommendations
GCP
Google Service Account With Admin Privileges
- This Insight was updated to do a wildcard search for Admin and an exact word search for Owner and Editor. [ENG-13447]
Query Filters (22.1.4)
AWS
Identity Resource Exceeds Inline Policy Count (AWS)
- New Query Filter identifies cloud groups, roles, and users that have more than a specified number of inline policies. [ENG-13405]
- Hardened multiple filters to pass on AWS resources when they have malformed resource-based policies [ENG-12714]:
Message Queue Exposing Permissions To Public (AWS)
Notification Topic Exposing Permissions To Public (AWS)
Resource Specific Policy Action/Resource Search (AWS)
Resource Specific Policy Principal/Action Search (AWS)
Resource Specific Policy Principal Wildcard Search (AWS)
Resource Specific Policy Resource Wildcard Search (AWS)
AZURE
Route Table Route Destination Target ID (Azure)
- New Query Filter identifies noncompliant Azure User Defined Routes (UDR). [ENG-13399]
Volume Network Access Configuration (Azure)
- New Query Filter helps find Volumes based on their endpoint type, i.e., public, private, or deny. This supports our harvesting of network access configuration information for Azure disks. [ENG-13376]
GCP
Identity Resource Has Policy
- This Query Filter was updated to include a new option, exact_key_words, so the filter supports a mixture of wildcard and exact matches. [ENG-13447]
Load Balancer With/Without Cloud Armor Policy (GCP)
- This updated Query Filter excludes load balancers using the TCP protocol, as TCP backend resources are not supported by Cloud Armor. [ENG-13395]
Subnet Without Traffic Logging Configured
- Query Filter was revised to evaluate GCP subnets for their purpose. For example, if a GCP subnet is allocated for load balancing, it cannot also be configured with flow logs; those subnets should not be reported as not having traffic logging configured. [ENG-13511]
MULTI-CLOUD/GENERAL
Resource Associated With Transit Gateway
- This Query Filter was updated to include a ‘not in’ option to also surface resources that are not connected with a Transit Gateway. [ENG-13365]
Infrastructure as Code (IaC) New Support (22.1.4)
- Added CFT Infrastructure-as-Code support for SNS Subscriptions. [ENG-12394]
- Updated our Infrastructure-as-Code support to analyze AWS Elasticache Replication Groups. [ENG-12383]
Bot Actions (22.1.4)
AWS
- “Disable Auto Assign Public IP” - New Bot action allows customers to disable the Auto Assign Public IP setting for AWS ECS container services. This Bot action pairs with the existing Insight and Query Filter, Container Service With Auto Assign Public IP, to find and remediate those container services. [ENG-12888]
- “Delete Encryption Key” - New action, available via Bot and resource details, to delete an AWS KMS key. [ENG-13445]
Bug Fixes (22.1.4)
- [ENG-13758] Fixed error related to the value AWS:InstanceFlavorHarvest.
- [ENG-13463] Added the missing permission “Microsoft.Web/sites/privateEndpointConnections/read” to the Standard User custom role for Azure.
- [ENG-13418] Removed unnecessary raising of exceptions when trying to delete a session that no longer exists. This had been causing intermittent failures for IaC.
- [ENG-13364] Fixed an edge case, hardening the billable instance count API endpoint to handle rows with null values.
- [ENG-13361] We have fixed an edge case that can occur when editing an Insight with exemptions. The session could become detached due to NewSession being used for both the Insight modification and exemption cleanup operations.
- [ENG-13311] Fixed an issue in Tag Explorer involving column sorting for tag configurations that use the case insensitive option.
- [ENG-13267] Fixed an issue where legacy Kubernetes containers returned the image tag rather than the digest.
- [ENG-11675] Corrected the email messaging that explains how, in certain scenarios, existing scorecard subscriptions can fail to match any resource scopes.
Cloud IAM Governance (Access Explorer) Updates - 22.1.4 Minor Release (02/16/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us through the Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.1.4)
- We are now using a dot (.) to separate the service and action on the User Actions page to better distinguish between actions and IAM permissions. [ENG-13383]
- For IAM Access Explorer, we have removed the deprecated “Authentication types” API Key and STS Role from the UI when configuring CMDB/EIAM settings. [ENG-12868]
- CloudTrail source REST APIs updated to use IDs instead of names. [ENG-12829]
- GovCloud is now a selectable cloud type within both IAM settings and Cache Calculator. [ENG-13263]
- When navigating through Access Explorer by way of the Applications tab, an “All” option has been added to the Resource type selector. [ENG-13254]
- Deprecated the subjects endpoint and added three new endpoints (users, applications, and resources) in its place. Note that these new endpoints are still in active development and should not be considered stable at this time. [ENG-7922]
Cloud IAM Governance Bug Fixes (22.1.4)
- [ENG-13033] Fixed a bug where Access Explorer was showing all principal types when viewing “Principals having access to Application”.
- [ENG-13033] Fixed a performance issue on the “Principals having Access to Application” view.