Mar 09, 2022
InsightCloudSec is pleased to announce Minor Release 22.2.1
InsightCloudSec Software Release Notice - 22.2.1 Minor Release (03/09/2022)
Our latest Minor Release 22.2.1 is available for hosted customers on Wednesday, March 9, 2022. Availability for self-hosted customers is Thursday, March 10, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.2.1)
InsightCloudSec is pleased to announce Minor Release 22.2.1. In this minor release we have added support for two new AWS resources: AWS Storage Gateways and AWS EKS Node Groups. For Azure, this release updates the “ServiceEncryptionKeyVaultHarvester” to determine roles attached to access policies. For GCP, we’ve included visibility into the GCP Access Key status (active/inactive). This release also dramatically reduces the database CPU load for AWS and GCP load balancer harvesting. 22.2.1 includes changes to permissions for all three major cloud service providers AWS, Azure, and GCP (details for each are specified below). Finally, we have also included four new Query Filters and six modified Query Filters, one new Bot action and two updated Bot actions, as well as four bug fixes.
In addition, for our Cloud IAM Governance module, we have details around one feature enhancement and one bug fix.
Contact us through the new unified Customer Support Portal with any questions.
New Permissions Required (22.2.1)
New Permissions Required: AWS
For AWS Standard (Read-Only) Users: “eks:DescribeNodeGroup”, “eks:ListNodeGroups”, “storagegateway:DescribeGatewayInformation”, “storagegateway:ListGateways”
More on AWS Permissions
- “eks:DescribeNodeGroup” and “eks:ListNodeGroups” support the new resource type, AWS EKS Node Groups. [ENG-13797]
- “storagegateway:DescribeGatewayInformation” and “storagegateway:ListGateways” support AWS Storage Gateways. [ENG-14764]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
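Before attaching the supplemental policy it helps to know which of the four new actions an existing read-only policy already grants. The pre-flight check below is an added example, not InsightCloudSec tooling; it assumes the policy document has already been fetched (for example with the AWS CLI) and parsed as JSON, and the sample policy it runs against is constructed.

```python
import fnmatch
import json

# The four actions the 22.2.1 notes add for AWS Standard (Read-Only) users.
NEW_REQUIRED_ACTIONS = ["eks:DescribeNodeGroup", "eks:ListNodeGroups",
                        "storagegateway:DescribeGatewayInformation",
                        "storagegateway:ListGateways"]

def _as_list(value):
    """IAM allows Action and Statement to be a single item or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _statement_matches(statement, action):
    """IAM action names are case-insensitive and accept * and ? wildcards,
    which fnmatchcase reproduces once both sides are lower-cased."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(statement.get("Action")))

def check_actions(policy, required=NEW_REQUIRED_ACTIONS):
    """Classify each required action as 'allowed', 'denied' or 'missing'.
    An explicit Deny beats any Allow, as in IAM. Statements with NotAction or
    a Condition are skipped and Resource is not evaluated, so treat this as a
    pre-flight check, not a replacement for the IAM policy simulator."""
    statements = _as_list(policy.get("Statement"))
    result = {}
    for action in required:
        verdict = "missing"
        for stmt in statements:
            if "NotAction" in stmt or "Condition" in stmt:
                continue
            if _statement_matches(stmt, action):
                if stmt.get("Effect") == "Deny":
                    verdict = "denied"
                    break
                verdict = "allowed"
        result[action] = verdict
    return result

def missing_actions(policy, required=NEW_REQUIRED_ACTIONS):
    """Actions still to be granted before upgrading (missing or denied)."""
    return [a for a, v in check_actions(policy, required).items() if v != "allowed"]

# Constructed sample supplemental policy (not a real customer policy): eks:*
# covers both EKS actions, but an explicit Deny overrides one of them.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["eks:*", "storagegateway:DescribeGatewayInformation"]},
  {"Effect": "Deny", "Resource": "*", "Action": "eks:DescribeNodeGroup"}]}""")
```

Calling `missing_actions(SAMPLE_POLICY)` lists the two actions the sample still lacks; run it against your own policy document to see what the supplemental policy must add.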
Update to Azure Permissions
We are removing “Microsoft.Storage/storageAccounts/listkeys/action” from the Standard (Read-Only) User role permissions list as it is no longer needed. [ENG-14687]
Azure permissions are changing, migrating from Azure AD Graph API to Microsoft Graph API. For the updated feature (“ServiceEncryptionKeyVaultHarvester”) to work successfully, the permission Directory.Read.All from the Microsoft Graph API is required. This permission is added as part of Configuring Microsoft Azure under App registration (see Step 8).
- Note that this document outlines setting up permissions to Azure AD Graph API and not Microsoft Graph API. The Microsoft Graph permission should be added in addition to the Azure AD Graph permission for now, until we’ve finished migrating the rest of the code that uses the old API.
Update to GCP Permissions
The following new permission is required for GCP: “cloudasset.assets.searchAllIamPolicies”
The following permission is no longer required and can be removed: “cloudasset.assets.listIamPolicy”
These changes are part of our continuing updates in support of GCP’s Cloud Asset Inventory. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-14616]
Features & Enhancements (22.2.1)
- API Updates: Displayed list of filters now includes filters that require a feature license; however, users will not be able to view the source code for these filters or use them to create Insights or Bots if they do not have the feature license. [ENG-13108]
- Dramatically reduced the database CPU load for AWS and GCP load balancer harvesting. [ENG-14711]
User Interface (UI) Changes (22.2.1)
- InsightCloudSec will no longer display the New/Updated/Deprecated tags for filters on the Filters page and will be hiding the creation time stamp located on the Filters page. [ENG-14336]
Resources (22.2.1)
AWS
- Added support for AWS Storage Gateways. Storage Gateways are used to facilitate on-premise storage of data. Their configuration can include public access, which is a known security risk. Added the following filters to support compliance/security checks: Storage Gateway Software Expiration Threshold (AWS) and Storage Gateway Associated To Instance Without SSH Key (AWS). Two new permissions are required: “storagegateway:DescribeGatewayInformation” and “storagegateway:ListGateways”. AWS Storage Gateways can be found under the new Resource type Storage Gateway and Resource category Storage on the Resources main page. [ENG-14764]
- Added support for AWS EKS Node Groups. Users should be able to see resource properties and relationships in Resource Listing and Details. In addition, we have included tag support; tag visibility and tag filter functionality are available as well. New permissions required are “eks:DescribeNodeGroup” and “eks:ListNodeGroups”. AWS EKS Node Groups can be found under the Containers category of the Resource page as the new Resource type ‘Container Node Group’. [ENG-13797]
- Updated our load balancer actions (available via Bot and directly from the resource) to persist their changes locally so that their updated properties are reflected immediately rather than waiting for the next resource harvest. This can eliminate unnecessary Bot executions that are triggered by Resource Modified hookpoints. [ENG-14646]
- Added a parent_resource_id property to Instance resources. This additional property, which walks instances back to Autoscaling Groups, now enables support of Query Filters like Parent Resource Contains Tag Key/Value Pair and the Bot action “Mirror Resource Tags From Parent”. [ENG-14662]
AZURE
- Updated the “ServiceEncryptionKeyVaultHarvester” to determine roles attached to access policies. If a value of “unknown” is returned for a role, it can be forced to be scanned again using the environment variable “DIVVY_KEY_VAULT_POLICY_IGNORE_UNKNOWN=1”. [ENG-13403]
- Updated the filter Key Vault Access Is Not Restricted to a Federated Role to consider roles attached to access policies, and provided an option to ignore “unknown” roles in access policies.
- Azure permissions are changing, migrating from Azure AD Graph API to Microsoft Graph API. For the updated feature (“ServiceEncryptionKeyVaultHarvester”) to work successfully, the permission Directory.Read.All from the Microsoft Graph API is required. This permission is added as part of Configuring Microsoft Azure under App registration (see Step 8).
- Note that this document outlines setting up permissions to Azure AD Graph API and not Microsoft Graph API. The Microsoft Graph permission should be added in addition to the Azure AD Graph permission for now, until we’ve finished migrating the rest of the code that uses the old API.
GCP
- Added visibility into GCP Access Key status (active/inactive). [ENG-14724]
Insights (22.2.1)
Insight App Service Not Requiring Authentication
- We have revised the in-product steps around remediation to reflect the latest instructions. [ENG-14667]
- Updated the Insight pack graph under “Show Report Breakdown” to graph the total counts of InsightCloudSec and Custom Insights and combine them for convenience. [ENG-14412]
Query Filters (22.2.1)
AWS
Storage Gateway Software Expiration Threshold (AWS) and Storage Gateway Associated To Instance Without SSH Key (AWS)
- New Query Filters support compliance/security checks related to added support for AWS Storage Gateways. [ENG-14764]
Task Definition Latest Revision (AWS)
- New Query Filter identifies the latest ECS Task Revision. [ENG-9611]
AZURE
Key Vault Access Is Not Restricted to a Federated Role
- Updated Query Filter considers roles attached to access policies, and provides an option to ignore “unknown” roles in access policies. [ENG-13403]
MULTI-CLOUD/GENERAL
Cloud Region Without Default Encryption Enabled
- Updated (and renamed) Query Filter to Cloud Region Without Default/Allow List Encryption Enabled. This change allows users to provide one or more key names/aliases and identify regions that are encrypted with something else. [ENG-14756]
Instance Associated With Internet-Accessible Load Balancer
- New Query Filter identifies Compute instances that are behind an Internet-facing load balancer. These instances generally represent a greater security risk to an organization than internal instances. [ENG-14303]
Load Balancer With SSL Listener and Load Balancer Without SSL Listener
- Updated these two Query Filters to only take application/classic load balancers into consideration. [ENG-12096]
Resource In Cloud With/Without Badge Key/Value
- Query Filter was updated to permit a wildcard option. This option is useful when looking for cloud accounts using cloud organization folder structures. For example, searching for key=cloud_org_path and value=/AcmeBusinessUnit will include all resources in cloud accounts under actual folder /AcmeBusinessUnit and subfolders. [ENG-14729]
Storage Container not Forcing Encrypted Uploads
- This Query Filter was updated to also consider bucket-level encryption. [ENG-14430]
Infrastructure as Code (IaC) New Support (22.2.1)
- Added Secure Socket Layer (SSL) query filter support for Application Load Balancer resources in CloudFormation Templates (CFTs). [ENG-14731]
- Addressed several IaC edge cases related to detecting public access via IAM policies. Both the CFT and Terraform (TF) drivers now use an updated centralized public policy method that increases efficiency. [ENG-13358]
Bot Actions (22.2.1)
AWS
- “Modify Database/Big Data Instance Attribute” - This Bot action was updated to include the option to apply encryption at rest on AWS Redshift clusters using the default provider key. [ENG-14660]
MULTI-CLOUD/GENERAL
- “Create Network Flow Log” - Updated this Bot action to provide the option to define the log format used. [ENG-14705]
- “Force Delete Volume” - New Bot action, accessible via Bot and the resource, permits the forced deletion of a volume, i.e., the action will delete the volume even if it is attached to an instance. [ENG-14585]
Bug Fixes (22.2.1)
- [ENG-14805] Added missing S3 prefix needed for classic load balancer access logging.
- [ENG-14753] Fixed an issue where the Azure CIS 1.4.0 pack was locked.
- [ENG-14752] Fixed a bug related to an integration check when using email to see if a global setting is in place (rather than an ICS organization setting).
- [ENG-11698] Fixed a bug where the Clear Logs button (under System Administration/Logs section) wasn’t removing all system logs in certain situations.
Cloud IAM Governance (Access Explorer) Updates - 22.2.1 Minor Release (03/09/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities. Contact us at Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.2.1)
- Deprecated list_subjects API endpoint. [ENG-13465]
Cloud IAM Governance Bug Fixes (22.2.1)
- [ENG-13436] Revised the behavior for the “ARN” and “Is Ignore” columns to prevent sorting and address an associated key sort error.