Mar 15, 2022
InsightCloudSec is pleased to announce Minor Release 22.2.2
InsightCloudSec Software Release Notice - 22.2.2 Minor Release (03/16/2022)
Our latest Minor Release 22.2.2 is available for hosted customers on Wednesday, March 16, 2022. Availability for self-hosted customers is Thursday, March 17, 2022. If you're interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.2.2)
InsightCloudSec is pleased to announce Minor Release 22.2.2. This minor release includes expanded support for Azure Database For MySQL Flexible Servers and Azure Database For PostgreSQL Flexible Servers, added support for AWS resource-specific actions for tagging/untagging resources, and updates for a Jinja2 getter to allow for the inspection of tags associated with resource groups. In addition, 22.2.2 includes two updated Insights, five updated Query Filters, seven new Query Filters, and nine bug fixes.
For our Cloud IAM Governance module, we have one bug fix.
Contact us through the new unified Customer Support Portal with any questions.
New Permissions Required (22.2.2)
**New Permissions Required: Azure**
For Azure Standard (Read-Only) Users:
- "Microsoft.DBforMySQL/flexibleServers/administrators/read"
- "Microsoft.DBforMySQL/flexibleServers/configurations/read"
- "Microsoft.DBforMySQL/flexibleServers/firewallRules/read"
- "Microsoft.DBforMySQL/flexibleServers/keys/read"
- "Microsoft.DBforMySQL/flexibleServers/read"
- "Microsoft.DBforMySQL/flexibleServers/virtualNetworkRules/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/keys/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/read"
- "Microsoft.DBforPostgreSQL/flexibleServers/virtualNetworkRules/read"
These permissions support functionality for the Azure database resources Azure Database For MySQL Flexible Servers and Azure Database For PostgreSQL Flexible Servers. [ENG-13790]
Features & Enhancements (22.2.2)
- Updated the Jinja2 getter get_tag_value to work in coordination with get_parent_resource_group, allowing inspection of tags on a resource's parent resource group. Before this update, using these getters in combination worked as expected only when the resource was a member of a resource group. To use this feature, construct a getter like this: {{resource.get_tag_value(tag_key='Owner', walk_parent_resource_group=True)}}. This getter returns the value of the resource's Owner tag; when the resource has no tag with the key Owner, it checks whether the resource's Resource Group has one and, if so, returns that value. Additional information can be found in our Jinja2 - Reference. [ENG-14924]
- Added one new Bot action and two new resource actions for Azure resources. "Disable Storage Account Public Access" is a new Bot action that disables public access to Azure Blob Containers via the parent Storage Account. "Disable Public Access" and its complement "Enable Public Access" are two new resource actions that can be applied directly to Storage Account resources. [ENG-14835]
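The lookup order the getter update above describes (the resource's own tag first, the parent resource group's tag only when walk_parent_resource_group=True, and no tag at all for a resource outside any resource group) is modelled below as an added example. This is stand-alone illustration code written for this note, not InsightCloudSec's getter implementation; the Resource and ResourceGroup classes, the render_owner helper and the sample inventory are all constructed for the example.

```python
# Added example modelling the documented get_tag_value(walk_parent_resource_group=True)
# behaviour. Not InsightCloudSec code: the classes and sample data are constructed here.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResourceGroup:
    name: str
    tags: dict = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    tags: dict = field(default_factory=dict)
    parent_resource_group: Optional[ResourceGroup] = None

    def get_parent_resource_group(self) -> Optional[ResourceGroup]:
        # None models a resource that is not a member of any resource group,
        # the case that made the pre-update combination of getters fail.
        return self.parent_resource_group

    def get_tag_value(self, tag_key: str, walk_parent_resource_group: bool = False) -> Optional[str]:
        # 1. A tag set directly on the resource always wins.
        if tag_key in self.tags:
            return self.tags[tag_key]
        # 2. Only when explicitly asked do we fall back to the parent resource group.
        if walk_parent_resource_group:
            group = self.get_parent_resource_group()
            if group is not None and tag_key in group.tags:
                return group.tags[tag_key]
        # 3. Neither the resource nor its group (or there is no group): untagged.
        return None


def render_owner(resource: Resource) -> str:
    # Stand-in for a Bot notification template using
    # {{resource.get_tag_value(tag_key='Owner', walk_parent_resource_group=True)}};
    # untagged resources render as "UNKNOWN" instead of a bare "None".
    return resource.get_tag_value(tag_key="Owner", walk_parent_resource_group=True) or "UNKNOWN"


# Constructed sample inventory.
RG_PAYMENTS = ResourceGroup("rg-payments", tags={"Owner": "payments-team", "Env": "prod"})
RG_SCRATCH = ResourceGroup("rg-scratch", tags={})
VM_TAGGED = Resource("vm-api-01", tags={"Owner": "alice"}, parent_resource_group=RG_PAYMENTS)
VM_INHERITS = Resource("vm-api-02", tags={}, parent_resource_group=RG_PAYMENTS)
VM_UNTAGGED = Resource("vm-tmp-01", tags={}, parent_resource_group=RG_SCRATCH)
SUB_POLICY = Resource("policy-assignment-01", tags={}, parent_resource_group=None)

if __name__ == "__main__":
    for r in (VM_TAGGED, VM_INHERITS, VM_UNTAGGED, SUB_POLICY):
        print(f"{r.name}: owner={render_owner(r)}")
```

The point worth noting for policy authors: without walk_parent_resource_group the second VM reads as untagged even though its resource group carries an Owner, so an "untagged resource" Bot built on the plain getter would fire on it.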
User Interface Changes (22.2.2)
- Updated the Clouds Listing page to include Cloud Domain Name and, if applicable, Cloud Domain Nickname as new columns. This information will also be available in the download. [ENG-14850]
Resources (22.2.2)
AWS
- AWS has many resource-specific actions for tagging/untagging resources but is increasing its use of the TagResource and UntagResource as the generalized pattern. We have updated the resilience and efficiency of our support for this generalized approach when processing tagging/untagging events using EDH. [ENG-14936]
AZURE
- We have expanded Azure support to include two new database resources: Azure Database For MySQL Flexible Servers and Azure Database For PostgreSQL Flexible Servers. These added resources are covered in our navigation under the existing Compute category, Database Instance resource type, as Azure SQL Server and Azure Database for PostgreSQL/MySQL/MariaDB. The following permissions are now required [ENG-13790]:
- “Microsoft.DBforMySQL/flexibleServers/administrators/read”,
- “Microsoft.DBforMySQL/flexibleServers/configurations/read”,
- “Microsoft.DBforMySQL/flexibleServers/firewallRules/read”,
- “Microsoft.DBforMySQL/flexibleServers/keys/read”,
- “Microsoft.DBforMySQL/flexibleServers/read”,
- “Microsoft.DBforMySQL/flexibleServers/virtualNetworkRules/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/administrators/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/configurations/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/keys/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/read”,
- “Microsoft.DBforPostgreSQL/flexibleServers/virtualNetworkRules/read”
- Added several properties to Azure Storage Accounts to identify whether they allow SFTP, allow cross-tenant replication, allow shared access keys, or are configured as ADLSv2 (HierarchicalNamespace enabled). Five new Query Filters support this added capability [ENG-14902]:
Storage Account Access Tier (Azure)
Storage Account Configured For Data Lake v2 (Azure)
Storage Account With SFTP Enabled (Azure)
Storage Account With Cross Tenant Replication Enabled (Azure)
Storage Account With Shared Key Access Enabled (Azure)
- Added support for tags for Storage Containers in Azure. [ENG-10444]
Insights (22.2.2)
AWS
- Updated three Insights related to finding active root accounts. In each case, we reduced the scope of the Insight to AWS commercial accounts only, as AWS China and AWS GovCloud do not support root access. Modified Insights are [ENG-14933]:
Cloud Account With Active Root Account
Cloud Root Account API Access Key Present
Cloud Account without Root Account MFA Protection
GCP
- API Keys Not Rotated Within 90 Days: Updated this Insight to add GCP to its supported clouds. [ENG-14972]
Query Filters (22.2.2)
AWS
- Updated three Query Filters related to finding active root accounts. In each case, we reduced the scope of the Query Filter to AWS commercial accounts only, as AWS China and AWS GovCloud do not support root access. Modified Query Filters are [ENG-14933]:
Cloud User Is Root
Cloud Account With MFA Protected Root Account (AWS)
Cloud Account Without MFA Protected Root Account (AWS)
- Resource With Clear Text Secret: Expanded the resource support of this Query Filter to include Build Projects (AWS CodeBuild Projects). We now add the property contains_secrets to Build Project resources, evaluated from their environment variables, and use that property for the Query Filter. [ENG-14818]
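As an added illustration of the kind of evaluation the contains_secrets property on Build Projects implies, the example below scans a CodeBuild project's environment variables for literal secrets. The variable types PLAINTEXT, PARAMETER_STORE and SECRETS_MANAGER are the real CodeBuild API values; everything else (the name pattern, the entropy heuristic, the reference-prefix allowlist and the three sample projects) is constructed for this note and is not how InsightCloudSec computes the property.

```python
# Added example: detect literal secrets in CodeBuild environment variables.
# Not InsightCloudSec code; heuristics and sample projects are constructed here.
import math
import re
from typing import List

# CodeBuild variable types that hold a reference resolved at build time, not the value itself.
REFERENCE_TYPES = {"PARAMETER_STORE", "SECRETS_MANAGER"}

# Constructed name pattern: variable names that usually carry a credential.
SECRET_NAME_RE = re.compile(r"secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking keys score high, words and paths score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    if not value:
        return False
    # Plain references (ARNs, URLs, parameter paths) are not secrets even under a scary name.
    if value.startswith(("arn:", "http://", "https://", "/")):
        return False
    # A credential-style name with any literal value is enough to flag.
    if SECRET_NAME_RE.search(name):
        return True
    # An innocent name hiding a long, high-entropy literal (a key pasted under DEPLOY_CONFIG).
    return len(value) >= 20 and shannon_entropy(value) >= 3.5


def plaintext_secret_names(project: dict) -> List[str]:
    """Names of PLAINTEXT environment variables whose literal value looks like a secret."""
    hits = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("type", "PLAINTEXT") in REFERENCE_TYPES:
            continue  # value is a Parameter Store / Secrets Manager reference, not the secret
        if looks_like_secret(var.get("name", ""), var.get("value", "")):
            hits.append(var["name"])
    return hits


def contains_secrets(project: dict) -> bool:
    return bool(plaintext_secret_names(project))


# Constructed sample projects in the shape of a CodeBuild project's "environment" block.
PROJECT_BAD = {"name": "ci-build", "environment": {"environmentVariables": [
    {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
    {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "type": "PLAINTEXT"},
    {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
]}}
PROJECT_GOOD = {"name": "ci-build", "environment": {"environmentVariables": [
    {"name": "DB_PASSWORD", "value": "/prod/db/password", "type": "PARAMETER_STORE"},
    {"name": "API_TOKEN", "value": "prod/api:token", "type": "SECRETS_MANAGER"},
    {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
]}}
PROJECT_OPAQUE = {"name": "ci-deploy", "environment": {"environmentVariables": [
    {"name": "DEPLOY_CONFIG", "value": "x9Q2mP7vL4sR8kT1wZ6yB3nH5jF0dC", "type": "PLAINTEXT"},
    {"name": "ARTIFACT_BUCKET", "value": "arn:aws:s3:::ci-artifacts", "type": "PLAINTEXT"},
]}}

if __name__ == "__main__":
    for p in (PROJECT_BAD, PROJECT_GOOD, PROJECT_OPAQUE):
        print(p["name"], contains_secrets(p), plaintext_secret_names(p))
```

The type check is the part that matters most: a variable named DB_PASSWORD is fine when its type is PARAMETER_STORE or SECRETS_MANAGER, because the project definition then holds only a reference. The name and entropy heuristics are deliberately noisy; tune them to your own naming conventions before wiring them into a Bot.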
AZURE
- Access List Does Not Have Flow Logs Attached (Azure): New Query Filter finds Azure Access Lists without Flow Logs enabled. This is the inverse of the existing Query Filter Access List Has Flow Logs Attached (Azure). [ENG-14829]
- Added two new Query Filters supporting Big Data Workspace, Database Instance, Memcache Instance, Message Queue, Service Encryption Key Vault, Storage Account, Stream Instance, and Web App resources for Azure [ENG-12968]:
  - Resource Firewall Missing Approved Networks: New Query Filter returns all resources whose firewall rules do not cover every one of the supplied approved networks.
  - Resource Firewall Contains Unapproved Networks: New Query Filter returns all resources whose firewall contains any rule that falls outside the list of supplied approved networks.
- Five new Azure Query Filters support additional properties for Azure Storage Accounts that identify whether they allow SFTP, allow cross-tenant replication, allow shared access keys, or are configured as ADLSv2 (HierarchicalNamespace enabled) [ENG-14902]:
Storage Account Access Tier (Azure)
Storage Account Configured For Data Lake v2 (Azure)
Storage Account With SFTP Enabled (Azure)
Storage Account With Cross Tenant Replication Enabled (Azure)
Storage Account With Shared Key Access Enabled (Azure)
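The two firewall Query Filters listed above are complements, and the added example below shows why both are needed. It is illustration code written for this note, not InsightCloudSec's filter implementation: the approved-network list and the rule set are constructed, and the "start-end" rule form is assumed to mirror the start/end IP addresses Azure database firewall rules are expressed in.

```python
# Added example: the two checks behind "Resource Firewall Missing Approved Networks" and
# "Resource Firewall Contains Unapproved Networks". Not InsightCloudSec code; inputs constructed.
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(values: Iterable[str]) -> List[Net]:
    """Accept CIDRs, single addresses and 'start-end' ranges; ranges become covering CIDRs."""
    nets: List[Net] = []
    for raw in values:
        value = raw.strip()
        if "-" in value:
            # Azure-style start/end rule: expand to the minimal CIDR set that exactly covers it.
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def _covered_by(net: Net, others: List[Net]) -> bool:
    # subnet_of() raises on mixed IPv4/IPv6 operands, so compare versions first.
    return any(net.version == o.version and net.subnet_of(o) for o in others)


def missing_approved_networks(rules: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Approved networks not covered by any rule (a wider rule counts as covering)."""
    rule_nets = parse_networks(rules)
    return [str(net) for net in parse_networks(approved) if not _covered_by(net, rule_nets)]


def unapproved_rules(rules: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Rules not fully contained in some approved network (too-wide rules and 0.0.0.0/0 included)."""
    approved_nets = parse_networks(approved)
    flagged = []
    for rule in rules:
        if not all(_covered_by(piece, approved_nets) for piece in parse_networks([rule])):
            flagged.append(rule)
    return flagged


# Constructed approved list: an office CIDR, one jump host and a partner /24.
APPROVED = ["10.1.0.0/16", "203.0.113.10", "198.51.100.0/24"]

# Constructed rule set for a database instance: one exact match, one range inside the
# partner /24, and one rule far wider than the approved office network.
RULES = ["10.1.0.0/16", "198.51.100.10-198.51.100.20", "10.0.0.0/8"]

if __name__ == "__main__":
    print("missing approved:", missing_approved_networks(RULES, APPROVED))
    print("unapproved rules:", unapproved_rules(RULES, APPROVED))
    # An allow-all rule "covers" every approved network, so the first filter alone would pass it.
    print("allow-all missing:", missing_approved_networks(["0.0.0.0/0"], APPROVED))
    print("allow-all unapproved:", unapproved_rules(["0.0.0.0/0"], APPROVED))
```

The last two lines are the practical caveat: a firewall rule of 0.0.0.0/0 satisfies "contains all approved networks" by construction, so a policy that only uses Resource Firewall Missing Approved Networks will wave through a wide-open database. Pair it with Resource Firewall Contains Unapproved Networks, which flags the allow-all rule and the too-wide 10.0.0.0/8.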
MULTI-CLOUD/GENERAL
- Instance On Subnet With Default Route to Internet: This Query Filter was renamed from Instance On Subnet With Route To Internet Via Gateway. It identifies instances associated with a subnet whose route table's default route directs traffic to the public internet. [ENG-13362]
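The route-table test the renamed Query Filter describes is shown below as an added example. It is illustration code written for this note, not InsightCloudSec's filter, and it uses constructed AWS-shaped data: the route table, subnet, instance and gateway identifiers are made up, and the convention that a default route whose target starts with "igw-" is internet-facing (while "nat-" targets are outbound-only and not flagged) is a design choice of this example.

```python
# Added example: find instances on subnets whose effective route table sends the default
# route (0.0.0.0/0 or ::/0) to an internet gateway. Not InsightCloudSec code; data constructed.
import ipaddress
from typing import List, Optional

DEFAULT_DESTINATIONS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def route_table_for_subnet(vpc: dict, subnet_id: str) -> Optional[dict]:
    """Explicit association wins; a subnet with none inherits the VPC's main route table."""
    for rt in vpc["route_tables"]:
        if subnet_id in rt.get("subnet_ids", []):
            return rt
    for rt in vpc["route_tables"]:
        if rt.get("main"):
            return rt
    return None


def has_default_route_to_internet(route_table: dict) -> bool:
    for route in route_table.get("routes", []):
        # A blackholed default route (its gateway was detached) does not reach the internet.
        if route.get("state", "active") != "active":
            continue
        try:
            dest = ipaddress.ip_network(route["destination"], strict=False)
        except ValueError:
            continue  # prefix-list destinations ("pl-...") are not CIDRs; skip them
        if dest in DEFAULT_DESTINATIONS and route["target"].startswith("igw-"):
            return True
    return False


def instances_on_internet_routed_subnets(vpc: dict) -> List[str]:
    flagged = []
    for inst in vpc["instances"]:
        rt = route_table_for_subnet(vpc, inst["subnet_id"])
        if rt is not None and has_default_route_to_internet(rt):
            flagged.append(inst["id"])
    return flagged


# Constructed VPC. The main route table is the classic misconfiguration: it carries a
# default route to the internet gateway, so any subnet without an explicit association is public.
VPC = {
    "route_tables": [
        {"id": "rtb-main", "main": True, "subnet_ids": [], "routes": [
            {"destination": "10.0.0.0/16", "target": "local", "state": "active"},
            {"destination": "0.0.0.0/0", "target": "igw-0a1b2c3d", "state": "active"},
        ]},
        {"id": "rtb-public", "main": False, "subnet_ids": ["subnet-web"], "routes": [
            {"destination": "10.0.0.0/16", "target": "local", "state": "active"},
            {"destination": "0.0.0.0/0", "target": "igw-0a1b2c3d", "state": "active"},
            {"destination": "::/0", "target": "igw-0a1b2c3d", "state": "active"},
        ]},
        {"id": "rtb-private", "main": False, "subnet_ids": ["subnet-db"], "routes": [
            {"destination": "10.0.0.0/16", "target": "local", "state": "active"},
            {"destination": "0.0.0.0/0", "target": "nat-0f9e8d7c", "state": "active"},
            {"destination": "pl-12345678", "target": "vpce-0abc1234", "state": "active"},
        ]},
        {"id": "rtb-stale", "main": False, "subnet_ids": ["subnet-stale"], "routes": [
            {"destination": "10.0.0.0/16", "target": "local", "state": "active"},
            {"destination": "0.0.0.0/0", "target": "igw-deadbeef", "state": "blackhole"},
        ]},
    ],
    "instances": [
        {"id": "i-web", "subnet_id": "subnet-web"},
        {"id": "i-db", "subnet_id": "subnet-db"},
        {"id": "i-orphan", "subnet_id": "subnet-noassoc"},
        {"id": "i-stale", "subnet_id": "subnet-stale"},
    ],
}

if __name__ == "__main__":
    print(instances_on_internet_routed_subnets(VPC))
```

The instance to watch in the sample is i-orphan: its subnet has no route table association at all, which is easy to read as "no route to the internet", yet it inherits the main table and is therefore public. A filter that only inspects explicitly associated tables would miss it.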
Bot Actions (22.2.2)
- "Disable Storage Account Public Access" - New Bot action disables public access to Azure Blob Containers via the parent Storage Account. We have also added the resource actions "Disable Public Access" and its complement "Enable Public Access" directly to Storage Account resources. [ENG-14835]
- "Toggle Cloud Alarm Actions" - New Bot action allows customers to disable or enable actions associated with specific cloud alarms. For example, if a customer stops their instances every evening at 6pm, they do not need to be notified by an alarm that the instances have stopped, as the state change was planned. In this example, the customer could disable the alarms in the evening and enable them in the morning. [ENG-3401]
Bug Fixes (22.2.2)
- [ENG-14991] Resolves an issue where some S3 bucket properties could be marked as not visible.
- [ENG-14932] Fixed an issue where the Query Filter Cloud Role Scoped To Separate Project (GCP) incorrectly returned GCP-generated Service Accounts that were created in the same project.
- [ENG-14923] Fixed an issue with the Bot action "Enable Regional AWS Config Recorder" so that it uses the correct key when referencing the S3 prefix. This update allows the Bot action to use a prefix instead of defaulting to the bucket's base folder.
- [ENG-14898] Fixed an issue with our two VPC flow log/S3 Query Filters. Updated Network Flow Log Not Logging To Storage Container (AWS) and Network Flow Log Logging To Storage Container (AWS) to take S3 bucket prefixes into consideration. Prior to this change, the filters yielded correct matches when customers logged directly to the bucket's base but failed when logging to a prefix.
- [ENG-14820] Fixed an edge case for the Bot action "Enable Storage Container Logging" that manifested when more than one resource was used.
- [ENG-14779] Resolved a bug around updating resource properties. Changed the way we save resource properties when harvesting new resources on receipt of a create event. By updating resource properties immediately, they are available via Jinja2, e.g. resource.get_resource_property('divvy.creator'), in time to be used when a Bot responds to a creation hookpoint.
- [ENG-14457] Fixed an issue with the Billable Resources graph on the License page that caused the Billable Resources to stop displaying after a certain date.
- [ENG-12155] Fixed an error in suspicious event parsing for S3 buckets to correctly handle updates of a single ACL grant.
- [ENG-11986] Fixed the name variable for SecureFileTransfer resources during IaC scanning.
Cloud IAM Governance (Access Explorer) Updates - 22.2.2 Minor Release (03/16/2022)
**The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.**
Contact us at Customer Support Portal with any questions.
Cloud IAM Governance Bug Fixes (22.2.2)
- [ENG-14723] Resolved a display issue in the IAM Policy Explorer where the search icons were not rendering properly.