InsightCloudSec 22.2.3 Release Notes

Mar 22, 2022

InsightCloudSec is pleased to announce Minor Release 22.2.3

InsightCloudSec Software Release Notice - 22.2.3 Minor Release (03/23/2022)

Our latest Minor Release 22.2.3 is available for hosted customers on Wednesday, March 23, 2022. Availability for self-hosted customers is Thursday, March 24, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Release Highlights (22.2.3)

InsightCloudSec is pleased to announce Minor Release 22.2.3. This release includes a redesign with significant improvements to our filtering (Query Filters) capabilities within the Resources page. We have added harvesting and visibility for two additional properties for AWS Lambda functions (Container Images and Layers), as well as visibility and tag support for AWS SES Domain Identities. For Azure, we have support for Azure CDN Profiles and harvesting of additional service limits from Azure related to “Family vCPUs”. In addition, 22.2.3 includes one updated Insight, one updated Query Filter, seven new Query Filters, one enhanced Bot action, one new Bot action, and six bug fixes.

For our Cloud IAM Governance module, these notes cover improvements to support the PrincipalOrgPaths context key and multiple bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (22.2.3)

New Permission Required: Azure

For Azure Standard (Read-Only) Users: “Microsoft.Cdn/profiles/read”

This new permission is required to support the added visibility and tag support for Azure CDN Profiles. [ENG-9534]

Features & Enhancements (22.2.3)

Redesigned and Enhanced Filtering (Now Query Filters)

Beginning with 22.2.3, InsightCloudSec has introduced some major improvements in how our filtering works:

  • First, we have taken the opportunity to update the naming for our filter capability to “Query Filters”, allowing us to differentiate between the InsightCloudSec feature “Query Filters” and general filtering behavior.
  • Second, selecting “Query Filters” from the Resources page provides access to a redesigned filtering panel. The new Query Filter panel offers a significantly improved experience, easily connecting you with the specific Query Filters you need to explore your cloud footprint, narrow the scope of your displayed resources, and use these scoped results to create Insights and automation.

Check out the revised documentation for complete details on this new feature. [ENG-12118]

OTHER FEATURE ENHANCEMENTS

  • Introduced ability to conditionally filter on the organization_service_id for customer-managed policy lookups. Resolves false positive findings in IaC results. [ENG-15150]
  • Updated the InsightCloudSec integration with InsightVM to allow customers to connect multiple InsightVM accounts through a single integration. [ENG-14409]

User Interface Changes (22.2.3)

  • Updated InsightCloudSec “Filters” to “Query Filters” throughout the platform. [ENG-12140]
  • Changed ‘Clouds’ to ‘Cloud Types’ on Summary/Dashboard page dropdown. Check out the documentation on the Summary Page for additional details. [ENG-10570]

Resources (22.2.3)

AWS

  • Added harvesting and surfacing of two additional properties for AWS Lambda functions: Container Images and Layers. When Lambda functions leverage containers, they may introduce vulnerabilities from the container. When Lambda functions use layers, customers may inadvertently use a layer from an untrusted/unapproved third party. We have added relevant filters (Serverless Function Package Type, Serverless Function Leveraging Layer, and Serverless Function Leveraging Layer From Unknown Account) to improve visibility into these issues. [ENG-15000]
  • Added the property maintenance_actions (already added to AWS RDS instances) to AWS RDS Clusters. [ENG-14968]
  • Added visibility and tag support for AWS SES Domain Identities. [ENG-14943]
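The two Lambda risks described above (container-packaged functions and layers published by unapproved accounts) can also be checked directly against function configurations. The following is an added example, not InsightCloudSec code: it assumes input dictionaries shaped like the Lambda GetFunctionConfiguration response, and the account IDs, function names and `TRUSTED_ACCOUNTS` set are constructed placeholders.

```python
"""Flag Lambda functions that are container-packaged or that pull layers
from accounts outside an approved set. Input dicts follow the shape of the
Lambda GetFunctionConfiguration response; all sample data is constructed."""

TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: your approved layer publishers


def layer_account(layer_arn):
    """Return the publishing account ID from a layer version ARN, or None."""
    # arn:aws:lambda:<region>:<account>:layer:<name>:<version>
    parts = layer_arn.split(":")
    if len(parts) != 8 or parts[2] != "lambda" or parts[5] != "layer":
        return None
    return parts[4]


def audit_function(cfg, trusted=TRUSTED_ACCOUNTS):
    """Return a list of (function, issue, detail) findings for one function."""
    name = cfg["FunctionName"]
    own_account = cfg["FunctionArn"].split(":")[4]
    findings = []
    if cfg.get("PackageType", "Zip") == "Image":
        findings.append((name, "container-image", "scan the image for vulnerabilities"))
    for layer in cfg.get("Layers", []):
        owner = layer_account(layer["Arn"])
        if owner is None:
            findings.append((name, "unparseable-layer-arn", layer["Arn"]))
        elif owner != own_account and owner not in trusted:
            findings.append((name, "layer-from-unknown-account", layer["Arn"]))
    return findings


# Constructed sample configurations (not real accounts or functions).
SAMPLE = [
    {"FunctionName": "orders", "PackageType": "Zip",
     "FunctionArn": "arn:aws:lambda:us-east-1:222222222222:function:orders",
     "Layers": [{"Arn": "arn:aws:lambda:us-east-1:222222222222:layer:utils:4"},
                {"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:agent:12"},
                {"Arn": "arn:aws:lambda:us-east-1:333333333333:layer:helper:1"}]},
    {"FunctionName": "resize", "PackageType": "Image",
     "FunctionArn": "arn:aws:lambda:us-east-1:222222222222:function:resize"},
]

if __name__ == "__main__":
    for cfg in SAMPLE:
        for finding in audit_function(cfg):
            print(finding)
```

Layers owned by the function's own account or by an account in the approved set are not reported; only the third layer of `orders` and the image-packaged `resize` function produce findings.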

AZURE

  • Added harvesting of additional service limits from Azure related to “Family vCPUs”. [ENG-15097]
  • Added visibility and tag support to Azure CDN Profiles. This asset type aligns to the Content Delivery Network resource type within ICS. Note that delete support has not been included in this update. New support will be found under existing resource Content Delivery Network in the Network category. New permission needed: “Microsoft.Cdn/profiles/read”. [ENG-9534]

Insights (22.2.3)

  • Updated Insight descriptions for two Insights: Key Vault Is Not Recoverable (Azure) and Key Vault Is Not Recoverable. [ENG-12661]

Query Filters (22.2.3)

AWS

  • Cloud Event Rule Enabled/Disabled (AWS) - New Query Filter finds CloudWatch Rules that are in an enabled or disabled state. [ENG-14962]
  • Container Cluster Type - Updated this Query Filter to find results for AWS Fargate clusters. [ENG-9622]
  • Added three new Query Filters to support harvesting and surfacing of two additional properties for AWS Lambda functions: Container Images and Layers [ENG-15000]:
    • Serverless Function Package Type
    • Serverless Function Leveraging Layer
    • Serverless Function Leveraging Layer From Unknown Account

AZURE

  • Key Vault Permissions Defined For User Or Unknown - New Query Filter to identify whether the Key Vault user is defined as User or Unknown. [ENG-14506]
  • Resource With Log Analytics Workspace (Azure) - New Query Filter returns resources with a specified Log Analytics workspace name (and the inverse). [ENG-14577]

MULTI-CLOUD/GENERAL

  • Container Image/Task Definition Associated Container Count - New Query Filter finds Container Images and Task Definitions based on the number of associated containers. [ENG-14911]

Infrastructure as Code (IaC) New Support (22.2.3)

  • Updated IaC CloudFormation Template (CFT) parsing to properly scan multiple replication groups if they are supplied in the same template. [ENG-14994]

Bot Actions (22.2.3)

  • Enhanced the Bot action for event “UpdateClusterConfig” to account for delays in AWS process times for Kubernetes updates via EDH. [ENG-14998]
  • “Modify Container Service Desired Task Count” - New Bot action allows users to scale the number of task definitions associated with an ECS Container Service. This action can aid in cost reduction/optimization. [ENG-14912]

Bug Fixes (22.2.3)

  • [ENG-15127] Fixed a bug where malformed resource IDs could occur during IaC analysis.
  • [ENG-15104] Fixed an IaC CFT parsing bug with Load Balancer resources.
  • [ENG-15084] Fixed an issue where a black background made text illegible.
  • [ENG-15082] Fixed a download issue in Firefox & Safari around Bot-identified resources.
  • [ENG-15061] Fixed a typo that impacted our ability to scan Internet Gateway resources in CloudFormation Template IaC.
  • [ENG-15047] Fixed an issue involving Plugins not fully loading on upgrades; Plugin exceptions are now visible under Plugins section and rendered as Failed Plugins.

Cloud IAM Governance (Access Explorer) Updates - 22.2.3 Minor Release (03/23/2022)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.

Contact us at Customer Support Portal with any questions.

Cloud IAM Governance Features & Enhancements (22.2.3)

  • Dramatically improved our calculations that involve NotAction. A note for customers: we deliberately do not support “NotAction” with “Effect: Allow” in the access explorer because this use of NotAction is not a best practice. We want to more specifically call out these statements in the future instead of using them in our broader calculations. See Amazon’s caution on this use of NotAction. [ENG-13319]
  • Made improvements to support PrincipalOrgPaths context key. [ENG-13319]
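Because statements that combine “NotAction” with “Effect: Allow” are left out of the Access Explorer calculations, it helps to locate them in policy documents for separate review. The following is an added example, not InsightCloudSec code: the function names and the sample policy are constructed for illustration.

```python
"""Find IAM policy statements that pair "Effect": "Allow" with NotAction.
The policy document below is constructed for illustration."""
import json


def as_list(value):
    """IAM allows a single item or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_notaction_statements(policy):
    """Return (index, sid, excluded_actions, resources) per matching statement."""
    hits = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            hits.append((i, stmt.get("Sid", ""),
                         as_list(stmt["NotAction"]),
                         as_list(stmt.get("Resource"))))
    return hits


# Constructed policy: one Allow+NotAction statement (flagged), one
# Deny+NotAction statement (not flagged), one ordinary Allow.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "DenyOutsideS3", "Effect": "Deny", "NotAction": ["s3:*"], "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:Get*", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for idx, sid, excluded, resources in allow_notaction_statements(SAMPLE_POLICY):
        print(f"statement {idx} ({sid}): allows everything except {excluded} on {resources}")
```

A flagged statement grants every action except the listed ones on its resources, including actions AWS adds later, which is why these statements merit individual review.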

Cloud IAM Governance Bug Fixes (22.2.3)

  • [ENG-13319] Fixed numerous bugs as part of this release:
    • Fixed a bug that improperly shared state between Organizational Units, so that the Service Control Policies were occasionally impacting the calculation of organizational units to which they were not attached
    • Fixed multiple bugs for NotAction statements, especially when combined with other statements with “Action:*”
    • Fixed KeyError encountered during NotAction analysis
    • Fixed bug for Resource elements that should match log group resources
    • Completed multiple fixes for services without prefixes (like *:Get*)