Apr 05, 2022
InsightCloudSec is pleased to announce Minor Release 22.2.5
InsightCloudSec Software Release Notice - 22.2.5 Minor Release (04/06/2022)
Our latest Minor Release 22.2.5 is available for hosted customers on Wednesday, April 6, 2022. Availability for self-hosted customers is Thursday, April 7, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.2.5)
InsightCloudSec is pleased to announce Minor Release 22.2.5. This Minor Release includes added visibility into AWS CloudTrail resources with/without Insight selectors and added visibility into AWS ECR public repositories. For Azure Public IP, users can now view the SKU type that the IP address uses. This release also updates the Azure ServiceAppHarvester from Azure AD Graph to Microsoft Graph. For GCP Projects, we have added the ability to harvest Single Project badges which were not added as part of an Organization. Release 22.2.5 includes three new Insights, one updated Insight, one new Query Filter, seven updated Query Filters, one new Bot action, and 16 bug fixes.
For our Cloud IAM Governance module, this release includes two bug fixes, detailed at the end of this notice.
Contact us through the new unified Customer Support Portal with any questions.
New Permissions Required (22.2.5)
New Permissions Required: Azure
For Azure Standard (Read-Only) Users: “Microsoft.Security/assessments/*/read”
Note: This permission is added to support display of vulnerabilities for Azure containers. [ENG-14602]
New Permissions Required: AWS
For AWS Standard (Read-Only) Users: “cloudtrail:GetInsightSelectors”, “ecr-public:DescribeImages”, “ecr-public:DescribeRepositories”
For AWS Power Users: “ecr-public:*”
Also for AWS Power Users: 22.2.5 updates the iam permissions in our Power User policy with a lengthy list of specific permissions that ensures forward compatibility and lets Power Users take the actions they need to take now. These permissions can be customized to your specific security requirements. In addition, we are replacing the permission “inspector2:*” with “inspector2:ListCoverage” and “inspector2:ListFindings”. Details can be found in the Power User section of our AWS Policy documentation. [ENG-15425]
More on AWS Permissions
- “cloudtrail:GetInsightSelectors” supports the added visibility into AWS CloudTrail resources with/without Insight selectors. [ENG-10464]
- “ecr-public:DescribeImages” and “ecr-public:DescribeRepositories” for Standard (Read-only) users, as well as “ecr-public:*****” for Power users, support the expanded AWS ECR visibility to public repositories. (This resource is not currently supported for AWS GovCloud.) [ENG-15385]
Note: We recommend that our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
Resources (22.2.5)
AWS
- Added support for capturing the minimum TLS version being enforced for select RDS engine types, and updated the Query Filter Database Instance Minimal TLS Version accordingly. For additional information, see the AWS references Amazon RDS for SQL Server Supports Disabling Old Versions of TLS and Ciphers and Customizing security parameters on Amazon RDS for SQL Server. [ENG-14913]
- Added visibility into AWS CloudTrail resources with/without Insight selectors. The Query Filter API Accounting Insight Selector Configuration can be used to audit specific selectors. A new permission, “cloudtrail:GetInsightSelectors”, is required for this added visibility. [ENG-10464]
- Expanded AWS ECR visibility to public repositories. This visibility requires additional IAM permissions: “ecr-public:DescribeImages” and “ecr-public:DescribeRepositories”. There is no impact for GovCloud, where ECR Public is not supported. [ENG-15385]
- Added the display of Threshold, Comparison Operator, and Period in resource properties for service alarms, e.g., AWS CloudWatch Alarm. [ENG-15410]
- Updated tooltips for two of our harvest jobs (ECS/Fargate harvesting vs. EKS) to clarify which resource types each harvests. [ENG-15322]
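The CloudTrail Insight selector visibility above boils down to one extra API call per trail. The following is an added example (not InsightCloudSec code) of the audit that the new cloudtrail:GetInsightSelectors permission makes possible: list trails with DescribeTrails, call GetInsightSelectors on each, and treat the InsightNotEnabledException that boto3 raises for a trail with Insights switched off as a legitimate "none enabled" answer rather than an error. The FakeCloudTrail class, its trail names and ARNs are constructed so the example runs offline; a real boto3.client("cloudtrail") can be passed in its place.

```python
"""Audit which CloudTrail trails have Insights selectors enabled.

Added example, not InsightCloudSec code. The client only needs the two
boto3-shaped methods describe_trails() and get_insight_selectors(TrailName=);
FakeCloudTrail below is a constructed stand-in so this runs offline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

INSIGHT_TYPES = frozenset({"ApiCallRateInsight", "ApiErrorRateInsight"})


@dataclass(frozen=True)
class TrailInsightStatus:
    name: str
    arn: str
    selectors: FrozenSet[str]      # Insight types enabled on the trail
    error: Optional[str] = None    # set when the lookup failed for a reason other than "Insights off"


def audit_insight_selectors(client) -> List[TrailInsightStatus]:
    """One status per trail. InsightNotEnabledException means 'no selectors';
    any other exception (AccessDenied, throttling) is recorded so the trail is
    never silently reported as clean."""
    statuses = []
    for trail in client.describe_trails().get("trailList", []):
        name, arn = trail["Name"], trail["TrailARN"]
        try:
            resp = client.get_insight_selectors(TrailName=arn)
            enabled = frozenset(s["InsightType"] for s in resp.get("InsightSelectors", []))
            statuses.append(TrailInsightStatus(name, arn, enabled))
        except Exception as exc:  # botocore exception class names match the service error code
            if type(exc).__name__ == "InsightNotEnabledException":
                statuses.append(TrailInsightStatus(name, arn, frozenset()))
            else:
                statuses.append(TrailInsightStatus(name, arn, frozenset(), error=str(exc)))
    return statuses


def classify(statuses: List[TrailInsightStatus], required=INSIGHT_TYPES) -> Dict[str, List[str]]:
    """Bucket trail names: compliant (all required types), partial, disabled, unverified."""
    report = {"compliant": [], "partial": [], "disabled": [], "unverified": []}
    for s in statuses:
        if s.error:
            report["unverified"].append(s.name)
        elif required <= s.selectors:
            report["compliant"].append(s.name)
        elif s.selectors:
            report["partial"].append(s.name)
        else:
            report["disabled"].append(s.name)
    return {k: sorted(v) for k, v in report.items()}


class FakeCloudTrail:
    """Constructed stand-in for boto3.client("cloudtrail"); trails and ARNs are made up."""

    class InsightNotEnabledException(Exception):
        pass

    class AccessDeniedException(Exception):
        pass

    _trails = {
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail": ["ApiCallRateInsight", "ApiErrorRateInsight"],
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/app-trail": ["ApiCallRateInsight"],
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-trail": None,      # Insights never enabled
        "arn:aws:cloudtrail:us-east-1:222222222222:trail/locked-trail": "denied",  # caller lacks GetInsightSelectors
    }

    def describe_trails(self):
        return {"trailList": [{"Name": arn.rsplit("/", 1)[1], "TrailARN": arn} for arn in self._trails]}

    def get_insight_selectors(self, TrailName):
        selectors = self._trails[TrailName]
        if selectors is None:
            raise self.InsightNotEnabledException("Insights not enabled for trail")
        if selectors == "denied":
            raise self.AccessDeniedException("not authorized to perform cloudtrail:GetInsightSelectors")
        return {"TrailARN": TrailName, "InsightSelectors": [{"InsightType": t} for t in selectors]}


if __name__ == "__main__":
    for bucket, names in classify(audit_insight_selectors(FakeCloudTrail())).items():
        print(f"{bucket:11s} {', '.join(names) or '-'}")
```

The "unverified" bucket is the practitioner's check on the permission change itself: a trail that lands there with an access-denied message is exactly the symptom of a Standard (Read-Only) role that has not yet been granted cloudtrail:GetInsightSelectors.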
AZURE
- For Azure Public IP, added visibility into the SKU (Basic or Standard) that the IP address uses. This SKU distinction is roughly analogous to the EC2-Classic vs. VPC distinction for AWS IPs. [ENG-15290]
- ServiceAppHarvester for Azure has been updated from Azure AD Graph (scheduled for retirement in June 2022) to Microsoft Graph. [ENG-13449]
GCP
- Added ability to harvest Single Project badges for GCP Projects which are not added as part of an Organization. Read more on our page about Auto Badging (GCP). [ENG-14374]
- Improved handling of Cloud Asset Inventory (CAI) quota errors by adding backoff period for CAI calls when quota is reached. [ENG-15011]
Insights (22.2.5)
CVE-2022-0811 (CVSS 8.3)
- New Insight provides a check for CVE-2022-0811 (CRI-O container runtime engine vulnerability). The overview for this Insight is: “A flaw introduced in CRI-O version 1.19 which an attacker can use to bypass the safeguards and set arbitrary kernel parameters on the host. As a result, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the ‘kernel.core_pattern’ kernel parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.” [ENG-15192]
CVE-2022-0185 (CVSS 7.8)
- Added check and Insight for CVE-2022-0185, the Linux kernel vulnerability (a heap overflow in the filesystem context parameter parser) that enables attackers to escape containers and get full control over the node. Exploitation requires CAP_SYS_ADMIN, which an unprivileged process can obtain inside a user namespace on hosts where unprivileged user namespaces are enabled, so that setting is worth checking alongside the kernel version. [ENG-13366]
Database Instance Minimal TLS Version
- New Insight is powered by the updated Query Filter Database Instance Minimal TLS Version. The Insight checks whether Database Instances require TLS 1.2 or higher. [ENG-15393]
- Updated the behavior of inspecting findings from the Insight Library. Previously, clicking “Findings” when the count was greater than zero took you to the Resources section to see the resources, along with scoping information related to the Insight. This change makes the experience consistent when the count is zero: you are taken to the Resources section, where zero resources are listed but you still see the Insight’s scoping information, which makes it easier to adjust the Insight to find the resources sought but not found. [ENG-15344]
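The Database Instance Minimal TLS Version check described above is ultimately a function of the instance's DB parameter group. The block below is an added example (not InsightCloudSec's filter implementation) of deriving that minimum from parameters. For SQL Server it reads the per-protocol switches the linked AWS references describe (rds.tls10, rds.tls11 and rds.tls12, each "default", "enabled" or "disabled"), treating "default" as enabled, which is the AWS default. It also checks rds.force_ssl, because a high minimum version means nothing if plaintext connections are still accepted. The PostgreSQL (ssl_min_protocol_version, rds.force_ssl) and MySQL/MariaDB (tls_version, require_secure_transport) branches are my generalization to other engines; the release notes do not say which engines the filter inspects. All parameter sets in the block are constructed.

```python
"""Derive the minimum TLS version an RDS instance accepts, and whether TLS is
forced at all, from DB parameter-group values.  Added example, not product code.
Assumption: a SQL Server rds.tls1x value of "default" (or an absent parameter)
means the protocol is enabled, matching the AWS default.
"""
from typing import Dict, Optional

TLS_VERSIONS = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}


def _on(value: Optional[str]) -> bool:
    # Absent or "default" means AWS's default, which leaves the protocol enabled (assumption above).
    return (value or "default").strip().lower() != "disabled"


def min_tls_version(engine: str, params: Dict[str, str]) -> Optional[float]:
    """Lowest TLS version the instance will negotiate; None when it cannot be
    determined from the parameters, or when no TLS protocol is enabled at all."""
    engine = engine.lower()
    if engine.startswith("sqlserver"):
        for version, key in ((1.0, "rds.tls10"), (1.1, "rds.tls11"), (1.2, "rds.tls12")):
            if _on(params.get(key)):
                return version
        return None
    if engine in ("postgres", "aurora-postgresql"):
        # Default depends on the PostgreSQL major version, so an unset value is "unknown", not 1.0.
        return TLS_VERSIONS.get(params.get("ssl_min_protocol_version", ""))
    if engine in ("mysql", "mariadb", "aurora-mysql"):
        listed = [TLS_VERSIONS.get(v.strip()) for v in params.get("tls_version", "").split(",") if v.strip()]
        listed = [v for v in listed if v is not None]
        return min(listed) if listed else None
    return None


def tls_forced(engine: str, params: Dict[str, str]) -> bool:
    """Whether the engine rejects unencrypted connections."""
    engine = engine.lower()
    if engine.startswith("sqlserver") or engine in ("postgres", "aurora-postgresql"):
        return params.get("rds.force_ssl", "0").strip() == "1"
    if engine in ("mysql", "mariadb", "aurora-mysql"):
        return params.get("require_secure_transport", "0").strip().upper() in ("1", "ON")
    return False


def assess(engine: str, params: Dict[str, str], required: float = 1.2) -> dict:
    """Compliant only when TLS is forced AND the minimum negotiable version is
    known and at least `required`; an unknown minimum is deliberately non-compliant."""
    minimum = min_tls_version(engine, params)
    forced = tls_forced(engine, params)
    return {"min_tls": minimum, "forced": forced,
            "compliant": forced and minimum is not None and minimum >= required}


if __name__ == "__main__":
    samples = {  # constructed parameter sets, not real instances
        "legacy-mssql":   ("sqlserver-se", {}),                                             # all protocols on, TLS optional
        "hardened-mssql": ("sqlserver-se", {"rds.tls10": "disabled", "rds.tls11": "disabled", "rds.force_ssl": "1"}),
        "pg-unpinned":    ("postgres", {"rds.force_ssl": "1"}),                              # forced, but minimum unknown
        "mysql-mixed":    ("mysql", {"tls_version": "TLSv1.1,TLSv1.2", "require_secure_transport": "ON"}),
    }
    for name, (engine, params) in samples.items():
        print(f"{name:15s} {assess(engine, params)}")
```

Returning None for an unknown minimum, and counting it as non-compliant, is the conservative choice: the alternative (assuming the engine default) would mark instances compliant on the strength of a version-dependent default nobody has verified.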
Query Filters (22.2.5)
AWS
Database Instance Minimal TLS Version
- Updated Query Filter now additionally supports AWS, checking whether Database Instances require TLS 1.2 or higher. [ENG-14913]
Network Associated With Virtual Gateway
- New Query Filter allows customers to identify AWS VPCs that are attached to Virtual Private Gateways. As Transit Gateways are the successor to Virtual Private Gateways, customers may want to identify where they have not fully migrated off of them. It also offers the option to identify VPCs that use both Virtual Private Gateways and Transit Gateways. [ENG-14677]
Resource Specific Policy Principal Wildcard Search (AWS)
- Enhanced Query Filter includes a new option to ignore statements in resource-based policies that are protected by Condition properties. The Query Filter is intended to find policy statements that grant overly permissive access; a statement whose wildcard principal is constrained by a Condition is often sufficiently scoped and can be ignored. Note that only conditions that narrow the caller, such as aws:PrincipalOrgID, aws:SourceAccount, aws:SourceArn or aws:SourceVpce, limit who can use the statement; a Condition on aws:SecureTransport or an S3 prefix still leaves “Principal”: “*” open to anyone, so review which statements the option suppresses. [ENG-15059]
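The following is an added example (not the product's Query Filter) of the wildcard-principal search with the "ignore conditioned statements" option, written so that only conditions that bound the caller count as protection. The PRINCIPAL_SCOPING_KEYS set is my choice of condition keys that restrict who may use a statement (organization, account, ARN, VPC endpoint, source IP, user ID); negated operators, Null, ...IfExists, a "*" value and a 0.0.0.0/0 source range are deliberately not treated as restrictions. The S3 bucket policy, bucket name and organization ID are constructed.

```python
"""Flag resource-based policy statements open to any principal, optionally
skipping statements whose Condition genuinely narrows the caller.
Added example, not InsightCloudSec's implementation; key list and sample policy are mine.
"""
import json
from typing import List, Union

PRINCIPAL_SCOPING_KEYS = {  # keys that restrict WHO, not merely HOW (assumed list)
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:userid",
}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_wildcard_principal(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def condition_scopes_principal(condition: Union[dict, None]) -> bool:
    """True if at least one clause restricts the caller to a bounded set."""
    for operator, clauses in (condition or {}).items():
        op = operator.lower()
        # Negated, Null and ...IfExists operators exclude or tolerate absence; they do not bound the caller.
        if "not" in op or op == "null" or op.endswith("ifexists"):
            continue
        for key, values in clauses.items():
            if key.lower() not in PRINCIPAL_SCOPING_KEYS:
                continue
            vals = {str(v) for v in _as_list(values)}
            if "*" in vals or (key.lower() == "aws:sourceip" and vals & OPEN_CIDRS):
                continue  # "any ARN" / "any address" is not a restriction
            return True
    return False


def find_public_statements(policy: Union[str, dict], ignore_conditioned: bool = True) -> List[str]:
    """Sids (or positional labels) of Allow statements open to any principal.
    ignore_conditioned=True mirrors the new filter option."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not has_wildcard_principal(stmt):
            continue
        if ignore_conditioned and condition_scopes_principal(stmt.get("Condition")):
            continue
        hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


SAMPLE_BUCKET_POLICY = {  # constructed S3 bucket policy
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "TlsOnly", "Effect": "Allow", "Principal": "*",           # HTTPS-only, but still anyone
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "AnywhereIp", "Effect": "Allow", "Principal": "*",        # 0.0.0.0/0 is no restriction
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}}},
        {"Sid": "NotFromOrg", "Effect": "Allow", "Principal": "*",        # negated: everyone outside the org
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",       # Deny statements are never findings
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print("public, scoped conditions ignored:", find_public_statements(SAMPLE_BUCKET_POLICY))
    print("every wildcard Allow:             ", find_public_statements(SAMPLE_BUCKET_POLICY, ignore_conditioned=False))
```

Of the five wildcard Allow statements, only OrgOnly drops out when conditioned statements are ignored; TlsOnly, AnywhereIp and NotFromOrg all carry a Condition yet remain world-accessible, which is why "has a Condition" is not by itself a safe suppression rule.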
MULTI-CLOUD/GENERAL
- Added support for API Gateway Stages to the following Query Filters [ENG-10334, ENG-10350]: Application Gateway/Stage Authorizer Caching TTL, Application Gateway/Stage Without Authorizers, and Application Gateway/Stage Authorizer Serverless Listing.
- Updated the Query Filters Resource Encrypted With Provider Default Keys and Resource Encrypted With Keys Other Than Provider Default to more accurately reflect how Azure volumes are encrypted. [ENG-14447]
Bot Actions (22.2.5)
- “Enable Storage Account Default Encryption At Rest” - New Bot action converts Azure Storage Accounts to leverage MMK (Microsoft Managed Keys) for encryption at rest. [ENG-15367]
Bug Fixes (22.2.5)
- [ENG-15397] Fixed a bug that was not removing stale IAM policy documents from the IaC database, which impacted IaC analysis for IAM-based checks.
- [ENG-15357] Updated the Insight Resource Audit Not In Continental US so that it no longer returns Azure’s latest region in the western US, “westus3”.
- [ENG-15323] Fixed an accessibility bug in the Query Filter blade; Escape can now be used to close the dropdown in Query Filters.
- [ENG-15268] Fixed an issue with non-configurable Query Filters that blocked users from being moved to the correct tab on the Resource page.
- [ENG-15248] Fixed a bug around Query Filters persisting across page navigation.
- [ENG-15197] Added error handling for an edge case around the state StorageAccountIsNot Provisioned.
- [ENG-15167] Fixed a bug so that the Query Filter blade no longer automatically reopens when editing a Query Filter for the Resources section.
- [ENG-15023] Fixed an EDH tag processing bug when a single tag is added/updated on an EKS cluster.
- [ENG-14754] Fixed an issue where AWS credentials might expire during long harvest jobs; the fix allows harvesting to retry with fresh credentials before the harvest is marked as failed.
- [ENG-14745] Fixed an issue with the Query Filter Container Image Push/Upload Date by changing its age comparison logic.
- [ENG-14602] Fixed an issue around the display of vulnerabilities for Azure containers. A new permission is required: “Microsoft.Security/assessments/*/read”.
- [ENG-12633] Hardened scheduler response to regions disabled through the harvest strategy.
- [ENG-12506] Fixed a bug where Bots scoped to Cloud Accounts would not trigger on the “Resource Modified” event when account-level changes were made to S3 Block Public Access settings.
- [ENG-10741] Fixed an issue where the Cloud Provider Resource ID Not in List Query Filter timed out.
- [ENG-10469] Fixed multiple bugs related to password reset issues.
- [ENG-9211] Resolved an issue where added clouds might take a day to harvest for the first or second time. The dynamic harvesting setting for a job is now ignored until the job succeeds, or for the first 24 hours after adding the cloud if it fails.
Cloud IAM Governance (Access Explorer) Updates - 22.2.5 Minor Release (04/06/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us at Customer Support Portal with any questions.
Cloud IAM Governance Bug Fixes (22.2.5)
- [ENG-15179] Fixed a bug where the Resource Specific Policy With/Without Specific Conditions (AWS) Query Filter would continue to match resources whose policies had been updated or deleted.
- [ENG-15041] Resolved an Access Explorer issue preventing updating allowlisted cloud accounts if a previously allowlisted account has been deleted.