Apr 13, 2022

22.2.6 Release Notes

InsightCloudSec Software Release Notice - 22.2.6 Minor Release (04/13/2022)

Our latest Minor Release 22.2.2 is available for hosted customers on Wednesday, April 13, 2022. Availability for self-hosted customers is Thursday, April 14, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Release Highlights (22.2.6)

InsightCloudSec is pleased to announce Minor Release 22.2.6. This Minor Release includes two new GCP resources (GCP Unattended Project Recommendations and GCP Unattended Project Insights), as well as expanded visibility into the recently announced AWS Lambda URL configurations. 22.2.6 includes four new Insights, one updated Insight, seven new Query Filters, one updated Query Filter, one new Bot action, one updated Bot action, and 13 bug fixes. We also provide expanded support for the Bot and resource action “Cleanup Resource Access Policy” to apply this action to additional AWS resources beyond our existing support for S3 buckets and SQS message queues.

For our Cloud IAM Governance module, we have details around one feature enhancement and two bug fixes.

Contact us through the new unified Customer Support Portal with any questions.

New Permissions Required (22.2.6)

New Permission Required: AWS

For AWS Standard (Read-Only) Users: "lambda:GetFunctionUrlConfig"

This new permission supports added visibility to AWS Lambda URL Configurations. [ENG-15632]

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

New Permissions Required: GCP

The following new permissions are required for GCP:

  • "recommender.resourcemanagerProjectUtilizationRecommendations.list"
  • "recommender.resourcemanagerProjectUtilizationInsights.list"

These additions support the added visibility for GCP Unattended Project Recommendations and GCP Unattended Project Insights. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-13414]

Features & Enhancements (22.2.6)

“Cleanup Resource Access Policy” Added to Many AWS Resources

We have added support for the Bot and resource action “Cleanup Resource Access Policy” to many AWS resources (listed below) beyond existing support for two important AWS resources: S3 buckets and Simple Queue Service (SQS) message queues.

The action allows customers to remove public access from resources that are public due to a resource-based access policy. It can be used to strip these resource policies of their public-enabling statements while retaining the rest of the policy. It is a more refined solution than detaching or deleting the resource-based policy, which may have broader access effects than desired.

The action can be taken on individual resources or more systematically as a Bot action, which enables continuous monitoring and enforcement of private-only resource-based access policies. The AWS resources to which this action can now apply (in addition to S3 and SQS) are:

  • AWS Backup Vault (ICS Backup Vault)
  • AWS Cloud Event Bus (ICS Service Event Bus)
  • AWS Cloudsearch Cluster (ICS Search Cluster)
  • AWS ECR (ICS Container Registry)
  • AWS Glacier (ICS Cold Storage)
  • AWS Lambda (ICS Serverless Function)
  • AWS Opensearch (ICS Elasticsearch Instance)
  • AWS Secret (ICS Secret)
  • AWS SNS topics (ICS Notification Topic)
  • AWS VPC Endpoint/Private Link (ICS Network Endpoint)

[ENG-13306]
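The behaviour described above, removing only the statements that make a resource-based policy public while keeping the rest, is illustrated by the following added example. It is not InsightCloudSec code; the queue policy is constructed for the example, and the rule that a wildcard-principal Allow statement carrying a Condition block is retained is an assumption of this example (a production check would inspect the condition keys).

```python
"""
Added example (not InsightCloudSec code): strip the public-enabling statements
out of an AWS resource-based policy while retaining every other statement.
The sample SQS queue policy below is constructed for the example.
"""
import copy
import json


def principal_values(principal):
    """Flatten a Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) into a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():
        values.extend(entry if isinstance(entry, list) else [entry])
    return values


def is_public_statement(statement):
    """An Allow statement whose principal is the wildcard and that carries no
    Condition is treated as public. Statements with a Condition are kept on the
    assumption (this example's simplification) that the condition, e.g.
    aws:SourceArn, scopes who can use the grant."""
    if statement.get("Effect") != "Allow" or "Principal" not in statement:
        return False
    if "Condition" in statement:
        return False
    return "*" in principal_values(statement["Principal"])


def cleanup_resource_access_policy(policy):
    """Return (cleaned_policy, removed_statements). The input policy is not modified."""
    cleaned = copy.deepcopy(policy)
    statements = cleaned.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    kept, removed = [], []
    for statement in statements:
        (removed if is_public_statement(statement) else kept).append(statement)
    cleaned["Statement"] = kept
    return cleaned, removed


# Constructed sample: one public statement, one account-scoped statement, and
# one wildcard statement narrowed by a condition.
SAMPLE_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicSend", "Effect": "Allow", "Principal": "*",
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
        {"Sid": "OwnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sqs:*",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
        {"Sid": "SnsFanout", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
         "Condition": {"ArnEquals": {
             "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:order-events"}}},
    ],
}

if __name__ == "__main__":
    cleaned, removed = cleanup_resource_access_policy(SAMPLE_QUEUE_POLICY)
    print("removed:", [s["Sid"] for s in removed])
    print(json.dumps(cleaned, indent=2))
```

If the cleaned policy ends up with an empty `Statement` list, the remaining document grants nothing; that is the one case where deleting the policy outright and this narrower cleanup have the same effect.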

  • Added the ability to allow Basic Users with a specific role to perform the Delete Cloud action. This permission is separate from the existing permission to Add/Update Clouds. [ENG-15068]
  • Provided an additional state RESOURCE_EXEMPTED to both Bot Factory and Scheduled Events to notify that a scheduled event is no longer actionable due to resources being exempted. [ENG-9947]
  • Extended the reach of Resource Modification hookpoints from users/roles/groups through their attached policies to the policy documents. Now, if a policy document is changed, its modification will propagate to its policy and then onwards to any attached resources (users/roles/groups). [ENG-15551]
  • AzureArmIdentityDetailHarvester has been updated to utilize GraphClient over GraphRBAC (which is being deprecated). Customers should not notice any change to functionality or harvested data. [ENG-13077]

User Interface Changes (22.2.6)

  • Added a slider (top right corner of Resources page) to change resource ordering from horizontal to vertical to gauge customer preference. [ENG-9829]

Resources (22.2.6)

AWS

  • Added visibility to AWS Lambda URL Configurations, which AWS recently announced. Added a new Query Filter Serverless Function URL Configurations to find Lambda functions based upon their URL configuration. Added an Insight Serverless Function URL Configurations Open to the World that looks for Lambda functions with URL configurations where no authorization is required. Added Event-driven Harvesting (EDH) support to discover and harvest any URL configuration-related event within the ICS 60-second EDH cadence. A new permission is required for users: “lambda:GetFunctionUrlConfig”. [ENG-15632]

  • Improved WAF analysis, updating the data model for WAF storage to include rule-related improvements. Three new Query Filters support this update: Web Application Firewall In Use (which supports both AWS and GCP), Web Application Firewall Centrally Managed (AWS), and Web Application Firewall Contains Managed Rule Names (AWS). [ENG-13102]

  • We have updated our EDH event processing to include processing “TagResource” and “UntagResource” events for Container Cluster resources. Now those tagging events are reflected locally and immediately without the need to harvest down resources. [ENG-15524]

GCP

  • Added visibility and support for two GCP resources, GCP Unattended Project Recommendations and GCP Unattended Project Insights. Unattended Project Recommendations can be found in the Compute resource category as part of the new resource type ‘Recommendation’ (machine-generated product and resource usage optimizations). Unattended Project Insights can be found in the Compute resource category as part of the new resource type ‘Recommendation Finding’ (important patterns and details about your resource usage). A new Query Filter Cloud Account with Recommendation Attached (GCP) supports the added visibility for these resources. New permissions are required: "recommender.resourcemanagerProjectUtilizationRecommendations.list" and "recommender.resourcemanagerProjectUtilizationInsights.list". [ENG-13414]

Insights (22.2.6)

AWS

  • AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentials - New Insight helps detect deprecated RDS instances based on AWS Security Bulletin AWS-2022-004. [ENG-15745]
  • Serverless Function URL Configurations Open to the World - New Insight supports added visibility to AWS Lambda URL Configurations. [ENG-15632]

GCP

  • Cloud Account With Cleanup Project Recommendation - New Insight identifies GCP Projects that have a recommendation to cleanup the project. [ENG-15036]
  • Cloud Account With Reclaim Project Recommendation - New Insight identifies GCP Projects that have a recommendation to reclaim the project. [ENG-15036]
  • Serverless Function Exposed to the Public - Removed “(AWS)” from the name of the Insight Serverless Function Exposed to the Public (AWS), as the Insight now also supports GCP; updated the description/remediation notes to include GCP Functions as well. [ENG-15523]

KUBERNETES

  • Added a new Compliance pack to provide a list of related Insights and mapping to the different sections of the recently released National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) Kubernetes Hardening Guide version 1.1. The pack is based on Kubernetes Guardrails Insights, so a prerequisite is that the Kubernetes Scanner (k8s_scanner) is installed on the clusters that are to be assessed. [ENG-15444]

Query Filters (22.2.6)

AWS

  • AWS Security Bulletin - AWS-2022-004 - Information Exposure from RDS Service Credentials - New Query Filter helps detect deprecated RDS instances based on AWS Security Bulletin AWS-2022-004. [ENG-15745]
  • Serverless Function URL Configurations - New Query Filter supports added visibility to AWS Lambda URL Configurations. [ENG-15632]
  • Web Application Firewall Centrally Managed (AWS) - New Query Filter supports updated WAF analysis that includes rule-related improvements. [ENG-13102]
  • Web Application Firewall Contains Managed Rule Names (AWS) - New Query Filter supports updated WAF analysis that includes rule-related improvements. [ENG-13102]
  • Web Application Firewall Rule Name Regular Expression Search (AWS) - New Query Filter matches WAF resources using one or more regular expressions that will search across standard, managed and pre/post rule names. [ENG-13102]

GCP

  • Cloud Account with Recommendation Attached (GCP) - New Query Filter supports the added visibility for GCP Unattended Project Recommendations and GCP Unattended Project Insights. [ENG-13414]

MULTI-CLOUD/GENERAL

  • Network Flow Log Logging To Storage Container - Enhanced Query Filter to support target bucket names for additional validation. [ENG-15521]
  • Web Application Firewall In Use - New Query Filter supports updated WAF analysis that includes rule-related improvements. Query Filter applies to both AWS and GCP. [ENG-13102]

Infrastructure as Code (IaC) New Support (22.2.6)

  • Added support for the following intrinsic CFT functions in IaC scanning:

    • If
    • And
    • Not
    • Or
    • Cidr
    • Sub

    Not supported: Transform and ImportValue. [ENG-15292]

  • Added support for parameter mapping for scanning CloudFormation templates with IaC. Users can provide values both for pseudo parameters and for parameters specified in the template itself. [ENG-15291]

  • Added a new flag --parameters to the CLI scanning tool (mimics), enabling parameter mapping support. [ENG-15462]
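The three items above (intrinsic-function support, parameter mapping, and a parameters flag) describe one procedure: resolve a template's conditions and intrinsic functions under a given set of parameter values before evaluating its resources. The following added example, which is not InsightCloudSec or mimics code, implements that for the functions listed in the notes (If, And, Not, Or, Cidr, Sub), plus the Ref, Fn::Equals and Condition support those functions depend on, and rejects Transform and ImportValue. The template, the pseudo-parameter defaults and the port-22 check are constructed for the example; leaving `${Resource.Attr}` references in Fn::Sub unresolved is a choice made here.

```python
"""
Added example (not InsightCloudSec or mimics code): evaluate CloudFormation
intrinsic functions with parameter mapping, then run a simple check over the
resolved resources. Template and values are constructed for the example.
"""
import ipaddress
import re

# Assumed pseudo-parameter values; a caller can override them like any parameter.
PSEUDO_PARAMETERS = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012",
                     "AWS::Partition": "aws"}


class CfnEvaluator:
    def __init__(self, template, parameters=None):
        self.template = template
        # Parameter mapping: pseudo parameters, then template defaults, then caller values.
        self.values = dict(PSEUDO_PARAMETERS)
        for name, spec in template.get("Parameters", {}).items():
            if "Default" in spec:
                self.values[name] = spec["Default"]
        self.values.update(parameters or {})

    def ref(self, name):
        if name not in self.values:
            raise KeyError(f"unresolved Ref: {name}")
        return self.values[name]

    def condition(self, name):
        return bool(self.eval(self.template["Conditions"][name]))

    def sub(self, arg):
        # Fn::Sub takes a string, or [string, {local variables}].
        text, local = (arg, {}) if isinstance(arg, str) else (arg[0], self.eval(arg[1]))

        def replace(match):
            name = match.group(1)
            if name.startswith("!"):      # ${!Literal} is an escape for a literal ${Literal}
                return "${" + name[1:] + "}"
            if "." in name:               # ${Resource.Attr} is unknown before deployment; keep it
                return match.group(0)
            return str(local[name]) if name in local else str(self.ref(name))
        return re.sub(r"\$\{([^}]+)\}", replace, text)

    def cidr(self, arg):
        # Fn::Cidr [ipBlock, count, cidrBits]: 'count' subnets whose size is 2**cidrBits.
        block, count, bits = self.eval(arg)
        net = ipaddress.ip_network(block)
        subnets = net.subnets(new_prefix=net.max_prefixlen - int(bits))
        return [str(next(subnets)) for _ in range(int(count))]

    def eval(self, node):
        if isinstance(node, list):
            return [self.eval(item) for item in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:
            (key, arg), = node.items()
            if key == "Ref":
                return self.ref(arg)
            if key == "Condition":
                return self.condition(arg)
            if key == "Fn::Equals":
                left, right = self.eval(arg)
                return left == right
            if key == "Fn::And":
                return all(self.eval(item) for item in arg)
            if key == "Fn::Or":
                return any(self.eval(item) for item in arg)
            if key == "Fn::Not":
                return not self.eval(arg[0])
            if key == "Fn::If":
                name, when_true, when_false = arg
                return self.eval(when_true if self.condition(name) else when_false)
            if key == "Fn::Sub":
                return self.sub(arg)
            if key == "Fn::Cidr":
                return self.cidr(arg)
            if key in ("Fn::Transform", "Fn::ImportValue"):
                raise NotImplementedError(f"{key} is not supported in offline scanning")
        return {k: self.eval(v) for k, v in node.items()}  # ordinary mapping


# Constructed template: SSH ingress is opened to the world only outside prod in us-east-1.
SAMPLE_TEMPLATE = {
    "Parameters": {"Environment": {"Type": "String", "Default": "dev"},
                   "VpcCidr": {"Type": "String", "Default": "10.0.0.0/16"}},
    "Conditions": {
        "IsProd": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
        "NotProd": {"Fn::Not": [{"Condition": "IsProd"}]},
        "UsEast": {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-east-1"]},
        "RelaxedIngress": {"Fn::And": [{"Condition": "NotProd"}, {"Condition": "UsEast"}]},
    },
    "Resources": {"Sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": {"Fn::Sub": "${Environment}-sg-${AWS::Region}"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "CidrIp": {"Fn::If": ["RelaxedIngress", "0.0.0.0/0", {"Ref": "VpcCidr"}]}}]}}},
}


def resolve_resources(template, parameters=None):
    """Return {logical_id: evaluated Properties} under the given parameter mapping."""
    evaluator = CfnEvaluator(template, parameters)
    return {lid: evaluator.eval(res.get("Properties", {}))
            for lid, res in template["Resources"].items()}


def ssh_open_to_world(template, parameters=None):
    """Logical IDs of security groups allowing TCP/22 from 0.0.0.0/0 after evaluation."""
    findings = []
    for lid, props in resolve_resources(template, parameters).items():
        for rule in props.get("SecurityGroupIngress", []):
            if (rule.get("IpProtocol") == "tcp" and rule.get("CidrIp") == "0.0.0.0/0"
                    and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0)):
                findings.append(lid)
    return findings


if __name__ == "__main__":
    print("dev :", ssh_open_to_world(SAMPLE_TEMPLATE))
    print("prod:", ssh_open_to_world(SAMPLE_TEMPLATE, {"Environment": "prod"}))
```

The same template yields a finding under the default parameters and none with `Environment=prod` or a different region, which is why a scanner needs the parameter mapping the notes describe: without it, conditional rendering of the template cannot be evaluated and a check either misses the open port or reports it for every deployment.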

Bot Actions (22.2.6)

AWS

  • “Cleanup Resource Access Policy” - Added support for this existing Bot and resource action to many AWS resources beyond existing support for S3 buckets and Simple Queue Service (SQS) message queues. See callout above for details. [ENG-13306]

AZURE

  • “Disable Data Factory Public Access” - New Bot action allows disabling of public network access for Azure Data Factories. [ENG-14828]

Bug Fixes (22.2.6)

  • [ENG-15699, ENG-15637] Fixed a regression where delete events for certain resources were not properly propagated.

  • [ENG-15676] Fixed an issue that prevented InsightCloudSec from properly refreshing Azure credentials.

  • [ENG-15642] Fixed a bug with the Delete hookpoint for Bots.

  • [ENG-15619] Fixed the mod count in the harvest result logs that included duplicate IDs in some cases.

  • [ENG-15591] Fixed users occasionally seeing a resource modification count in harvesting logs when no resources were actually modified.

  • [ENG-15532] Fixed an issue involving IaC scan errors with the DocumentDB/Neptune storage_encrypted property (depending on Terraform version).

  • [ENG-15510] Fixed an issue with GCP projects missing from harvest.

  • [ENG-15496] Fixed an issue with the Insight Private Subnet Not Associated with an Access List to point to the correct Query Filter and adjusted appropriate details.

  • [ENG-15495] Fixed a bug with the Query Filter Application Gateway With Unencrypted Caching that included Application Gateway Stages that had cache clustering disabled in the evaluation.

  • [ENG-15124] Improved readability of supported resource types in Query Filters search blade on Resources page.

  • [ENG-14540] Resolved an issue where a large number of admins generated an error in the harvester for the Azure Cloud User resource.

  • [ENG-14473] Fixed issue with Report Card when there are no relevant findings.

  • [ENG-11891] Fixed an issue where the Qualys agent filters weren't returning cloud agents.

  • [ENG-14777] Fixed an issue where in some cases resource counts are not appearing as expected after editing an Insight.

Cloud IAM Governance (Access Explorer) Updates - 22.2.6 Minor Release (04/13/2022)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.

Contact us through the Customer Support Portal with any questions.

Cloud IAM Governance Feature Enhancements (22.2.6)

  • Increased visibility of permissions that do not support resource specificity in IAM. This enhancement was actually introduced in 22.2.5 (04/06/2022). [ENG-15277]

Cloud IAM Governance Bug Fixes (22.2.6)

  • [ENG-15709] Fixed a slow query causing timeout errors during the IAM Cache Build.
  • [ENG-10083] Changed references of "whitelist" to "included" (within Access Explorer) and "allowlist" (within SMTP settings page) as per Rapid7's updated style guide.