May 24, 2022
InsightCloudSec is pleased to announce Minor Release 22.3.4
InsightCloudSec Software Release Notice - 22.3.4 Minor Release (05/25/2022)
Our latest Minor Release 22.3.4 is available for hosted customers on Wednesday, May 25, 2022. Availability for self-hosted customers is Thursday, May 26, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.3.4)
InsightCloudSec is pleased to announce Minor Release 22.3.4. This Minor Release includes expanded support for AWS SQS and SNS resources, additional data harvesting for AWS Datasync, and EDH support for AWS Cloudwatch Log groups. This release also updates our direct linking capability so that it works correctly and includes Cloud Policies for Azure, matching Azure’s updates. 22.3.4 adds support for GCP BigQuery DataSets and three new properties for GKE Container Clusters. In addition, we’ve added support for two new Jinja getters, created two new Bot actions, added one new Insight, updated four Query Filters, added nine new Query Filters, and implemented fixes for six bugs.
Contact us through the new unified Customer Support Portal with any questions.
New Permissions Required (22.3.4)
New Permissions Required: AWS
For AWS Standard (Read-Only) Users
We’ve added the following missing permissions for our AWS Standard (Read-Only) Policy [ENG-16637]: “appsync:ListDataSources”, “ecr:DescribeImageReplicationStatus”, “ecr:DescribePullThroughCacheRules”, “ecr:DescribeRegistry”, “ecr:GetAuthorizationToken”, “ecr:GetDownloadUrlForLayer”, “ecr:GetLifecyclePolicyPreview”, “ecr:GetRegistryPolicy”, “ecr:ListImages”
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found in AWS IAM Policies: Standard User (Read-Only) AWS-managed supplemental policy.
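A coverage pre-check a practitioner might run before attaching the supplemental policy: it reports which of the nine actions above a given policy document does not grant, honouring IAM’s case-insensitive wildcard matching and explicit-Deny-wins semantics. This is an added example, not InsightCloudSec’s code; the sample policy is constructed and is not the AWS managed read-only policy.

```python
import fnmatch
import json

# Actions the 22.3.4 notice adds to the Standard (Read-Only) policy [ENG-16637].
REQUIRED_ACTIONS = [
    "appsync:ListDataSources",
    "ecr:DescribeImageReplicationStatus",
    "ecr:DescribePullThroughCacheRules",
    "ecr:DescribeRegistry",
    "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetLifecyclePolicyPreview",
    "ecr:GetRegistryPolicy",
    "ecr:ListImages",
]

# Constructed sample policy (not the AWS managed ReadOnlyAccess policy): wildcards
# cover most ECR actions, a Deny blocks one call, and the AppSync action is absent.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecr:Describe*", "ecr:Get*", "ecr:ListImages"]},
        {"Effect": "Deny", "Resource": "*", "Action": "ecr:GetAuthorizationToken"},
    ],
})

def split_statements(policy):
    """Return (allow_patterns, deny_patterns). Only Effect/Action are examined;
    Resource, Condition and NotAction are ignored: coverage pre-check, not full IAM."""
    allows, denies = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        (allows if stmt.get("Effect") == "Allow" else denies).extend(actions)
    return allows, denies

def is_granted(action, allows, denies):
    """IAM matches action names case-insensitively with '*' and '?' wildcards,
    and an explicit Deny overrides any Allow."""
    a = action.lower()
    if any(fnmatch.fnmatchcase(a, d.lower()) for d in denies):
        return False
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in allows)

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    allows, denies = split_statements(json.loads(policy_json))
    return [x for x in required if not is_granted(x, allows, denies)]
```

Running `missing_actions(SAMPLE_POLICY)` on the constructed policy reports the absent AppSync action and the explicitly denied ECR token call.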
Features & Enhancements (22.3.4)
AWS
- All vulnerability info for container images is now shown in the Vulnerability tab within the Resource Properties. The associated columns in the resource table (Last Scanned, Finding Count, High, Medium and Low) have been removed. The Query Filters Resource Vulnerable To Specific Vulnerability (CVE) and Resource Vulnerability Count now support the Container Images resource type. [ENG-15814]
AZURE
- Updated the Azure volume harvest calculation for encryption enabled so that it no longer relies on the date on which Azure started enabling encryption at rest by default; this date is no longer relevant because disks created before it are now encrypted. [ENG-16636]
CONTAINER IMAGE VULNERABILITY ASSESSMENT
- Added the ability for customers to view missing permissions for Container Vulnerability Assessment (CVA) in the cloud accounts tab. Check out our CVA Docs for additional details about this feature. [ENG-16223]
KUBERNETES
- Added the Insight titled Ensure that a unique Certificate Authority is used for etcd to support the use of a different certificate authority for etcd from the one used for Kubernetes. Refer to the previously issued Kubernetes Scanner Release Notes 2.0.2. [ENG-16359]
MULTI-CLOUD/GENERAL
- Added a new Jinja getter resource.get_missing_permissions and a new Query Filter Cloud Account With Impaired Visibility, which can be leveraged in Bots to help identify and remediate cloud accounts with missing IAM permissions that impair ICS visibility. Refer to details in our documentation. [ENG-16562]
- Added a new Jinja getter resource.get_data_collection_value that can be used to retrieve a specific value from a target data collection. For more information on this, refer to our Jinja documentation. [ENG-15971]
- Updated the Crowdstrike integration to include the Falcon agent version that’s associated with the device. [ENG-16486]
- Custom Insights created by deleted users will now display the author’s name. [ENG-16384]
- Added capability to allow domain administrators to update an Organization Admin to access multiple organizations, giving admins the ability to manage a subset of organizations within the installation. [ENG-15877]
- Added delete lifecycle support for IAM. [ENG-16500]
Resources (22.3.4)
AWS
- Encryption at rest can now be activated for AWS SQS and SNS resources directly from the resource property panel. [ENG-16506]
- Added visibility into Federal Information Processing Standards (FIPS)-compliant SSL (secure sockets layer) for AWS Redshift instances. A new Query Filter Big Data Instance With/Without FIPS Compliant SSL Mode supports this added visibility. [ENG-16499]
- Expanded AWS Datasync harvesting to show the target ARN for cross region/cross account destinations. [ENG-16498]
- Added EDH support for AWS Cloudwatch Log Groups. [ENG-16476]
- Added a new property to the AWS Configuration DB model and a new Query Filter Config Recorder Missing Specific Resource Types (AWS) to audit them. [ENG-16429]
- Added visibility to AWS Simple Systems Manager (SSM) parameters with clear text secrets. [ENG-16257]
- Added visibility to the Server Message Block (SMB) settings of AWS Storage Gateways as well as three additional Query Filters [ENG-14507]:
Storage Gateway SMB Security Strategy
Storage Gateway Visible File Shares Configuration
Storage Gateway Guest Password Configuration
GCP
- Expanded tag visibility and support for GCP BigQuery Datasets and KMS Crypto Rings. [ENG-16560]
- Added harvesting of two new properties which can be enabled/disabled for GKE Container Clusters:
- Kubernetes with shielded GKE node disabled [ENG-16446]
- Kubernetes engine with secure boot disabled [ENG-16447]
- Added a new property to denote a default service account in GCP for identifying GCP Instances, Functions, and Cloud Run resources using the default service account. [ENG-14427]
Insights (22.3.4)
Ensure that a unique Certificate Authority is used for etcd
- New Insight supports the use of a different certificate authority for etcd from the one used for Kubernetes. Refer to the previously issued Kubernetes Scanner Release Notes 2.0.2 here. [ENG-16359]
Query Filters (22.3.4)
AWS
Big Data Instance With/Without FIPS Compliant SSL Mode
- New Query Filter identifies Big Data instances that are or are not (default) enforcing FIPS Compliant SSL mode. [ENG-16499]
Config Recorder Missing Specific Resource Types (AWS)
- New Query Filter audits the new property added to the AWS Configuration DB model. [ENG-16429]
Resource Vulnerability Count
- Updated Query Filter now supports the Container Images resource type. [ENG-15814]
Resource Vulnerable To Specific Vulnerability (CVE)
- Updated Query Filter now supports the Container Images resource type. [ENG-15814]
- Added three new Query Filters to support visibility into the SMB settings of AWS Storage Gateways [ENG-14507]:
Storage Gateway SMB Security Strategy
Storage Gateway Visible File Shares Configuration
Storage Gateway Guest Password Configuration
GCP
Kubernetes Cluster Using/Not Using Integrity Monitoring
- New Query Filter identifies Kubernetes clusters not using the integrity monitoring Google Kubernetes Engine (GKE) node pool setting (default), with an option to find those using the integrity monitoring node pool setting. [ENG-16447]
Kubernetes Cluster Using/Not Using Secure Boot
- New Query Filter identifies Kubernetes clusters not using the secure boot Google Kubernetes Engine (GKE) node pool setting (default), with an option to find those using the secure boot node pool setting. [ENG-16447]
Kubernetes Cluster Using/Not Using Shielded Nodes
- New Query Filter identifies Kubernetes clusters not using shielded Google Kubernetes Engine (GKE) nodes (default), with an option to find those using shielded GKE nodes. [ENG-16447]
Resource Associated With Default Role
- This Query Filter was renamed from Instance Associated With Default Role and modified to add a new property denoting a default service account in GCP; the Query Filter matches resources associated with a default role/service account. [ENG-14427]
MULTI-CLOUD/GENERAL
Cloud Account With Impaired Visibility
- New Query Filter (and Jinja getter resource.get_missing_permissions) can be leveraged in Bots to help identify and remediate cloud accounts with missing IAM permissions that impair ICS visibility. [ENG-16562]
Resource Not In Cloud Account
- Updated this Query Filter to support account lookups by name. [ENG-16437]
Bot Actions (22.3.4)
AWS
- Added new actions to manage use of AWS Shield, “a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS”. These actions allow you to enable or disable DDoS protection for your resources. They are available as Bot actions, which you can use with the Resource Created hookpoint to automate the creation of DDoS protection as eligible resources are created. They can also be used to take bulk actions as required [ENG-14500]:
- Create DDoS Protection
- Delete DDoS Protection
Bug Fixes (22.3.4)
- [ENG-16623] Fixed a bug that would show an impaired visibility icon for GCP Projects despite customers having all required permissions.
- [ENG-16512] Fixed a bug that prevented tagging of AWS Transcribe jobs.
- [ENG-16438] Fixed a display bug involving Kubernetes Secrets in the Bot creation wizard.
- [ENG-15776] Fixed a bug in the Insight Database Instance Azure Active Directory Admin Not Configured.
- [ENG-15649] Updated the direct linking capability to Cloud Policies for Azure to match Azure’s update. Users should be able to directly link to Cloud Policies in Azure’s console.
- [ENG-15638] Addressed an issue where storage bucket lifecycle policies were displayed in the UI with extra characters.
- [ENG-12970] Fixed a bug related to sorting by the severity/notes columns in the Insight Exemptions listing.