Jul 05, 2022
InsightCloudSec is pleased to announce Major Release 22.4.0
InsightCloudSec Software Release Notice - 22.4.0 Major Release (07/06/2022)
Our latest Major Release 22.4.0 is available for hosted customers on Wednesday, July 6, 2022. Availability for self-hosted customers is Thursday, July 7, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.4.0)
InsightCloudSec is pleased to announce Major Release 22.4.0. This Major Release provides two significant feature enhancements: support for the use of an additional external ID as part of best practices to address the AWS Confused Deputy issue, and a new Azure Least Privileged Access (LPA) feature that collects and presents the actions executed by a given user or role within a given time period.
Other feature enhancements include the addition of Badge details in a Resource CSV export and the ability to inspect vulnerabilities that are associated with Autoscaling Groups. (Check out the Features & Enhancements section for the full list of new features.)
In addition, 22.4.0 includes one updated Insight, three updated Query Filters, four new Query Filters, one updated Bot action, one new Bot action, and ten bug fixes.
- For our Cloud IAM Governance module, scroll to the lower half of this page for details on one new feature enhancement.
- Contact us through the unified Customer Support Portal with any questions.
GCP Service Account Key - Date Reset Issue
InsightCloudSec reached out to customers on July 1, 2022. This note is a reminder regarding the GCP Service Account Key Issue.
Google announced that a recent change resulted in nearly all GCP Service Account API Keys showing a last authentication time of 2022-06-21T07:00:00Z, which in most cases will be an incorrect representation of the last usage date.
Details around this issue are available in GCP’s 30 June 2022 release notes.
What does this mean for ICS customers?
InsightCloudSec customers should be aware that the Query Filter Cloud Role Last Used will return a large increase in false negatives for GCP Cloud Accounts as a result of this change.
In addition, any Insight configured using this Query Filter may be impacted. An Insight configured to detect inactivity over “x” days will begin to detect and report inactive API keys starting from the last authentication date/time provided by GCP, 2022-06-21T07:00:00Z.
- For example, if your configuration is set to 14 days and a key was last authenticated on 2022-06-17, that date may have been overwritten with the faulty authentication time of 2022-06-21T07:00:00Z, and the key will falsely report as active.
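To make the false-negative window concrete, the following added example (not part of this release notice, and not InsightCloudSec code) runs a naive "inactive over x days" rule and a defensive variant over a few constructed service account keys. The key names, the evaluation date and the last-authentication values are all constructed; only the 2022-06-21T07:00:00Z reset timestamp comes from the notice.

```python
from datetime import datetime, timedelta, timezone

# Timestamp that, per Google's 30 June 2022 release notes, was written to the
# last-authentication field of nearly every service account key.
GCP_RESET_TIMESTAMP = datetime(2022, 6, 21, 7, 0, 0, tzinfo=timezone.utc)

# Constructed evaluation date (the day InsightCloudSec's note went out).
NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)

# Constructed sample keys, not real GCP data: key name -> last authentication
# time as GCP now reports it (None = never authenticated).
SAMPLE_KEYS = {
    "key-genuinely-active": datetime(2022, 6, 29, 15, 0, tzinfo=timezone.utc),
    "key-reset-by-google": GCP_RESET_TIMESTAMP,   # really last used 2022-06-17
    "key-long-inactive": datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc),
    "key-never-used": None,
}


def naive_inactive(last_auth, now, days):
    """Inactivity rule as the release note describes it: a key is inactive
    when its last authentication is older than `days`. A key whose timestamp
    was reset looks recently used and is missed (a false negative)."""
    if last_auth is None:
        return True
    return now - last_auth > timedelta(days=days)


def classify(last_auth, now, days, reset_ts=GCP_RESET_TIMESTAMP):
    """Defensive variant: a last-auth time equal to the reset timestamp is
    reported as 'unknown' instead of being trusted as genuine activity."""
    if last_auth is None:
        return "inactive"
    if last_auth == reset_ts:
        return "unknown"
    return "inactive" if now - last_auth > timedelta(days=days) else "active"


def report(keys, now, days):
    """Classify every key; 'unknown' entries deserve a manual look."""
    return {name: classify(ts, now, days) for name, ts in keys.items()}


def sentinel_masks_until(days, reset_ts=GCP_RESET_TIMESTAMP):
    """Date after which the naive rule stops treating a reset key as active
    under a `days` threshold, i.e. how long the false negatives persist."""
    return reset_ts + timedelta(days=days)


if __name__ == "__main__":
    for name, ts in SAMPLE_KEYS.items():
        print(f"{name:22} naive_inactive={naive_inactive(ts, NOW, 14)!s:5} "
              f"classified={classify(ts, NOW, 14)}")
    print("14-day rule masks reset keys until", sentinel_masks_until(14).isoformat())
```

With a 14-day threshold the reset key is not flagged by the naive rule until 2022-07-05, and even then the reported inactivity starts from the bogus date rather than the real one; treating the exact reset timestamp as "unknown" keeps such keys visible in the meantime.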
For questions, or help with this issue, contact your CSM or reach out to our Customer Support Team.
Features & Enhancements (22.4.0)
CONFUSED DEPUTY
InsightCloudSec has updated our AWS Cloud onboarding to support the use of an additional external ID as part of best practices to address the AWS Confused Deputy issue. Refer to AWS’ documentation for a more detailed explanation of this issue.
To summarize, the confused deputy problem is a security issue where an entity that doesn’t have permission to perform an action can coerce a more-privileged entity into performing the action on its behalf. To prevent this, AWS provides tools that help companies protect their accounts when granting third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in their account.
InsightCloudSec 22.4.0 has been updated to generate a unique ExternalId for each customer as part of onboarding any new AWS Cloud accounts. The new ExternalId value will be used to assume a role to access data from that customer. The ExternalId value will be unique among InsightCloudSec customers and will be controlled by InsightCloudSec to prevent the InsightCloudSec platform from being a potential confused deputy and granting access to another account’s AWS resources.
Revised instructions are available under our AWS onboarding documentation: AWS SaaS Configuration and AWS Self-Hosted Configuration.
For any questions or concerns, reach out to your CSM or contact our support team.
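The mechanism behind this change is the sts:ExternalId condition in the customer role's trust policy. The following added example (not InsightCloudSec's code, and not taken from AWS documentation) builds such a trust policy and evaluates AssumeRole requests against it with a deliberately simplified evaluator; the account IDs are placeholders, and make_external_id is a hypothetical helper, since the notice says a unique value is generated per customer but not how.

```python
import json
import secrets

# Placeholder account IDs, not real ones: the platform that assumes roles in
# customer accounts, and two unrelated customers.
PLATFORM_ACCOUNT = "111111111111"
CUSTOMER_A = "222222222222"
CUSTOMER_B = "333333333333"


def make_external_id():
    """Return a unique, unguessable ExternalId. Hypothetical helper: the page
    says the platform generates one per customer but not how it derives it."""
    return secrets.token_urlsafe(32)


def build_trust_policy(trusted_account_id, external_id=None):
    """Trust policy a customer attaches to the IAM role the platform assumes.
    With external_id set, the sts:ExternalId condition means AssumeRole from
    the trusted account succeeds only when this customer's value is presented.
    Without it (the legacy shape) any request from that account is trusted."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def assume_role_allowed(policy, caller_account_id, presented_external_id=None):
    """Simplified trust-policy evaluation (no Deny statements or wildcards):
    an Allow statement must name the caller as Principal, grant sts:AssumeRole,
    and have every StringEquals condition satisfied by the request context.
    A condition key absent from the request never matches."""
    context = {}
    if presented_external_id is not None:
        context["sts:ExternalId"] = presented_external_id
    caller_arn = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if caller_arn not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == expected for key, expected in conditions.items()):
            return True
    return False


def confused_deputy_demo():
    """Customer B points the platform at customer A's role. The platform only
    ever presents B's own ExternalId (it never knows A's), so A's hardened
    trust policy refuses the request, whereas a legacy policy without the
    condition would let the platform act as a deputy against A."""
    ext_a, ext_b = make_external_id(), make_external_id()
    hardened = build_trust_policy(PLATFORM_ACCOUNT, ext_a)
    legacy = build_trust_policy(PLATFORM_ACCOUNT)
    return {
        "legit_a_on_hardened": assume_role_allowed(hardened, PLATFORM_ACCOUNT, ext_a),
        "b_via_platform_on_hardened": assume_role_allowed(hardened, PLATFORM_ACCOUNT, ext_b),
        "no_external_id_on_hardened": assume_role_allowed(hardened, PLATFORM_ACCOUNT),
        "other_account_with_a_id": assume_role_allowed(hardened, CUSTOMER_B, ext_a),
        "b_via_platform_on_legacy": assume_role_allowed(legacy, PLATFORM_ACCOUNT, ext_b),
    }


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(PLATFORM_ACCOUNT, "<customer-external-id>"), indent=2))
    for case, allowed in confused_deputy_demo().items():
        print(f"{case:30} -> {'ALLOW' if allowed else 'DENY'}")
```

The protection only holds if the platform chooses and controls the ExternalId, as the notice describes: a value the customer picks themselves, or one that is shared across customers, could be supplied by anyone and would not bind the role to a single tenant.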
AZURE LEAST PRIVILEGED ACCESS
InsightCloudSec’s new Azure Least Privileged Access (LPA) feature collects and presents the actions executed by a given user or role within a given time period. These logged actions are collected and analyzed to provide insights to the customer. After setting up Azure LPA, InsightCloudSec offers user and role activity views that are accessible from the Resources page of your InsightCloudSec platform.
Check out more about this feature, including setup and usage, in our Azure Least Privileged Access Documentation.
OTHER
- Customers can now filter cloud account scope by the account name or account ID in the following sections: Compliance Scorecard, Dashboard Summary & Exemption Rules. [ENG-17700]
- Customers can now inspect vulnerabilities that are associated with Autoscaling Groups. This visibility is brought by joining the instances that are linked to the autoscaling group and pulling a distinct list of those vulnerabilities. [ENG-17686]
- Added the ability to sort Bot noncompliance by the identification date. [ENG-17685]
- Added instance_name column to the Volume export for the Resources CSV Download. [ENG-17668]
- Added the ability to define an optional object storage prefix when exporting a Compliance Scorecard. [ENG-17404]
- Added the ability to include badges in the Resource Inventory export. [ENG-16338]
- Updated the service endpoint regions for the AWS harvesters. [ENG-10864]
Resources (22.4.0)
AWS
- Added visibility to load balancer association with Autoscaling Groups (ASGs) and a new Query Filter, Autoscaling Group Without Load Balancer Association, to identify ASGs without any load balancer relationships. [ENG-17699]
AZURE
- Added surfacing of the public access boolean and the number of private endpoint connections for Azure Key Vaults. New Query Filter: Key Vault Without Private Endpoint Connection (Azure). Added Azure support for the Encryption Key Vault Is/Is Not Exposed To Public Query Filter and Key Vault support for the Resource Is Exposed To Public Query Filter. [ENG-14967]
GCP
- Added visibility to GCP regional based quotas. To conserve storage space, only quotas that have utilization will be stored. [ENG-17698]
Insights (22.4.0)
Updated Insight - Likely Count Increase
- Kubernetes Cluster Engine Without All Logging Types Enabled - Updated this Insight (which uses the updated Query Filter Kubernetes Cluster Engine Logging Enabled/Disabled (EKS)) so that it uses the “Match Any” option to provide more useful results when seeking EKS clusters without all logging types enabled. The Insight update will likely increase counts as it will now return EKS clusters that are missing any (rather than all) of the five available types. [ENG-15325]
Query Filters (22.4.0)
AWS
- Autoscaling Group Without Load Balancer Association - New Query Filter identifies Autoscaling Groups (ASGs) without any load balancer relationships. [ENG-17699]
- Kubernetes Cluster Engine Logging Enabled/Disabled (EKS) - Enhanced this Query Filter by adding a new option, “Match Any”. The “Match Any” option allows customers to match resources if any of the selected logging types are enabled, rather than all of the selected logging types. [ENG-15325]
- Web Application Firewall Contains Rule With Override Action - New Query Filter identifies AWS WAF resources with at least one rule that applies an override action. [ENG-17662]
AZURE
- Deny All IP Traffic to Web App (Azure) - New Query Filter checks if an Azure App Service has no Network Access Restrictions enabled. [ENG-14824]
- Encryption Key Vault Is/Is Not Exposed To Public - Enhanced this Query Filter by adding Azure support. [ENG-14967]
- Key Vault Without Private Endpoint Connection (Azure) - New Query Filter supports the added surfacing of the public access boolean and the number of private endpoint connections for Azure Key Vaults. [ENG-14967]
- Resource Is Exposed To Public - Added Azure Key Vault support to this Query Filter. [ENG-14967]
Bot Actions (22.4.0)
AZURE
- “Deny All IP Traffic to Web App” - New Bot action to deny all IP Traffic to the selected Azure app service (web app). [ENG-14824]
MULTI-CLOUD
- “Assign Multiple Tags To Resource” - Bot action extended to allow custom delimiters. [ENG-17737]
Bug Fixes (22.4.0)
- [ENG-17738] Fixed a bug that improperly flagged as public those GCP Cloud Functions that have allUsers/allAuthenticatedUsers set at the IAM policy level but are configured to restrict ingress traffic to internal only.
- [ENG-17736] Fixed a bug where EDH event history could not be accessed via the resource properties panel for AWS Application Load Balancers.
- [ENG-17684] Fixed a bug that prevented Exemptions from being sorted by the account name.
- [ENG-17654] Fixed an issue where Azure HSM keys did not have the correct origin set, leading to inconsistencies when using the filter Encryption Key Using/Not Using HSM.
- [ENG-17639] Fixed a bug when harvesting Web Application Firewall Policy IDs in the CDN Harvester.
- [ENG-17638] Fixed a bug in the WebAppHarvester for Azure.
- [ENG-17578] Fixed an issue with S3 bucket tagging via Bots.
- [ENG-17563] Fixed an issue with the ServiceNow Incident Bot action in which the Contact Type was not properly mapped to the standard ServiceNow Contact Types.
- [ENG-15775] Fixed a bug with Container Instance harvesting for Azure China subscriptions.
- [ENG-15346] Fixed a bug where Azure databases were not finding their parent resource group.
Cloud IAM Governance (Access Explorer) Updates - 22.4.0 Major Release (07/06/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us through the Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.4.0)
- Added a new Query Filter, Resource with PrincipalOrgID condition outside of ICS harvested Organizations (AWS), to match resources with a PrincipalOrgID policy condition that is outside of the ICS harvested organizations. [ENG-17503]