InsightCloudSec 22.4.2 Release Notes

Jul 19, 2022

InsightCloudSec is pleased to announce Minor Release 22.4.2

InsightCloudSec Software Release Notice - 22.4.2 Minor Release (07/20/2022)

Our latest Minor Release 22.4.2 is available for hosted customers on Wednesday, July 20, 2022. Availability for self-hosted customers is Thursday, July 21, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Release Highlights (22.4.2)

This Minor Release adds visibility into the password last changed property for AWS users and expands support for AWS Log Groups. We have expanded the details in the Bot CSV download to cover Bot hookpoints, improved wildcard search for Insight Exemptions, and added support for GCP Directory. This release also updates two Insights and adds them to the current AWS CIS 1.4 Compliance Pack.

In addition, 22.4.2 includes five updated Query Filters, four new Query Filters, one updated Bot action, two new Bot actions, and seven bug fixes.

Features & Enhancements (22.4.2)

  • Added support for Google Directory to gain visibility into Google user last login, MFA status, group association and more. Note: to gain access to this added visibility, additional configuration changes are required. Refer to the new GCP Directory Support page for details. [ENG-8652]

  • We have expanded the information available in the Bot CSV download to include the Bot hookpoints, if any, and the next scheduled run, if the Bot is on a schedule. [ENG-17926]

  • We have expanded the search fields for Insight Exemptions to include the notes. We also support more specific wildcard searching by optionally treating the * as a wildcard character. [ENG-17219]

  • We have updated the instructions and location of the file for our AWS SaaS CFT deployment. Refer to our SaaS AWS Cloud Setup-Organization documentation for the updates and new location for this file. [ENG-17992]

Resources (22.4.2)

AWS

  • Added visibility into the password last changed property for AWS users. This property is available via the AWS Credential Report. A new Query Filter Cloud User Without A Recent Password Change was also added to help customers identify user accounts that exceed a password age threshold. [ENG-17909]

  • We have expanded support for Log Groups to identify them and link them to their parents. Log Group parents may not be obvious because Log Groups are often created by AWS by default when a resource, such as a Lambda function, is created. In addition, AWS does not remove these Log Groups when the parent resource is removed, so the parent-child relationship becomes even more obscure and, over time, the number of orphaned Log Group resources increases. [ENG-17861]

    • We have also updated our Resource Orphaned Query Filter to identify orphaned Log Groups and added a Log Group-specific Query Filter, Log Group Orphaned.

    • We have added support for Log Groups to the Bot action “Mirror Resource Tags From Parent”. This allows better identification and tracking of Log Groups, since their tags can mirror those of the resource they track.

  • As part of our continued work on AWS confused deputy protection, we have updated the API endpoint /v2/prototype/cloud/<organization_service_id>/update. When the credentials for AWS accounts are updated via this API endpoint, the external ID associated with the installation is used by default, to ensure consistency and to align with AWS security best practices. [ENG-17809]
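The Log Group orphan detection and parent tag mirroring described above, as an added example that is not InsightCloudSec code. It assumes the default AWS naming convention for auto-created Lambda log groups (/aws/lambda/<function-name>); the inventory data, the "parent tags override the log group's tags" merge rule, and all function names are constructed for this example.

```python
"""Added example (not InsightCloudSec code): find orphaned CloudWatch Log Groups
and mirror tags from the parent resource.

Assumes the default AWS naming convention for auto-created log groups:
Lambda writes to /aws/lambda/<function-name>. The inventory data below is
constructed for the example; in practice it would come from the AWS API.
"""
from typing import Dict, List, Optional

# Constructed inventory: Lambda functions that still exist, with their tags.
LAMBDA_FUNCTIONS: Dict[str, Dict[str, str]] = {
    "order-processor": {"owner": "payments", "env": "prod"},
    "nightly-report": {"owner": "analytics", "env": "prod"},
}

# Constructed inventory of log groups with their current tags.
LOG_GROUPS: Dict[str, Dict[str, str]] = {
    "/aws/lambda/order-processor": {},
    "/aws/lambda/nightly-report": {"env": "staging"},      # stale tag; parent says prod
    "/aws/lambda/retired-function": {"owner": "legacy"},   # parent function was deleted
    "/custom/app/audit": {"owner": "security"},            # hand-made; no parent by convention
}

LAMBDA_PREFIX = "/aws/lambda/"


def parent_function(log_group_name: str) -> Optional[str]:
    """Derive the Lambda function name a log group was created for, or None
    when the name does not follow the auto-created convention."""
    if log_group_name.startswith(LAMBDA_PREFIX):
        name = log_group_name[len(LAMBDA_PREFIX):]
        return name or None
    return None


def orphaned_log_groups(log_groups: Dict[str, Dict[str, str]],
                        functions: Dict[str, Dict[str, str]]) -> List[str]:
    """Log groups whose name says 'created for Lambda X' while X no longer exists.
    Groups that do not follow the convention are not reported: with no way to
    name a parent, 'orphaned' cannot be decided from the name alone."""
    orphans = []
    for name in log_groups:
        parent = parent_function(name)
        if parent is not None and parent not in functions:
            orphans.append(name)
    return sorted(orphans)


def mirror_tags_from_parent(log_groups: Dict[str, Dict[str, str]],
                            functions: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Return the tag set each linked log group should carry: the parent's tags,
    overriding any conflicting value on the log group (assumed merge rule).
    Orphans and unconventional groups are returned unchanged."""
    result: Dict[str, Dict[str, str]] = {}
    for name, tags in log_groups.items():
        parent = parent_function(name)
        if parent is None or parent not in functions:
            result[name] = dict(tags)
            continue
        merged = dict(tags)
        merged.update(functions[parent])
        result[name] = merged
    return result


if __name__ == "__main__":
    print("orphaned:", orphaned_log_groups(LOG_GROUPS, LAMBDA_FUNCTIONS))
    for group, tags in mirror_tags_from_parent(LOG_GROUPS, LAMBDA_FUNCTIONS).items():
        print(group, tags)
```

The orphan check deliberately stays silent on log groups that do not match the convention: reporting them as orphaned would turn every hand-created group into a false positive, which is the same reason a name-based link cannot replace an explicit parent reference where one is available.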

Insights (22.4.2)

  • Storage Container With MFA Delete Disabled - Updated Insight; added to the AWS CIS 1.4 Compliance Pack as control Storage 2.1.3. [ENG-16443]

  • Storage Container Without Block Public Access Protection - Updated Insight; added to the AWS CIS 1.4 Compliance Pack as control Storage 2.1.5. [ENG-16443]

Query Filters (22.4.2)

AWS

  • Cloud User Without A Recent Password Change - New Query Filter identifies user accounts that exceed a password age threshold. [ENG-17909]

  • Load Balancer Not Logging To Specified Storage Container and Load Balancer Logging To Specified Storage Container - Query Filters updated to inspect the Load Balancer’s logging attribute as well as its target bucket attribute. This update is necessary because when S3 logging for a Load Balancer is deactivated, AWS updates the Load Balancer’s logging attribute as expected but leaves its target bucket attribute in place. [ENG-15426]

  • Log Group Orphaned - New Query Filter, specific to Log Groups, identifies orphaned Log Groups. [ENG-17861]

  • Resource Orphaned - Query Filter updated to identify orphaned Log Groups. [ENG-17861]

  • Web Application Firewall Contains Rule With Noncompliant Actions - New Query Filter identifies AWS Web Application Firewalls that have one or more rules with a noncompliant override action. [ENG-14424]
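The Load Balancer logging check described in this list, as an added example that is not InsightCloudSec code. It shows the bucket-only check that misses a deactivated logger beside the corrected check that requires both attributes. The attribute keys access_logs.s3.enabled and access_logs.s3.bucket are the real ELBv2 load balancer attribute names; the load balancer records and bucket names are constructed for this example.

```python
"""Added example (not InsightCloudSec code): decide whether an AWS load balancer
is logging to a specified S3 bucket.

ELBv2 exposes access logging as load balancer attributes; access_logs.s3.enabled
and access_logs.s3.bucket are the attribute keys returned by
describe-load-balancer-attributes. The records below are constructed.
"""
from typing import Dict, List

# Constructed attribute sets, shaped like the Key/Value pairs the ELBv2 API returns.
LOAD_BALANCERS: Dict[str, List[Dict[str, str]]] = {
    "web-prod": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": "central-lb-logs"},
    ],
    # Logging was switched off; AWS leaves the bucket attribute in place.
    "web-staging": [
        {"Key": "access_logs.s3.enabled", "Value": "false"},
        {"Key": "access_logs.s3.bucket", "Value": "central-lb-logs"},
    ],
    # Logging is on, but to a bucket other than the mandated one.
    "internal-api": [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": "team-scratch-logs"},
    ],
    # Never configured at all.
    "never-configured": [
        {"Key": "access_logs.s3.enabled", "Value": "false"},
        {"Key": "access_logs.s3.bucket", "Value": ""},
    ],
}


def attrs_to_dict(attrs: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the API's Key/Value list into a plain dict."""
    return {a["Key"]: a["Value"] for a in attrs}


def logging_to_bucket_naive(attrs: List[Dict[str, str]], bucket: str) -> bool:
    """The check that misses the failure mode: only the target bucket is inspected,
    so a load balancer whose logging was deactivated still looks compliant."""
    return attrs_to_dict(attrs).get("access_logs.s3.bucket") == bucket


def logging_to_bucket(attrs: List[Dict[str, str]], bucket: str) -> bool:
    """Corrected check: logging must be enabled AND point at the expected bucket."""
    a = attrs_to_dict(attrs)
    enabled = a.get("access_logs.s3.enabled", "false").lower() == "true"
    return enabled and a.get("access_logs.s3.bucket") == bucket


def not_logging_to_bucket(load_balancers: Dict[str, List[Dict[str, str]]],
                          bucket: str) -> List[str]:
    """Names of load balancers that fail the corrected check, i.e. the population
    the 'Not Logging To Specified Storage Container' filter would surface."""
    return sorted(name for name, attrs in load_balancers.items()
                  if not logging_to_bucket(attrs, bucket))


if __name__ == "__main__":
    for name, attrs in LOAD_BALANCERS.items():
        print(name,
              "naive:", logging_to_bucket_naive(attrs, "central-lb-logs"),
              "corrected:", logging_to_bucket(attrs, "central-lb-logs"))
    print("not logging to central-lb-logs:", not_logging_to_bucket(LOAD_BALANCERS, "central-lb-logs"))
```

Run against the constructed data, the naive check passes web-staging while the corrected check rejects it; the difference is exactly the stale bucket attribute the release note describes.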

GCP

  • Cloud Account with Audit Logging Enabled (GCP) - New Query Filter checks for the three types of audit logging (Admin Read, Data Read, Data Write) at the project level for GCP projects. [ENG-14799]
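The project-level audit logging check described above, as an added example that is not InsightCloudSec code. The auditConfigs structure, the allServices service name and the ADMIN_READ, DATA_READ and DATA_WRITE log types are the real GCP IAM policy format; the three policy documents and the helper names are constructed for this example. It also goes one step beyond the filter's stated scope by surfacing exempted members, since an exemption leaves a gap even when all three types are enabled.

```python
"""Added example (not InsightCloudSec code): check a GCP project's IAM policy
for the three audit log types at project level.

The structure follows the real IAM policy format: auditConfigs entries carry a
service name ("allServices" for the project-wide default) and a list of
auditLogConfigs with logType ADMIN_READ, DATA_READ or DATA_WRITE. The policy
documents below are constructed for the example.
"""
from typing import Dict, List, Set

REQUIRED_LOG_TYPES: Set[str] = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Constructed: project-wide audit logging for all services, complete.
POLICY_COMPLETE = {
    "bindings": [],
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"},
                             {"logType": "DATA_READ"},
                             {"logType": "DATA_WRITE"}]},
    ],
}

# Constructed: DATA_READ exists only for one service, not project-wide,
# and it exempts one member from that service's read logging.
POLICY_PARTIAL = {
    "bindings": [],
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ",
                              "exemptedMembers": ["user:auditor@example.com"]}]},
    ],
}

# Constructed: no auditConfigs key at all, the default for a fresh project.
POLICY_NONE = {"bindings": []}


def enabled_log_types(policy: dict, service: str = "allServices") -> Set[str]:
    """Log types configured for one service entry (default: the project-wide entry)."""
    types: Set[str] = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            for entry in cfg.get("auditLogConfigs", []):
                types.add(entry.get("logType"))
    return types


def missing_project_level_log_types(policy: dict) -> Set[str]:
    """Required log types not enabled for allServices. Per-service entries do
    not count here: a type enabled for one API leaves every other API unlogged."""
    return REQUIRED_LOG_TYPES - enabled_log_types(policy, "allServices")


def audit_logging_enabled(policy: dict) -> bool:
    """True when all three log types are on project-wide."""
    return not missing_project_level_log_types(policy)


def exempted_members(policy: dict) -> Dict[str, List[str]]:
    """Members excluded from a log type anywhere in the policy, keyed as
    '<service>/<logType>'. Exemptions are blind spots worth reviewing even
    when audit_logging_enabled() returns True."""
    out: Dict[str, List[str]] = {}
    for cfg in policy.get("auditConfigs", []):
        for entry in cfg.get("auditLogConfigs", []):
            members = entry.get("exemptedMembers", [])
            if members:
                out[f"{cfg.get('service')}/{entry.get('logType')}"] = list(members)
    return out


if __name__ == "__main__":
    for label, policy in [("complete", POLICY_COMPLETE),
                          ("partial", POLICY_PARTIAL),
                          ("none", POLICY_NONE)]:
        print(label, "enabled:", audit_logging_enabled(policy),
              "missing:", sorted(missing_project_level_log_types(policy)),
              "exemptions:", exempted_members(policy))
```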

MULTI-CLOUD/GENERAL

  • Resource Tag Does Not Mirror Parent and Resource Tag Mirrors Parent - These two Query Filters were updated to allow finer inspection of resource tags. Users can now specify a list of tags to inspect. Support for these filters was also broadened to the following additional parent-child resource pairs [ENG-17948]:
    • Autoscaling groups — Instances
    • Instances — Images
    • Networks — Route Tables
    • Networks — Subnets
    • Spanners — Spanner Databases
    • Users — Access Keys

Bot Actions (22.4.2)

  • “Enable Public Access Prevention” - New Bot action which can be used to help customers prevent unnecessary exposure of Google Storage Buckets to the public. [ENG-17748]

  • “Assign Badge To Cloud Account” - New Bot action supports automated segmentation by allowing Bots to badge cloud accounts based on user-specified filters. [ENG-17388]

  • “Mirror Resource Tags From Parent” - Added support for AWS Log Groups to this Bot action to allow better identification and tracking of Log Groups as their tags can mirror the resource they track. [ENG-17861]

  • Expanded Bot delete capabilities to work with AWS Storage Gateway File Shares and ECS Container Services. [ENG-17976]

Bug Fixes (22.4.2)

  • [ENG-18040] Fixed an issue involving GCP Domain Groups not showing proper membership counts/relationships; expanded GCP Directory visibility into service account group membership.

  • [ENG-17991] Corrected the Azure Console remediation steps for the Insight App Service Not Requiring Authentication.

  • [ENG-17872] Fixed a bug involving improper evaluation of transit encryption enforcement during Terraform IaC analysis of SQS resources.

  • [ENG-17871] Fixed an issue when scanning AWS database instances and option groups through the IAC Terraform scanner.

  • [ENG-17822] Added a catch for NoneType values when running the Azure Instance Ip Harvester.

  • [ENG-17801] Fixed an issue when harvesting Azure Application Gateways so that Virtual Machines and Virtual Machine Scale Sets are included in our Load Balancer Orphaned logic.

  • [ENG-17512] Fixed an issue where system logs failed to display after selecting a cloud to filter by in “Cloud Search” dropdown.