Aug 16, 2022
InsightCloudSec is pleased to announce Minor Release 22.4.6
InsightCloudSec Software Release Notice - 22.4.6 Minor Release (08/17/2022)
Our latest Minor Release 22.4.6 is available for hosted customers on Wednesday, August 17, 2022. Availability for self-hosted customers is Thursday, August 18, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.4.6)
InsightCloudSec is pleased to announce Minor Release 22.4.6, which adds the ability to scan Kubernetes-related Infrastructure as Code (IaC) with the command line interface (CLI) scanning tool. 22.4.6 also updates seven Query Filters so that they, and any Insights or Bots that use them, return results 2x to 10x faster. In addition, 22.4.6 includes one new Insight, one updated Insight, one new Query Filter, and eight bug fixes.
- For our Cloud IAM Governance module, scroll to the lower half of this page for details on two new feature enhancements.
Contact us through the unified Customer Support Portal with any questions.
New Permissions Required (22.4.6)
New Permissions Required: Alibaba Cloud
For Alibaba Cloud Standard (Read-Only) Users: “kms:ListResourceTags”, “rds:DescribeTags”
These two new permissions are required to enable the added tag visibility for Alibaba Cloud for four resources: Cache Instances, Database Instances, Storage Containers, and Encryption Keys. [ENG-18586]
New Permissions Required: AWS
For AWS Commercial Standard (Read-Only) Users: “s3:GetBucketNotification”
For AWS GovCloud Standard (Read-Only) Users: “s3:GetBucketNotification”
The “s3:GetBucketNotification” permission supports the new Query Filter Serverless Function Triggered by a Storage Container. [ENG-17316]
Note: We recommend that our AWS Commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of the AWS managed policy is that AWS continuously updates it for new services, which makes it easier for the customer to attach and maintain. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
Features & Enhancements (22.4.6)
- Updated seven Query Filters to improve query and Insight performance. Customers should see 2x to 10x faster results for the following Query Filters, as well as for any Insights or Bots that use them [ENG-18496]:
  - Instance Without Ephemeral Public IP Attached
  - Instance With Reserved Public IP Attached
  - Instance Exposing Specific Port/Protocols
  - Instance Exposing Specific Ports
  - Instance Exposing All Ports
  - Database/Big Data/Broker/Stream Security Group Exposing Access
  - Compute Instance Allowing Specific Network Traffic In
- Introduced the ability to scan Kubernetes-related Infrastructure as Code (IaC), e.g., Helm charts, Kustomize overlays, and YAML manifest files, using the CLI scanning tool. See the CLI scanning tool documentation for more details. [ENG-14350]
- Added a checkbox to the Harvest Strategy edit modal to mark resources from disabled regions for deletion. The scheduler now reacts in real time to regions disabled on the Strategy. [ENG-18344]
- Added the capability to download a JSON file containing an AWS or Azure principal’s used permissions from the Cloud User or Cloud Role resource view. LPA must be enabled as a prerequisite for this feature. See AWS LPA - Setup & Config. [ENG-17112]
- Added a system setting named feedback_widget_allowlist, which stores an array of email addresses. When set, only users whose email is in the list see the support widget; otherwise, all users see it. [ENG-15339]
- Added an environment variable DIVVY_SCORECARD_EXPORT_INSIGHT_NOTES_DISABLED to control whether the “Insight Notes” sheet is included in the Scorecard compliance export. A value of 1 disables (does not include) the notes; a value of 0 (or not set) includes them. [ENG-16747]
- Increased the maximum tag limit in the Tag Explorer from 10 to 15 tags. [ENG-17319]
- Increased the maximum tag limit on the Resources page from 10 to 20 tags. [ENG-18248]
User Interface Changes (22.4.6)
- We updated the UI in the clouds listing to clarify that visibility is impaired when harvesting is impaired. [ENG-18050]
Insights (22.4.6)
Modified AWS Insight
Instance Allows Use Of Vulnerable IMDSv1 Protocol
- Removed the Query Filter Instance Associated With Role from the Insight Instance Allows Use Of Vulnerable IMDSv1 Protocol to align with the AWS Foundational Security Best Practices EC2.8 control. EC2.8 requires IMDSv2 (HttpTokens set to required) on every instance, not only on instances with an attached role, so the Insight now reports any instance that still answers IMDSv1 requests. Note: Customers will likely see an increase in Insight results because of this change. [ENG-17621]
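The change above widens the Insight from instances with an attached role to every instance that still accepts token-less metadata requests. The Python below is an added illustration, not InsightCloudSec's query implementation: it models the pre-22.4.6 and 22.4.6 versions of the check over the MetadataOptions and IamInstanceProfile fields of the EC2 DescribeInstances response, so the newly reported instances can be seen directly. The instance records are constructed sample data, and treating a disabled metadata endpoint as not a finding is this example's own assumption.

```python
"""Added example: IMDSv1 check before and after the Instance Associated With Role
filter was removed. Not InsightCloudSec's implementation; it models the logic
described in the release note over the EC2 DescribeInstances response shape."""

# Constructed sample data in the DescribeInstances shape (IDs/ARNs are placeholders).
SAMPLE_INSTANCES = [
    {   # role attached, IMDSv1 allowed: flagged before and after 22.4.6
        "InstanceId": "i-0aaaa000000000001",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
    },
    {   # no role, IMDSv1 allowed: flagged only after the filter removal
        "InstanceId": "i-0aaaa000000000002",
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
    },
    {   # role attached, IMDSv2 enforced: never flagged
        "InstanceId": "i-0aaaa000000000003",
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/api"},
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
    },
    {   # metadata endpoint disabled: IMDSv1 cannot be reached (assumption: not a finding)
        "InstanceId": "i-0aaaa000000000004",
        "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"},
    },
]


def allows_imdsv1(instance):
    """True when the metadata endpoint is enabled and does not require a session token.

    FSBP EC2.8 passes only when HttpTokens is "required". AWS defaults are
    HttpEndpoint "enabled" and HttpTokens "optional", i.e. IMDSv1 allowed.
    """
    opts = instance.get("MetadataOptions", {})
    return (opts.get("HttpEndpoint", "enabled") == "enabled"
            and opts.get("HttpTokens", "optional") != "required")


def has_role(instance):
    """True when an instance profile (and therefore an IAM role) is attached."""
    return bool(instance.get("IamInstanceProfile"))


def imdsv1_findings_pre_22_4_6(instances):
    """Old behaviour: IMDSv1 allowed AND an instance role attached."""
    return [i["InstanceId"] for i in instances if allows_imdsv1(i) and has_role(i)]


def imdsv1_findings_22_4_6(instances):
    """New behaviour (EC2.8-aligned): IMDSv1 allowed, regardless of role."""
    return [i["InstanceId"] for i in instances if allows_imdsv1(i)]


if __name__ == "__main__":
    before = imdsv1_findings_pre_22_4_6(SAMPLE_INSTANCES)
    after = imdsv1_findings_22_4_6(SAMPLE_INSTANCES)
    print("before 22.4.6:", before)
    print("after 22.4.6: ", after)
    print("newly reported:", sorted(set(after) - set(before)))
```

The instances that appear only in the second list are exactly the increase the note warns about: hosts with no role where IMDSv1 still exposes user data and other metadata without a token.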
AWS
Load Balancer With HTTP Listener Not Redirecting To HTTPS (AWS)
- New Insight identifies load balancers with HTTP listeners that do not redirect to HTTPS. [ENG-18385]
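To show what this Insight is looking for, the following Python is an added example and not InsightCloudSec's implementation. It evaluates listener records in the shape of the ELBv2 DescribeListeners response and reports HTTP listeners whose default action does not redirect to HTTPS, including the easily missed case of a redirect that preserves the incoming scheme. The listeners, ARNs, account ID and hostname are constructed placeholders.

```python
"""Added example (not InsightCloudSec's Insight logic): find HTTP listeners whose
default action does not redirect to HTTPS, over the ELBv2 DescribeListeners shape."""

ACCOUNT = "123456789012"  # placeholder
LB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/web/50dc6c495c0c9188"
TG_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/web/73e2d6bc24d8a067"


def listener(listener_id, port, protocol, default_actions):
    """Build one constructed record in the DescribeListeners shape."""
    return {
        "ListenerArn": f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:listener/app/web/50dc6c495c0c9188/{listener_id}",
        "LoadBalancerArn": LB_ARN,
        "Port": port,
        "Protocol": protocol,
        "DefaultActions": default_actions,
    }


SAMPLE_LISTENERS = [
    # Plaintext listener forwarding straight to targets: finding.
    listener("f2f7dc8efc522ab2", 80, "HTTP",
             [{"Type": "forward", "TargetGroupArn": TG_ARN}]),
    # Redirect that keeps the incoming scheme via "#{protocol}": an HTTP request
    # is sent to another HTTP URL, so this is still a finding.
    listener("0a5d3c9b8e7f6a1b", 8080, "HTTP",
             [{"Type": "redirect", "RedirectConfig": {
                 "Protocol": "#{protocol}", "Port": "#{port}", "Host": "www.example.com",
                 "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]),
    # Default action redirects to HTTPS: compliant.
    listener("9c8b7a6f5e4d3c2b", 80, "HTTP",
             [{"Type": "redirect", "RedirectConfig": {
                 "Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                 "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}]),
    # HTTPS listener: out of scope for this check.
    listener("1d2c3b4a59687766", 443, "HTTPS",
             [{"Type": "forward", "TargetGroupArn": TG_ARN}]),
]


def redirects_to_https(action):
    """True only for a redirect action whose target scheme is fixed to HTTPS."""
    if action.get("Type") != "redirect":
        return False
    return action.get("RedirectConfig", {}).get("Protocol") == "HTTPS"


def http_listeners_not_redirecting(listeners):
    """Return ARNs of HTTP listeners whose default actions never redirect to HTTPS.

    Only default actions are inspected here. A listener could still redirect via a
    non-default rule (DescribeRules), which this approximation does not examine.
    """
    findings = []
    for lst in listeners:
        if lst.get("Protocol") != "HTTP":
            continue  # HTTPS, TCP, TLS, UDP and GENEVE listeners are not in scope
        if not any(redirects_to_https(a) for a in lst.get("DefaultActions", [])):
            findings.append(lst["ListenerArn"])
    return findings


if __name__ == "__main__":
    for arn in http_listeners_not_redirecting(SAMPLE_LISTENERS):
        print("HTTP listener without HTTPS redirect:", arn)
```

The redirect status code (HTTP_301 vs HTTP_302) is deliberately ignored: either moves the client to TLS, and what matters for this check is the target scheme, not the code.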
Query Filters (22.4.6)
AWS
Serverless Function Triggered by a Storage Container
- New Query Filter identifies serverless functions that are triggered by a storage container. Note: This new Query Filter requires a new permission “s3:GetBucketNotification”, which we have added to our standard read-only policies for AWS Commercial and AWS GovCloud. [ENG-17316]
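The permission is needed because the bucket-to-function relationship lives in the bucket's notification configuration, not on the function. The Python below is an added example, not InsightCloudSec's Query Filter: it walks responses in the shape of the S3 GetBucketNotificationConfiguration API (the call that s3:GetBucketNotification authorizes) and lists which Lambda functions each bucket triggers, with the event types and key filters involved. Bucket names, ARNs and account ID are constructed placeholders.

```python
"""Added example (not InsightCloudSec's Query Filter): map S3 bucket notification
configuration to the Lambda functions it invokes directly. Works over the shape of
the S3 GetBucketNotificationConfiguration response; all data is constructed."""

# bucket name -> body of s3.get_bucket_notification_configuration(Bucket=name),
# ResponseMetadata omitted. Constructed sample data; ARNs are placeholders.
SAMPLE_CONFIGS = {
    "uploads-prod": {
        "LambdaFunctionConfigurations": [
            {"Id": "thumbs",
             "LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:make-thumbnail",
             "Events": ["s3:ObjectCreated:*"],
             "Filter": {"Key": {"FilterRules": [{"Name": "suffix", "Value": ".jpg"}]}}},
            {"Id": "av",
             "LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:scan-upload",
             "Events": ["s3:ObjectCreated:Put", "s3:ObjectCreated:CompleteMultipartUpload"]},
        ],
        "QueueConfigurations": [
            {"Id": "audit", "QueueArn": "arn:aws:sqs:us-east-1:123456789012:s3-audit",
             "Events": ["s3:ObjectRemoved:*"]},
        ],
    },
    # A bucket with no notifications returns a body with no *Configurations keys.
    "static-site": {},
    # SNS fan-out only: no direct function trigger is visible from the bucket side.
    "logs-archive": {
        "TopicConfigurations": [
            {"Id": "alert", "TopicArn": "arn:aws:sns:us-east-1:123456789012:ops-alerts",
             "Events": ["s3:ObjectCreated:*"]},
        ],
    },
}


def key_filter(rule):
    """Render a rule's optional prefix/suffix key filter as a short string ("*" if none)."""
    rules = rule.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    return ",".join(f"{r['Name']}={r['Value']}" for r in rules) or "*"


def lambda_triggers(configs):
    """Sorted (bucket, function_arn, event, key_filter) tuples for direct S3 -> Lambda triggers.

    SQS, SNS and EventBridge destinations can also end at a function, but finding
    that requires following the queue/topic/rule side, which is out of scope here.
    """
    out = []
    for bucket, cfg in configs.items():
        for rule in cfg.get("LambdaFunctionConfigurations", []):
            for event in rule.get("Events", []):
                out.append((bucket, rule["LambdaFunctionArn"], event, key_filter(rule)))
    return sorted(out)


def functions_triggered_by_storage(configs):
    """The Query Filter's question: which function ARNs does any bucket invoke directly?"""
    return sorted({arn for _, arn, _, _ in lambda_triggers(configs)})


if __name__ == "__main__":
    for bucket, arn, event, flt in lambda_triggers(SAMPLE_CONFIGS):
        print(f"{bucket} --{event} [{flt}]--> {arn}")
```

In a live account the per-bucket body comes from boto3's s3.get_bucket_notification_configuration(Bucket=name); without s3:GetBucketNotification that call fails with AccessDenied, which is the visibility gap the policy update closes.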
Bug Fixes (22.4.6)
- [ENG-18586] Fixed tag visibility for Alibaba Cloud for four resources: Cache Instances, Database Instances, Storage Containers, and Encryption Keys. Two new permissions are required to enable this tag visibility: “kms:ListResourceTags” and “rds:DescribeTags”.
- [ENG-18531] Fixed an issue where AWS S3 buckets might incorrectly display “Impaired Visibility” for the “Encryption” property.
- [ENG-18516] Fixed a bug where Tenable agents were not showing the agent version.
- [ENG-18488] Fixed an issue that prevented EDH events from being consumed by AWS China consumers.
- [ENG-18423] Fixed an edge case where Bots launched from a core/custom Insight were created even when the Cancel button was clicked.
- [ENG-17794] Updated the Azure Resource Vulnerability harvester to be a global harvester rather than a per-region one.
- [ENG-17696] Removed Azure support for the Query Filter Container Image Last Scanned and fixed a bug where it was not working correctly for AWS.
- [ENG-17507] Enhanced Bot creation and editing to check the configured resource groups in selection fields.
Cloud IAM Governance (Access Explorer) Updates - 22.4.6 Minor Release (08/17/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us at Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.4.6)
- Metadata updated to align with the latest permissions supported by Policy Sentry as of June 30th. [ENG-18145]
- Effective Access calculation now includes cross-service permissions. We have added the ability to surface effective access for actions whose prefix does not have a one-to-one relationship with the service as it appears in the resource ARN. For example, permissions with the prefix “sts” (such as sts:AssumeRole) act on resources in the IAM service, whose ARNs carry the “iam” service name. [ENG-17719]