Aug 23, 2022
InsightCloudSec is pleased to announce Minor Release 22.4.7
InsightCloudSec Software Release Notice - 22.4.7 Minor Release (08/24/2022)
Our latest Minor Release 22.4.7 is available for hosted customers on Wednesday, August 24, 2022. Availability for self-hosted customers is Thursday, August 25, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Release Highlights (22.4.7)
InsightCloudSec is pleased to announce Minor Release 22.4.7. This Minor Release includes added visibility into AWS Redshift Serverless Namespace and AWS Redshift Serverless Workgroup, added visibility and lifecycle support for Azure Private Link Services, and two new compliance packs: a compliance pack to support AWS CIS 1.5 and a compliance pack to support New York State Department of Financial Services (NYDFS) Cybersecurity Regulation Part 500.
In addition, 22.4.7 includes ten updated Insights, five new Insights, two updated Query Filters, five new Query Filters, one new Bot action, and 14 bug fixes.
- This release does not contain any specific updates for our Cloud IAM Governance module.
- Contact us through the unified Customer Support Portal with any questions.
DivvyDbObjects Deprecated
As of Release 22.4.7, usage of DivvyDbObjects within plugins is deprecated. Please switch to DbObjects instead. [ENG-18635]
New Permissions Required (22.4.7)
New Permissions Required: AWS
For AWS Standard (Read-Only) Users: “redshift-serverless:ListNamespaces”, “redshift-serverless:ListWorkgroups”
For AWS Power-Users: “redshift-serverless:*”
These new permissions support the added visibility into Redshift Serverless Namespaces and Redshift Serverless Workgroups. [ENG-18185]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
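A pre-upgrade check for the Standard (Read-Only) permissions listed above, as an added example that is not part of these release notes or the product: it evaluates IAM SimulatePrincipalPolicy results for the harvesting principal (via boto3, imported only when a live call is made) and reports which of the two new actions are not allowed. The principal ARN is a placeholder and the sample results are constructed.

```python
"""Pre-upgrade check: does the InsightCloudSec harvesting principal
hold the Redshift Serverless permissions added in 22.4.7?

Added example, not part of the release notes or the product."""

# Actions listed under "New Permissions Required: AWS" above.
STANDARD_ACTIONS = [
    "redshift-serverless:ListNamespaces",
    "redshift-serverless:ListWorkgroups",
]


def missing_actions(evaluation_results):
    """Return, sorted, the actions whose simulated decision is not 'allowed'.

    evaluation_results has the shape of IAM's EvaluationResults list, where
    EvalDecision is one of 'allowed', 'explicitDeny' or 'implicitDeny'.
    """
    return sorted(
        r["EvalActionName"]
        for r in evaluation_results
        if r.get("EvalDecision") != "allowed"
    )


def check_principal(principal_arn, actions=STANDARD_ACTIONS, client=None):
    """Run SimulatePrincipalPolicy for the principal and return missing actions.

    Needs credentials with iam:SimulatePrincipalPolicy; boto3 is imported
    lazily so missing_actions() stays usable offline on saved results.
    """
    if client is None:
        import boto3  # real library; imported here so the module loads without it
        client = boto3.client("iam")
    results = []
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": list(actions)}
    while True:  # follow IAM's Marker-based pagination
        page = client.simulate_principal_policy(**kwargs)
        results.extend(page["EvaluationResults"])
        if not page.get("IsTruncated"):
            return missing_actions(results)
        kwargs["Marker"] = page["Marker"]


# Constructed sample shaped like IAM's response: one action allowed, one not.
SAMPLE_RESULTS = [
    {"EvalActionName": "redshift-serverless:ListNamespaces",
     "EvalResourceName": "*", "EvalDecision": "allowed"},
    {"EvalActionName": "redshift-serverless:ListWorkgroups",
     "EvalResourceName": "*", "EvalDecision": "implicitDeny"},
]

if __name__ == "__main__":
    # Placeholder ARN; substitute the role InsightCloudSec harvests with.
    # check_principal("arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE")
    print("missing:", missing_actions(SAMPLE_RESULTS))
```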
New Permission Required: Azure
For Azure Standard (Read-Only) Policy: “Microsoft.Network/privateLinkServices/read”
Note: This new permission supports added visibility and lifecycle support for Azure Private Link Services. [ENG-18615]
Features & Enhancements (22.4.7)
- Added functionality for the five new log categories for Azure DataBricks Diagnostic Settings [ENG-18573]:
  - Databricks DatabricksSQL
  - Databricks Delta Pipelines
  - Databricks Model Registry
  - Databricks Repos
  - Databricks Unity Catalog
- Updated the Clouds listing to be more explicit about the number of services that visibility is restricted to based on IAM permissions. The number of visibility issues now displays on the warning logo. [ENG-18465]
- Enhanced the list_insights API endpoint to allow users to restrict results to Insights in a given set of Insight packs. Check out List Insights for details. [ENG-18612]
- Updates to enhance the look and feel of the user profile page. Check out the User Configuration - Manage Your Profile page for updated documentation details. [ENG-17110]
Resources (22.4.7)
AWS
- Added visibility into Redshift Serverless resources (Namespace and Workgroup). Redshift Serverless Namespace and Redshift Serverless Workgroup are shown in the tool as new Resource types Big Data Serverless Namespace and Big Data Serverless Workgroup respectively, both under the Compute resource category. [ENG-18185]
- A new Query Filter Big Data Serverless Namespace With Log Exports was added to support this resource.
- An existing Query Filter Big Data Instance/Serverless Workgroup With/Without Enhanced Routing was updated to support this resource.
- New permissions are also required: for read-only policies, “redshift-serverless:ListNamespaces” and “redshift-serverless:ListWorkgroups”; for power-user policies, “redshift-serverless:*”.
Alibaba Cloud
- Added harvesting support for Cache Instances of type Memcached for Alibaba Cloud. [ENG-18596]
AZURE
- Added visibility and lifecycle support for Azure Private Link Services. A new permission is required: “Microsoft.Network/privateLinkServices/read”. Azure Private Link Service will appear on the Resources page under category Network as resource type Network Endpoint Service and can be found using Azure terms “Private Link Service”. [ENG-18615]
Plugins (22.4.7)
- The “Plugins” part of the application will now display warnings emitted during plugin loading. This will show as a yellow hazard icon on the list page and a new section containing the actual warnings on the “Manage Plugin” page. [ENG-18811]
Insights (22.4.7)
New Compliance Pack - NYDFS Cybersecurity Regulation Part 500
22.4.7 includes a new Compliance Pack in support of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation Part 500. This Compliance Pack is applicable across all InsightCloudSec supported cloud types. The regulations included focus on repudiation, information disclosure, and risk assessment of cloud resources. This Compliance Pack takes advantage of several existing Insights to cover the following sections of the regulation:
- 500.2.b.1-3 Cybersecurity Program
- 500.5.b Penetration Testing and Vulnerability Assessments
- 500.6.b Audit Trail
- 500.7 Access Privileges
- 500.12.a Multi-factor authentication
- 500.13 Limitations on data retention
- 500.14.a Training and monitoring
- 500.15.a Encryption of nonpublic information [ENG-18636]
New Compliance Pack - AWS CIS v1.5
This release includes a new Compliance Pack in support of AWS CIS v1.5. This pack covers the controls that are new since the previous version (CIS 1.4), which include:
- 2.1.4 Ensure all data in Amazon S3 has been discovered, classified, and secured when required.
- 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- 2.3.3 Ensure that public access is not given to RDS Instance
- 2.4.1 Ensure that encryption is enabled for EFS file systems
- 4.16 Ensure AWS Security Hub is enabled
- 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
Other than control 2.1.4—which cannot be solved programmatically—InsightCloudSec has existing Insights for all of the new controls introduced in CIS 1.5. [ENG-18687]
AZURE
- Batch Environment Invalid Diagnostic Logging Configuration - New Insight matches the resource without the proper diagnostic configuration. [ENG-18573]
- Content Delivery Network Invalid Diagnostic Logging Configuration - New Insight matches Content Delivery Networks without the proper diagnostic configuration. [ENG-18413]
- Databricks Workspace Invalid Diagnostic Logging Configuration - New Insight matches the resource without the proper diagnostic configuration. [ENG-18573]
- Function App with Invalid Diagnostic Logging Configuration - New Insight matches the resource without the proper diagnostic configuration. [ENG-18573]
- Global Load Balancer Invalid Diagnostic Logging Configuration - New Insight matches the resource without the proper diagnostic configuration. [ENG-18573]
- Updated all Diagnostic Setting Logging Configuration Insights to improve/clarify remediation steps. [ENG-18573]
MULTI-CLOUD/GENERAL
- Enhanced the list_insights API endpoint to allow users to restrict results to Insights in a given set of Insight packs. Check out List Insights for details. [ENG-18612]
Query Filters (22.4.7)
AWS
- Big Data Instance/Serverless Workgroup With/Without Enhanced Routing - Updated Query Filter supports added visibility into Redshift Serverless resources (Workgroups and Namespaces). [ENG-18185]
- Big Data Serverless Namespace With Log Exports - New Query Filter supports added visibility into Redshift Serverless resources (Workgroups and Namespaces). [ENG-18185]
- Added two new Query Filters to identify both CDNs with cloud function (Lambda@Edge or CloudFront Functions) associations and serverless functions associated with CDNs [ENG-18343]:
  - Content Delivery Network Associated With Cloud Function - Identifies content delivery networks that are associated with a cloud function.
  - Serverless Function Associated With Content Delivery Network - Identifies serverless functions that are associated with a Content Delivery Network.
AZURE
- Content Delivery Network Invalid Diagnostic Logging Configuration - New Query Filter identifies Content Delivery Networks without the proper diagnostic configuration. [ENG-18413]
MULTI-CLOUD/GENERAL
- Resource Lifecycle State - Query Filter updated to include the state Insufficient Capacity as well as a string field for entering any additional states. [ENG-18608]
Bot Actions (22.4.7)
- “Set Encryption Key Policy” - New Bot action replaces or modifies encryption key policies. Ensures that both success and failure messages are relayed under Scheduled Events. [ENG-16445]
Bug Fixes (22.4.7)
- [ENG-18704] Fixed an issue where downloads from the Resources page produced multiple copies of the same file.
- [ENG-18703] Fixed an edge case where multi-resource type CSV files for download
- [ENG-18673] Fixed a bug where multiple Query Filter blades were opened on click, causing loss of navigation.
- [ENG-18655] Fixed a bug where the CloudCredentialsHarvester was failing when a GCP API Key did not have a display name.
- [ENG-18650] Fixed a bug with Batch Environment harvester.
- [ENG-18649] Fixed a bug with Network Flow Log harvester (AWS).
- [ENG-18639] Fixed a display bug that prevented subnets without an IPv4 CIDR block from displaying.
- [ENG-18588] Fixed a bug involving Insight Load Balancer Without SSL Listener showing false positives in GovCloud. We are now harvesting listener configuration information for AWS GovCloud load balancers. Harvesting this information allows GovCloud load balancers to be evaluated for their listener configuration by Insights like Load Balancer Without SSL Listener.
- [ENG-18573] Fixed a bug involving Insight Web App with Invalid Diagnostic Logging Configuration.
- [ENG-18545] Implemented the condition intrinsic function for CFT templates. Refer to AWS CloudFormation - IaC Supported Resources for full details on AWS - CFT support.
- [ENG-18542] Fixed harvesting strategy config region dropdown for AWS China.
- [ENG-18490] Fixed an edge case where an incorrect Terraform reference was provided.
- [ENG-17556] Improved error handling with AWS EDH in scenarios where the sqs:ReceiveMessage permission exists but the sqs:DeleteMessage permission is missing. Additionally improved error recovery when duplicate messages are received.
- [ENG-15718] Improved performance on Query Filter Instance Security Group Allows Access From Unknown Public IP.