Sep 06, 2022
InsightCloudSec is pleased to announce Release 22.9.7
InsightCloudSec Software Release Notice - 22.9.7 Release (09/07/2022)
Our latest Release 22.9.7 is available for hosted customers on Wednesday, September 7, 2022. Availability for self-hosted customers is Thursday, September 8, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
New Release Versioning
Date-Based Release Versioning Now Live
Beginning with this release, dated September 7, 2022 - InsightCloudSec will use dates for our release versions. All releases will remove the Major/Minor designation and use the release date to allow us to focus on efficiently deploying features and bug fixes for every release.
- Release Notes are now identified by the date and will be provided with each release.
- Product documentation is now versioned by year/month (e.g., v22.9, v22.10 (yy.m/mm)) and will be updated to reflect content applicable to releases issued during the specified month. v22.9 is now live.
- Health of service for InsightCloudSec will be available as part of http://status.rapid7.com/. If you have any questions or concerns, reach out to your Cloud Customer Success Specialist, or contact us through the Customer Support Portal.
Release Highlights (22.9.7)
InsightCloudSec is pleased to announce Release 22.9.7. This release adds support and visibility into AWS’ QuickSight Subscription resource. We have updated our Parent/Child relationships to include four additional resource types - allowing us to include these resources in additional Query Filters and Bot Actions. 22.9.7 adds AWS EDH support for Load Balancers, and provides the option to retain existing scheduled events when modifying Bots. We have improved the performance and attributes of an existing Jinja2 Reference, and enabled download capabilities for Principal Activity.
In addition, 22.9.7 includes one new Insight and one updated Insight, seven new Query Filters, two updated Query Filters, one renamed Query Filter, four extended Bot actions, and four bug fixes.
- For our Cloud IAM Governance module, scroll to the lower half of this page for details around one new feature enhancement and three bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
New Permissions Required (22.9.7)
New Permissions Required: AWS
For AWS Standard (Read-Only) Users: “quicksight:DescribeAccountSettings”, “quicksight:DescribeAccountSubscription”, “quicksight:DescribeIpRestriction”, “quicksight:ListUsers”
For AWS Power Users: “quicksight:*”
These new required permissions support the added visibility into AWS’ QuickSight Subscription resource. [ENG-17397]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
Features & Enhancements (22.9.7)
- We have updated our Parent/Child relationships to include Big Data Snapshots, Database Snapshots, Memcache Snapshots, and Log Groups. By adding these relationships, these resources are now supported by the Query Filters Resource Tag Mirrors Parent and Resource Tag Does Not Mirror Parent and can be used more effectively with the Bot action “Mirror Resource Tags From Parent”. [ENG-19232]
- Updated the Jinja function get_badge_value_by_key_for_parent_cloud to allow choosing case sensitivity and returning a default value. Refer to the Jinja 2 Reference documentation for details. [ENG-18891]
- Added a download option to the Principal Activity blade, allowing download of a remediation policy that denies all but the permissions in active use by the principal. Additional information can be found at AWS LPA Usage and Azure LPA Usage. [ENG-18472]
- Added a new API endpoint allowing download of a remediation policy that denies all but the permissions in active use by the principal. Additional information can be found on the endpoint’s reference page. [ENG-18471]
- Provided customers the option to retain existing scheduled events when modifying Bots. [ENG-18171]
Resources (22.9.7)
AWS
- Added visibility into AWS’ QuickSight Subscription resource. QuickSight Subscriptions are shown in the tool as the new Resource type Business Intelligence Subscription under the Identity & Management resource category. Several new Query Filters support this resource. New permissions are also required. [ENG-17397]
  - New Query Filters supporting this resource: Business Intelligence Subscription Edition, Business Intelligence Subscription With IP Restriction, Business Intelligence Subscription With Public Sharing, Business Intelligence Subscription With Specified User Count
  - New required permissions for read-only policies: “quicksight:DescribeAccountSettings”, “quicksight:DescribeAccountSubscription”, “quicksight:DescribeIpRestriction”, “quicksight:ListUsers”
  - New required permissions for power-user policies: “quicksight:*”
- Expanded AWS EDH support for Load Balancers by adding the ModifyListener event. [ENG-19183]
Insights (22.9.7)
- Principals with Unused Permissions (AWS) - New Insight matches Principals that have more than 70 percent unused permissions within the last 90 days. [ENG-18205]
- Encryption Key Exposed To Public - Insight updated to return encryption keys exposed to the public only if the encryption key is in an “Enabled” state. This means that if the encryption key is not in an enabled state, it may no longer be flagged as “exposed to public”. [ENG-19191]
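Added example, not InsightCloudSec’s code and not the format of the policy the product downloads: it shows the two least-privilege pieces described on this page, the “more than 70 percent unused” check behind the Insight above and the remediation policy from Features & Enhancements that denies all but the permissions in active use, run over a constructed set of granted and observed actions. The policy shape (a single Deny with NotAction) is an assumption made for illustration.

```python
import json

# Constructed sample data (not from any real account): the actions a principal
# is granted, already expanded from its policies, and the subset observed in
# use during the 90-day lookback window the Insight refers to.
GRANTED_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:TerminateInstances", "iam:PassRole", "logs:PutLogEvents",
]
USED_ACTIONS = ["s3:GetObject", "logs:PutLogEvents"]

UNUSED_THRESHOLD_PCT = 70  # the new Insight flags principals above this share


def unused_percentage(granted, used):
    """Share of granted actions with no observed activity, as a percentage."""
    granted_set = set(granted)
    if not granted_set:
        return 0.0
    # Activity on an action the principal is not granted cannot count as use
    # of a granted permission, so intersect before counting.
    used_set = set(used) & granted_set
    return 100.0 * (len(granted_set) - len(used_set)) / len(granted_set)


def has_excess_permissions(granted, used, threshold=UNUSED_THRESHOLD_PCT):
    """True when strictly more than `threshold` percent of grants are unused."""
    return unused_percentage(granted, used) > threshold


def remediation_policy(granted, used):
    """Assumed illustrative shape: one explicit Deny that exempts only the
    actions in active use. An explicit Deny overrides any Allow, so attaching
    it leaves just the observed actions effective."""
    keep = sorted(set(used) & set(granted))
    statement = {"Sid": "DenyAllButActivelyUsed", "Effect": "Deny", "Resource": "*"}
    if keep:
        statement["NotAction"] = keep
    else:
        # IAM rejects an empty Action/NotAction list; with no observed use,
        # "deny all but nothing" is simply a deny-all.
        statement["Action"] = "*"
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    pct = unused_percentage(GRANTED_ACTIONS, USED_ACTIONS)
    print(f"unused: {pct:.1f}% flagged={has_excess_permissions(GRANTED_ACTIONS, USED_ACTIONS)}")
    print(json.dumps(remediation_policy(GRANTED_ACTIONS, USED_ACTIONS), indent=2))
```

Before attaching such a policy, review the exempt list against the lookback window: an action that is only exercised quarterly will look unused and would be denied.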
Query Filters (22.9.7)
AWS
- Cloud Role Type - New Query Filter identifies AWS IAM Roles based on their type (i.e., service-role or service-linked-role). [ENG-18865]
- Cloud User or IAM Role That Has Unused Permissions - New Query Filter identifies Cloud users or IAM roles that have more than a specified percentage of unused permissions. [ENG-18157]
- Four new Query Filters support the added visibility into AWS’ QuickSight Subscription resource [ENG-17397]:
  - Business Intelligence Subscription Edition - Identifies business intelligence subscriptions with the specified edition.
  - Business Intelligence Subscription With IP Restriction - Identifies business intelligence subscriptions by IP restrictions. By default, matches subscriptions without IP restrictions. Optionally, matches subscriptions with IP restrictions enabled and, further, matches subscriptions allowing access outside of an approved list.
  - Business Intelligence Subscription With Public Sharing - Identifies business intelligence subscriptions with public sharing.
  - Business Intelligence Subscription With Specified User Count - Identifies business intelligence subscriptions by number of users.
AZURE
- Cloud Account Missing Virtual Network/Network Watcher Pair - Query Filter renamed from Cloud Account Network Watcher in Region Without Network (Azure). [ENG-18131]
- Cloud Account Network Watcher in Region Without Network (Azure) - Query Filter renamed to Cloud Account Missing Virtual Network/Network Watcher Pair. [ENG-18131]
- Cloud Region Without Network Watcher Enabled - New Query Filter identifies specific cloud regions instead of full cloud accounts. [ENG-18131]
MULTI-CLOUD/GENERAL
- Resource Tag Mirrors Parent and Resource Tag Does Not Mirror Parent - We have updated our Parent/Child relationships to include Big Data Snapshots, Database Snapshots, Memcache Snapshots, and Log Groups. By adding these relationships, these resources are now supported by the Query Filters Resource Tag Mirrors Parent and Resource Tag Does Not Mirror Parent and can be used more effectively with the Bot action “Mirror Resource Tags From Parent”. [ENG-19232]
Bot Actions (22.9.7)
AWS
- We have updated the Bot action “Set Load Balancer SSL Policy Of Listener” to support Network Load Balancers (NLB) in addition to Application Load Balancers. Added the option to specify the listener port. By default, the listener port will still be 443, but multiple ports may now be used. [ENG-19165]
MULTI-CLOUD/GENERAL
- Extended the Bot action “Update API Credentials” to work with GCP Service Accounts and Alibaba Cloud Users. [ENG-17930]
- Added functionality to allow Data Collections to be used in the Bot action “Remove Unknown Accounts From Assume Role Policy”. [ENG-19810]
- “Mirror Resource Tags From Parent” - This Bot action can now be used more effectively because our Parent/Child relationships now include Big Data Snapshots, Database Snapshots, Memcache Snapshots, and Log Groups. By adding these relationships, these resources are also supported by the Query Filters Resource Tag Mirrors Parent and Resource Tag Does Not Mirror Parent. [ENG-19232]
Bug Fixes (22.9.7)
- [ENG-19261] Fixed a bug that prevented tagging of ECS Container Instances.
- [ENG-18774] Fixed a bug with the Insight Database Instance Minimum TLS Version that was incorrectly flagging Azure databases enforcing TLS 1.2.
- [ENG-18423] Fixed an edge case where Bots launched from a core/custom Insight would be created when the Cancel button was clicked.
- [ENG-18363] Fixed configuration errors for the Cloud Account Without Compartment In Root Tenancy and Cloud Account With Noncompliant Retention Period Insights.
Cloud IAM Governance (Access Explorer) Updates - 22.9.7 Release (09/07/2022)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us through the Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.9.7)
- Enabled the Differential Cache build by default. This removes the IAM Cache Status widget because the cache is now constantly running in a more “event driven” cadence. Also, if no accounts are explicitly allowlisted, we will treat all AWS/GovCloud/AWS-China accounts as allowlisted. Additional information can be found in IAM Settings. [ENG-19015]
Cloud IAM Governance Bug Fixes (22.9.7)
- [ENG-19006] Cleaned up log output from building the cache for Access Explorer.
- [ENG-18990] Fixed the Principal Explorer calculation of access with Service Control Policies (SCPs). Users will see more correct output in the Principal Explorer when SCPs and PBs are involved, particularly for complex syntax that includes NotAction or Condition.
- [ENG-12361] Fixed an error in under-reporting access for services that support * in the ARN (API Gateway and CloudWatch). Some users may see more results for these resources in the Access Explorer.