Sep 20, 2022
InsightCloudSec is pleased to announce Release 22.9.21
InsightCloudSec Software Release Notice - 22.9.21 Release (09/21/2022)
Our latest Release 22.9.21 is available for hosted customers on Wednesday, September 21, 2022. Availability for self-hosted customers is Thursday, September 22, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
New Release Versioning - Now Live
Beginning with the September 7, 2022 release, InsightCloudSec versions its releases by date. The Major/Minor designation has been dropped so that we can focus on efficiently deploying features and bug fixes with every release.
- Release Notes are now identified by the date and will be provided with each release.
- Product documentation is now versioned by year/month (e.g., v22.9, v22.10, in yy.m/mm form) and will be updated to reflect content applicable to releases issued during the specified month. v22.9 is now live.
- Health of service for InsightCloudSec will be available as part of http://status.rapid7.com/. If you have any questions or concerns, reach out to your Cloud Customer Success Specialist, or contact us through the Customer Support Portal.
Release Highlights (22.9.21)
InsightCloudSec is pleased to announce Release 22.9.21. This release includes support for the AWS AppStream 2.0 resource App Stream Fleets, support for GCP Dataflow Jobs, and, for Azure, a new check that determines whether two-factor authentication is enabled on a user’s account.
In addition, 22.9.21 includes three new Insights, many updated Query Filters - including all resource tag-related Query Filters now supporting Oracle Cloud and all key rotation-related Query Filters now supporting Azure, five new Query Filters, one updated Bot action, 12 bug fixes, and five updates for Access Explorer.
- Contact us through the unified Customer Support Portal with any questions.
New Permissions Required (22.9.21)
New Permissions Required: AWS
For AWS Commercial and GovCloud Standard (Read-Only) Users: “appstream:DescribeFleets”
For AWS Commercial and GovCloud Power Users: “appstream:*”
The above permissions support the newly added AWS AppStream 2.0 resource. [ENG-17296]
Note: We recommend that our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier to attach and maintain. Details on this recommendation can be found in the AWS IAM Policies documentation under Standard User (Read-Only) AWS-managed supplemental policy.
New Permission Required: Azure
The following new permission is required for Azure: “AuditLog.Read.All”
This permission supports the new check on AzureArmIdentityDetailHarvester that determines whether a user’s account has two-factor authentication enabled. The harvester records the result in a new MFA value on the user.
This permission is available in the Microsoft Graph API. References for adding it, similar to adding the permission “Directory.Read.All”, can be found in Steps 8 and 9 of Azure Setup - Single Cloud and Azure Setup - Organization. [ENG-18468]
New Permission Required: GCP
The following new permissions are required for GCP: “dataflow.jobs.get” and “dataflow.jobs.list”
These additions support the added visibility into GCP Dataflow Jobs. Both permissions are included in the recommended “Dataflow API”. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-18338]
Features & Enhancements (22.9.21)
AWS
- Implemented a soft-error fail-over when calling AWS region us-east-2 during S3 bucket harvesting, so that an SCP that denies calls into that region no longer blocks the StorageContainerHarvester job. [ENG-19512]
MULTI-CLOUD
- New Scan Exemption Rule API endpoint: InsightCloudSec now includes an endpoint to trigger on-demand Insight Exemption Rule scan jobs. See the linked documentation on the endpoint for requirements and details. [ENG-17154]
Resources (22.9.21)
AWS
- Added visibility into the AWS AppStream 2.0 resource. App Stream Fleets are shown in the tool as the new Resource type App Stream Fleet under the Compute resource category. New permissions are also required: “appstream:DescribeFleets” (for read-only policies) and “appstream:*” (for power-user policies). [ENG-17296]
- Added support for harvesting AWS ElastiCache Clusters in the Paris and Milan regions, following AWS’ September 7 announcement of availability there. [ENG-19571]
- Expanded parent/child resource relationships to include:
  - Application Gateways: Application Stages
  - Big Data Serverless Namespaces: Big Data Serverless Workgroups
  - Database Clusters: Database Instances
  - Private Networks: Internet Gateways
  This expansion broadens the support of the following Query Filters:
  - Parent Resource Contains Tag Key/Value Pair
  - Parent Resource Contains Tag Key
  - Resource Tag Does Not Mirror Parent
  - Resource Tag Mirrors Parent
  - Parent Resource Not In Resource Group
  This expansion also broadens support for the Bot Action “Mirror Resource Tags From Parent”. [ENG-19506, ENG-19347]
AZURE
- Added a check on AzureArmIdentityDetailHarvester to determine whether a user’s account has two-factor authentication enabled. The harvesting identity requires the “AuditLog.Read.All” permission (available in the Microsoft Graph API) within Azure to return the new MFA value. References for adding this permission, similar to adding the permission “Directory.Read.All”, can be found in Steps 8 and 9 of Azure Setup - Single Cloud and Azure Setup - Organization. [ENG-18468]
- Added support for harvesting ‘key_rotation’ and ‘rotation_period’ values for keys in Azure, and added the new Query Filter Encryption Key With/Without Automatic Rotation Enabled for checking automatic rotation on keys. Existing Query Filters that query key rotation now include Azure in their list of supported clouds. [ENG-18897]
GCP
- Added visibility into GCP Dataflow Jobs. These resources are shown in the tool as the new Resource type Dataflow Job under the Compute resource category. We have added three new Query Filters related to Dataflow Jobs:
  - Dataflow Job Using Default Service Account (GCP)
  - Dataflow Job Using Workers with Public IPs (GCP)
  - Dataflow Job with Specific Job State (GCP)
  This new resource type requires the “dataflow.jobs.get” and “dataflow.jobs.list” permissions. Both permissions are included in the Dataflow API. [ENG-18338]
Insights (22.9.21)
AWS
Launch Template IMDSv2 Response Hop Limit
- New Insight, part of AWS’ Foundational Security Best Practices compliance pack (AutoScaling.4), supporting AWS, AWSGovCloud, and AWS China. It focuses on secure network configuration by flagging launch templates whose IMDS PUT response hop limit permits the IMDSv2 session token to travel more than one network hop, allowing the token to leave the EC2 instance (for example, to reach a container or another host routed through it). [ENG-19614]
IaC
- Two new Insights are provided for the added IaC support for the new Dataflow Jobs [ENG-18340]:
Dataflow Job Uses Default Service Account
Dataflow Job With Public Worker IP Configuration
Query Filters (22.9.21)
AWS
- Launch Template IMDSv2 Response Hop Limit
  - New Query Filter supporting the Insight of the same name, part of AWS’ Foundational Security Best Practices compliance pack (AutoScaling.4) for AWS, AWSGovCloud, and AWS China. It focuses on secure network configuration by flagging launch templates whose IMDS PUT response hop limit permits the IMDSv2 session token to travel more than one network hop, allowing the token to leave the EC2 instance. [ENG-19614]
- Broadened support of the following Query Filters to reflect the expanded parent/child resource relationships (Application Gateways: Application Stages, Big Data Serverless Namespaces: Big Data Serverless Workgroups, Database Clusters: Database Instances, and Private Networks: Internet Gateways) [ENG-19506, ENG-19347]:
  - Parent Resource Contains Tag Key/Value Pair
  - Parent Resource Contains Tag Key
  - Resource Tag Does Not Mirror Parent
  - Resource Tag Mirrors Parent
  - Parent Resource Not In Resource Group
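The Insight and Query Filter named Launch Template IMDSv2 Response Hop Limit both evaluate the same launch template setting. The following is an added example written for these notes (not InsightCloudSec’s own Insight or Query Filter code) that applies the check to launch template data in the shape returned by `ec2 describe-launch-template-versions`. It also reports the related `HttpTokens` setting, which is not part of AutoScaling.4. The sample templates are constructed, and the assumption that a template without `MetadataOptions` inherits a hop limit of 1 is marked in the code.

```python
# Added example for these release notes (not InsightCloudSec's own Insight or
# Query Filter code). It evaluates the MetadataOptions block of EC2 launch
# template data, in the shape returned by ec2 describe-launch-template-versions,
# for the IMDSv2 response hop limit condition behind AutoScaling.4.
# The launch templates below are constructed sample data, not a real account.

def imds_findings(launch_template_data, max_hops=1):
    """Return the list of IMDS findings for one launch template version.

    HttpPutResponseHopLimit is the IP TTL EC2 puts on the response to the
    IMDSv2 PUT token request. At 1 the response cannot be forwarded past the
    instance itself (e.g. into a container behind NAT); a larger value lets the
    session token leave the instance.
    """
    opts = launch_template_data.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # IMDS is off entirely, so there is no token to leak
    # Assumption: a template that omits the option inherits the EC2 default of 1.
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
    if hop_limit > max_hops:
        findings.append(f"HttpPutResponseHopLimit={hop_limit} exceeds {max_hops}")
    # Separate but related control: IMDSv1 stays reachable unless tokens are required.
    if opts.get("HttpTokens", "optional") != "required":
        findings.append("HttpTokens is not 'required' (IMDSv1 still allowed)")
    return findings


def hop_limit_noncompliant(templates, max_hops=1):
    """Names of launch templates that fail the hop limit check, sorted."""
    return sorted(
        name for name, data in templates.items()
        if any(f.startswith("HttpPutResponseHopLimit") for f in imds_findings(data, max_hops))
    )


# Constructed sample LaunchTemplateData documents keyed by template name.
SAMPLE_TEMPLATES = {
    "lt-web-hardened": {
        "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    },
    "lt-container-hosts": {
        # Raised to 2 so containers can reach IMDS; this is what the Insight flags.
        "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2},
    },
    "lt-legacy": {},  # no MetadataOptions at all: hop limit 1, but IMDSv1 allowed
    "lt-no-imds": {
        "MetadataOptions": {"HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 64},
    },
}

if __name__ == "__main__":
    for name, data in SAMPLE_TEMPLATES.items():
        print(name, imds_findings(data) or "compliant")
```

Only `lt-container-hosts` fails the hop limit check; `lt-legacy` passes it but still allows IMDSv1, which is why the two findings are reported separately. Raising `max_hops` to 2 (the value commonly set so containers can reach IMDS) clears the hop limit finding, which is the trade-off the Insight exists to surface.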
AZURE
- Encryption Key With/Without Automatic Rotation Enabled
  - New Query Filter that checks automatic rotation on keys, built on the newly harvested ‘key_rotation’ and ‘rotation_period’ values for keys in Azure. [ENG-18897]
- Existing Query Filters that query key rotation now include Azure in their list of supported clouds. [ENG-18897]
GCP
- The following new Query Filters support the new Dataflow Jobs resource [ENG-18338]:
  - Dataflow Job Using Default Service Account (GCP): identifies Dataflow Jobs that use the default service account.
  - Dataflow Job Using Workers with Public IPs (GCP): identifies Dataflow Jobs whose workers have public IP addresses.
  - Dataflow Job with Specific Job State (GCP): identifies Dataflow Jobs in the specified job state. If no state is selected, all jobs are returned.
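The three Dataflow Job Query Filters above, and the Dataflow Job resource described under Resources, read the job’s environment and state. The following is an added example written for these notes (not InsightCloudSec’s own Query Filter code) that applies all three checks to job documents in the shape of the Dataflow v1b3 `projects.locations.jobs.get` response fetched with `JOB_VIEW_ALL`. The sample jobs are constructed; the treatment of a missing `workerPools` list (no public IP finding, re-fetch with the full view) is an assumption noted in the code.

```python
# Added example for these release notes (not InsightCloudSec's own Query Filter
# code). It evaluates Dataflow Job resources, in the shape of the Dataflow v1b3
# projects.locations.jobs.get response with JOB_VIEW_ALL, against the three new
# filters. The jobs below are constructed sample data, not a real project.

DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def uses_default_service_account(job):
    """Dataflow runs workers as the Compute Engine default service account
    (PROJECT_NUMBER-compute@developer.gserviceaccount.com) when the job does
    not set environment.serviceAccountEmail, so both cases are findings."""
    sa = job.get("environment", {}).get("serviceAccountEmail", "")
    return sa == "" or sa.endswith(DEFAULT_SA_SUFFIX)


def uses_public_worker_ips(job):
    """Only WORKER_IP_PRIVATE keeps external addresses off workers; an explicit
    WORKER_IP_PUBLIC and the unspecified default both get public IPs.
    Assumption: without workerPools (a summary view) nothing can be judged, so
    no finding is raised and the job should be re-fetched with JOB_VIEW_ALL."""
    pools = job.get("environment", {}).get("workerPools", [])
    return any(
        pool.get("ipConfiguration", "WORKER_IP_UNSPECIFIED") != "WORKER_IP_PRIVATE"
        for pool in pools
    )


def in_job_state(job, states=None):
    """Match currentState; with no state selected every job matches."""
    return not states or job.get("currentState") in set(states)


def evaluate(jobs, states=None):
    """Map job name -> list of filter names the job matches, for jobs in `states`."""
    results = {}
    for job in jobs:
        if not in_job_state(job, states):
            continue
        hits = []
        if uses_default_service_account(job):
            hits.append("Dataflow Job Using Default Service Account")
        if uses_public_worker_ips(job):
            hits.append("Dataflow Job Using Workers with Public IPs")
        results[job["name"]] = hits
    return results


# Constructed sample jobs; the project number and account names are invented.
SAMPLE_JOBS = [
    {
        "name": "nightly-etl",
        "currentState": "JOB_STATE_RUNNING",
        "environment": {
            "serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com",
            "workerPools": [{"ipConfiguration": "WORKER_IP_PUBLIC"}],
        },
    },
    {
        "name": "pii-scrub",
        "currentState": "JOB_STATE_RUNNING",
        "environment": {
            "serviceAccountEmail": "dataflow-pii@example-project.iam.gserviceaccount.com",
            "workerPools": [{"ipConfiguration": "WORKER_IP_PRIVATE"}],
        },
    },
    {
        # No serviceAccountEmail and no ipConfiguration: both defaults apply.
        "name": "old-backfill",
        "currentState": "JOB_STATE_DONE",
        "environment": {"workerPools": [{}]},
    },
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_JOBS).items():
        print(name, hits or "no findings")
    print("running only:", sorted(evaluate(SAMPLE_JOBS, states=["JOB_STATE_RUNNING"])))
```

`old-backfill` shows why absence of a setting is itself a finding: a job that never names a service account or an IP configuration gets the default Compute Engine account and public worker addresses.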
OCI (Oracle Cloud Infrastructure)
- We have updated our resource tag-related Query Filters to support Oracle Cloud resources. We provide tag support for the following Oracle Cloud resources [ENG-19496]:
- Cloud User
- Database Instance
- Distributed Table
- Encryption Key Vault
- Instance
- Notification Subscription
- Notification Topic
- Private Network
- Private Subnet
- Public IP
- Resource Access List
- Secret
- Shared File System
- Snapshot
- Storage Container
- Volume
Infrastructure as Code (IaC) New Support (22.9.21)
- This change adds IaC support for the new GCP Dataflow Jobs resource as well as two new Insights [ENG-18340]:
Dataflow Job With Public Worker IP Configuration
Dataflow Job Uses Default Service Account
Bot Actions (22.9.21)
AWS
- “Mirror Resource Tags From Parent” - This Bot action’s support has been broadened through the expanded parent/child resource relationships [ENG-19506, ENG-19347]:
- Application Gateways: Application Stages
- Big Data Serverless Namespaces: Big Data Serverless Workgroups
- Database Clusters: Database Instances
- Private Networks: Internet Gateways
Bug Fixes (22.9.21)
- [ENG-19817] Fixed a bug with the Query Filter Instance Has No Instances.
- [ENG-19730] Added a fix for the Database/Big Data/Broker/Stream Security Group Exposing Access Query Filter so that it now accounts for the AllowAllWindowsAzureIps setting on database instances. Previously, this caused the Database Instance with Access List Attached Exposed to the Public Insight to report incorrectly for database instances using this setting.
- [ENG-19718] Fixed a pagination issue for several resource types that limited visibility to a maximum of 1,000 resources per asset class within an Azure subscription.
- [ENG-18898] Fixed a bug that showed the wrong visibility status for Kubernetes Guardrails accounts.
- [ENG-18763] Resolved a bug when creating exemptions from the impacted resources of a scorecard cell (report view). When a user chose ‘select all items’ to create exemptions, exemptions were created only for the current page of resources, even though there might be many pages of results. This fix loads all results when ‘select all items’ is chosen and creates the correct number of exemptions.
- [ENG-18652] Fixed a bug in the DDoS Protection Harvester that caused it to return a NoneType error.
- [ENG-18487] Fixed the NYDFS Compliance Pack findings to remove some licensed Insight findings and enable all customers to use this Compliance Pack without any additional changes or features.
- [ENG-18383] Updated the API endpoint /v3/iam/iam-explorer/actions-per-service: an error response is now returned if a Federated User is sent in the request body.
- [ENG-18071] Fixed a bug that was causing false positive results when the Database Instance Vulnerability Assessment Without Configured Email Notifications (Azure) Query Filter was applied.
- [ENG-17664] For Azure, we have enhanced our Public Access analysis for Resource Access List to include connections to subnets in addition to connections to network interfaces. This update means that security groups that are attached solely via subnet will now be assessed when looking for resources exposing ports to the Internet. This analysis will surface additional resources that may be publicly exposed given this alternative security configuration.
- [ENG-14450] The GCP CIS 4.3 control has two exceptions to the check for whether an instance is at risk because it does not have its Block project-wide SSH keys setting enabled. The first is whether OS Login is enabled; if so, the Block project-wide SSH keys setting is irrelevant, because OS Login ignores metadata-based SSH keys. The second is whether the instance was created by Google Kubernetes Engine (GKE); if so, it can safely be ignored too. This update removes instances from the Insight’s non-compliance results if they meet either of these two criteria.
- [ENG-11420] Updated the scorecard label to indicate on the y-axis that the value displayed is the number of impacted resources.
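The CIS 4.3 fix above combines one setting with two exemptions, and the order matters (an exempt instance should never be reported even if the setting is missing). The following is an added example written for these notes (not InsightCloudSec’s own Insight code) that evaluates instances in the shape of `compute.instances.get` output with that logic, including the project-level `enable-oslogin` value that an instance can override. The sample instances and project metadata are constructed; the use of the `goog-gke-node` label to recognise GKE-created VMs is an assumption marked in the code.

```python
# Added example for these release notes (not InsightCloudSec's own Insight
# code). It evaluates GCE instances, in the shape of compute.instances.get
# output, against CIS GCP 4.3 (Block project-wide SSH keys) with the two
# exemptions described in the ENG-14450 fix. Sample data is constructed.

# Assumption: GKE marks the VMs it creates with this instance label.
GKE_NODE_LABEL = "goog-gke-node"


def _metadata_items(metadata):
    """Flatten a GCE metadata object ({"items": [{"key": .., "value": ..}]}) to a dict."""
    return {item["key"]: item.get("value", "") for item in (metadata or {}).get("items", [])}


def _is_true(value):
    # GCE metadata values are strings; "TRUE", "true" and "True" all enable a flag.
    return str(value).strip().lower() == "true"


def cis_4_3_reason(instance, project_common_metadata=None):
    """Return why the instance is non-compliant, or None if compliant or exempt."""
    if GKE_NODE_LABEL in instance.get("labels", {}):
        return None  # exemption 2: GKE created and manages this node
    inst_md = _metadata_items(instance.get("metadata"))
    proj_md = _metadata_items(project_common_metadata)
    # enable-oslogin may be set on the project and overridden per instance.
    oslogin = inst_md.get("enable-oslogin", proj_md.get("enable-oslogin", "false"))
    if _is_true(oslogin):
        return None  # exemption 1: OS Login ignores metadata-based SSH keys
    if _is_true(inst_md.get("block-project-ssh-keys", "false")):
        return None  # the control itself is satisfied
    return "project-wide SSH keys accepted: block-project-ssh-keys unset and OS Login disabled"


def noncompliant_instances(instances, project_common_metadata=None):
    """Sorted names of instances the Insight would report as non-compliant."""
    return sorted(i["name"] for i in instances if cis_4_3_reason(i, project_common_metadata))


# Constructed sample data: project metadata enables OS Login for the whole project.
SAMPLE_PROJECT_METADATA = {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}

SAMPLE_INSTANCES = [
    {
        "name": "bastion",
        "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]},
    },
    {
        # Explicitly turns OS Login off again, so the project-level value does not help.
        "name": "legacy-app",
        "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
    },
    {
        "name": "inherits-oslogin",
        "metadata": {"items": []},
    },
    {
        # GKE node: exempt even though it disables OS Login and does not block keys.
        "name": "gke-prod-default-pool-1a2b",
        "labels": {GKE_NODE_LABEL: ""},
        "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
    },
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        print(inst["name"], cis_4_3_reason(inst, SAMPLE_PROJECT_METADATA) or "compliant/exempt")
```

Running the same instances without the project metadata shows the other half of the fix: `inherits-oslogin` then loses its exemption and is reported alongside `legacy-app`, so an evaluator that only looks at instance metadata over-reports in projects that enable OS Login centrally.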
Access Explorer (Cloud IAM Governance) (22.9.21)
The following updates are related to our Cloud IAM Governance (Access Explorer) capabilities. Contact us through the Customer Support Portal with any questions.
Cloud IAM Governance Bug Fixes (22.9.21)
- [ENG-19503] Resolved an error on the Explorer page for principals that have at least one statement with NotAction and Effect: Allow and at least one other statement with Action that affects the same permission, where at least one of the statements must be resolved on a per-resource basis (because of a resource-specific Condition, a Resource value other than “*”, or a NotResource element).
- [ENG-19475] Provided more graceful handling of service control policies that contain conditions we do not yet support. Some users may have noticed errors logged in these situations. The impact on effective access calculations was minimal.
  - When in doubt, we ignore these conditional statements with Deny effects, which lets any Allow statements surface. Previously, we skipped the summary of the entire organizational unit or account, which in most cases has a similar effect on the final calculation since SCPs can only restrict access. Some customers may notice more precise results for principals in organizational units with multiple SCPs attached, at least one of which has conditions we do not yet support and at least one other statement or policy further restricting access. Previously, we would have ignored the effect of the latter statement; it is now included in the full effective access calculation.
- [ENG-19440] Performance enhancement and minor bug fix in building the full IAM cache for Access Explorer: fixed a bug in the IAM cache build involving NotAction statements applied to resources that may be affected by permissions from multiple services. In some cases, NotAction statements that applied to one action prefix were applied to another action prefix captured in the effective access calculation for that resource/principal pair.
- [ENG-19431] Removed the erroneous log message “Condition marked as supported but not yet implemented”.
- [ENG-19320] Fixed a bug in Access Explorer where the same principal has policies with Allow on “*” and other policies with conditionals or non-star Resource elements.