Sep 27, 2022
InsightCloudSec is pleased to announce Release 22.9.28
InsightCloudSec Software Release Notice - 22.9.28 Release (09/28/2022)
Our latest Release 22.9.28 is available for hosted customers on Wednesday, September 28, 2022. Availability for self-hosted customers is Thursday, September 29, 2022. If you're interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
New Release Versioning - Now Live
Beginning with the September 7, 2022 release, InsightCloudSec uses dates for its release versions. Releases no longer carry a Major/Minor designation and are identified by release date instead, which lets us focus on efficiently deploying features and bug fixes in every release.
- Release Notes are now identified by the date and will be provided with each release.
- Product documentation is now versioned by year/month (e.g., v22.9, v22.10 (yy.m/mm)) and will be updated to reflect content applicable to releases issued during the specified month. v22.9 is now live.
- Health of service for InsightCloudSec will be available as part of http://status.rapid7.com/. If you have any questions or concerns, reach out to your Cloud Customer Success Specialist, or contact us through the Customer Support Portal.
Release Highlights (22.9.28)
InsightCloudSec is pleased to announce Release 22.9.28. This Release includes updates to the AWS Foundational Security Best Practices Compliance Pack and the introduction of Terraform Cloud/Enterprise Run Task integration for IaC scanning. Updates also include a new API Endpoint for triggering an Exemption rule scan and updates to Jinja2 support to take a JMESPath expression for improved functionality.
In addition, 22.9.28 includes three new Insights, seven updated Query Filters, one new Query Filter, one new Bot action, ten bug fixes, and three updates for Access Explorer.
- Contact us through the unified Customer Support Portal with any questions.
Features & Enhancements (22.9.28)
MULTI-CLOUD
- Added retroactive runs (up to one hour late) for daily or less frequent scheduled events after system boot. Enhanced Bot logging to allow linking with main job runs. [ENG-19902]
- Updated Jinja2 support allows resource.serialize to take a JMESPath expression through the jmespath param, to support filtering and transformations on the resource's JSON. [ENG-18695]
- Instance agent information is now included in the Resource Property panel as well as the resource details API call. [ENG-14959]
- Added new query parameters to the endpoint /v3/iam/principals/<path:principal_resource_id>/permissions:
  - filter_by (key to filter by: 'permission' or 'status')
  - filter (value to filter by)
  - order ('asc' or 'desc')
  - order_by (key to order by: 'permission' or 'status')
  - page (positive integer)
  - page_size (positive integer)
  Additional information can be found in the API reference List Principal Permissions. [ENG-18141]
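The following helper, added here as an illustration and not part of InsightCloudSec's own client code, builds a request URL for the List Principal Permissions endpoint using the query parameters listed above. It validates the allowed values for filter_by, order and order_by and rejects non-positive page and page_size values before anything is sent. The base URL and the principal ARN are constructed placeholders; the endpoint's <path:...> segment accepts slashes, so the principal id is percent-encoded with '/' and ':' left intact (an assumption about the route, based on the path converter shown in the note).

```python
"""Build a List Principal Permissions URL with validated query parameters.

Added example; the base URL and sample principal id are constructed placeholders.
"""
from urllib.parse import quote, urlencode

BASE_URL = "https://insightcloudsec.example.invalid"  # placeholder, not a real host

# Allowed values taken from the release note for this endpoint.
ALLOWED_FILTER_KEYS = {"permission", "status"}
ALLOWED_ORDER = {"asc", "desc"}
ALLOWED_ORDER_KEYS = {"permission", "status"}


def _positive_int(name, value):
    """page and page_size must be positive integers; bool is excluded on purpose."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return value


def build_permissions_url(principal_resource_id, *, filter_by=None, filter=None,
                          order=None, order_by=None, page=None, page_size=None):
    """Return the full URL for /v3/iam/principals/<principal_resource_id>/permissions.

    Only parameters that were given are placed in the query string, in the order
    the release note lists them.
    """
    params = {}
    if filter_by is not None:
        if filter_by not in ALLOWED_FILTER_KEYS:
            raise ValueError(f"filter_by must be one of {sorted(ALLOWED_FILTER_KEYS)}")
        params["filter_by"] = filter_by
    if filter is not None:
        params["filter"] = str(filter)
    if order is not None:
        if order not in ALLOWED_ORDER:
            raise ValueError(f"order must be one of {sorted(ALLOWED_ORDER)}")
        params["order"] = order
    if order_by is not None:
        if order_by not in ALLOWED_ORDER_KEYS:
            raise ValueError(f"order_by must be one of {sorted(ALLOWED_ORDER_KEYS)}")
        params["order_by"] = order_by
    if page is not None:
        params["page"] = _positive_int("page", page)
    if page_size is not None:
        params["page_size"] = _positive_int("page_size", page_size)

    # The route uses a <path:> converter, so '/' inside an ARN must survive;
    # everything else that is unsafe in a path segment is percent-encoded.
    encoded_id = quote(principal_resource_id, safe="/:")
    url = f"{BASE_URL}/v3/iam/principals/{encoded_id}/permissions"
    if params:
        url += "?" + urlencode(params)
    return url


if __name__ == "__main__":
    # Constructed sample principal id (placeholder account id).
    print(build_permissions_url("arn:aws:iam::123456789012:role/ExampleRole",
                                filter_by="status", filter="allowed",
                                order="asc", order_by="permission",
                                page=1, page_size=50))
```

Sending the request still needs the session's authentication headers, which are outside the scope of this note.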
User Interface Changes (22.9.28)
- We have added pagination controls to the bottom of tables across several sections of the product: Clouds, Bots, Query Filters, Tag Explorer results, and Insights. The pagination controls are only displayed at the bottom of the table if there’s more than one page to display. [ENG-19810]
Resources (22.9.28)
GCP
- Implemented harvesting of GCP Tags and Badges. We now harvest tags at the org, folder, and project levels. [ENG-16643]
Insights (22.9.28)
AWS
- Autoscaling Group not using Launch Template - New Insight updates our support of the AWS Foundational Security Best Practices Compliance Pack by adding the Autoscaling 9.0 control Autoscaling Group not using Launch Template. This new Insight identifies autoscaling groups that are not using a launch template. [ENG-19570]
- Build Project With Privileged Mode Enabled - New Insight updates our support of the AWS Foundational Security Best Practices Compliance Pack by adding the CodeBuild 5.0 control Build Project With Privileged Mode Enabled. We are also adding a Query Filter, Build Project Environment Privileged Mode Enabled/Disabled, to support the Insight. [ENG-19615]
- Cloud Policy with Full Access Attached - New Insight supports the update of the AWS CIS compliance checks from 1.2.0 to 1.5.0 regarding the existence of policies with full access by also inspecting whether the policy is in use, i.e., it is attached to a resource such as a role. The new Insight Cloud Policy with Full Access Attached uses the existing Query Filter Cloud Policy With Full Access with the new filter option Policy is Attached. [ENG-19985]
Query Filters (22.9.28)
AWS
- Build Project Environment Privileged Mode Enabled/Disabled - New Query Filter identifies build projects with environments that have privilegedMode enabled or, optionally, disabled. The new Query Filter supports updates to the AWS Foundational Security Best Practices Compliance Pack by adding the CodeBuild 5.0 control Build Project With Privileged Mode Enabled. [ENG-19615]
- Cloud Policy With Full Access - Updated Query Filter with the new filter option Policy is Attached supports the update of the AWS CIS compliance checks from 1.2.0 to 1.5.0 regarding the existence of policies with full access by also inspecting whether the policy is in use, i.e., it is attached to a resource such as a role. [ENG-19985]
AZURE
- Cloud User With MFA Enabled - Updated Query Filter now enabled for Azure Cloud users. [ENG-19724]
- Cloud User Without MFA Enabled - Updated Query Filter now enabled for Azure Cloud users. [ENG-19724]
MULTI-CLOUD/GENERAL
- Private Image Use - Modified Query Filter now has an "In Use" option. [ENG-19787]
- Private Image Used In Launch Configuration - Modified Query Filter now has an "Include Orphaned Launch Configurations" option. [ENG-19787]
- Private Image Used in Launch Template - Modified Query Filter now has an "Exclude Orphaned Launch Templates" option. [ENG-19787]
- Resource Owned By User - Updated Query Filter selection drop-down to display user names in alphabetical order. [ENG-19916]
Infrastructure as Code (IaC) (22.9.28)
- Introduced Terraform Cloud/Enterprise Run Task integration for IaC scanning. Additional information can be found in Integrate with Terraform Cloud/Enterprise. [ENG-19492]
Bot Actions (22.9.28)
AWS
- "Set Big Data Serverless Namespace Logging" - New Bot action allows customers to automate the logging configuration across all of their Redshift Serverless configurations. [ENG-19794]
Bug Fixes (22.9.28)
- Fixed a bug with the Insight Cloud Policy with Full Access giving false positives. We have updated the AWS CIS compliance checks (1.2.0 to 1.5.0) regarding the existence of policies with full access to also inspect whether the policy is in use, i.e., it is attached to a resource such as a role. The new Insight Cloud Policy with Full Access Attached uses the existing Query Filter Cloud Policy With Full Access with the new filter option Policy is Attached. [ENG-19985]
- Resolved an issue with the GCP Event Source icon in Threat Findings being broken/missing. [ENG-19977]
- Fixed an issue where the IdentitySummaryHarvester and StorageContainerPropertyHarvester were not enqueued when Event-driven Harvesting received DeleteAccountPublicAccessBlock or PutAccountPublicAccessBlock events. [ENG-19893]
- Added a fix for the VirtualPrivateGatewayHarvester where some VPC attachments did not have a VPC ID. We now check that this field exists before attempting to add it to the list of attachments. [ENG-19887]
- Fixed an issue with the Bot action "Remove Storage Container Statement" when the statement removed is the only statement in the policy. The Bot action now deletes the policy if there are no valid statements. [ENG-19857]
- Fixed a bug in the Bot Overview section that prevented the Insight direct link from opening in a new tab. [ENG-19820]
- Updated the permissions related to downloading Event-driven Harvesting events; Read-only Domain Admins and Basic Users can now download events too. [ENG-19815]
- Fixed an edge case for customers with multiple NICs where the Public IP was not properly associated with the Instance. [ENG-19809]
- We have updated how we determine the public address property of a Compute instance. To set the property, we assumed that clouds return NICs ordered by device index (e.g., eth0, eth1, etc.) and examined the primary NIC for the presence of a public address. In the case of AWS, however, NICs are returned alphabetically. This sort order means that the first element in the list may not be the primary NIC. We now inspect all NICs to surface a public address, if there is one.
  - Therefore, this update may change the public address property of AWS instances when those instances have a public address on a NIC that is "secondary" (or later) under alphabetical sorting.
  - Of note, there is no change in NIC harvesting nor dependency mapping, so the impact among the 9 instance Query Filters examining public IP is limited to 2 Query Filters, and only when those 2 Query Filters are configured to ignore secondary network interfaces. Those Query Filters are Instance With Public IP Attached and Instance Without Public IP Attached.
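To make the ordering problem described above concrete, here is an added example (not InsightCloudSec code) that derives an instance's public address from constructed NIC records in two ways: the previous "first NIC is the primary NIC" assumption, and the corrected "inspect every NIC" approach. The sample data is sorted by interface id, as the note says AWS returns it, so the device-index-0 NIC is not necessarily first. The tie-break when several NICs carry a public address (prefer the lowest device index) and the way the two affected Query Filters consume the property when configured to ignore secondary NICs are assumptions made for the illustration.

```python
"""Deriving a Compute instance's public address from its NICs.

Added example with constructed data; not InsightCloudSec's implementation.
"""
from typing import Callable, Optional

# Constructed NIC records: interface id, device index (0 = primary, eth0) and the
# public IP attached to the interface, if any. Both lists are sorted by id to
# reproduce the alphabetical ordering the note describes for AWS.
SECONDARY_SORTS_FIRST = sorted([
    {"id": "eni-0zzz", "device_index": 0, "public_ip": "198.51.100.5"},
    {"id": "eni-0aaa", "device_index": 1, "public_ip": None},
], key=lambda nic: nic["id"])

PUBLIC_IP_ONLY_ON_SECONDARY = sorted([
    {"id": "eni-0aaa", "device_index": 0, "public_ip": None},
    {"id": "eni-0bbb", "device_index": 1, "public_ip": "203.0.113.10"},
], key=lambda nic: nic["id"])


def public_address_first_nic(nics) -> Optional[str]:
    """Previous behaviour: assume nics[0] is the primary NIC and inspect only it.

    Correct when the cloud orders NICs by device index; wrong for alphabetical
    ordering, where the first element may be a secondary NIC.
    """
    if not nics:
        return None
    return nics[0]["public_ip"]


def public_address_all_nics(nics) -> Optional[str]:
    """Corrected behaviour: look at every NIC and surface a public address if any
    NIC has one. Tie-break (assumption): the lowest device index wins."""
    with_public = [nic for nic in nics if nic["public_ip"]]
    if not with_public:
        return None
    return min(with_public, key=lambda nic: nic["device_index"])["public_ip"]


def instance_has_public_ip(nics, ignore_secondary_nics: bool,
                           derive: Callable[[list], Optional[str]]) -> bool:
    """Approximation of the 'Instance With Public IP Attached' check.

    Assumption for this illustration: when configured to ignore secondary NICs
    the filter relies on the instance's public address property (computed by
    `derive`), which is why only that configuration is affected by the change;
    otherwise it examines the harvested NICs directly, which did not change.
    """
    if ignore_secondary_nics:
        return derive(nics) is not None
    return any(nic["public_ip"] for nic in nics)


if __name__ == "__main__":
    for name, nics in (("secondary sorts first", SECONDARY_SORTS_FIRST),
                       ("public IP only on secondary", PUBLIC_IP_ONLY_ON_SECONDARY)):
        print(f"{name}: first-NIC={public_address_first_nic(nics)!r} "
              f"all-NICs={public_address_all_nics(nics)!r}")
```

In the first sample the primary NIC does have a public address, but the old logic reports none because alphabetical order places the secondary interface first; in the second sample the address sits on a secondary NIC and is now surfaced, which is the property change the note warns about.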
- Fixed an issue where the hyperlink displaying the number of cloud accounts in the Organization listing could exceed the number of accessible cloud accounts by one. [ENG-19753]
- Bug fix to show only top-level resource types in the Query Filter blade's Resource Type drop-down. [ENG-19490]
Access Explorer (Cloud IAM Governance) (22.9.28)
The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.
Contact us at Customer Support Portal with any questions.
Cloud IAM Governance Features & Enhancements (22.9.28)
- For Azure ARM, assignable_scopes is now included in the data collected for Roles in the document field of the ServiceManagedPolicyDocuments and ServicePolicyDocuments tables. [ENG-19894]
- New IAM Query Filter Identity Resources with Effective Access to a Resource by Tags takes a key/value pair and returns the principals that have access to that resource. Users can determine any or all types of desired access: Read/Write/List/Tag/Permission/Unknown. [ENG-19476]
- New IAM Query Filter Identity Resource With Effective Access To Resources takes a resource ARN or list of resource ARNs and returns the principals that have access to that resource. Users can determine any or all types of desired access: Read/Write/List/Tag/Permission/Unknown. [ENG-19277]