Oct 04, 2022
InsightCloudSec is pleased to announce Release 22.10.5
InsightCloudSec Software Release Notice - 22.10.5 Release
Our latest Release 22.10.5 is available for hosted customers on Wednesday, October 5, 2022. Availability for self-hosted customers is Thursday, October 6, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Self-Hosted Customers
If you’re currently referencing Dockerhub for your ICS images (e.g., divvycloud/divvycloud:XX.Y.Z) or this public ECR location (public.ecr.aws/divvycloud/divvycloud), these repositories will be shut down on November 2, 2022. The new locations for ICS images will be public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.
Release Highlights (22.10.5)
InsightCloudSec is pleased to announce Release 22.10.5. This release includes an expansion of our Event-Driven Harvesting (EDH) for Google Cloud Platform (GCP). With this update, EDH support is now available for GCP, Azure, and AWS. Improvements in this release also include a new version of the NIST 800-63 Compliance Pack (Rev 5), which aligns to NIST 800-53 Revision 5 requirements and includes over 300 Insights. Release 22.10.5 provides an update to our Query Filter functionality to include the description as a searchable field, and improvements to our overall search response time. Finally, we have also expanded our general IAM support by removing licensing requirements for certain features, including Principal Activity, the Principal Explorer, and some Query Filters.
In addition, 22.10.5 includes three new Insights, five updated Query Filters, five new Query Filters, one updated Bot action, and eight bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
New Permissions Required (22.10.5)
New Permission Required: Azure
For Azure Standard (Read-Only) Users: dataActions: [ “Microsoft.KeyVault/vaults/keyrotationpolicies/read” ]
This new permission allows the user to get the key rotation policies associated with their keys (if any). [ENG-20139]
Features & Enhancements (22.10.5)
GCP EDH
Beginning with 22.10.5, InsightCloudSec is pleased to announce the release of Event-Driven Harvesting (EDH) for Google Cloud Platform (GCP). With this release, EDH support is now available for GCP, Azure, and AWS. For GCP EDH support, InsightCloudSec subscribes to real-time notifications about resource and policy changes using GCP’s Cloud Asset Inventory feed, which triggers targeted harvesting via Pub/Sub.
This dynamic approach to data collection both improves InsightCloudSec’s cadence for providing resource visibility and opportunities for remediation as well as enriches the data with lifecycle changes that enable auditing capabilities. With EDH-provided data, identifying how a resource entered a noncompliant state becomes much easier at scale.
Check out our documentation for details on:
- GCP Event-Driven Harvesting
- EDH - Supported Resources for GCP
- Check out our Harvesting & Event-Driven Harvesting Overview page for general details on InsightCloudSec harvesting and EDH.
- Read the blog post on Real-Time Risk Mitigation in Google Cloud Platform and how EDH supports this.
Additional EDH Updates
With the launch of GCP EDH, 22.10.5 also includes updates to overall EDH behaviors to simplify the process for all EDH-supported CSPs. Refer to our EDH Docs for Azure and AWS for specific details (including revised images). The EDH Event Summaries and Reports page includes details about the renamed functions associated with EDH that are visible under “Cloud → Clouds” in InsightCloudSec.
Review AWS Event-Driven Harvesting for more information on EDH with AWS. Review Azure Event-Driven Harvesting for more information on EDH with Azure.
General
- We have updated our analysis of the ModifySnapshotAttribute event to identify sharing with unknown accounts. When the ModifySnapshotAttribute is harvested via Event-driven Harvesting (EDH), we inspect the request parameters to see if it expands permissions and whether it includes another account. If it includes another account, we then examine whether that account is known or unknown to ICS. If unknown, we flag the event as suspicious and add the description “Snapshot shared with unknown account” to the event as an explanation. [ENG-20060]
- We added the total count and percentage to the Threat Findings table. [ENG-19780]
- Improved the experience when modifying/viewing Cloud Organizations settings for AWS and Azure. [ENG-20034]
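As an added illustration (not InsightCloudSec’s own code), the ModifySnapshotAttribute check described above run over a constructed CloudTrail-style event; the event fields and the set of known account IDs are constructed, and the check also treats a `group: all` grant (public sharing) as an expansion of permissions, which goes slightly beyond the note.

```python
from typing import Iterable, Optional

# Constructed CloudTrail-style event, trimmed to the fields this check reads.
SAMPLE_EVENT = {
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {
        "snapshotId": "snap-0123456789abcdef0",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}},
    },
}

# Hypothetical set of account IDs already onboarded into the tenant.
KNOWN_ACCOUNTS = {"111122223333", "444455556666"}


def analyze_snapshot_share(event: dict, known_accounts: Iterable[str]) -> Optional[str]:
    """Return a description when the event expands sharing to an unknown party,
    otherwise None. Only 'add' entries expand permissions; 'remove' entries
    narrow them and are ignored."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    params = event.get("requestParameters") or {}
    perms = params.get("createVolumePermission") or {}
    added = (perms.get("add") or {}).get("items") or []
    known = set(known_accounts)
    for grant in added:
        # A group grant of "all" makes the snapshot public: no account to compare.
        if grant.get("group") == "all":
            return "Snapshot shared publicly"
        account = grant.get("userId")
        if account and account not in known:
            return "Snapshot shared with unknown account"
    return None


if __name__ == "__main__":
    print(analyze_snapshot_share(SAMPLE_EVENT, KNOWN_ACCOUNTS))
```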
User Interface Changes (22.10.5)
- Expanded the Query Filter search to include the description as a searchable field and improved search response time. [ENG-20033]
Insights (22.10.5)
- We have a new version of the NIST 800-63 Compliance Pack, NIST 800-53 Rev 5 Compliance Pack, which aligns our Insights to NIST 800-53 Revision 5 requirements, includes updates to meet 100 NIST requirements, and now includes over 300 Insights. [ENG-16627]
AWS
- The following new Insights were added to the AWS Foundational Security Best Practices Compliance Pack [ENG-18133]:
  - Access List Exposes High Risk Port to the Public
  - Build Project Without Logging Configuration
AZURE
- Storage Account Allows Public Blob Access (Azure) - New Insight identifies storage accounts allowing anonymous public read access. Insight supports Azure_ARM, Azure_China, and Azure_Gov. [ENG-14844]
MULTI-CLOUD
- Access List Exposes High Risk Port to the Public - New Insight identifies access lists (security groups) that expose any high-risk port to the public. [ENG-18133]
- Build Project Without Logging Configuration - New Insight identifies build projects with environments without logging enabled. [ENG-18133]
Query Filters (22.10.5)
AWS
- Big Data Serverless Namespace With/Without Log Exports - Updated Query Filter now includes a “Without” option. [ENG-20026]
- Cloud Role With Trust Policy With Self-Referential Assume Role - New Query Filter identifies AWS IAM Roles that do/do not allow self-referential assume role operations. Refer to this link for details. [ENG-20010]
GCP
- Cloud Role Management Type - New Query Filter matches on @<project-id>.iam.gserviceaccount.com for User Managed service accounts. This picks up user managed Service Accounts created and used within a project, and Service Accounts that are created in one project but granted additional cross-project privileges. This Query Filter can also be used to identify Google managed service accounts, outside of the Insight Google Service Account with Admin Privileges (GCP). [ENG-19423]
IAM
- Identity Resources with Effective Access to a Resource by Tags - New IAM Query Filter takes a key/value pair and returns the principals that have access to that resource. Users can determine any or all types of desired access: Read/Write/List/Tag/Permission/Unknown. [ENG-19476]
- Identity Resource With Effective Access To Resources - New IAM Query Filter takes a resource ARN or list of resource ARNs and returns the principals that have access to that resource. Users can determine any or all types of desired access: Read/Write/List/Tag/Permission/Unknown. [ENG-19277]
- Resource Granting Effective Access To Identity Resources - New IAM Query Filter matches resources that grant a user-defined level of access to a provided list of identity resources (users or roles). User-defined access can be a combination of Read, Write, List, Tag, Permission, or Unknown. Identity resources are identified by their Amazon Resource Names (ARNs). [ENG-19278]
MULTI-CLOUD/GENERAL
- Parent Resource Contains Tag Key - Updated Query Filter to allow the input of multiple tag keys, including the use of Data Collection, in order to examine parent resources using more than a single key. In addition, the update allows the user to combine the search using OR or AND options. [ENG-20025]
- Resource In/Not In Cloud Account - This Query Filter was renamed from Resource Not In Cloud Account and expanded to identify resources that are in cloud account(s) matching the specified criteria. [ENG-20105]
- Resource Tag Mirrors Parent and Resource Tag Does Not Mirror Parent - Updated Query Filters include the option to compare only tag keys, as opposed to comparing both a tag key and a tag value. This update can be useful, for example, when compliance with a tagging strategy is more important than the specific tag values. [ENG-20024]
- Expanded the Query Filter search to include the description as a searchable field and improved search response time. [ENG-20033]
IAM (22.10.5)
- Removed the IAM License requirement for the following features [ENG-18848]:
  - The following IAM-related Query Filters:
    - Cloud Policy Or IAM Principal Allows Actions for All Resources
    - Cloud Policy Or IAM Principal Allows Actions for Wildcard Resource
    - Cloud Policy Or IAM Principal Allows All Actions
    - Cloud Policy Or IAM Principal Allows Wildcard Actions
    - Cloud User or IAM Role That Has Unused Permissions
    - Identity Resource Allows Permission
    - Identity Resource Boundary Policy Allows All Actions (AWS)
    - Identity Resource Unused
    - Principal has Effective Access to Services with Allowed Actions Count above Threshold (AWS)
    - Principal has Effective Wildcard Access to Resources (AWS)
    - Principal has Wildcard Access to Services with Denied Actions Count below Threshold (AWS)
    - Resource Specific Policy With No Conditions (AWS)
    - Resource Specific Policy With/Without Specific Conditions (AWS)
    - Resource With Specific Action and Missing Condition (AWS)
  - Principal Activity panel (Least-privileged Access; accessed from the action menu on the Cloud Users and/or Cloud Roles resources)
  - Principal Explorer (accessed from the action menu on the Cloud Users and/or Cloud Roles resources)
  - Note: To use these features, self-hosted customers will need to add at least one AWS EC2 P3 worker to their InsightCloudSec environment (see Access Explorer - Setup for more information). Workers are automatically managed for SaaS customers, so these features will be available after you upgrade to version 22.10.5. In a future release (November 2022), this requirement will be removed and these features will rely on an existing worker pool.
Bot Actions (22.10.5)
- “Update API Credentials” - Bot Action extended to work with GCP Service Accounts and Alibaba Cloud Users. [ENG-17930]
- Users are now able to pause/archive Bots that have an invalid configuration. (For example, if a Query Filter or Insight has been updated and is now invalid, you can pause or archive that Bot.) [ENG-20021]
Bug Fixes (22.10.5)
- Fixed a bug where Service Encryption Key Vault harvesting would fail if the correct permissions for obtaining key rotation policies were not granted. Added these key rotation permissions to the permissions list in the frontend file. A new permission is required: “Microsoft.KeyVault/vaults/keyrotationpolicies/read”. [ENG-20139]
- Fixed a bug where getting the key rotation policy fails on keys managed by Key Vault. [ENG-20124]
- Updated our source document S3 lifecycle policy harvest. AWS returns a specific error, NoSuchLifecycleConfiguration, when an S3 bucket does not have a lifecycle policy. We were incorrectly flagging that error as an impaired visibility error. [ENG-20067]
- Fixed an issue with light/dark mode behavior to work in conjunction with the OS system setting. [ENG-19964]
- Fixed an issue where GCP projects were deleted when hitting an exception within the CloudAccountProcessor, which we were previously passing. We now fail the job when any domain/folder harvesting exceptions are met. [ENG-19751]
- Fixed an issue with the format of AWS Container Instance ARNs. [ENG-19442]
- Fixed an issue with Insight Google Service Account with Admin Privileges (GCP) to resolve false positives in the Google Service Account with Admin Privileges (GCP) Insight. Previously this Insight used the Resource Name Regular Expression (Regex) Query Filter to extract Service Account names that end in iam.gserviceaccount.com. This returned both user managed/created Service Accounts as well as default/Google managed Service Accounts. [ENG-19423]
  - The new Query Filter Cloud Role Management Type was created to match on @<project-id>.iam.gserviceaccount.com for User Managed service accounts. This picks up user managed Service Accounts created and used within a project, and Service Accounts that are created in one project but granted additional cross-project privileges. This Query Filter can also be used to identify Google managed service accounts, outside of this Insight.
  - This Insight/QF has the following limitation: If customers have service accounts that are created in a project that is not harvested by ICS, and these service accounts are granted additional privileges in projects that are managed by ICS, we will not be able to identify these as user managed. This is because we will not have access to the origin project’s account ID information that forms the base of this query.
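As an added illustration (not InsightCloudSec’s own Query Filter code), the matching rule behind Cloud Role Management Type, described in the Query Filters section and in the bug fix above, including the stated limitation for accounts whose home project is not harvested; the harvested project list and the addresses are constructed, and the separate rule for Google service agents is an added refinement.

```python
import re

# Constructed set of project IDs harvested by the tenant (hypothetical).
HARVESTED_PROJECTS = {"prod-app-123", "shared-infra-456"}

# User-managed form: <name>@<project-id>.iam.gserviceaccount.com
USER_MANAGED_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"@(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)
# Google service agents: service-<project-number>@<service>.iam.gserviceaccount.com
SERVICE_AGENT_RE = re.compile(r"^service-\d+@")


def classify_service_account(email: str, harvested_projects: set) -> str:
    """Return 'user-managed', 'google-managed', 'unknown-origin' or 'invalid'.
    'unknown-origin' is the documented limitation: the address has the
    user-managed form but its home project is not harvested, so the
    project's account ID information is not available to confirm it."""
    email = email.strip().lower()
    if not email.endswith(".gserviceaccount.com"):
        return "invalid"
    if SERVICE_AGENT_RE.match(email):
        return "google-managed"
    m = USER_MANAGED_RE.match(email)
    if m is None:
        # e.g. <number>-compute@developer..., <project>@appspot...
        return "google-managed"
    if m.group("project") in harvested_projects:
        return "user-managed"
    return "unknown-origin"


def user_managed_accounts(emails, harvested_projects):
    """Filter member emails down to the confirmed user-managed accounts."""
    return [e for e in emails
            if classify_service_account(e, harvested_projects) == "user-managed"]
```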
- Fixed a bug that resulted in false positive analysis of AWS CIS Benchmark 4.1 - 4.15 rules when set up on an account with Organization CloudTrail resources. [ENG-14306]