Oct 11, 2022

InsightCloudSec is pleased to announce Release 22.10.12

InsightCloudSec Software Release Notice - 22.10.12 Release

ℹ️

Our latest Release 22.10.12 is available for hosted customers on Wednesday, October 12, 2022. Availability for self-hosted customers is Thursday, October 13, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

⚠️

Self-Hosted Customers

If you’re currently referencing Dockerhub for your ICS images (e.g., divvycloud/divvycloud:XX.Y.Z) or the public ECR location public.ecr.aws/divvycloud/divvycloud, note that these repositories will be shut down on November 2, 2022. The new locations for ICS images are public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker. Update your image references before that date.

Release Highlights (22.10.12)

InsightCloudSec is pleased to announce Release 22.10.12. This release includes expanded Event-Driven Harvesting (EDH) coverage for EBS Snapshots and CloudTrail and the ability to filter exemptions by status field (enabled or disabled). We have also added user retrieval performance improvements, surfaced transit encryption for AWS Aurora database clusters, and added the ability to remove users based on the number of days they have been inactive.

In addition, 22.10.12 includes two new Insights, three updated Insights, two new Query Filters, one updated Query Filter, and 15 bug fixes.

Permissions Required (22.10.12)

⚠️

New Permissions Required: GCP

The following new permissions are required for GCP: “apikeys.keys.get” and “apikeys.keys.list”.

These permissions support the updated harvester CloudCredentialsHarvest for GCP to significantly reduce the latency in harvesting API keys. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-18807]

The new permissions are included in the recommended API “API Keys API”.

Features & Enhancements (22.10.12)

  • We have made a performance improvement to speed the retrieval of users when operating at large scale. The improvement supports user interface and API retrieval. [ENG-20297]

  • We now surface transit (in-flight) encryption information for database instances that are members of AWS Aurora clusters. Aurora clusters running MySQL or PostgreSQL can only enforce transit encryption when they use a custom DB cluster parameter group, since the default parameter groups cannot be modified. [ENG-20280]

  • We added a new processor that, when enabled, removes users who have been inactive for longer than a customer-defined number of days. [ENG-19811]

  • We have added the ability to filter Exemptions by status field (enabled or disabled). This change surfaces in the Exemptions listing view as a new option in the Filters menu. It is also an update to API endpoint /v2/public/exemptions/list, which will now accept a new POST body parameter “enabled” that is either true or false. Additional information can be found in the reference documentation. [ENG-20032]

  • Exemptions, Compliance Scorecard, and IAM now use the same common resource panel as the Threat Findings features. [ENG-19610]
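The Aurora transit-encryption item above turns on two engine-specific cluster parameters, so here is an added example (written for this page, not InsightCloudSec's own harvester code) that evaluates a cluster's parameter group the way a practitioner would check it by hand. It assumes the parameter list has the shape boto3's `rds.describe_db_cluster_parameters` returns (`ParameterName`/`ParameterValue` dicts); the sample groups and parameter values are constructed, not captured from an account.

```python
"""Added example: does an Aurora cluster parameter group enforce TLS in transit?

Aurora MySQL enforces TLS with require_secure_transport=ON; Aurora PostgreSQL
with rds.force_ssl=1. Both live in the DB *cluster* parameter group, and the
AWS-managed "default.*" groups cannot be edited, so a cluster on a default
group can never enforce transit encryption. Illustrative code for this page;
the dict shapes mimic boto3 output and the samples below are constructed.
"""

# engine -> (parameter that enforces TLS, values that mean "enforced")
ENFORCING_PARAMETER = {
    "aurora-mysql": ("require_secure_transport", {"ON", "1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1"}),
}


def uses_custom_group(group_name):
    """AWS default groups are named default.<family>; anything else is custom."""
    return not group_name.startswith("default.")


def transit_encryption_enforced(engine, parameters):
    """Return True only if the engine's enforcing parameter is set to an
    enforcing value. A missing parameter means the engine default (off)."""
    try:
        name, enforcing_values = ENFORCING_PARAMETER[engine]
    except KeyError:
        raise ValueError(f"unsupported engine {engine!r}")
    for param in parameters:
        if param.get("ParameterName") == name:
            value = (param.get("ParameterValue") or "").strip().upper()
            return value in enforcing_values
    return False


def assess_cluster(engine, group_name, parameters):
    """Combine both checks into one verdict for a cluster."""
    if not uses_custom_group(group_name):
        return "not enforced (default parameter group is read-only)"
    if transit_encryption_enforced(engine, parameters):
        return "enforced"
    return "not enforced (custom group does not require TLS)"


# Constructed sample clusters (hypothetical names and values).
SAMPLE_CLUSTERS = [
    ("aurora-postgresql", "default.aurora-postgresql13",
     [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]),
    ("aurora-postgresql", "pg-tls-required",
     [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]),
    ("aurora-mysql", "mysql-custom-no-tls",
     [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}]),
    ("aurora-mysql", "mysql-tls-required",
     [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}]),
]

if __name__ == "__main__":
    for engine, group, params in SAMPLE_CLUSTERS:
        print(f"{group:28s} {engine:18s} {assess_cluster(engine, group, params)}")
```

The split between `uses_custom_group` and `transit_encryption_enforced` matters: a cluster attached to a default group reports `rds.force_ssl` or `require_secure_transport` as a real parameter value, but because the group is immutable the only remediation is to move the cluster to a custom group first.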

Resources (22.10.12)

AWS

  • We have added support for harvesting two events via Event-Driven Harvesting (EDH): SharedSnapshotCopyInitiated and SharedSnapshotVolumeCreated. These events are logged in the snapshot owner's account when another account copies a shared EBS snapshot or creates a volume from it. We inspect them to determine whether the copying account is unknown and, if so, flag the event as suspicious. Additional reference is provided here. [ENG-20059]

  • We expanded CloudTrail EDH coverage to include BidEvictedEvent, an event AWS generates when a Spot Instance has been outbid and will be terminated. [ENG-20247]
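The shared-snapshot item above describes a detection: a copy or volume creation from a shared snapshot by an account that is not one of yours is the classic EBS-snapshot exfiltration pattern. Here is an added example of that logic run over sample CloudTrail-style records. It is illustrative code for this page, not InsightCloudSec's EDH implementation; the records are constructed, and the assumption that the copying account appears in `userIdentity.accountId` and the owner in `recipientAccountId` is modeled on how CloudTrail documents these two events but should be verified against your own logs.

```python
"""Added example: flag shared-snapshot copies by accounts outside an allowlist.

Illustrative detection logic for this page, not InsightCloudSec code. The JSON
lines below are constructed to resemble CloudTrail records for the two event
names; field layout (userIdentity.accountId = the copying account,
recipientAccountId = the snapshot owner) is an assumption to verify.
"""
import json

SNAPSHOT_SHARE_EVENTS = {"SharedSnapshotCopyInitiated", "SharedSnapshotVolumeCreated"}

# Constructed sample log lines (hypothetical account and snapshot IDs).
SAMPLE_LOG_LINES = [
    '{"eventName": "SharedSnapshotCopyInitiated", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"type": "AWSAccount", "accountId": "222222222222"},'
    ' "recipientAccountId": "111111111111",'
    ' "requestParameters": {"snapshotId": "snap-0aaaa1111bbbb2222"}}',
    '{"eventName": "SharedSnapshotCopyInitiated", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},'
    ' "recipientAccountId": "111111111111",'
    ' "requestParameters": {"snapshotId": "snap-0aaaa1111bbbb2222"}}',
    '{"eventName": "SharedSnapshotVolumeCreated", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"type": "AWSAccount", "accountId": "888888888888"},'
    ' "recipientAccountId": "111111111111",'
    ' "requestParameters": {"snapshotId": "snap-0cccc3333dddd4444"}}',
    '{"eventName": "SharedSnapshotVolumeCreated", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"type": "AWSAccount"},'
    ' "recipientAccountId": "111111111111",'
    ' "requestParameters": {"snapshotId": "snap-0cccc3333dddd4444"}}',
    '{"eventName": "CopySnapshot", "eventSource": "ec2.amazonaws.com",'
    ' "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},'
    ' "recipientAccountId": "111111111111"}',
]

# Accounts you own or deliberately share snapshots with (constructed).
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def parse_events(lines):
    """Parse JSON log lines, skipping any that are not valid JSON objects."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def flag_suspicious(events, known_accounts):
    """Return one finding per shared-snapshot event whose consuming account is
    unknown. A missing accountId is treated as unknown, never as trusted."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in SNAPSHOT_SHARE_EVENTS:
            continue
        consumer = (ev.get("userIdentity") or {}).get("accountId")
        if consumer in known_accounts:
            continue
        findings.append({
            "event": ev["eventName"],
            "snapshot": (ev.get("requestParameters") or {}).get("snapshotId"),
            "owner": ev.get("recipientAccountId"),
            "consumer": consumer or "<missing accountId>",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(parse_events(SAMPLE_LOG_LINES), KNOWN_ACCOUNTS):
        print(finding)
```

Two points in the design: the allowlist is of account IDs rather than principals, because the caller in these events is the foreign account as a whole, and an event without an `accountId` is flagged rather than silently trusted, so a malformed or truncated record cannot hide a copy.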

Insights (22.10.12)

AWS

  • Container Cluster with Private Access Disabled was renamed from EKS Container Cluster with Private Access Disabled (AWS). [ENG-20248]
  • Container Cluster without Envelope Encryption for Secrets - New Insight identifies AWS EKS Clusters that are not leveraging KMS for secrets encryption. [ENG-20248]

AWS & Alibaba Cloud

  • Container Cluster with Public Access Enabled was renamed from EKS/ACK Container Cluster With Public Access Enabled. [ENG-20248]

AZURE

  • Cloud User Account without MFA (Azure) - New Insight identifies Azure cloud user accounts that do not require multi-factor authentication. [ENG-18717]
  • Storage Account with Infrastructure Encryption Disabled - New Insight identifies Cloud Accounts that have Infrastructure Encryption disabled for the selected resources. [ENG-18837]

Query Filters (22.10.12)

AWS

  • Compute Resource Allows Action - New Query Filter identifies Compute resources that are associated with principals who can perform a given action. [ENG-19969]

  • Principals with Unused Permissions (AWS) - Updated the Query Filter. Previously, when the “percentage threshold” was provided, only principals that surpassed that threshold were returned (greater than). Now, principals that equal or surpass that threshold are returned (equal to or greater than). [ENG-20252]

AZURE

  • Storage Account Infrastructure Encryption Status - New Query Filter identifies storage accounts that have infrastructure encryption enabled/disabled. [ENG-18837]

Bug Fixes (22.10.12)

  • Fixed a bug that would append the text (Copy) to the names of Bots created from an Insight. [ENG-20372]

  • Fixed a race condition in EDH AWS Consumer configuration. [ENG-20381]

  • We updated permissions in our AWS Harvest Role Member CFT to match all supported resources. [ENG-20359]

  • Improved the validation error messages in the Azure EDH consumer configuration forms. Error messages now display the desired format when validation fails. [ENG-20301]

  • Resolved an issue where toggling Boundary Policies on/off in IAM Policy Explorer incorrectly updated the Effective Access and Allowed Actions. [ENG-20298]

  • Fixed an issue with the Bot action “Update Content Delivery Network Attribute” that mistakenly set the prefix to / instead of an empty string (“”). [ENG-20289]

  • Fixed a viewer permissions issue that allowed basic users to see events for resources that they didn’t have access to view, e.g., a basic user with permission to view Bots could, when viewing a Bot created by a domain or org admin, see the Bot’s scheduled events. Those events might have included resources beyond the basic user’s viewer permissions. [ENG-20288]

  • Fixed a bug that would lock the Query Filters resource type selection when searching for a resource within the global inventory search screen. [ENG-20286]

  • Fixed an issue with JIT for Active Directory where escaped commas (\,) in distinguished names were incorrectly processed. [ENG-20244]

  • Migrated legacy K8s cloud harvesters to supported client libraries, maintaining fallbacks where possible, to fix harvesting Ingress resources. For more information, see the Kubernetes Deprecated API Migration Guide. [ENG-20235]

  • Updated harvester AzureArmIdentityDetailHarvester to correctly harvest the namespace ID. [ENG-20145]

  • Updated harvester ContainerRegistryHarvester to allow the harvesting of private Azure Container Registries. Of note, due to Azure permissions restrictions, we cannot provide an accurate count of private Azure Container Images. [ENG-19790]

  • Fixed a bug involving Classic Load Balancers showing multiple SSL policies. When harvesting Classic Load Balancer properties, AWS returns the resource’s full history of SSL policies; we have updated our harvesting to retain only the SSL policy currently in use. [ENG-19659]

  • Updated the harvester CloudCredentialsHarvest for GCP to significantly reduce the latency in harvesting API keys. This change requires two new permissions, “apikeys.keys.get” and “apikeys.keys.list”. [ENG-18807]