
Oct 25, 2022

InsightCloudSec is pleased to announce Release 22.10.26

InsightCloudSec Software Release Notice - 22.10.26 Release

Our latest Release 22.10.26 is available for hosted customers on Wednesday, October 26, 2022. Availability for self-hosted customers is Thursday, October 27, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

⚠️ Self-Hosted Customers

If you’re currently referencing Dockerhub for your ICS images (e.g., divvycloud/divvycloud:XX.Y.Z) or this public ECR location (public.ecr.aws/divvycloud/divvycloud), these repositories will be shut down on November 2, 2022. The new locations for ICS images will be public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.

Release Highlights (22.10.26)

InsightCloudSec is pleased to announce Release 22.10.26. This release includes visibility and support for two new resources: Azure API Management Services and GCP URL Maps. For AWS support, we have updated Serverless Functions by adding two properties: Signing Job ARN and Signing Profile Version ARN, and expanded our Event-Driven Harvesting (EDH) support for App Stream Fleets to include two more events: StartFleet and StopFleet. In addition, 22.10.26 includes two new Insights, six updated Query Filters, two new Query Filters, one updated Bot action, and 10 bug fixes.

New Permissions Required (22.10.26)

⚠️ New Permission Required: Azure

For Azure Standard (Read-Only) Users: “Microsoft.ApiManagement/service/read”

For Azure Power Users: “Microsoft.ApiManagement/*”

This permission supports the newly added resource Azure API Management Services. [ENG-15085]

⚠️ New Permission Required: GCP

The following new permission is required for GCP: “cloudasset.assets.listResource”

This addition supports the added visibility into GCP URL maps. This permission is already included in the recommended API “Cloud Asset API”. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-19653]

Features & Enhancements (22.10.26)

  • On the BotFactory Overview page, under Info & Settings, we have updated the Scheduled Enabled field to indicate whether the schedule is hourly, daily, weekly, or monthly when it is enabled. For additional information, see Managing Bots: Info & Settings. [ENG-20600]

  • Within IaC, made small language changes clarifying the difference between “Run Tasks” in Terraform Cloud/Enterprise and “Run Task” Integrations in InsightCloudSec. [ENG-20511]

Resources (22.10.26)

AWS

  • Updated Serverless Functions by adding two properties: Signing Job ARN and Signing Profile Version ARN. These two properties determine whether a Serverless Function has code signing authority. We have also added a new Query Filter Serverless Function With/Without Code Signing Enabled to identify Serverless Functions according to that property. [ENG-20594]

  • Expanded our Event-Driven Harvesting (EDH) support for App Stream Fleets to include two more events: StartFleet and StopFleet. [ENG-20525]

AZURE

  • Added visibility and support for Azure API Management Services (Network category, Application Gateway resource type). Added Diagnostic Settings support for this new resource, as well as a new Query Filter and Insight, both named API Management Service Invalid Diagnostic Logging Configuration. A new permission is required: “Microsoft.ApiManagement/service/read”. [ENG-15085]

GCP

  • Added visibility and support for GCP URL maps. This new resource, URL Maps, is part of the Network category of resources. A new permission, “cloudasset.assets.listResource”, is required. This permission is already included in the recommended API “Cloud Asset API”. [ENG-19653]

Insights (22.10.26)

AWS

  • Serverless Function not Limited to Private Network Resources - This Insight was retired as AWS Best Practices now state that VPC access to Lambda functions should be configured only when necessary. [ENG-16220]

AZURE

  • API Management Service Invalid Diagnostic Logging Configuration - New Insight identifies API Management Services without proper diagnostic configuration. This new Insight supports the added visibility for Azure API Management Services. [ENG-15085]

  • Cloud Account Owner without MFA Enabled - New Insight identifies cloud users with subscription/owner permissions that do not require multi-factor authentication. [ENG-19874]

Query Filters (22.10.26)

AWS

  • Serverless Function Contains Specific Environment Variables - Updated Query Filter that identifies serverless functions which have one or more specific environment variables to allow partial matches. The partial matches option can be used in conjunction with the ‘case sensitive’ and ‘match all’ options. [ENG-20657]

  • Serverless Function With/Without Code Signing Enabled - New Query Filter identifies functions with/without code signing enabled. By default, serverless functions without code signing enabled are identified. [ENG-20594]
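The matching semantics of the updated Serverless Function Contains Specific Environment Variables filter (partial match combined with the ‘case sensitive’ and ‘match all’ options) are easiest to see in code. The following is an added example, not InsightCloudSec code; the option names and the sample function records are constructed, shaped loosely like Lambda FunctionConfiguration output.

```python
"""Added example (not InsightCloudSec code): the matching semantics of a
'contains specific environment variables' filter with partial-match,
case-sensitive and match-all options, run over constructed sample data."""
from typing import Dict, Iterable, List


def env_var_matches(env: Dict[str, str], wanted: Iterable[str],
                    partial: bool = False, case_sensitive: bool = True,
                    match_all: bool = False) -> bool:
    """Return True if the function's environment satisfies the filter.

    partial        -> a wanted name matches any variable name that contains it
    case_sensitive -> compare names as-is; otherwise compare case-folded
    match_all      -> every wanted name must match (AND); otherwise any (OR)
    """
    norm = (lambda s: s) if case_sensitive else (lambda s: s.casefold())
    names = [norm(n) for n in env]
    wanted_norm = [norm(w) for w in wanted]

    def one_matches(w: str) -> bool:
        if partial:
            return any(w in n for n in names)
        return w in names

    results = [one_matches(w) for w in wanted_norm]
    return all(results) if match_all else any(results)


def find_functions(functions: List[Dict], wanted: Iterable[str], **opts) -> List[str]:
    """Names of functions whose environment matches the filter (hypothetical helper)."""
    return [f["FunctionName"] for f in functions
            if env_var_matches(f.get("Environment", {}).get("Variables", {}), wanted, **opts)]


# Constructed sample data; a function with no Environment block never matches.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {"DB_PASSWORD": "x", "LOG_LEVEL": "info"}}},
    {"FunctionName": "report-job",
     "Environment": {"Variables": {"db_password_legacy": "x"}}},
    {"FunctionName": "healthcheck",
     "Environment": {"Variables": {"LOG_LEVEL": "debug"}}},
    {"FunctionName": "no-env"},
]

if __name__ == "__main__":
    # exact name, case sensitive (default)
    print(find_functions(SAMPLE_FUNCTIONS, ["DB_PASSWORD"]))
    # substring, case insensitive: catches the legacy lowercase variant too
    print(find_functions(SAMPLE_FUNCTIONS, ["PASSWORD"], partial=True, case_sensitive=False))
    # substring + match all: only functions carrying both names
    print(find_functions(SAMPLE_FUNCTIONS, ["PASSWORD", "LOG_LEVEL"],
                         partial=True, case_sensitive=False, match_all=True))
```

The point of the partial option is the second call: an exact, case-sensitive search for DB_PASSWORD misses the lowercase legacy variable, while a case-insensitive substring search surfaces both functions; match_all then narrows the result to functions that carry every name in the list.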

AZURE

  • API Management Service Invalid Diagnostic Logging Configuration - New Query Filter supports the added visibility for Azure API Management Services. [ENG-15085]

  • Storage Container Blob Soft Delete Retention Threshold - Updated Query Filter to work with the Storage Account resource type. [ENG-20654]

  • Storage Container Soft Delete Retention Threshold - Updated Query Filter to work with the Storage Account resource type. [ENG-20654]

MULTI-CLOUD/GENERAL

  • We have broadened the support of these Query Filters to all cloud types:

    • Cache At Rest Encryption Disabled
    • Cache At Rest Encryption Enabled
    • Cache Instance Engine

    In addition, we are excluding Memcached resources from at-rest encryption evaluation as that engine does not support at-rest encryption. [ENG-20599]

  • Resource With Expiring/Expired SSL Certificate Attached - Updated Query Filter to also examine the SSL Certificates of Application Gateway Domains. [ENG-20326]
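The Memcached exclusion in the Cache At Rest Encryption filters above is the interesting edge case: an engine with no at-rest encryption setting must not be reported as “disabled”, or the finding can never be remediated. The following is an added example, not InsightCloudSec code; the record layout, cloud labels and sample inventory are constructed.

```python
"""Added example (not InsightCloudSec code): evaluating 'cache at-rest
encryption disabled' across clouds while skipping engines that have no
at-rest encryption setting (Memcached), run over constructed records."""
from dataclasses import dataclass
from typing import List, Optional

# Engines for which an at-rest encryption flag has no meaning; a False or
# missing value for these must not become a finding.
ENGINES_WITHOUT_AT_REST_ENCRYPTION = {"memcached"}


@dataclass
class CacheInstance:
    cloud: str                          # constructed label, e.g. "AWS", "AZURE", "GCP"
    name: str
    engine: str                         # e.g. "redis", "memcached"
    at_rest_encryption: Optional[bool]  # None when the provider did not report it


def at_rest_encryption_disabled(cache: CacheInstance) -> bool:
    """True only when the engine supports at-rest encryption and it is reported off.

    Memcached is excluded outright, and an unreported (None) value is not
    treated as disabled: it is a harvesting gap, not a misconfiguration.
    """
    if cache.engine.lower() in ENGINES_WITHOUT_AT_REST_ENCRYPTION:
        return False
    return cache.at_rest_encryption is False


def evaluate(caches: List[CacheInstance]) -> List[str]:
    """Names of caches, across all clouds, that should appear as findings."""
    return [c.name for c in caches if at_rest_encryption_disabled(c)]


def unknown_state(caches: List[CacheInstance]) -> List[str]:
    """Caches whose encryption state was never reported; worth a separate review."""
    return [c.name for c in caches
            if c.engine.lower() not in ENGINES_WITHOUT_AT_REST_ENCRYPTION
            and c.at_rest_encryption is None]


# Constructed sample inventory spanning several clouds.
SAMPLE_CACHES = [
    CacheInstance("AWS", "sessions-redis", "redis", False),
    CacheInstance("AWS", "fragments-memcached", "memcached", False),
    CacheInstance("AZURE", "catalog-redis", "Redis", True),
    CacheInstance("GCP", "ratelimit-redis", "redis", None),
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_CACHES):
        print("at-rest encryption disabled:", name)
    for name in unknown_state(SAMPLE_CACHES):
        print("encryption state not reported:", name)
```

Note that fragments-memcached carries an explicit False and is still not reported; that is the exclusion the release note describes. Engine comparison is case-insensitive so that provider spellings such as "Redis" and "redis" evaluate the same way.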

IAM (22.10.26)

  • Added the ability to apply GCP Recommendations directly from within the ICS tool. Currently supported Recommender subtypes are:

    • REMOVE_ROLE
    • REMOVE_ROLE_STORAGE_BUCKET
    • REPLACE_ROLE
    • REPLACE_ROLE_STORAGE_BUCKET
    • SERVICE_AGENT_WITH_DEFAULT_ROLE
    • SERVICE_AGENT_WITHOUT_DEFAULT_ROLE

    You will need permissions to “view”, “apply”, and “dismiss recommendations” as documented to fully use this feature. [ENG-19920]

Bot Actions (22.10.26)

  • We have updated the Bot Action “Update Content Delivery Network Attributes” to allow for the update of custom origin configuration properties. In particular, this update will allow for the automated enforcement of minimum SSL protocols in use. [ENG-20595]
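Enforcing a minimum SSL protocol on a custom origin means rewriting the OriginSslProtocols list of each CustomOriginConfig in the distribution’s configuration. The following is an added example, not InsightCloudSec’s Bot Action code; the Origins/CustomOriginConfig/OriginSslProtocols layout is the CloudFront DistributionConfig shape, while the sample distribution and the function names are constructed.

```python
"""Added example (not InsightCloudSec code): find and fix CloudFront custom
origins that still allow a TLS/SSL protocol older than a chosen minimum,
operating on a DistributionConfig-shaped dict (constructed sample below)."""
import copy
from typing import Dict, List, Tuple

# CloudFront's origin SSL protocol values, oldest first; CloudFront only
# accepts these four strings, so index() cannot miss on real API output.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def weak_origins(config: Dict, minimum: str = "TLSv1.2") -> List[str]:
    """Ids of custom origins that still permit a protocol older than `minimum`."""
    floor = PROTOCOL_ORDER.index(minimum)
    weak = []
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue  # S3 origins carry no negotiable protocol list
        allowed = custom["OriginSslProtocols"]["Items"]
        if any(PROTOCOL_ORDER.index(p) < floor for p in allowed):
            weak.append(origin["Id"])
    return weak


def enforce_min_protocol(config: Dict, minimum: str = "TLSv1.2") -> Tuple[Dict, bool]:
    """Return (new_config, changed) with protocols below `minimum` removed.

    The input is not mutated, so a caller can diff before/after and submit the
    new config together with the distribution's current ETag in the update call.
    """
    floor = PROTOCOL_ORDER.index(minimum)
    new = copy.deepcopy(config)
    changed = False
    for origin in new["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        items = custom["OriginSslProtocols"]["Items"]
        kept = [p for p in items if PROTOCOL_ORDER.index(p) >= floor]
        if not kept:
            kept = [minimum]  # never leave an origin with an empty protocol list
        if kept != items:
            custom["OriginSslProtocols"] = {"Quantity": len(kept), "Items": kept}
            changed = True
    return new, changed


# Constructed sample: one weak custom origin, one compliant, one S3 origin.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "legacy-api", "DomainName": "api.example.test",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                "OriginSslProtocols": {"Quantity": 3,
                                                       "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]}}},
        {"Id": "new-api", "DomainName": "api2.example.test",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
        {"Id": "assets", "DomainName": "assets.s3.example.test",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

if __name__ == "__main__":
    print("weak before:", weak_origins(SAMPLE_CONFIG))
    fixed, changed = enforce_min_protocol(SAMPLE_CONFIG)
    print("changed:", changed, "weak after:", weak_origins(fixed))
```

The detection half (weak_origins) is what a Query Filter evaluates; the enforcement half (enforce_min_protocol) is the shape of the write-back a Bot Action performs. Keeping Quantity in step with Items matters because CloudFront rejects a DistributionConfig where the two disagree, and the empty-list guard covers an origin whose every allowed protocol is below the floor.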

Bug Fixes (22.10.26)

  • Fixed an issue when adding an Azure Management Group, where permission errors were not being properly surfaced. [ENG-20789]

  • Fixed a bug where the K8 ContainerInstanceHarvester was failing when the node’s status conditions were None. [ENG-20735]

  • Fixed the modified timestamp property for Storage Container export to CSV. [ENG-20699]

  • GCP cloud accounts that are deleted in Google and are not onboarded via Organizations will now automatically be disabled. [ENG-20643]

  • Updated the Bot Action “Send Bulk Email” by removing brackets that unnecessarily encompass the main message body. [ENG-20578]

  • Fixed an edge case with bot action “Cleanup Exposed Storage Container” that prevented the action from working on AWS S3 buckets with a canned ACL. [ENG-20555]

  • Disabled the ap-southeast-3 region for EmailServiceDomainHarvester, SecureFileTransferHarvester and DatabaseProxyHarvester, as these services are not supported in that region. [ENG-20546]

  • Fixed how we harvest the ManagedUpdatesEnabled property of AWS Elastic Beanstalk, which corresponds to Web Apps “automatic patching”, to provide more accurate results for the Query Filter Web App With Automatic Patching Disabled. [ENG-20470]

  • Removed Azure support from the Query Filter and Insight Message Queue Encryption At Rest Disabled, as Azure resources have encryption at rest enabled by default and it can’t be disabled. Additional information can be found in Azure’s documentation for this feature. [ENG-20442]

  • Updated how we store the password policy for Alibaba Cloud accounts to allow us to apply password policy filters and Insight evaluations consistent with our AWS evaluations. [ENG-20055]