InsightCloudSec Software Release Notice - 22.11.2 Release

Release Highlights (22.11.2)

InsightCloudSec is pleased to announce Release 22.11.2. This release includes added visibility and support for two new resources: AWS Sagemaker Training Job and GCP Cloud Domains. This release introduces two new Compliance Packs: Federal Financial Institutions Examination Council controls (FFEIC) and Center for Internet Security (CIS) - Azure 1.5.0. 22.11.2 includes two new Insights, more than 30 updated Insights, 11 updated Query Filters, five new Query Filters, two updated Bot actions, and nine bug fixes.

• Contact us through the unified Customer Support Portal  with any questions.

New Permissions Required (22.11.2)

Features & Enhancements (22.11.2)

• We are introducing a powerful new means of scoping bots in BotFactory, Badge Exclusions. As the name implies, Badge Exclusions allows customers to exclude cloud accounts based on badge assignment. This enhancement makes Bot scoping much more manageable at enterprise scale by permitting a combination of inclusions and exclusions of accounts using badges. [ENG-20598]

• Insight Exemptions created by Insight Exemption Rules will now inherit the description/notes associated with the rule. [ENG-20423]

• We have updated the license breakdown to include the organization name and account IDs for ease in analysis. This information is now in UI and in the CSV download. [ENG-20251]

• We are using cache values to speed the loading times of the Resources page and listing. [ENG-20829]

• Added Jinja support to ServiceNow Bot action fields. [ENG-20762]

• We have updated the descriptions on all Query Filters and Insights for diagnostic settings to ensure consistency. The remediation steps have been removed from these Insights and replaced with a link to the steps instead. The reference links have also been updated so that all links appear as linked text rather than bare hyperlinks. [ENG-20618]

User Interface Changes (22.11.2)

• We have improved the User Experience by allowing users to drill down into the supported resource types that the selected Query Filters and Insights support within the Resources section. [ENG-20730]

Resources (22.11.2)

AWS

• We have added visibility into AWS’ SageMaker Training Job resource. SageMaker Training Jobs are shown in the tool as the new Resource type Machine Learning Training Job under the Compute resource category. [ENG-17397, ENG-20467]
  • Several new Query Filters support this resource: ML Training Job With/Without Network Isolation, ML Training Job With/Without Inter Container Traffic Encryption, and ML Training Job With/Without Managed Spot Training.
  • Two new permissions for read-only policies are required: “sagemaker:DescribeTrainingJob” and “sagemaker:ListTrainingJobs”.

GCP

• We have added visibility and support for GCP Cloud Domains (Identity & Management resource category, DNS Domain resource type). [ENG-20257]
  • A new permission–“domains.registrations.list”, found in the Cloud Domains API—is required in order to harvest GCP Cloud Domains.
  • Two new Query Filters have been added: DNS Domain Without DNSSEC and DNS Domain With Registrant Privacy Protection Disabled.
  • Four existing Query Filters have been enhanced to support GCP Cloud Domains: DNS Domain With No Auto-renew, DNS Domain That Allows Transfer, DNS Domain Transfer Is Not Authorized, and DNS Domain Due To Expire Soon.

MULTI-CLOUD/GENERAL

• We have enhanced support for the DNS Domain resource type (GCP Cloud Domains and AWS Route53) by adding two new fields to the Service Domain resource in ICS that check for DNSSEC being enabled and whether the registrant’s details are privacy protected. [ENG-20257]
  • A new option has been added to the Query Filter DNS Domain That Allows Transfer which allows the user to exclude domains with address types that are currently unauthorized for transfer, regardless of whether or not these domains have a transfer lock.

Insights (22.11.2)

Insight Severity As a reminder, in order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7 we are planning to update our Insight severities. Our new severities will align with several features, including InsightVM, Kubernetes Guardrails, and Layered Context. The plan is to implement this change in release 22.11.9 on November 9, 2022

We do not expect that customers will have an impact from the Insight severity changes. The following API Endpoints should only be using a number tied to severities and those numbers will remain the same:

• https://acmecorp.divvycloud.com/public/insights/set_severity 
• https://acmecorp.divvycloud.com/public/insights/csv 
• https://acmecorp.divvycloud.com/public/insights/  <source>/<insight_id>/<resource_type>/download
• https://acmecorp.divvycloud.com/public/score-card/export-data 
• https://acmecorp.divvycloud.com/public/packs/  <source>/<int:pack_id>/summary/get

The only changes are the names of the severity titles and they will be as follows:

If you have any questions about the change, please reach out and we will answer as soon as possible.

New Compliance Pack - Federal Financial Institutions Examination Council controls (FFEIC) 22.11.2 includes a new Compliance Pack, Federal Financial Institutions Examination Council controls (FFEIC). The Federal Financial Institutions Examination Council is a formal U.S. government interagency body composed of five banking regulators that is “empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions”.

We have also added a new Insight Resource with Recent Suspicious Event that identifies resources with an Event-Driven Harvesting event in the past 24 hours that is suspicious based upon the change or based upon the change in relation to the current cloud state.

As part of the pack, we also updated the names of several Insights for consistency. The old/new names are as follows [ENG-20710]:

• API Accounting not Exporting Logging to CloudWatch (AWS) has been renamed to API Accounting not Exporting Logging to CloudWatch

• API Accounting Target Storage Container Without MFA Delete Protection (AWS) has been renamed to API Accounting Target Storage Container Without MFA Delete Protection

• Cloud Root Account API Access Key Present has been renamed to Cloud Account Root API Access Key Present

• Cloud User Account without MFA (Azure) has been renamed to Cloud User without MFA (Azure)

• Data Analytics Workspace Exports to a Public Bucket (AWS) has been renamed to Data Analytics Workspace Exports to a Public Storage Container

• Data Analytics Workspace Exports To Unencrypted Bucket has been renamed to Data Analytics Workspace Exports to Unencrypted Storage Container

• Data Analytics Workspace Exports To Unknown Bucket has been renamed to Data Analytics Workspace Exports to Unknown Storage Container

• Data Analytics Workspace Unencrypted at Rest (AWS) has been renamed to Data Analytics Workspace Unencrypted at Rest

• Elasticsearch Instance does not Support Private Networking (AWS) has been renamed to Elasticsearch Instance does not Support Private Networking

• PostgreSQL Database Instance Log Retention Below Threshold has been renamed to Database Instance Log Retention Below Threshold (PostgreSQL)

• PostgreSQL Database Instance Not Enforcing Transit Encryption has been renamed to Database Instance not Enforcing Transit Encryption (PostgreSQL)

• Service Role Trusting Unknown Account has been renamed to Cloud Role Trusting Unknown Account

• We are also deprecating the following Insights as they are effectively duplicates. All Bots created using these Insights will be automatically migrated over to the other Insight:

  • Cloud Account Without Alarm For AWS Organizations Changes
  • Cloud Role Trusting Unknown Account
  • Instance With Serial Port Connectivity Enabled

New Compliance Pack - Center for Internet Security (CIS) - Azure 1.5.0 We have added a new Compliance Pack Center for Internet Security (CIS) - Azure 1.5.0. This CIS Microsoft Azure Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. The benchmark is, however, not an exhaustive list of all possible security configurations and architecture and should be understood as a starting point. [ENG-20585]

AZURE

• Access List Exposes High Risk UDP Ports to the Public - New Insight identifies access lists/security groups that expose commonly exploited UDP ports. [ENG-19731]

MULTI-CLOUD/GENERAL

• We have updated our Insights to use the terms “Cloud Managed Key” and “Customer Managed Key” in a more consistent fashion. The affected Insights are [ENG-20540]:

  • API Accounting Config Encrypted Using Cloud Managed Key Instead Of Customer Master Key has been renamed to API Accounting Config Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Azure Database Instance (SQL Server) Encrypted Using Provider Managed Key Instead of Customer Managed Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Backup Vault is configured without a Customer Managed Key has been renamed to Backup Vault Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Big Data Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Big Data Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Big Data Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Master Key has been renamed to Big Data Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Broker Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Broker Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Build Project Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Build Project Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Cloud Dataset Without Customer Managed Encryption Key has been renamed to Cloud Dataset Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Data Analytics Workspace Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Data Analytics Workspace using Cloud Managed Key Instead of Customer Managed Key

  • Database Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Database Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Database Instance Not Configured to Use Customer Provided Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Database Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Delivery Stream Encrypted Using Cloud Managed Key Instead of Customer Provided Key has been renamed to Delivery Stream Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Distributed Table Encrypted Using Provider Default Key Instead Of Customer Master Key has been renamed to Distributed Table Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Encryption Key Is Customer-managed Without Annual Rotation has been renamed to Encryption Key is Customer Managed Key without Annual Rotation

  • Encryption Keys Managed by Customer not Rotated Annually has been renamed to Encryption Key Older than Year

  • MapReduce Cluster Without Customer Managed Encryption Key has been renamed to MapReduce Cluster using Cloud Managed Key Instead of Customer Managed Key

  • Notification Topic Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Notification Topic Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Secret Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Secret Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Serverless Function Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Serverless Function Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Storage Account For Activity Logs Not Encrypted With Customer Master Key has been renamed to Storage Account Activity Logs Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Storage Account not using Customer Master Key (CMK) has been renamed to Storage Account Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Storage Container Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Storage Container Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Stored Parameter Encrypted With Provider Default Keys has been renamed to Stored Parameter Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • Stream Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Stream Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

• We are also deprecating the following Insights as they are effectively duplicates. All Bots created using the insights will be automatically migrated over to the new matching Insight. Deprecated Insights are ENG-20540]:

  • Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key
  • Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key
  • Volume Encrypted using Cloud Managed Key Instead of Customer Managed Key

Query Filters (22.11.2)

AWS

• Three new Query Filters support the added visibility into AWS’ SageMaker Training Job resource [ENG-20467]:
  • ML Training Job With/Without Inter Container Traffic Encryption - New Query Filter identifies ML Training Jobs with/without inter container traffic encryption.
  • ML Training Job With/Without Managed Spot Training - New Query Filter identifies ML Training Jobs with/without managed spot training.
  • ML Training Job With/Without Network Isolation - New Query Filter identifies ML Training Jobs with/without network isolation.

GCP

• Two new Query Filters support the added visibility for GCP Cloud Domains [ENG-20257]:
  • DNS Domain Without DNSSEC - Identifies DNS Domains that do not utilize DNSSEC.
  • DNS Domain With Registrant Privacy Protection Disabled - Identifies DNS Domains that do not limit the contact information available for a domain registrant that can be found through WHOIS queries.**

MULTI-CLOUD/GENERAL

• Four existing AWS Query Filters have been enhanced to support added visibility into GCP Cloud Domains resource [ENG-20257]:

  • DNS Domain With No Auto-renew - Identifies domains that will not automatically renew.
  • DNS Domain That Allows Transfer - Identifies domains that can be transferred. We have also added a new option to this Query Filter that allows the user to exclude domains with address types that are currently unauthorized for transfer, regardless of whether or not these domains have a transfer lock.
  • DNS Domain Transfer Is Not Authorized - Identifies domains for which the top-level domain does not allow transferring.
  • DNS Domain Due To Expire Soon - Identifies DNS Domains which are not set to auto-renew and are set to expire within a specified number of days.

• We have updated our Query Filters to use the terms “Cloud Managed Key” and “Customer Managed Key” in a more consistent fashion [ENG-20540]:

  • Resource Encrypted With Provider Default Keys has been renamed to Resource Encrypted With Cloud Managed Key
  • Resource Encrypted With Keys Other Than Provider Default has been renamed to Resource Encrypted With Customer Managed Key
  • Resource Not Encrypted Or Encrypted With Provider Default Keys has been renamed to Resource Not Encrypted Or Encrypted With Cloud Managed Key
  • Resource Not Running With Individual Encryption Key has been renamed to Resource Running With Shared Encryption Key
  • Resource Without Customer-Managed Encryption Key has been renamed to Resource Not Encrypted With Customer Managed Key

IAM (22.11.2)

• We have hidden several columns on the Resources page Cloud Roles and Cloud Users as they only apply to AWS resources. The columns are Matching Services, Allowed Services, and Allowed Actions. The column visibility can be toggled on. [ENG-18054]

Bot Actions (22.11.2)

AWS

• Broadened support for the Bot Action “Convert Snapshot Storage Tier” to include AWS China and AWS GovCloud. [ENG-20760]

MULTI-CLOUD/GENERAL

• Updated the Bot Action “Update Content Delivery TLS Settings” so that it can update the TLS setting of either the Viewer Certificate or Custom Origin Config of a content delivery network. [ENG-20801]

Bug Fixes (22.11.2)

• Fixed an issue where policies could not be detached from IAM roles, users, and groups. [ENG-20897]

• Fixed an issue with the Query Filter Web App Invalid Diagnostic Logging Configuration that would mistakenly evaluate against container based function applications. [ENG-20854]

• Fixed a bug that prevented the Azure Tenant/Application IDs from being pre-populated when modifying Azure Organization credentials. [ENG-20697]

• Improved exception handling for the AzureArmIdentityDetailHarvester. [ENG-20637]

• Resolved an issue with re-enabling background jobs that support Query Filters like Resource Specific Policy With/Without Specific Conditions. [ENG-20448]

• Fixed a NoneType error that would appear when running the AzureOrganizationHarvest job. [ENG-20206]

• Improved the UX for auto generated badges. These badges are automatically generated from cloud tags and cannot be removed from the system. [ENG-19754]

• Fixed configuration errors for the Cloud Account Without Compartment In Root Tenancy and Cloud Account With Noncompliant Retention Period Insights. [ENG-18363]

• Fixed issue with disabled plugins being reenabled on restart of scheduler. [ENG-15856]