Nov 01, 2022

22.11.2 Release Notes

InsightCloudSec Software Release Notice - 22.11.2 Release

Our latest Release 22.11.2 is available for hosted customers on Wednesday, November 2, 2022. Availability for self-hosted customers is Thursday, November 3, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Self-Hosted Customers: Schema Update Requiring UI Downtime

Release 22.11.2 requires a schema update to a frequently used database table. As a result, acquiring the necessary lock on this table could prove difficult while users are logged into the tool. To prevent table contention, we recommend scaling the interfaceserver tasks down to zero prior to performing the upgrade. Once the scheduler and/or worker tasks indicate that the schema update was successful, the interfaceserver tasks can be scaled back up to pre-upgrade levels. Please contact us through our Customer Support Portal if you have questions.

Important Notifications

Changes for Self-Hosted Customers

If you’re currently referencing Dockerhub for your InsightCloudSec images (e.g., divvycloud/divvycloud:XX.Y.Z) or this public ECR location (public.ecr.aws/divvycloud/divvycloud), these repositories are no longer being updated. They will remain available for downloading older versions. The new locations for InsightCloudSec images are as follows:

  • public.ecr.aws/rapid7-insightcloudsec/ics/core
  • public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker

Insight Severities

In order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, we are planning to update our Insight severities. The new severities will align with several features, including InsightVM, Kubernetes Guardrails, and Layered Context (currently in EAP). We are planning to implement this change before the end of the quarter. Refer to the Insights section below to read more.

Release Highlights (22.11.2)

InsightCloudSec is pleased to announce Release 22.11.2. This release includes added visibility and support for two new resources: AWS Sagemaker Training Job and GCP Cloud Domains. This release introduces two new Compliance Packs: Federal Financial Institutions Examination Council controls (FFEIC) and Center for Internet Security (CIS) - Azure 1.5.0. 22.11.2 includes two new Insights, more than 30 updated Insights, 11 updated Query Filters, five new Query Filters, two updated Bot actions, and nine bug fixes.

New Permissions Required (22.11.2)

New Permissions Required: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users: "sagemaker:DescribeTrainingJob", "sagemaker:ListTrainingJobs"

The above permissions support the newly added resource AWS SageMaker Training Job. [ENG-20467]

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
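Before attaching a supplemental policy it is worth confirming that the read-only role actually ends up with the two new SageMaker actions, since a wildcard Allow can be cancelled by an explicit Deny elsewhere in the same policy. The following script is an added example, not InsightCloudSec or AWS code: the policy document in it is constructed for illustration and is neither the AWS managed read-only policy nor the supplemental policy from the documentation. It resolves IAM action wildcards and applies deny-overrides-allow to report which required actions are still missing.

```python
"""Check that a Standard (Read-Only) policy grants the actions a release newly
requires. Added example, not InsightCloudSec or AWS code: the policy document
below is constructed for illustration and is not the AWS managed read-only
policy or the supplemental policy from the documentation."""
import fnmatch
import json

# Actions release 22.11.2 adds for AWS Commercial and GovCloud read-only users.
REQUIRED_ACTIONS = [
    "sagemaker:DescribeTrainingJob",
    "sagemaker:ListTrainingJobs",
]

# Constructed policy. The Allow uses a wildcard and an explicit Deny removes
# one of the required actions again, to show that a Deny overrides an Allow.
SUPPLEMENTAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sagemaker:ListTrainingJobs", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list for the Action element."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy_json, actions):
    """Return, sorted, the subset of `actions` the policy allows.

    An action is allowed when an Allow statement matches it and no Deny
    statement matches it (explicit deny wins). Resource and Condition
    elements are ignored because the release lists actions only, and
    NotAction statements are not evaluated; extend as needed."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in actions:
            if any(_action_matches(p, action) for p in patterns):
                target.add(action)
    return sorted(allowed - denied)


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, in the order listed."""
    granted = set(allowed_actions(policy_json, required))
    return [a for a in required if a not in granted]


if __name__ == "__main__":
    for action in missing_actions(SUPPLEMENTAL_POLICY):
        print("missing:", action)
```

In a real check the policy documents come from IAM (for example the default version of each policy attached to the harvesting role); the evaluation above is deliberately limited to the Action element, so a Deny scoped by Resource or Condition is reported more conservatively than IAM itself would treat it.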

New Permission Required: GCP

The following new permission is required for GCP: "domains.registrations.list"

This addition supports the added visibility into GCP Cloud Domains. This permission is found in the Cloud Domains API. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-20257]

Features & Enhancements (22.11.2)

  • We are introducing a powerful new means of scoping bots in BotFactory, Badge Exclusions. As the name implies, Badge Exclusions allows customers to exclude cloud accounts based on badge assignment. This enhancement makes Bot scoping much more manageable at enterprise scale by permitting a combination of inclusions and exclusions of accounts using badges. [ENG-20598]

  • Insight Exemptions created by Insight Exemption Rules will now inherit the description/notes associated with the rule. [ENG-20423]

  • We have updated the license breakdown to include the organization name and account IDs for ease of analysis. This information is now in the UI and in the CSV download. [ENG-20251]

  • We now use cached values to speed up loading of the Resources page and listing. [ENG-20829]

  • Added Jinja support to ServiceNow Bot action fields. [ENG-20762]

  • We have updated the descriptions on all Query Filters and Insights for diagnostic settings to ensure consistency. The remediation steps have been removed from these Insights and replaced with a link to the steps instead. The reference links have also been updated so that all links appear as linked text rather than bare hyperlinks. [ENG-20618]

User Interface Changes (22.11.2)

  • We have improved the user experience by allowing users to drill down, within the Resources section, into the resource types that the selected Query Filters and Insights support. [ENG-20730]

Resources (22.11.2)

AWS

  • We have added visibility into AWS' SageMaker Training Job resource. SageMaker Training Jobs are shown in the tool as the new Resource type Machine Learning Training Job under the Compute resource category. [ENG-17397, ENG-20467]
    • Several new Query Filters support this resource: ML Training Job With/Without Network Isolation, ML Training Job With/Without Inter Container Traffic Encryption, and ML Training Job With/Without Managed Spot Training.
    • Two new permissions for read-only policies are required: "sagemaker:DescribeTrainingJob" and "sagemaker:ListTrainingJobs".

GCP

  • We have added visibility and support for GCP Cloud Domains (Identity & Management resource category, DNS Domain resource type). [ENG-20257]
    • A new permission, "domains.registrations.list" (found in the Cloud Domains API), is required in order to harvest GCP Cloud Domains.
    • Two new Query Filters have been added: DNS Domain Without DNSSEC and DNS Domain With Registrant Privacy Protection Disabled.
    • Four existing Query Filters have been enhanced to support GCP Cloud Domains: DNS Domain With No Auto-renew, DNS Domain That Allows Transfer, DNS Domain Transfer Is Not Authorized, and DNS Domain Due To Expire Soon.

MULTI-CLOUD/GENERAL

  • We have enhanced support for the DNS Domain resource type (GCP Cloud Domains and AWS Route53) by adding two new fields to the Service Domain resource in ICS that check for DNSSEC being enabled and whether the registrant's details are privacy protected. [ENG-20257]
    • A new option has been added to the Query Filter DNS Domain That Allows Transfer which allows the user to exclude domains with address types that are currently unauthorized for transfer, regardless of whether or not these domains have a transfer lock.

Insights (22.11.2)

Insight Severity

As a reminder, in order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, we are planning to update our Insight severities. The new severities will align with several features, including InsightVM, Kubernetes Guardrails, and Layered Context. The plan is to implement this change in release 22.11.9 on November 9, 2022.

We do not expect customers to be impacted by the Insight severity changes. The following API Endpoints use only the number tied to a severity, and those numbers will remain the same:

The only changes are the names of the severity titles and they will be as follows:

Current Severity Number   Current Severity Name   New Severity Number   New Severity Name
1                         Minor                   1                     Info
2                         Moderate                2                     Low
3                         Major                   3                     Medium
4                         Severe                  4                     High
5                         Critical                5                     Critical

If you have any questions about the change, please reach out and we will answer as soon as possible.

New Compliance Pack - Federal Financial Institutions Examination Council controls (FFEIC)

22.11.2 includes a new Compliance Pack, Federal Financial Institutions Examination Council controls (FFEIC). The Federal Financial Institutions Examination Council is a formal U.S. government interagency body composed of five banking regulators that is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions".

We have also added a new Insight, Resource with Recent Suspicious Event, which identifies resources with an Event-Driven Harvesting event in the past 24 hours that is suspicious either based on the change itself or based on the change in relation to the current cloud state.

As part of the pack, we also updated the names of several Insights for consistency. The old/new names are as follows [ENG-20710]:

  • API Accounting not Exporting Logging to CloudWatch (AWS) has been renamed to API Accounting not Exporting Logging to CloudWatch

  • API Accounting Target Storage Container Without MFA Delete Protection (AWS) has been renamed to API Accounting Target Storage Container Without MFA Delete Protection

  • Cloud Root Account API Access Key Present has been renamed to Cloud Account Root API Access Key Present

  • Cloud User Account without MFA (Azure) has been renamed to Cloud User without MFA (Azure)

  • Data Analytics Workspace Exports to a Public Bucket (AWS) has been renamed to Data Analytics Workspace Exports to a Public Storage Container

  • Data Analytics Workspace Exports To Unencrypted Bucket has been renamed to Data Analytics Workspace Exports to Unencrypted Storage Container

  • Data Analytics Workspace Exports To Unknown Bucket has been renamed to Data Analytics Workspace Exports to Unknown Storage Container

  • Data Analytics Workspace Unencrypted at Rest (AWS) has been renamed to Data Analytics Workspace Unencrypted at Rest

  • Elasticsearch Instance does not Support Private Networking (AWS) has been renamed to Elasticsearch Instance does not Support Private Networking

  • PostgreSQL Database Instance Log Retention Below Threshold has been renamed to Database Instance Log Retention Below Threshold (PostgreSQL)

  • PostgreSQL Database Instance Not Enforcing Transit Encryption has been renamed to Database Instance not Enforcing Transit Encryption (PostgreSQL)

  • Service Role Trusting Unknown Account has been renamed to Cloud Role Trusting Unknown Account

  • We are also deprecating the following Insights as they are effectively duplicates. All Bots created using these Insights will be automatically migrated over to the other Insight:

    • Cloud Account Without Alarm For AWS Organizations Changes
    • Cloud Role Trusting Unknown Account
    • Instance With Serial Port Connectivity Enabled

New Compliance Pack - Center for Internet Security (CIS) - Azure 1.5.0

We have added a new Compliance Pack, Center for Internet Security (CIS) - Azure 1.5.0. This CIS Microsoft Azure Foundations Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. The scope of this benchmark is to establish the foundation level of security for anyone adopting Microsoft Azure Cloud. The benchmark is, however, not an exhaustive list of all possible security configurations and architecture and should be understood as a starting point. [ENG-20585]

AZURE

  • Access List Exposes High Risk UDP Ports to the Public - New Insight identifies access lists/security groups that expose commonly exploited UDP ports. [ENG-19731]

MULTI-CLOUD/GENERAL

  • We have updated our Insights to use the terms "Cloud Managed Key" and "Customer Managed Key" in a more consistent fashion. The affected Insights are [ENG-20540]:

    • API Accounting Config Encrypted Using Cloud Managed Key Instead Of Customer Master Key has been renamed to API Accounting Config Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Azure Database Instance (SQL Server) Encrypted Using Provider Managed Key Instead of Customer Managed Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Backup Vault is configured without a Customer Managed Key has been renamed to Backup Vault Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Big Data Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Big Data Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Big Data Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Master Key has been renamed to Big Data Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Broker Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Broker Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Build Project Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Build Project Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Cloud Dataset Without Customer Managed Encryption Key has been renamed to Cloud Dataset Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Data Analytics Workspace Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Data Analytics Workspace using Cloud Managed Key Instead of Customer Managed Key

    • Database Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Database Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Database Instance Not Configured to Use Customer Provided Key has been renamed to Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Database Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Database Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Delivery Stream Encrypted Using Cloud Managed Key Instead of Customer Provided Key has been renamed to Delivery Stream Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Distributed Table Encrypted Using Provider Default Key Instead Of Customer Master Key has been renamed to Distributed Table Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Encryption Key Is Customer-managed Without Annual Rotation has been renamed to Encryption Key is Customer Managed Key without Annual Rotation

    • Encryption Keys Managed by Customer not Rotated Annually has been renamed to Encryption Key Older than Year

    • MapReduce Cluster Without Customer Managed Encryption Key has been renamed to MapReduce Cluster using Cloud Managed Key Instead of Customer Managed Key

    • Notification Topic Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Notification Topic Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Secret Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Secret Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Serverless Function Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Serverless Function Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Snapshot Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Snapshot Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Storage Account For Activity Logs Not Encrypted With Customer Master Key has been renamed to Storage Account Activity Logs Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Storage Account not using Customer Master Key (CMK) has been renamed to Storage Account Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Storage Container Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Storage Container Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Stored Parameter Encrypted With Provider Default Keys has been renamed to Stored Parameter Encrypted using Cloud Managed Key Instead of Customer Managed Key

    • Stream Instance Encrypted Using Cloud Managed Key Instead Of Customer Provided Key has been renamed to Stream Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key

  • We are also deprecating the following Insights as they are effectively duplicates. All Bots created using these Insights will be automatically migrated over to the new matching Insight. The deprecated Insights are [ENG-20540]:

    • Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key
    • Database Instance Encrypted using Cloud Managed Key Instead of Customer Managed Key
    • Volume Encrypted using Cloud Managed Key Instead of Customer Managed Key

Query Filters (22.11.2)

AWS

  • Three new Query Filters support the added visibility into AWS' SageMaker Training Job resource [ENG-20467]:
    • ML Training Job With/Without Inter Container Traffic Encryption - New Query Filter identifies ML Training Jobs with/without inter container traffic encryption.
    • ML Training Job With/Without Managed Spot Training - New Query Filter identifies ML Training Jobs with/without managed spot training.
    • ML Training Job With/Without Network Isolation - New Query Filter identifies ML Training Jobs with/without network isolation.
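The three SageMaker Query Filters above (and the same ones listed under Resources) each evaluate one boolean on the training job description. The script below is an added example, not InsightCloudSec code: it evaluates constructed records shaped like a sagemaker:DescribeTrainingJob response (the field names EnableNetworkIsolation, EnableInterContainerTrafficEncryption and EnableManagedSpotTraining are the API's own; only those fields are included) and reports which jobs each With/Without variant would match, treating an absent field as disabled, which is the API default.

```python
"""Evaluate SageMaker training job descriptions against the three new
Query Filters. Added example, not InsightCloudSec code. The records below are
constructed in the shape of a DescribeTrainingJob response, limited to the
fields these checks read."""

# Constructed DescribeTrainingJob-style records (not real jobs).
TRAINING_JOBS = [
    {
        "TrainingJobName": "fraud-model-prod",
        "EnableNetworkIsolation": True,
        "EnableInterContainerTrafficEncryption": True,
        "EnableManagedSpotTraining": False,
    },
    {
        "TrainingJobName": "experiment-42",
        "EnableNetworkIsolation": False,
        "EnableInterContainerTrafficEncryption": False,
        "EnableManagedSpotTraining": True,
    },
    {
        # All three flags absent: the API default for each is False, so a
        # detection that skipped jobs with missing fields would miss this one.
        "TrainingJobName": "legacy-job",
    },
]

# (name of the "With" variant of the Query Filter, response field it reads)
CHECKS = [
    ("ML Training Job With Network Isolation", "EnableNetworkIsolation"),
    ("ML Training Job With Inter Container Traffic Encryption",
     "EnableInterContainerTrafficEncryption"),
    ("ML Training Job With Managed Spot Training", "EnableManagedSpotTraining"),
]


def flag_enabled(job, field):
    """Read a boolean flag from a job description; a missing field counts as False."""
    return bool(job.get(field, False))


def matching_jobs(jobs, field, enabled):
    """Sorted names of jobs whose `field` equals `enabled`."""
    return sorted(j["TrainingJobName"] for j in jobs if flag_enabled(j, field) == enabled)


def findings(jobs=TRAINING_JOBS):
    """Map every With/Without Query Filter name to the jobs it would match."""
    out = {}
    for name, field in CHECKS:
        out[name] = matching_jobs(jobs, field, True)
        out[name.replace(" With ", " Without ")] = matching_jobs(jobs, field, False)
    return out


if __name__ == "__main__":
    for query_filter, names in findings().items():
        print(f"{query_filter}: {names}")
```

The same three parameter names are accepted by CreateTrainingJob, so the "Without" results translate directly into the settings to enable when a job is recreated; with a real account the records would be collected by paging ListTrainingJobs and calling DescribeTrainingJob for each name.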

GCP

  • Two new Query Filters support the added visibility for GCP Cloud Domains [ENG-20257]:
    • DNS Domain Without DNSSEC - Identifies DNS Domains that do not utilize DNSSEC.
    • DNS Domain With Registrant Privacy Protection Disabled - Identifies DNS Domains that do not limit the contact information available for a domain registrant that can be found through WHOIS queries.

MULTI-CLOUD/GENERAL

  • Four existing AWS Query Filters have been enhanced to support the added visibility into the GCP Cloud Domains resource [ENG-20257]:

    • DNS Domain With No Auto-renew - Identifies domains that will not automatically renew.
    • DNS Domain That Allows Transfer - Identifies domains that can be transferred. We have also added a new option to this Query Filter that allows the user to exclude domains with address types that are currently unauthorized for transfer, regardless of whether or not these domains have a transfer lock.
    • DNS Domain Transfer Is Not Authorized - Identifies domains for which the top-level domain does not allow transferring.
    • DNS Domain Due To Expire Soon - Identifies DNS Domains which are not set to auto-renew and are set to expire within a specified number of days.
  • We have updated our Query Filters to use the terms "Cloud Managed Key" and "Customer Managed Key" in a more consistent fashion [ENG-20540]:

    • Resource Encrypted With Provider Default Keys has been renamed to Resource Encrypted With Cloud Managed Key
    • Resource Encrypted With Keys Other Than Provider Default has been renamed to Resource Encrypted With Customer Managed Key
    • Resource Not Encrypted Or Encrypted With Provider Default Keys has been renamed to Resource Not Encrypted Or Encrypted With Cloud Managed Key
    • Resource Not Running With Individual Encryption Key has been renamed to Resource Running With Shared Encryption Key
    • Resource Without Customer-Managed Encryption Key has been renamed to Resource Not Encrypted With Customer Managed Key
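The six DNS Domain Query Filters above (the two new ones under GCP and the four enhanced ones, including the new "exclude unauthorized transfers" option) all read a handful of fields from a domain registration. The following script is an added example, not InsightCloudSec code, and evaluates constructed registration records against each filter with a fixed clock. The field names used (expireTime, managementSettings.renewalMethod, managementSettings.transferLockState, contactSettings.privacy, dnsSettings.googleDomainsDns.dsState, dnsSettings.customDns.dsRecords) are assumed to follow the Cloud Domains API v1 Registration resource and should be checked against the API reference; the registrations and the set of TLDs that refuse transfers are constructed.

```python
"""Evaluate Cloud Domains registrations against the DNS Domain Query Filters.
Added example, not InsightCloudSec code. Field names are assumed to follow the
Cloud Domains API v1 Registration resource; the records and the set of
non-transferable TLDs below are constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 11, 2, tzinfo=timezone.utc)  # fixed clock for reproducible results

# Constructed: TLDs whose registry does not permit transfers, i.e. the
# "address types that are currently unauthorized for transfer".
TRANSFER_NOT_AUTHORIZED_TLDS = {"locked-tld"}

# Constructed registration records in the shape of the Registration resource.
REGISTRATIONS = [
    {
        "domainName": "shop.example",
        "expireTime": "2023-06-01T00:00:00Z",
        "managementSettings": {"renewalMethod": "AUTOMATIC_RENEWAL", "transferLockState": "LOCKED"},
        "contactSettings": {"privacy": "PRIVATE_CONTACT_DATA"},
        "dnsSettings": {"googleDomainsDns": {"dsState": "DS_RECORDS_PUBLISHED"}},
    },
    {
        "domainName": "legacy.example",
        "expireTime": "2022-11-20T00:00:00Z",
        "managementSettings": {"renewalMethod": "MANUAL_RENEWAL", "transferLockState": "UNLOCKED"},
        "contactSettings": {"privacy": "PUBLIC_CONTACT_DATA"},
        "dnsSettings": {"customDns": {"nameServers": ["ns1.example"], "dsRecords": []}},
    },
    {
        "domainName": "corp.locked-tld",
        "expireTime": "2024-01-01T00:00:00Z",
        "managementSettings": {"renewalMethod": "AUTOMATIC_RENEWAL", "transferLockState": "UNLOCKED"},
        "contactSettings": {"privacy": "REDACTED_CONTACT_DATA"},
        "dnsSettings": {"customDns": {"nameServers": ["ns1.example"], "dsRecords": [{"keyTag": 12345}]}},
    },
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dnssec_enabled(reg):
    """Google-managed DNS reports a DS state; custom DNS is signed only when DS records exist."""
    dns = reg.get("dnsSettings", {})
    if "googleDomainsDns" in dns:
        return dns["googleDomainsDns"].get("dsState") == "DS_RECORDS_PUBLISHED"
    return bool(dns.get("customDns", {}).get("dsRecords"))


def privacy_protected(reg):
    """Only PUBLIC_CONTACT_DATA exposes the registrant's details through WHOIS."""
    return reg.get("contactSettings", {}).get("privacy") != "PUBLIC_CONTACT_DATA"


def auto_renews(reg):
    return reg.get("managementSettings", {}).get("renewalMethod") == "AUTOMATIC_RENEWAL"


def transfer_authorized(reg):
    """False when the TLD's registry refuses transfers regardless of lock state."""
    return reg["domainName"].rsplit(".", 1)[-1].lower() not in TRANSFER_NOT_AUTHORIZED_TLDS


def allows_transfer(reg, exclude_unauthorized=False):
    """Transfer lock absent or UNLOCKED; the new option drops domains that cannot transfer anyway."""
    if exclude_unauthorized and not transfer_authorized(reg):
        return False
    return reg.get("managementSettings", {}).get("transferLockState") != "LOCKED"


def expires_within(reg, days, now=NOW):
    """Due To Expire Soon only concerns domains that will not renew on their own."""
    return not auto_renews(reg) and _parse_time(reg["expireTime"]) <= now + timedelta(days=days)


def evaluate(registrations=REGISTRATIONS, expiry_days=30, exclude_unauthorized=True, now=NOW):
    """Map each Query Filter name to the sorted domains it flags."""
    def names(pred):
        return sorted(r["domainName"] for r in registrations if pred(r))
    return {
        "DNS Domain Without DNSSEC": names(lambda r: not dnssec_enabled(r)),
        "DNS Domain With Registrant Privacy Protection Disabled": names(lambda r: not privacy_protected(r)),
        "DNS Domain With No Auto-renew": names(lambda r: not auto_renews(r)),
        "DNS Domain That Allows Transfer": names(lambda r: allows_transfer(r, exclude_unauthorized)),
        "DNS Domain Transfer Is Not Authorized": names(lambda r: not transfer_authorized(r)),
        "DNS Domain Due To Expire Soon": names(lambda r: expires_within(r, expiry_days, now)),
    }


if __name__ == "__main__":
    for query_filter, domains in evaluate().items():
        print(f"{query_filter}: {domains}")
```

Note how the transfer checks interact: without the new exclusion option, corp.locked-tld is reported as allowing transfer because it is merely unlocked, even though its TLD refuses transfers; with the option it drops out of that list and appears only under Transfer Is Not Authorized, which is the noise reduction the option is for.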

IAM (22.11.2)

  • We have hidden several columns on the Resources page for Cloud Roles and Cloud Users, as they only apply to AWS resources. The columns are Matching Services, Allowed Services, and Allowed Actions. Column visibility can be toggled back on. [ENG-18054]

Bot Actions (22.11.2)

AWS

  • Broadened support for the Bot Action “Convert Snapshot Storage Tier” to include AWS China and AWS GovCloud. [ENG-20760]

MULTI-CLOUD/GENERAL

  • Updated the Bot Action “Update Content Delivery TLS Settings” so that it can update the TLS setting of either the Viewer Certificate or Custom Origin Config of a content delivery network. [ENG-20801]

Bug Fixes (22.11.2)

  • Fixed an issue where policies could not be detached from IAM roles, users, and groups. [ENG-20897]

  • Fixed an issue with the Query Filter Web App Invalid Diagnostic Logging Configuration that would mistakenly evaluate against container based function applications. [ENG-20854]

  • Fixed a bug that prevented the Azure Tenant/Application IDs from being pre-populated when modifying Azure Organization credentials. [ENG-20697]

  • Improved exception handling for the AzureArmIdentityDetailHarvester. [ENG-20637]

  • Resolved an issue with re-enabling background jobs that support Query Filters like Resource Specific Policy With/Without Specific Conditions. [ENG-20448]

  • Fixed a NoneType error that would appear when running the AzureOrganizationHarvest job. [ENG-20206]

  • Improved the UX for auto generated badges. These badges are automatically generated from cloud tags and cannot be removed from the system. [ENG-19754]

  • Fixed configuration errors for the Cloud Account Without Compartment In Root Tenancy and Cloud Account With Noncompliant Retention Period Insights. [ENG-18363]

  • Fixed an issue with disabled plugins being re-enabled on restart of the scheduler. [ENG-15856]