InsightCloudSec 22.11.9 Release Notes

Nov 08, 2022

InsightCloudSec is pleased to announce Release 22.11.9

InsightCloudSec Software Release Notice - 22.11.9 Release

Our latest Release 22.11.9 is available for hosted customers on Wednesday, November 9, 2022. Availability for self-hosted customers is Thursday, November 10, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Self-Hosted Customers Not Upgraded to 22.11.2: Schema Update Requiring UI Downtime

Release 22.11.2 requires a schema update to a frequently used database table. As a result, for customers that have not yet updated to 22.11.2 or 22.11.9, acquiring the necessary lock on this table can be difficult while users are logged into the tool. To prevent table contention, we recommend scaling the interfaceserver tasks down to zero before performing the upgrade. Once the scheduler and/or worker tasks indicate that the schema update was successful, the interfaceserver tasks can be scaled back up to pre-upgrade levels. Please contact us through our Customer Support Portal if you have questions.

⚠️

Important Announcements

Insight Severities

In order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, we are planning to update our Insight severities. The new severities will align with several features, including InsightVM, Kubernetes Guardrails, and Layered Context (currently in EAP). We are planning to implement this change before the end of the quarter. Refer to the Insights section of the 22.11.2 Release Notes for full details.

Changes for Self-Hosted Customers

For any customers referencing Dockerhub for InsightCloudSec images (e.g., divvycloud/divvycloud:XX.Y.Z) or the public ECR location public.ecr.aws/divvycloud/divvycloud, these repositories are no longer being updated (as of 22.11.2). They will remain available for downloading older versions. The new locations for InsightCloudSec images are public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.

Release Highlights (22.11.9)

InsightCloudSec is pleased to announce Release 22.11.9. This release includes significantly expanded support for Alibaba Cloud, including updates to permissions, expanded Query Filters and Insights, and a new CIS 1.0.0 Compliance Pack for Alibaba Cloud. This release also adds support for the AWS CodeCommit resource and the Azure Template Specs resource, and updates our Parent/Child relationships to include Task Definitions/Tasks. In addition, 22.11.9 includes four new Insights, eight updated Insights, a dozen renamed Insights, ten updated Query Filters, seven new Query Filters, one updated Bot action, and 11 bug fixes.

New Permissions Required (22.11.9)

⚠️

New Permissions Required: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users: “codecommit:BatchGetRepositories”, “codecommit:ListBranches”, “codecommit:ListRepositories”

For AWS Commercial and GovCloud Power Users: “codecommit:*”

The above permissions support the newly added resource AWS CodeCommit Repositories. [ENG-20840]

Note: We recommend that AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of the AWS managed policy is that AWS continuously updates it for new services, which makes the policy easier for the customer to attach and maintain. Details on this recommendation can be found in the AWS IAM Policies documentation under Standard User (Read-Only): AWS-managed supplemental policy.
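A quick way to confirm an existing supplemental policy already grants the three new read-only CodeCommit actions (or the Power User wildcard) is to evaluate the policy document against the required list. The following is an added example written for these notes, not InsightCloudSec code: it performs a simplified IAM evaluation (Allow minus explicit Deny, with IAM-style `*`/`?` wildcards) and ignores Resource, Condition and NotAction, so treat it as a sanity check rather than an authorisation simulator. The two policy documents are constructed samples.

```python
import fnmatch
import json

# Actions this release adds for Standard (Read-Only) users (from the release notes).
REQUIRED_READONLY_ACTIONS = [
    "codecommit:BatchGetRepositories",
    "codecommit:ListBranches",
    "codecommit:ListRepositories",
]

def _as_list(value):
    """IAM accepts "Action": "x" or "Action": ["x", "y"]; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy, required=REQUIRED_READONLY_ACTIONS):
    """Return the subset of `required` that the policy grants.

    Simplified evaluation (assumption of this example): an action is granted if
    some Allow statement matches it and no Deny statement matches it.
    Resource, Condition and NotAction are not evaluated.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is legal
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        patterns = _as_list(stmt.get("Action"))
        for action in required:
            if any(_matches(p, action) for p in patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return sorted(allowed - denied)

def missing_actions(policy, required=REQUIRED_READONLY_ACTIONS):
    """Required actions the policy does not grant; empty means nothing to add."""
    return sorted(set(required) - set(allowed_actions(policy, required)))

# Constructed sample: a supplemental read-only policy written before 22.11.9.
OLD_SUPPLEMENTAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codecommit:ListRepositories", "ecr:ListImages"], "Resource": "*"}
  ]
}""")

# Constructed sample: a Power User style policy using the wildcard from the notes.
POWER_USER_POLICY = {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "codecommit:*", "Resource": "*"}}

if __name__ == "__main__":
    print("missing (old read-only):", missing_actions(OLD_SUPPLEMENTAL_POLICY))
    print("missing (power user):", missing_actions(POWER_USER_POLICY))
```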

⚠️

Updated Permissions: Alibaba

We have updated permissions and harvesting of Alibaba Cloud resources to improve harvesting results. [ENG-20977, ENG-14843]

Permissions Added: “cms:DescribeMonitoringAgentHosts”, “cs:GetClusters”, “oss:GetBucketStat”, “ram:GenerateCredentialReport”, “ram:GetCallerIdentity”, “ram:GetCredentialReport”, “rds:DescribeDBInstanceSSL”, “rds:DescribeDBInstanceTDE”, “rds:DescribeParameters”, “vpc:DescribeFlowLogs”, “vpc:DescribeVRouters”

Permissions Removed: “vpc:DescribeRouteEntry”, “vpc:DescribeRouteTable”

⚠️

New Permission Required: Azure

For Azure Standard Reader Role Users: “Microsoft.Resources/templatespecs/versions/read”

This new permission supports the added resource Azure Template Specs. [ENG-19263]

Features & Enhancements (22.11.9)

Enhanced Support for Alibaba Cloud

We have added initial support for the CIS 1.0.0 Compliance Pack for Alibaba Cloud. We have added several new Insights, specifically:

  • API Accounting without Global Log Exports
  • Cloud Account Password Policy does not Enforce Maximum Login Attempts
  • Kubernetes Cluster without Terway Network Plugin
  • Storage Container Public Access Via Resource Access Policy

We have broadened the support of these existing Insights to include Alibaba Cloud:

  • Database Instance Flag 'log_connections' Disabled
  • Database Instance Flag 'log_disconnections' Disabled
  • Database Instance Flag 'log_duration' Disabled
  • Database Instance not Encrypted
  • Database Instance not Enforcing Transit Encryption
  • Database Instance not Enforcing Transit Encryption (MySQL) - (and now supporting AWS too)
  • Database Instance not Enforcing Transit Encryption (PostgreSQL) - (and now supporting AWS and GCP too)

We have broadened support for these Query Filters to include Alibaba Cloud:

  • Database Instance/Cluster/Snapshot Engine
  • Database Instance Without Required Flag
  • Database Instance Without SSL Enforced [ENG-14843]

Additional Features & Enhancements

  • Added the ability to inspect and navigate resource dependencies in the following sections:

    • Compliance Scorecard
    • Exemptions
    • Threat Findings [ENG-20818]
  • We have updated our Parent/Child relationships to include Task Definitions/Tasks. With this update, the Bot Action “Mirror Resource Tags From Parent” and the following Query Filters can now work when examining Tasks:

    • Parent Resource Not In Resource Group
    • Parent Resource Contains Tag Key
    • Parent Resource Contains Tag Key/Value Pair
    • Resource Tag Does Not Mirror Parent
    • Resource Tag Mirrors Parent [ENG-20933]
  • Azure Users and Groups that have federated access to AWS SSO via Azure AD can now be viewed on the Resources page under Identity & Management (Federated User/Federated Group) once harvested by the new FederatedPrincipalHarvester. [ENG-18745]

Resources (22.11.9)

AWS

  • Expanded AWS support for visibility into me-central-1 (UAE). [ENG-20998]

  • Added visibility into the AWS CodeCommit resource. CodeCommit Repositories are shown in the tool as the new Resource type Code Repository under the Identity & Management resource category. New permissions are required for the AWS commercial and GovCloud Standard (Read-Only) user policies: “codecommit:BatchGetRepositories”, “codecommit:ListBranches”, and “codecommit:ListRepositories”. AWS commercial and GovCloud Power Users will need “codecommit:*”. [ENG-20840]

AZURE

  • Added visibility and support for Azure Template Specs, the Azure equivalent of CloudFormation Templates, which are used to deploy resources repeatedly and consistently. Template Specs are found under the Compute category as the new resource type Template Spec. Five new Query Filters were created to support this resource type:
    • Template Spec Contains Secret - Identifies templates for which the default value for parameters contains a secret.
    • Template Spec Includes/Excludes Regular Expressions (Regex) - Identifies templates that include/exclude singular or multiple regex expressions.
    • Template Spec Launches Resource Type - Identifies templates that launch a particular ICS/Divvy Resource type.
    • Template Spec with Multiple Versions - Identifies templates for which multiple versions exist.
    • Template Spec with Particular Resource Group - Identifies templates launching resources into a particular resource group.

This new resource requires the “Microsoft.Resources/templatespecs/versions/read” permission. [ENG-19263]
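The “Template Spec Contains Secret” filter above flags templates whose parameter defaults carry a secret. The following is an added example for these notes, not InsightCloudSec’s own detection logic: it walks the `parameters` section of an ARM template (the content of a Template Spec version) and applies two assumed heuristics, a secure-typed parameter (securestring/secureObject) with a non-empty default, and a credential-looking parameter name with a non-empty default. The template and the name pattern are constructed for the example.

```python
import json
import re

# Assumed heuristic: parameter names that usually carry credentials.
SECRET_NAME_PATTERN = re.compile(
    r"(password|passwd|secret|token|connectionstring|apikey|accesskey|accountkey|privatekey)",
    re.IGNORECASE,
)

def _is_empty(value):
    # ARM permits an empty default on secure parameters; only non-empty defaults are a finding.
    return value in ("", None, {}, [])

def find_secret_defaults(template):
    """Return (parameter_name, reason) pairs for parameters whose defaultValue
    looks like an embedded secret. Checks are heuristics assumed by this example:
      1. securestring/secureObject parameters with a non-empty defaultValue
         (ARM guidance is not to hard-code defaults for secure parameters);
      2. credential-like parameter names with a non-empty defaultValue of any type.
    """
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if "defaultValue" not in spec or _is_empty(spec["defaultValue"]):
            continue
        ptype = str(spec.get("type", "")).lower()
        if ptype in ("securestring", "secureobject"):
            findings.append((name, "secure parameter has a hard-coded defaultValue"))
        elif SECRET_NAME_PATTERN.search(name):
            findings.append((name, "credential-like parameter has a non-empty defaultValue"))
    return findings

# Constructed sample Template Spec content (not a real template).
SAMPLE_TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {"type": "string", "defaultValue": "web01"},
    "adminPassword": {"type": "securestring", "defaultValue": "P@ssw0rd-placeholder"},
    "storageAccountKey": {"type": "string", "defaultValue": "EXAMPLE-KEY-NOT-REAL"},
    "dbConnectionString": {"type": "string", "defaultValue": ""}
  },
  "resources": []
}""")

if __name__ == "__main__":
    for param, reason in find_secret_defaults(SAMPLE_TEMPLATE):
        print(f"{param}: {reason}")
```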

Insights (22.11.9)

Alibaba Cloud

  • We have added four new Insights to support the initial CIS 1.0.0 Compliance Pack for Alibaba Cloud [ENG-14843]:

    • API Accounting without Global Log Exports - New Query Filter identifies API accounting configurations that are not multi-region and not configured to log exports to a storage container.
    • Cloud Account Password Policy does not Enforce Maximum Login Attempts - New Query Filter identifies cloud accounts that do not enforce a maximum of five incorrect logon attempts before blocking the account.
    • Kubernetes Cluster without Terway Network Plugin - New Query Filter identifies Kubernetes clusters without the Terway network plugin which enables multiple IP addresses and network policy features.
    • Storage Container Public Access Via Resource Access Policy - New Insight identifies storage containers that have been flagged as public due to their resource-based access policy. Supports Alibaba Cloud and AWS. [ENG-14843]
  • We have broadened the support of these existing Insights to include Alibaba Cloud [ENG-14843]:

    • Database Instance Flag 'log_connections' Disabled
    • Database Instance Flag 'log_disconnections' Disabled
    • Database Instance Flag 'log_duration' Disabled
    • Database Instance not Encrypted
    • Database Instance not Enforcing Transit Encryption

MULTI-CLOUD/GENERAL

  • Compute Region Without Default Volume Encryption - Insight renamed to Cloud Region without Default Volume Encryption and updated to only identify regions with active volumes. [ENG-20817]

  • Storage Container Public Access Via Resource Access Policy - New Insight identifies storage containers that have been flagged as public due to their resource-based access policy. Supports Alibaba Cloud and AWS. [ENG-14843]

  • We have broadened the support of these existing Insights to include multi-clouds as follows [ENG-14843]:

    • Database Instance not Enforcing Transit Encryption (MySQL) - Now supports Alibaba Cloud and AWS.
    • Database Instance not Enforcing Transit Encryption (PostgreSQL) - Now supports Alibaba Cloud, AWS, and GCP.
  • Related to our work for the CIS 1.0.0 Compliance Pack for Alibaba Cloud, we have updated Insight names and descriptions for consistency. The renamed (Old Name → New Name) Insights are [ENG-14843]:

    • Cloud Account Missing Log Metric Filter And Alerts For Cloud Storage IAM Permission Changes → Cloud Account without Alert for Cloud Storage IAM Permission Changes
    • Cloud Account Missing Log Metric Filter And Alerts For SQL Instance Configuration Changes → Cloud Account without Alert for SQL Instance Configuration Changes
    • Cloud Account Missing Log Metric Filter And Alerts For VPC Network Changes → Cloud Account without Alert for Network Changes
    • Cloud Account Missing Log Metric Filter And Alerts For VPC Network Route Changes → Cloud Account without Alert for Network Route Changes
    • Cluster not using Role-Based Access Control → Kubernetes Cluster not using Role-Based Access Control
    • Database Instance not Encrypted (AWS) → Database Instance not Encrypted
    • Instance Does Not have Endpoint Protection Installed (Azure) → Instance does not have Endpoint Protection Installed
    • Instance Management Ports Not Protected Using JIT Access Control (Azure) → Instance Management Ports not Protected Using JIT Access Control
    • Instance Not in Private Network (AWS) → Instance Not in Private Network
    • Instance Without JIT Access Control Enabled (Azure) → Instance without JIT Access Control Enabled
    • Kubernetes Cluster Engine Logging Disabled (AWS) → Kubernetes Cluster Engine Logging Disabled
    • Network without DDoS Protection Enabled (Azure) → Network without DDoS Protection Enabled

Query Filters (22.11.9)

Alibaba Cloud

  • We have broadened support for these Query Filters to include Alibaba Cloud [ENG-14843]:
    • Database Instance/Cluster/Snapshot Engine
    • Database Instance Without Required Flag
    • Database Instance Without SSL Enforced

AWS

  • Cloud Region Without Default/Allow List Encryption Enabled - Query Filter updated to provide an option to exclude regions that do not have any EBS volumes in place. [ENG-20817]

  • Content Delivery Network Using Default SSL Certificate - Enhanced Query Filter by adding the “Not In” option to allow users to find any AWS CDNs not using the default SSL certificate. [ENG-21028]

  • Identity Resource Usage of Risky Permissions - New Query Filter returns Cloud Roles and Users (AWS only) that have the provided risky permission, access type and status. The Query Filter will not return results if the permission is not risky. [ENG-20575]

    • Risky permissions can be found on Insights with the “riskypermissions” tag.
    • For example, if the Query Filter is used to find permission=iam:passrole, access_type=any, and status=used then it will only return cloud users and roles that have used the iam:passrole permission on any resource.

AZURE

  • Five new Query Filters were created to support Azure Template Specs [ENG-19263]:
    • Template Spec Contains Secret - Identifies templates for which the default value for parameters contains a secret.
    • Template Spec Includes/Excludes Regular Expressions (Regex) - Identifies templates that include/exclude singular or multiple regex expressions.
    • Template Spec Launches Resource Type - Identifies templates that launch a particular ICS/Divvy Resource type.
    • Template Spec with Multiple Versions - Identifies templates for which multiple versions exist.
    • Template Spec with Particular Resource Group - Identifies templates launching resources into a particular resource group.

MULTI-CLOUD/GENERAL

  • Resource With Recent Cloud Advisor Check Finding - New Query Filter identifies resources that are failing Cloud Advisor checks. [ENG-13478]

  • The following Query Filters can now work when examining Tasks [ENG-20933]:

    • Parent Resource Not In Resource Group
    • Parent Resource Contains Tag Key
    • Parent Resource Contains Tag Key/Value Pair
    • Resource Tag Does Not Mirror Parent
    • Resource Tag Mirrors Parent

Bot Actions (22.11.9)

  • “Mirror Resource Tags From Parent” - This Bot action can now work when examining Tasks as we have updated our Parent/Child relationships to include Task Definitions/Tasks. [ENG-20933]

Bug Fixes (22.11.9)

  • Fixed the Compliance Scorecard’s inability to render non-compliant Autoscaling Group resources due to issues with the resource_id field. Resource IDs for Autoscaling Groups are now consistently represented with a “|” between the resource group and resource name. [ENG-20982]

  • Fixed a problem with JIT provisioning using SAML where role changes for existing users, based on changes to group mappings, might fail. [ENG-20956]

  • Fixed a bug where AWS Storage Container Harvesters were failing due to a legacy region construct being returned by AWS. [ENG-20921]

  • Fixed an issue in the Threat Findings Harvester where findings with no remediation steps were causing harvesting to fail. [ENG-20896]

  • Fixed an error in the new Azure Source Backend implementation of the Network Endpoint Harvester where virtual networks without subnets were not harvested successfully. [ENG-20895]

  • Fixed an error in the Logic App Harvester where apps with no connections were not harvested successfully. [ENG-20893]

  • Fixed a bug where incorrect “affected_resource_id” and “affected_resource_type” were attached to a recommendation. [ENG-20786]

  • Added handling for a race condition that can occur when Big Data Serverless Workgroups are harvested before Big Data Serverless Namespaces. [ENG-20552]

  • Fixed an issue with light/dark mode behavior to work in conjunction with the OS system setting. [ENG-19964, ENG-20458]

  • Fixed an issue where an over-long container ID stored in the database prevented updates to container status after changes in the workload. [ENG-20417]

  • CosmosDB instances with IP Rules are no longer marked as public. [ENG-19460]