
Nov 15, 2022

InsightCloudSec is pleased to announce Release 22.11.16

InsightCloudSec Software Release Notice - 22.11.16 Release

Our latest Release 22.11.16 is available for hosted customers on Wednesday, November 16, 2022. Availability for self-hosted customers is Thursday, November 17, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Self-Hosted Customers Who Have Not Yet Upgraded to 22.11.2: Schema Update Requiring UI Downtime

Releases issued after 22.10.26 require a schema update to a frequently used database table. As a result, for customers who have not yet updated from 22.10.26, acquiring the necessary lock on this table can be difficult while users are logged into the tool. To prevent table contention, we recommend scaling the interfaceserver tasks down to zero prior to performing the upgrade. Once the scheduler and/or worker tasks indicate that the schema update was successful, the interfaceserver tasks can be scaled back up to pre-upgrade levels. Please contact us through our Customer Support Portal if you have questions.

⚠️

Important Release Announcements

Updated Insight Severities

In order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, this release contains updated Insight severities. Our new severities align with several features including InsightVM, Kubernetes Guardrails, and Layered Context (currently in EAP). This release (22.11.16) contains the updated Insights; refer to the Insights section below for a recap of the impacted Insights and additional details.

IAM - Effective Access Table Recompute

This release includes a bugfix for our IAM feature where the IAM_EffectiveAccess table was not properly cleaning up data for deleted resources, causing the table to grow without bound. This release clears that table, forcing a recompute of Effective Access data, which should complete in under a day even for large customers.

No Release for 22.11.23

As next week includes the US Thanksgiving holiday(s), we will not be providing a formal release for the week of 22.11.23. SaaS or self-hosted customers may have minor bug fixes applied via a hotfix, but any formal release will be held until the following week’s release on 22.11.30 for both SaaS and self-hosted customers. Reach out to your CSM or InsightCloudSec support with questions or concerns.

Changes for Self-Hosted Customers and Images

For any customers referencing Dockerhub for your InsightCloudSec images (e.g., divvycloud/divvycloud:XX.Y.Z) or the public ECR location public.ecr.aws/divvycloud/divvycloud: these repositories are no longer being updated (as of 22.11.2). They will remain available for downloading older versions. The new locations for InsightCloudSec images are public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.

Release Highlights (22.11.16)

InsightCloudSec is pleased to announce Release 22.11.16. This release includes added support and visibility for two resources: AWS Aurora Global Database and Oracle Cloud’s SSL Certificate. 22.11.16 provides updates to our Insight Severities, announced in the callout above and detailed under the Insights section below. Updates to our coverage also include thirteen new Insights as part of our expanded GCP CIS Compliance Pack. This release adds an Infrastructure as Code upgrade with a user interface overhaul and an update to the IaC CLI Scanning Tool (mimics). We have also improved our Identity capability by incorporating trust relationships into our overall IAM analysis. In total, 22.11.16 includes 16 new Insights, three updated Query Filters, two new Query Filters, eleven bug fixes, and one significant update for Access Explorer.

New Permissions (22.11.16)

⚠️

New Permission Required: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users: “rds:DescribeGlobalClusters”

The above permission supports the newly added AWS resource Aurora Global Database. [ENG-20281]

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

⚠️

New Permission Required: Oracle Cloud Infrastructure

“Allow group InsightCloudSec to read certificate-authority-family in tenancy”

This permission is required to support the newly added OCI SSL Certificate visibility. Refer to the Configuring Oracle Cloud Infrastructure (OCI) page for details on required policies. [ENG-21158]

Features & Enhancements (22.11.16)

IaC

  • The Infrastructure as Code feature in InsightCloudSec has been upgraded with a user interface overhaul and an update to the IaC CLI Scanning Tool (mimics). However, on-demand scans have been deprecated and are no longer available in the user interface. Review the Getting Started with IaC Security documentation for details.

AWS

  • We have added a new property to Task Definitions called contains_secret. It is a boolean that denotes whether the task definition has a secret in its environment variables. In addition, we have added a new Insight called Task Definition with Secret in Environment Variables that uses the Query Filter Resource With Clear Text Secret which now supports Task Definitions. [ENG-21112]
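The following is an added example, not InsightCloudSec code, that shows the kind of check the contains_secret property and the Task Definition with Secret in Environment Variables Insight perform: it walks a constructed ECS task definition and flags environment variables whose name or value looks like a credential, while leaving the "secrets" block (values referenced by ARN rather than embedded) alone. The task definition, the name patterns and the access-key-ID pattern are assumptions for this example.

```python
import json
import re
from typing import Dict, List

# Constructed sample ECS task definition (not real data). Values under
# "secrets" are references (ARNs) and are the supported way to pass sensitive
# data; values under "environment" are stored in clear text.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "payments-api",
  "containerDefinitions": [
    {
      "name": "api",
      "environment": [
        {"name": "LOG_LEVEL", "value": "info"},
        {"name": "DB_PASSWORD", "value": "constructed-password"},
        {"name": "ACCESS_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
      ],
      "secrets": [
        {"name": "API_TOKEN", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-token"}
      ]
    },
    {
      "name": "sidecar",
      "environment": [
        {"name": "REGION", "value": "us-east-1"}
      ]
    }
  ]
}
""")

# Heuristics (assumptions for this example): variable names that commonly
# carry credentials, and values shaped like an AWS access key ID.
SENSITIVE_NAME = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def find_clear_text_secrets(task_definition: Dict) -> List[Dict[str, str]]:
    """Return (container, variable) pairs whose clear-text value looks sensitive."""
    findings = []
    for container in task_definition.get("containerDefinitions", []):
        for var in container.get("environment", []):
            name, value = var.get("name", ""), var.get("value", "")
            if not value:
                continue  # empty values carry nothing
            if SENSITIVE_NAME.search(name) or AWS_ACCESS_KEY_ID.search(value):
                findings.append({"container": container["name"], "variable": name})
    return findings


def contains_secret(task_definition: Dict) -> bool:
    """Boolean analogue of the contains_secret property described above."""
    return bool(find_clear_text_secrets(task_definition))


if __name__ == "__main__":
    for finding in find_clear_text_secrets(SAMPLE_TASK_DEFINITION):
        print(f"{finding['container']}: {finding['variable']} is a clear-text secret")
```

Name-based matching catches the common cases cheaply; the value pattern catches credentials hidden behind innocuous names. Anything flagged should move to the "secrets" block (Secrets Manager or Parameter Store reference), which is the remediation the Insight points to.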

AZURE

  • Updated our Azure Message Queue data model to store the minimum TLS version configured on Azure Service Bus resources and update its transit encryption property. [ENG-21189]

MULTI-CLOUD/GENERAL

  • We have improved the efficiency of BotFactory filtering when evaluating hookpoints of linked resource types. For example, when evaluating whether a resource is exposing a port to the public, BotFactory does not examine the resource, but the resource’s connected Resource Access Lists. The update greatly improves the speed with which BotFactory can perform its evaluation and subsequent action. [ENG-21131]

  • In addition to tag visibility for Build Projects, we have added tagging support (add/delete). [ENG-21068]

  • We have updated our InactiveUser scan to also consider a user’s API activity. If a user is active via API, then that user will not be removed as inactive. [ENG-21156]

  • We have re-prioritized async downloads so that they are still worked on asynchronously, yet worked on first. [ENG-21266]

User Interface Changes (22.11.16)

We have made UI updates in the Compliance Scorecard [ENG-20216]:

  • The Last Modified By column was dropped because it is only a construct in Email subscriptions.

  • A new last_run column has been added to ComplianceExports so we can populate the Last Run column in the UI. Note that this will not populate retroactively and won’t have a value set until the next scheduled/on-demand run.

  • The error message is included in the error message tooltip instead of a static string.

  • Going forward, user information is stored when creating compliance exports (S3). User information for pre-existing compliance exports (S3) is added if the information is available via ApiActivity.

Resources (22.11.16)

AWS

  • We are adding Aurora Global Database support. The initial support is visibility only and will be expanded subsequently with Query Filter and Insight support. A new permission, “rds:DescribeGlobalClusters”, is required for both AWS commercial and AWS GovCloud read-only users. The new resource can be found as Aurora Global Database, under the Storage category, Spanner resource type. [ENG-20281]

  • We have added a new property to Private Images called IMDS Support. It tracks whether the image supports AWS’s Instance Metadata Service V2 security enhancement. In addition, we have added two Query Filters and two Insights named Private Image Instance Metadata Service Version 2 Support and Resource with Image Missing IMDS Support. These Query Filters and Insights find 1) images without IMDSv2 support and 2) resources (instances, autoscaling launch configurations, and launch templates) that use images without IMDSv2 support. [ENG-20250]

  • We have enabled harvesting by default in regions where AWS has expanded regional support for Redshift Serverless and EKS. Additional information can be found in the following references [ENG-21132]:

ORACLE CLOUD

Added support for SSL Certificate visibility to Oracle Cloud Infrastructure (found under Identity & Management > SSL Certificate). A new permission is required: “Allow group InsightCloudSec to read certificate-authority-family in tenancy”. This support also updates the following Insights and Query Filters [ENG-21158]:

  • Insights:

    • SSL Certificate Expired
    • SSL Certificate Set to Expire in 14 Days
    • SSL Certificate Set to Expire in 7 Days
  • Query Filters

    • SSL Certificate Expiring Soon
    • SSL Certificate Creation Date
    • SSL Certificate Type
    • SSL Certificate Key Algorithm
    • SSL Certificate Duration Exceeds Threshold
    • SSL Certificate Status

Insights (22.11.16)

Insight Severity

As a reminder, in order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, we have updated our Insight severities. Our new severities align with several features, including InsightVM, Kubernetes Guardrails, and Layered Context.

We do not expect customers to be impacted by the Insight severity changes. The following API endpoints use only the number tied to each severity, and those numbers remain the same:

The only changes are the names of the severity titles, as follows:

Current Severity Number | Current Severity Name | New Severity Number | New Severity Name
1 | Minor    | 1 | Info
2 | Moderate | 2 | Low
3 | Major    | 3 | Medium
4 | Severe   | 4 | High
5 | Critical | 5 | Critical

If you have any questions about the change, please reach out and we will answer as soon as possible.

AWS

  • Private Image Instance Metadata Service Version 2 Support - New Insight identifies private images that do not support IMDSv2. [ENG-20250]

  • Resource with Image Missing IMDS Support - New Insight identifies instances, autoscaling launch configurations, and launch templates that use a private image that does not support IMDS Version 2. [ENG-20250]

  • Task Definition with Secret in Environment Variables - New Insight identifies task definitions that may contain sensitive data embedded in their environment variables. [ENG-21112]

GCP

We have updated our coverage to add 13 new Insights (listed below) that map to CIS Benchmarks and expand our CIS GCP 1.3.0 coverage. The new Insights are as follows:

  • Cloud User Assigned Service Account User/Service Account Token Creator Permissions
  • API Keys Not Rotated Within 90 Days
  • Cloud User Assigned Service Account User/Service Account Admin Permissions
  • Cloud User Without KMS Separation of Duties
  • Cloud Account With Cloud API Credentials Configured
  • Cloud Credential Accessible To Public
  • Cloud Credential Without Application Restrictions
  • Cloud Credential Not Rotated Within 90 Days
  • Storage Container Used for Exporting Logs Are Configured Without Bucket Lock
  • Instance Configured to Use Default Service Account With Full API Access
  • Database Instance Flag ‘cloudsql.enable_pgaudit’ Disabled
  • Database Instance Flag ‘user options’ Enabled
  • Cloud Dataset With Tables Not Configured To Use CMEK

[ENG-17174]

Standardized Naming of Compliance Packs

We have standardized the naming of our Insight Compliance Packs to shorter names, e.g., CIS - AWS 1.5.0, to ease reading within lists and dropdown selection boxes. The Pack descriptions generally contain full names, e.g., Contains Insights which apply to the Center for Internet Security benchmark for AWS (Revision 1.5.0), to make discovery and selection easier. Refer to the documentation on Compliance Packs for details and a revised image of the updated page. [ENG-21136]

Query Filters (22.11.16)

AWS

  • Private Image Instance Metadata Service Version 2 Support - New Query Filter identifies private images that do not support IMDSv2. Optionally, identifies private images that do support IMDSv2. [ENG-20250]

  • Private Image Purchased Through Marketplace - Updated Query Filter to examine private images. [ENG-21063]

  • Resource Image IMDSv2 Support - New Query Filter identifies instances, autoscaling launch configurations, and launch templates that use a private image that does not support IMDSv2. Optionally, identifies resources that use a private image that does support IMDSv2. IMPORTANT: Resources that use a public image or a deregistered (deleted) private image are not inspected. [ENG-20250]

  • Resource With Clear Text Secret - Upgraded Query Filter now supports Task Definitions. [ENG-21112]
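The following added example (not InsightCloudSec code) models the two IMDSv2 Query Filters above, Private Image Instance Metadata Service Version 2 Support and Resource Image IMDSv2 Support, over constructed inventory data. The image records mirror the ImdsSupport attribute that EC2 DescribeImages returns for AMIs registered with IMDSv2 required ("v2.0"); the resource records, the optional "supports" toggle and the treatment of public and deregistered images as "not inspected" are assumptions made here to match the filter descriptions.

```python
from typing import Dict, List

# Constructed sample AMI inventory (not from a real account). "ImdsSupport"
# is present with value "v2.0" only on images registered as IMDSv2-required.
IMAGES = [
    {"ImageId": "ami-0000000000000001", "Public": False, "ImdsSupport": "v2.0"},
    {"ImageId": "ami-0000000000000002", "Public": False},
    {"ImageId": "ami-0000000000000003", "Public": True},
]

# Constructed resources that reference an image: instances, autoscaling
# launch configurations and launch templates.
RESOURCES = [
    {"type": "instance", "id": "i-0aaa", "image_id": "ami-0000000000000001"},
    {"type": "instance", "id": "i-0bbb", "image_id": "ami-0000000000000002"},
    {"type": "launch_template", "id": "lt-0ccc", "image_id": "ami-0000000000000002"},
    {"type": "launch_configuration", "id": "lc-0ddd", "image_id": "ami-0000000000000003"},  # public image
    {"type": "instance", "id": "i-0eee", "image_id": "ami-0000000000000009"},  # not in inventory (deregistered)
]


def image_supports_imdsv2(image: Dict) -> bool:
    """True when the AMI was registered with IMDSv2 required."""
    return image.get("ImdsSupport") == "v2.0"


def private_images_by_imdsv2_support(images: List[Dict], supports: bool = False) -> List[str]:
    """Private images lacking IMDSv2 support (default), or supporting it when supports=True.
    Public images are outside the scope of this filter."""
    return [
        img["ImageId"]
        for img in images
        if not img.get("Public", False) and image_supports_imdsv2(img) == supports
    ]


def resources_by_image_imdsv2_support(resources: List[Dict], images: List[Dict], supports: bool = False) -> List[str]:
    """Resources whose private image lacks IMDSv2 support (default) or has it (supports=True).
    Resources on a public image or a deregistered image are skipped, not reported."""
    index = {img["ImageId"]: img for img in images}
    matches = []
    for res in resources:
        image = index.get(res["image_id"])
        if image is None or image.get("Public", False):
            continue  # not inspected: nothing can be said about the image's IMDS setting
        if image_supports_imdsv2(image) == supports:
            matches.append(res["id"])
    return matches


if __name__ == "__main__":
    print("images without IMDSv2:", private_images_by_imdsv2_support(IMAGES))
    print("resources on images without IMDSv2:", resources_by_image_imdsv2_support(RESOURCES, IMAGES))
```

Note the skip rule: a resource on a public or deregistered image is absent from both the "does not support" and the "does support" result sets, so a clean report from the filter is not the same as proof that every resource enforces IMDSv2.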

AZURE

  • Message Queue Type - Updated Query Filter includes filtering for standard Azure queues. [ENG-21228]

MULTI-CLOUD/GENERAL

  • Storage Container Without Default Server Side Encryption - Updated Query Filter allows for AES-256 or KMS/Key vault to be specified for more granular filtering. [ENG-21191]

IAM (22.11.16)

  • We have added trust policies to effective access calculations for all IAM features; this analysis provides significant value within our Identity capability. Users should expect to see additional visibility into resources which are accessible by Principals. This visibility is available through our recently launched IAM query filters and, for licensed customers, through Access Explorer. [ENG-20857]

    • For Access Explorer users, expect to see many more accessible resources listed when they select “IAM Role” in the “Resources” section.

    • For IAM users outside of the Access Explorer, you can view the effects of this change using the (existing) Query Filter Identity Resource With Effective Access To Resources with the value of any role ARN. Users may also use the select menu to narrow to Write actions. This will highlight actions that roles and users can take against other roles, including sts:assumerole and sts:assumerolewithsaml.

Bug Fixes (22.11.16)

  • Fixed a bug where the IAM_EffectiveAccess table was not properly cleaning up data for delete resources, causing the table to grow infinitely. This release clears that table, forcing a recompute for Effective Access data, which should complete in under a day for even large customers. [ENG-21317]

  • Fixed issue during Azure Organization onboarding where a missing Microsoft.Management/managementGroups/read permission isn’t properly raised in the job. Users can view the status of the AzureOrganizationHarvest job in System Administration > Background Jobs > Search: AzureOrganizationHarvest. [ENG-21269]

  • Fixed an issue with the https://docs.divvycloud.com/reference/detach-policy endpoint in which the policy was failing to be removed from a role. [ENG-21256]

  • Updated our TLS property information for AWS database instances to include examination of system default values for non-SQL Server engine types. Earlier versions of the default parameter groups had those settings “off”, so TLS could be assumed to be unenforced. [ENG-21174]

  • Fixed a bug involving AzureArmIdentityDetailHarvester wiping the permissions portion from the document associated with ServicePolicyDocuments (for a certain configuration). [ENG-21142]

  • Improved error handling in AzureArmIdentityDetailHarvester. [ENG-21095]

  • Updated the Create/Update Jira Issue (With CSV attachment) action to ensure that the Jira ticket assignee is set properly. [ENG-20964]

  • Updated Splunk Event to ensure that valid JSON stays valid before it’s sent over to Splunk. [ENG-20753]

  • Fixed a bug that allowed Organization Admins to edit, create, or delete global authentication servers. Maintaining group mappings for JIT, within the admin’s organization is still supported. [ENG-20285]

  • Fixed an issue with Azure Public IPs Linked to Firewall reported as Orphaned. NetworkFirewallRules will be re-harvested the next time the NetworkFirewallHarvester runs. [ENG-18777]

  • Fixed an issue where the CloudMetaDataHarvester was failing for GCP projects and not harvesting metrics and alert policies. [ENG-18660]

  • Fixed an issue with duplication of Azure key vault certificates also stored as secrets. [ENG-12967]

Access Explorer (Cloud IAM Governance) (22.11.16)

The following updates are related to enhancements and bug fixes for our Cloud IAM Governance (Access Explorer) capabilities.

Contact us at Customer Support Portal with any questions.

Cloud IAM Governance Features & Enhancements (22.11.16)

  • We have added trust policies to effective access calculations for all IAM features; this analysis provides significant value within our Identity capability. Users should expect to see additional visibility into resources which are accessible by Principals. This visibility is available through our recently launched IAM query filters and, for licensed customers, through Access Explorer. [ENG-20857]

    • For Access Explorer users, expect to see many more accessible resources listed when they select “IAM Role” in the “Resources” section.

    • For IAM users outside of the Access Explorer, you can view the effects of this change using the (existing) Query Filter Identity Resource With Effective Access To Resources with the value of any role ARN. Users may also use the select menu to narrow to Write actions. This will highlight actions that roles and users can take against other roles, including sts:assumerole and sts:assumerolewithsaml.
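To illustrate what folding trust policies into effective access means (for the IAM item above and its repeat in the IAM section), here is an added example that is not InsightCloudSec code: it reads constructed AssumeRolePolicyDocument trust policies, extracts which principals each role trusts for sts:AssumeRole / sts:AssumeRoleWithSAML, and then follows role chaining transitively to list every role a given principal can reach. The role set, account ID and matching rules are assumptions for this example; it deliberately ignores Condition blocks, Deny statements and the principal's own identity policy, so it reports potential reachability, not a full authorization decision.

```python
import fnmatch
from typing import Dict, Set

ACCOUNT = "123456789012"  # constructed account ID

# Constructed trust policies keyed by role ARN (not real data).
ROLES: Dict[str, Dict] = {
    f"arn:aws:iam::{ACCOUNT}:role/Deploy": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/alice"},
            "Action": "sts:AssumeRole",
        }]
    },
    f"arn:aws:iam::{ACCOUNT}:role/Admin": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/Deploy"},  # role chaining
            "Action": ["sts:AssumeRole"],
        }]
    },
    f"arn:aws:iam::{ACCOUNT}:role/SAMLReaders": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:saml-provider/corp"},
            "Action": "sts:AssumeRoleWithSAML",
        }]
    },
}

ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy: Dict) -> Set[str]:
    """Principals named in Allow statements that grant an assume-role action.
    Simplification: Condition blocks and Deny statements are ignored."""
    principals: Set[str] = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not (actions & ASSUME_ACTIONS or "sts:*" in actions or "*" in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        for key in ("AWS", "Federated"):
            for p in _as_list(principal.get(key)):
                if p.isdigit():  # bare account ID is shorthand for the account root
                    p = f"arn:aws:iam::{p}:root"
                principals.add(p)
    return principals


def _matches(principal_arn: str, trusted: str) -> bool:
    """Does a trusted-principal entry cover this principal ARN?"""
    if trusted == "*":
        return True
    if trusted.endswith(":root"):
        # Account-root trust delegates to that account's identity policies;
        # treated here as "any principal in that account" (upper bound).
        return principal_arn.split(":")[4] == trusted.split(":")[4]
    return fnmatch.fnmatchcase(principal_arn, trusted)


def roles_assumable_by(principal_arn: str, roles: Dict[str, Dict]) -> Set[str]:
    """Roles reachable from a principal, following role chaining transitively."""
    reachable: Set[str] = set()
    frontier = {principal_arn}
    while frontier:
        current = frontier.pop()
        for role_arn, policy in roles.items():
            if role_arn in reachable:
                continue
            if any(_matches(current, t) for t in trusted_principals(policy)):
                reachable.add(role_arn)
                frontier.add(role_arn)  # the assumed role may itself be trusted elsewhere
    return reachable


if __name__ == "__main__":
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"
    for role in sorted(roles_assumable_by(alice, ROLES)):
        print(f"{alice} can reach {role}")
```

The two-hop result for alice (Deploy, then Admin via Deploy's trust) is exactly the kind of Write-action relationship the Identity Resource With Effective Access To Resources filter surfaces when narrowed to sts:assumerole; reviewing trust policies one role at a time would miss it.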