Nov 29, 2022
InsightCloudSec is pleased to announce Release 22.11.30
InsightCloudSec Software Release Notice - 22.11.30 Release
Our latest Release 22.11.30 is available for hosted customers on Wednesday, November 30, 2022. Availability for self-hosted customers is Thursday, December 1, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Important Release Announcements
Updated Insight Severities
In order to improve consistency within InsightCloudSec and to provide better overall alignment with Rapid7, our 22.11.16 release updated our Insight severities. The new severities align with several features including InsightVM, Kubernetes Guardrails, and Layered Context (currently in EAP). Refer to the Insights section of the 22.11.16 Release Notes for a list of the updated Insights.
IAM - Effective Access Table Recompute
Starting with our 22.11.16 release, we have included a bugfix for our IAM feature where the IAM_EffectiveAccess table was not properly cleaning up data for deleted resources, causing the table to grow without bound. This fix clears that table, forcing a recompute of Effective Access data, which should complete in under a day even for large customers.
Changes for Self-Hosted Customers and Images
For any customers referencing Dockerhub for your InsightCloudSec images (e.g., divvycloud/divvycloud:XX.Y.Z) or the public ECR location (public.ecr.aws/divvycloud/divvycloud), these repositories are no longer being updated (as of 22.11.2). They will remain available for downloading older versions. The new locations for InsightCloudSec images are public.ecr.aws/rapid7-insightcloudsec/ics/core and public.ecr.aws/rapid7-insightcloudsec/ics/edh-worker.
Release Highlights (22.11.30)
InsightCloudSec is pleased to announce Release 22.11.30. This release includes added support for AWS’ ACM Private Certificate Authority resource as well as added support for GCP’s Cloud CDN. For Azure, we have added the ability to store any Password Policies assigned to an Azure Cloud User account. For Alibaba Cloud accounts, we have added the ability to detect missing IAM permissions. This release includes a new NIST 800 171 Compliance Pack (containing 322 Insights) to align with the NIST 800-171 Rev 2 requirements. In addition, InsightCloudSec now supports a new Rapid7 Platform Login for InsightCloudSec users.
Release 22.11.30 also includes three new Insights, 12 updated Query Filters, 18 new Query Filters, two updated Bot actions, two new Bot actions, and 15 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
New Permissions Required (22.11.30)
New Permissions Required: AWS
For AWS Commercial and GovCloud Standard (Read-Only) Users: “acm-pca:GetPolicy”, “acm-pca:ListCertificateAuthorities”
The above permissions support the newly added resource AWS ACM Private Certificate Authorities. [ENG-20906]
Note: We recommend that our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found in the AWS IAM Policies documentation under “Standard User (Read-Only) AWS-managed supplemental policy”.
Features & Enhancements (22.11.30)
ALIBABA CLOUD
- We have added the ability to detect missing IAM permissions for Alibaba Cloud accounts. By clicking on the Visibility icon under Cloud Listings, users can view specific permissions, if any, that are missing from the account in order to harvest all resources and all resource properties. [ENG-21496]
AZURE
- Added a new field called “Password Policies” to the Cloud User type. This field stores any Password Policies assigned to an Azure Cloud User account. This change also includes a new Query Filter, “Cloud User with Set Password Policies”, and a new Insight, “Cloud User with Password Expiration Disabled”. [ENG-18461]
GCP
- We have expanded GCP support as follows:
- Expanded Query Filter “Private Image Exposed To Public” to work for GCP Private Images.
- Query Filter “Provider Secret Is/Is Not Exposed To Public” is now supported for GCP.
- Insight “Serverless Function Trusting Unknown Account” is now supported for GCP.
- Snapshot permissions for GCP should now harvest using the SnapshotPermissionHarvester.
- Added support for the following Query Filters for GCP Artifact Registries, Container Registries, Secrets, and Service Encryption Keys: “Resource Trusting Unknown Account”, “Resource Trusting Account Outside Of Allowed List”, “Resource Supporting Cross Account Access”, “Resource Trusting Unknown Account By Badge”.
- EDH support has been added for GCP Artifact Registries. [ENG-21451]
MULTI-CLOUD/GENERAL
New Rapid7 Platform Login for InsightCloudSec
- Updated the Rapid7 Platform to provide SaaS customers with the ability to log on to their InsightCloudSec platform through the Rapid7 Platform login. Refer to details in our documentation and reach out to your CSM or support with any questions. [ENG-18609]
Updates to Insights for “Risky Permissions”
- For Custom Insights created using the Query Filters “Identity Resource Usage of Risky Permissions” or “Identity Resource Allows Permission” together with the ‘riskypermissions’ tag set, the permissions named in the “Identity Resource Allows Permission” Query Filter are now also considered, and their used/unused status is returned. (Note: This only works if the account has LPA enabled.)
- For a newly created Custom Insight, expect a delay before the Query Filter returns results for the corresponding permissions, as the background job needs to process them during its next run. [ENG-20541]
User Interface Changes (22.11.30)
- The Principal Explorer view can now be accessed from Resources/Identity & Management/Cloud Role/scope via a new URL instead of opening in a modal. [ENG-20175]
Resources (22.11.30)
AWS
- Added support for “Source Documents” detail under Resources. For supported resources (currently select AWS Resource types) this additional detail provides raw data about the resource harvested directly from the CSP. Check out additional details (including what is currently supported) in the docs under the Resources page. [ENG-16261]
- Added visibility into AWS’ ACM Private Certificate Authority resource. ACM Private Certificate Authorities are shown in the tool as the new Resource type SSL Certificate Authority under the Identity & Management resource category. Two new Query Filters support this resource. New permissions are also required. [ENG-20906]
- New Query Filters supporting this resource: “Service Certificate Authority Security Standard”, “Service Certificate Authority State”
- New required permissions for AWS Commercial and GovCloud Standard (Read-Only) Users read-only policies: “acm-pca:GetPolicy”, “acm-pca:ListCertificateAuthorities”
- AWS EDH now supports SES, specifically the following events [ENG-17050]:
- ‘CreateConfigurationSet’,
- ‘CreateCustomVerificationEmailTemplate’,
- ‘CreateEmailIdentity’,
- ‘CreateEmailTemplate’,
- ‘DeleteConfigurationSet’,
- ‘DeleteCustomVerificationEmailTemplate’,
- ‘DeleteIdentity’,
- ‘DeleteTemplate’
- Added visibility into the AWS ARN for AWS ETL Data Catalog resources. [ENG-21584]
AZURE
- Added visibility into the Azure Logic App plan resource to see the plan type. [ENG-18132]
GCP
- We have added a new GCP resource, GCP Cloud CDN (Network category, Content Delivery Network resource type).
- We have updated the following Query Filters for Content Delivery Networks to now support GCP: “Content Delivery Network With Specified Security Policy”, “Content Delivery Network Not Using WAF”, “Content Delivery Network Using Specified WAF Rule”, “Content Delivery Network Not Requiring HTTPS”, “Content Delivery Network With Object Storage Origin”
- We have added a new Query Filter, “Content Delivery Network With Specific Origin Type”, for checking the origin type of a Cloud CDN.
- Five new fields have been added to the Content Delivery Network Resource: CDN Policy, Origin Type, and three resource ID fields for possible associated Storage Containers, Backend Services, and Web Application Firewalls.
- The permission “cloudasset.assets.listResource” supports this new capability; this permission is already needed for other GCP resources. [ENG-19606, ENG-21554]
Insights (22.11.30)
NIST 800 171 Compliance Pack
- This new Compliance Pack contains 322 Insights that align with the NIST 800-171 Rev 2 requirements. NIST 800-171 provides security requirements for controlled unclassified information in non-federal systems and organizations. [ENG-20018]
AZURE
- “Cloud User with Password Expiration Disabled” - New Insight identifies Azure cloud user accounts with Password Expiration disabled. This new Insight supports the added “Password Policies” field for the Cloud User type. This field stores any Password Policies assigned to an Azure Cloud User account. [ENG-18461]
MULTI-CLOUD/GENERAL
- “Serverless Function Configured With Deprecated Runtime” - New Insight identifies serverless functions that are configured to use a runtime that has been deprecated by the cloud provider. [ENG-14904]
- “Serverless Function Not Configured With Latest Runtime” - New Insight identifies serverless functions that are configured to use a runtime that is not the latest available from the cloud provider. [ENG-14904]
Query Filters (22.11.30)
AWS
- “Cloud User With Active Signing Certificate” - New Query Filter identifies Cloud users who have an active signing certificate. [ENG-15455]
- “Cloud User With Signing Certificate Threshold” - New Query Filter identifies a Cloud user or IAM role that has more than a specified percentage of unused permissions. [ENG-15455]
- “ML Instance Supports Minimum IMDS Version” - New Query Filter identifies machine learning instances that support a minimum version of IMDS (Instance Metadata Service). [ENG-21427]
- “Resource Violation Identified By IAM Access Analyzer” - New Query Filter identifies resources that have been flagged by AWS IAM Access Analyzer as having a specific violation type, with three options: public, cross account, or unknown account. [ENG-20826]
- Added three new Query Filters for ECS Task Definition resources; these Query Filters leverage their child container definitions [ENG-21302]:
- “Task Definition Container Definition Read-only Root File System Setting” - New Query Filter identifies ECS task definitions that have a container definition with read-only root file system disabled. Optionally, identifies ECS task definitions when the setting is enabled. Of note, only one container definition needs to match to return the ECS task definition.
- “Task Definition Container Definition Username” - New Query Filter identifies ECS task definitions that have a container definition specifying a given username.
- “Task Definition Container Definition With Elevated Privileges” - New Query Filter identifies ECS task definitions that have a container definition with elevated privileges. Optionally, identifies ECS task definitions without elevated privileges.
- “Transfer Server Security Policy” - New Query Filter identifies transfer servers configured with a specific security policy. This Query Filter supports expanded visibility into the protocols and security policies associated with AWS Transfer Family servers. [ENG-21494]
- “Transfer Server Supporting Specified Protocol” - New Query Filter identifies transfer servers configured to support a specific protocol. This Query Filter supports expanded visibility into the protocols and security policies associated with AWS Transfer Family servers. [ENG-21494]
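The three ECS Task Definition Query Filters above all reduce to inspecting each child container definition and flagging the task definition if any one container matches. As an added example (not code from the release notes or from InsightCloudSec), the Python below performs those three checks over a constructed task definition in the shape that aws ecs describe-task-definition returns. The sample task definition, the function names and the handling of an unset user field are assumptions made for this example.

```python
import json

# Constructed sample (not taken from the page). "web" is hardened; "sidecar" carries
# the settings the Query Filters look for.
SAMPLE_TASK_DEFINITION = {
    "family": "example-app",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "example/web:1.0",
            "user": "1000:1000",
            "readonlyRootFilesystem": True,
            "privileged": False,
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:1.0",
            # No "user": runs as the image's USER directive.
            # No "readonlyRootFilesystem": ECS defaults it to false.
            "privileged": True,
        },
    ],
}


def from_describe_output(doc):
    """Accept either a bare task definition or the {"taskDefinition": {...}}
    envelope produced by `aws ecs describe-task-definition`."""
    return doc.get("taskDefinition", doc)


def _containers(task_def):
    return task_def.get("containerDefinitions", [])


def writable_root_filesystem(task_def):
    """Containers whose root filesystem is writable. An absent key means false,
    so it is treated exactly like an explicit false."""
    return [c["name"] for c in _containers(task_def) if not c.get("readonlyRootFilesystem", False)]


def elevated_privileges(task_def):
    """Containers with privileged=true (equivalent to docker run --privileged)."""
    return [c["name"] for c in _containers(task_def) if c.get("privileged", False)]


def running_as(task_def, username):
    """Containers whose explicit 'user' field names `username`. The field may be
    'user', 'user:group', 'uid' or 'uid:gid'; only the part before ':' is compared.
    Containers with no 'user' are not returned: they run as the image's USER
    directive, which the task definition alone cannot resolve."""
    hits = []
    for c in _containers(task_def):
        user = c.get("user")
        if user is not None and user.split(":", 1)[0] == username:
            hits.append(c["name"])
    return hits


def unspecified_user(task_def):
    """Containers with no explicit user; worth reviewing, since many images default to root."""
    return [c["name"] for c in _containers(task_def) if "user" not in c]


def task_definition_matches(task_def, check, *args):
    """Query Filter semantics from the release notes: the task definition matches
    when at least one container definition matches."""
    return bool(check(task_def, *args))


def evaluate(task_def):
    """Summarise all three checks for one task definition."""
    return {
        "writable_root_filesystem": writable_root_filesystem(task_def),
        "elevated_privileges": elevated_privileges(task_def),
        "running_as_root": running_as(task_def, "root") + running_as(task_def, "0"),
        "unspecified_user": unspecified_user(task_def),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(from_describe_output(SAMPLE_TASK_DEFINITION)), indent=2))
```

To run the same checks against a live task definition, feed the JSON from aws ecs describe-task-definition --task-definition <family>:<revision> through from_describe_output first. Note the deliberate split between running_as and unspecified_user: a container with no user field is not reported as root, because the task definition does not say what the image's USER is, but it is listed separately so it is not silently treated as safe.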
AZURE
- “Cloud Account Legacy Activity Log Profile Not Configured for All Regions (Azure)” - This Query Filter was renamed from “Cloud Account Activity Log Profile Not Configured for All Regions (Azure)”, as this feature is now a legacy feature. [ENG-18167]
- “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)” - New Query Filter identifies cloud accounts which do not have an activity log diagnostic setting configured to export logs. [ENG-18167]
- Customers are advised to use the new Query Filter “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)” to check for the presence of log exporting. If they still use Log Profiles, they are advised to use a combination of both “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)” and “Cloud Account Legacy Activity Log Profile Not Configured for All Regions (Azure)”. [ENG-18167]
- “Cloud Users with Set Password Policies” - New Query Filter identifies Cloud Users with selected password policies. This new Query Filter supports the added “Password Policies” field for the Cloud User type. This field stores any Password Policies assigned to an Azure Cloud User account. [ENG-18461]
- “Database Instance Is Inaccessible” - New Query Filter checks for database instances that are currently inaccessible. [ENG-18124]
GCP
- “Access List Type” - Expanded this Query Filter to include a new option for GCP Firewalls. [ENG-21413]
- “Content Delivery Network With Specific Origin Type” - New Query Filter checks the origin type of a Cloud CDN. [ENG-19606, ENG-21554]
- We have updated the following Query Filters for Content Delivery Networks to now support GCP [ENG-19606, ENG-21554]: “Content Delivery Network With Specified Security Policy”, “Content Delivery Network Not Using WAF”, “Content Delivery Network Using Specified WAF Rule”, “Content Delivery Network Not Requiring HTTPS”, “Content Delivery Network With Object Storage Origin”
MULTI-CLOUD/GENERAL
- “Encryption Key In Use By Resource Type” - New Query Filter matches encryption keys that are used by a resource of a specific type. Note that an encryption key can be used by more than one resource type. [ENG-16444]
- Added two new Query Filters for customers to use with AWS/GCP Notebook Instances [ENG-21355]: “Machine Learning Instance Environment”, “Machine Learning Instance Environment Version”
- “Resource Vulnerability Count By Severity” - Query Filter renamed from “Resource Vulnerability Count” to be more descriptive and better aligned with other Query Filters. [ENG-21410]
- “Serverless Function Using/Not Using Deprecated Runtime” - New Query Filter identifies serverless functions that are using a deprecated runtime. Optionally, identifies serverless functions that are not using a deprecated runtime. [ENG-14904]
- “Serverless Function Using/Not Using Latest Runtime” - New Query Filter identifies serverless functions that are not using the latest available runtime from the cloud provider. Optionally, identifies serverless functions that are using the latest runtime. [ENG-14904]
- “Storage Container Logging/Not Logging To Specific Storage Container” - Updated Query Filter now includes the ability to search for the Regex within the bucket name. [ENG-20324]
- Added Container Instance to the supported resources for “Resource Is In Subnet” and “Resource Is In Network”. [ENG-13074]
- Added a ‘Not in’ option to the “Resource Orphaned” Query Filter to identify resources in use. This option is helpful when combined with other Query Filters, such as “Resource with Threat Finding by Regex”, to focus attention on the most relevant threat findings. [ENG-21477]
IAM (22.11.30)
AWS
- Expanded visibility into the protocols and security policies associated with AWS Transfer Family servers. We added supporting Query Filters “Transfer Server Supporting Specified Protocol” and “Transfer Server Security Policy”. [ENG-21494]
- Added search functionality to the AWS LPA CloudTrail sources table. [ENG-18627]
GCP
- Added a hyperlink in the Recommendation table to the affected resource. [ENG-19921]
- Added an action to the serviceuser and servicerole blade to apply all recommendations which affect that resource. [ENG-20047]
- Added harvesting and storage of the extra field “content” (i.e., the count of permissions) in the RecommendationFinding harvester. [ENG-21333]
Bot Actions (22.11.30)
AWS
- “Cleanup Resource Access Policy” - Bot action expanded to work with AWS Lambda functions. [ENG-21567]
- “Modify Database/Big Data Instance Attribute” - Bot action expanded to support two new RDS attributes and one new Redshift attribute, specifically:
- RDS: Enable/Disable Allow Major Version Upgrade (AWS RDS Only)
- RDS: Enable/Disable Allow Minor Version Upgrade (AWS RDS Only)
- Redshift: Enable/Disable Allow Version Upgrade (AWS Redshift Only) [ENG-21493]
- “Set Risky Permission Remediation Policy” - New Bot action evaluates the effective access for a given principal and adds an inline policy to the user or role which denies any of the “risky” permissions which are allowed for all resources. [ENG-18816]
GCP
- “Apply Recommendation” - New Bot action can be used to apply GCP recommendations. [ENG-19923]
Bug Fixes (22.11.30)
- Fixed an issue where Domain Viewers could not list harvesting strategies. [ENG-21561]
- Fixed an issue with EtlDataCatalog storing policies as strings instead of JSON. [ENG-21538]
- Fixed a display issue with newly added cloud accounts where it could take up to an hour for resource counts to display on the main Resources page. [ENG-21487]
- Updated Query Filters “Encryption Key Rotation Disabled” and “Encryption Key With Automatic Rotation Enabled/Disabled” to exclude keys that are in pending deletion/deleted states. [ENG-21478]
- Fixed an issue where the GCP DomainZoneHarvester was failing. [ENG-21475]
- Fixed an issue with Bot action “Remove Notification Topic Policy Public Permissions” that would cause all SNS Topic statements to be removed, causing an error when running this action. [ENG-21410]
- Improved visibility into encryption configuration for Azure Service Bus Namespace/Queue resources. [ENG-21365]
- Fixed the AzureArmIdentityDetailHarvester so that it no longer fails in the absence of the AuditLog.Read.All permission, which is only needed for a single value. [ENG-21354]
- Fixed a bug that prevented basic users from viewing resource details in the Compliance Report Card view. [ENG-21187]
- Fixed a bug that prevented users from being able to add an LPA Remediation Policy to a resource from the resources page. [ENG-21034]
- Fixed a bug where users would see a 500 error when opening the principal activity blade on a cloud user/role. The bug was caused by contention in the backend over a specific DB table. [ENG-20920]
- Fixed a parsing error when comparing log group ARNs. This edge case occurred when comparing log group ARNs containing “/” characters to a policy resource element with a log group pattern that might carry a trailing “:*” but still be equivalent for the purposes of effective access. Customers may see more log group results in the list of accessible resources in Identity Management. [ENG-20641]
- Removed the “Download” button in the Principal Activity blade for role service-linked-role. [ENG-19587]
- Bugfix: Removed the chip on text search within the principal activity blade. It overlapped the search box and is not needed, as only one search item is available at a time. [ENG-18269]
- Fixed an issue with the Azure legacy Activity Log Profile by creating a new Query Filter, “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)”. Customers are advised to use the new Query Filter “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)” to check for the presence of log exporting. If they still use Log Profiles, they are advised to use a combination of both “Cloud Account without Activity Log Diagnostic Setting Enabled (Azure)” and “Cloud Account Legacy Activity Log Profile Not Configured for All Regions (Azure)”. [ENG-18167]
- Updated the AzureArmDatabaseInstanceHarvest Job to skip firewall rule harvesting when the database is inaccessible. In addition, added a new Query Filter, “Database Instance Is Inaccessible”, to check for database instances that are currently inaccessible. [ENG-18124]
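Two items in this release come down to the same mechanics: matching IAM resource patterns against ARNs, then acting on the result. The “Set Risky Permission Remediation Policy” Bot action (Bot Actions, AWS) denies risky permissions that a principal is allowed on all resources, and the log group ARN bug fix [ENG-20641] concerns a log group ARN with and without a trailing “:*” being the same resource for effective-access purposes. The Python below is an added example, not InsightCloudSec’s code: it implements IAM wildcard matching, normalizes the trailing “:*” that CloudWatch Logs puts on log group ARNs so both spellings compare equal, finds which risky actions a constructed principal is allowed with Resource “*”, and builds an inline Deny policy for them. The risky-permission list, the sample Allow statements and every function name are assumptions for the example; the product’s actual ‘riskypermissions’ tag set is not reproduced on the page.

```python
import json
import re

# Constructed sample of "risky" actions (an assumption standing in for a tag set;
# not the product's list).
RISKY_PERMISSIONS = [
    "iam:CreateAccessKey",
    "iam:PassRole",
    "iam:PutUserPolicy",
    "lambda:UpdateFunctionCode",
    "sts:AssumeRole",
]

# Constructed sample: one principal's Allow statements. This example assumes any
# Deny statements, permission boundaries and SCPs have already been folded in,
# i.e. this is the principal's effective access.
SAMPLE_ALLOW_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:billing-*"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "sts:AssumeRole"], "Resource": ["*"]},
]


def iam_pattern_matches(pattern, value, ignore_case=False):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


_LOG_GROUP_ARN = re.compile(r"^arn:[^:]+:logs:[^:]*:[^:]*:log-group:")


def normalize_resource(arn_or_pattern):
    """CloudWatch Logs reports log group ARNs with a trailing ':*', while policies
    may name the same log group without it. Strip the suffix on log group ARNs
    only, so the two spellings compare equal; other services are left untouched."""
    if _LOG_GROUP_ARN.match(arn_or_pattern) and arn_or_pattern.endswith(":*"):
        return arn_or_pattern[:-2]
    return arn_or_pattern


def resource_matches(pattern, arn):
    """Does a policy Resource pattern cover a concrete ARN (after normalization)?"""
    return iam_pattern_matches(normalize_resource(pattern), normalize_resource(arn))


def allowed_on_all_resources(statements, action):
    """True if some Allow statement grants `action` with Resource "*"."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(iam_pattern_matches(a, action, ignore_case=True) for a in actions):
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def build_risky_deny_policy(statements, risky_permissions=RISKY_PERMISSIONS):
    """Inline policy denying every risky permission the principal holds on all
    resources, or None when nothing needs denying. An explicit Deny overrides
    any Allow in IAM, so attaching this as an inline policy closes the gap
    without editing the policies that granted it."""
    to_deny = sorted(p for p in risky_permissions if allowed_on_all_resources(statements, p))
    if not to_deny:
        return None
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyRiskyPermissions", "Effect": "Deny", "Action": to_deny, "Resource": "*"}
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_risky_deny_policy(SAMPLE_ALLOW_STATEMENTS), indent=2))
```

For the sample principal the output denies iam:CreateAccessKey, iam:PassRole, iam:PutUserPolicy and sts:AssumeRole; lambda:UpdateFunctionCode is left alone because it is only allowed on one function ARN, which mirrors the action’s “allowed for all resources” scope. The resulting document can be attached with aws iam put-user-policy (or put-role-policy) using --policy-document file://policy.json. The log group normalization is the reason the fix above surfaces more accessible log groups: without it, arn:…:log-group:/aws/lambda/fn and arn:…:log-group:/aws/lambda/fn:* would fail to match each other.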