Dec 06, 2022
InsightCloudSec is pleased to announce Release 22.12.7
InsightCloudSec Software Release Notice - 22.12.7 Release
Release Highlights (22.12.7)
InsightCloudSec is pleased to announce Release 22.12.7. This release includes significant resource enhancements and expanded support related to last week’s AWS re:Invent; those details are summarized under Features and Enhancements below. We have added support for a new Azure resource, Azure’s Service Fabric Cluster, in response to the vulnerability CVE-2022-30137. For GCP we have added support for GCP Cloud Data Loss Prevention (DLP) Inspection Jobs.
In addition, 22.12.7 includes four new Insights, four updated Query Filters, 15 new Query Filters, and six bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (22.12.7)
Release availability for self-hosted customers is Thursday, December 8, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Terraform Templates
Our latest Terraform template (static files and modules) can be found here.
- Modules can be updated with the terraform get -update command.
P3 Workers
The P3 workload/service is now enabled by default. The following files have been updated to support this change:
- MODULES: modules/aws/divvy_server/variables.tf (line 57)
- STATIC: variables.tf (line 246)
Auto-Scaling
Auto-scaling is now the default behavior for this workload/service. The following files have been updated to support this change:
- MODULES: modules/aws/autoscale/main.tf (lines 90-183); modules/aws/autoscale/variables.tf (lines 33-55); modules/aws/divvy_server/fargate.tf (lines 335-408); modules/aws/divvy_server/variables.tf (lines 156-159, 497-499)
- STATIC: main.tf (lines 216, 336, 339, 342-343); variables.tf (lines 721-728)
New Permissions Required (22.12.7)
New Permissions Required: AWS
For AWS Commercial Standard (Read-Only) Users: “aoss:BatchGetCollection”, “aoss:GetSecurityPolicy”, “aoss:ListCollections”, “aoss:ListSecurityPolicies”, “docdb-elastic:GetCluster”, “docdb-elastic:ListClusters”, “oam:GetSinkPolicy”, “oam:ListLinks”, “oam:ListSinks”, “s3:GetMultiRegionAccessPointPolicy”, “s3:GetMultiRegionAccessPointPolicyStatus”, “s3:ListMultiRegionAccessPoints”, “ssm:GetParameter”
For AWS Commercial Power Users: “aoss:*”, “docdb-elastic:*”, “oam:*”
For Supplemental Policy to AWS-Managed Commercial Standard (Read-Only) User Policy: “aoss:BatchGetCollection”, “aoss:GetSecurityPolicy”, “aoss:ListCollections”, “aoss:ListSecurityPolicies”, “docdb-elastic:GetCluster”, “docdb-elastic:ListClusters”, “oam:GetSinkPolicy”, “oam:ListLinks”, “oam:ListSinks”
These permissions support the added visibility into Amazon OpenSearch Serverless, AWS DocumentDB Elastic Clusters, AWS CloudWatch Observability, and AWS Multi-Region S3 Access Points. [ENG-21710, ENG-21798, ENG-21795, ENG-21772, ENG-21887]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
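Before upgrading a self-hosted deployment it is worth confirming that the role InsightCloudSec assumes actually grants the actions listed above. The following script is an added example, not InsightCloudSec code: it evaluates IAM policy documents offline against the Standard (Read-Only) action list from this notice, honouring Allow/Deny, NotAction and IAM-style wildcards (so a Power User’s “aoss:*” covers the four aoss actions). Resource and Condition elements are ignored, which is fine for these List/Get calls but is not a full IAM evaluation; the sample policies are constructed for the example and the AWS managed ReadOnlyAccess policy is far larger than the stand-in shown here.

```python
"""Report which of the 22.12.7 required actions a set of IAM policies does not grant.

Added example, not InsightCloudSec's own code. Simplifications: Resource and
Condition are ignored, and only Allow/Deny with Action/NotAction are evaluated.
"""
import fnmatch

# Actions named for AWS Commercial Standard (Read-Only) users in 22.12.7.
REQUIRED_READ_ONLY_ACTIONS = [
    "aoss:BatchGetCollection", "aoss:GetSecurityPolicy",
    "aoss:ListCollections", "aoss:ListSecurityPolicies",
    "docdb-elastic:GetCluster", "docdb-elastic:ListClusters",
    "oam:GetSinkPolicy", "oam:ListLinks", "oam:ListSinks",
    "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus",
    "s3:ListMultiRegionAccessPoints",
    "ssm:GetParameter",
]


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers(statement, action):
    """True when the statement's Action (or the complement of NotAction) matches `action`.

    IAM action matching is case-insensitive and supports the wildcards * and ?,
    which fnmatch implements for these strings.
    """
    target = action.lower()
    if "Action" in statement:
        patterns = [p.lower() for p in _as_list(statement["Action"])]
        return any(fnmatch.fnmatchcase(target, p) for p in patterns)
    if "NotAction" in statement:
        patterns = [p.lower() for p in _as_list(statement["NotAction"])]
        return not any(fnmatch.fnmatchcase(target, p) for p in patterns)
    return False


def missing_actions(policy_documents, required=REQUIRED_READ_ONLY_ACTIONS):
    """Return required actions that are not allowed, or are explicitly denied, by the policies."""
    statements = [s for doc in policy_documents for s in _as_list(doc.get("Statement"))]
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in statements)
        if denied or not allowed:  # an explicit Deny always wins in IAM
            missing.append(action)
    return missing


# Constructed sample: a pre-22.12.7 read-only policy (stand-in for the much larger
# AWS managed ReadOnlyAccess policy) and the supplemental policy from this notice.
LEGACY_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "ssm:Describe*"],
                   "Resource": "*"}],
}
SUPPLEMENTAL_22_12_7 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aoss:BatchGetCollection", "aoss:GetSecurityPolicy",
                              "aoss:ListCollections", "aoss:ListSecurityPolicies",
                              "docdb-elastic:GetCluster", "docdb-elastic:ListClusters",
                              "oam:GetSinkPolicy", "oam:ListLinks", "oam:ListSinks"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for label, docs in [("legacy only", [LEGACY_READ_ONLY]),
                        ("legacy + supplemental", [LEGACY_READ_ONLY, SUPPLEMENTAL_22_12_7])]:
        print(f"{label}: missing {missing_actions(docs)}")
```

With the two sample documents the only gap reported is ssm:GetParameter, which the supplemental policy in this notice does not include; that matches the permission lists above, where ssm:GetParameter appears for Standard users but not in the supplemental policy.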
New Permission Required: Azure
The following new permission is required for Azure: “Microsoft.ServiceFabric/clusters/read”
This permission supports the harvesting of Azure’s Service Fabric Cluster, added in response to the vulnerability CVE-2022-30137. [ENG-18645]
New Permission Required: GCP
The following new permission is required for GCP: “dlp.jobs.list”
This addition supports the added visibility into GCP Cloud Data Loss Prevention (DLP) Inspection Jobs. This permission is found in the Cloud Data Loss Prevention (DLP) API. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-20254]
Resource Enhancements in Response to AWS re:Invent 2022
- We are now harvesting vulnerability findings for AWS Lambda Functions and Layers via Inspector2. [ENG-21683]
- We have added visibility into a new AWS preview service, Amazon OpenSearch Serverless, which supports running search and analytics workloads without managing clusters. This preview service was announced on Day Two at re:Invent 2022.
  - New permissions are required for access to this preview service: “aoss:BatchGetCollection”, “aoss:GetSecurityPolicy”, “aoss:ListCollections”, and “aoss:ListSecurityPolicies”.
  - A new Insight, Elasticsearch Serverless Collection Exposed to Public, identifies Elasticsearch serverless collections exposed to the public based on their use of the public networking type.
  - A new Query Filter, Elasticsearch Serverless Collection Networking Type, identifies Elasticsearch serverless collections based on their networking type.
  - This new service can be found in the Compute resource category under the new resource type Elastic Serverless Collection. [ENG-21710]
- Added visibility, tag, and delete lifecycle support for AWS DocumentDB Elastic Clusters (Storage category, new resource type Elastic Cluster). These were just announced at re:Invent last Wednesday. New permissions required: “docdb-elastic:GetCluster” and “docdb-elastic:ListClusters”. [ENG-21798]
- Added visibility and lifecycle support for AWS Multi-Region S3 Access Points (Storage resource category, new resource type Cloud Global Access Point). We’ve also added a new Query Filter, Cloud Global Access Point Allows Access From World, to support this resource. This new resource requires the following new permissions: “s3:GetMultiRegionAccessPointPolicy”, “s3:GetMultiRegionAccessPointPolicyStatus”, and “s3:ListMultiRegionAccessPoints”. [ENG-21772]
- Added visibility and support for AWS CloudWatch Observability Sinks. This capability, nested within AWS CloudWatch, was announced at re:Invent 2022.
  - New permissions are required: “oam:GetSinkPolicy”, “oam:ListLinks”, and “oam:ListSinks”.
  - This new resource is found in the Identity & Management resource category as a Sink resource type.
  - A new Query Filter, Cloud Region Configured With CloudWatch Observability Access, supports this added visibility by identifying cloud account regions that have a sink configuration in place with one or more monitoring accounts. [ENG-21795]
- Added support for AWS EFS Elastic Throughput, expanding AWS EFS file system visibility to cover the configured throughput mode. Added a new Query Filter, Shared File System Throughput Mode, to support this visibility. [ENG-21646]
- Expanded AWS EFS file system visibility to the recently announced 1-Day Lifecycle Management Policy. [ENG-21645]
- Added visibility into the new AWS Data Protection Status for CloudWatch Log Groups. A new Query Filter, Log Group Data Protection Status, supports this added visibility. [ENG-21644]
Resources (22.12.7)
AWS
- We’ve expanded our secret detection to cover AWS SSM Parameters. Note that this requires an additional AWS API permission, ssm:GetParameter, and that the API call will not be attempted for parameters of type SecureString. [ENG-21887]
- Included the replication policy for AWS S3 buckets in the resource details API response. [ENG-21585]
- Added a new field to the ResourceAccessLists table: namespace_id. This field is populated for AWS rules, using the value of the Security Group Rule ID found on AWS. Additional information can be found in the AWS article on security group rule IDs. [ENG-15296]
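The SSM secret-detection note above has a practical consequence: a plaintext secret stored in a String or StringList parameter is a finding, while a SecureString parameter is never decrypted or inspected, so it is neither exposed to the harvester nor checked. The script below is an added example, not InsightCloudSec’s harvester, showing that behaviour offline. The parameter records are constructed to resemble ssm:DescribeParameters output with the value ssm:GetParameter would return for non-secure types; a live version would page through describe_parameters() and call get_parameter(Name=..., WithDecryption=False) only for String and StringList. The regexes are illustrative, not the product’s rule set.

```python
"""Secret scan over SSM parameters that never fetches SecureString values.

Added example, not InsightCloudSec code. Records and values are constructed so the
script runs offline; see the lead-in for how a live harvester would obtain them.
"""
import re

# Constructed inventory. "Value" is what ssm:GetParameter would return; a
# SecureString value is never requested, so it is absent here.
PARAMETERS = [
    {"Name": "/app/db/host", "Type": "String", "Value": "db.internal.example"},
    {"Name": "/app/legacy/aws_key", "Type": "String", "Value": "AKIAIOSFODNN7EXAMPLE"},
    {"Name": "/app/hosts", "Type": "StringList", "Value": "a.example,b.example,password=hunter2"},
    {"Name": "/app/db/password", "Type": "SecureString", "Value": None},
]

# Illustrative patterns only (assumption: not the product's detection rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def get_parameter_value(param):
    """Stand-in for the ssm:GetParameter call. The scanner only reaches it for non-secure types."""
    if param["Type"] == "SecureString":
        raise RuntimeError("SecureString parameters must never be fetched by the scanner")
    return param["Value"]


def scan_parameters(params):
    """Return (findings, skipped).

    findings: (parameter name, pattern label) for plaintext values that match a pattern.
    skipped:  names of SecureString parameters, which are never fetched or inspected.
    """
    findings, skipped = [], []
    for p in params:
        if p["Type"] == "SecureString":
            skipped.append(p["Name"])
            continue
        value = get_parameter_value(p)
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings.append((p["Name"], label))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = scan_parameters(PARAMETERS)
    for name, label in found:
        print(f"FINDING  {name}: {label}")
    for name in skipped:
        print(f"SKIPPED  {name}: SecureString not fetched")
```

The two findings come from plaintext String/StringList parameters, which is the misconfiguration the check is meant to surface; the SecureString parameter is reported as skipped rather than clean, so a reader does not mistake “no finding” for “inspected and safe”.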
AZURE
- Introduced the harvesting of Azure’s Service Fabric Cluster, in response to the vulnerability CVE-2022-30137. This new resource appears under the category Containers within the resources view, as a new resource type Service Fabric Cluster.
  - Support for this includes five new Query Filters:
    - Service Fabric Clusters by Endpoint Type and Port
    - Service Fabric Clusters Not In Ready State
    - Service Fabric Clusters with Manual Upgrade Mode (CVE-2022-30137)
    - Service Fabric Clusters With Selected Operating System(s)
    - Service Fabric Clusters with Selected Upgrade Mode
  - Support also includes one new Insight: Service Fabric Clusters with Manual Upgrade Mode (CVE-2022-30137). [ENG-18645]
- Added support for updating the tags on an Azure Load Balancer resource through ICS. [ENG-21715]
GCP
- Added support for GCP Cloud Data Loss Prevention (DLP) Inspection Jobs. DLP Jobs scan for and identify PII and can take action to anonymize this data so that it isn’t used in business processes. This new resource requires the “dlp.jobs.list” permission from the Cloud Data Loss Prevention (DLP) API. GCP DLP Inspection Jobs can be found in the Compute resource category under the new resource type DLP Jobs.
  - We have added five new Query Filters to support DLP Jobs:
    - DLP Job Takes/Does Not Take Specified Action: identifies jobs taking/not taking specific actions such as de-identification or export to Security Command Center.
    - DLP Job With Specified Job State: identifies jobs based on current state, e.g., running/failed/canceled.
    - DLP Job With Specified Minimum Likelihood: identifies jobs based on their minimum likelihood threshold, e.g., possible/very likely.
    - DLP Job Searches for Info Type (Regex): identifies jobs based on the types of sensitive information that they scan for, e.g., credit card numbers or API keys.
    - DLP Job Found Info Type (Regex): identifies jobs based on the types of sensitive information that were found during execution.
  - We have added two new Insights to support DLP Jobs:
    - Cloud DLP Job Does Not Export Findings to Security Command Center: identifies DLP Jobs that do not send findings to Security Command Center for analysis.
    - Cloud DLP Job Without De-Identification: identifies DLP Jobs that do not de-identify sensitive data. [ENG-20254]
- Added support for the new field ‘lastStartTimestamp’ and updated the Query Filter Instance Running 24x7 to support GCP. Created a new Query Filter, Instance Last Launch Time. [ENG-17424]
- Revised the name of the GCP-supported resource from “GCP Stackdriver Sink” to simply “Sink” within the InsightCloudSec resources view. Sink is also the normalized name of the resource type under the Identity & Management category.
User Interface Changes (22.12.7)
- Added Users and SSH Keys to Secure File Transfer Resource Properties blade. [ENG-9143]
Insights (22.12.7)
AZURE
- Service Fabric Clusters with Manual Upgrade Mode (CVE-2022-30137): new Insight identifies Service Fabric Clusters whose Upgrade Mode is set to Manual, to help protect users against vulnerability CVE-2022-30137. This new Insight supports the added harvesting of Azure’s Service Fabric Cluster, introduced in response to that vulnerability. [ENG-18645]
- Storage Account Allows Shared Key Access: new Insight identifies storage accounts which allow authorization via access key. The new Insight accompanies the existing Storage Account With Shared Key Access Enabled (Azure) Query Filter. We also updated the Azure storage account harvester logic to better determine whether a storage account allows shared key access: we now assume shared key access is allowed unless the response from the CSP tells us otherwise, matching the Azure documentation. [ENG-14845]
GCP
- We have added two new Insights to support DLP Jobs [ENG-20254]:
  - Cloud DLP Job Does Not Export Findings to Security Command Center: identifies DLP Jobs that do not send findings to Security Command Center for analysis.
  - Cloud DLP Job Without De-Identification: identifies DLP Jobs that do not de-identify sensitive data.
Query Filters (22.12.7)
AWS
- Cloud Global Access Point Allows Access From World: new Query Filter identifies global access points that allow access from the world. [ENG-21772]
- Cloud Region Configured With CloudWatch Observability Access: new Query Filter identifies cloud account regions that have a sink configuration in place with one or more monitoring accounts. [ENG-21795]
- Elasticsearch Instance With/Without Advanced Security Enabled: updated Query Filter with an option to find instances with advanced security enabled. [ENG-21448]
- Log Group Data Protection Status: new Query Filter matches log groups based on their data protection status configuration. This new Query Filter supports added visibility into the new AWS Data Protection Status for CloudWatch Log Groups. [ENG-21644]
- Shared File System Throughput Mode: new Query Filter identifies shared file systems based on their throughput mode. This Query Filter supports added visibility for AWS EFS Elastic Throughput. [ENG-21646]
AZURE
- Five new Query Filters support the added harvesting of Azure’s Service Fabric Cluster, in response to the vulnerability CVE-2022-30137 [ENG-18645]:
  - Service Fabric Clusters by Endpoint Type and Port: identifies all Service Fabric Clusters by the selected endpoint type and port.
  - Service Fabric Clusters Not In Ready State: identifies all Service Fabric Clusters whose cluster state is not Ready.
  - Service Fabric Clusters with Manual Upgrade Mode (CVE-2022-30137): identifies all Linux-based Service Fabric Clusters with a manual upgrade mode, used for vulnerability CVE-2022-30137.
  - Service Fabric Clusters With Selected Operating System(s): identifies all Service Fabric Clusters with the selected operating system.
  - Service Fabric Clusters with Selected Upgrade Mode: identifies all Linux-based Service Fabric Clusters with the selected upgrade mode.
GCP
- Cloud Role Trust Relationship Policy Contains Account In Search Term: updated Query Filter now supports GCP. [ENG-21718]
- Cloud Role Trust Relationship Policy Does Not Contain Account In Search Term: updated Query Filter now supports GCP. [ENG-21718]
- Instance Last Launch Time: new Query Filter identifies an instance when its age exceeds a user-defined value. This filter can specify units in minutes, hours or days. [ENG-17424]
- Instance Running 24x7: Query Filter updated to support GCP. [ENG-17424]
- We have added five new Query Filters to support DLP Jobs [ENG-20254]:
  - DLP Job Takes/Does Not Take Specified Action: new Query Filter identifies jobs taking/not taking specific actions such as de-identification or export to Security Command Center.
  - DLP Job With Specified Job State: new Query Filter identifies jobs based on current state, e.g., running/failed/canceled.
  - DLP Job With Specified Minimum Likelihood: new Query Filter identifies jobs based on their minimum likelihood threshold, e.g., possible/very likely.
  - DLP Job Searches for Info Type (Regex): new Query Filter identifies jobs based on the types of sensitive information that they scan for, e.g., credit card numbers or API keys.
  - DLP Job Found Info Type (Regex): new Query Filter identifies jobs based on the types of sensitive information that were found during execution.
MULTI-CLOUD/GENERAL
- Instance Last Launch Time: new Query Filter identifies an instance when its age exceeds a user-defined value. This filter can specify units in minutes, hours or days. [ENG-17424]
Infrastructure as Code (IaC) (22.12.7)
- Updated the IaC Scans page to include advanced filters support. [ENG-21312]
- Added IaC support for the google_project_iam_member, google_service_account, and google_service_account_key resources in Terraform Plans targeting GCP. [ENG-19994, ENG-19995, ENG-19996]
Bug Fixes (22.12.7)
- Fixed an error creating tags for Map Reduce Cluster resources. We have added tagging support to MapReduceClusters. Of note, tagging only works on non-terminated resources. [ENG-21664]
- Updated our SSL policy harvesting for AWS classic load balancers to retain a customer SSL policy if it does not have a reference AWS SSL policy. In addition, we have added supported SSL protocol information. [ENG-21501]
- Fixed a bug with ThreatFinder JSON not loading in the Firefox browser. [ENG-20784]
- Fixed an error in the AWSOrganizationSyncBadges job relating to duplicate account org tree paths. We now check whether an updated org tree path for an account is already stored before trying to add it to the database. [ENG-20636]
- Corrected a bug where we recorded IAM permissions as used when they were in fact denied. [ENG-19590]
- Fixed the Bot action DeleteBatchEnvironment to resolve an issue for Azure. [ENG-18526]