Dec 13, 2022
InsightCloudSec is pleased to announce Release 22.12.14
InsightCloudSec Software Release Notice - 22.12.14 Release
Release Highlights (22.12.14)
InsightCloudSec is pleased to announce Release 22.12.14. This release includes added visibility into AWS Lambda SnapStart and support for transit encryption enforcement for AWS RDS MySQL instances. We have improved the Insight CSV download performance and dramatically reduced the number of API calls made against the ECS Service to provide a better experience across Insights, Bots, and Container Vulnerability Assessment. This release also has several Compliance Pack updates, including a new Compliance Pack, ACSC Cloud Security Controls Matrix (ISM Sep22); the addition of relevant Insights to controls in the Compliance Pack ACSC Essential 8; and an update to the Azure Security Basic Compliance Pack to address Microsoft Defender for Resource Manager (Control 103).
In addition, 22.12.14 includes one new Insight, two updated Query Filters, three new Query Filters, two new Bot actions, and 13 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Customers (22.12.14)
LONG UPGRADE TIMES (SELF-HOSTED CUSTOMERS WITH MANY RUNNING KUBERNETES/ECS CONTAINERS)
For self-hosted customers with many running Kubernetes/ECS containers, upgrading from a release including or prior to 22.12.14, this upgrade will require longer-than-usual times to accommodate several database schema changes.
Depending on your installation, upgrade times of up to two hours may be required. The upgrade process should not be interrupted, so plan accordingly.
Self-Hosted Deployment Updates (22.12.14)
Release availability for self-hosted customers is Thursday, December 15, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Terraform Templates
Our latest Terraform template (static files and modules) can be found here.
- Modules can be updated with the terraform get -update command.
P3 Workers
P3 workload/service is now enabled by default. The following files have been updated to support this change:
- MODULES: modules/aws/divvy_server/variables.tf (line 57)
- STATIC: variables.tf (line 246)
Auto-Scaling
Auto-scaling is now the default behavior for this workload/service. The following files have been updated to support this change:
- MODULES: modules/aws/autoscale/main.tf (lines 90-183); modules/aws/autoscale/variables.tf (lines 33-55); modules/aws/divvy_server/fargate.tf (lines 335-408); modules/aws/divvy_server/variables.tf (lines 156-159, 497-499)
- STATIC: main.tf (lines 216, 336, 339, 342-343); variables.tf (lines 721-728)
Features & Enhancements (22.12.14)
- Improved the Insight CSV download performance. [ENG-21846]
User Interface Changes (22.12.14)
- The “Last Modified” field in the details for a resource has been renamed to “Last Harvest Change Time” in the UI. [ENG-20606]
Resources (22.12.14)
AWS
- As of this release, InsightCloudSec will no longer harvest all ECS Task Definitions in an AWS account. Only active ECS Task Definitions which are associated with an ECS Service will be included for harvesting. This change should dramatically reduce the number of API calls made against the ECS Service, and will also improve performance across Insights, Bots and Container Vulnerability Assessment. [ENG-22009]
- Added visibility into AWS Lambda SnapStart. We’ve added a new Query Filter, Serverless Function SnapStart Configuration, identifying serverless functions based on whether or not SnapStart is enabled. [ENG-21836]
- Added support for transit encryption enforcement for AWS RDS MySQL instances. This was in response to the recent AWS RDS update made on August 1st. [ENG-21860]
Insights (22.12.14)
AZURE
- Updated the Azure Security Compliance Pack with the existing Insight Microsoft Defender for Resource Manager should be enabled to address Control 103. [ENG-19622]
- Instance Adaptive Application Control Policy Allowlist Rules Out Of Date - New Insight identifies virtual machines which should have their allowlist rules updated under adaptive application control. [ENG-19611]
MULTI-CLOUD/GENERAL
- We have added a new Compliance Pack, ACSC Cloud Security Controls Matrix (ISM Sep 22), and added relevant Insights to controls in another pack, ACSC Essential 8. [ENG-22024]
- Included a new collection_mapping property on Custom Insights when one or more Data Collections are used in the Insight configuration. [ENG-14841]
Query Filters (22.12.14)
AWS
- Serverless Function SnapStart Configuration - New Query Filter identifies serverless functions based on whether or not SnapStart is enabled. [ENG-21836]
AZURE
- Instance Adaptive Application Control Policy Allowlist Rules Out Of Date - New Query Filter matches Compute instances where Microsoft Defender has identified allowlist rules in your adaptive application control policy which should be updated. [ENG-19611]
- Resource With Specific Role - Expanded Query Filter support to work with ECS Task Definitions. [ENG-21840]
- Storage Account Allows Ingress Traffic From Specified IP Addresses - New Query Filter identifies Storage Accounts that have an allow rule for the list of given IPv4 addresses. If an invalid IP address is entered, all resources will be returned. [ENG-14976]
- Web App Configured To Use SCM - Expanded the Query Filter by adding a new field, scm_default, to check whether scmIpSecurityRestrictions and scmIpSecurityRestrictionsDefaultAction are NULL or FALSE. In addition, expanded the Query Filter to be able to search for both compliant and non-compliant resources. Resources are compliant if scm_default contains a “DenyALL” rule OR “scmIpSecurityRestrictionsUseMain” is TRUE. Resources are non-compliant if any of the following values are NULL or FALSE: “scmIpSecurityRestrictions”, “scmIpSecurityRestrictionsDefaultAction”, or “scmIpSecurityRestrictionsUseMain”. [ENG-21424]
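The compliant/non-compliant rule stated for the Web App Configured To Use SCM filter, applied to constructed site-config records as an added example (not InsightCloudSec's own code); the record shape, scm_default as a list of rule names, and the function names are assumptions made here:

```python
"""Added example (not InsightCloudSec's own code): applies the compliance rule
stated for the Web App Configured To Use SCM Query Filter to constructed Azure
Web App site-config records. The record shape, scm_default as a list of rule
names, and the function names are assumptions made for this example."""

CHECKED_FIELDS = (
    "scmIpSecurityRestrictions",
    "scmIpSecurityRestrictionsDefaultAction",
    "scmIpSecurityRestrictionsUseMain",
)


def is_null_or_false(value):
    """NULL (absent/None), FALSE and an empty rule list all count as unset."""
    return value is None or value is False or value == []


def classify_scm(site_config):
    """'compliant' if scm_default holds a DenyALL rule or UseMain is TRUE;
    'non-compliant' if any checked field is NULL or FALSE (rule as stated)."""
    rules = site_config.get("scm_default") or []
    use_main = site_config.get("scmIpSecurityRestrictionsUseMain")
    if "DenyALL" in rules or use_main is True:
        return "compliant"
    if any(is_null_or_false(site_config.get(f)) for f in CHECKED_FIELDS):
        return "non-compliant"
    return "unmatched"  # all fields set but neither compliant condition holds


def filter_web_apps(apps, compliant):
    """Mirrors the enhancement that lets the filter match either outcome."""
    wanted = "compliant" if compliant else "non-compliant"
    return [a["name"] for a in apps if classify_scm(a) == wanted]


# Constructed sample records (not real Azure data)
WEB_APPS = [
    {"name": "app-main-rules", "scmIpSecurityRestrictions": [],
     "scmIpSecurityRestrictionsDefaultAction": None,
     "scmIpSecurityRestrictionsUseMain": True, "scm_default": []},
    {"name": "app-deny-all", "scmIpSecurityRestrictions": [{"name": "DenyALL"}],
     "scmIpSecurityRestrictionsDefaultAction": "Deny",
     "scmIpSecurityRestrictionsUseMain": False, "scm_default": ["DenyALL"]},
    {"name": "app-open-scm", "scmIpSecurityRestrictions": None,
     "scmIpSecurityRestrictionsDefaultAction": "Allow",
     "scmIpSecurityRestrictionsUseMain": False, "scm_default": []},
    {"name": "app-allow-only", "scmIpSecurityRestrictions": [{"name": "AllowOffice"}],
     "scmIpSecurityRestrictionsDefaultAction": "Allow",
     "scmIpSecurityRestrictionsUseMain": False, "scm_default": ["AllowOffice"]},
]
```

An app whose SCM site merely has an Allow rule with a default action of Allow is still flagged, because the rule keys on UseMain or an explicit DenyALL, not on the presence of any rule.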
GCP
- Storage Container Used As CDN Origin - Updated Query Filter now supported for GCP. [ENG-21775]
Infrastructure as Code (IaC) (22.12.14)
- Added IaC support for the google_dns_managed_zone resource in Terraform Plans targeting GCP. [ENG-21849]
IAM (22.12.14)
AZURE
- Added support to display Unused/Unassessed permissions of Azure Principal Activities via JSON file download. [ENG-21419]
Bot Actions (22.12.14)
AZURE
- “Disable Storage Account Public Network Access” - New Bot action disables public access for Azure storage accounts. [ENG-18491]
- “Enable Storage Account Public Network Access” - New Bot action enables public access for Azure storage accounts. [ENG-18491]
Bug Fixes (22.12.14)
- Fixed an Overflow Error that was thrown in the Volume Without Recent Snapshot Query Filter when a number of days larger than the number of days that have elapsed to date (1 million) was entered. The fix handles this error, keeps the default number of days at 14, and makes the days field required. [ENG-22005]
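The failure mode behind this fix and a hardened lookback, as an added example that is not InsightCloudSec's own code: subtracting an oversized timedelta from a datetime raises OverflowError in Python, so the hardened version keeps the 14-day default, requires the value and bounds it. Function names, MAX_DAYS and the sample volumes are assumptions made here.

```python
"""Added example (not InsightCloudSec's own code): the overflow behind the
Volume Without Recent Snapshot fix, beside a bounded, required lookback.
Function names, MAX_DAYS and the sample inventory are assumptions."""
from datetime import datetime, timedelta, timezone

DEFAULT_DAYS = 14        # default stated in the release note
MAX_DAYS = 365 * 100     # assumed upper bound; far below the overflow point

# Constructed "now" and volume inventory so the example is deterministic
NOW = datetime(2022, 12, 13, tzinfo=timezone.utc)
VOLUMES = [
    {"id": "vol-fresh", "last_snapshot": NOW - timedelta(days=3)},
    {"id": "vol-stale", "last_snapshot": NOW - timedelta(days=40)},
    {"id": "vol-never", "last_snapshot": None},
]


def naive_cutoff(days, now=NOW):
    """Pre-fix behaviour: trusts the user value; huge values push the date
    before year 1 and raise OverflowError."""
    return now - timedelta(days=int(days))


def overflows(days, now=NOW):
    """True if the pre-fix computation raises OverflowError for this input."""
    try:
        naive_cutoff(days, now)
    except OverflowError:
        return True
    return False


def snapshot_cutoff(days=DEFAULT_DAYS, now=NOW):
    """Hardened: days is required and must lie within 1..MAX_DAYS."""
    if days is None or days == "":
        raise ValueError("days is required")
    days = int(days)
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"days must be between 1 and {MAX_DAYS}")
    return now - timedelta(days=days)


def volumes_without_recent_snapshot(volumes, days=DEFAULT_DAYS, now=NOW):
    """IDs of volumes whose latest snapshot is older than the cutoff or missing."""
    cutoff = snapshot_cutoff(days, now)
    return [v["id"] for v in volumes
            if v["last_snapshot"] is None or v["last_snapshot"] < cutoff]


def rejected(days):
    """True if the hardened cutoff refuses this input with ValueError."""
    try:
        snapshot_cutoff(days)
    except ValueError:
        return True
    return False
```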
- Fixed a bug that prevented the trusted_accounts property from populating for GCP Snapshot Permissions and Encryption Keys. [ENG-21937]
- Fixed a critical KeyError from the ResourceTagTrigramsProcessor job when there were two or more trigrams that differed only by the use of accented letters instead of the ASCII alphabet. [ENG-21920]
- Fixed Query Filter Cloud Role Trusted Accounts Contains Specific Accounts to correctly match roles when any supplied account is trusted in the trust relationship policy, rather than requiring all accounts to be in the trust relationship policy. [ENG-21886]
- Fixed a bug where the Allowed Actions and Allowed Services count for IAM Roles and IAM Users would be incorrect if there was a statement containing NotAction with an Effect set to Deny. [ENG-21800]
- Fixed a bug where some IAM Query Filters would not work as expected because the IAMPolicyProcessor job was not running. [ENG-21755]
- Fixed an issue where AWS EDH Cognito User Pool events were not processing. [ENG-21506]
- Fixed feature enhancement regressions in the edit exemption workflow. [ENG-21306]
- Fixed a bug that prevented processing of the AWS EDH “DeleteEventBus” action. [ENG-21213]
- Fixed a bug involving improperly scoping Insight Exemptions based on the selected Insight Pack in the summary view. [ENG-21031]
- Fixed an error in the AWSOrganizationSyncBadges job relating to duplicate account org tree paths. We now check whether an updated org tree path for an account is already stored before trying to add it to the database. [ENG-20636]
- Fixed a bug in the Load Balancer Orphaned Query Filter where load balancers with backend pools set up with IP addresses were incorrectly flagged. [ENG-15564]
- Fixed an issue for GCP snapshot volume references that prevented the Query Filter Volume Without Recent Snapshot from working correctly. [ENG-14618]