
Dec 20, 2022

InsightCloudSec is pleased to announce Release 22.12.21

InsightCloudSec Software Release Notice - 22.12.21 Release

Limited Release for 22.12.28 or 23.1.4

As the next two weeks include several Federal Holidays, we will not be providing a formal release with release notes for the weeks of 22.12.28 or 23.1.4. SaaS or self-hosted customers may receive minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on 23.1.11. Reach out to your CSM or InsightCloudSec support with questions or concerns.

Release Highlights (22.12.21)

InsightCloudSec is pleased to announce Release 22.12.21. This release includes added support for AWS Glue Databases and Azure’s Application Credentials. For GCP we have added support for GCP Cloud Composer, GCP Data Fusion, and GCP Service Certificate Authority. This release also includes a new Compliance Pack supporting the Cloud Security Alliance Cloud Controls Matrix (CSA CCM). In addition, 22.12.21 includes three new Insights, one updated Query Filter, one new Query Filter, and five bug fixes.

⚠️ LONG UPGRADE TIMES (SELF-HOSTED CUSTOMERS WITH MANY RUNNING KUBERNETES/ECS CONTAINERS)

For self-hosted customers with many running Kubernetes/ECS containers who are upgrading from release 22.12.14 or earlier, this upgrade will take longer than usual to accommodate several database schema changes.

Depending on your installation, upgrade times of up to two hours may be required. The upgrade process should not be interrupted, so plan accordingly.

Self-Hosted Deployment Updates (22.12.21)

Release availability for self-hosted customers is Thursday, December 22, 2022. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Terraform Templates

Our latest Terraform template (static files and modules) can be found here.

  • Modules can be updated with the terraform get -update command.

P3 Workers

The P3 workload/service is now enabled by default. The following files have been updated to support this change:

  • MODULES
    modules/aws/divvy_server/variables.tf line 57
  • STATIC
    variables.tf line 246

Auto-Scaling

Auto-scaling is now the default behavior for this workload/service. The following files have been updated to support this change:

  • MODULES
    modules/aws/autoscale/main.tf lines 90-183
    modules/aws/autoscale/variables.tf lines 33-55
    modules/aws/divvy_server/fargate.tf lines 335-408
    modules/aws/divvy_server/variables.tf lines 156-159, 497-499
  • STATIC
    main.tf lines 216, 336, 339, 342-343
    variables.tf lines 721-728

New Permissions Required (22.12.21)

⚠️ New Permission Required: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users: “glue:GetTables”

The above permission supports the newly added visibility and lifecycle support for AWS Glue Databases. [ENG-22148]

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

⚠️ Permission Set Required: Azure

The following permission set is required for Azure: “Application.Read.All”

The “Application.Read.All” permission set is needed for Microsoft Graph to run successfully in supporting the recently added Azure Application Credentials resource. [ENG-21855]

For additional reference, see: [Configure an Application Registration, Step 1, parts 7 & 8, for a single cloud](https://docs.divvycloud.com/docs/azure-setup-single-cloud#step-1-configure-an-application-registration) and Configure an Application Registration, Step 1, parts 7 & 8, for an organization.

⚠️ New APIs Required: GCP

The following APIs must now be enabled for GCP:

  • Cloud Composer API
  • Cloud Data Fusion API
  • Certificate Authority Service API

These APIs support the added visibility into GCP Cloud Composer, GCP Data Fusion, and GCP Service Certificate Authority. Refer to our documentation on GCP Projects and GCP Organizations for full details. [ENG-22116]

Features & Enhancements (22.12.21)

  • Added a new download option that can be used to get organization metrics about cloud utilization. Note that this report can only be called by Org Admins, Domain Admins, and Domain Viewers. [ENG-22039]

  • Improved performance for the EDH History cloud section dropdown. [ENG-21686]

  • Alibaba has indicated to their vendors that they prefer to be referred to as Alibaba Cloud rather than the more informal AliCloud which they had used in the past. Names have been updated to reflect that preference. [ENG-21505]

Resources (22.12.21)

AWS

  • Added visibility and lifecycle support for AWS Glue Databases (new Resource type ETL Database, Storage category). This support includes the ability to manipulate tags even though the cloud provider does not support tags within the console. We have added a new read-only permission, “glue:GetTables”, to the AWS commercial and GovCloud read-only policies. [ENG-22148]

AZURE

  • We have added support for Azure’s Application Credentials (Resource type API Access Key, Identity & Management resource category). The permission “Application.Read.All” is needed for Microsoft Graph to run this new capability successfully. A new Query Filter, Service Access Key Expiration Date Exceeds is also available. [ENG-21855]

GCP

  • Added visibility into three additional GCP services:

    • GCP Cloud Composer (Resource type “Airflow Environment”, Compute category)
    • GCP Data Fusion (Resource type “Data Factory”, Storage category)
    • GCP Service Certificate Authority (Resource type “SSL Certificate Authority”, Identity & Management category)

    In conjunction with this added visibility, the following Insights have added GCP support:

    • Airflow Environment Allows Public Web Server Access
    • Data Factory Encrypted with Cloud Managed Key
    • Data Factory Supports Public Access

    No new permissions are required for this as we use the Cloud Asset Inventory for retrieval and these permissions are already documented. However, there are three new APIs that customers will need to enable: Cloud Composer API, Cloud Data Fusion API, and Certificate Authority Service API. [ENG-22116]

Insights (22.12.21)

New CSA CCM Compliance Pack

  • We have added a new Compliance Pack to support the Cloud Security Alliance Cloud Controls Matrix (CSA CCM). This pack includes 491 Insights that map to CSA CCM standards. See also our listing of Compliance Packs on our Insights page. [ENG-20019]

GCP

  • Three Insights have added GCP support in conjunction with the added visibility into GCP Cloud Composer, GCP Data Fusion, and GCP Data Factory. [ENG-22116]
    • Airflow Environment Allows Public Web Server Access
    • Data Factory Encrypted with Cloud Managed Key
    • Data Factory Supports Public Access

Query Filters (22.12.21)

AZURE

  • Web App Configured To Use SCM - Expanded the Query Filter to identify Azure App Services that are SCM compliant or non-compliant. Compliant resources contain a DenyAll rule in the list of firewall rules, or have scmIpSecurityRestrictionsUseMain set to TRUE. A resource is non-compliant if any of the following properties are NULL or FALSE: “scmIpSecurityRestrictions”, “scmIpSecurityRestrictionsDefaultAction”, or “scmIpSecurityRestrictionsUseMain”. [ENG-21951]
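The compliance logic described above, as an added illustration that is not InsightCloudSec's own code: it evaluates the scm* properties of an Azure App Service site config against the stated rules. What counts as a "DenyAll" rule, and how the two sentences of the description combine, are assumptions noted in the code; the sample configs are constructed.

```python
from typing import Any, Dict, List

# Properties the filter description lists; NULL (missing) in any of them -> non-compliant.
SCM_PROPERTIES = ("scmIpSecurityRestrictions",
                  "scmIpSecurityRestrictionsDefaultAction",
                  "scmIpSecurityRestrictionsUseMain")

def is_deny_all_rule(rule: Dict[str, Any]) -> bool:
    # Assumption: a "DenyAll" rule is a Deny action that applies to any address.
    return (str(rule.get("action", "")).lower() == "deny"
            and str(rule.get("ipAddress", "")).lower() == "any")

def scm_restrictions_compliant(site_config: Dict[str, Any]) -> bool:
    """True when the SCM (Kudu) endpoint is restricted, per the filter's logic.
    Reading adopted here (an assumption): a missing/NULL property -> non-compliant;
    otherwise compliant if the main site's restrictions are reused
    (scmIpSecurityRestrictionsUseMain TRUE) or the SCM rule list has a DenyAll rule."""
    if any(site_config.get(p) is None for p in SCM_PROPERTIES):
        return False
    if site_config["scmIpSecurityRestrictionsUseMain"] is True:
        return True
    return any(is_deny_all_rule(r) for r in site_config["scmIpSecurityRestrictions"])

def find_noncompliant(site_configs: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of App Services whose SCM endpoint is left open."""
    return [name for name, cfg in site_configs.items() if not scm_restrictions_compliant(cfg)]

# Constructed sample site configs (not real tenant data); only the scm* properties are shown.
DENY_ALL = {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"}
ALLOW_ALL = {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"}
CORP_ONLY = {"ipAddress": "10.0.0.0/24", "action": "Allow", "priority": 100, "name": "corp"}
SAMPLE_SITE_CONFIGS = {
    # own SCM rule list ends in DenyAll -> compliant
    "api-prod": {"scmIpSecurityRestrictions": [CORP_ONLY, DENY_ALL],
                 "scmIpSecurityRestrictionsDefaultAction": "Deny",
                 "scmIpSecurityRestrictionsUseMain": False},
    # inherits the main site's restrictions -> compliant
    "web-prod": {"scmIpSecurityRestrictions": [ALLOW_ALL],
                 "scmIpSecurityRestrictionsDefaultAction": "Allow",
                 "scmIpSecurityRestrictionsUseMain": True},
    # allow-all rule, not using main -> non-compliant
    "legacy": {"scmIpSecurityRestrictions": [ALLOW_ALL],
               "scmIpSecurityRestrictionsDefaultAction": "Allow",
               "scmIpSecurityRestrictionsUseMain": False},
    # properties NULL / missing -> non-compliant
    "partial": {"scmIpSecurityRestrictions": None},
}
```

Running `find_noncompliant(SAMPLE_SITE_CONFIGS)` on the constructed data flags "legacy" and "partial" only.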

MULTI-CLOUD/GENERAL

  • Service Access Key Expiration Date Exceeds - New Query Filter identifies Service Access Keys depending on whether their expiration date is within a specified number of days. [ENG-21855]

Infrastructure as Code (IaC) (22.12.21)

  • Added IaC support for the google_kms_key_ring, google_kms_key_ring_iam_binding, and google_kms_key_ring_iam_member resources in Terraform plans targeting GCP. (Note: This is support for the “Key Vault” resource type.) [ENG-22044]

  • Added IaC support for the google_apikey_key resource in Terraform plans targeting GCP. (Note: This is support for the “Cloud Credentials” resource type.) [ENG-21848]

IAM (22.12.21)

  • AWS IAM Effective Access results will now include cross-account access. This will affect results for Access Explorer as well as identity-related Query Filters:

    • Identity Resource with Effective Access to Resources
    • Identity Resource with Effective Access to Resources Using Tags
    • Resource Granting Effective Access to Identity

    Results will also increase to reflect new services announced at re:Invent. Anywhere that lists permissions allowed by a principal (the Principal Explorer page, the Principal Activity page, etc.) should now include these new actions. [ENG-21803]

  • Updated the displayed table columns on the Permissions Blade in the Resources panel to show permissions-relevant information: Used status, Permission Name, Count, and Last Executed [date]. [ENG-21461]

Bug Fixes (22.12.21)

  • Fixed a bug where GetBucketLocation was failing due to the region in LPAAggregationJob. [ENG-22131]

  • Fixed edge case where the ECSTaskHarvester raised an unnecessary exception when there was no hookpoint notification to send. [ENG-22082]

  • Updated harvesting of the AWS Launch Template property for AWS Autoscaling Groups to accommodate different AWS API responses. [ENG-22077]

  • Fixed an edge case that prevented collection of Azure Functions due to Storage Account permissions errors. [ENG-22064]

  • Fixed an issue where AWS EDH Incognito User Pool events were not processing. [ENG-21506]