23.1.11 Release Notes
InsightCloudSec Software Release Notice - 23.1.11 Release
Release Highlights (23.1.11)
*InsightCloudSec is pleased to announce Release 23.1.11. This release includes details on some bug fixes and updates that took place during the end of 2022. These updates were provided to SaaS/hosted customers as part of their scheduled upgrades and will be part of the latest build for self-hosted customers in this release.*
Release 23.1.11 includes numerous updates to our resource support. This release adds support for AWS Keyspaces, expands AWS GuardDuty support to include findings from EKS, ECS, and RDS, and adds support for AWS resource Database Migration Service Endpoints. For Azure, we have added support for Azure Activity Log Alerts, Event Grid Topic harvesting, and DDoS Protection Plans. For GCP Subnets, we have added support for trusted accounts.
In addition, 23.1.11 includes more than a dozen updated Insights, four new Insights, seven updated Query Filters, seven new Query Filters, two updated Bot actions, one new Bot action, and 16 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.1.11)
Release availability for self-hosted customers is Thursday, January 12, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
New Permissions Required (23.1.11)
New Permissions Required: AWS
For AWS Commercial Standard (Read-Only) Users: "backup-gateway:GetGateway", "backup-gateway:ListGateways", "cassandra:Select", "dms:DescribeEndpoints"
For AWS Commercial Power Users: "backup-gateway:*", "cassandra:*"
For AWS GovCloud Standard (Read-Only) Users: "backup-gateway:GetGateway", "backup-gateway:ListGateways", "dms:DescribeEndpoints"
For AWS GovCloud Power Users: "backup-gateway:*"
The above permissions support the newly added AWS Database Migration Service Endpoints (DMS Endpoint) and AWS Keyspaces Table. [ENG-22117, ENG-22237 & ENG-22517]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
New Permissions Required: Azure
For Azure Reader Role: "Microsoft.EventGrid/topics/read", "Microsoft.Insights/ActivityLogAlerts/Read", "Microsoft.Network/ddosProtectionPlans/read"
For Azure Power User Role: "Microsoft.EventGrid/*"
These permissions enable the newly added support for Azure DDoS Protection Plans [ENG-20544], Azure Event Grid topic harvesting [ENG-21616], and Azure Activity Log Alerts [ENG-19387].
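The two permission lists above are easiest to act on if you can check an existing policy against them before the upgrade. The following script is an added example, not InsightCloudSec's own code: it takes the read-only action lists stated in these notes (AWS Standard Read-Only and Azure Reader) and reports which of them an AWS IAM policy document or an Azure custom role definition does not yet grant, honouring wildcards such as "backup-gateway:*" and "Microsoft.EventGrid/*" as well as Deny statements and notActions. The sample policy and role below are constructed for the demonstration; evaluation of Resource, Condition and NotAction elements is deliberately not modelled and is an assumption noted in the code.

```python
"""Check whether a read-only policy already grants the permissions that
InsightCloudSec 23.1.11 newly requires.

Added example, not InsightCloudSec's own code. The required-action lists are
copied from the release notes; the sample AWS policy and Azure role definition
are constructed for the demonstration.
"""
from fnmatch import fnmatchcase
import json

# Newly required read-only permissions, as listed in the 23.1.11 release notes.
AWS_READ_ONLY_REQUIRED = [
    "backup-gateway:GetGateway",
    "backup-gateway:ListGateways",
    "cassandra:Select",
    "dms:DescribeEndpoints",
]
AZURE_READER_REQUIRED = [
    "Microsoft.EventGrid/topics/read",
    "Microsoft.Insights/ActivityLogAlerts/Read",
    "Microsoft.Network/ddosProtectionPlans/read",
]


def _granted(pattern, action):
    """True if a policy action pattern (which may contain '*') covers action.
    Both AWS IAM and Azure RBAC match action names case-insensitively."""
    return fnmatchcase(action.lower(), pattern.lower())


def aws_missing_actions(policy_doc, required=AWS_READ_ONLY_REQUIRED):
    """Return the required actions that an IAM policy document does not allow.

    Assumption: only Effect/Action are evaluated. Resource and Condition are
    treated as unrestricted ('*'), which is how harvesting read-only policies
    are normally written, and NotAction statements are ignored.
    """
    allows, denies = [], []
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is legal
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):          # "Action": "s3:Get*" is legal too
            actions = [actions]
        (allows if stmt.get("Effect") == "Allow" else denies).extend(actions)
    missing = []
    for action in required:
        allowed = any(_granted(p, action) for p in allows)
        denied = any(_granted(p, action) for p in denies)   # explicit Deny wins
        if not allowed or denied:
            missing.append(action)
    return missing


def azure_missing_actions(role_def, required=AZURE_READER_REQUIRED):
    """Same check for an Azure custom role definition (the JSON shape used by
    'az role definition create'): 'actions' grant, 'notActions' subtract."""
    missing = []
    for action in required:
        granted = False
        for perm in role_def.get("permissions", []):
            if any(_granted(p, action) for p in perm.get("actions", [])) and not any(
                _granted(p, action) for p in perm.get("notActions", [])
            ):
                granted = True
        if not granted:
            missing.append(action)
    return missing


# Constructed sample: a supplemental AWS policy that already covers Keyspaces and
# one Backup Gateway call, and explicitly denies the DMS describe call.
SAMPLE_AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cassandra:Select", "backup-gateway:Get*", "dms:*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "dms:DescribeEndpoints", "Resource": "*"}
  ]
}""")

# Constructed sample: an Azure custom role with an Event Grid wildcard, a
# Network read wildcard, and a notAction that removes the DDoS plan read.
SAMPLE_AZURE_ROLE = {
    "Name": "InsightCloudSec Reader (constructed sample)",
    "permissions": [{
        "actions": ["Microsoft.EventGrid/*", "Microsoft.Network/*/read"],
        "notActions": ["Microsoft.Network/ddosProtectionPlans/read"],
    }],
}

if __name__ == "__main__":
    print("AWS read-only policy is missing:", aws_missing_actions(SAMPLE_AWS_POLICY))
    print("Azure Reader role is missing:", azure_missing_actions(SAMPLE_AZURE_ROLE))
```

Run it against an exported policy (for example the output of `aws iam get-policy-version` or `az role definition list`) by loading that JSON in place of the constructed samples; an empty list means the upgrade needs no IAM change for that user type. The Power User wildcards ("backup-gateway:*", "cassandra:*", "Microsoft.EventGrid/*") are matched by the same logic, so the checker works for both user types.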
Feature Enhancements (23.1.11)
- We have added a new BotFactory hookpoint, Resource Created (Delayed), that triggers after a creation event with a built-in delay (by default, 20 minutes). This hookpoint is most useful when Event-driven Harvesting (EDH) is enabled and when examining resources that require additional time to configure for Bot analysis or to achieve a ready state for Bot corrective action. With the speed of EDH, a Bot using the Resource Created hookpoint can be triggered to evaluate or act before the cloud provider is ready, a function of the cloud provider's guarantee of eventual consistency. For example, with EDH and the Resource Created hookpoint, a Bot can be triggered by the creation of a misconfigured database instance while the database instance is still in a creating state. The cloud provider generally blocks any corrective action until after the database instance has reached a ready or available state. The Resource Created (Delayed) hookpoint combines the response to the event with the delay required to take action. [ENG-22046]
- Extended the /v3/lpa/principals/ endpoint to return the action type. For additional information, see our API reference. [ENG-21574]
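The timing problem the delayed hookpoint solves is easy to reproduce in a small model. The simulation below is an added example, not InsightCloudSec or BotFactory code: the CreateHook scheduler, the provider-state model (a database instance that stays in "creating" for 15 minutes after its creation event) and the resource id are constructed assumptions; only the 20-minute default delay comes from the release notes. It runs the same creation event through an immediate hook and a delayed hook and records what state each one observes and whether the provider would accept a corrective action at that moment.

```python
"""Why an immediate 'Resource Created' hook can fire too early under
event-driven harvesting, and how a delayed hook avoids it.

Added example, not InsightCloudSec code. The scheduler and provider model are
constructed for the demonstration; the 20-minute default delay is the value
given in the release notes.
"""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class _Pending:
    due_at: float                           # simulated minutes
    resource_id: str = field(compare=False)


class CreateHook:
    """Queues one Bot evaluation per creation event.

    delay_minutes=0 models the immediate 'Resource Created' hookpoint; a
    positive delay models 'Resource Created (Delayed)'.
    """

    def __init__(self, delay_minutes, provider_state):
        self.delay = delay_minutes
        self.provider_state = provider_state    # callable(resource_id, now) -> state
        self._queue = []

    def on_create_event(self, resource_id, event_time):
        heapq.heappush(self._queue, _Pending(event_time + self.delay, resource_id))

    def run_due(self, now):
        """Evaluate every queued resource whose time has come.

        Returns a list of (resource_id, observed_state, remediation_allowed).
        The provider accepts modifications only once the resource is 'available'.
        """
        results = []
        while self._queue and self._queue[0].due_at <= now:
            item = heapq.heappop(self._queue)
            state = self.provider_state(item.resource_id, now)
            results.append((item.resource_id, state, state == "available"))
        return results


# Constructed provider model: the instance is 'creating' for 15 minutes after
# its creation event and 'available' afterwards.
CREATED_AT = {"db-misconfigured-01": 100.0}    # constructed event time, minutes


def sample_provider_state(resource_id, now):
    age = now - CREATED_AT[resource_id]
    return "creating" if age < 15 else "available"


def compare_hooks(delayed_minutes=20):
    """Fire both hooks for the same event and run each as soon as it is due."""
    resource = "db-misconfigured-01"
    t0 = CREATED_AT[resource]
    immediate = CreateHook(0, sample_provider_state)
    delayed = CreateHook(delayed_minutes, sample_provider_state)
    for hook in (immediate, delayed):
        hook.on_create_event(resource, t0)
    # EDH delivers the event almost instantly, so the immediate hook runs at t0+0.1.
    immediate_result = immediate.run_due(t0 + 0.1)
    # The delayed hook is not due yet at that point ...
    if delayed.run_due(t0 + 0.1):
        raise RuntimeError("delayed hook fired before its delay elapsed")
    # ... but it is once the configured delay has passed.
    delayed_result = delayed.run_due(t0 + delayed_minutes)
    return immediate_result, delayed_result


if __name__ == "__main__":
    immediate, delayed = compare_hooks()
    print("Resource Created:          ", immediate)
    print("Resource Created (Delayed):", delayed)
```

The third assertion in the check below makes the practical caveat explicit: the delay only helps if it is longer than the provider's provisioning time for that resource type, so a delay shorter than the time the instance spends in "creating" still observes a resource the provider will not let the Bot modify.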
User Interface Changes (23.1.11)
- Added a tooltip for not available dates on unused and unassessed permissions. [ENG-21997]
Resources (23.1.11)
AWS
- Added visibility, tag, and lifecycle support for AWS Keyspaces (Storage category, new resource type Cassandra Table, AWS Keyspaces Table). Two new Query Filters, Cassandra Table Throughput Mode and Cassandra Table Point-in-time Recovery (PITR) Configuration, were added and one Query Filter, Resource Encrypted With Cloud Managed Key, was updated so that customers can audit the security and configuration of their Keyspaces tables. This visibility requires an additional IAM permission: "cassandra:Select" for the AWS commercial read-only user policy and "cassandra:*" for the AWS commercial power user policy. [ENG-22237, ENG-22517]
- Expanded AWS GuardDuty collection to include findings from EKS, ECS, and RDS. The Query Filters Resource With Recent Threat Finding By Severity and Resource With Threat Finding By Regex were also updated to support these resource types. [ENG-22276]
- Added support for AWS resource Database Migration Service Endpoints (DMS Endpoint), which can be found in the Network resource category as the new resource type Database Migration Endpoint. This new support requires that the permission "dms:DescribeEndpoints" be added to both the AWS commercial and AWS GovCloud read-only policies. [ENG-22117]
- Updated AWS Event-Driven Harvesting support to include two UserPool events: UpdateUserPool and UpdateUserPoolClient. [ENG-22084]
- Expanded AWS SES identity visibility into Email address identities. [ENG-17031]
AZURE
- Added harvesting of Azure Activity Log Alerts. This is part of a new resource type, Activity Log Alert, in the Identity & Management category of resources. We have added one new Insight, Activity Log Alert Without "All Selected" Options, and several new Query Filters, Activity Log Alerts By Severity Level, Activity Log Alerts By Selected Operation Type, and Activity Log Alerts Without "All Selected" Options, to support this new resource. [ENG-19387]
- Added support for Event Grid Topic harvesting on Azure. This new resource can be found under the Compute category as a new resource type Event Grid Topic. A new permission is required: "Microsoft.EventGrid/topics/read" for Reader user roles and "Microsoft.EventGrid/*" for Power User roles. [ENG-21616]
- Added tag and delete support for Azure DDoS Protection Plans (Network category, DDoS Protection resource type). A new permission is needed: "Microsoft.Network/ddosProtectionPlans/read". [ENG-20544]
GCP
- Support for trusted accounts has now been added for GCP Subnets. [ENG-21859]
Insights (23.1.11)
Alibaba Cloud
- We have expanded the following Insights to support Alibaba Cloud: Instance with Public IP Address and any Port Exposure to 0.0.0.0/0, Instance with a Public IP Exposing SSH, Instance with a Public IP Exposing RDP, and Compute Instance With Public IP Attached. [ENG-22315]
AWS
We have updated several Insights to clarify that known internal AWS accounts are not considered "unknown" accounts and have added reference links. Some Insight names have also been updated:
- Compute Snapshot Trusting Unknown/Third Party Account (AWS) has been renamed to Snapshot Trusting Unknown/Third Party Account
- Database Snapshot Trusting Unknown/Third Party Account (AWS) has been renamed to Database Snapshot Trusting Unknown/Third Party Account
- Resource with Cross Account Access to Unknown Account has been renamed to Serverless Function Trusting Unknown Account
[ENG-22038]
We have added three related Insights that are supported by the Query Filter Resource Violation Identified By IAM Access Analyzer. These Insights are:
- Resource Violation Identified by IAM Access Analyzer – Cross Account - Identifies resources that AWS IAM Access Analyzer has flagged with a cross-account violation.
- Resource Violation Identified by IAM Access Analyzer – Unknown Account - Identifies resources that AWS IAM Access Analyzer has flagged with an unknown-account violation.
- Resource Violation Identified by IAM Access Analyzer – Public - Identifies resources that AWS IAM Access Analyzer has flagged with a public violation. [ENG-21535]
AZURE
- Activity Log Alert Without "All Selected" Options - New Insight identifies Activity Log Alerts whose severity and statuses are not set to "All Selected". [ENG-19387]
MULTI-CLOUD
We have updated the following Insights' list of supported clouds to account for changes in their underlying Query Filters. No functionality has been removed; the Insights incorrectly stated that these clouds were supported or unsupported [ENG-22062]:
- Access Analyzer Not Enabled In Cloud Region (AWS) now additionally supports AWS Gov as well as AWS and AWS China. It identifies cloud regions that do not have the Access Analyzer service enabled, to help identify cross-account and public access exposure via IAM policies.
- Access List Rule Without Description (Security Group) no longer supports Alibaba Cloud.
- Big Data Instance without Logging Enabled no longer supports Alibaba Cloud.
- Cache Instance Auth Token Disabled no longer supports Azure Arm or Azure Gov.
- Cloud Account Password Policy Age without Annual Expiration previously stated that it supported only Oracle Cloud. As this is not the case, this Insight has been deprecated as of 23.1 and will no longer be shown in the UI.
- Cloud Role Providing Cross Account Access Without External ID no longer supports AWS China.
- Cloud Role Trust Policy Without External ID no longer supports AWS China.
- Cloud User Exhibiting Suspicious Logging Activity no longer supports Alibaba Cloud.
- Cloud User with Stale/Inactive API Credentials no longer supports Oracle Cloud.
- Container Image Not Scanned In Past 2 Days no longer supports Alibaba Cloud.
- Content Delivery Network Not Requiring HTTPS no longer supports Alibaba Cloud.
- Database Cluster Backup Retention Policy Too Low (Seven Days) no longer supports Alibaba Cloud.
- Database Instance Threat Detection Alert Recipients Not Set was previously listed as supporting AWS Gov; this should have been Azure Gov and has now been corrected.
- Database Instance without Recent Snapshot no longer supports Alibaba Cloud, Azure or GCE.
- DNS Domain Without Auto Renew no longer supports AWS China or AWS Gov.
- DNS Domain Without Transfer Lock no longer supports AWS China or AWS Gov.
- Kubernetes Cluster Without Monitoring Enabled no longer supports Azure.
- Launch Configuration Orphaned no longer supports Alibaba Cloud.
- Resource High Cost now additionally supports Azure Gov and China. It identifies resources costing more than $1,000 per month.
Query Filters (23.1.11)
Alibaba Cloud
- We have expanded the following Query Filters to support Alibaba Cloud: Instance Exposing Public RDP, Instance Exposing Public SSH, Instance With Public IP Attached, and Instance Without Public IP Attached. [ENG-22315]
AWS
- Cassandra Table Point-in-time Recovery (PITR) Configuration - New Query Filter identifies resources based on whether point-in-time recovery is enabled or disabled. [ENG-22237]
- Cassandra Table Throughput Mode - New Query Filter identifies Cassandra tables based on the configured throughput mode. [ENG-22237]
- Identity Resource Associated With Threat Finding - New Query Filter identifies cloud users and roles that have been associated with one or more Threat Findings (e.g., AWS GuardDuty). [ENG-22308]
- Resource Encrypted With Cloud Managed Key - Query Filter updated to add the CassandraTable resource type. [ENG-22237]
- Resource Launched With Marketplace Image - New Query Filter identifies Compute Instances and Autoscaling Groups based on their association with an AWS Marketplace AMI. [ENG-20930]
- Resource With Recent Threat Finding By Severity and Resource With Threat Finding By Regex - These Query Filters were updated to support the expanded AWS GuardDuty collection of findings from EKS, ECS, and RDS. [ENG-22276]
AZURE
- Activity Log Alerts By Selected Operation Type - New Query Filter identifies all Activity Log Alerts by the selected operation type(s). [ENG-19387]
- Activity Log Alerts By Severity Level - New Query Filter identifies all Activity Log Alerts by the selected severity level(s). [ENG-19387]
- Activity Log Alerts Without "All Selected" Options - New Query Filter identifies all Activity Log Alerts whose severity and statuses are not set to "All Selected". [ENG-19387]
GCP
- Identity Principal With Organization/Folder Level Access - New Query Filter identifies principals such as users, groups and service accounts based on their association with one or more folder- or organization-level role bindings. [ENG-22482]
MULTI-CLOUD/GENERAL
- Content Delivery Network Origin Public Storage Container - New Query Filter identifies CDNs that use a publicly accessible storage container as an origin. [ENG-21995]
Bot Actions (23.1.11)
AZURE
- “Disable Event Grid Topic Public Network Access” - New Bot action added for event grid topics to disable public network access. A new permission is required: "Microsoft.EventGrid/topics/write". [ENG-21619, ENG-14917]
GCP
- “Cleanup Resource Policy” - This Bot action was expanded to work with three additional GCP asset types: Cloud Functions, Pub/Sub Topics and Secrets. This action will also work from the resource property panel. [ENG-16135]
MULTI-CLOUD/GENERAL
- “Assign Owner Tag To Resource” - Added a new option to this Bot action that allows customers to only assign owner tags if the resource is not an AWS-generated value such as AutoScaling. [ENG-22408]
Bug Fixes (23.1.11)
- Fixed an issue that prevented Resource Group harvesting from being enqueued via the Trigger Harvest view when the Bot is scoped to Azure subscriptions. [ENG-22278]
- Fixed an issue with the Query Filter Cloud Account With MFA Protected Root Account that caused incorrect results to be shown. [ENG-22239]
- Fixed a bug where certain system setting checkboxes did not reflect the actual value. [ENG-22218]
- Fixed a bug where Azure Key Vaults were not successfully deleting through the Delete Resource action. [ENG-22195]
- Fixed a bug that would not remove AWS CloudTrail resources when the DeleteTrail event was executed on global trails. [ENG-22135]
- Fixed a bug with false positives for two Query Filters. S3 buckets with impaired visibility will no longer be evaluated when using the Query Filters Storage Container With Default Server Side Encryption and Storage Container Without Default Server Side Encryption. [ENG-22128]
- Fixed a bug with UpdateUserPool not harvesting. Updated AWS Event-Driven Harvesting support to include two UserPool events: UpdateUserPool and UpdateUserPoolClient. [ENG-22084]
- Updated the supported-cloud lists of several Insights to account for changes in their underlying Query Filters. No functionality has been removed; the Insights incorrectly stated that these clouds were supported or unsupported. The full list of affected Insights is given under MULTI-CLOUD in Insights (23.1.11). [ENG-22062]
- Fixed a NoneType error thrown by the NetworkEndpointServiceHarvester when service objects did not have auto_approval properties. The fix checks for this property before adding the nested list of auto_approval subscriptions to the NetworkEndpointService's trusted accounts. [ENG-22019]
- Fixed an issue with harvesting of Azure Firewall Rules when they have been modified. [ENG-21996]
- Fixed an issue where AWS Load Balancer redirection support was not looking at forwarding rules in addition to redirect rules. [ENG-21235]
- Fixed a bug where Azure Security Groups that had flow logs enabled weren't being flagged as such. [ENG-21176]
- Fixed a bug that prevented the Network Interface resource type from being filtered in the Bots listing page. [ENG-20602]
- Fixed the Query Filter Resource With Clear Text Secret to exclude temporary-credential regular expressions for resources with user data, such as instances, web app environments and autoscaling launch configurations. [ENG-20246]
- Resolved an issue so that a user is no longer logged out when updating their password from the Profile page. [ENG-17798]
- Modified Azure Organizations provisioning to exclude/ignore legacy "Access to Azure Active Directory" subscriptions. [ENG-10327]