Jan 17, 2023
InsightCloudSec is pleased to announce Release 23.1.18
InsightCloudSec Software Release Notice - 23.1.18 Release
Release Highlights (23.1.18)
InsightCloudSec is pleased to announce Release 23.1.18. This release includes new resource support for AWS Global Accelerator and for AWS Keyspaces Table in AWS GovCloud. This release also includes support for Azure Advisor Recommendations as well as additional Insight support for Alibaba Cloud ApsaraDB for RDS. In addition, 23.1.18 includes two updated Insights, eight new Query Filters, nine updated Query Filters, two new Bot actions, and nine bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.1.18)
Release availability for self-hosted customers is Thursday, January 19, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Permissions (23.1.18)
New Permission Required: Alibaba Cloud
“rds:DescribeDBInstanceIPArrayList”
This permission supports the expanded Alibaba Cloud ApsaraDB for RDS coverage, which now includes two Insights. [ENG-15931]
Details on permissions for Alibaba Cloud are available in our Alibaba Cloud documentation.
New Permissions Required: AWS
For AWS Commercial and GovCloud Standard (Read-Only) Users: “globalaccelerator:DescribeAcceleratorAttributes”, “globalaccelerator:ListAccelerators”, “globalaccelerator:ListListeners”, “globalaccelerator:ListTagsForResource”
For AWS Commercial and GovCloud Power Users: “globalaccelerator:*”
For AWS GovCloud Standard (Read-Only) Users: “cassandra:Select”
For AWS GovCloud Power Users: “cassandra:*”
These permissions support the added AWS Global Accelerator resource [ENG-21465] and AWS Keyspaces Table for GovCloud [ENG-22541].
The following actions have been added to our Supplemental Policy to the AWS-Managed Read-Only policy: “globalaccelerator:DescribeAcceleratorAttributes”, “globalaccelerator:ListAccelerators”, “globalaccelerator:ListListeners”, “globalaccelerator:ListTagsForResource”
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
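The supplemental statement described above, as an added example that is not InsightCloudSec’s own policy or code: it builds the small additional policy for the new read-only actions and then checks that nothing in a Standard (Read-Only) policy can mutate state. The read-only verb allowlist is our own assumption, not an AWS-published list; the only service-specific exception it carries is “cassandra:Select”, which is a read but does not follow the Describe/List/Get naming convention.

```python
"""Build the supplemental read-only IAM policy for the 23.1.18 actions and
verify it grants no write-capable action. Added example, not vendor code.
Assumption: policy documents are plain dicts in IAM JSON form."""
import json

# Verb prefixes AWS uses for read-only actions (assumed allowlist), plus the
# one read-only verb on this page that does not follow that convention.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")
READ_ONLY_EXCEPTIONS = {"cassandra:Select"}

# Taken from the release notice: actions added to the Standard (Read-Only) role.
NEW_READ_ONLY_ACTIONS = [
    "globalaccelerator:DescribeAcceleratorAttributes",
    "globalaccelerator:ListAccelerators",
    "globalaccelerator:ListListeners",
    "globalaccelerator:ListTagsForResource",
    "cassandra:Select",  # GovCloud Standard users only, per the notice
]


def supplemental_policy(actions):
    """Return an IAM policy document that allows exactly the given actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InsightCloudSecSupplementalReadOnly",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }


def is_read_only_action(action):
    """True only if the action string can provably do nothing but read.

    Wildcards ("globalaccelerator:*", "cassandra:*", "s3:Get*") are treated as
    write-capable, because a wildcard can match future non-read actions."""
    if action in READ_ONLY_EXCEPTIONS:
        return True
    service, _, verb = action.partition(":")
    if not service or not verb or "*" in service or "*" in verb:
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def non_read_only_actions(policy):
    """Every Allow action in the policy that is not provably read-only.

    Deny statements are skipped: they can only remove permissions."""
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string here
            actions = [actions]
        offenders.extend(a for a in actions if not is_read_only_action(a))
    return offenders


if __name__ == "__main__":
    standard = supplemental_policy(NEW_READ_ONLY_ACTIONS)
    print(json.dumps(standard, indent=2))
    print("standard policy, non-read-only:", non_read_only_actions(standard))
    power = supplemental_policy(["globalaccelerator:*", "cassandra:*"])
    print("power user policy, non-read-only:", non_read_only_actions(power))
```

Run the check against the Standard (Read-Only) policy after every upgrade that adds permissions; the Power User wildcards are expected to be flagged, which is the point of keeping the two roles separate.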
Features & Enhancements (23.1.18)
- Updated the CrowdStrike integration to remove the dependency on the soon-to-be deprecated v1 Get device details endpoint, GET /devices/entities/devices/v1. This CrowdStrike endpoint will reach its end of life and be removed from production on February 9, 2023. Our integration has been updated to use the replacement API endpoint. [ENG-22413]
User Interface Changes (23.1.18)
- On the Permissions Blade in Resources view, we have added the Azure-specific columns Permission level and Plane. [ENG-22185]
Resources (23.1.18)
AWS
- We have added support for AWS Global Accelerators (Network category, Global Load Balancer resource type). The following permissions are required for the AWS Commercial and AWS GovCloud Read-Only policies: “globalaccelerator:DescribeAcceleratorAttributes”, “globalaccelerator:ListAccelerators”, “globalaccelerator:ListListeners”, and “globalaccelerator:ListTagsForResource”. To update the AWS Commercial and AWS GovCloud Power User policies, add “globalaccelerator:*”. [ENG-21465]
- We have expanded AWS Event Driven Harvesting (EDH) support to include AWS GuardDuty and Macie findings. With the expanded support, we can raise a Threat Finding alert within 60 seconds of a new GuardDuty or Macie finding. [ENG-22331]
- Added support for storing the Service Control Policies that affect a specific cloud account within an AWS Organization. A new Query Filter, Service Control Policy Applied to Cloud Account, has been added for searching Service Control Policies. [ENG-14782]
- We have updated Email Service Domains to surface whether AWS SES Email Identities grant untrusted third-party access and/or public/anonymous access. These properties can be found using the existing Query Filters Resource Trusting Unknown Account and Resource Is Exposed To Public, respectively. We also added the resource-specific Query Filter Email Service Identity Allows Public Access. [ENG-17292]
- Added support for AWS Transit Gateways in the AWS UAE region, matching AWS’ own availability. [ENG-22610]
AZURE
- Added support for the new resource Azure Policy, which appears under Policy definitions in the Azure Portal. This support harvests all built-in Azure policies as well as any custom policies. [ENG-18647]
- Added support for Azure Advisor Recommendations (Identity & Management category, new resource type Security Posture). These are the Microsoft Defender for Cloud Security Posture recommendations (Microsoft Defender for Cloud > Cloud security > Security Posture in the Azure portal). This is a rework of the Azure Advisor data that previously appeared under InsightCloudSec’s Cloud Advisor Check; it now appears as its own resource. [ENG-20655]
GCP
Note for Customers with Bots for GCP Compute Instances
Customers who have Bots that operate on GCP Compute Instances should be aware that the change referenced below may cause a temporary increase in Bot evaluations after upgrading.
- We’ve added a new property to identify GCP Compute Instances that are not using a default service account. This property is populated on the first harvest after upgrade, and the resulting resource updates may temporarily increase Bot evaluations. [ENG-22136]
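How the default-service-account property can be derived from a harvested instance record, as an added example that is not InsightCloudSec’s own harvester code: it classifies each attached service account against Google’s default address formats, so an instance that was re-attached to a custom account is evaluated on its current record rather than on an earlier result. The instance records, project number and project ID below are constructed sample data in the shape of a compute.instances.get response.

```python
"""Classify GCP Compute Instances by whether they run as a Google default
service account. Added example, not vendor code; sample data is constructed."""
import re

# Address formats of Google's default service accounts (fact): the Compute
# Engine default is <project-number>-compute@developer.gserviceaccount.com and
# the App Engine default is <project-id>@appspot.gserviceaccount.com.
DEFAULT_SA_PATTERNS = (
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^[a-z][a-z0-9-]*[a-z0-9]@appspot\.gserviceaccount\.com$"),
)

# Constructed instances: project number 123456789012, project ID "acme-prod".
SAMPLE_INSTANCES = [
    {"name": "web-1",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    # Previously ran as the default SA, later switched to a dedicated account:
    # only the current record counts, so this must not be flagged.
    {"name": "web-2",
     "serviceAccounts": [{"email": "web-runtime@acme-prod.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "legacy-app",
     "serviceAccounts": [{"email": "acme-prod@appspot.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    # No service account attached at all: the instance has no identity to abuse.
    {"name": "batch-1", "serviceAccounts": []},
]


def is_default_service_account(email):
    """True if the address is one of Google's default service accounts."""
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def uses_default_service_account(instance):
    """True if any service account currently attached to the instance is a
    Google default. An instance with no attached account returns False."""
    return any(is_default_service_account(sa.get("email", ""))
               for sa in instance.get("serviceAccounts", []))


def evaluate(instances):
    """Map instance name -> whether it runs as a default service account."""
    return {inst["name"]: uses_default_service_account(inst) for inst in instances}


if __name__ == "__main__":
    for name, flagged in evaluate(SAMPLE_INSTANCES).items():
        print(f"{name}: {'DEFAULT' if flagged else 'non-default'} service account")
```

Because the property is recomputed from each harvest, a Bot keyed on it will re-evaluate every instance once after the upgrade, which is the transient increase the note above describes.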
Insights (23.1.18)
Alibaba Cloud
- Expanded Alibaba Cloud ApsaraDB for RDS coverage to include support for the following Insights [ENG-15931]:
Database Instance Retention Policy Too Low
Database Instance with Access List Attached Exposed to the Public
- Note: This requires the updated IAM permission “rds:DescribeDBInstanceIPArrayList”. Details on permissions for Alibaba Cloud are available in our Alibaba Cloud documentation.
Query Filters (23.1.18)
Alibaba Cloud
- Expanded Alibaba Cloud ApsaraDB for RDS coverage to include support for the following Query Filters [ENG-15931]:
Database/Big Data/Broker/Stream Security Group Exposing Access
Database/Big Data/Broker Instance With Internet Routable IP Address
Database/Big Data/Broker Instance Without Internet Routable IP Address
Database Instance With SSL Enforced
Instance Backup Retention Policy At Most
Instance Backup Retention Policy At Least
Instance Is Encrypted
Instance Without Defined Backup Policy
Resource With Permissive Network Access Rules
- Note: This requires the updated IAM permission “rds:DescribeDBInstanceIPArrayList”. Details on permissions for Alibaba Cloud are available in our Alibaba Cloud documentation.
AWS
- We have added two Query Filters to identify AWS regions that have one or more Local Zones or Wavelength Zones enabled. These zones are opt-in capabilities that permit more precise geographic targeting of compute and storage. [ENG-22622]
Cloud Region With Local Zone Enabled - New Query Filter identifies cloud regions that have one or more Local Zones enabled.
Cloud Region With Wavelength Zone Enabled - New Query Filter identifies cloud regions that have one or more Wavelength Zones enabled.
- Email Service Identity Allows Public Access - New Query Filter identifies email service identities whose identity policy allows anonymous/public access. [ENG-17292]
- Service Control Policy Applied to Cloud Account - New Query Filter identifies AWS accounts that have any of the specified Service Control Policies applied to them. SCPs attached above the account level (to an OU or the organization root) still match an account if the policy affects it. [ENG-14782]
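The inheritance rule the Service Control Policy filter relies on, worked through as an added example that is not InsightCloudSec’s own code: an SCP affects an account if it is attached to the account itself, to any OU on the path above it, or to the organization root, so the effective set is found by walking that chain. The organization tree, policy names and account IDs below are constructed sample data in the shape of the Organizations ListParents and ListPoliciesForTarget results, not a real organization.

```python
"""Resolve the Service Control Policies affecting each account in an AWS
Organization by walking from the account up to the root. Added example, not
vendor code; the tree below is constructed."""

# Parent of each node (ListParents). The root has no parent.
PARENTS = {
    "ou-prod": "r-root",
    "ou-prod-payments": "ou-prod",
    "ou-sandbox": "r-root",
    "111111111111": "ou-prod-payments",
    "222222222222": "ou-sandbox",
}

# SCPs attached directly to each target (ListPoliciesForTarget, type SCP).
ATTACHED = {
    "r-root": ["FullAWSAccess"],
    "ou-prod": ["DenyLeaveOrganization"],
    "ou-prod-payments": ["DenyRegionsOutsideUS"],
    "111111111111": ["DenyRootUser"],
}


def ancestry(target, parents=PARENTS):
    """Return [target, parent OU, ..., root]; raises on a malformed cycle."""
    chain, seen = [target], {target}
    while chain[-1] in parents:
        nxt = parents[chain[-1]]
        if nxt in seen:
            raise ValueError(f"cycle in organization tree at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def effective_scps(account_id, parents=PARENTS, attached=ATTACHED):
    """Every SCP affecting the account, mapped to the nearest node it is
    attached at. Direct attachments win over inherited ones for reporting.

    Caveat (fact about Organizations, not modelled here): SCPs never apply to
    the management account, and only apply when the SCP policy type is
    enabled on the root."""
    result = {}
    for node in ancestry(account_id, parents):
        for name in attached.get(node, []):
            result.setdefault(name, node)
    return result


def accounts_with_scp(policy_name, parents=PARENTS, attached=ATTACHED):
    """Accounts the 'Service Control Policy Applied to Cloud Account' filter
    would return: any account whose effective set contains the policy,
    regardless of where it was attached."""
    accounts = [n for n in parents if n.isdigit()]
    return sorted(a for a in accounts
                  if policy_name in effective_scps(a, parents, attached))


if __name__ == "__main__":
    for acct in ("111111111111", "222222222222"):
        print(acct, effective_scps(acct))
    print("DenyLeaveOrganization ->", accounts_with_scp("DenyLeaveOrganization"))
```

Against a live organization the two dicts would be filled from the Organizations API with the management account’s credentials; the walk itself is unchanged.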
AZURE
- Blob Change Feed status in Storage Account - New Query Filter identifies Azure Storage Accounts whose Blob Change Feed is Enabled, Disabled, or Not Configurable. [ENG-16091]
- Identity Resource Allows Permission (Azure) - New Query Filter accepts an Azure permission and returns the Azure users that are granted that permission at any scope. [ENG-21741]
Bot Actions (23.1.18)
AWS
- “Modify Memcache Instance Attribute” - New Bot action for AWS ElastiCache clusters modifies one or more attributes for a Memcache instance/cluster; it can be used to toggle transit encryption enforcement. [ENG-22350]
MULTI-CLOUD/GENERAL
- “Send Email Summary With Detailed CSVs” - New Bot action sends an Email summary with separate, resource-specific CSV attachments. Each resource-specific CSV attachment should mirror the CSV download that users can trigger from the Resources section of the tool with their resource-specific details. [ENG-20323]
Bug Fixes (23.1.18)
- Fixed an issue with the AWS EtlDatabaseHarvester, which failed with an AttributeError when database tags could not be retrieved. We now account both for databases with no tags and for errors thrown during tag retrieval. [ENG-22629]
- Fixed an issue with the Insight Identity Resource Unused for 90 Days by adding the Query Filter Resource Age Exceeds to it, so the Insight no longer flags newly created resources. [ENG-22581]
- Fixed a bug with Insight details displaying twice; the custom Insight notes editor no longer includes Pack membership in the notes, but stores that information separately. [ENG-22550]
- Fixed a KeyError in the Airflow Environment Missing Logging Configuration Query Filter that was causing attached Insights to fail. [ENG-22492]
- Fixed an issue with the Insight Stream Instance Without A Logging Destination showing false positives. [ENG-22443]
- Fixed the error handling in the AWS ColdStorageHarvester so that it completes its follow-on calls when a vault has no lock/policy, instead of raising and stopping the harvest. In addition, fixed a small issue in the ColdStorageHarvester backend that caused event driven harvesting to fail. [ENG-22228]
- Fixed an issue with the Instance Associated With Default Service Account Query Filter returning false positives for instances that once used the default service account but had since been updated to use a non-default account. [ENG-22136]
- Fixed two issues in the CloudMetadataHarvester when collecting GCP/Azure cloud properties. [ENG-21868]