InsightCloudSec 23.3.28 Release Notes

Mar 28, 2023

InsightCloudSec is pleased to announce Release 23.3.28

🚧 Important Changes to Review

Note on Database Migration for IaC Users

23.3.28 includes updates that can lead to long database migrations for IaC users. The updates include a fix for a rare bug that could cause incomplete scan results to appear in the UI, along with preparations for upcoming improvements to IaC Scanning.
Note: The more IaC scans your environment contains, the longer this migration may take.

Changes to Paths for Hosted Customers

As of this release, accessing static data via /divvy/ no longer works for hosted customers. Use /static/ instead; it functions identically. The most common uses of these paths are the Logo URL of custom packs that reference cloud provider images, and some Plugins.

Updates to Endpoint Handling

InsightCloudSec’s 23.2.28 release included updates to our internal webserver library, Flask. As a result, some of our endpoint handling has changed in the following ways:

  • Any request submitting JSON to an endpoint (e.g. a POST) must explicitly include the Content-Type: application/json header.
  • Any POST with an empty body to an endpoint that expects a JSON body may fail with a 500 error, because an empty body is not valid JSON.
  • Plugins that declare custom endpoints are affected by the same changes.
  • For more information about these changes, refer to the details linked here.
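The two request rules above, as an added example written for these notes (not InsightCloudSec's own client code): the builder always sets the Content-Type header and, when the caller has no payload, sends {} instead of an empty body. The endpoint path and the "Api-Key" header name are assumptions used for illustration only.

```python
import json
import urllib.request

# Added example, not InsightCloudSec's own client code. The endpoint path
# and the "Api-Key" header name are assumptions used for illustration.


def json_body(payload=None):
    """Serialize the payload; a request with no data sends "{}" rather than
    an empty body, which the endpoints reject as invalid JSON."""
    return json.dumps({} if payload is None else payload).encode("utf-8")


def is_valid_json_body(body):
    """What the server-side check amounts to: do the raw bytes parse as JSON?
    An empty body does not, so a POST of b"" fails."""
    try:
        json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def build_json_request(url, payload=None, api_key=None):
    """Build a POST the upgraded Flask endpoints accept: an explicit
    Content-Type: application/json header and a non-empty JSON body."""
    body = json_body(payload)
    if not is_valid_json_body(body):
        raise ValueError("refusing to send a body that is not valid JSON")
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Api-Key"] = api_key  # assumption: name of the auth header
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    req = build_json_request(
        "https://ics.example.com/v2/public/resource/query",  # assumed path
        {"limit": 10}, api_key="REDACTED")
    # urllib stores header names capitalized, hence "Content-type" here.
    print(req.get_method(), req.full_url, req.get_header("Content-type"), req.data)
    # Only now would you call urllib.request.urlopen(req).
```

The equivalent from a shell is `curl -X POST -H 'Content-Type: application/json' -d '{}' <url>`; the header and the `{}` body are the two things that scripted integrations written against older releases most often omit.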

InsightCloudSec Software Release Notice - 23.3.28 Release

Release Highlights (23.3.28)

InsightCloudSec is pleased to announce Release 23.3.28. This release includes a new Application Context feature that allows customers to create dynamic collections of resources as a powerful scoping mechanism for real-time visibility into their infrastructure. In this release we have also updated Layered Context with support for scoping via Clouds and Applications (through the Application Context feature).

For Kubernetes customers, we have updated InsightCloudSec to support OPA Gatekeeper and provide improved policy and governance capabilities. 23.3.28 also includes a graph-based visual of resources connected to your Compute and Storage resources, and a new Compliance Pack in support of ISO27001.

In addition, 23.3.28 includes one new Insight, four new Query Filters, one new Bot action, and 12 bug fixes.

📘 Self-Hosted Deployment Updates (23.3.28)

Release availability for self-hosted customers is Thursday, March 30, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

New Permissions Required (23.3.28)

Note: Additional permissions references can be found at the end of these release notes under “Required Policies & Permissions”

🚧 New Permissions: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users:
"ses:DescribeConfigurationSet"
"ses:ListConfigurationSets"

These permissions support the newly added resource AWS Simple Email Service (SES) Configuration Sets for both AWS Commercial and AWS GovCloud Standard (Read-Only) users.

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to attach and maintain the policy. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.

🚧 New Permissions: Azure

For Azure Standard (Reader Role) Users:
“Microsoft.Network/bastionHosts/read”

This new permission supports the added Azure resource Bastion Host. [ENG-24338]

Features & Enhancements (23.3.28)

Application Support

With 23.3.28, InsightCloudSec has the ability to dynamically group infrastructure into “Applications”. An Application is a collection of resources/infrastructure that’s dynamically built and maintained as customer infrastructure scales up/down to support their workloads. These collections are built based on the presence of a specific tag key that is configured within InsightCloudSec. While on the surface they seem similar to Resource Groups, Applications go much further, providing customers with a real time view of the infrastructure backing their apps while also providing data enrichment based on customer input/metadata.

Support for OPA Gatekeeper

InsightCloudSec now includes support for OPA Gatekeeper, which requires InsightCloudSec 23.3.28 and the Kubernetes Local Scanner v4.0.1. OPA Gatekeeper support is available via two new resources: Gatekeeper ConstraintTemplates and Gatekeeper Constraints (both under the Containers Resource Category). A policy (constraint + template) is specific to the cluster on which it is configured; InsightCloudSec harvests and displays this inventory across all monitored clusters.

In addition, this support includes a new Query Filter named Clusters Missing OPA Constraints that gives customers visibility into all non-compliant clusters. This Query Filter requires the creation of a data collection containing the names of the Gatekeeper constraints that every cluster is required to have.

[ENG-24438, ENG-24433, ENG-23717]
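The logic behind the Clusters Missing OPA Constraints filter, as an added example written for these notes (not InsightCloudSec's query-filter implementation): the required-constraint set stands in for the data collection, and the harvested per-cluster constraint lists are constructed sample data. The example also goes one step beyond the filter: a required constraint that exists but has enforcementAction set to dryrun or warn is reported separately, because Gatekeeper only audits such constraints and does not block admissions with them.

```python
# Added example, not InsightCloudSec's own code. Cluster names, constraint
# names and the required set below are constructed sample data.

REQUIRED_CONSTRAINTS = {        # stands in for the InsightCloudSec data collection
    "require-team-label",       # a K8sRequiredLabels constraint
    "disallow-privileged",      # a K8sPSPPrivilegedContainer constraint
    "allowed-registries",       # a K8sAllowedRepos constraint
}

# Constructed harvest: for each cluster, the Gatekeeper Constraint resources
# found. "name" is metadata.name; "kind" is the ConstraintTemplate-derived kind.
# Gatekeeper's default enforcementAction is deny when the field is absent.
HARVESTED = {
    "prod-east": [
        {"kind": "K8sRequiredLabels", "name": "require-team-label"},
        {"kind": "K8sPSPPrivilegedContainer", "name": "disallow-privileged",
         "enforcementAction": "dryrun"},
        {"kind": "K8sAllowedRepos", "name": "allowed-registries"},
    ],
    "prod-west": [
        {"kind": "K8sRequiredLabels", "name": "require-team-label"},
        {"kind": "K8sAllowedRepos", "name": "allowed-registries"},
        {"kind": "K8sBlockNodePort", "name": "block-nodeport"},  # extra, ignored
    ],
    "dev-sandbox": [],          # no Gatekeeper constraints at all
}


def clusters_missing_constraints(harvested, required):
    """Return {cluster: sorted names of required constraints not present}
    for every cluster that is missing some or all of them."""
    result = {}
    for cluster, constraints in harvested.items():
        present = {c["name"] for c in constraints}
        missing = sorted(required - present)
        if missing:
            result[cluster] = missing
    return result


def unenforced_constraints(harvested, required):
    """Required constraints that exist but only audit (enforcementAction
    dryrun or warn), so they never reject a non-compliant admission."""
    result = {}
    for cluster, constraints in harvested.items():
        soft = sorted(c["name"] for c in constraints
                      if c["name"] in required
                      and c.get("enforcementAction", "deny") != "deny")
        if soft:
            result[cluster] = soft
    return result


if __name__ == "__main__":
    for cluster, names in clusters_missing_constraints(HARVESTED, REQUIRED_CONSTRAINTS).items():
        print(f"{cluster}: missing {names}")
    for cluster, names in unenforced_constraints(HARVESTED, REQUIRED_CONSTRAINTS).items():
        print(f"{cluster}: present but not enforcing {names}")
```

Matching is by constraint name only, as the filter's data collection is a list of names; if two clusters use the same name for constraints of different kinds, the harvested kind field is the place to catch that.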

Related Resources

Beginning with 23.3.28 InsightCloudSec is pleased to offer a new graph-based visual view of resources connected to your Compute and Storage resources. This feature, Related Resources, is available through the Resources detail view; it allows you to examine threats and uncover deep insights into your cloud footprints.

Updates to Layered Context

23.3.28 includes updates to Layered Context to allow users to scope and browse data by Cloud and Application, in addition to the existing Resources view. Users can further narrow their scope using the existing filtering capabilities for a quick way to focus on security context.

Additional Feature Updates

  • Updated AWS harvesting configuration to increase retries in the case of API calls being rate limited. [ENG-23007]

Resources (23.3.28)

AWS

  • We have added a new resource type Email Service Config (Compute category) to harvest and analyze AWS SES Configuration Sets. We have added a Query Filter Email Service Config TLS Setting to note whether the resource requires TLS. The resource is available for AWS commercial and GovCloud. Two new permissions are required: “ses:DescribeConfigurationSet” and “ses:ListConfigurationSets”. [ENG-24205]

  • We have updated our AWS Web Application Firewall harvester to reduce the incidence of AWS rate throttling, which can negatively impact harvesting. [ENG-24581]

  • In Resources > Cloud Role, within the Principal Activity blade, the Remediation Policy tab is now available for AWS Service Linked Roles. It displays an informational alert explaining that remediation policies are unavailable for these role types because unused permissions are not evaluated for Service Linked Roles. [ENG-23839]

AZURE

  • We’ve added harvesting/visibility into Azure’s Bastion Host resource. This newly supported resource can be found under the Network category as the new resource type Bastion Host. A new permission is required: “Microsoft.Network/bastionHosts/read”. [ENG-24338]

Insights (23.3.28)

New Compliance Pack ISO27001:2022

ISO27001:2022 includes requirements in Annex A for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. We have released the ISO27001:2022 pack that aligns our Insights with the requirements in Annex A of ISO27001. [ENG-21730]

AZURE

  • Service Fabric Cluster Not On Latest Available Code Version - New Insight identifies Service Fabric Clusters not on the latest code version available. This new Insight supports the new Bot action “Upgrade Service Fabric Cluster Code Version to Latest Version”. [ENG-24769]

Query Filters (23.3.28)

AWS

  • Email Service Config TLS Setting - New Query Filter identifies email service configs by whether Transport Layer Security (TLS) is required or optional (the default). This Query Filter supports the new resource type that harvests and analyzes AWS SES configuration sets. [ENG-24205]
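What the TLS Setting filter evaluates, as an added example written for these notes (not InsightCloudSec's harvester): on the SES v1 API, DescribeConfigurationSet returns a DeliveryOptions block whose TlsPolicy is Require or Optional, and a configuration set that has never had delivery options set has no DeliveryOptions block at all, which means the default, Optional. The API responses below are constructed to mirror that shape; no AWS call is made, and the boto3 calls in the comment are what a live version would use with the two new permissions.

```python
# Added example, not InsightCloudSec's harvester. Responses are constructed
# sample data shaped like SES v1 ListConfigurationSets / DescribeConfigurationSet.
# Live equivalent with a boto3 "ses" client (needs the two new permissions):
#   ses.list_configuration_sets(NextToken=...)
#   ses.describe_configuration_set(ConfigurationSetName=name,
#                                  ConfigurationSetAttributeNames=["deliveryOptions"])


def tls_required(describe_response):
    """True only when DeliveryOptions.TlsPolicy is "Require". A missing
    DeliveryOptions block is SES's default, Optional, so it counts as not required."""
    opts = describe_response.get("DeliveryOptions") or {}
    return opts.get("TlsPolicy", "Optional") == "Require"


def config_sets_without_required_tls(list_pages, describe):
    """Walk paginated ListConfigurationSets output, describe each set, and
    return the names where TLS is not required. `describe` is a callable
    name -> DescribeConfigurationSet response so the logic runs offline."""
    findings = []
    for page in list_pages:
        for cs in page.get("ConfigurationSets", []):
            name = cs["Name"]
            if not tls_required(describe(name)):
                findings.append(name)
    return findings


# Constructed sample data: two pages of ListConfigurationSets output.
SAMPLE_LIST_PAGES = [
    {"ConfigurationSets": [{"Name": "marketing"}, {"Name": "transactional"}],
     "NextToken": "page-2"},
    {"ConfigurationSets": [{"Name": "legacy"}]},
]

# Constructed sample data: DescribeConfigurationSet output per set.
SAMPLE_DESCRIBE = {
    "marketing": {"ConfigurationSet": {"Name": "marketing"},
                  "DeliveryOptions": {"TlsPolicy": "Optional"}},
    "transactional": {"ConfigurationSet": {"Name": "transactional"},
                      "DeliveryOptions": {"TlsPolicy": "Require"}},
    "legacy": {"ConfigurationSet": {"Name": "legacy"}},  # never configured: Optional
}


def sample_describe(name):
    return SAMPLE_DESCRIBE[name]


if __name__ == "__main__":
    print(config_sets_without_required_tls(SAMPLE_LIST_PAGES, sample_describe))
```

The "legacy" case is the one that a naive `TlsPolicy == "Optional"` comparison misses: the key is absent, not set to Optional, yet the set still accepts unencrypted delivery.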

AZURE

  • Service Fabric Cluster Not On Latest Available Code Version - New Query Filter identifies Service Fabric Clusters not on the latest code version available. This Query Filter supports the new Bot action “Upgrade Service Fabric Cluster Code Version to Latest Version”. [ENG-24769]

Kubernetes

  • Clusters Missing OPA Constraints - New Query Filter identifies K8s clusters that are missing some/all OPA constraints provided as a data collection. This Query Filter is part of the new OPA Gatekeeper support. [ENG-24438]

MULTI-CLOUD/GENERAL

  • Identity Resource With Wildcard Access (*:*) - New Query Filter identifies Users, Groups, and Roles with attached or inline policies that grant wildcard access to all services and resources. Note: This Query Filter has also been attached to every Risky Permission Insight so that fully privileged admin identities are no longer returned by those Insights. [ENG-23224]
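An added example written for these notes (not InsightCloudSec's policy evaluation engine) that serves two passages at once: it checks whether an IAM policy set already grants the two new SES actions from the New Permissions: AWS section above, honouring IAM's case-insensitive action wildcards, and it detects the `*:*` shape that the Identity Resource With Wildcard Access filter flags. The policy documents are constructed; the "read-only subset" is a hypothetical policy, not the real AWS ReadOnlyAccess managed policy. The example deliberately ignores Deny statements, NotAction and Conditions, so it can only say a grant is present, not that it is effective.

```python
import fnmatch

# Added example, not InsightCloudSec's code. All policy documents below are
# constructed sample data; READ_ONLY_SUBSET is hypothetical, not AWS's
# ReadOnlyAccess managed policy. Deny, NotAction and Condition are ignored.

NEW_AWS_ACTIONS = ["ses:DescribeConfigurationSet", "ses:ListConfigurationSets"]


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield (actions, resources) for each Allow statement that uses Action."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        yield _as_list(st["Action"]), _as_list(st.get("Resource"))


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policies, required):
    """Required actions that no Allow statement in any of `policies` grants."""
    granted = [a for p in policies for actions, _ in allow_statements(p) for a in actions]
    return [r for r in required if not any(action_matches(g, r) for g in granted)]


def has_wildcard_access(policy):
    """True when an Allow statement grants '*' or '*:*' on Resource '*':
    the shape the 'Identity Resource With Wildcard Access (*:*)' filter flags."""
    for actions, resources in allow_statements(policy):
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


# Constructed policies.
READ_ONLY_SUBSET = {  # hypothetical: Get/List on SES, but no Describe
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ses:Get*", "ses:List*"],
                   "Resource": "*"}],
}
SUPPLEMENT = {  # the kind of small supplemental policy this release calls for
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": NEW_AWS_ACTIONS, "Resource": "*"},
}
ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_STAR = {  # all actions, but on one bucket only: not *:* access
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    print("missing with read-only subset:", missing_actions([READ_ONLY_SUBSET], NEW_AWS_ACTIONS))
    print("missing with supplement:     ", missing_actions([READ_ONLY_SUBSET, SUPPLEMENT], NEW_AWS_ACTIONS))
    for name, pol in [("ADMIN", ADMIN), ("SCOPED_STAR", SCOPED_STAR), ("READ_ONLY_SUBSET", READ_ONLY_SUBSET)]:
        print(name, "wildcard access:", has_wildcard_access(pol))
```

Run against the policies actually attached to the InsightCloudSec role (pull them with `aws iam get-policy-version` or the inline-policy equivalents), `missing_actions` tells you whether the release's two new SES actions are already covered by an existing wildcard or need the supplemental statement. Because Deny and Condition are ignored, a grant reported as present may still be blocked elsewhere; the `*:*` detector is likewise a shape check, not an effective-permission simulation.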

Bot Actions (23.3.28)

AZURE

  • “Upgrade Service Fabric Cluster Code Version to Latest Version” - New Bot action updates Service Fabric Clusters to the latest code version available for that cluster. A new field, “latest_available_code_version”, has been added to the resource to make this possible. A matching Query Filter and Insight have also been added: Service Fabric Cluster Not On Latest Available Code Version. Note: The app registration used by InsightCloudSec must be granted sufficient permission to modify the Service Fabric cluster version for this action to succeed. [ENG-24769]

Bug Fixes (23.3.28)

  • Fixed an AttributeError in the Azure MemcacheInstanceHarvester that was thrown when one of the resources was harvested mid-delete. [ENG-25107]

  • Fixed an issue in the AWS ServerlessFunctionHarvester: when the call to retrieve an individual function’s details resulted in an error, the error data was stored in an incompatible format. [ENG-25041]

  • Fixed an EDH bug that did not propagate permission changes to AWS snapshots/machine images up to the parent resource. [ENG-25038]

  • Updated the logic for the VideoStreamHarvester in AWS to reduce the chances of rate limiting. [ENG-24965]

  • Fixed a harvesting error by adding a re-sync of disabled resource types at scheduler start. [ENG-24848]

  • We have updated our definition of write permission to not include some permissions that are outside of AWS’s ReadOnlyAccess policy. For example, sts:AssumeRole, iam:PassRole, and support and quicksight permissions are no longer considered write permissions. [ENG-24835]

  • Fixed a bug where IaC scans conducted with the mimics CLI tool could display incorrect results in the UI. Note: This change will cause long migrations for installations with a large number of IaC scans. [ENG-24655]

  • Updated supported resources details for Azure EDH support to remove resources where events were being surfaced without EDH support. Refer to the EDH - Supported Resources (Azure) page for an up-to-date list of supported Azure Resources. [ENG-24633]

  • Updated our CreateCluster event processing for AWS Container Clusters to re-enable the assignment of a creator tag. [ENG-24617]

  • Fixed inconsistent results being returned for Risky Permission Insights. [ENG-24222]

  • Fixed an edge case with the Bot action “Cleanup Exposed Storage Container” that would not remove pending scheduled events for S3 buckets if they became compliant before the event executed. [ENG-23780]

  • Fixed an issue in AWS:WorkspaceHarvester where a large number of workspaces in an account and region could cause the harvester to fail. [ENG-23698]

Required Policies & Permissions

📘 Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.