InsightCloudSec 23.4.4 Release Notes

Apr 04, 2023

InsightCloudSec is pleased to announce Release 23.4.4.

🚧 Important Changes to Review

Note on Database Migration for IaC Users

Releases after 23.3.28 include updates that can lead to long DB migrations for IaC users. These updates include a fix for a rare bug that could cause incomplete scan results to appear in the UI, as well as preparations for some upcoming improvements to IaC Scanning.
Note: The more scans your environment contains, the longer this migration may take.

InsightCloudSec Software Release Notice - 23.4.4 Release

Release Highlights (23.4.4)

InsightCloudSec is pleased to announce Release 23.4.4. This release includes several performance improvements, two new Insights, seven updated Query Filters, ten new Query Filters, one updated Bot action, and 15 bug fixes.

📘 Self-Hosted Deployment Updates (23.4.4)

Release availability for self-hosted customers is Thursday, April 6, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

Features & Enhancements (23.4.4)

Layered Context

  • Resources whose Insight severity level is “Info”, that are not identified as public, that have no Threat findings or only “Low” severity ones, and that have a Vulnerability Risk score of 0 will no longer appear in the Layered Context table. [ENG-24260]
  • We have updated the labels in the Advanced Filtering form for Layered Context as follows:
    • Resource Risk Score => Vuln Risk Score
    • Resource Severity => Vuln Severity
    • Resource Assessment Date => Vuln Last Assessment Date
    • Resources containing CVE ID => Vuln Resources containing CVE ID
    • Resource Image ID => Vuln Resource Image ID
      [ENG-23797]

Other Features & Enhancements

  • Added a processor that logs critical harvester jobs that have not succeeded for a specified period of time (36 hours by default). [ENG-25245]

  • We have added opt-in support for skipping (exempting) policies from analysis for write permissions, admin permissions, or susceptibility to privilege escalation. [ENG-25247]

  • Added a confirmation dialog/modal to the IAM Settings → LPA Working Directory page to avoid accidental deletion of the settings. [ENG-25033]

Resources (23.4.4)

AWS

  • Reduced the number of calls made to RDS when retrieving database parameters, lessening the risk of rate limiting. [ENG-25308]

AZURE

  • Added Azure source document support for network subnets. These will now be viewable in the resource blade of the UI. [ENG-19158]

  • When adding an Azure Organization on the Organizations page, customers can now see an auto-add toggle. [ENG-24977]

Insights (23.4.4)

AZURE

  • We are changing the Azure Security Benchmark v3 pack to Microsoft Cloud Security Benchmark, the successor to Azure Security Benchmark (ASB). [ENG-25405]

  • Azure AD Applications with Potential Multi-Tenant Misconfiguration - New Insight identifies applications with potentially misconfigured multi-tenant AAD audience. Note: this Insight will flag potential issues; the customer will need to investigate these. [ENG-25498]

  • Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is disabled - New Insight identifies Azure subscriptions that have Microsoft Defender for Endpoint Integration set to disabled. [ENG-18835]

Query Filters (23.4.4)

AWS

  • Transit Gateway Passes Default Maximum Limit for Route Table Count - New Query Filter identifies transit gateways based on the number of route tables attached. Supports AWS, AWS Gov, and AWS China. [ENG-16656]

AZURE

  • Cloud Account with Microsoft Defender for Endpoint Integration disabled - New Query Filter matches Azure subscriptions that have Microsoft Defender for Endpoint Integration set to disabled. [ENG-18835]

  • Cloud App Configured for Multi-Tenancy Access (Azure) - New Query Filter identifies cloud apps by their ability to allow access from multiple tenants. [ENG-25498]

  • Cloud App with Multi-Tenancy Access Linked to App Service with No Network Restrictions (Azure) - New Query Filter identifies cloud apps that allow access from multiple tenants and are linked to an Azure App Service that has no networking restrictions enabled. [ENG-25498]

  • Web App Using User Assigned Identity with Key Vault - New Query Filter finds web apps on Azure that are using a user-assigned identity instead of their system-assigned identity. A new field “key_vault_reference_identity” has been added to the WebApps table. This field stores the ID of the managed identity being used with the web app; if the app is using its default identity, “SystemAssigned” will appear instead. [ENG-20427]

Added four new Query Filters for Azure Web Application Firewall:

  • Web Application Firewall With/Without Diagnostic Settings - New Query Filter identifies WAFs with associated resources to determine whether or not their linked load balancer or content delivery network is collecting web application firewall logs.

  • Web Application Firewall With/Without Associated Resources - New Query Filter identifies WAFs to determine if they are/are not attached to any resources, e.g., Application Gateway (LoadBalancer) or Frontdoor (ContentDeliveryNetwork).

  • Web Application Firewall With/Without Managed Rules - New Query Filter identifies WAFs that are using Azure’s built-in managed rule sets, e.g., OWASP.

  • Web Application Firewall With/Without Resource Lock - New Query Filter identifies WAFs by whether they have/do not have Read Only or Delete Protection Locks enabled.
    [ENG-22851]

MULTI-CLOUD/GENERAL

  • Route Table With Default Route To Transit Gateway - New Query Filter identifies route tables that have a default route (0.0.0.0/0) to a transit gateway. The Query Filter can optionally be restricted to a specific target gateway. [ENG-24511]

  • We have updated several of our Query Filters to improve their performance in the context of IaC scans and BotFactory operations. The optimized Query Filters are:

    • Resource Specific Policy Principal Search
    • Resource Specific Policy Resource Wildcard Search
    • Resource Specific Policy Action/Resource Search
    • Resource Specific Policy With Negation Key
    • Resource With Specific Action and Missing Condition
    • Resource Specific Policy With/Without Conditions
    • Resource Not In Resource Group
      [ENG-25421]
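As an added illustration of the “Route Table With Default Route To Transit Gateway” Query Filter above (example code, not InsightCloudSec’s own implementation), the function below evaluates route tables in the shape of an EC2 DescribeRouteTables response. The route table IDs, gateway IDs and route entries are constructed; the optional target-gateway restriction and the treatment of blackholed routes are this example’s choices, not something the release notes specify.

```python
"""Find route tables whose default route (0.0.0.0/0 or ::/0) points at a transit
gateway, optionally limited to one target gateway.

Added example, not InsightCloudSec code. Route fields follow the layout of the
EC2 DescribeRouteTables response; the sample route tables below are constructed.
"""

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}


def default_tgw_routes(route_table, target_gateway=None):
    """Transit gateway IDs that receive a default route from this route table.

    Blackholed routes are ignored (assumption of this example): they forward
    nothing, so they do not hand the default path to a gateway. With
    target_gateway set, only routes to that gateway count.
    """
    hits = []
    for route in route_table.get("Routes", []):
        destination = (route.get("DestinationCidrBlock")
                       or route.get("DestinationIpv6CidrBlock"))
        tgw = route.get("TransitGatewayId")
        if destination not in DEFAULT_DESTINATIONS or tgw is None:
            continue
        if route.get("State", "active") != "active":
            continue
        if target_gateway is not None and tgw != target_gateway:
            continue
        hits.append(tgw)
    return hits


def matching_route_tables(route_tables, target_gateway=None):
    """IDs of the route tables the filter would match."""
    return [rt["RouteTableId"] for rt in route_tables
            if default_tgw_routes(rt, target_gateway)]


def route(destination, **target):
    """Constructed route entry; target is e.g. TransitGatewayId=... or GatewayId=...."""
    key = "DestinationIpv6CidrBlock" if ":" in destination else "DestinationCidrBlock"
    state = target.pop("State", "active")
    return {key: destination, "State": state, **target}


# Constructed sample route tables (IDs are placeholders, not real resources).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Routes": [route("10.0.0.0/16", GatewayId="local"),
                route("0.0.0.0/0", GatewayId="igw-0123456789abcdef0")]},
    {"RouteTableId": "rtb-to-tgw-1",
     "Routes": [route("10.0.0.0/16", GatewayId="local"),
                route("0.0.0.0/0", TransitGatewayId="tgw-00000000000000001")]},
    {"RouteTableId": "rtb-blackholed",
     "Routes": [route("0.0.0.0/0", TransitGatewayId="tgw-00000000000000002",
                      State="blackhole")]},
    {"RouteTableId": "rtb-specific-only",
     "Routes": [route("10.0.0.0/8", TransitGatewayId="tgw-00000000000000001")]},
    {"RouteTableId": "rtb-ipv6-to-tgw-3",
     "Routes": [route("::/0", TransitGatewayId="tgw-00000000000000003")]},
]


if __name__ == "__main__":
    print("any transit gateway:", matching_route_tables(SAMPLE_ROUTE_TABLES))
    print("only tgw-...03:",
          matching_route_tables(SAMPLE_ROUTE_TABLES, "tgw-00000000000000003"))
```

A route to a specific prefix (rtb-specific-only) is not a default route, and an IPv6 default route (::/0) is treated the same as 0.0.0.0/0; whether the product's filter also covers IPv6 is not stated in the release notes.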

Bot Actions (23.4.4)

AZURE

  • The “Publish to Notification Topic with Target Selection” Bot action is now supported for Azure. Customers that wish to use this Bot action will need to grant the Azure Service Bus Data Owner role to their InsightCloudSec-associated Service Principal on the Service Bus resource the Bot action will run against. [ENG-24785]

Bug Fixes (23.4.4)

  • Removed the Insight “Cluster not using Role-Based Access Control” from the Azure CIS packs because it does not align with the benchmark. [ENG-25464]

  • Fixed a bug with Insight Exemption rules that would incorrectly assign an exemption to a resource during modification if it matched a rule that was bound to a limited number of cloud accounts. [ENG-25393]

  • We are now enqueueing a harvest of Private Images when we receive the ModifyImageAttribute event. This harvest is in addition to the Snapshot Permissions harvest. This change should ensure that when an image property updates – for example, the image is shared with another account or made public – its property is updated immediately. [ENG-25343]

  • Fixed a bug with the action “Assign Owner Tag To Resource” that was not correctly honoring the “Only Email Owners” option. [ENG-25285]

  • Fixed an edge case with AWS EDH event consumers where it was possible to get an intermittent AccessDenied error even though the IAM Role had full permissions. This change allows the consumer to durably retry and clear the error if it is indeed transient. [ENG-25256]

  • Expanded user entitlements to work with the Kubernetes Clusters & Host Vulnerability sections of the product. [ENG-25244]

  • Fixed an error in the AWS:ECSTaskHarvester where we were not accounting for ECS services without a linked task definition before passing task definition ARNs to follow-on calls. We’re now confirming that task definitions exist before attempting follow-on calls to retrieve further detail about them. [ENG-25110]

  • Fixed a bug that was preventing EIAM Federated Users from being fetched from an S3 bucket in the Access Explorer. [ENG-25066]

  • Updated our CreateTable event processing for AWS DynamoDB to re-enable the assignment of a creator tag. [ENG-25009]

  • Fixed a bug in the Insight listing that would show the same cloud multiple times if more than one badge scope was active. [ENG-24983]

  • Fixed a bug that referenced the wrong parent resource ID when harvesting CloudWatch Log Groups that are associated with App Runner resources. [ENG-24960]

  • Revised the remediation steps in the Insight “Cloud Account Without An Alarm for Unauthorized API Calls”. [ENG-24369]

  • Updated Insights Access List Exposes SSH to the Public (NACL) and Access List Exposes Windows RDP to the Public (NACL) to check the TCP protocol. [ENG-24211]

  • Added the ability to delete Azure Private Images. [ENG-24009]

  • Fixed a bug in the Azure WebApplicationFirewallHarvester where the relationships between WAFs and their associated resources were not being stored. [ENG-22851]
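The NACL fix in [ENG-24211] above turns on one detail: an inbound allow rule on port 22 or 3389 only exposes SSH or RDP if its protocol is TCP (protocol number "6") or all protocols ("-1"); a UDP-only rule on the same port does not. The following is an added example of that check, not InsightCloudSec's own Insight logic. It reads entries in the shape of an EC2 DescribeNetworkAcls response, walks them in RuleNumber order as the VPC does, and only lets internet-wide (0.0.0.0/0) rules decide public exposure; the ACL IDs and entries are constructed.

```python
"""Detect network ACLs that expose SSH (22) or RDP (3389) to the whole internet,
requiring the matching rule to actually cover TCP.

Added example, not InsightCloudSec code. Entry fields follow the layout of the
EC2 DescribeNetworkAcls response; the sample ACLs below are constructed.
"""

# EC2 NACL protocol numbers are strings: "-1" is all protocols, "6" is TCP, "17" is UDP.
ALL_PROTOCOLS = "-1"
TCP = "6"
UDP = "17"

EXPOSED_PORTS = {"ssh": 22, "rdp": 3389}
ANY_IPV4 = "0.0.0.0/0"


def protocol_is_tcp(protocol):
    """An all-protocols rule covers TCP; a UDP or ICMP rule on port 22 does not expose SSH."""
    return protocol in (ALL_PROTOCOLS, TCP)


def port_in_range(entry, port):
    """PortRange is absent on all-protocols entries, which then cover every port."""
    port_range = entry.get("PortRange")
    if port_range is None:
        return entry["Protocol"] == ALL_PROTOCOLS
    return port_range["From"] <= port <= port_range["To"]


def public_decision(entries, port):
    """Action of the first inbound, internet-wide rule that matches TCP traffic to port.

    Entries are evaluated in RuleNumber order, the way the VPC evaluates them.
    Rules on narrower CIDRs are skipped (assumption of this example): they cannot
    decide exposure to the whole internet either way. None means only the
    implicit deny-all applies.
    """
    inbound = sorted((e for e in entries if not e.get("Egress", False)),
                     key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if entry.get("CidrBlock") != ANY_IPV4:
            continue
        if not protocol_is_tcp(entry["Protocol"]):
            continue
        if not port_in_range(entry, port):
            continue
        return entry["RuleAction"]
    return None


def exposed_services(acl):
    """Names of services (ssh/rdp) this ACL allows from the public internet over TCP."""
    return sorted(name for name, port in EXPOSED_PORTS.items()
                  if public_decision(acl["Entries"], port) == "allow")


def make_entry(rule_number, action, protocol, cidr=ANY_IPV4, port=None):
    """Constructed inbound entry in DescribeNetworkAcls shape."""
    entry = {"RuleNumber": rule_number, "RuleAction": action, "Protocol": protocol,
             "CidrBlock": cidr, "Egress": False}
    if port is not None:
        entry["PortRange"] = {"From": port, "To": port}
    return entry


# Every NACL ends with the implicit "*" deny-all entry, numbered 32767.
DEFAULT_DENY = make_entry(32767, "deny", ALL_PROTOCOLS)

# Constructed sample ACLs (IDs are placeholders, not real resources).
SAMPLE_ACLS = {
    # Plain TCP/22 allow from anywhere: the classic finding.
    "acl-ssh-open": {"Entries": [make_entry(100, "allow", TCP, port=22), DEFAULT_DENY]},
    # UDP-only rule on port 22: a protocol-blind check would wrongly flag this.
    "acl-udp-22": {"Entries": [make_entry(100, "allow", UDP, port=22), DEFAULT_DENY]},
    # Allow-all rule exposes both services.
    "acl-allow-all": {"Entries": [make_entry(100, "allow", ALL_PROTOCOLS), DEFAULT_DENY]},
    # Lower-numbered deny for RDP wins over the later allow-all.
    "acl-deny-rdp-first": {"Entries": [make_entry(90, "deny", TCP, port=3389),
                                       make_entry(100, "allow", ALL_PROTOCOLS), DEFAULT_DENY]},
    # Allow only from a private range: not a public exposure.
    "acl-private-only": {"Entries": [make_entry(100, "allow", TCP, cidr="10.0.0.0/8", port=22),
                                     DEFAULT_DENY]},
}


def scan(acls=SAMPLE_ACLS):
    """Map ACL id -> exposed services, omitting ACLs with nothing exposed."""
    findings = {}
    for acl_id, acl in acls.items():
        exposed = exposed_services(acl)
        if exposed:
            findings[acl_id] = exposed
    return findings


if __name__ == "__main__":
    for acl_id, services in scan().items():
        print(f"{acl_id}: exposes {', '.join(services)} to {ANY_IPV4}")
```

The acl-udp-22 case is the one the fix addresses: without the protocol check it would be reported as an SSH exposure. The ordering rule matters too, since a lower-numbered deny for the same port and source stops a later allow-all from exposing that service.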

Required Policies & Permissions

📘 Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.