InsightCloudSec 23.4.11 Release Notes

Apr 11, 2023

InsightCloudSec is pleased to announce Release 23.4.11.

🚧 Important Changes to Review

Note on Database Migration for IaC Users

Releases after 23.3.28 include updates that can lead to long DB migrations for IaC users. The updates required a fix for a rare bug that could cause incomplete scan results to show in the UI. These updates also include preparations for some additional upcoming improvements for IaC Scanning.

  • Note: The more scans your environment contains, the longer this update may take.

InsightCloudSec Software Release Notice - 23.4.11 Release

Release Highlights (23.4.11)

InsightCloudSec is pleased to announce Release 23.4.11. This release includes a new guided onboarding experience for all supported Cloud Service Providers. 23.4.11 includes a new mimics release (v 1.1.0) with details on a new subcommand and a handful of bugfixes, support for Azure’s Storage Sync Service, and for GCP, the “DB instance” resource type now supports tagging. In addition, 23.4.11 includes two updated Query Filters, one new Query Filter, and eight bug fixes.

📘 Self-Hosted Deployment Updates (23.4.11)

Release availability for self-hosted customers is Thursday, April 13, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

New Permissions Required (23.4.11)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

🚧 New Permissions: Azure

For Azure Standard (Reader Role) Users:
“Microsoft.StorageSync/storageSyncServices/read”

For Azure Power User Role:
“Microsoft.StorageSync/*”

These permissions support the newly added Azure resource Storage Sync Service.

Features & Enhancements (23.4.11)

Introducing New Guided Cloud Onboarding

Beginning with 23.4.11 InsightCloudSec is pleased to introduce our new onboarding workflow. This workflow provides a guided experience for all of our supported Cloud Service Providers (CSP) for first time users and users who wish to onboard a new CSP or a new account for an existing CSP. Each supported CSP includes detailed instructions for both admin and non-admin users, as well as supporting product documentation.

Check out the Cloud Account Setup & Management docs page for some high-level information and links to the revised onboarding documentation.

As always we are interested in your feedback and are happy to answer questions on this new capability. Reach out to us through your CSM or the Customer Support Portal.

Resources (23.4.11)

AWS

  • With the announcement of support of TLS 1.3 by AWS, we have updated our Query Filters Load Balancer SSL Protocol Version and Resource Does Not Support TLS 1.2 Minimum to support TLS 1.3. We have also surfaced the SSL Protocols property in the UI so you can see which protocols are supported by the Load Balancer’s SSL Policies, which are already in the UI. [ENG-25111]

AZURE

  • We have added visibility and harvesting support for Azure’s Storage Sync Service. This resource can be found in the Storage category as a new Resource Type Azure FileSync. A new permission is needed: “Microsoft.StorageSync/storageSyncServices/read” for the Standard Reader role and “Microsoft.StorageSync/*” for the Power User role. [ENG-21830]

GCP

  • The “DB instance” resource type now supports tagging for GCP. In order to make use of this particular tagging functionality, the “Cloud SQL Admin” API (an API we already recommend) must be enabled and the following permission granted to the client being used with the cloud account in ICS: “cloudsql.admin”. [ENG-22316]

Multi-Cloud/General

  • Implemented resource submanagement table search; new feature allows for searching submanagement tab content in the resource panel. [ENG-25695]
  • Added network interface information for Deployments/Tasks resource types. [ENG-25426]

Query Filters (23.4.11)

AWS

  • Load Balancer SSL Protocol Version - Updated Query Filter now supports TLS 1.3 by AWS. [ENG-25111]

  • Resource Does Not Support TLS 1.2 Minimum - Updated Query Filter now supports TLS 1.3 by AWS. [ENG-25111]

AZURE

  • Serverless Function Trigger Type - New Query Filter identifies Serverless Functions based on the configured trigger(s), e.g., HTTP, Queue, CosmosDB, etc. [ENG-23468]

mimICS

Updates are for mimICS release v.1.1.0

Features (mimICS)

Bug Fixes (mimICS)

  • Fixed a bug where certain IaC results created by the mimics analyzer would display in the ICS UI without a resource name. [ENG-25735]

  • Fixed CVE-2023-27561 in mimics binary. [ENG-25632]

  • Fixed a bug where files created on Windows with UTF-16 encoding failed to parse. [ENG-25788]

Bug Fixes (23.4.11)

  • Made the “Harvester Jobs Table” diagnostic report asynchronous. Users will see the report with its timestamp available in the dropdown when ready. [ENG-25793]

  • Fixed an IaC scan bug that prevented Kinesis streams from being evaluated. [ENG-25787]

  • Fixed a bug where results for certain IaC scans could not display in the ICS UI. [ENG-25723]

  • Fixed a Layered Context advanced filtering issue with Threat Finding Last Detected Query Filter not working as expected:

    • Threat Finding Last Detected (filters on the last seen date of the ThreatFinding resource) was removed
    • Threat Finding Resource Last Detected (filters on the event last seen date of a resource found by the ThreatFinding resource) was added
      [ENG-25529]
  • Fixed an issue where transit encryption settings were not evaluated for SNS topics when running IaC scans. [ENG-25205]

  • Updated pagination logic on Identity Dashboard to reset to page 1 when filters are changed (update/add/remove filters). [ENG-24836]

  • Hardened Bot instruction handling of excluded days for daily schedules so that a user cannot exclude the whole week. [ENG-24615]

  • Updated the ICS Organization creation logic when copying data from an existing organization; we now copy all data collections and their data when copying an organization, so that Insights which reference those collections will continue to work. [ENG-14404]

📘 Required Policies & Permissions

**Policies required for individual CSPs are as follows:**

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.