Apr 18, 2023
InsightCloudSec is pleased to announce Release 23.4.18
🚧 **Important Changes to Review**
Client Certificates - Potential Breaking Changes
In this release, we upgraded the version of cryptography we use which places additional restrictions on the formatting of certificates used to authenticate to certain cloud providers like Azure. In certain cases, some Azure accounts may be configured with a badly-formatted client certificate which will now be rejected by cryptography. If you have any issues with Azure harvesting after updating to this release and you are using Client Certificate authentication for that cloud, please reach out to support for further remediation steps.
Refer to the following link for additional details.
Note on Database Migration for IaC Users
Releases after 23.3.28 include updates that can lead to long DB migrations for IaC users. The updates required a fix for a rare bug that could cause incomplete scan results to show in the UI. These updates also include preparations for some additional upcoming improvements for IaC Scanning.
- Note: The more scans your environment contains, the longer this update may take.
InsightCloudSec Software Release Notice - 23.4.18 Release
Release Highlights (23.4.18)
InsightCloudSec is pleased to announce Release 23.4.18. This release includes the addition of a new resource category - Machine Learning and AI, which also includes both the recategorization of four resource types and the addition of eight new resource types. 23.4.18 adds support for a new, no-cost AWS RDS capability, Storage Autoscaling, and also adds three new Insights linked to Azure CIS 1.5.0/Azure CIS 2.0.0. In addition, we have updated our ISO27001:2013 Compliance Pack to include many new Insights. 23.4.18 includes one updated Insight, four new Insights, 16 updated Query Filters, eight new Query Filters, one new Bot action, and 16 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
📘 Self-Hosted Deployment Updates (23.4.18)
Release availability for self-hosted customers is Friday, April 21, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>
Modules can be updated with the terraform get -update command.
New Permissions Required (23.4.18)
Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.
🚧 New Permissions: AWS
We have updated our read-only policies to include these permissions which are used to facilitate onboarding AWS accounts via AWS organizations and to connect with Kubernetes clusters.
AWS-Managed-Read-Only-Supplement.json, AWS-Read-Only-Policy1.json, and AWS-GovCloud-Read-Only-Policy1.json have added:
- "eks:AccessKubernetesApi"
AWS-Read-Only-Policy2.json and AWS-GovCloud-Read-Only-Policy2.json have added:
- "organizations:DescribeAccount"
- "organizations:ListAccountsForParent"
- "organizations:ListOrganizationalUnitsForParent"
- "organizations:ListRoots"
- "organizations:ListTagsForResource"
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
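As an added illustration (not part of these release notes and not InsightCloudSec's own tooling), the following Python helper checks whether a customer-managed IAM policy document already grants the actions listed above before you upgrade. The policy document in the block is a constructed sample, not a copy of the AWS-Read-Only-Policy files, and the function names are hypothetical.

```python
"""Check an IAM policy document for the read-only actions added in 23.4.18.

Added illustration, not InsightCloudSec tooling. The policy below is a
constructed sample, not the product's AWS-Read-Only-Policy files.
"""
import fnmatch
import json

# Actions named in the release notes (Policy1 / Policy2 files respectively).
REQUIRED_POLICY1_ACTIONS = ["eks:AccessKubernetesApi"]
REQUIRED_POLICY2_ACTIONS = [
    "organizations:DescribeAccount",
    "organizations:ListAccountsForParent",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListRoots",
    "organizations:ListTagsForResource",
]

# Constructed sample: already has the EKS action and an organizations:List*
# wildcard, but nothing that covers organizations:DescribeAccount.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "eks:AccessKubernetesApi", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "organizations:List*"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a bare string or a list in the Statement and Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Collect Action patterns from every Allow statement.

    Only explicit Allow/Action grants are considered: NotAction, Deny,
    Condition blocks and resource restrictions are out of scope here.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def action_is_allowed(action, patterns):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required):
    """Return the required actions that no Allow statement covers, in input order."""
    patterns = allowed_action_patterns(policy)
    return [a for a in required if not action_is_allowed(a, patterns)]


if __name__ == "__main__":
    for label, required in (("Policy1", REQUIRED_POLICY1_ACTIONS),
                            ("Policy2", REQUIRED_POLICY2_ACTIONS)):
        gaps = missing_actions(SAMPLE_POLICY, required)
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The check is deliberately a pre-flight on the policy text only: it ignores Deny statements, NotAction, Conditions and service control policies, so a clean result here is not proof of effective access. Treat it as a quick way to spot a policy file that was never updated, and confirm effective permissions with AWS's own IAM policy simulator.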
🚧 New Permissions: Azure
For Azure Standard (Reader Role) Users:
- "Microsoft.CognitiveServices/accounts/read"
For Azure Power User Role:
- "Microsoft.CognitiveServices/*"
These permissions support the newly added Azure resources Computer Vision, Content Moderator, Language Service, LUIS API, Open AI, Personalizer, Speech Services, and Translator.
Features & Enhancements (23.4.18)
NEW RESOURCE CATEGORY
We have added a new Resource top-level category to house all of our artificial intelligence- and machine learning-related resources: Machine Learning & AI. At a high level, we have moved four existing resources and have introduced eight new resources to this category. Review the Resources documentation for details.
- Moved Resource Types
  - Automation Account
  - Bot Service
  - Machine Learning Instance
  - Machine Learning Training Job
- New Resource Types
  - Computer Vision
  - Content Moderator
  - Language Service
  - LUIS API
  - Open AI
  - Personalizer
  - Speech Services
  - Translator
The eight new resource types currently support newly added visibility and harvesting for Azure-specific resources. A new permission—“Microsoft.CognitiveServices/accounts/read” for the Standard Role or “Microsoft.CognitiveServices/*” for the Power User role—is required. [ENG-24457]
ADDITIONAL FEATURES & ENHANCEMENTS
- We created a direct link to the Permissions tab of a given Principal. Upon opening the resource panel for a Principal within Identity Analysis, the URL changes to reflect the currently selected resource and tab; this URL can then be shared with others, taking them directly to that Resource Panel. [ENG-23872]
- Updated the history table on the Bots Overview page to allow users to change the pagination settings. [ENG-19881]
Resources (23.4.18)
AWS
- We have added support for a new, no-cost AWS RDS capability — Storage Autoscaling. With the new feature, AWS permits your RDS storage to grow as needed without manual intervention and downtime. We are harvesting the property, have added a Query Filter Database Instance Storage Autoscaling to find it, and added a BotFactory action “Modify Database Instance Storage Autoscaling” to enable it. [ENG-24583]
Insights (23.4.18)
ISO27001:2013 Pack
- We have revised our Compliance Pack ISO27001:2013 to include additional Insights we have added since this pack was last updated. This Compliance Pack now includes over 500 Insights. [ENG-24697]
AZURE
- Added three new Insights linked to Azure CIS 1.5.0/Azure CIS 2.0.0:
  - Cloud User with Privileged Access and without Multi-Factor Authentication - Identifies cloud users with owner/admin/contributor permissions which do not require multi-factor authentication.
  - Cloud Account without Custom Role Defined for Administering Resource Locks - Identifies cloud accounts, specifically Microsoft Azure Subscriptions, that are missing a custom role for lock administration.
  - Cloud Account with Open Source Microsoft Defender Disabled - Identifies cloud accounts that have Defender disabled for Open Source RDBMS resources.
  [ENG-3049, ENG-22390]
- Expanded the following Insights for compatibility with Microsoft Azure:
  - Cloud Policy with Full Access
  - Cloud Policy with Full Access In Use
  [ENG-3049, ENG-22390]
- Storage Sync Service Allows All Incoming Traffic - New Insight identifies Storage Sync services with a policy that allows all incoming traffic. [ENG-21832]
Query Filters (23.4.18)
Alibaba Cloud
- Cloud Account With Root API Access Key Present - Query Filter updated to support Alibaba Cloud edge case. [ENG-22390]
- Database Instance With/Without Required Flag - Query Filter renamed from Database Instance Without Required Flag and updated to identify database instances with or without the specified flag in place and configured with the appropriate value. [ENG-25790]
AWS
- Database Instance Storage Autoscaling - New Query Filter identifies database instances by whether their storage autoscaling is disabled (default) or enabled. [ENG-24583]
AZURE
- Cloud Account Missing Custom Policy With Permission(s) - New Query Filter identifies cloud accounts which do not contain a custom policy with one or more of the supplied permissions. [ENG-22390]
- Added two Query Filters for Azure File Sync Resources:
  - Storage Sync Service by Incoming Traffic Policy - Identifies all Storage Sync Service instances with a specific value of Incoming Traffic Policy.
  - Storage Sync Service Without Private Endpoints - Identifies all Storage Sync Service instances without private endpoints.
  [ENG-21831]
- Expanded the following Query Filters to support Azure:
  - Cloud Policy Attachment Count Equals or Exceeds Threshold - Note: Additionally changed Query Filter name from Cloud Policy Attachment Count is Equal To or Exceeds Threshold
  - Cloud Policy Attachment Count Equals or Below Threshold - Note: Additionally changed Query Filter name from Cloud Policy Attachment Count Equals or Below Threshold
  - Cloud Policy With Access To All Services/Resources
  - Identity Resource Contains Invalid Actions
  - Identity Resource With Wildcard Access (*:*)
  [ENG-3049, ENG-22390]
- Additional Azure Query Filter Updates:
  - Cloud Account Microsoft Defender Cloud App Access My Data Disabled - Name changed from Cloud Account with access for Microsoft Defender to Cloud App Data Disabled
  - Cloud Account Microsoft Defender Cosmos DB Set To 'Off' - Name changed from Cloud Account with Microsoft Defender for Cosmos DB Set To 'Off'
  - Cloud Account Microsoft Defender For Cloud Automatic Provisioning Of Monitoring Agent Not Enabled - Name changed from Cloud Account Microsoft Defender for Cloud Log Analytics agent/Azure Monitor agent Not Enabled (Azure)
  - Cloud Account Microsoft Defender For Cloud Status - Updated to support additional resource types
  - Cloud Account Microsoft Defender For Endpoint Integration Disabled - Name changed from Cloud Account with Microsoft Defender for Endpoint Integration disabled
  - Cloud Account Microsoft Defender For Open-Source Relational Databases Not Enabled - Name changed from Cloud Account Without Microsoft Defender For Open-Source Relational Databases Enabled
  [ENG-22390]
MULTI-CLOUD/OTHER
- Cloud Account With/Without Service Control Policy - Name changed from Cloud Account With Service Control Policy. [ENG-22390]
- Elasticsearch Instance Version - Updated Query Filter for additional flexibility; the Query Filter can now do a version comparison to find versions that are less than 7.9. It can also match more loosely, such as matching 7.10 to 7.10.0_with_X-Pack. Finally, it can search legacy and OpenSearch versions concurrently, e.g., searching less than 7.10 and OpenSearch_1.2 at the same time. [ENG-24985]
- Added three new Query Filters to help analyze instances running with agents:
  - Instance Operating System Platform - Identifies instances by their operating system platform. Of note, instance-level information is only available if the instance has an agent reporting the information.
  - Instance Operating System Distribution (Regex) - Identifies instances by their operating system distribution using a regular expression, e.g., ^Ubuntu. Of note, instance-level information is only available if the instance has an agent reporting the information.
  - Instance Agent Type - Identifies instances by agent, e.g., InsightVM.
  [ENG-21009]
- Network With/Without Resources - New Query Filter identifies networks hosting or not hosting resources by type. Of note, the filter uses OR logic. [ENG-19466]
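The Elasticsearch Instance Version filter described above mixes three behaviours that are easy to get subtly wrong: numeric (not string) comparison, loose prefix matching such as 7.10 against 7.10.0_with_X-Pack, and keeping legacy Elasticsearch and OpenSearch version lines apart while searching both at once. The Python below is an added illustration of how such a comparison can be built; it is not InsightCloudSec's implementation, the "~" loose-match operator and the function names are this example's own choices, and the instance inventory is constructed sample data.

```python
"""Version matching across Elasticsearch and OpenSearch version strings.

Added illustration, not the product's Query Filter code. Handles:
  - numeric comparison (7.10 is newer than 7.9, unlike string comparison)
  - loose prefix matching ("~"): 7.10 matches 7.10.0_with_X-Pack
  - separate version lines: OpenSearch_1.2 never satisfies an Elasticsearch bound
"""
import re

# Optional engine prefix (e.g. "OpenSearch_") followed by a dotted numeric version;
# any suffix such as "_with_X-Pack" is ignored.
_VERSION_RE = re.compile(r"^(?:(?P<engine>[A-Za-z]+)_)?(?P<nums>\d+(?:\.\d+)*)")


def parse_version(raw):
    """'OpenSearch_1.2' -> ('opensearch', (1, 2)); '7.10.0_with_X-Pack' -> ('elasticsearch', (7, 10, 0))."""
    match = _VERSION_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {raw!r}")
    engine = (match.group("engine") or "elasticsearch").lower()
    nums = tuple(int(part) for part in match.group("nums").split("."))
    return engine, nums


def _pad(a, b):
    """Right-pad with zeros so 7.9 and 7.9.0 compare equal rather than (7, 9) < (7, 9, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def version_matches(raw, op, target):
    """Compare one instance version against a target using op in <, <=, ==, >=, >, ~."""
    engine, nums = parse_version(raw)
    target_engine, target_nums = parse_version(target)
    if engine != target_engine:
        return False  # an Elasticsearch bound says nothing about OpenSearch, and vice versa
    if op == "~":
        return nums[:len(target_nums)] == target_nums  # loose: target is a prefix
    a, b = _pad(nums, target_nums)
    return {"<": a < b, "<=": a <= b, "==": a == b, ">=": a >= b, ">": a > b}[op]


def filter_instances(instances, criteria):
    """instances: (name, version) pairs; criteria: (op, target) pairs combined with OR."""
    return [name for name, version in instances
            if any(version_matches(version, op, target) for op, target in criteria)]


# Constructed sample inventory.
SAMPLE_INSTANCES = [
    ("logs-es-a", "7.8.1"),
    ("logs-es-b", "7.9.0"),
    ("logs-es-c", "7.10.0_with_X-Pack"),
    ("search-os-a", "OpenSearch_1.2"),
    ("search-os-b", "OpenSearch_2.3"),
]

if __name__ == "__main__":
    # Mirrors the release-note example: less than 7.10 OR exactly OpenSearch_1.2.
    print(filter_instances(SAMPLE_INSTANCES, [("<", "7.10"), ("==", "OpenSearch_1.2")]))
```

The padding step matters for the "less than 7.9" case: with plain tuple comparison, (7, 9) sorts before (7, 9, 0), so an instance on 7.9.0 would wrongly be reported as older than 7.9.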
Bot Actions (23.4.18)
AWS
- “Modify Database Instance Storage Autoscaling” - New Bot action enables database instance storage autoscaling. When enabled, the database instance’s storage will increase automatically as needed up to the set maximum value. This action can either set the maximum value explicitly (in GiB) or set the maximum value as an increase from the current storage value. If both parameters are selected, the larger increase will be used. Of note, the database instance must be Available for a modification to take place. Supports the newly added resource AWS Storage Autoscaling. [ENG-24583]
Bug Fixes (23.4.18)
- Updated Oracle policies to include a missing permission used to harvest storage containers and subnets. [ENG-26085]
- Fixed downloading of diagnostic reports resulting in a JSON intent even when there is an error. [ENG-26001]
- Fixed issues related to Client Certificates; upgraded the version of cryptography we use which places additional restrictions on the formatting of certificates used to authenticate to certain cloud providers like Azure. In certain cases, some Azure accounts may be configured with a badly-formatted client certificate which will now be rejected by cryptography. See callout at top of these notes. [ENG-25822]
- Addressed a TypeError in evaluation of the CFT intrinsic function Fn::Sub where arguments passed into the string.replace() function were not strings as expected. [ENG-25791]
- Fixed a bug with a Query Filter. Updated the name of the Query Filter Database Instance With/Without Required Flag to reflect that it finds database instances with flags; updated the corresponding logic. [ENG-25790]
- Fixed an issue with downloading CSVs from the Resource page. [ENG-25973]
- Fixed a bug where certain IaC results created by the mimICS analyzer would display in the ICS UI without a resource name. [ENG-25735]
- Fixed an issue with the Assessment Coverage column on the Cloud Accounts page affecting Azure and GCP results. [ENG-25732]
- Fixed a NoneType error in IaC CFT scans of S3 bucket resources that are configured with BucketKeyEnabled but without explicitly defined ServerSideEncryptionByDefault options. [ENG-25650]
- Fixed an issue with severity/boolean fields not displaying a label when the filter is set programmatically. [ENG-25477]
- Resolved an issue where EDH events from AWS Elastic Container Registry were improperly handled. [ENG-25470]
- Fixed an issue where Bots unnecessarily logged errors if one or more of their query filter data collections were emptied. [ENG-25413]
- Fixed an issue where harvesting AWS Workspaces may fail if there is a workspace in the “Pending” state. [ENG-25328]
- Updated our Infrastructure as Code logic to include AWS’s new definition of public for AWS Lambda functions that can be invoked by S3. More information can be found at the AWS remediation reference. [ENG-23746]
- Fixed an issue where harvesting jobs from a recently added cloud were not enqueued immediately due to immediate alterations to its harvesting strategy. [ENG-23135]
- Added network firewall attachment information to Azure Public IPs, which are shown in the Public IPs’ Related Resources tab. [ENG-21854]
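The Fn::Sub fix in the list above (ENG-25791) describes a classic IaC-evaluator failure mode: a template variable resolves to a non-string value (for example an int from a Number parameter), and str.replace() raises a TypeError. The Python below is an added illustration of that bug shape beside a coercing evaluator; it is not InsightCloudSec's CFT evaluator, and the template fragment and resolved context are constructed samples.

```python
"""Evaluate CloudFormation Fn::Sub when variable values are not strings.

Added illustration of the failure mode behind the Fn::Sub fix; this is not
InsightCloudSec's IaC evaluator. The node and context below are constructed.
"""
import re

# Matches ${Name}; CloudFormation's ${!Name} escape yields the literal text ${Name}.
_VAR_RE = re.compile(r"\$\{([^}]+)\}")


def naive_sub(template, variables):
    """The buggy shape: str.replace() with a non-string replacement raises TypeError."""
    for name, value in variables.items():
        template = template.replace("${" + name + "}", value)
    return template


def naive_sub_raises(template, variables):
    """True if the naive evaluator fails on this input (used to show the defect)."""
    try:
        naive_sub(template, variables)
    except TypeError:
        return True
    return False


def evaluate_fn_sub(node, context):
    """Evaluate {"Fn::Sub": string} or {"Fn::Sub": [string, {name: value}]}.

    context holds already-resolved parameters and pseudo parameters such as
    AWS::AccountId; the optional second element supplies local variables that
    override it. Every value is coerced with str(), which is the fix.
    """
    arg = node["Fn::Sub"]
    if isinstance(arg, str):
        template, local_vars = arg, {}
    elif (isinstance(arg, list) and len(arg) == 2
          and isinstance(arg[0], str) and isinstance(arg[1], dict)):
        template, local_vars = arg
    else:
        raise ValueError("Fn::Sub expects a string or [string, {name: value}]")
    merged = {**context, **local_vars}

    def replace(match):
        name = match.group(1)
        if name.startswith("!"):          # ${!Name} is an escape, not a variable
            return "${" + name[1:] + "}"
        if name not in merged:
            raise KeyError(f"unresolved Fn::Sub variable: {name}")
        return str(merged[name])          # ints, floats and other scalars are fine now

    return _VAR_RE.sub(replace, template)


# Constructed sample: a bucket ARN built from a Number parameter (Shard is an int).
SAMPLE_NODE = {"Fn::Sub": ["arn:aws:s3:::${Prefix}-${AWS::AccountId}-${Shard}",
                           {"Shard": 5}]}
SAMPLE_CONTEXT = {"Prefix": "logs", "AWS::AccountId": "123456789012"}

if __name__ == "__main__":
    print("naive evaluator raises:", naive_sub_raises("${Shard}", {"Shard": 5}))
    print(evaluate_fn_sub(SAMPLE_NODE, SAMPLE_CONTEXT))
```

Failing closed on an unresolved variable (the KeyError) is deliberate: silently leaving ${Name} in place would let a scanner evaluate a resource policy or ARN that never matches what CloudFormation would actually deploy.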
📘 Required Policies & Permissions
**Policies required for individual CSPs are as follows:**
Alibaba Cloud
AWS
- Commercial
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China Read Only Supplement
Azure
- Commercial
- GovCloud
GCP
- _For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage._
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.