Apr 25, 2023

23.4.25 Release Notes

🚧 **Important Changes to Review**

Client Certificates - Potential Breaking Changes
In 23.4.18, we upgraded the version of cryptography we use which places additional restrictions on the formatting of certificates used to authenticate to certain cloud providers like Azure. In certain cases, some Azure accounts may be configured with a badly-formatted client certificate which will now be rejected by cryptography. If you have any issues with Azure harvesting after updating to this release and you are using Client Certificate authentication for that cloud, please reach out to support for further remediation steps.
Refer to the following link for additional details.

[ENG-25822]

Note on Database Migration for IaC Users
Releases after 23.3.28 include updates that can lead to long DB migrations for IaC users. The updates required a fix for a rare bug that could cause incomplete scan results to show in the UI. These updates also include preparations for some additional upcoming improvements for IaC Scanning.
Note: The more scans your environment contains, the longer this update may take.

InsightCloudSec Software Release Notice - 23.4.25 Release

Release Highlights (23.4.25)

InsightCloudSec is pleased to announce Release 23.4.25. This release includes updates to our application UI/UX that provides a new look and feel and enables us to make continued navigation, performance, and architectural changes. We have also introduced a content Resource Center that enables access to content to explore after onboarding. Our recently revised cloud onboarding workflow has been updated to include companion videos for each supported cloud services provider. 23.4.25 introduces our new Identity Analysis capability with a unified location to explore principals for analysis and to remediate associated risk. This release also includes added support for Azure’s Cognitive Search service, as well as three updated Insights, one new Insight, three updated Query Filters, one new Query Filter, one new Bot action, and 20 bug fixes.

📘 Self-Hosted Deployment Updates (23.4.25)

Release availability for self-hosted customers is Thursday, April 27, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Modules can be updated with the terraform get -update command.

Features & Enhancements (23.4.25)

InsightCloudSec - UI/UX Updates

Beginning with 23.4.25 InsightCloudSec has updated our UI/UX. The updated appearance of the application offers a look and feel that aligns more closely with existing Rapid7 products. In addition, this switch to use React will allow us to continue to improve functionality, architecture, and performance throughout the application.

  • All navigation experiences are the same with two exceptions:
    • “Resource” category has been updated to “Inventory”, as shown in the image above
    • Manage Subscriptions functionality has an updated panel view with better overall usability

[ENG-21390]

Announcing - Identity Analysis
With 23.4.25 InsightCloudSec is pleased to announce our new Identity Analysis capability. Identity Analysis provides a unified location to view and explore principals and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more.

  • Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
  • Narrow the scope of your assessment with tools for search and filtering, and explore detailed information for individual principals.
  • Review permission usage summaries and remediation policies to take action on identified risks.

Check out our product documentation on Identity Analysis for additional details.

New Resource Center

Beginning with our 23.4.25 release InsightCloudSec now includes a content Resource Center. This feature provides access to post-onboarding recommendations from any page in the product. In addition to providing new users with access to helpful onboarding content it will also allow us to share announcements and other product details in a convenient permanent location.

  • Note: Popup blockers, privacy tools, and unchecking the InsightCloudSec License option "Help us improve by allowing us to collect anonymous usage and Insight data." can all prevent the Resource Center (delivered via Pendo) from displaying.

Onboarding Video Content
23.4.25 includes updates to our newly released Cloud Onboarding experience. With this release, onboarding has been updated to include videos of the process for each individual supported Cloud Service Provider to assist users with navigating and completing this process. [ENG-25401]

Additional Features & Enhancements

  • Fixed CVEs from guardrails dependencies for the following: CVE-2021-43565, CVE-2022-27191, CVE-2021-33194, CVE-2021-44716, CVE-2022-27664, CVE-2022-41723, CVE-2021-38561, CVE-2022-32149 [ENG-26230]

  • Enhanced the tracking of scheduled bot runs so they show in the history even when there is an issue. [ENG-26202]

  • Updated our LPA feature to display an error if a user has misconfigured settings. This update also adds a button to the error which navigates the user to the IAM Settings page. [ENG-23876]

  • Improved Authenticating Role resolution from the deployment context API. In the AWS Account onboarding form we infer the instance profile of the deployment, referred to as the Authenticating Principal. We improved the inference for self-hosted customers that don't have the value explicitly set as part of the deployment environment variables. To set the value explicitly, customers may use the DIVVY_IAM_PROFILE_ROLE_ARN environment variable. [ENG-25294]

Resources (23.4.25)

Alibaba Cloud

  • We have updated our Alibaba Cloud Storage Container harvesting to support ACL configurations. By doing so, we are able to add Alibaba Cloud support to the Query Filter Storage Container Exposing Specific Permissions and the Insights Storage Container Exposed to the Public via ACL and Storage Container with PHI Open to the Public. [ENG-26130]

AZURE

  • We have updated support for Azure's Cognitive Search resource. This Azure resource, previously called Search Service under the resource type Search Cluster, can now be found as Cognitive Search under the new resource type of the same name, and under the new category Machine Learning & AI. No new permissions are required. [ENG-22393]

Insights (23.4.25)

Alibaba Cloud

  • The following Insights have been updated to support Alibaba Cloud:
    • Storage Container Exposed to the Public via ACL
    • Storage Container with PHI Open to the Public
      [ENG-26130]

AZURE

  • Custom Role with all Resource Lock Permissions - New Insight returns Custom Roles with read, write, and delete permissions. It supports Azure Commercial, China, and GovCloud. [ENG-18740]

MULTI-CLOUD/OTHER

  • Resource does not Support TLS 1.2 - Insight expanded to work with Azure Redis and AWS Rest API/Elasticsearch domains. [ENG-25860]

Query Filters (23.4.25)

Alibaba Cloud

  • Storage Container Exposing Specific Permissions - Updated Query Filter includes Alibaba Cloud support. [ENG-26130]

AZURE

  • Custom Role with/without Resource Lock Permissions - New Query Filter allows users to view Azure Custom Roles that have the read, write and/or delete permissions; supports Azure Commercial, China, and GovCloud.
    • A multi-select field allows users to specify any combination of permissions; for example, selecting all three will return only the custom roles that are without those three permissions, and so on.
    • The Boolean field With Lock Type flips the result, returning the custom roles that have the selected permissions rather than those without them.
      [ENG-18740]
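The Insight and Query Filter above are both evaluations of Azure custom role definitions against the three resource-lock actions. The following is an added example (not InsightCloudSec code) of that evaluation: it reads role definitions in the shape of Azure's roleDefinitions API, resolves `*` wildcards and `notActions`, and applies the "any combination of permissions" selection with the With Lock Type flip. The role names and definitions are constructed sample data; the action strings are Azure's documented `Microsoft.Authorization/locks/*` actions. The reading of "without" as "holds none of the selected permissions" and "with" as "holds all of them" is an assumption of this example.

```python
"""Detection logic for Azure custom roles that can manage resource locks.

Added example, not InsightCloudSec code. Role definitions below are
constructed sample data in the shape of the Azure roleDefinitions API
(roleType, permissions[].actions / notActions).
"""
from fnmatch import fnmatchcase

# Azure's documented resource-lock actions.
LOCK_ACTIONS = {
    "read": "Microsoft.Authorization/locks/read",
    "write": "Microsoft.Authorization/locks/write",
    "delete": "Microsoft.Authorization/locks/delete",
}

# Constructed sample roles (names and definitions are not real data).
SAMPLE_ROLES = [
    {"roleName": "lock-admin", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/*"], "notActions": []}]},
    {"roleName": "broad-wildcard", "roleType": "CustomRole",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/locks/delete"]}]},
    {"roleName": "lock-reader", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/read"], "notActions": []}]},
    {"roleName": "vm-operator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []}]},
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
]


def _matches(action: str, patterns) -> bool:
    """Azure action strings allow '*' wildcards; compare case-insensitively."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def granted_lock_permissions(role: dict) -> set:
    """Return the subset of {'read', 'write', 'delete'} the role effectively grants.

    An action is effective when an 'actions' entry matches it and no
    'notActions' entry in the same permission block excludes it.
    """
    granted = set()
    for block in role.get("permissions", []):
        for name, action in LOCK_ACTIONS.items():
            if _matches(action, block.get("actions", [])) and not _matches(
                action, block.get("notActions", [])
            ):
                granted.add(name)
    return granted


def custom_roles_by_lock_permissions(roles, selected, with_lock_type=False):
    """Filter custom roles by resource-lock permissions.

    selected: any combination of 'read', 'write', 'delete'.
    with_lock_type=False -> roles holding NONE of the selected permissions.
    with_lock_type=True  -> roles holding ALL of the selected permissions.
    Built-in roles are skipped, as the filter covers custom roles only.
    (This with/without interpretation is an assumption of the example.)
    """
    selected = set(selected)
    out = []
    for role in roles:
        if role.get("roleType") != "CustomRole":
            continue
        have = granted_lock_permissions(role) & selected
        if with_lock_type and have == selected:
            out.append(role["roleName"])
        elif not with_lock_type and not have:
            out.append(role["roleName"])
    return out


if __name__ == "__main__":
    # Equivalent of the "all Resource Lock Permissions" Insight over the sample.
    print(custom_roles_by_lock_permissions(SAMPLE_ROLES, {"read", "write", "delete"},
                                           with_lock_type=True))
```

The wildcard handling is the part worth checking in any real implementation: a role whose `actions` is `*` grants the lock actions even though the string `Microsoft.Authorization/locks/write` never appears in it, and a `notActions` entry can take one of them back again, as `broad-wildcard` shows.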

MULTI-CLOUD/OTHER

  • Added the ability to Regex match for the following Query Filters:
    • Cloud Account Contains Identity Resource
    • Cloud Account Missing Identity Resource
      Regex matching can be enabled by selecting the toggle and entering a regular expression either as a singular expression, or a list of expressions to match on. [ENG-17425]

Bot Actions (23.4.25)

AWS

  • “Create Volume Snapshot With Tags” - New Bot action allows you to create a snapshot with all or some of the tags on the source volume. This functionality allows you to maintain tag compliance and provides the flexibility of selecting specific tags so as, for example, not to copy tags marking a resource for deletion. [ENG-24732]
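The tag-selection step behind an action like the one above is where the compliance value lives: which source tags are carried over, which are deliberately left behind, and which cannot be applied at all. The following is an added example, not InsightCloudSec's Bot action code, showing that step and the resulting `create_snapshot` parameters. The volume tags and the deletion-marker key `ics:scheduled-deletion` are constructed sample data; the `aws:` rule reflects AWS's reserved tag prefix, which a caller cannot set on a new resource.

```python
"""Selecting which source-volume tags to carry onto an EBS snapshot.

Added example, not InsightCloudSec code. VOLUME_TAGS and the
'ics:scheduled-deletion' marker are constructed sample data.
"""
from typing import Iterable, Optional

# Constructed sample: tags as EC2 returns them on a volume, including a
# CloudFormation-managed 'aws:' tag and a marker used by a cleanup bot.
VOLUME_TAGS = [
    {"Key": "Name", "Value": "app-data"},
    {"Key": "CostCenter", "Value": "4711"},
    {"Key": "Environment", "Value": "prod"},
    {"Key": "aws:cloudformation:stack-name", "Value": "app-stack"},
    {"Key": "ics:scheduled-deletion", "Value": "2023-05-01"},
]


def select_snapshot_tags(volume_tags, include_keys: Optional[Iterable[str]] = None,
                         exclude_keys: Iterable[str] = ()) -> list:
    """Return the tag list to apply to the snapshot.

    include_keys=None copies every user tag; otherwise only the listed keys.
    exclude_keys always wins, so a deletion marker is never propagated.
    Tags whose key starts with 'aws:' are dropped: the prefix is reserved by
    AWS and cannot be applied by the caller, so copying it would fail the call.
    """
    include = None if include_keys is None else set(include_keys)
    exclude = set(exclude_keys)
    chosen = []
    for tag in volume_tags:
        key = tag["Key"]
        if key.startswith("aws:") or key in exclude:
            continue
        if include is not None and key not in include:
            continue
        chosen.append({"Key": key, "Value": tag["Value"]})
    return chosen


def build_create_snapshot_params(volume_id: str, tags: list, description: str = "") -> dict:
    """Keyword arguments for boto3 ec2.create_snapshot(**params).

    Tags are attached at creation time via TagSpecifications, so the snapshot
    never exists in an untagged state between creation and a later CreateTags.
    """
    params = {"VolumeId": volume_id, "Description": description}
    if tags:
        params["TagSpecifications"] = [{"ResourceType": "snapshot", "Tags": tags}]
    return params


if __name__ == "__main__":
    # Copy all user tags except the deletion marker (volume id is a placeholder).
    tags = select_snapshot_tags(VOLUME_TAGS, exclude_keys={"ics:scheduled-deletion"})
    print(build_create_snapshot_params("vol-0123456789abcdef0", tags, "nightly"))
```

Attaching the tags through `TagSpecifications` rather than a second `CreateTags` call matters for tag-based access control and cost allocation: a snapshot that briefly exists without its `Environment` or `CostCenter` tag is exactly the gap a tag-compliance Insight would otherwise flag.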

Bug Fixes (23.4.25)

  • Azure Cloud Accounts that hit a 'Subscription Not Found Error' will now move to suspended state to avoid attempting to harvest. This error usually occurred from deleted subscriptions remaining in ICS. Note: Users will see this change in status on the Cloud Accounts page. [ENG-26230]

  • Fixed the Azure Storage Sync Service permission to prevent inaccurate surfacing in cloud visibility. [ENG-26221]

  • Fixed an issue with AWS CloudFormation template for IAM Role deployment: when the option to allow EventBridge to assume the Role for EDH purposes was disabled, the AssumeRolePolicy document was invalid. [ENG-26215]

  • Fixed an issue on the AWS Account onboarding form where the deployment IAM Role ARN was not shown on the first page. [ENG-26187]

  • Fixed a bug that would not update the cloud account state in the Cloud Summary view when the state was pending_closure. [ENG-26167]

  • Fixed a bug that would flag Azure SQL database instances as not supporting encryption at rest. [ENG-26161]

  • Fixed issue with broken direct links to Elasticsearch Instances. Updated our direct links to Elasticsearch Instances in AWS to match their internal change in URLs. [ENG-26157]

  • Hardened the BotFactory action “Attach Policy To Role” to surface exceptions raised by AWS to clarify when the action fails, for example, because the role already has the maximum allowed policy attachments. [ENG-26154]

  • Updated the harvesting of the Customer Managed property of Alibaba Cloud encryption keys. This change corrects the Query Filter results for Encryption Key Rotation Disabled. [ENG-26131]

  • Fixed a bug that prevented Azure Storage Account resources from being harvested when they have premium file shares activated. [ENG-26124]

  • Fixed an issue that prevented some Query Filters from working with IaC scanning. [ENG-26166]

  • Fixed a bug where IaC CFT scans could fail when Volume and Instance resources' fields used parameters but users didn't set parameters when initiating the scan. [ENG-26134]

  • Fixed an edge case related to viewing AWS routes on EDH-enabled systems after the parent route table was deleted. [ENG-26098]

  • Resolved an issue that may cause the "ContainerRegistryHarvester" to intermittently fail in AWS Gov or AWS China. [ENG-26089]

  • Resolved an error that occurred when closing a Resource blade. [ENG-25963]

  • Resolved an issue in Host Vulnerability Management where a list of errors per account previously showed "Invalid Date" for some error reasons. All errors should now display a valid date. [ENG-25550]

  • Resolved an issue where the labeling was overflowing the circular background. [ENG-25425]

  • Fixed a bug that occurred when multiple LPAAthenaSetupJob runs executed in parallel. [ENG-24557]

  • Updated our analysis of Azure Virtual Machines (VMs) that have no associated Network Security Group. This change surfaces the VMs as matches for these filters:

    • Instance Exposing Public RDP
    • Instance Exposing Public SSH
    • Instance Exposing All Ports
    • Instance Exposing Specific Port/Protocols
    • Instance Exposing Specific Ports
    • Instance Without Network Security Group Assignment (Azure)
      [ENG-24500]

📘 Required Policies & Permissions

**Policies required for individual CSPs are as follows:**

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.