InsightCloudSec 23.5.2 Release Notes

May 02, 2023

InsightCloudSec is pleased to announce Release 23.5.2

🚧 **Important Changes to Review**

Client Certificates - Potential Breaking Changes
In 23.4.18, we upgraded the version of the cryptography library we use, which places additional restrictions on the formatting of certificates used to authenticate to certain cloud providers such as Azure. Some Azure accounts may be configured with a badly formatted client certificate that the library will now reject. If you have any issues with Azure harvesting after updating to this release and you are using Client Certificate authentication for that cloud, please reach out to support for further remediation steps.

Refer to the following link for additional details.

InsightCloudSec Software Release Notice - 23.5.2 Release

Release Highlights (23.5.2)

InsightCloudSec is pleased to announce Release 23.5.2. This release updates two AWS resources with new properties: the properties Throttling Burst Limit and Throttling Rate Limit are now included with AWS API Gateway Stages, and the trusted_accounts property has been added to AWS Kinesis Firehose (Delivery Streams). 23.5.2 also includes a new mimICS release (v1.2.0) with three IaC-related updates.

In addition, 23.5.2 includes two new Insights, four updated Query Filters, seven new Query Filters, and 11 bug fixes.

📘 Self-Hosted Deployment Updates (23.5.2)

Release availability for self-hosted customers is Thursday, May 4, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

Features & Enhancements (23.5.2)

  • In the AWS Account onboarding form we infer the instance profile of the deployment, referred to as the Authenticating principal. We improved the inference for self-hosted customers that don’t have the value explicitly set as part of the deployment environment variables. To set the value explicitly, customers may use DIVVY_IAM_PROFILE_ROLE_ARN. [ENG-25294]

  • The IAM “Remediation Policy” tab has been renamed to “Remediation”. [ENG-26383]

Resources (23.5.2)

AWS

  • AWS Lambda now supports Python 3.10. We have updated our Query Filter Serverless Function By Runtime Language and our value of latest runtime accordingly. [ENG-26291]

  • We have modified the AWS WebApplicationFirewallHarvest job to run regionally versus globally to add harvest scheduling flexibility. [ENG-26323]

  • We have added the trusted_accounts property to AWS Kinesis Firehose (Delivery Streams) resources and added Delivery Streams support to Query Filters surfacing resources trusting unknown accounts, e.g.,

    • Resource Shared With Account
    • Resource Supporting Cross Account Access
    • Resource Trusting Account Outside Of Allowed List
    • Resource Trusting Unknown Account
    • Resource Trusting Unknown Account By Badge

    We have also surfaced the s3_destination and trusted_accounts properties in the UI. [ENG-16108]

  • We have added two properties to API Gateway Stages, Throttling Burst Limit and Throttling Rate Limit.

    • With these additional properties, we have added the following Query Filters:
      • Application Gateway/Stage Throttling Status
      • Application Gateway/Stage Throttling Burst Limit
      • Application Gateway/Stage Throttling Rate Limit
    • We have also added the Insight Application Gateway/Stage without Throttling Enabled.
    • Further, we have expanded support for the following Query Filters to support API Gateway Stages (in addition to API Gateways):
      • Application Gateway/Stage Without Transit Encryption
      • Application Gateway/Stage Without Access Logging
      • Application Gateway/Stage X-Ray Tracing Enabled
      • Application Gateway/Stage X-Ray Tracing Disabled
        [ENG-25293]

AZURE

  • A new field, “WAF Mode”, has been added to the Load Balancer resource for Azure. [ENG-24226]

Insights (23.5.2)

AWS

  • Application Gateway/Stage without Throttling Enabled - New Insight identifies application gateways with one or more stages that do not have throttling enabled. [ENG-25293]

Kubernetes

  • Containers allow PrivilegeEscalation enabled - New ICS Insight reports Kubernetes workloads (ReplicaSet, DaemonSet, stand-alone Pods, etc.) whose securityContext configuration allows privilege escalation. This Insight validates the securityContext setting allowPrivilegeEscalation, which controls whether a process can gain more privileges than its parent process. For more details about securityContext configuration, see the related Kubernetes documentation. [ENG-24226]
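The following check is an added example (not InsightCloudSec code) that applies the same rule as the Insight above to workload manifests: a container is reported unless securityContext.allowPrivilegeEscalation is explicitly false. It also reports privileged containers and containers that add CAP_SYS_ADMIN, since per the Kubernetes API documentation escalation is always allowed in those two cases regardless of the flag. The sample DaemonSet is constructed for illustration.

```python
from typing import Any

# Workload kinds that carry a pod template under spec.template.
TEMPLATED_KINDS = {"Deployment", "ReplicaSet", "DaemonSet", "StatefulSet", "Job"}


def pod_spec(workload: dict[str, Any]) -> dict[str, Any]:
    """Return the PodSpec of a stand-alone Pod or of a pod-template workload."""
    kind = workload.get("kind")
    if kind == "Pod":
        return workload.get("spec", {})
    if kind in TEMPLATED_KINDS:
        return workload.get("spec", {}).get("template", {}).get("spec", {})
    raise ValueError(f"unsupported kind: {kind}")


def find_privilege_escalation(workload: dict[str, Any]) -> list[str]:
    """Return one finding per container (init or regular) that can gain privileges."""
    findings: list[str] = []
    spec = pod_spec(workload)
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        # Normalise "CAP_SYS_ADMIN" and "sys_admin" to "SYS_ADMIN".
        caps = {c.upper().removeprefix("CAP_")
                for c in (sc.get("capabilities") or {}).get("add", [])}
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container, escalation always allowed")
        elif "SYS_ADMIN" in caps:
            findings.append(f"{name}: CAP_SYS_ADMIN added, escalation always allowed")
        elif sc.get("allowPrivilegeEscalation") is not False:
            # Unset means the no_new_privs flag is not applied, so escalation is allowed.
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    return findings


# Constructed sample: one hardened container and one with no securityContext.
SAMPLE_DAEMONSET = {
    "kind": "DaemonSet",
    "spec": {"template": {"spec": {"containers": [
        {"name": "agent", "securityContext": {"allowPrivilegeEscalation": False,
                                              "capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar"},
    ]}}},
}

if __name__ == "__main__":
    for finding in find_privilege_escalation(SAMPLE_DAEMONSET):
        print(finding)
```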

Query Filters (23.5.2)

AWS

  • Three new Query Filters support the additional properties of API Gateway Stages, Throttling Burst Limit and Throttling Rate Limit [ENG-25293]:

    • Application Gateway/Stage Throttling Burst Limit - Identifies application gateways and stages by their throttling burst limit. By default, the resources with limits below the value provided will be matched.
    • Application Gateway/Stage Throttling Rate Limit - Identifies application gateways and stages by their throttling rate limit. By default, the resources with limits below the value provided will be matched.
    • Application Gateway/Stage Throttling Status - Identifies application gateways and stages which do not have throttling enabled. Alternatively, find those resources that do have throttling enabled.
  • Expanded support for the following Query Filters to support API Gateway Stages (in addition to API Gateways) [ENG-25293]:

    • Application Gateway/Stage Without Transit Encryption
    • Application Gateway/Stage Without Access Logging
    • Application Gateway/Stage X-Ray Tracing Enabled
    • Application Gateway/Stage X-Ray Tracing Disabled

AZURE

  • Added the following Query Filters for Cognitive Search:
    • Cognitive Search Invalid Diagnostic Logging Configuration - Identifies Cognitive Search Services without proper diagnostic configuration. Those without diagnostic settings are also matched.
    • Cognitive Search Services with Public Network Access State - Identifies Cognitive Search Services by their public network access state.
    • Cognitive Search Services with API Access Control - Identifies Cognitive Search Services by their API access controls.
    • Cognitive Search Services Within Particular Resource Group - Identifies Cognitive Search Services within a particular resource group.
      [ENG-22395]

mimICS

The following updates are for mimICS release v1.2.0:

  • IaC Terraform Plan Parser [ENG-25627]
  • IaC Insights with Actionable Feedback - Terraform/AWS - CIS AWS 1.x [ENG-23522]
  • IaC Insights with Actionable Feedback - Terraform/AWS - AWS Foundational Security Best Practices [ENG-23701]

Bug Fixes (23.5.2)

  • Fixed bug introduced last month that prevented the harvesting of GCP CryptoKeys. [ENG-26799]
  • Updated the functionality to reintroduce Open-in-New-Tab for sidebar navigation items. [ENG-26636]
  • Fixed an issue with the BotFactory action Remove Unknown Accounts From Snapshot/Image Permissions to support Database Cluster snapshots. [ENG-26626]
  • We have updated the ISO27001:2013 and ISO27001:2002 packs, removing Insights linked to licenses that made the packs unusable for customers. [ENG-26608]
  • Fixed an issue involving attempted harvesting of AWS GovCloud Savings Plan information. We are no longer attempting to harvest Savings Plan information from AWS GovCloud, where it is not supported directly but only through purchases made via AWS Commercial. [ENG-26559]
  • Fixed a bug where new GCP Artifact Repositories weren’t harvesting. [ENG-26556]
  • Improved entitlement handling so that the absence of a user’s entitlement for an entitlement-requiring module is treated as disabled rather than as viewer access, which is the intended behavior. As a side effect, users in a group whose entitlements never included roles for entitlement-requiring modules will no longer be able to access those modules. If any unexpected behavior is experienced, an admin user should review the affected user group entitlements and re-save them, with or without updates. [ENG-26632]
  • Fixed an issue where entitlements for features that recently went GA (HVA, Threat Findings, Layered Context) weren’t included as available system entitlements. As a side effect, already-saved user group entitlements will not include values for the entitlements (HVA, Threat Findings, Layered Context) that become available with this fix. If any unexpected behavior is experienced, an admin user should review the affected user group entitlements and re-save them, with or without updates. [ENG-26362]
  • Fixed a bug involving the Instance action “Get Console Output”; updated the action to be selectively available from Resource Details when the Instance is hosted by AWS (commercial, China, GovCloud) and GCP and the Instance is in a running or available state. [ENG-26273]
  • Updated the system to include the K8s license by default, resolving an issue around the visibility of certain Compliance Packs. [ENG-25651]
  • Fixed a bug where bots that were interrupted were left stuck in an incorrect state. [ENG-24195]

📘 Required Policies & Permissions

**Policies required for individual CSPs are as follows:**

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.