InsightCloudSec 23.5.16 Release Notes

May 15, 2023

InsightCloudSec is pleased to announce Release 23.5.16

Release Highlights (23.5.16)

This release includes updates to the Jinja2 options, which now accept parameters that apply a delay. We have also made improvements to the Related Resources Graph. In addition, 23.5.16 includes one updated Insight, two new Insights, three updated Query Filters, four new Query Filters, two updated Bot actions, two new Bot actions, and five bug fixes.

📘 Self-Hosted Deployment Updates (23.5.16)

Release availability for self-hosted customers is Thursday, May 18, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

New Permissions Required (23.5.16)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

🚧 Updated Permissions: Alibaba Cloud

We have updated our standard Alibaba Cloud Read Only Policy to include permissions required to harvest resources. The updates include:

  • “elasticsearch:ListInstance”
  • “ram:GetRole”

[ENG-27069]

🚧 New Permissions: Azure

For Azure Standard (Reader Role) Users:

  • “Microsoft.AppConfiguration/configurationStores/read”

For Azure Power User Role:

  • “Microsoft.AppConfiguration/*”

These permissions support the newly added Azure resource App Configurations.

[ENG-26634, ENG-26761]

Features & Enhancements (23.5.16)

Calculated DateTime in Jinja Actions
We have updated the Jinja2 options event.get_date() and event.get_timestamp(), which are most commonly used with tags, to accept parameters that apply a delay (an offset from the event time). This option is most helpful when the tag key indicates a deadline, e.g., deadline_to_remove_public_access: Jun-09-2023. [ENG-20272]

Examples:

  • {{event.get_date()}} can be modified as {{event.get_date(days=30)}}
  • {{event.get_timestamp()}} can be modified as:
    • {{event.get_timestamp(unit="minutes", value=60)}}
    • {{event.get_timestamp(unit="hours", value=12)}}
    • {{event.get_timestamp(unit="days", value=7)}}
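As an added example (not InsightCloudSec code), the stand-in below mimics the documented parameters of event.get_date() and event.get_timestamp(), renders a deadline tag through a Jinja2 template, and checks whether a rendered deadline has already passed. The StubEvent class, render_tag, deadline_passed, the fixed event time and the "Jun-09-2023" date format are assumptions made for the example.

```python
# Added example (not InsightCloudSec code): a stand-in `event` object that
# mimics the documented event.get_date(days=...) and
# event.get_timestamp(unit=..., value=...) parameters, a Jinja2 render of a
# deadline tag, and an overdue check a reviewer could run against that tag.
from datetime import datetime, timedelta, timezone
from jinja2 import Environment

DATE_FMT = "%b-%d-%Y"  # assumption: matches the page's "Jun-09-2023" example


class StubEvent:
    """Hypothetical stand-in for the Bot event object (fixed clock, repeatable)."""

    def __init__(self, fired_at: datetime) -> None:
        self.fired_at = fired_at

    def get_date(self, days: int = 0) -> str:
        # Event date shifted forward by `days` (assumption: the delay is additive).
        return (self.fired_at + timedelta(days=days)).strftime(DATE_FMT)

    def get_timestamp(self, unit: str = "seconds", value: int = 0) -> int:
        # Epoch seconds of the event shifted by value*unit; unit is one of
        # "seconds", "minutes", "hours", "days" (the keywords timedelta accepts).
        return int((self.fired_at + timedelta(**{unit: value})).timestamp())


def render_tag(template: str, event: StubEvent) -> str:
    """Render a tag-value template with Jinja2, exposing the event as `event`."""
    return Environment(autoescape=False).from_string(template).render(event=event)


def deadline_passed(tag_value: str, now: datetime) -> bool:
    """True when a deadline tag rendered with DATE_FMT lies in the past."""
    deadline = datetime.strptime(tag_value, DATE_FMT).replace(tzinfo=timezone.utc)
    return now > deadline


if __name__ == "__main__":
    # Constructed event time: 2023-05-10 12:00 UTC.
    ev = StubEvent(datetime(2023, 5, 10, 12, 0, tzinfo=timezone.utc))
    tag = render_tag("{{event.get_date(days=30)}}", ev)
    print("deadline_to_remove_public_access:", tag)  # Jun-09-2023
    print(render_tag('{{event.get_timestamp(unit="hours", value=12)}}', ev))
    print(deadline_passed(tag, datetime(2023, 6, 10, tzinfo=timezone.utc)))  # True
```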

Improvements to Related Resources Graph

  • Added an orientation toggle to the Related Resources Graph. The default view is left to right (root node on the left, graph “grows” to the right); the toggle switches to top-down (root node on top, graph “grows” down). [ENG-25958]
  • Related Resources Graphs can now be printed. A graph can be positioned on the page by dragging it before printing. [ENG-25633]

Additional Features & Enhancements

  • Added search functionality to organization switch dropdown list. [ENG-26795]
  • Updated the configuration blade in the IaC configurations section to include a local exceptions toggle which can be used to select whether or not local exceptions are included. [ENG-26569]
  • Added logging every time a user pauses, resumes, or archives a Bot and included the option to attach notes/reasoning as to why the lifecycle change was made. [ENG-16731]

User Interface Changes (23.5.16)

  • Improved the Cloud Settings page for Accounts that are managed by a Cloud Organization. We have also added support for deleting a managed account and reduced the likelihood of that account being re-added. [ENG-26245]

Resources (23.5.16)

AWS

  • Added visibility into the IMDS version for AWS EMR Security Configurations and updated the Query Filter MapReduce Cluster Without Properly Configured Security Config to include an option to audit for v1. [ENG-26990]

  • Updated the provided AWS IAM policy for host assessment to respect resource tags for snapshot delete. [ENG-26297]

AZURE

  • We’ve added harvesting/visibility into Azure’s App Configurations resource. This newly supported resource can be found under the Compute category as the new resource type App Configuration. A new permission is required: “Microsoft.AppConfiguration/configurationStores/read”. [ENG-26634, ENG-26761]

  • Azure LPA users that leverage the “hub-and-spoke” of Azure infrastructure (multiple subscriptions linked to one Azure storage bucket) will now find that their Azure LPA auto-discovers and links those additional data flows (by examining the Azure LPA storage bucket contents). Removal/disablement is also linked. [ENG-26663]

  • We have added new properties to Storage Accounts related to blob soft delete and container soft delete settings. With these new properties, we have added new Query Filters, Storage Account Blob Soft Delete Setting and Storage Account Container Soft Delete Setting, and new Insights, Storage Account with Blob Soft Delete Disabled and Storage Account with Container Soft Delete Disabled. [ENG-26521]

Insights (23.5.16)

Updated AZURE CIS Packs

  • Updated the Azure CIS packs 1.5.0 and 2.0 by replacing the Insight Storage Container Without Access Logging with the Insight Storage Account Blob Service Logging Disabled. We found a discrepancy between the packs and updated them for consistency. Note: This update will affect metrics for the pack, as a new Insight will be evaluated against the customer’s Azure environment. [ENG-26941]

AWS

  • We have added AWS reference links to the Insight Resource does not Support TLS 1.2 to serve as an aid for understanding and remediation. [ENG-27080]

AZURE

  • Storage Account with Blob Soft Delete Disabled - New Insight identifies storage accounts that have Blob Soft Delete disabled. [ENG-26521]

  • Storage Account with Container Soft Delete Disabled - New Insight identifies storage accounts that have Container Soft Delete disabled. [ENG-26521]

Query Filters (23.5.16)

AWS

  • MapReduce Cluster Without Properly Configured Security Config - Updated Query Filter now includes an option to audit for IMDS v1. [ENG-26990]

AZURE

  • Instance with attached DNS Name - New Query Filter identifies instances that have the specified DNS name. Matching can be on either the DNS name or the Fully Qualified Domain Name. [ENG-14975]

  • Storage Account Blob Soft Delete Setting - New Query Filter identifies storage accounts that have Blob Soft Delete disabled (default) or enabled. [ENG-26521]

  • Storage Account Container Soft Delete Setting - New Query Filter identifies storage accounts that have Container Soft Delete disabled (default) or enabled. [ENG-26521]

MULTI-CLOUD/GENERAL

  • Updated two Query Filters to make them more flexible: [ENG-27081]

    • Load Balancer Instance Count is now called Load Balancer Classic Instance Count to reflect that it applies only to Alibaba Cloud and AWS classic load balancers. It now also offers an option to match load balancers whose instance count is less than or equal to (or satisfies another comparison against) a given value.
    • Load Balancer Instance Count Below Threshold is now called Load Balancer Instance Count to reflect that it now offers an option to match load balancers whose instance count is less than or equal to (or satisfies another comparison against) a given value.
  • Resource Trusting Specific Account - New Query Filter identifies resources that have a trust relationship with a specified account. [ENG-27077]

Bot Actions (23.5.16)

AWS

  • “Publish to AWS Cloudwatch” - We have added the ability to “skip duplicates” on this BotFactory action. This enhancement can reduce noise when reviewing logs and eliminate duplicate notices. [ENG-26603]

MULTI-CLOUD/GENERAL

  • “Delete Badge From Cloud Account” - New Bot Action allows the deletion of badges (badge key/value pairs) from Cloud Accounts. [ENG-26785]
  • “Send Bulk Email” - We have added a “cc” option to the BotFactory action “Send Bulk Email”. The carbon copy option will send a single email with all recipients identified on the cc: line. [ENG-26789]
  • “Update Content Delivery Viewer Protocol Policy” - New BotFactory action, when used in conjunction with the Query Filter Content Delivery Network Not Requiring HTTPS, allows users to create a bot that automatically updates viewer protocol policies to “redirect-to-https” or “https only”, when a content delivery network is created and/or modified. [ENG-25804]

Bug Fixes (23.5.16)

  • Fixed a bug where the sidenav for the Security Posture resource wasn’t accessible. [ENG-27182]

  • Fixed a false positive seen with the Volume Without Recent Snapshot Query Filter. [ENG-27108]

  • Added missing tag support for IaC terraform scans containing aws_iam_policy resources. [ENG-26993]

  • Fixed a bug where opening Insights resulted in a new window or tab causing the page to escape frame. [ENG-26617]

  • Fixed an issue where transit encryption settings were not evaluated for SNS topics when running IaC scans. [ENG-25205]

📘 Required Policies & Permissions

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.