May 22, 2023
InsightCloudSec is pleased to announce Release 23.5.23
Release Highlights (23.5.23)
InsightCloudSec is pleased to announce Release 23.5.23. This release includes one new resource, AWS Amazon Connect, and one updated resource type as well as a new Critical Security Controls Insight Pack and minor updates to how permissions are visualized within the Identity Analysis feature.
In addition, 23.5.23 includes six new query filters, one new bot action, and 13 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
📘 Self-Hosted Deployment Updates (23.5.23)
Release availability for self-hosted customers is Thursday, May 25, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>
Modules can be updated with the `terraform get -update` command.
New Permissions Required (23.5.23)
Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.
🚧 New Permissions: AWS
For AWS Commercial Read Only Users and GovCloud Standard (Read-Only) Users:
- “connect:DescribeInstanceStorageConfig”
- “connect:ListInstances”
- “connect:ListInstanceStorageConfigs”
For AWS Commercial Power Users and AWS GovCloud Power Users:
- “connect:*”
These permissions support the newly added Amazon Connect resource. [ENG-23971]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies.
Features & Enhancements (23.5.23)
Additional Features & Enhancements
- Updated Local Exceptions to Dev Exceptions for consistency and clarity. [ENG-27335]
- Users can now create/update Insight Exemption Rules and associate multiple resource types with the updated rule. [ENG-26223]
- The unassessed permission count has been removed from the Identity Analysis visualization (seen under the “Permissions” column within the table). Hovering your mouse over the visualization reveals a tooltip that contains the count of used, unused, and unassessed permissions. [ENG-27095]
Resources (23.5.23)
AWS
- We have added the “Enable Encryption” action to resource details for Delivery Streams (AWS Kinesis Firehose). [ENG-20132]
- We’ve added harvesting/visibility into Amazon’s Connect service. This newly supported resource can be found under the Compute category as the new resource type Connect Instance. New permissions are required: “connect:DescribeInstanceStorageConfig”, “connect:ListInstances”, “connect:ListInstanceStorageConfigs”.
AZURE
- We’ve moved the existing Azure Service Bus resource under the Compute category as the new resource type Message Queue Namespace.
- A delete action, as well as an action to disable public network access, has been added for Azure App Configurations. A new permission is required in order to use these actions: “Microsoft.AppConfiguration/configurationStores/write”. [ENG-26763]
- Included an opt-in option to look up resource tags from the parent Azure Resource Group when exporting resource CSVs from the Compliance Scorecard where the resource itself does not have the corresponding tag. [ENG-25803]
Insights (23.5.23)
New Compliance Pack: Critical Security Controls Version 8 Pack
- We have created the Critical Security Controls Version 8 Pack. The Critical Security Controls Version 8 Pack (CIS Controls v8) is a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software. [ENG-24698]
Query Filters (23.5.23)
AWS
Encryption Key With Default Policy Attached
- New Query Filter identifies AWS KMS encryption keys that have the default IAM policy for permissions. [ENG-24582]
Resource Not Provisioned Using Terraform
- New Query Filter identifies AWS resources that were provisioned by a mechanism other than Terraform. [ENG-26147]
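The “Encryption Key With Default Policy Attached” filter above looks for keys whose key policy is still the one AWS generates when no policy is supplied: a single statement granting kms:* to the account root, which delegates all access decisions to IAM identity policies in that account. The following is an added example, not InsightCloudSec code, showing how such a check can be expressed over key policy documents. The account ID, key IDs and policies are constructed placeholders; the check also accepts the bare account ID as principal, which AWS treats as equivalent to the root ARN.

```python
import json
from typing import List

# Constructed placeholder account; not a real AWS account.
ACCOUNT_ID = "111122223333"

# The policy AWS attaches when a key is created without an explicit policy.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# A key policy that was deliberately scoped to an admin role and an application role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*", "kms:ScheduleKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
        },
    ],
})

# The same grant as the default, written with the bare account ID and a single (non-list) statement.
DEFAULT_POLICY_SHORT_PRINCIPAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_ID},
        "Action": ["kms:*"],
        "Resource": "*",
    },
})


def _as_list(value):
    """IAM documents allow a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_default_key_policy(policy_json: str, account_id: str) -> bool:
    """True when the policy is exactly the AWS-generated default: one unconditional
    Allow of kms:* on * to the account root (or the equivalent bare account ID)."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    if len(statements) != 1:
        return False
    stmt = statements[0]
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False  # "*" or a service principal is a different situation, not the default
    root_arn = f"arn:aws:iam::{account_id}:root"
    aws_principals = {
        root_arn if p == account_id else p
        for p in _as_list(principal.get("AWS", []))
    }
    return (
        stmt.get("Effect") == "Allow"
        and aws_principals == {root_arn}
        and _as_list(stmt.get("Action")) == ["kms:*"]
        and _as_list(stmt.get("Resource")) == ["*"]
        and "Condition" not in stmt
    )


def keys_with_default_policy(keys) -> List[str]:
    """Return the IDs of keys whose policy is the default one."""
    return [k["key_id"] for k in keys if is_default_key_policy(k["policy"], k["account_id"])]


# Constructed inventory of three keys in the placeholder account.
SAMPLE_KEYS = [
    {"key_id": "key-a", "account_id": ACCOUNT_ID, "policy": DEFAULT_POLICY},
    {"key_id": "key-b", "account_id": ACCOUNT_ID, "policy": SCOPED_POLICY},
    {"key_id": "key-c", "account_id": ACCOUNT_ID, "policy": DEFAULT_POLICY_SHORT_PRINCIPAL},
]

if __name__ == "__main__":
    print(keys_with_default_policy(SAMPLE_KEYS))
```

The check is deliberately strict: any added statement, principal, or condition means someone has scoped the key, so the key is no longer reported. A key with the default policy is not necessarily misconfigured, but it is one whose effective access is entirely whatever the account’s IAM policies say, which is what the filter is meant to surface for review.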
AZURE
- Four query filters support the new Azure Service Bus resource:
Message Queue Namespace With Local Authentication
- Identifies service buses that support local authentication. [ENG-26141]
Azure Service Bus Publicly Accessible
- Identifies service buses that are configured to allow network access from the public. [ENG-26812]
Message Queue Namespace Minimum TLS Version
- Identifies message queue namespaces based on minimal TLS version configured. [ENG-26812]
Message Queue Namespace Type
- Identifies message queue namespaces by a particular type. [ENG-26812]
Bot Actions (23.5.23)
- “Disable Service Bus Public Access” - New Bot action automates disabling public access for Azure Service Bus resources. Note: Users must have sufficient permission granted to their app registration to modify the service bus access using this action. [ENG-22652, ENG-26812]
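The four Service Bus query filters above and the “Disable Service Bus Public Access” bot action all operate on a handful of namespace properties. The following is an added example, not InsightCloudSec code, that evaluates constructed namespace records against those same conditions and shows the desired-state change the bot action makes. The property names (disableLocalAuth, publicNetworkAccess, minimumTlsVersion, sku.tier) follow the Microsoft.ServiceBus/namespaces resource schema as I know it, and treating a missing publicNetworkAccess as Enabled is an assumption; the namespace names and values are made up.

```python
import copy
from typing import Dict, List

# Constructed sample namespaces shaped like Microsoft.ServiceBus/namespaces resources.
SAMPLE_NAMESPACES = [
    {"name": "sb-prod", "sku": {"tier": "Premium"},
     "properties": {"disableLocalAuth": True, "publicNetworkAccess": "Disabled",
                    "minimumTlsVersion": "1.2"}},
    {"name": "sb-legacy", "sku": {"tier": "Standard"},
     "properties": {"disableLocalAuth": False, "publicNetworkAccess": "Enabled",
                    "minimumTlsVersion": "1.0"}},
    # Properties left unset on purpose, to exercise the default handling below.
    {"name": "sb-dev", "sku": {"tier": "Basic"}, "properties": {}},
]


def _tls_tuple(version: str):
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def supports_local_auth(ns: dict) -> bool:
    """SAS (local) authentication stays on unless disableLocalAuth is explicitly true."""
    return not ns["properties"].get("disableLocalAuth", False)


def is_publicly_accessible(ns: dict) -> bool:
    """Assumption: a missing publicNetworkAccess behaves as Enabled."""
    return ns["properties"].get("publicNetworkAccess", "Enabled") == "Enabled"


def minimum_tls_state(ns: dict, floor: str = "1.2") -> str:
    """'ok', 'below-floor', or 'unset' when the namespace does not state a minimum."""
    version = ns["properties"].get("minimumTlsVersion")
    if version is None:
        return "unset"
    return "below-floor" if _tls_tuple(version) < _tls_tuple(floor) else "ok"


def namespace_type(ns: dict) -> str:
    """The tier (Basic/Standard/Premium) used by the 'Message Queue Namespace Type' filter."""
    return ns["sku"]["tier"]


def evaluate(namespaces) -> Dict[str, List[str]]:
    """Map each namespace name to the list of checks it fails (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    for ns in namespaces:
        hits = []
        if supports_local_auth(ns):
            hits.append("local-auth-enabled")
        if is_publicly_accessible(ns):
            hits.append("public-network-access")
        tls = minimum_tls_state(ns)
        if tls != "ok":
            hits.append(f"min-tls-{tls}")
        findings[ns["name"]] = hits
    return findings


def disable_public_access(ns: dict) -> dict:
    """Return a copy with public network access turned off; this is the desired-state
    change the bot action applies to the live resource. The input is left untouched."""
    fixed = copy.deepcopy(ns)
    fixed["properties"]["publicNetworkAccess"] = "Disabled"
    return fixed


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_NAMESPACES).items():
        print(name, hits or "clean")
```

The remediation function only rewrites the one property the bot action changes; disabling local authentication or raising the TLS floor are separate changes with their own client impact (SAS-based clients stop working, older TLS clients stop connecting), which is why the product exposes them as filters to review rather than bundling them into the same action.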
Bug Fixes (23.5.23)
- Fixed an issue with incorrect tagging: added a secondary check when examining whether an AWS ECS Cluster is using Fargate. The secondary check surfaces clusters that do not have Fargate tasks in a running or pending state and do not have an active or draining Fargate service, so this update will likely increase the count of ECS Clusters using Fargate. [ENG-27390]
- Fixed an issue with AWS Custom/Inline Policies failing to display in Resource Properties. [ENG-27373]
- Fixed an issue with inability to add system badges to custom packs from the Web console. Added the ability to use system badges in our updated Insight Pack Creation wizard. System badges include badges that scope to cloud-specific accounts like AWS or Azure, for example. [ENG-27359]
- Fixed an issue during Oracle Cloud onboarding where, if the CloudGuard service was disabled for the Oracle tenant, the form would show an error indicating incorrectly that the cloud failed to add successfully. [ENG-27319]
- Fixed a bug where the UI would not let users proceed in the Add Cloud/Onboarding flow. [ENG-27282]
- Fixed an issue with the inability to migrate standalone cloud accounts from one ICS organization to another. [ENG-27257]
- We are no longer de-duplicating the BotFactory action Post Request To URL, so that action can be taken multiple times in a single bot if desired. [ENG-27216]
- Fixed an issue where security groups were incorrectly showing as not having flow logs enabled. [ENG-26950]
- Fixed an issue where application segmentation was incorrectly included when navigating to exemptions from the Insights page. [ENG-26863]
- Fixed an issue where we failed to re-add missing schedules from a bot’s scheduled events table. [ENG-26637]
- Fixed a bug where opening Insights results in a new window or tab caused the page to escape the frame. [ENG-26617]
- Fixed an issue where some EventConsumer runs partially fail when there are duplicate events using EDH Organization CloudTrail. [ENG-26123]
- Fixed a bug that prevented display of the loading bar in the Resource Search dialog window. [ENG-12339]
📘 Required Policies & Permissions
**Policies required for individual CSPs are as follows:**
Alibaba Cloud
AWS
- Commercial
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China Read Only Supplement
Azure
- Commercial
- GovCloud
GCP
- _For GCP, since permissions are tied to APIs, there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage._
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM or the Customer Support Portal.