InsightCloudSec 23.6.6 Release Notes

Jun 06, 2023

InsightCloudSec is pleased to announce Release 23.6.6

Release Highlights (23.6.6)

This release includes automatic account discovery for AWS, GCP, and Azure Organizations; look-and-feel and performance improvements to several parts of the InsightCloudSec interface; Azure and GCP support for the Host Vulnerability Management feature; and a script-driven/automated onboarding solution for Azure cloud accounts. In addition, 23.6.6 includes 6 new or updated Insights, 11 new or updated Query Filters, 23 bug fixes, and various general improvements to Resources, Bots, Infrastructure as Code, and the user interface.

📘 Self-Hosted Deployment Updates (23.6.6)

Release availability for self-hosted customers is Thursday, June 8, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

Permissions Update (23.6.6)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

🚧 Updated Permissions: Azure

For Azure Commercial Read Only users and Azure GovCloud Standard (Read-Only) Users:

  • “Microsoft.Storage/storageAccounts/blobServices/read” (actions permission)
  • “Microsoft.KeyVault/vaults/*/read” (dataActions permission)
  • “Microsoft.KeyVault/vaults/secrets/readMetadata/action” (dataActions permission)

These permissions support bug fixes. [ENG-27382, ENG-27818]
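As an added example (not InsightCloudSec code), the following Python script checks whether an Azure custom role definition, in the JSON shape shown under Bug Fixes [ENG-27382], grants the three permissions listed above. The required strings are taken from this section; the role documents are constructed samples; and the wildcard handling is an assumption that approximates Azure's convention, where `*` in a role's action pattern matches any characters, so a deny pattern narrower than a required wildcard is not detected.

```python
"""Check an Azure custom role definition for the permissions listed in the
InsightCloudSec 23.6.6 release notes (added example, not vendor code)."""
import fnmatch
import json

# Required permissions from "Updated Permissions: Azure" in the release notes.
REQUIRED_ACTIONS = ["Microsoft.Storage/storageAccounts/blobServices/read"]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/*/read",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
]


def _matches(required, pattern):
    """Assumed Azure-style match: '*' in a role pattern stands for any
    characters, including '/'-separated segments (fnmatch behaves the same).
    The required string is treated literally, even when it contains '*'."""
    return fnmatch.fnmatchcase(required, pattern)


def _granted(required, allowed, denied):
    """A permission is effective when some allow pattern matches it and no
    deny (notActions / notDataActions) pattern matches it. A deny narrower
    than a required wildcard is not detected by this simplification."""
    return any(_matches(required, p) for p in allowed) and not any(
        _matches(required, p) for p in denied
    )


def missing_permissions(role_definition):
    """Return the required entries the role does not grant, keyed by
    permission type. Two empty lists mean the role is sufficient."""
    blocks = role_definition["properties"]["permissions"]

    def collect(key):
        # Azure allows several permission blocks per role; merge them.
        return [entry for block in blocks for entry in block.get(key, [])]

    return {
        "actions": [
            r for r in REQUIRED_ACTIONS
            if not _granted(r, collect("actions"), collect("notActions"))
        ],
        "dataActions": [
            r for r in REQUIRED_DATA_ACTIONS
            if not _granted(r, collect("dataActions"), collect("notDataActions"))
        ],
    }


def check_role_json(text):
    """Parse a role definition JSON document and report what is missing."""
    return missing_permissions(json.loads(text))


# Constructed sample 1: the role shape from the release notes, which carries
# the Key Vault dataActions but no blobServices read action.
ROLE_FROM_NOTES = json.dumps({
    "properties": {
        "roleName": "RoleName",
        "description": "Role description.",
        "assignableScopes": ["/subscriptions/<subscription-id>"],
        "permissions": [{
            "actions": [],
            "notActions": [],
            "dataActions": [
                "Microsoft.KeyVault/vaults/*/read",
                "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
            ],
            "notDataActions": [],
        }],
    }
})

# Constructed sample 2: the same role with the storage action added.
ROLE_COMPLETE = json.dumps({
    "properties": {
        "roleName": "RoleName",
        "description": "Role description.",
        "assignableScopes": ["/subscriptions/<subscription-id>"],
        "permissions": [{
            "actions": ["Microsoft.Storage/storageAccounts/blobServices/read"],
            "notActions": [],
            "dataActions": [
                "Microsoft.KeyVault/vaults/*/read",
                "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
            ],
            "notDataActions": [],
        }],
    }
})

if __name__ == "__main__":
    for label, doc in (("notes role", ROLE_FROM_NOTES), ("complete role", ROLE_COMPLETE)):
        print(label, "missing:", check_role_json(doc))
```

Run it against a role exported with `az role definition list` (or the JSON you are about to submit) to confirm the harvesters will have what they need before re-running a cloud scan.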

Features & Enhancements (23.6.6)

  • Implemented Account Discovery within the Onboarding Wizard and Add Cloud Wizard. This implementation enables the onboarding experience to drive the user to enable automatic child/member account discovery for AWS/GCP/Azure directly from onboarding. [ENG-27202]

  • We have implemented UI improvements to the following areas of the product:

    • Insights [ENG-27049]
    • Cloud Listing and Cloud Details [ENG-27496]
    • Scheduled Events [ENG-27500]
    • Bot Factory [ENG-27498]
  • Added an automated/script-based path for onboarding Azure clouds and/or organizations. [ENG-26960]

  • InsightCloudSec now supports Azure and GCP for the Host Vulnerability Management feature. Please review the Configuration page for details on setting up your Azure and GCP environments. [ENG-25480]

User Interface Changes (23.6.6)

  • Renamed the drop-down options on the “Risk Factor” advanced filter. The options now appear as:

    • Trust unknown or third party accounts
    • Cross Account Access
    • At risk of Privilege Escalation
    • Multi-Factor Authentication Disabled
    • Inactive in the past 90 days
      [ENG-27384]
  • Added Risk Factors visualization widget to Identity Analysis page. [ENG-27232]

  • Made a styling improvement to the help text for Credential Configuration on the cloud settings page. [ENG-27153]

  • The support video for the AWS Introduction step of cloud onboarding is now shown only when AWS Gov/China is selected. [ENG-27087]

  • Updated Identity Analysis “Insight Finding” Advanced Filter to only show options that support Cloud User and Cloud Role resource types. [ENG-27436]

  • Moved the “MANAGE KUBERNETES API KEY” button from Cloud Accounts page to Kubernetes Cluster page. [ENG-25390]

Resources (23.6.6)

AWS

  • We have added four new events to our EDH harvesting for AWS Lambda Layers. The events are:

    • AddLayerVersionPermission
    • DeleteLayerVersion
    • PublishLayerVersion
    • RemoveLayerVersionPermission
      [ENG-27503]
  • We have added the ability to delete AWS VPC Flow Logs via Resource Details and BotFactory. [ENG-27637]

  • If AWS LPA is not configured, the Policy Stack is still available for viewing; we have added a link to the Policy Stack within the “LPA not configured” error so that it can still be reached. [ENG-27255]

AZURE

  • Azure Serverless functions now harvest the publicly_accessible property. They are now also included in the Resource Exposed to Public Query Filter. Because of this, the Serverless Function Exposed To Public Via Parent Web App Query Filter that is specific to Azure Serverless Functions has been removed. Note: Any Bots using this removed filter should now be reconfigured to use the Resource Exposed to Public Query Filter instead. [ENG-27300]

GCP

  • Added GCP recommendations to related resources tab for principals (ServiceUser & ServiceRole). Added content field to RecommendationFindings detail API call. The content field contains a string of the JSON content for the RecommendationFinding. This was added to facilitate the UI showing the permissions that will be removed/changed if a Recommendation is applied. [ENG-27277]

MULTI-CLOUD/GENERAL

  • The Storage Account resource type now supports scheduled deletion in BotFactory. [ENG-23982]

Insights (23.6.6)

AZURE

  • Updated Principals with Unused Permissions Insight to support the following clouds:
    • Microsoft Azure
    • Microsoft Azure China
    • Microsoft Azure Gov
      [ENG-27433]
  • Added the following new Insights for the Azure App Config resource:
    • App Configuration with Public Network Access - Used to identify App Configurations with public network access enabled
    • App Configuration Invalid Diagnostic Logging Configuration - Used to identify App Configurations with an invalid diagnostic logging configuration
    • App Configuration without Managed Identity - Used to identify App Configurations without a Managed Identity
    • App Configuration Not Encrypted with Customer Managed Key - Used to identify App Configurations that aren’t encrypted with a customer-managed key
    • App Configuration Without Purge Protection - Used to identify App Configurations without purge protection enabled
      [ENG-26762]

MULTI-CLOUD/GENERAL

  • Added multi-select support for the cloud provider on the Insights page. [ENG-16563]
  • We have improved our analysis of badge-scoped Insights to process them more quickly. [ENG-27932]
  • Re-introduced functionality to filter configuration Insights in the configuration blade and set all Insights for a configuration to a specified setting. [ENG-27362]

Query Filters (23.6.6)

AWS

  • We have added two Query Filters for Connect Instances:
    • Connect Instance Resource Types - Used to identify connect instances by their resource type
    • Connect Instance Storage Type - Used to identify connect instances by their storage type
      [ENG-27360]

AZURE

  • Database Instance Azure Active Directory Administrator Audit - New Query Filter that can be used to identify database instances that are or are not using approved administrator usernames. [ENG-27634]
  • Added the following new Query Filters for the Azure App Config resource:
    • App Configuration by Public Network Access State - Used to identify App Configurations by their public network access state
    • App Configuration with Selected Pricing Tier - Used to identify App Configurations by their pricing tier
    • App Configuration with Managed Identity - Used to identify App Configurations that have been assigned a managed identity
    • App Configuration Encrypted with Customer Managed Key - Used to identify App Configurations that are encrypted using a customer-managed key with Key Vault
    • App Configuration Without Purge Protection - Used to identify App Configurations that do not have purge protection enabled
    • App Configuration Invalid Diagnostic Logging Configuration - Used to identify App Configurations with an invalid diagnostic logging configuration
      [ENG-26762]
  • Renamed the Instance with attached DNS Name Query Filter to Instance With/Without Attached DNS Name and added the ability to match instances that do not have the specified domain name. The filter only returns instances that have a domain name configured. [ENG-27330]

MULTI-CLOUD/GENERAL

  • We have added the Query Filter Snapshot Description Regular Expression that allows the examination of snapshot descriptions using Regex. [ENG-27575]

Bot Actions (23.6.6)

Other

  • Reduced overall latency of bot listing functions and endpoints. [ENG-27585]
  • Added the ability to search and download/export Bot Execution History. [ENG-14488]

Infrastructure as Code (IaC) (23.6.6)

  • We have added a System Setting iac_filter_exclusions that allows certain filters to be excluded when performing an IaC scan. For example, if an Insight includes the Query Filter Resource Lifecycle State to focus on running instances, that information may not be as relevant when performing an IaC scan. [ENG-26889]
  • Updated two default properties for Infrastructure as Code evaluations:
    • Changed the default AWS RDS instance size to db.m5.large if its class cannot be determined.
    • Changed the global_encryption property of an AWS S3 bucket to AES256 to align with a recent change made by AWS.
      [ENG-27389]

Bug Fixes (23.6.6)

  • Fixed an issue for onboarding Oracle tenants when the home region is not the default us-ashburn-1. [ENG-27797]

  • Fixed an edge case for Exemption Rules that could create an exemption for an out-of-scope resource when that resource was harvested by a multi-resource harvester. [ENG-27786]

  • Fixed an issue where ephemeral IPs from load balancers had no associated resources. [ENG-27742]

  • Fixed an issue where some load balancers had an incorrect schema. [ENG-27742]

  • Updated our write/admin/privilege escalation policy analysis to skip Cloud-provider policies when they are listed in the DIVVY_SERVICE_POLICIES_TO_SKIP environment variable. [ENG-27739]

  • Fixed a bug where certain Terraform Cloud/Enterprise Run Task request payloads would fail to scan, causing Terraform Cloud/Enterprise runs to fail with an error. [ENG-27685]

  • Fixed an issue for CVE-2023-1732 in mimICS. [ENG-27679]

  • Fixed an issue where a table with no default sorting did not paginate after the page was first clicked. [ENG-27535]

  • Updated the comparison to evaluate whether a Big Data Instance has been modified, which should surface changes related to public accessibility more quickly. [ENG-27489]

  • Fixed an issue where Machine Learning & AI resources were not caching the total counts of resources on the inventory screen. [ENG-27488]

  • Fixed an edge case where AWS Organization info for some accounts failed to harvest. [ENG-27401]

  • Fixed an IaC Exemption Rule issue with correctly processing Azure Key Vault Secrets/Encryption Keys/SSL Certificates resources. In order to harvest Azure secrets as objects in Azure Key Vaults, the following permissions must be added as values under dataActions, as in the example below:

    {
      "properties": {
        "roleName": "RoleName",
        "description": "Role description.",
        "assignableScopes": [ "/subscriptions/<subscription-id>" ],
        "permissions": [
          {
            "actions": [],
            "notActions": [],
            "dataActions": [
              "Microsoft.KeyVault/vaults/*/read",
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
            ],
            "notDataActions": []
          }
        ]
      }
    }

    [ENG-27382]

  • Fixed an issue where a user could see an error modal when switching between CSPs during the add cloud flow. [ENG-27370]

  • Fixed a bug where AuditLog.Read.All was not surfacing correctly in the permission scanning for Azure orgs/subscriptions. [ENG-26861]

  • Azure HttpResponseErrors with code ResourceCollectionRequestsThrottled are now included as one of the error messages we flag as RATE_LIMITED. [ENG-26829]

  • Fixed an issue where Cloud Discovery reports could not be downloaded in Firefox. [ENG-26820]

  • Fixed visualization resizing jumps on load. [ENG-26627]

  • Fixed a presentation issue with the Related Resources graph; the graph now centers. [ENG-26206]

  • Fixed an issue where using “-” in the tag input in Tag Explorer with the CONTAINS ALL option checked caused the request to fail. [ENG-26041]

  • Added the missing read BlobServices permission (“Microsoft.Storage/storageAccounts/blobServices/read”) to the Azure Custom reader role; it is required by the StorageAccountHarvester and StorageContainerHarvester.

  • Enhanced information logged for each scheduled event to more efficiently trace their triggered jobs. [ENG-25584]

  • Fixed an IaC issue where subnets associated with an Application Load Balancer were incorrectly associated in the dynamic IaC simulation analysis. [ENG-25521]

  • Updated the NetworkAccessList harvester so that harvesting completes for GCP when the DNS API is not enabled. Note: While this API is disabled, no parent network ID is obtained for ACLs, so modifications will be logged when the status of the API changes. [ENG-24247]

📘 Required Policies & Permissions

**Policies required for individual CSPs are as follows:**

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.