Jun 12, 2023
InsightCloudSec is pleased to announce Release 23.6.13
Release Highlights (23.6.13)
InsightCloudSec is pleased to announce Release 23.6.13. This release includes the Kubernetes Inventory view (Related Resources), S3 Intelligent Tiering Configuration support, Kubernetes Remote Scanner general availability, Compliance Scorecard entitlement improvements, and various property/attribute additions to resources.
In addition, 23.6.13 includes one updated Insight, two updated Query Filters, six new Query Filters, two new Bot actions, one updated Bot action, and nine bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
📘 Self-Hosted Deployment Updates (23.6.13)
Release availability for self-hosted customers is Thursday, June 15, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>
Modules can be updated with the `terraform get -update` command.
📘 Limited Release for 23.6.20
As the next week includes a Federal Holiday, we will not be providing a formal release with release notes for the week of 23.6.20. SaaS or self-hosted customers may have minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on 23.6.27. Reach out to your CSM or InsightCloudSec support with questions or concerns.
New Permission Required (23.6.13)
Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.
🚧 New Permission: AWS
For AWS Commercial Read Only Users and GovCloud Standard (Read-Only) Users:
“s3:ListIntelligentTieringConfigurations” - This permission supports the newly added harvesting for S3 Intelligent Tiering Configurations. [ENG-27441]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies.
Features & Enhancements (23.6.13)
- We have added the Related Resources capability to Kubernetes Clusters to provide an inventory of all components related to a given cluster. Review Clusters Account Setup & Management for more information.
- We have enabled the Kubernetes Remote Scanner feature by default for all customers. The “Kubernetes Clusters” page will show all Kubernetes clusters by default. Refer to the Remote Scanner documentation for information on configuration and usage. [ENG-27796]
- We have expanded Pack/Scorecard Subscription functionality to Basic Users: [ENG-22424]
  - The scorecard is now accessible to basic users with the appropriate entitlement.
  - Scorecard subscription management is now accessible to basic users with the appropriate entitlement.
  - Insight pack subscription management is now accessible to basic users with the appropriate entitlement.
- We have added disk encryption details to Region resource details, including whether it is enabled and, if so, with which encryption key. [ENG-27574]
- We have added a proof-of-concept capability to allow customers to disable Insights from scanning. This capability will reduce the system demand imposed by the TemplateCache job and improve system performance. [ENG-27570]
- We have added Event-Driven Harvesting support for the `CreateVirtualMFADevice` event. [ENG-27509]
Additional Features & Enhancements
- We have implemented UI improvements to the following areas of the product:
- User (Identity) Management [ENG-27790]
- System Administration [ENG-27789]
- Added the “Overly Permissive Access” and “Highly Permissive Access” Risk Factor dropdown options on Advanced Filters for IAM Analysis. [ENG-27431, ENG-27432]
Resources (23.6.13)
AWS
- We have added harvest and IaC support for S3 Intelligent Tiering Configurations; enabling this no-cost configuration can significantly lower S3 storage costs by transitioning unaccessed objects into less expensive storage classes. [ENG-27441]
  - Added the property `Intelligent Tiering` to storage containers
  - Added the property
  - Added the Query Filter `Storage Container With/Without Intelligent Tiering`
  - Added the BotFactory action “Enable Intelligent Tiering On Storage Containers”
  - A new permission is required for both the AWS commercial and AWS GovCloud Read-Only roles: “s3:ListIntelligentTieringConfigurations”
- We have added a new property to Content Delivery Networks called `Function Body Access` and a corresponding Query Filter `Content Delivery Network Function With Request Body Access` that identifies content delivery networks using functions that can access the body of requests, possibly leading to exfiltration of data from request information, including PII. [ENG-27780]
Insights (23.6.13)
AWS
Insight Cloud Region without Default Volume Encryption
- Updated Insight description to clarify that Insight only applies to regions in use, i.e., those regions with volumes present. The rationale is that regions without volumes present are unused or blocked and therefore of little security interest so creating an Insight finding would be noisy. [ENG-27567]
Query Filters (23.6.13)
AWS
- `Content Delivery Network Function With Request Body Access` - New Query Filter identifies content delivery networks using functions that can access the body of requests. [ENG-27780]
- `Resource is Accessible by Cloud Principal` - New Query Filter accepts a Principal Resource ID and returns the resources to which that Principal has access. [ENG-27480]
- `Storage Container With/Without Intelligent Tiering` - New Query Filter identifies storage containers with or without Intelligent Tiering enabled. [ENG-27441]
- We have added two Query Filters related to whether a resource was provisioned using CloudFormation [ENG-27630]:
  - `Resource Provisioned Using Cloud Formation`
  - `Resource Not Provisioned Using Cloud Formation`
MULTI-CLOUD/GENERAL
- `Resource Contains Tag Key and Value Regular Expression (Regex)` - New Query Filter matches child resources whose parent resources carry the user-defined tag key with a value for that key that fits the regular expression. This helps when the tag key is known, e.g., “Branch”, but the value is flexible, e.g., “US-”, where the filter would find “US-1”, “US-2”, etc. [ENG-27871]
- We have added case insensitivity as an option to the Query Filters `Resource Tag Mirrors Parent` and `Resource Tag Does Not Mirror Parent`. [ENG-27573]
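To make the two tag filters above concrete, here is an added example (not InsightCloudSec code) that models a parent/child resource inventory and implements both a key-plus-value-regex match against the parent's tags and a mirrors-parent comparison, each with the case-insensitivity option. The `Resource` dataclass, the inventory data and the choice of an unanchored regex search are assumptions made for the example.

```python
"""Added example (not InsightCloudSec code): local model of the
'Resource Contains Tag Key and Value Regular Expression' filter and the
'Resource Tag Mirrors Parent' check, with an optional case-insensitive mode."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Resource:
    """Hypothetical minimal resource model: id, tags and an optional parent."""
    resource_id: str
    tags: Dict[str, str] = field(default_factory=dict)
    parent_id: Optional[str] = None


def get_tag(tags: Dict[str, str], key: str, case_insensitive: bool = False) -> Optional[str]:
    """Return the value stored under `key`, honouring the case-insensitivity option."""
    if not case_insensitive:
        return tags.get(key)
    for k, v in tags.items():
        if k.lower() == key.lower():
            return v
    return None


def tag_value_matches(tags: Dict[str, str], key: str, value_regex: str,
                      case_insensitive: bool = False) -> bool:
    """True if `key` is present and its value fits `value_regex`."""
    value = get_tag(tags, key, case_insensitive)
    if value is None:
        return False
    flags = re.IGNORECASE if case_insensitive else 0
    # Assumption: unanchored search, so "US-" finds "US-1", "US-2", ...
    return re.search(value_regex, value, flags) is not None


def children_with_parent_tag_regex(resources: List[Resource], key: str, value_regex: str,
                                   case_insensitive: bool = False) -> List[str]:
    """Ids of child resources whose parent carries a matching tag (the regex filter)."""
    by_id = {r.resource_id: r for r in resources}
    matched = []
    for r in resources:
        parent = by_id.get(r.parent_id) if r.parent_id else None
        if parent and tag_value_matches(parent.tags, key, value_regex, case_insensitive):
            matched.append(r.resource_id)
    return matched


def tag_mirrors_parent(child: Resource, parent: Resource, key: str,
                       case_insensitive: bool = False) -> bool:
    """True if child and parent both carry `key` with equal values (the mirror filter)."""
    c = get_tag(child.tags, key, case_insensitive)
    p = get_tag(parent.tags, key, case_insensitive)
    if c is None or p is None:
        return False
    return c.lower() == p.lower() if case_insensitive else c == p


# Constructed inventory: three "parent" VPC-like resources and three children.
INVENTORY = [
    Resource("vpc-1", {"Branch": "US-1"}),
    Resource("vpc-2", {"branch": "us-2"}),          # key differs only in case
    Resource("vpc-3", {"Branch": "EU-1"}),
    Resource("subnet-a", {"Branch": "us-1"}, parent_id="vpc-1"),
    Resource("subnet-b", {}, parent_id="vpc-2"),
    Resource("subnet-c", {"Branch": "EU-1"}, parent_id="vpc-3"),
]

if __name__ == "__main__":
    print(children_with_parent_tag_regex(INVENTORY, "Branch", "US-"))
    print(children_with_parent_tag_regex(INVENTORY, "Branch", "US-", case_insensitive=True))
    print(tag_mirrors_parent(INVENTORY[3], INVENTORY[0], "Branch", case_insensitive=True))
```

With the case-sensitive default only `subnet-a` is returned; enabling case insensitivity also picks up `subnet-b`, whose parent tagged the key as `branch`, which is the kind of drift the new option is meant to tolerate.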
Bot Actions (23.6.13)
AWS
- “Enable Intelligent Tiering On Storage Container” - New Bot action adds an Intelligent Tiering configuration to a storage container and enables Intelligent Tiering. Of note, if there is an existing Intelligent Tiering configuration with the same provided ID, the bot will overwrite the configuration. [ENG-27441]
- “Update Content Delivery Network Function Body Access” - New BotFactory action modifies the setting allowing or disallowing a content delivery network function access to incoming request bodies. [ENG-27782]
- “Update Content Delivery Network Viewer Protocol Policy” - BotFactory action renamed from “Update Content Delivery Viewer Protocol Policy”. [ENG-27782]
Bug Fixes (23.6.13)
- Fixed our resource-based policy analysis to match AWS’s broader definition of public. Specifically, AWS treats resources whose policy carries the following condition statement as public:

```json
"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}
```

  We have updated our analysis accordingly. This change is most likely to surface for resources like SQS and/or SNS. [ENG-27161]
- Fixed an edge case where IaC could treat Redshift clusters’ `allow_version_upgrade` field as false by default instead of true. [ENG-28010]
- Fixed an issue where too many ResourceCount jobs were concurrently executed due to badging or onboarding. [ENG-28004]
- Hardened the resource scope of Exemption Rules upon resource creation as well as resource modification. [ENG-27874]
- Fixed a bug with the AWS WebAppHarvester, which was failing when we attempted to add a relationship between the web app and a message queue which was not yet harvested. [ENG-27794]
- Resolved an issue where Query Filter dropdowns were populating with incorrect dropdown options for certain user types. [ENG-27511]
- Fixed an issue where `CloudAccountProcessor` was failing, causing stale GCP projects and new GCP projects not being added. [ENG-27214]
- Fixed a bug that prevented use of the filter `MapReduce Cluster Without Properly Configured Security Config` within IaC analysis. [ENG-26534]
- Fixed an issue where platform login wasn’t recording the last login date/time. [ENG-25986]
📘 Required Policies & Permissions
**Policies required for individual CSPs are as follows:**
Alibaba Cloud
AWS
- Commercial
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China Read Only Supplement
Azure
- Commercial
- GovCloud
GCP
- _For GCP, since permissions are tied to APIs, there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage._
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM or the Customer Support Portal.