Jun 27, 2023
InsightCloudSec is pleased to announce Release 23.6.27
InsightCloudSec Software Release Notice - 23.6.27 Release
Release Highlights (23.6.27)
InsightCloudSec is pleased to announce Release 23.6.27. This release includes the general availability of our Attack Path Analysis, a graph-based feature to identify potential vulnerabilities. This release also adds harvesting and IaC support for AWS S3 Intelligent Tiering Configurations, as well as two resource properties, Capacity Providers and Capacity ASG Scaling, for AWS ECS cluster resources. Release 23.6.27 introduces two FedRAMP compliance packs, and resolves CVE-2022-31129 and CWE-1333 vulnerabilities, which relate to Regular Expression Denial of Service (ReDoS).
In addition, 23.6.27 includes two new Insights, eight new Query Filters, two new Bot actions, and 17 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
📘 Limited Release for 23.7.4
As the next week includes a Federal Holiday, we will not be providing a formal release with release notes for the week of 23.7.4. SaaS or self-hosted customers may have minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on 23.7.14. Reach out to your CSM or InsightCloudSec support with questions or concerns.
🚧 Self-Hosted Customers: Scale Down P3 Worker Tasks Before Upgrade (23.6.27)
In order to improve IAM-related feature performance, we will be rebuilding certain database tables as part of the v23.6.27 upgrade. Unlike normal schema updates, these table updates could be long-lived depending on the size of your cloud footprint. As a result, we recommend that the P3 worker task count be scaled down to ZERO during the upgrade. If you are using P3 auto-scaling via Terraform, set `use_p3_autoscaling = false` before manually setting the P3 worker task count to zero.
📘 Self-Hosted Deployment Updates (23.6.27)
Release availability for self-hosted customers is Thursday, June 29, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>
Modules can be updated with the `terraform get -update` command.
New Permissions Required (23.6.27)
Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.
🚧 New Permission: AWS
For AWS Commercial Read Only Users and GovCloud Standard (Read-Only) Users:
- `ecs:DescribeCapacityProviders`
- `s3:GetIntelligentTieringConfiguration`
These permissions support the newly added resource properties for AWS ECS cluster resources, as well as harvesting for S3 Intelligent Tiering Configurations. [ENG-27578, ENG-27441, ENG-28100]
We have updated our AWS definition of read-only permissions to include several permissions added by AWS to its ReadOnlyAccess policy. This change will mean that policies with those added permissions will no longer be flagged as having write permission. [ENG-28688]
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies.
Features & Enhancements (23.6.27)
Attack Path Analysis
Attack Path Analysis is now generally available. This feature provides simple visualizations that identify the potential avenues to exploit a vulnerable resource and/or access sensitive information within your cloud environment(s). Check out our Attack Paths documentation for details. [ENG-22050]
Additional Features & Enhancements
- Resolved CVE-2022-31129 and CWE-1333 vulnerabilities, which relate to Regular Expression Denial of Service (ReDoS). [ENG-28474]
- Added a feature that updates the Runtime settings automatically. Instead of typing the Runtime API Endpoint and API Token manually (Settings/System/Runtime Settings), they are retrieved automatically using periodic jobs. [ENG-23440]
- We have extended our IAM Remediation Tab to support Google Cloud Platform. You can now see GCP Recommendations associated with a Cloud Role or Cloud User and apply these directly within this view. [ENG-26385]
- Added a new API to enable the UI to display GCP remediation steps. [ENG-28112]
User Interface Changes (23.6.27)
- Added the permissions bar visualization, which is seen on the Identity Analysis main page, to the table header under the Permissions tab within the resource view details blade. [ENG-24824]
- We have consolidated the Cloud and Account Name columns on the Identity Analysis main table; this will now display the cloud provider icon, along with the account name and unique ID. [ENG-28451]
- Added the ability to view the security details of resources on the related resources graph. [ENG-22603]
Resources (23.6.27)
AWS
- We have added harvest and IaC support for S3 Intelligent Tiering Configurations. Enabling this no-cost configuration can significantly lower S3 storage costs by transitioning unaccessed objects into less expensive storage classes:
  - Added the property Intelligent Tiering to storage containers
  - Added the Query Filter Storage Container With/Without Intelligent Tiering
  - Added the BotFactory action “Enable Intelligent Tiering On Storage Containers”
  - A new permission is required for both the AWS commercial and AWS GovCloud Read-Only roles: `s3:ListIntelligentTieringConfigurations`
  - [ENG-27441, ENG-28284]
- We have added two resource properties to Container Clusters for AWS ECS cluster resources: Capacity Providers and Capacity ASG Scaling. We have added two Query Filters to inspect these properties: Container Cluster Capacity Providers and Container Cluster Autoscaling Capacity Provider Scaling State, which can surface clusters by their provider and by whether or not a cluster using an ASG has a scaling policy in place. Note: harvesting these properties requires a new permission: `ecs:DescribeCapacityProviders`. [ENG-27578]
- We have updated the ‘latest’ and ‘deprecated’ runtime information for Serverless Functions for AWS Lambda. Note: this runtime maintenance may change whether a Serverless Function is no longer running a ‘latest’ or is now running a ‘deprecated’ runtime, which may result in a resource modification. [ENG-28435]
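To make the two new ECS cluster properties and their Query Filters concrete, here is an added Python example (written for these notes, not InsightCloudSec code) that classifies clusters by the managed-scaling state of their Auto Scaling group capacity providers, the check behind Container Cluster Autoscaling Capacity Provider Scaling State, and by which providers are attached, the check behind Container Cluster Capacity Providers. It assumes dict shapes modelled on the ecs:DescribeClusters and ecs:DescribeCapacityProviders responses (field names such as capacityProviders, autoScalingGroupProvider and managedScaling.status are my assumption), and every cluster and provider below is a constructed sample, not harvested data.

```python
"""Classify ECS clusters by capacity provider and by the managed-scaling state of
ASG-backed providers. Added illustration, not InsightCloudSec code. The dict
shapes imitate the ecs:DescribeClusters / ecs:DescribeCapacityProviders API
responses as I know them (field names are my assumption); all data is constructed."""

from typing import Dict, List

# Constructed sample resembling ecs:DescribeCapacityProviders output.
SAMPLE_CAPACITY_PROVIDERS = [
    {"name": "FARGATE"},  # AWS-managed provider: no Auto Scaling group behind it
    {
        "name": "asg-managed",
        "autoScalingGroupProvider": {
            "autoScalingGroupArn": "arn:aws:autoscaling:us-east-1:111111111111:autoScalingGroup:uuid:autoScalingGroupName/web",
            "managedScaling": {"status": "ENABLED", "targetCapacity": 100},
        },
    },
    {
        "name": "asg-unmanaged",
        "autoScalingGroupProvider": {
            "autoScalingGroupArn": "arn:aws:autoscaling:us-east-1:111111111111:autoScalingGroup:uuid:autoScalingGroupName/batch",
            "managedScaling": {"status": "DISABLED"},
        },
    },
]

# Constructed sample resembling the `clusters` entries of ecs:DescribeClusters.
SAMPLE_CLUSTERS = [
    {"clusterName": "fargate-only", "capacityProviders": ["FARGATE"]},
    {"clusterName": "managed", "capacityProviders": ["asg-managed"]},
    {"clusterName": "unmanaged", "capacityProviders": ["asg-unmanaged", "FARGATE"]},
    {"clusterName": "no-providers", "capacityProviders": []},
]


def asg_scaling_states(cluster: dict, providers_by_name: Dict[str, dict]) -> Dict[str, str]:
    """Map each ASG-backed capacity provider attached to the cluster to its
    managed-scaling status. Fargate providers have no ASG and are skipped."""
    states: Dict[str, str] = {}
    for name in cluster.get("capacityProviders", []):
        asg = providers_by_name.get(name, {}).get("autoScalingGroupProvider")
        if asg is None:
            continue
        # managedScaling is optional on the API; absent means ECS is not managing the ASG.
        states[name] = asg.get("managedScaling", {}).get("status", "DISABLED")
    return states


def clusters_by_scaling_state(clusters: List[dict], providers: List[dict],
                              state: str = "DISABLED") -> List[str]:
    """Mirror of the 'Container Cluster Autoscaling Capacity Provider Scaling
    State' Query Filter: clusters with at least one ASG provider whose managed
    scaling is in `state` (DISABLED by default, ENABLED optionally)."""
    by_name = {p["name"]: p for p in providers}
    return [
        c["clusterName"] for c in clusters
        if state in asg_scaling_states(c, by_name).values()
    ]


def clusters_by_capacity_provider(clusters: List[dict], wanted: List[str]) -> List[str]:
    """Mirror of the 'Container Cluster Capacity Providers' Query Filter:
    clusters that have any of the selected providers attached."""
    selected = set(wanted)
    return [c["clusterName"] for c in clusters
            if selected & set(c.get("capacityProviders", []))]


if __name__ == "__main__":
    print("managed scaling disabled:", clusters_by_scaling_state(SAMPLE_CLUSTERS, SAMPLE_CAPACITY_PROVIDERS))
    print("using FARGATE:", clusters_by_capacity_provider(SAMPLE_CLUSTERS, ["FARGATE"]))
```

With managed scaling disabled, ECS does not adjust the Auto Scaling group's desired capacity on the cluster's behalf, so the group only scales if it has its own policies; that is why the filter surfaces the DISABLED state by default and treats Fargate providers, which have no group to scale, as out of scope.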
Insights (23.6.27)
Federal Risk and Authorization Management Program (FedRAMP®)
Release 23.6.27 introduces two FedRAMP compliance packs: the FedRAMP Low and FedRAMP Moderate Packs which align ICS insights to the Low and Moderate Security Controls Baselines. [ENG-24699]
- The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP empowers federal organizations to use modern cloud technologies, with an emphasis on security and protection of federal information.
AWS
- Content Delivery Network Without Origin Access Control - New Insight identifies AWS CloudFront distributions with an S3 origin that are not using the new method for securing access, which is favored over Origin Access Identities. [ENG-28250]
- Storage Container Without Object Lifecycle Management - New Insight identifies storage containers that do not have Intelligent Tiering enabled, do not have a lifecycle policy, or have a lifecycle policy that does not delete or transition unaccessed objects. [ENG-28100]
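An added Python example (written for these notes, not the product's implementation) of the check behind the Content Delivery Network Without Origin Access Control Insight, and of the Query Filter of the same name listed under Query Filters: it walks each distribution's origins, ignores custom (non-S3) origins, and reports every S3 origin that is not protected by an Origin Access Control, including ones still on a legacy Origin Access Identity. It assumes the DistributionConfig shape returned by cloudfront:GetDistributionConfig as I know it (Origins.Items[] entries with S3OriginConfig.OriginAccessIdentity and OriginAccessControlId; that mapping is my assumption), and all distribution IDs and domain names are constructed samples.

```python
"""Flag CloudFront distributions with S3 origins that are not fronted by Origin
Access Control (OAC). Added example, not the product's implementation. The
dict shape imitates the DistributionConfig returned by
cloudfront:GetDistributionConfig as I understand it (Origins.Items[] entries
carrying S3OriginConfig.OriginAccessIdentity and OriginAccessControlId; this
mapping is my assumption). All distributions below are constructed samples."""

from typing import List, Tuple

SAMPLE_DISTRIBUTIONS = [
    {   # S3 origin locked down with OAC: compliant
        "Id": "EDIST0001OAC",
        "DistributionConfig": {"Origins": {"Items": [
            {"Id": "s3-origin", "DomainName": "assets.s3.us-east-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""},
             "OriginAccessControlId": "EOAC000EXAMPLE"}]}},
    },
    {   # S3 origin still using the legacy Origin Access Identity
        "Id": "EDIST0002OAI",
        "DistributionConfig": {"Origins": {"Items": [
            {"Id": "s3-origin", "DomainName": "legacy.s3.us-east-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EOAI000EXAMPLE"}}]}},
    },
    {   # S3 origin with neither: the bucket has to allow public reads for this to serve at all
        "Id": "EDIST0003NONE",
        "DistributionConfig": {"Origins": {"Items": [
            {"Id": "s3-origin", "DomainName": "open.s3.us-east-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}}]}},
    },
    {   # Custom (non-S3) origin: out of scope for this check
        "Id": "EDIST0004ALB",
        "DistributionConfig": {"Origins": {"Items": [
            {"Id": "alb-origin", "DomainName": "app-123.us-east-1.elb.amazonaws.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}},
    },
]


def is_s3_origin(origin: dict) -> bool:
    """Bucket origins carry S3OriginConfig; everything else (ALB, API Gateway,
    S3 website endpoints) is configured as a custom origin."""
    return "S3OriginConfig" in origin


def origin_access_mode(origin: dict) -> str:
    """'OAC' if Origin Access Control is attached, 'OAI' if only the legacy
    identity is set, otherwise 'NONE'."""
    if origin.get("OriginAccessControlId"):
        return "OAC"
    if origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
        return "OAI"
    return "NONE"


def distributions_without_oac(distributions: List[dict]) -> List[Tuple[str, str, str]]:
    """Mirror of the 'Content Delivery Network Without Origin Access Control'
    Insight: every (distribution, origin, mode) where an S3 origin is not
    protected by OAC. OAI-only origins are reported too, since OAC supersedes OAI."""
    findings = []
    for dist in distributions:
        for origin in dist["DistributionConfig"]["Origins"]["Items"]:
            if is_s3_origin(origin):
                mode = origin_access_mode(origin)
                if mode != "OAC":
                    findings.append((dist["Id"], origin["Id"], mode))
    return findings


if __name__ == "__main__":
    for finding in distributions_without_oac(SAMPLE_DISTRIBUTIONS):
        print("distribution %s origin %s uses %s" % finding)
```

Reporting the access mode alongside the finding matters for triage: an OAI origin is a migration task, while a NONE origin usually means the bucket itself is readable without going through CloudFront, which is the higher-priority fix.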
Query Filters (23.6.27)
AWS
- Container Cluster Autoscaling Capacity Provider Scaling State - New Query Filter identifies container clusters that use an autoscaling group capacity provider by the autoscaling group scaling state. By default, it identifies container clusters whose scaling state is disabled; optionally, it identifies container clusters whose state is enabled. A new permission is required to harvest these properties: `ecs:DescribeCapacityProviders`. [ENG-27578]
- Container Cluster Capacity Providers - New Query Filter identifies container clusters by whether they have the selected capacity providers. A new permission is required to harvest these properties: `ecs:DescribeCapacityProviders`. [ENG-27578]
- Content Delivery Network State - New Query Filter identifies content delivery networks by their state, distinguishing between “enabled” and “disabled” content delivery networks. By default, this Query Filter identifies enabled content delivery networks. [ENG-28239]
- Content Delivery Network Using Managed Cache Policy - New Query Filter identifies AWS CloudFront distributions by the managed cache policy that they use. [ENG-28251]
- Content Delivery Network Without Origin Access Control - New Query Filter identifies AWS CloudFront distributions with an S3 origin that are not using the new method for securing access, which is favored over Origin Access Identities. [ENG-28250]
- Storage Container Without Expiration/Transitions Lifecycle Rules - New Query Filter identifies storage containers with lifecycle policies, but without Expiration or Transitions lifecycle rules, which delete or change the storage class of objects respectively. Optionally include storage containers without lifecycle policies and/or identify storage containers with those rules. [ENG-28100]
- Storage Container With/Without Intelligent Tiering - New Query Filter identifies storage containers with or without Intelligent Tiering enabled. [ENG-27441]
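The Intelligent Tiering property added under Resources, the two Storage Container Query Filters above and the Storage Container Without Object Lifecycle Management Insight all evaluate the same two pieces of bucket state. Here is an added Python example (written for these notes, not InsightCloudSec's logic) that implements those checks over constructed buckets: whether any Intelligent-Tiering configuration is enabled, whether an enabled lifecycle rule actually deletes (Expiration) or moves (Transitions) objects, the filter's optional inclusion of buckets with no policy and its inverted form, and the Insight composed as "no Intelligent Tiering and no deleting or transitioning rule". It assumes dict shapes modelled on s3:GetBucketLifecycleConfiguration and s3:ListBucketIntelligentTieringConfigurations (field names are my assumption), and the way the Insight combines the two filters is my reading of the Insight description, not a statement of how the product composes it.

```python
"""Classify S3 buckets by Intelligent-Tiering configuration and by lifecycle
rules, in the spirit of the new 'Storage Container ...' Query Filters and the
'Storage Container Without Object Lifecycle Management' Insight. Added example,
not InsightCloudSec's logic. Dict shapes imitate
s3:GetBucketLifecycleConfiguration (Rules[] with Status, Expiration,
Transitions) and s3:ListBucketIntelligentTieringConfigurations
(IntelligentTieringConfigurationList[] with Status) as I know them; the field
names and the way the Insight combines the two filters are my assumptions.
All buckets are constructed samples."""

from typing import List

SAMPLE_BUCKETS = [
    {"Name": "tiered",  # Intelligent Tiering moves cold objects automatically
     "IntelligentTieringConfigurationList": [{"Id": "whole-bucket", "Status": "Enabled",
                                              "Tierings": [{"Days": 90, "AccessTier": "ARCHIVE_ACCESS"}]}],
     "LifecycleRules": []},
    {"Name": "expiring",  # lifecycle rule deletes objects after 30 days
     "IntelligentTieringConfigurationList": [],
     "LifecycleRules": [{"ID": "expire", "Status": "Enabled", "Expiration": {"Days": 30}}]},
    {"Name": "filter-only",  # a policy exists but neither deletes nor transitions objects
     "IntelligentTieringConfigurationList": [],
     "LifecycleRules": [{"ID": "mpu", "Status": "Enabled",
                         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}}]},
    {"Name": "bare",  # no tiering, no lifecycle policy at all
     "IntelligentTieringConfigurationList": [],
     "LifecycleRules": []},
    {"Name": "disabled-rule",  # transition rule exists but is switched off
     "IntelligentTieringConfigurationList": [],
     "LifecycleRules": [{"ID": "to-ia", "Status": "Disabled",
                         "Transitions": [{"Days": 60, "StorageClass": "STANDARD_IA"}]}]},
]


def has_intelligent_tiering(bucket: dict) -> bool:
    """'Storage Container With Intelligent Tiering': at least one enabled configuration."""
    return any(c.get("Status") == "Enabled"
               for c in bucket.get("IntelligentTieringConfigurationList", []))


def rule_manages_objects(rule: dict) -> bool:
    """An enabled rule that either deletes (Expiration) or moves (Transitions) objects."""
    if rule.get("Status") != "Enabled":
        return False
    return bool(rule.get("Expiration")) or bool(rule.get("Transitions"))


def has_managing_lifecycle(bucket: dict) -> bool:
    return any(rule_manages_objects(r) for r in bucket.get("LifecycleRules", []))


def without_expiration_or_transition_rules(buckets: List[dict],
                                           include_no_policy: bool = False) -> List[str]:
    """Mirror of 'Storage Container Without Expiration/Transitions Lifecycle
    Rules': buckets whose lifecycle policy has no deleting or transitioning
    rule; optionally also buckets with no lifecycle policy at all."""
    hits = []
    for b in buckets:
        rules = b.get("LifecycleRules", [])
        if not rules:
            if include_no_policy:
                hits.append(b["Name"])
        elif not has_managing_lifecycle(b):
            hits.append(b["Name"])
    return hits


def with_expiration_or_transition_rules(buckets: List[dict]) -> List[str]:
    """The inverted form of the filter above."""
    return [b["Name"] for b in buckets if has_managing_lifecycle(b)]


def without_object_lifecycle_management(buckets: List[dict]) -> List[str]:
    """Mirror of the Insight: no enabled Intelligent Tiering AND no lifecycle
    rule that deletes or transitions objects (a missing policy counts)."""
    return [b["Name"] for b in buckets
            if not has_intelligent_tiering(b) and not has_managing_lifecycle(b)]


if __name__ == "__main__":
    print("no object lifecycle management:", without_object_lifecycle_management(SAMPLE_BUCKETS))
```

Two details are easy to get wrong when reimplementing this: a lifecycle rule with Status "Disabled" must not count as managing objects even though it carries a Transitions block, and a rule that only aborts incomplete multipart uploads is a real policy yet neither expires nor transitions anything, which is exactly the case the "with lifecycle policies, but without Expiration or Transitions rules" filter exists to catch.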
AZURE
- Automation Account Using Specific Managed Identity Type - New Query Filter identifies automation accounts with managed identities of the chosen type(s). Note: In order to facilitate this change, the `managed_identity` field for Automation Accounts has been converted from a boolean value to a string value, where the type of the identity (if any) is now stored. The resource list view will display a boolean value of whether or not a resource has an identity attached; however, the details pane for a resource will now show the type(s) of identity used. [ENG-28200]
Bot Actions (23.6.27)
AWS
- “Enable Intelligent Tiering On Storage Container” - New Bot action adds an Intelligent Tiering configuration to a storage container and enables Intelligent Tiering. Of note, if there is an existing Intelligent Tiering configuration with the same provided ID, the bot will overwrite the configuration. [ENG-27441]
MULTI-CLOUD/GENERAL
- “Assign Badge to Cloud” - New Bot action updates existing badges and prevents the addition of badges with the same key, which is consistent with the experience in the UI. [ENG-27649]
Bug Fixes (23.6.27)
- Fixed: ContainerClusterHarvester was failing because AWS was returning deleted container clusters from the list call, causing the harvester to fail when attempting the describe call. [ENG-28548]
- Fixed: ServiceCheckHarvester was failing as displayName was returned as `None` by GCP for a resource. [ENG-28548]
- Fixed a bug in GCP Instance/IP harvesting where the harvesting job would fail if IPs existed in regions unsupported by Google Compute Engine. [ENG-28535]
- Improved error messaging for the Compliance Scorecard page involving unsupported cloud types. [ENG-28503]
- Updated our Oracle Cloud Infrastructure database harvesting to support harvesting Oracle Base Database DB Systems. [ENG-28419]
- Fixed a bug with the scope panel not scoping by tag properly. [ENG-28409]
- Fixed an issue where Tenable assets failed to get mapped to an account. [ENG-28401]
- Fixed a bug where certain Terraform Cloud/Enterprise Run Task request payloads would fail to scan, causing Terraform Cloud/Enterprise runs to fail with an error. [ENG-28394, ENG-27685]
- Fixed a bug where the search bar for applications within Layered Context only searched for applications where the search value was a prefix. [ENG-28103]
- Fixed a bug in the Query Filter Resource has a Private Endpoint in supporting the resource type Storage Accounts. [ENG-27756]
- Fixed an issue where basic users with entitlement ‘Editor’ or above on a Kubernetes Cluster were unable to resume/pause from the Kubernetes Clusters page. [ENG-27745]
- Fixed an issue where VM scale sets on Azure that used the “Flexible” orchestration type would cause the InstanceInterfaceIpHarvester to fail. [ENG-27595]
- Fixed an issue when trying to harvest a recently deleted DynamoDB table. [ENG-27310]
- Fixed a 404 error that was appearing when managing plugins. [ENG-27171]
- Fixed a ZeroDivisionError occurring when harvesting service limits for Azure. [ENG-26831]
- Fixed the BotFactory action “Create Database Instance Snapshot” to accommodate instances that are members of database clusters. [ENG-26713]
- Fixed an issue with updating tags: harvesting tags and updating tags for the “Image” resource type on Azure is now supported in ICS. [ENG-23120]
📘 Required Policies & Permissions
**Policies required for individual CSPs are as follows:**
Alibaba Cloud
AWS
- Commercial
- Read Only Policy
- Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China
Azure
- Commercial
- GovCloud
GCP
- _For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage._
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.