
Jul 11, 2023

InsightCloudSec is pleased to announce Release 23.7.11

InsightCloudSec Software Release Notice - 23.7.11 Release

🚧 Major Documentation Announcement: Site Migration

On August 1st, 2023, the InsightCloudSec documentation will be available on docs.rapid7.com alongside the documentation for the rest of the Rapid7 software portfolio.

While a lot of work will happen behind the scenes, you should largely be unaffected. Here are some important things you should know about this move:

  • We pride ourselves on our documentation process and quality. These will not be changing.
  • The new site will be located at docs.rapid7.com/insightcloudsec/; the old site (docs.divvycloud.com) will still exist until December 31st, 2023.
  • The new and old sites are functionally similar, but the release notes will be in a different location (separate from the documentation): docs.rapid7.com/release-notes/insightcloudsec/
  • After August 1st, 2023, the InsightCloudSec documentation team will only maintain the new site; the old site will remain static until its retirement.
  • After December 31st, 2023, all docs.divvycloud.com-related URLs will redirect to docs.rapid7.com/insightcloudsec/-related URLs.

Visit our Getting Support page for details on contacting support for any questions or issues with the transition.

Release Highlights (23.7.11)

InsightCloudSec is pleased to announce Release 23.7.11. This release includes an exciting new feature called Cloud Resource Context Enrichment, which enhances our investigation capabilities within third-party platforms. In addition, 23.7.11 includes four updated Query Filters, one renamed Query Filter, one updated Bot action, and 13 bug fixes.

📘 Self-Hosted Deployment Updates (23.7.11)

Release availability for self-hosted customers is Thursday, July 13, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: <https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip>

Modules can be updated with the terraform get -update command.

New Permissions Required (23.7.11)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

🚧 AWS Permissions

AWS read-only policies have been updated to remove the wildcard permission support:* in favor of the three explicit permissions required:

“support:DescribeTrustedAdvisorChecks”, “support:DescribeTrustedAdvisorCheckResult”, “support:RefreshTrustedAdvisorCheck”

The wildcard was originally used because of an issue where AWS would return an AccessDenied error even when the principal had the explicit permissions. We can no longer reproduce the issue and are now restoring the explicit permissions. In the spirit of least-privilege access, we encourage customers to adopt explicit permissions. However, keeping the wildcard will not cause any issues. [ENG-28098]
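One way to check a harvesting policy for the support:* wildcard and swap in the three explicit permissions listed above. This is an added example, not InsightCloudSec or Rapid7 code; the function names and the sample policy are constructed for illustration, and only Allow statements with an Action element are examined.

```python
import copy
import fnmatch

# The three explicit actions named in the release note.
REQUIRED = [
    "support:DescribeTrustedAdvisorChecks",
    "support:DescribeTrustedAdvisorCheckResult",
    "support:RefreshTrustedAdvisorCheck",
]

def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return value if isinstance(value, list) else [value]

def audit_support_actions(policy):
    """Return (indexes of statements using support:*, required actions not granted)."""
    wildcard_idx, allowed = [], []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        actions = _as_list(stmt["Action"])
        allowed.extend(actions)
        if any(a.lower() == "support:*" for a in actions):
            wildcard_idx.append(i)
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = [r for r in REQUIRED
               if not any(fnmatch.fnmatchcase(r.lower(), a.lower()) for a in allowed)]
    return wildcard_idx, missing

def tighten(policy):
    """Return a copy of the policy with support:* replaced by the explicit actions."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        out = []
        for action in _as_list(stmt["Action"]):
            for repl in (REQUIRED if action.lower() == "support:*" else [action]):
                if repl not in out:
                    out.append(repl)
        stmt["Action"] = out
    return fixed

# Constructed sample policy (not the vendor's actual read-only policy).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "support:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_support_actions(SAMPLE), tighten(SAMPLE))
```
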

Features & Enhancements (23.7.11)

  • We’ve added a new API feature called Cloud Resource Context Enrichment, which will provide resources with cloud attributes and context from various features within InsightCloudSec. Cloud Resource Context Enrichment empowers security investigation teams to conduct thorough analyses of threat finding events in their SIEM/XDR platforms. The API serves as a centralized data source, collecting comprehensive information about each resource based on the following contexts:

    • Harvested cloud attributes (Cloud properties, tags etc.)
    • Risk data (associated vulnerabilities, misconfigurations, IAM insights etc.)
    • Insights
    • Permissions (LPA - Least Privileges Access) context
    • ATA data (relationships)
    • Application context

    With this significant update, InsightCloudSec further solidifies its commitment to delivering cutting-edge solutions that enhance security investigation capabilities and provide valuable insights to our customers. Check out our API documentation for more details.

  • Resolved CVE-2021-3801 and CWE-1333 vulnerabilities, which relate to Regular Expression Denial of Service (ReDoS). [ENG-28475]

  • Substituted common filtering for advanced filtering on Compliance Summary page. [ENG-28890]

  • Enhanced the EDH EventBusConsumer to improve performance for large customers. [ENG-27340]

  • Added an endpoint to export all Insight Findings for a single cloud account. Additional information can be found in our reference documentation. [ENG-26519]

Resources (23.7.11)

AWS

  • Updated the AWS CloudFormation template with a new Host Vulnerability Management policy that restricts the DeleteSnapshot permission to only snapshots created by InsightCloudSec. This update has been available to customers using the policy hosted at http://get.divvycloud.com/policies/AWS-CloudVm-Host-Assessment.json and is now generally available in the CFT provided in the cloud onboarding process. [ENG-28431]

  • Improved the AWS AssumeRole troubleshooting guide to include an AssumeRolePolicy document pre-populated with IAM Role ARN and external ID values. This makes it easier to do a line-by-line comparison with what you see in the AWS console. [ENG-26388]

  • Introduced a dynamically created message Group ID to the Lambda EDH processor. [ENG-28832]

GCP

  • Enabled Source Doc harvesting for additional GCP resources. GCP resources with source documentation enabled now include: ArtifactRegistry, ServiceDomain, NotificationSubscription, NetworkPeer, ServiceCertificate, ServicePolicy, NatGateway, NetworkFlowLog, AirflowEnvironment, Secret, Snapshot, VirtualPrivateGateway, DataFactory, UrlMap, SharedFileSystem, ContainerCluster, ServiceCertificateAuthority, DirectConnect, and CloudCredentials. [ENG-28939]

Query Filters (23.7.11)

AWS

  • We have renamed Query Filter Distributed Table Has Automated Backups Enabled to Distributed Table Has Point-In-Time Recovery Enabled (and their opposites) to clarify that the Query Filter is inspecting DynamoDB’s recovery service and not AWS’s Backup service. [ENG-28841]

GCP

  • Load Balancer with/without Cloud Armor Policy - Added an option to the Query Filter to change the WITH Cloud Armor option to match only load balancers where ALL associated resources have Cloud Armor instead of ANY: Match All (With Cloud Armor). [ENG-28006]

MULTI-CLOUD/GENERAL

  • Added the option to trim whitespace when evaluating tag values for the following three Query Filters [ENG-28836]:
    • Resource Contains Tag Key/Value Pair
    • Resource Does Not Contain Tag Key/Value Pair
    • Parent Resource Contains Tag Key/Value Pair

Bot Actions (23.7.11)

AWS

  • “Enable Encryption” - Action added to the resource panel Actions for Data Streams to enable encryption for AWS Kinesis. [ENG-28850]

Bug Fixes (23.7.11)

  • Fixed a bug with creating custom insights from Cognitive Service Account resources (in this case, OpenAI resource type with the filter Open AI (Cognitive Services) Configured with Public Access) where no resource information would show after creating the Insight, despite getting a number of matches. [ENG-28918]

  • Vulnerability details will now display the CVSS v2 vector if no CVSS v3 vector is available. This fixes an issue where CVSS score and vector score were not matching. [ENG-28853]

  • Fixed a bug related to the login flow affecting customers using LDAP configurations. Customers impacted by this change have been engaged. [ENG-28718]

  • Fixed an issue where Host Vulnerability Assessments could not be completed if assessments were in progress for a deleted Cloud Account. [ENG-28562]

  • Clarified descriptions and updated remediation with reference links on the Insights Database Instance With Internet Routable IP Address and Database Instance Security Group Allows Access From Public IP Space. [ENG-28522]

  • Updated Instance user data harvesting to properly account for the removal of user data from an instance. [ENG-28516]

  • Fixed a bug where Public Saved Filters names could not be duplicated across different features. [ENG-28093]

  • Fixed the Create/Delete snapshot implementations for GCP so that they only require the documented permissions. [ENG-28063]

  • Fixed a bug where backend buckets with Cloud Armor incorrectly flagged their associated load balancers in the Load Balancer with/without Cloud Armor Policy Query Filter. Updated the logic and description of the filter; previously, any load balancers that had a mixture of resources with and without Cloud Armor policies attached to them were NOT flagged in the “not having cloud armor” part of the filter, which could be misleading. Now, if ANY resources attached to the load balancer fit the configuration of the filter, the load balancer will be matched. [ENG-28006]

  • Added support for Advanced Event Selectors to CloudTrail harvesting. [ENG-27056]

  • Improved AWS error handling when the active harvesting IAM Role is deleted. [ENG-26925]

  • Fixed a bug where the Rename Instance action did not display. [ENG-24476]

  • Resolved an issue where certain invalid characters in a Bot’s name caused failures in the Jira integration Bot actions. [ENG-19422]

📘 Required Policies & Permissions

**Policies required for individual CSPs are as follows:**

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.