Jul 25, 2023

23.7.25 Release Notes

InsightCloudSec Software Release Notice - 23.7.25 Release

Major Documentation Announcement: Site Migration

On August 1st, 2023, the InsightCloudSec documentation will be available on docs.rapid7.com alongside the documentation for the rest of the Rapid7 software portfolio.

While a lot of work will happen behind the scenes, you should largely be unaffected. Here are some important things you should know about this move:

  • We pride ourselves on our documentation process and quality. These will not be changing.
  • The new site will be located at docs.rapid7.com/insightcloudsec/; the old site (docs.divvycloud.com) will still exist until December 31st, 2023.
  • The new and old sites are functionally similar, but the release notes will be in a different location (separate from the documentation): docs.rapid7.com/release-notes/insightcloudsec/
  • After August 1st, 2023, the InsightCloudSec documentation team will only maintain the new site; the old site will remain static until its retirement
  • After December 31st, 2023, all docs.divvycloud.com-related URLs will redirect to docs.rapid7.com/insightcloudsec/-related URLs

Visit our Getting Support page for details on contacting support for any questions or issues with the transition.

Release Highlights (23.7.25)

InsightCloudSec is pleased to announce Release 23.7.25. This release includes a new Compliance Pack, the ISO/IEC27017:2015 Pack, and the capability to scan individual Kubernetes nodes. In addition, 23.7.25 includes 12 new Insights, two new Query Filters, and ten bug fixes.

Release Tagging & Hashes

The InsightCloudSec team is expanding our tagging strategy for publishing images. To align ourselves with industry best practices, each new InsightCloudSec build version (starting with this one) will include a hash after the version number (including hot fix versions). This means you can obtain this version of InsightCloudSec using three separate tags (all versions can be found here):

  1. latest
  2. 23.7.25
  3. 23.7.25.4a1f8fdf6

Self-Hosted Deployment Updates (23.7.25)

Release availability for self-hosted customers is Thursday, July 27, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip

Modules can be updated with the terraform get -update command.

Features & Enhancements (23.7.25)

  • We’ve added the capability to scan individual Kubernetes nodes. Additional information can be found in our Kubernetes Node Scanner documentation. A new Insight, "Ensure r7-node-scanner is installed", supports this feature. [ENG-28743]
  • We have updated our logic that checks for public network access on Azure, so Insights that check for public access on Azure resources may show a noticeable change in the number of findings after this release. [ENG-28945]

User Interface (23.7.25)

  • Updated the UI for the Just-In-Time IAM feature so that the front-end layout changes dynamically when a user navigates to the page from the Rapid7 Awsaml application. [ENG-29055]

  • Added a link to the Identity Analysis Documentation at the top of the Identity Analysis page. [ENG-28381]

Resources (23.7.25)

AWS

  • We have updated the evaluation of storage container modifications for AWS S3 to detect whether Intelligent Tiering has changed, i.e., if an S3 bucket's Intelligent Tiering property or configuration changes, it will trigger a resource modification hookpoint. [ENG-29694]

GCP

  • We have added a script to calculate billable resources for Google Cloud Platform. [ENG-28508]
  • Added GCP Source Document support for Subnets. [ENG-28627]
  • Added GCP Source Document support for Networks. [ENG-28596]
  • Added GCP Source Document support for Sink. [ENG-28364]
  • Added GCP Source Document support for ApiAccountingConfig. [ENG-28078]

Insights (23.7.25)

New ISO/IEC27017:2015 Pack
We have created the ISO/IEC27017:2015 Pack. The ISO/IEC 27017:2015 standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, and additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. [ENG-26782]

AWS

  • We have updated our AWS Foundational Security Best Practices pack to provide more detail on the supported controls. Of note, AWS changed the category of one control from ELBv2.1 to ELB.1. It is the control "Application Load Balancer should be configured to redirect all HTTP requests to HTTPS". [ENG-29431]

  • We have added the following Insights for AWS [ENG-29471]:

    • Cache Instance with Auth Token Disabled and using early Redis Version - New Insight identifies Redis cache instances that do not have an auth token enabled and are running a Redis version earlier than 6.0.
    • Cache Instance without Automatic Failover Enabled - New Insight identifies cache instances that do not have automatic failover enabled.
    • Cache Instances without Automatic Backups - New Insight identifies cache instances that do not have automatic backups configured with a snapshot retention period of 1 day or longer.
  • We have updated our AWS Foundational Security Best Practice Pack to support the following controls [ENG-29471]:

    • ElastiCache.1 ElastiCache for Redis clusters should have automatic backups scheduled
    • ElastiCache.2 Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters
    • ElastiCache.3 ElastiCache for Redis replication groups should have automatic failover enabled
    • ElastiCache.4 ElastiCache for Redis replication groups should be encrypted at rest
    • ElastiCache.5 ElastiCache for Redis replication groups should be encrypted in transit
    • ElastiCache.6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH

MULTI-CLOUD/GENERAL
Added nine new Insights [ENG-27875]:

  • Batch Environment has Public Access - This Insight identifies batch environments that have public access enabled.

  • Big Data Workspace allows Public Access - This Insight identifies big data workspaces that allow access from the public.

  • Cloud Region Without Block Public Sharing for SSM Documents - This Insight identifies cloud regions that do not block public sharing of SSM documents.

  • Cloud Storage Access Point allows Public Access - This Insight identifies cloud access points that allow public access.

  • Cold Storage Exposed To Public - This Insight identifies cold storage vaults exposed to the public.

  • Content Delivery Network uses Public Storage Container for Origin - This Insight identifies content delivery networks that are using a publicly accessible storage container for an origin.

  • Database Cluster With Publicly Available Database Instances - This Insight identifies database clusters with publicly available database instances.

  • Service App Without Public Client Enabled - This Insight identifies cloud apps with public cloud enabled.

  • Service Role Is Public - This Insight identifies cloud roles that are public.

Query Filters (23.7.25)

AWS

  • Resource Specific Policy With/Without Specific Condition Values - New Query Filter identifies resources whose direct policy has one or more Statements missing a specific Condition property defined by condition comparison, condition key, and condition values. Optionally, match resources that have the specific Condition property on all Statements. If multiple condition values are not required, see Query Filter Resource Specific Policy With/Without Specific Condition, which is more performant. This is useful for inspecting conditions with multiple values, e.g., a condition that denies action unless the source IP falls within an accepted list of IP addresses. [ENG-29484]
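To make the semantics of this Query Filter concrete, here is an added example (not InsightCloudSec code) that evaluates a resource policy the same way the filter description reads: it reports the Statements that lack a given Condition operator, key, and set of values, and exposes both modes (any Statement missing the condition, or all Statements carrying it). The policy document, the Sids, the account id and the CIDR ranges are constructed sample data; a "match" is defined here as the Statement's value list covering every required value, which is an assumption about the filter's comparison rather than something the release notes state.

```python
import json

# Constructed sample S3 bucket policy (hypothetical; not from the release notes).
# Statement 1 denies everything unless the caller's source IP is in an allow-list
# with two CIDRs; statement 2 has no Condition at all; statement 3 only lists one
# of the two accepted ranges.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideCorpRanges",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}}
    },
    {
      "Sid": "AllowReadNoCondition",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyPartialRange",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is accepted; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_has_condition(stmt, operator, key, values):
    """True if the Statement's Condition block contains `operator` -> `key` and the
    key's value list covers every required value. Operator and key names are
    compared case-insensitively, as IAM treats them; values are compared as plain
    strings (no CIDR normalisation), which is an assumption of this example."""
    condition = stmt.get("Condition") or {}
    for op, keys in condition.items():
        if op.lower() != operator.lower():
            continue
        for k, v in keys.items():
            if k.lower() == key.lower():
                return set(values) <= set(_as_list(v))
    return False


def statements_missing_condition(policy, operator, key, values):
    """Return the Sids (or a positional label) of Statements that lack the condition."""
    missing = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not statement_has_condition(stmt, operator, key, values):
            missing.append(stmt.get("Sid", f"statement-{index}"))
    return missing


def policy_matches(policy, operator, key, values, require_all=False):
    """Mirror the filter's two modes: by default the policy matches when at least one
    Statement is missing the condition; with require_all=True it matches only when
    every Statement carries it (an empty policy never matches in that mode)."""
    statements = _as_list(policy.get("Statement"))
    missing = statements_missing_condition(policy, operator, key, values)
    if require_all:
        return bool(statements) and not missing
    return bool(missing)


if __name__ == "__main__":
    required = ["203.0.113.0/24", "198.51.100.0/24"]
    print("Missing:", statements_missing_condition(SAMPLE_POLICY, "NotIpAddress", "aws:SourceIp", required))
    print("Any missing:", policy_matches(SAMPLE_POLICY, "NotIpAddress", "aws:SourceIp", required))
    print("All present:", policy_matches(SAMPLE_POLICY, "NotIpAddress", "aws:SourceIp", required, require_all=True))
```

Run against the sample policy, `statements_missing_condition` reports `AllowReadNoCondition` (no Condition) and `DenyPartialRange` (only one of the two required ranges), which is why a single-value check such as the simpler Resource Specific Policy With/Without Specific Condition filter would not catch the second case.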

MULTI-CLOUD/GENERAL

  • Kubernetes Cluster Unsupported Version (EKS/AKS/GKE) - New Query Filter identifies Kubernetes clusters running an unsupported version. [ENG-16343]

Bot Actions (23.7.25)

MULTI-CLOUD/GENERAL

  • Added insight_link to Bot Jinja templates, so that Bots include a link to the details about the Insight. [ENG-13748]

Bug Fixes (23.7.25)

  • Fixed an issue where errors in the EventBusReceiver and EventBusConsumer were not making the job fail. [ENG-29709]

  • Fixed an issue with the AWS Sink harvester crashing because it did not attempt to retrieve a namespace_id. [ENG-29524]

  • Standardized the harvester permissions simulation implementation that you see in the "Missing permissions" warning on the Cloud Listing page. Previously, one might see some discrepancies between the simulation run when an account was initially added and the ongoing simulations done for maintenance. [ENG-29395]

  • Fixed the base URL setting when logged in via platform login. [ENG-29198]

  • Bug fix: users can now dismiss the "add cloud" modal for the Compliance Scorecard. [ENG-29136]

  • InsightCloudSec will no longer immediately harvest AWS Transcribe Jobs when Event-Driven Harvesting is enabled as we are able to use the event payload data to create the resource without a follow-up API call. This can significantly reduce the number of API calls for these immutable resources. [ENG-28538]

  • Fixed handling of BlockDeviceMappings in IaC scans of CFT files that caused unexpected results for Insights that check for Unencrypted Root Volumes. [ENG-28458]

  • Added correct handling for AdalError occurrences in AuthenticationServerUserSync. [ENG-27860]

  • Fixed the error message for the boto AccessDenied exception in CassandraTableHarvester; it now reports an Unauthorised failure message instead of Provider_Error. [ENG-26997]

  • Fixed a de-synchronization issue between the LC and Vuln tables, which caused the Vuln Severity filter inside Layered Context to return resources that had an N/A value in the Vulnerability Summary column. [ENG-25629]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.