23.7.25 Release Notes

InsightCloudSec Software Release Notice - 23.7.25 Release

Release Highlights (23.7.25)

InsightCloudSec is pleased to announce Release 23.7.25. This release includes a new Compliance Pack–the ISO/IEC27017:2015 Pack–and the capability to scan individual Kubernetes nodes. In addition, 23.7.25 includes 12 new Insights, two new Query Filters, and ten bug fixes.

• Contact us through the unified Customer Support Portal with any questions.

Features & Enhancements (23.7.25)

• We’ve added the capability to scan individual Kubernetes nodes. Additional information can be found in our Kubernetes Node Scanner documentation. A new Insight, Ensure r7-node-scanner is installed supports this feature. [ENG-28743]
• We have updated our logic that checks for public network access on Azure, so Insights that check for public access on Azure resources may have a noticeable change in number of findings after this release. [ENG-28945]

User Interface (23.7.25)

• Updated the UI for the Just-In-Time IAM feature which dynamically changes the front-end layout when a user is navigating to the page from the Rapid7 Awsaml application. [ENG-29055]

• Added a link to the Identity Analysis Documentation at the top of the Identity Analysis page. [ENG-28381]

Resources (23.7.25)

AWS

• We have updated evaluation of storage container modifications for AWS S3 to evaluate whether Intelligent Tiering has changed, i.e., if an S3 bucket's Intelligent Tiering property or configuration changes, it will trigger a resource modification hookpoint. [ENG-29694]

GCP

• We have added a script to calculate billable resources for Google Cloud Platform. [ENG-28508]
• Added GCP Source Document support for Subnets. [ENG-28627]
• Added GCP Source Document support for Networks. [ENG-28596]
• Added GCP Source Document support for Sink. [ENG-28364]
• Added GCP Source Document support for ApiAccountingConfig. [ENG-28078]

Insights (23.7.25)

New ISO/IEC27017:2015 Pack
We have created the ISO/IEC27017:2015 Pack. The ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing: additional implementation guidance for relevant controls specified in ISO/IEC 27002; additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers. [ENG-26782]

AWS

• We have updated our AWS Foundational Security Best Practices pack to provide more detail on the supported controls. Of note, AWS changed the category of one control from ELBv2.1 to ELB.1. It is the control "Application Load Balancer should be configured to redirect all HTTP requests to HTTPS". [ENG-29431]

• We have added the following Insights for AWS [ENG-29471]:

  • Cache Instance with Auth Token Disabled and using early Redis Version - New Insight identifies Redis cache instances which do not have auth token enabled and are running a version before version 6.0.
  • Cache Instance without Automatic Failover Enabled - New Insight identifies cache instances that do not have automatic failover enabled.
  • Cache Instances without Automatic Backups - New Insight identifies cache instances without automatic backups that require a snapshot retention period of 1 day or longer.

• We have updated our AWS Foundational Security Best Practice Pack to support the following controls [ENG-29471]:

  • ElastiCache.1 ElastiCache for Redis clusters should have automatic backups scheduled
  • ElastiCache.2 Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters
  • ElastiCache.3 ElastiCache for Redis replication groups should have automatic failover enabled
  • ElastiCache.4 ElastiCache for Redis replication groups should be encrypted at rest
  • ElastiCache.5 ElastiCache for Redis replication groups should be encrypted in transit
  • ElastiCache.6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH

MULTI-CLOUD/GENERAL
Added nine new Insights [ENG-27875]:

• Batch Environment has Public Access - This Insight identifies batch environments that have public access enabled.

• Big Data Workspace allows Public Access - This Insight identifies big data workspaces that allow access from the public.

• Cloud Region Without Block Public Sharing for SSM Documents - This Insight identifies cloud regions that do not block public sharing of SSM documents.

• Cloud Storage Access Point allows Public Access - This Insight identifies cloud access points that allow public access.

• Cold Storage Exposed To Public - This Insight identifies cold storage vaults exposed to the public.

• Content Delivery Network uses Public Storage Container for Origin - This Insight identifies content delivery networks that are using a publicly accessible storage container for an origin.

• Database Cluster With Publicly Available Database Instances - This Insight identifies database clusters with publicly available database instances.

• Service App Without Public Client Enabled - This Insight identifies cloud apps with public cloud enabled.

• Service Role Is Public - This Insight identifies cloud roles that are public.

Query Filters (23.7.25)

AWS

• Resource Specific Policy With/Without Specific Condition Values - New Query Filter identifies resources whose direct policy has one or more Statements missing a specific Condition property defined by condition comparison, condition key, and condition values. Optionally, match resources that have the specific Condition property on all Statements. If multiple condition values are not required, see Query Filter Resource Specific Policy With/Without Specific Condition, which is more performant. This is useful for inspecting conditions with multiple values, e.g., a condition that denies action unless the source IP falls within an accepted list of IP addresses. [ENG-29484]

MULTI-CLOUD/GENERAL

• Kubernetes Cluster Unsupported Version (EKS/AKS/GKE) - New Query Filter identifies Kubernetes clusters running unsupported version. [ENG-16343]

Bot Actions (23.7.25)

MULTI-CLOUD/GENERAL

• Added insight_link to Bot jinja templates, so that Bots include a link to the details about the Insight. [ENG-13748]

Bug Fixes (23.7.25)

• Fixed an issue where errors in the EventBusReceiver and EventBusConsumer were not making the job fail. [ENG-29709]

• Fixed an issue with AWS Sink harvester crashing due to not trying to retrieve a namespace_id. [ENG-29524]

• Standardized the harvester permissions simulation implementation that you see in the "Missing permissions" warning on the Cloud Listing page. Previously, one might see some discrepancies between the simulation run when an account was initially added and the ongoing simulations done for maintenance. [ENG-29395]

• Fixed base url setting when logged in via platform login. [ENG-29198]

• Bug fix: users can now dismiss the "add cloud" modal for the Compliance Scorecard. [ENG-29136]

• InsightCloudSec will no longer immediately harvest AWS Transcribe Jobs when Event-Driven Harvesting is enabled as we are able to use the event payload data to create the resource without a follow-up API call. This can significantly reduce the number of API calls for these immutable resources. [ENG-28538]

• Fixed handling of BlockDeviceMappings in IaC scans of CFT files that caused unexpected results for Insights that check for Unencrypted Root Volumes. [ENG-28458]

• Added correct handling for when AdalError occurred in AuthenticationServerUserSync. [ENG-27860]

• Fixed an error message with boto AccessDenied Exception in CassandraTableHarvester; now gives Unauthorised failure message instead of Provider_Error. [ENG-26997]

• Fixed issue of de-syncing between LC and Vuln tables, which led to the result where using Vuln Severity filter inside Layered Context yielded resources that had N/A value for Vulnerability Summary column. [ENG-25629]