23.8.1 Release Notes
InsightCloudSec Software Release Notice - 23.8.1 Release
Major Documentation Announcement: Site Migration
On August 1st, 2023, the InsightCloudSec documentation will be available on docs.rapid7.com
alongside the documentation for the rest of the Rapid7 software portfolio.
While a lot of work will happen behind the scenes, you should largely be unaffected. Here are some important things you should know about this move:
- We pride ourselves on our documentation process and quality. These will not be changing.
- The new site will be located at docs.rapid7.com/insightcloudsec/; the old site (docs.divvycloud.com) will still exist until December 31st, 2023 but will not be publicly visible.
- The new and old sites are functionally similar, but the release notes will be in a different location (separate from the documentation): docs.rapid7.com/release-notes/insightcloudsec/
- After August 1st, 2023, the InsightCloudSec documentation team will only maintain the new site; the old site will remain static until its retirement.
- On August 1st, 2023, all docs.divvycloud.com-related URLs will redirect to docs.rapid7.com/insightcloudsec/-related URLs.
Visit our Getting Support page for details on contacting support for any questions or issues with the transition.
Release Highlights (23.8.1)
InsightCloudSec is pleased to announce Release 23.8.1. This release includes vulnerability fixes, updates to the Identity Management API, and interface improvements to Attack Paths and the Clouds Listing page. In addition, this release includes several Insight and Compliance pack updates, three new or modified Query Filters, one updated Bot Action, and nine bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Release Tagging & Hashes
The InsightCloudSec team is expanding our tagging strategy for publishing images. To align ourselves with industry best practices, each new InsightCloudSec build version (starting with this one) will include a hash after the version number (including hot fix versions). This means you can obtain this version of InsightCloudSec using three, separate tags (all versions can be found here):
- latest
- 23.8.1
- 23.8.1.<hash>
Self-Hosted Deployment Updates (23.8.1)
Release availability for self-hosted customers is Thursday, August 3, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Modules can be updated with the terraform get -update command.
New Permissions Required (23.8.1)
New Permissions: AWS
For AWS Commercial Standard (Read-Only) Users:
- "ec2:CopySnapshot"
- "kms:Decrypt"
- "kms:Encrypt"
- "kms:GenerateDataKeyWithoutPlaintext"
- "kms:RetireGrant"
These permissions support the newly added Host Vulnerability Management feature for assessing volumes encrypted with an AWS managed key. [ENG-25743].
Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS' continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
Features & Enhancements (23.8.1)
- Resolved CVE-2021-21306 and CWE-400 vulnerabilities, which relate to Regular Expression Denial of Service (ReDoS). [ENG-28483]
- Updated the identity-management API to reflect /principals and /federated-users endpoints. Updated the endpoint {{domain}}/v4/iam/identity-management/ to {{domain}}/v4/iam/identity-management/principals/. [ENG-30015]
- Attack Paths will now display an explicit "Internet" node when the viewed attack path is publicly accessible. [ENG-25951]
User Interface Changes (23.8.1)
- Clouds Listing, and associated modals, have all been implemented in React. The user experience has been improved. [ENG-28253]
- Disabled the "Console Access" button in the Just-In-Time IAM feature for roles meant for CLI access only. [ENG-29707]
- Added a visual indicator for active and inactive session credentials on the Just-in-time IAM feature. [ENG-29651]
Resources (23.8.1)
AWS
- We have added a new property to Cache Instances: Automatic Minor Version Upgrade. We have added a Query Filter, Cache Instance Automatic Minor Version Upgrade Status, to surface cache instances based upon the property. We added an Insight, Cache Instance without Automatic Minor Version Upgrades Enabled, to track status. We updated the BotFactory action "Modify Memcache Instance Attribute" so it can remediate issues surfaced by the new Insight. Further, we have updated our AWS Foundational Security Best Practices pack to include the new Insight as it matches the control "[ElastiCache.2] Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters". [ENG-29374]
- We have added suspicious event support for the AWS event AttachGroupPolicy. Now, if a group has a permission added that includes admin access, write access, and/or privilege escalation, we flag the event as suspicious and mark the group as having a suspicious event. [ENG-27885]
- Added support to the Host Vulnerability Management feature for assessing volumes encrypted with an AWS managed key. The new permissions (AWS commercial Read-Only users) required to use this feature are "kms:RetireGrant", "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt", and "kms:Decrypt". [ENG-25743]
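As an added example (not InsightCloudSec's own code), the following Python detector illustrates the kind of rule the AttachGroupPolicy suspicious-event support describes: it takes a CloudTrail AttachGroupPolicy record, resolves the attached policy by ARN, and labels it with admin access, write access and/or privilege escalation. The read-only prefixes, the privilege-escalation action list, the policy documents and the sample records are all assumptions or constructed data.

```python
import fnmatch
# Assumed heuristics (not InsightCloudSec's own rules): action-name prefixes
# treated as read-only, and IAM actions treated as privilege escalation.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")
PRIV_ESC_ACTIONS = ("iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                    "iam:AttachGroupPolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
                    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_policy(document):
    """Subset of {'admin access', 'write access', 'privilege escalation'} a policy grants."""
    flags = set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "*:*"):
                flags.add("write access")
                if "*" in resources:
                    flags.add("admin access")
            elif not action.partition(":")[2].startswith(READ_ONLY_PREFIXES):
                flags.add("write access")  # service wildcard or mutating action
            # fnmatchcase(name, pattern): wildcard actions such as "iam:*" match too
            if any(fnmatch.fnmatchcase(p, action) for p in PRIV_ESC_ACTIONS):
                flags.add("privilege escalation")
    return flags

def flag_attach_group_policy(event, policy_documents):
    """Return (groupName, flags) for one CloudTrail record; flags is empty unless the
    record is AttachGroupPolicy and the attached policy (looked up by ARN) is risky."""
    if (event.get("eventSource"), event.get("eventName")) != ("iam.amazonaws.com", "AttachGroupPolicy"):
        return None, set()
    params = event.get("requestParameters") or {}
    doc = policy_documents.get(params.get("policyArn"))
    return params.get("groupName"), (classify_policy(doc) if doc else set())

# Constructed sample data (not real account data): policies keyed by ARN, two CloudTrail-style records.
POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess":
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "arn:aws:iam::123456789012:policy/S3ReadOnly":
        {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
}
EVENTS = [{"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
           "requestParameters": {"groupName": g, "policyArn": a}}
          for g, a in (("developers", "arn:aws:iam::aws:policy/AdministratorAccess"),
                       ("auditors", "arn:aws:iam::123456789012:policy/S3ReadOnly"))]
```

Running flag_attach_group_policy over EVENTS marks the "developers" group as suspicious on all three counts and leaves "auditors" unflagged.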
GCP
- Added GCP Source Document support for Spanner. We’ve also added Cloud Asset Inventory (CAI) support and added a direct link to the Spanner within the Resource Properties blade. [ENG-28594]
- Added GCP Source Document support for Service Account. [ENG-28636]
- Added GCP Source Document support for Cloud Functions. [ENG-28601]
- Added GCP Source Document support for Database Instance. [ENG-28517]
Insights (23.8.1)
AWS CIS 1.5
We are updating the AWS CIS 1.5 pack to the current release of AWS CIS 2.0. Major changes include:
- Adding two benchmarks:
  - 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  - 5.6 - Ensure that EC2 Metadata Service only allows IMDSv2
- Deleting one benchmark:
  - 2.1.1 - Ensure all S3 buckets employ encryption-at-rest
[ENG-29902]
AWS
Cache Instance without Automatic Minor Version Upgrades Enabled
- New Insight tracks status of the newly-added property for Cache Instances, Automatic Minor Version Upgrade. [ENG-29374]
- We have updated our AWS Foundational Security Best Practices pack to include the new Insight as it matches the control "[ElastiCache.2] Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters". [ENG-29374]
- We have added the following Insights for AWS [ENG-29471]:
  - Cache Instance with Auth Token Disabled and using early Redis Version - New Insight identifies Redis cache instances which do not have auth token enabled and are running a version before version 6.0.
  - Cache Instance without Automatic Failover Enabled - New Insight identifies cache instances that do not have automatic failover enabled.
  - Cache Instances without Automatic Backups - New Insight identifies cache instances without automatic backups that require a snapshot retention period of 1 day or longer.
- We have updated our AWS Foundational Security Best Practice Pack to support the following controls [ENG-29471]:
- ElastiCache.1 ElastiCache for Redis clusters should have automatic backups scheduled
- ElastiCache.2 Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters
- ElastiCache.3 ElastiCache for Redis replication groups should have automatic failover enabled
- ElastiCache.4 ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache.5 ElastiCache for Redis replication groups should be encrypted in transit
- ElastiCache.6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH
AZURE
Serverless Function Configured with Deprecated Runtime
- Updated Insight now supports Azure. [ENG-23328]
Query Filters (23.8.1)
AWS
Cache Instance Automatic Minor Version Upgrade Status
- New Query Filter surfaces cache instances based upon the newly-added property Automatic Minor Version Upgrade. [ENG-29374]
AZURE
Serverless Function Using/Not Using Deprecated Runtime
- Updated Query Filter now supports Azure. [ENG-23328]
Oracle Database Instance/Cluster/Snapshot Engine
- Query Filter modified to include several Oracle options [ENG-29924]:
  - Oracle Custom EE
  - Oracle EE CDB
  - Oracle Custom EE CDB
  - Oracle SE2 CDB
Bot Actions (23.8.1)
AWS
- "Modify Memcache Instance Attribute" - We updated this BotFactory action to be able to fix issues related to the new Insight Cache Instance without Automatic Minor Version Upgrades Enabled. [ENG-29374]
Bug Fixes (23.8.1)
- Fixed slow loading Vulnerabilities result rows. [ENG-30000]
- Hardened EDH harvesting for the AWS legacy event UpdateGlobalTable to allow the enqueuing of a subsequent harvest to collect full details. [ENG-29916]
- Added fix for Host Assessment in Azure and GCP where instances were failing to be assessed. [ENG-29881]
- Fixed an issue with the CVSS score not showing in the merged Vulnerabilities dashboard. [ENG-29775]
- Fixed error on downloading Vulnerabilities report. [ENG-29774]
- Changed apply remediation button to primary ghost button and added space. We also fixed the alignment between permission count and button. [ENG-29197]
- Fixed an error when harvesting an OCI database with a storage size of None. [ENG-28821]
- Fixed an issue involving API activity not logging for users who login via Rapid7 Insight platform. [ENG-28694]
- Fixed an issue where badge fields weren't appearing for the Snapshot With Active Share (AWS) and Resource Not In Cloud With Badge Key/Value Query Filters. [ENG-28304]
Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Read Only Policy
- Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.