Aug 29, 2023

23.8.29 Release Notes

InsightCloudSec Software Release Notice - 23.8.29 Release

DivvyCloud Docs Site End-of-Life (EOL) Update

On August 1st, 2023, the InsightCloudSec documentation transitioned to docs.rapid7.com to be with the documentation for the rest of the Rapid7 software portfolio. The old site (docs.divvycloud.com) will continue to exist until Tuesday, September 19th, 2023, but will remain static. After this date, any links to the old site will be redirected to their docs.rapid7.com/insightcloudsec/ counterpart, so the old site will functionally not be visible publicly. Visit our Getting Support page for details on contacting support for any questions or issues with the transition.

Release Highlights (23.8.29)

InsightCloudSec is pleased to announce Release 23.8.29. This release includes improved onboarding content for Alibaba Cloud, Oracle Cloud Infrastructure (OCI), and Google Cloud Platform (GCP); expanded Source Document support; a new, unique Attack Path ID; and a reworked Related Resources user experience.

In addition, 23.8.29 includes three updated Insights, one new Insight, one updated Query Filter, three new Query Filters, and 13 bug fixes.

Self-Hosted Deployment Updates (23.8.29)

Release availability for self-hosted customers is Thursday, August 31, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 23.8.29
  3. 23.8.29.2def6c901

Limited Release for 23.9.5

As the next week includes a Federal Holiday, we will not be providing a formal release with release notes for the week of 23.9.5. SaaS or self-hosted customers may have minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on 23.9.12. Reach out to your CSM or InsightCloudSec support with questions or concerns.

Features & Enhancements (23.8.29)

  • We’ve updated the onboarding content and documentation for:

    • Alibaba Cloud [ENG-29575]
    • GCP [ENG-29573]
  • Added a unique Path ID to the Attack Paths listing view to help differentiate between similar looking attack paths. [ENG-28965]

  • We have reworked the Related Resources User Experience to improve performance and provide a look and feel consistent with other parts of the application. Note: The Print functionality has been removed temporarily; we suggest users employ screenshots as needed until an updated Print functionality is available in the near future. [ENG-29945]

Resources (23.8.29)

AWS

  • Added AWS Source Document support for AWS Managed Policy. Note: This is for Event Driven Harvesting only so the source documents will not be visible via the UI. [ENG-19078]

AZURE

  • Added support for an alternative way to set up our Azure EDH system. Note: If the customer has networking restrictions that inhibit access over ports 5671/5672, they can now switch to port 443 for Azure EDH by setting the DIVVY_AZURE_SERVICEBUS_WEBSOCKETS environment variable to true. [ENG-27307]

GCP

Added GCP Source Document support for:

  • Distributed Table Clusters [ENG-28591]
  • GCE Service Dataset [ENG-28615]
  • Dataflow Jobs [ENG-28638]

Insights (23.8.29)

AWS

  • Storage Container Without Dual-Layer Server-Side Encryption - New Insight identifies storage containers (AWS S3 buckets) without dual-layer server-side encryption enabled. [ENG-30463]
  • Database Migration Instance Publicly Accessible - Insight was deprecated. [ENG-28790]
  • Database Replication Instance with the Publicly Accessible Option Enabled (AWS) - This Insight will be maintained as it uses the same underlying Query Filter configuration as the now-deprecated Insight Database Migration Instance Publicly Accessible, its severity matches AWS Security Hub, and it has IaC support. [ENG-28790]

GCP

  • Instance Without Block Project-wide SSH Keys Enabled - Insight name changed from Instance Without Project-wide SSH Keys Enabled. [ENG-29196]

Query Filters (23.8.29)

AWS

  • Storage Container Without Dual-Layer Server-Side Encryption - New Query Filter identifies storage containers (AWS S3 buckets) without dual-layer server-side encryption enabled. [ENG-30463]

GCP

  • Instance Without Block Project-wide SSH Keys Enabled - New Query Filter identifies instances without Block Project-wide SSH Keys enabled, unless OS Login is enabled instead. Instances created by GKE are ignored. [ENG-29196]

MULTI-CLOUD/GENERAL

  • Cloud Account With Active Root API Access Key Present - Updated Query Filter renamed from Cloud Account With Root API Access Key Present and updated to return only accounts that have access keys that are active. [ENG-29653]

  • Cloud Account With Root API Access Key Present - New Query Filter identifies cloud accounts with API access keys present on the root account (active or inactive). [ENG-29653]

Bug Fixes (23.8.29)

  • Fixed an issue where the resource properties sidebar never loaded for Cognitive Service resources. [ENG-30702]

  • Fixed an issue with GCP Harvesting of Compute API resources not stopping despite disabled APIs. This change updates the service resource mapping to include a few missing resources. The missing mappings were causing the associated harvesters for these resources to run and then fail, rather than the resources being added to disabled resources. [ENG-30601]

  • Fixed an issue for customers using AWS Organization onboarding. In the edge case where a customer authenticates with an IAM User + Access Key (as opposed to AssumeRole, which authenticates with a Role-to-Role trust relationship) and updates only the AccessKey and nothing else, the new AccessKey was not used by the member accounts. This fix ensures that the configuration propagation detects the change. [ENG-30449]

  • Fixed a bug where account name displayed incorrectly when viewing the details of a Cloud Account. [ENG-30302]

  • Fixed an issue with tagging Bot actions that were providing inconsistent results. Added a new check to the action assign_tag_to_resource to allow force tag additions. [ENG-30282]

  • Fixed an issue where the ExemptionRuleProcessor was incorrectly creating exemptions for non-IaC resources from IaC-only rules. [ENG-29806]

  • Fixed an issue with Query Filter Cloud Account With Root API Access Key Present (now renamed Cloud Account With Active Root API Access Key Present) where an added check did not denote whether access keys are active or not. [ENG-29653]

  • Fixed a bug with long resource names in Attack Paths. [ENG-29423]

  • Fixed an issue with the Azure Database Instance Harvester that was causing false positives in the Database Instance Azure Active Directory Administrator Not Configured Query Filter. [ENG-29335]

  • Fixed logic for Instances Without OS Login Enabled Insight. [ENG-29196]

  • Fixed an issue with an inaccurate severity in Insight Database Migration Instance Publicly Accessible by deprecating this Insight and merging it with Insight Database Replication Instance with the Publicly Accessible Option Enabled (AWS). These two were duplicates using the same underlying Query Filter configuration. [ENG-28790]

  • Improved the Resource Specific Policy Principal Wildcard Search Query Filter to better handle policies with invalid principals. [ENG-28130]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.