Oct 17, 2023
InsightCloudSec is pleased to announce Release 23.10.17
InsightCloudSec Software Release Notice - 23.10.17 Release
DivvyCloud Docs Site End-of-Life (EOL) Update
On August 1st, 2023, the InsightCloudSec documentation transitioned to docs.rapid7.com to be with the documentation for the rest of the Rapid7 software portfolio. The old site (docs.divvycloud.com) will continue to exist until a near-future date but will remain static. After this date, any links to the old site will be redirected to their docs.rapid7.com/insightcloudsec/ counterpart, so the old site will functionally not be visible publicly. However, the API reference will still be available until further notice. Visit our Getting Support page for details on contacting support for any questions or issues with the transition.
Release Highlights (23.10.17)
InsightCloudSec is pleased to announce Release 23.10.17. In this release, we have addressed a couple of CWEs and CVEs, enhanced EDH Consumer and EDH Producer pages for all customers, and made Attack Paths exportable in CSV and JSON formats. In addition, 23.10.17 includes one updated Query Filter, and 10 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.10.17)
Release availability for self-hosted customers is Thursday, October 19, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):
- latest
- 23.10.17
- 23.10.17.8b41bcf9c
Features & Enhancements (23.10.17)
- Enhanced EDH Consumer and EDH Producer pages are now generally available. No change to the existing EDH functionality. [ENG-32249]
- Attack Paths are now exportable in CSV and JSON formats. [ENG-29599]
- We have patched the following vulnerabilities:
  - Improper Neutralization of Special Elements in Data Query Logic - CWE-943: Updated msal package to version 1.24.1. [ENG-31846]
  - Denial of Service - CWE-400 CVE-2023-3446: Updated cryptography package to version 41.0.4. [ENG-31847]
Query Filters (23.10.17)
AZURE
- Identity Resource Allows Permission (Azure) updated to include additional parameterization:
  - Added an (optional) parameter for scope(s); permission assignments in Azure have specific scope(s), such as tenant, management group, subscription, resource group, resource
  - Added an (optional) parameter for permission plane; Azure supports control and data permissions
  - Added an (optional) parameter for scope type; universal, tenant, management group, subscription, resource group, resource [ENG-32002]
Bug Fixes (23.10.17)
- Resolved DB performance issues caused by Azure Identities relationship. [ENG-32231]
- Fixed exemption rule modal not saving changes when date limit is empty. [ENG-32125]
- Fixed a bug where ServiceAccessKeyHarvester was not harvesting for only one subscription per Azure tenant, resulting in duplicate resources being harvested. [ENG-32089]
- Fixed an API bug with failure to return a bad request when sent incorrect parameters for /iam-explorer/export-policy-stack. [ENG-32031]
- Added il-central-1 to EDH provisioning exclude list since it is an opt-in region. [ENG-32022]
- Corrected link to Vulnerabilities documentation. [ENG-31985]
- Fixed an issue where AWS accounts not managed by an AWS Organization config would have their credentials updated when the Sync Accounts feature was not enabled. [ENG-31893]
- Fixed an issue where OCI Exadata VM Clusters couldn’t be harvested. [ENG-30989]
- Fixed a bug that prevented validation of some clouds permissions if a Google Cloud Account failed to validate. [ENG-30690]
- Fixed database inconsistency between recommendations and service users/service roles. [ENG-29195]
Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
  - Power User Policy
- GovCloud
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
  - Power User Policy
- China
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
Azure
- Commercial
  - Custom Reader User Role
  - Power User Role
  - Reader Plus User Role
- GovCloud
  - Custom Reader User Role
  - Power User Role
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.