Jan 17, 2023
InsightCloudSec is pleased to announce Release 23.11.7
InsightCloudSec Software Release Notice - 23.11.7 Release
Limited Release for 23.11.21 and 23.11.28
Due to the upcoming U.S. Thanksgiving holiday and AWS ReInvent, next week’s Release 23.11.14 will be the last formal release until 23.12.5. SaaS or self-hosted customers may have minor bug fixes and we may provide limited releases for those weeks, but our next full release for both SaaS and self-hosted customers will be on 23.12.5. Reach out to your CSM or InsightCloudSec support with questions or concerns.
Release Highlights (23.11.7)
InsightCloudSec is pleased to announce Release 23.11.7. This release includes added visibility and harvesting for Azure Storage Queues for all three Azure Cloud Environments–Azure Commercial, Azure GovCloud, and Azure China. This release also includes vulnerability fixes, one new Insight, one updated Insight, three updated Query Filters, and six bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.11.7)
Release availability for self-hosted customers is Thursday, November 9, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):
- latest
- 23.11.7
- 23.11.7.f79893425
New Permissions Required (23.11.7)
Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.
New Permissions: Azure
For Azure Commercial and GovCloud Standard (Reader Role):
- “Microsoft.Storage/storageAccounts/queueServices/read”,
- “Microsoft.Storage/storageAccounts/queueServices/queues/read”
These permissions support the newly added resource Azure Storage Queues. [ENG-31435]
For Azure Power User Role:
- “Microsoft.Kusto/*”
This permission supports the added capability to allow out-of-the-box automatic installation of Azure LPA. [ENG-32871]
Features & Enhancements (23.11.7)
- For Attack Paths, added messaging if no attack paths are found; the messaging includes a link to the documentation. [ENG-31288]
- Pods discovered by a Kubernetes Remote Scan now properly reflect their managed containers in the Containers resource inventory. [ENG-32668]
Resources (23.11.7)
AZURE
- Added visibility and harvesting for Azure Storage Queues (Storage category, new resource type Storage Queue). New permissions are required to access this new resource for both the Azure Custom Reader Role and the Azure GovCloud Custom Reader Role:
  - “Microsoft.Storage/storageAccounts/queueServices/read”
  - “Microsoft.Storage/storageAccounts/queueServices/queues/read”
  This resource type is available for Azure Commercial, Azure GovCloud, and Azure China. [ENG-31435]
- Added full Kusto permissions (“Microsoft.Kusto/*”) to the Azure Power User role so that it can automatically install Azure LPA. [ENG-32871]
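The two permission changes above (the queue-service read actions for the Custom Reader Role and the provider-wide “Microsoft.Kusto/*” grant for the Power User Role) are the kind of thing worth verifying in your own role definitions before a harvest fails or a role turns out broader than intended. The script below is an added example, not InsightCloudSec’s own code: it applies Azure RBAC’s two evaluation rules (effective permissions are Actions minus NotActions, and “*” inside an action string is a wildcard) to a role definition in the JSON shape that az role definition list returns, reporting which required actions are missing and which grants cover an entire resource provider. The role in the script is a constructed sample, not the vendor’s published role.

```python
"""Verify that an Azure custom role grants the actions a harvester needs.

Added example, not InsightCloudSec's own code.  Azure RBAC resolves a role's
effective permissions as Actions minus NotActions, and '*' inside an action
string is a wildcard; this script applies those two rules to a role
definition in the JSON shape returned by `az role definition list`.
The role below is a constructed sample, not the vendor's published role.
"""
import json
import re

# The two actions the release notes add for the Azure Custom Reader Role.
REQUIRED_READER_ACTIONS = [
    "Microsoft.Storage/storageAccounts/queueServices/read",
    "Microsoft.Storage/storageAccounts/queueServices/queues/read",
]

# Constructed sample: a reader role that predates this release, so it
# covers blob services but not queue services.
SAMPLE_ROLE_JSON = """
{
  "roleName": "example-custom-reader",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/*/read",
        "Microsoft.Compute/*/read"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/extensions/read"
      ]
    }
  ]
}
"""
SAMPLE_ROLE = json.loads(SAMPLE_ROLE_JSON)


def action_matches(pattern: str, action: str) -> bool:
    """True when an action pattern (with '*' wildcards) covers `action`."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def grants(role: dict, action: str) -> bool:
    """Apply the Actions-minus-NotActions rule to each permission block."""
    for block in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in block.get("actions", []))
        denied = any(action_matches(p, action) for p in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def missing_actions(role: dict, required=REQUIRED_READER_ACTIONS) -> list:
    """Required actions the role does not grant."""
    return [a for a in required if not grants(role, a)]


def provider_wide_grants(role: dict) -> list:
    """Actions of the form 'Microsoft.Provider/*' (or a bare '*'): these give
    every operation in a provider and deserve a least-privilege review."""
    found = []
    for block in role.get("permissions", []):
        for p in block.get("actions", []):
            if re.fullmatch(r"\*|[^/]+/\*", p):
                found.append(p)
    return found


def check_role(role_json: str) -> dict:
    """Parse a role definition and report missing and provider-wide actions."""
    role = json.loads(role_json)
    return {
        "roleName": role.get("roleName"),
        "missing": missing_actions(role),
        "providerWide": provider_wide_grants(role),
    }


if __name__ == "__main__":
    print(json.dumps(check_role(SAMPLE_ROLE_JSON), indent=2))
```

Run against the sample role, the report lists both queue-service actions as missing and no provider-wide grants; after adding “Microsoft.Kusto/*” the provider-wide list flags it, which is the caveat to weigh when installing Azure LPA with the Power User Role.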
GCP
- Added GCP Source Document support for GCP Instances. [ENG-28587]
Insights (23.11.7)
AWS
AWS Lambda Python 3.7 Runtime Deprecation Imminent
- New Insight identifies Lambdas running Python 3.7 in anticipation of the runtime’s deprecation. [ENG-32345]
MULTI-CLOUD/GENERAL
- Updated remediation of the Database Instance Threat Detection Administrator Alerts Disabled Insight. [ENG-24087]
Query Filters (23.11.7)
AWS
- Updated definition of “latest” Python version for Lambda Query Filters. Specifically, added Python 3.11 to the configuration options available for Serverless Function By Runtime Language, and updated the definition of “latest” used by Serverless Function Using/Not Using Latest Runtime from Python 3.10 to Python 3.11. [ENG-32624, ENG-31974]
MULTI-CLOUD/GENERAL
Serverless Function Using/Not Using Latest Runtime
- Updated Query Filter to include Python 3.11 as a filter. [ENG-32624]
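The new Lambda Python 3.7 Insight and the updated “latest runtime” query filters both come down to classifying each function by its runtime string. The script below is an added example, not InsightCloudSec code, that reproduces that classification so you can cross-check the product’s findings against your own account: python3.7 is reported as deprecated and Python 3.11 is the version treated as latest, per this release. The function list is a constructed sample in the shape of boto3’s lambda list_functions response; fetch_functions() pulls the live list when AWS credentials are available and is otherwise not called.

```python
"""Classify Lambda functions by Python runtime the way the Insight and query
filters above do: python3.7 is flagged as deprecated and python3.11 counts as
the latest runtime.  Added example, not InsightCloudSec code.  SAMPLE_FUNCTIONS
is a constructed sample in the shape of boto3's
lambda.list_functions()['Functions'].
"""
import re

DEPRECATED_RUNTIMES = {"python3.7"}   # runtime the new Insight flags
LATEST_PYTHON = (3, 11)               # definition of "latest" per this release

SAMPLE_FUNCTIONS = [
    {"FunctionName": "legacy-etl", "Runtime": "python3.7"},
    {"FunctionName": "api-handler", "Runtime": "python3.10"},
    {"FunctionName": "notifier", "Runtime": "python3.11"},
    {"FunctionName": "edge-node", "Runtime": "nodejs18.x"},
    # Container-image functions carry no Runtime key at all.
    {"FunctionName": "custom-image", "PackageType": "Image"},
]

_PY_RUNTIME = re.compile(r"^python(\d+)\.(\d+)$")


def classify(function: dict) -> str:
    """Return one of: deprecated, outdated, latest, other, unknown."""
    runtime = function.get("Runtime")
    if runtime is None:
        return "unknown"          # image-based function; runtime not reported
    if runtime in DEPRECATED_RUNTIMES:
        return "deprecated"
    match = _PY_RUNTIME.match(runtime)
    if not match:
        return "other"            # non-Python runtime, out of scope here
    version = (int(match.group(1)), int(match.group(2)))
    return "latest" if version >= LATEST_PYTHON else "outdated"


def runtime_report(functions) -> dict:
    """Group function names by classification."""
    report = {}
    for fn in functions:
        report.setdefault(classify(fn), []).append(fn["FunctionName"])
    return report


def deprecated_functions(functions) -> list:
    """Names of functions the Python 3.7 Insight would flag."""
    return [fn["FunctionName"] for fn in functions if classify(fn) == "deprecated"]


def fetch_functions(region: str) -> list:
    """Pull live configurations with boto3 (requires AWS credentials)."""
    import boto3
    paginator = boto3.client("lambda", region_name=region).get_paginator("list_functions")
    return [fn for page in paginator.paginate() for fn in page["Functions"]]


if __name__ == "__main__":
    for status, names in sorted(runtime_report(SAMPLE_FUNCTIONS).items()):
        print(f"{status:10s} {', '.join(names)}")
```

Because the comparison is on the parsed version tuple rather than a string match, a newer runtime than 3.11 is still reported as latest rather than outdated; only the deprecated set needs updating as AWS retires further runtimes.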
Bug Fixes (23.11.7)
- Fixed home region issues in OCI:OracleSubnetHarvester and OCI:OracleSubnetHarvester. [ENG-32850]
- Resolved package security vulnerabilities in accordance with our vulnerability resolution policy. [ENG-32785]
- Fixed an issue in the ResourceVulnerabilityHarvesters that could prevent successful harvests for AWS Inspector, GCP, and Azure resource vulnerabilities. [ENG-32559]
- Fixed an edge case with the Insight Private Image Exposed to the Public where non-shared images were incorrectly marked as public. [ENG-31627]
- Corrected display of required permissions in Cloud Advisor Check; removed overly permissive (support:*) permissions from AWS Gov Read Only Policy. [ENG-30259]
- Fixed an issue with validating the EFS resource type with in-transit encryption enabled that was causing IaC scan failures. [ENG-27901]
Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
  - Power User Policy
- GovCloud
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
  - Power User Policy
- China
  - Read Only Policy
    - Part 1
    - Part 2
    - Part 3
Azure
- Commercial
  - Custom Reader User Role
  - Power User Role
  - Reader Plus User Role
- GovCloud
  - Custom Reader User Role
  - Power User Role
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM or the Customer Support Portal.