Dec 12, 2023

23.12.12 Release Notes

InsightCloudSec Software Release Notice - 23.12.12 Release

Release Highlights (23.12.12)

InsightCloudSec is pleased to announce Release 23.12.12. This release includes a rapid response to AWS re:Invent, comprising added support for three AWS resources (AWS Bedrock, AWS Clean Rooms, and AWS Network Firewall), and updates to three Compliance Packs: NIST SP 800-53 (Rev 5), AWS Foundational Security Best Practices, and AWS CIS 2.0. In addition, this release includes the Kubernetes Automated Agent Deployer, a new GCP resource, and an update to the Attack Path graph. 23.12.12 includes 16 new Insights, 12 new Query Filters, and five bug fixes.

Self-Hosted Deployment Updates (23.12.12)

Release availability for self-hosted customers is Thursday, December 14, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 23.12.12
  3. 23.12.12.e85d06a5d

ECR Build Id: e85d06a5dacb384fedb52ff726bd3f6d8e5f66a5

Limited Releases Until 24.1.9

Due to the upcoming global holidays, Release 23.12.12 will be the last formal release until 24.1.9. SaaS or self-hosted customers may have minor bug fixes and we may provide limited releases for those weeks, but our next full release for both SaaS and self-hosted customers will be on 24.1.9. Reach out to your CSM or InsightCloudSec support with questions or concerns.

New Permissions Required (23.12.12)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

New Permissions: AWS

For AWS Commercial Standard (Read-Only) Users:

  • "bedrock:ListModelCustomizationJobs",
  • "bedrock:GetModelCustomizationJob",
  • "cleanrooms:GetCollaboration",
  • "cleanrooms:ListCollaborations",
  • "cleanrooms:ListMembers"

For AWS Commercial and GovCloud Standard (Read-Only) Users:

  • "network-firewall:DescribeFirewall",
  • "network-firewall:ListFirewalls",
  • "securityhub:DescribeHub",
  • "serverlessrepo:GetApplication"

For AWS Commercial Power Users:

  • "bedrock:*",
  • "cleanrooms:*"

For AWS Commercial and GovCloud Power Users:

  • "network-firewall:*",
  • "securityhub:*"

These permissions support the newly added:

  • AWS Bedrock Customization Jobs resource and the new Security Hub-related Query Filters and Insights [ENG-33496]
  • AWS Clean Rooms resource [ENG-32313]
  • AWS Network Firewall [ENG-33477]

Note: We recommend that our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS' managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy is that AWS continuously updates it for new services, making it easier to harvest new resources and properties without changing harvesting policies. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
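The supplemental-policy recommendation above invites a pre-upgrade check: does the harvesting role's existing policy already cover the new Standard (Read-Only) actions listed in this release? The script below is an added example, not InsightCloudSec's own code; it evaluates only the Action element of Allow and Deny statements against a constructed sample policy (Resource, Condition and NotAction are ignored, so IAM's policy simulator remains the authoritative check).

```python
import fnmatch
import json

# New Standard (Read-Only) actions listed in the 23.12.12 release notes.
NEW_STANDARD_COMMERCIAL = [
    "bedrock:ListModelCustomizationJobs",
    "bedrock:GetModelCustomizationJob",
    "cleanrooms:GetCollaboration",
    "cleanrooms:ListCollaborations",
    "cleanrooms:ListMembers",
]
NEW_STANDARD_COMMERCIAL_AND_GOVCLOUD = [
    "network-firewall:DescribeFirewall",
    "network-firewall:ListFirewalls",
    "securityhub:DescribeHub",
    "serverlessrepo:GetApplication",
]

# Constructed sample supplemental policy written before this release: it grants
# all of Bedrock, only Describe* on Network Firewall, and explicitly denies Clean Rooms.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["bedrock:*", "network-firewall:Describe*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "securityhub:DescribeHub", "Resource": "*"},
  {"Effect": "Deny", "Action": "cleanrooms:*", "Resource": "*"}
]}
""")

def action_patterns(policy):
    """Split a policy document into (allow, deny) lists of lower-cased Action patterns."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as an object
        statements = [statements]
    allow, deny = [], []
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        (allow if stmt.get("Effect") == "Allow" else deny).extend(a.lower() for a in actions)
    return allow, deny

def missing_actions(policy, required):
    """Required actions with no matching Allow, or matched by an explicit Deny.
    IAM action names are case-insensitive and support '*'/'?' wildcards."""
    allow, deny = action_patterns(policy)
    def covered(action):
        name = action.lower()
        if any(fnmatch.fnmatchcase(name, d) for d in deny):
            return False
        return any(fnmatch.fnmatchcase(name, a) for a in allow)
    return [a for a in required if not covered(a)]
```

Run it against your own role's inline or managed policy document (for example, the JSON returned by `aws iam get-policy-version`) and add any reported actions before upgrading.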

Features & Enhancements (23.12.12)

Response To re:Invent

In a rapid response to re:Invent, we have:

  • Added support for the following AWS resources:
    • Bedrock
    • Clean Rooms
    • Security Hub
    • Network Firewall
  • Added many new Insights, updating the following packs:
    • NIST SP 800-53 (Rev 5)
    • AWS Foundational Security Best Practices
    • AWS CIS 2.0

These additions are detailed in the Resources, Insights, and Query Filters sections below.

Attack Path Analysis

  • An updated Attack Path view has been released. This includes a new graph view for Attack Paths as well as the new Blast Radius capabilities. Users can access this by navigating to an attack path as normal through the table. [ENG-33785]

  • In Attack Path Analysis, the remediation information now includes a sub-header "Recommendations from Azure Defender:", under which the instructions are populated by Azure for clarification. [ENG-32054]

  • Updated the APA CSV export to re-order columns, accounting for the additional attributes included in the JSON download. [ENG-33368]

Kubernetes Auto Deployer

  • Release 23.12.12 introduces the Kubernetes Automated Agent Deployer. The Automated Deployer saves you time and effort when onboarding your new and existing Kubernetes Clusters across your AWS, Azure, and GCP environments to InsightCloudSec. It also provides for a seamless upgrade experience and an easy way to manage Cluster blacklists. Review the documentation for setup and usage details. [ENG-30169]

Other Feature Enhancements

  • Deprecated the Resources containing CVE ID filter in Layered Context, providing a new Resources containing CVE IDs filter which is similar but allows selecting multiple CVE IDs at once. Eventually the old filter will be removed, but we are leaving it in place for now so as not to break any saved filters that rely on it. Note: Anyone with a saved filter that uses the deprecated filter should switch to the new filter and resave their filters. [ENG-32519]

  • Updated the version of Alpine Linux in the EDH Worker to 3.17 (the previous version, 3.15, was EOL). [ENG-33212]

Resources (23.12.12)

AWS

  • Added harvesting for AWS Bedrock Customization Jobs into the new resource type Bedrock Jobs (Category Machine Learning & AI). New Permissions are required: "bedrock:ListModelCustomizationJobs" and "bedrock:GetModelCustomizationJob" for the commercial read-only role, and "bedrock:*" for the commercial Power user roles. [ENG-33496]

  • Added support for AWS Clean Rooms (new Resource type Collaboration, category Identity & Management). Two new Query Filters have been added: Collaboration With Query Logging Support and Collaboration With Cryptographic Computing Support. New permissions are required for commercial read-only roles: "cleanrooms:GetCollaboration", "cleanrooms:ListCollaborations", and "cleanrooms:ListMembers". [ENG-32313]

  • Added Harvester and source document harvesting for the AWS NetworkFirewall Resource (Category Network, Resource type Network Firewall). Updated the Network Firewall resource table to include two new AWS-related fields: delete_protection and subnet_change_protection. New permissions are required: "network-firewall:*" for AWS and AWS GovCloud Power user roles; "network-firewall:DescribeFirewall" and "network-firewall:ListFirewalls" for AWS and AWS GovCloud Read-only roles. [ENG-33477]

  • ICS now supports the AWS region il-central-1. This is an opt-in region and users must configure it for use on the AWS platform before harvesting will begin. In addition, the region will not be activated on ICS until the AwsRegionHarvest runs successfully and picks up the new region. This can be manually scheduled to avoid waiting for the next scheduled harvest. EDH, if required, will also need to be reconfigured for the newly supported region. [ENG-31810]

  • Extended the AWS DatabaseClusterHarvester to collect data regarding whether automatic minor version upgrades are enabled. [ENG-33413]

  • Added a new property cloudwatch_metrics_enabled to the AWS WAF resource. [ENG-33415]

GCP

  • Added harvesting of GCP Vertex Custom Jobs into the new resource type Vertex Custom Job (Category: Machine Learning & AI Resources). [ENG-33560]

Compliance Packs (23.12.12)

Rapid7 AI/ML Security Best Practices

Release 23.12.12 introduces a new Rapid7 AI/ML Security Best Practices Compliance Pack that is derived from the Open Worldwide Application Security Project's (OWASP) Top 10 Vulnerabilities for Machine Learning, the OWASP Top 10 for LLMs, and Insights checking if best practice configurations have been implemented. This pack introduces 11 controls (for more details, review the documentation):

  • Data Poisoning
  • Model Poisoning
  • Transfer Learning
  • Model Inversion
  • Model Stealing
  • Model Skewing
  • Excessive Permissions
  • Denial of Service
  • Supply Chain Compromise
  • Membership Inference
  • Output Integrity

[ENG-33736]

NIST 800-53 (Rev 5)

We expanded our coverage for the NIST 800-53 (Rev 5) compliance pack to cover the new Identification and Authentication (IA)-13 control. NIST states that organizations should "Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions." IA-13 has been divided into three supporting control enhancements:

  • IA-13 (01) - Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
  • IA-13 (02) - The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
  • IA-13 (03) - Assertions and access tokens are continuously refreshed, time-restricted, audience-restrained and revoked when necessary and after a defined period of non-use. [ENG-33461]

AWS CIS 2.0

  • Shared File System Without Encryption - Updated compliance rule associated with this Insight under CIS 2.0.0. [ENG-33460]

  • Added new Insight Cloudshell Access Unrestricted, identifying policies that grant unrestricted access to AWS CloudShell, to AWS CIS 2.0 Compliance Pack. [ENG-32162]

Insights (23.12.12)

AWS

  • AppSync GraphQL APIs should not be authenticated with API keys - New Insight identifies applications that use an API key to interact with an AWS AppSync GraphQL API. [ENG-33394]

  • Bedrock Job Has Publicly Exposed Data - New Insight identifies Bedrock Jobs with data from storage containers that are exposed to the public. This Insight supports the new AWS Bedrock Job resource type, working across AWS, AWS_CHINA, and AWS_GOV. This insight has critical severity. [ENG-33602, ENG-33596]

  • Cloud Account without Security Hub enabled - New Insight identifies Cloud accounts without Security Hub enabled. Severity level is 3. [ENG-32166]

  • CloudShell Access Unrestricted - New Insight identifies policies that grant unrestricted access to AWS CloudShell. [Hackathon PR-13204]

  • Cloud Alarm Action Disabled - New Insight identifies Cloud Alarms that don't have actions enabled. [ENG-33427]

  • Cloudshell Access Unrestricted - New Insight identifies policies that grant unrestricted access to AWS CloudShell. [ENG-32162]

  • Database Cluster without Automatic Minor Version Upgrades Enabled - New Insight identifies Database Cluster resources such as AWS RDS which are not configured to automatically upgrade between minor versions. Default severity level is 4. [ENG-33413]

  • DNS Zone Without Query Logging Enabled - New Insight identifies DNS Zones that do not have Query Logging Enabled. Default Insight severity level is 3. [ENG-33496, ENG-33414]

  • Ensure IAM instance roles are used for AWS resource access from instances - New Insight identifies instances not associated with an IAM role. [ENG-32154]

  • Network Firewall Without Delete Protection Enabled - New Insight identifies AWS Network Firewalls that do not have delete protection enabled. [ENG-33411]

  • Service Alarm Without Alarm Action - New Insight identifies service alarms that don't have a configured alarm action. [ENG-33425]

  • Web Application Firewall Rule Does Not Have CloudWatch Metrics Enabled - New Insight identifies WAF Rules/Rule Groups that do not have CloudWatch Metrics enabled. [ENG-33394, ENG-33415]

  • Web Application Firewall V2 Without ACL Logging - New Insight identifies V2 Web Application Firewalls which do not have ACL logging enabled. This new Insight conforms with new AWS Config rule 'wafv2-logging-enabled'. [ENG-33423]

AZURE

  • Identity Resources with Microsoft Storage List Keys Permission (management group) - New Insight matches Identity Resources with permissions to list keys on Microsoft Storage Account resources. [ENG-31612]

  • Identity Resources with Microsoft Storage List Keys Permission (subscription) - New Insight matches Identity Resources with permissions to list keys on Microsoft Storage Account resources. [ENG-31612]

  • Identity Resources with Microsoft Storage List Keys Permission (tenant) - New Insight matches Identity Resources with permissions to list keys on Microsoft Storage Account resources. [ENG-31612]

Query Filters (23.12.12)

AWS

  • Bedrock Job Customization Status - New Query Filter identifies jobs that have one of the supplied statuses. [Hackathon PR-13204]

  • Bedrock Job Customization Type - New Query Filter identifies jobs that match the selected customization type. [Hackathon PR-13204]

  • Bedrock Job data is Publicly Exposed - New Query Filter identifies Bedrock Jobs that send or retrieve data from publicly exposed storage containers. This QF works across AWS, AWS_CHINA, and AWS_GOV and only for the AWS Bedrock Job resource. [ENG-33596, ENG-33602]

  • Cloud Account Without Security Hub - New Query Filter identifies Cloud Accounts without Security Hub. [ENG-32166]

  • Cloud Alarm Action Enabled/Disabled - New Query Filter identifies cloud alarms which don't have actions enabled. [ENG-33427]

  • Cloud Alarm Without Matching Action - New Query Filter identifies cloud alarms that don't have an action configured for their state value. [ENG-33425]

  • CloudWatch Metrics Not Enabled - New Query Filter identifies WAF Rules/Rule Groups that do not have CloudWatch Metrics enabled. [ENG-33394, ENG-33415]

  • Collaboration With Cryptographic Computing Support - New Query Filter identifies collaborations with or without cryptographic computing support enabled. [ENG-32313]

  • Collaboration With Query Logging Support - New Query Filter identifies collaborations with or without query logging support enabled. [ENG-32313]

  • Database Cluster With/Without Auto Minor Version Upgrade - New Query Filter identifies clusters that do/do not have automatic upgrades enabled between minor versions. This Query Filter supports the expanded coverage for the NIST 800-53 (Rev 5) compliance pack. [ENG-33413]

  • DNS Zone With/Without Query Logging - New Query Filter identifies DNS Zones that don't have query logging enabled. This Query Filter supports the newly added Bedrock Job resource. [ENG-33496, ENG-33414]

  • Network Firewall without delete protection enabled - New Query Filter identifies network firewalls without delete protection enabled, i.e. firewalls that can be deleted. [ENG-33411]

Bug Fixes (23.12.12)

  • Fixed an issue with the GCE:ServiceCheckHarvest where the harvester would fail if any critical service checks were identified during harvest. [ENG-33896]

  • Addressed an issue with assessment scopes that would cause the HostAssessmentInstanceCheck background job to fail. [ENG-33173]

  • Fixed a bug where Resource Access List data was not fully captured/harvested: for Azure Security Group Rules with multiple Source/Destination Port Ranges/Networks, a separate Resource Access List Rule is now harvested for each. [ENG-32528]

  • Resolved an edge case where AWS CIS metric filters gave false positives. [ENG-32499]

  • Fixed the Insight Logic App With Invalid Diagnostic Logging Configuration (Azure) to check for invalid Diagnostic Setting category 'Function Application Logs'. [ENG-30675]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.