InsightCloudSec 23.12.5 Release Notes

Jan 25, 2023

InsightCloudSec is pleased to announce Release 23.12.5

InsightCloudSec Software Release Notice - 23.12.5 Release

Release Highlights (23.12.5)

InsightCloudSec is pleased to announce Release 23.12.5. This release adds visibility into AWS Resource Access Manager (RAM) resources, expands Attack Path Analysis coverage for Azure, and extends AWS Attack Path Analysis to ECS.

In addition, 23.12.5 includes one updated Insight, two new Insights, one updated Query Filter, five new Query Filters, one updated Bot action, one new Bot action, 12 bug fixes, and several vulnerability fixes.

Self-Hosted Deployment Updates (23.12.5)

Release availability for self-hosted customers is Thursday, December 7, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 23.12.5
  3. 23.12.5.e1e31bafd

New Permissions Required (23.12.5)

Note: Additional permissions references can be found at the end of the release notes under “Required Policies & Permissions”.

⚠️ New Permissions: AWS

For AWS Commercial and GovCloud Standard (Read-Only) Users:

  • “ram:GetResourceShares”,

  • “ram:ListResources”

For AWS Commercial and GovCloud Power Users:

  • “ram:*”

These permissions support the newly added AWS Resource Access Manager (RAM) resources [ENG-21134].

Note: We recommend our AWS commercial (non-GovCloud) Standard (Read-Only) Users employ AWS’ managed read-only policy, supplemented by a small additional InsightCloudSec policy. The benefit of using the AWS managed policy lies in AWS’ continuously updating the policy for new services, making it easier for the customer to harvest new resources and properties without changing harvesting policies. Details on this recommendation can be found at AWS IAM Policies Standard User (Read-Only) AWS-managed supplemental policy.
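Before rolling a new harvesting policy out, it is worth confirming that it actually grants the actions listed above. The following Python check is an added example for these notes, not InsightCloudSec tooling or the vendor's published policy text: SUPPLEMENTAL_POLICY is an assumed, minimal supplemental statement written for this example, and the check evaluates only Effect/Action (IAM wildcard matching and explicit-Deny precedence), ignoring Resource, Condition and NotAction.

```python
"""Verify that a harvesting IAM policy grants the RAM actions 23.12.5 requires.

Added example for this page; not InsightCloudSec code. Only the Effect/Action
parts of a policy are evaluated: Resource, Condition and NotAction are ignored.
"""
import fnmatch

# Actions this release adds for Standard (Read-Only) users.
REQUIRED_RAM_ACTIONS = ("ram:GetResourceShares", "ram:ListResources")

# Assumed minimal supplemental policy for this example (not the vendor's published text).
SUPPLEMENTAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InsightCloudSecRamReadOnly",
            "Effect": "Allow",
            "Action": ["ram:GetResourceShares", "ram:ListResources"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_is_granted(policy, action):
    """True if an Allow statement matches `action` and no Deny statement does.

    An explicit Deny always wins, mirroring IAM policy evaluation.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def missing_actions(policy, required=REQUIRED_RAM_ACTIONS):
    """Return the required actions the policy does not grant, in input order."""
    return [a for a in required if not action_is_granted(policy, a)]


if __name__ == "__main__":
    gaps = missing_actions(SUPPLEMENTAL_POLICY)
    print("policy covers RAM harvesting" if not gaps else f"missing: {gaps}")
```

Run the same check against the AWS-managed read-only policy document (fetched with `aws iam get-policy-version`) to see which of the required actions the managed policy already covers and which the supplemental policy still has to supply.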

⚠️ New Permissions: Azure

For Azure GovCloud Power User Role:

  • “Microsoft.Kusto/*”

These permissions allow for automated Azure LPA deployment. [ENG-33444]

Features & Enhancements (23.12.5)

  • Introduced a new asynchronous download endpoint (POST /v3/public/resources/related/export) that retrieves all combinations of related resources under a given Cloud Account or Organization. [ENG-28114]

  • Pod annotations are now available in the Pod Details view. [ENG-25338]

ATTACK PATH ANALYSIS

  • AWS Attack Path Analysis now considers ECS as well as EC2. [ENG-32200]

  • Added new Azure attack paths:

    • “Publicly Exposed Compute Instance with access to Event Grid System Topics.” [ENG-30838]
    • “Publicly Exposed Compute Instance with access to Event Grid System Topics via Message Queue.” [ENG-33486]

  • Renamed the existing Azure attack path “Publicly Exposed Compute Instance with access to Event Grid System Topics” to “Publicly Exposed Compute Instance with access to Event Grid System Topics via Storage Queue.” [ENG-33486]

Resources (23.12.5)

AWS

  • Added visibility into AWS Resource Access Manager (RAM) resources. They appear in the tool as two new resource types, Resource Share and Resource Share Resource, both under the Identity and Management resource category. Two new Query Filters support these resources. New permissions are required for the AWS Commercial and GovCloud Standard (Read-Only) user policies: “ram:GetResourceShares” and “ram:ListResources”. AWS Commercial and GovCloud Power Users will need “ram:*”. [ENG-21134]

  • Added a Subnet as a related resource of AWS ECS Container resource. [ENG-32640]

  • Added direct link for Big Data Workspace resource. [ENG-32253]

AZURE

  • Added full Kusto permissions (“Microsoft.Kusto/*”) to the Azure GovCloud Power User role so that it can automatically install Azure LPA. These permissions were added in an earlier release for the Azure Commercial Power User role. [ENG-33444]

Insights (23.12.5)

AWS

  • Serverless Function Configured with Deprecated Runtime - Updated the Insight for AWS Lambda (Serverless Function) to report the python3.7, nodejs14.x, and ruby2.7 runtimes as deprecated (deprecated on 27 November 2023, 27 November 2023, and 7 December 2023, respectively). [ENG-33537]

GCP

  • Added two Insights for GCP App Engine support:

    • App Engine Version using Legacy Runtime - Identifies Versions within an App Engine Service that are using a legacy runtime.

    • App Engine Service with Public Accessibility - Identifies App Engine Services whose ingress settings allow all traffic.

    [ENG-31807]

Query Filters (23.12.5)

AWS

  • New Query Filters supporting visibility into AWS Resource Access Manager (RAM):

    • Resource Share With/Without External Principal Allowed - Identifies resource shares that allow external principals. Optionally, identifies resource shares that do not allow external principals.

    • Resource Share Owner Account - Identifies resource shares based on owner account.

    [ENG-21134]

AZURE

  • Cloud User is Not Disabled - New Query Filter identifies cloud users that are not disabled. [ENG-32009]

GCP

  • Added two Query Filters for GCP App Engine support:

    • App Engine Service Version with Legacy Runtime - Returns App Engine Service Versions that are using runtimes considered legacy by Google.

    • App Engine Service By Ingress Settings - Returns App Engine Services by their selected ingress setting, e.g., all traffic, private and VPC, private only, and unspecified.

    [ENG-31807]

MULTI-CLOUD/GENERAL

  • Resource Vulnerability Count By Severity - Modified Query Filter to add a field that enables searching for resources without vulnerabilities. [ENG-32760]

Bot Actions (23.12.5)

AWS

  • “Cleanup Unknown/Untrusted Third Party Access From Resource Access Policy” action now supports SSM Documents. The action will remove any unknown accounts from the SSM Document sharing permissions and leave any known ones. [ENG-31581]

AZURE

  • “Disable Open AI (Cognitive Services) Public Network Access” - New action for the OpenAI resource that disables public network access on an Azure OpenAI (Cognitive Services) resource. [ENG-31413]

Bug Fixes (23.12.5)

  • Resolved package security vulnerabilities in accordance with our vulnerability resolution policy. [ENG-32638, ENG-33021, ENG-33269]

  • Fixed a bug with “Add to Data Collection” action. [ENG-33355]

  • Fixed the Remote Kubernetes harvester not populating the creation_timestamp field; added Creation Timestamp property to Kubernetes and ECS Container Resources. [ENG-33140]

  • Corrected the description for Insight Task Definition Running Containers without Read Only Filesystem. [ENG-32958]

  • Fixed a bug with the MapReduce Cluster deletion action for regions outside of us-east-1. [ENG-32890]

  • Fixed an issue with Insight Storage Container Exposed to the Public via ACL; updated the Insight to use Query Filter Storage Container Public Access Via Legacy Access Control List to consider public access block settings only if a bucket has public ACL grants. [ENG-32725]

  • Fixed Message Queue Exposing Permissions To Public Query Filter to filter resources with more than one principal in Access Policy. [ENG-32481]

  • Fixed a bug with Layered Context where resources would not be updated from public to not-public despite the configuration changing to make the resource non-public. [ENG-32380]

  • Fixed a bug where domain admins with multiple API keys were duplicated in the UI for the Identity Management Settings page. [ENG-31882]

  • Fixed a bug in Organization onboarding that allowed configuration with empty fields; updated the role-assuming logic. [ENG-31651]

  • Fixed an issue when filtering Route53 HostedZone. [ENG-31091]

  • Fixed an issue where Azure subnets weren’t picked up by Event-Driven Harvesting (EDH). [ENG-25342]

  • Fixed an issue where ContainerSpecs records were improperly removed from the database when their associated cloud account was removed. [ENG-21200]
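The fix to Storage Container Exposed to the Public via ACL above encodes an evaluation order that is easy to get wrong: Block Public Access settings only matter once a bucket actually has a public ACL grant, and of those settings only IgnorePublicAcls neutralises an existing grant (BlockPublicAcls merely stops new public ACLs from being set). The Python below is an added example for these notes, not InsightCloudSec's Insight or Query Filter logic; its inputs are constructed to match the shape of boto3 `get_bucket_acl` and `get_public_access_block` responses (the account-level S3 Control response has the same `PublicAccessBlockConfiguration` body), and the helper `pab` and the sample ACLs are assumptions for the example.

```python
"""Decide whether an S3 bucket is publicly exposed via its legacy ACL.

Added example for this page; not InsightCloudSec code. Inputs are constructed to
match boto3 `get_bucket_acl` and `get_public_access_block` response shapes.
"""
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Grants in a get_bucket_acl response that target AllUsers or AuthenticatedUsers."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append(g)
    return grants


def effective_pab(bucket_pab=None, account_pab=None):
    """Bucket-level and account-level Block Public Access flags are OR-ed together.

    A missing configuration (NoSuchPublicAccessBlockConfiguration) counts as all False.
    """
    return {
        flag: any((cfg or {}).get("PublicAccessBlockConfiguration", {}).get(flag, False)
                  for cfg in (bucket_pab, account_pab))
        for flag in PAB_FLAGS
    }


def exposed_via_acl(acl, bucket_pab=None, account_pab=None):
    """Public via legacy ACL only if a public grant exists AND it is not ignored.

    With no public grant the BPA settings are irrelevant to this check. With one,
    BlockPublicAcls alone does not help: it only blocks *new* public ACLs, while
    an existing public grant keeps working until IgnorePublicAcls is set.
    """
    if not public_acl_grants(acl):
        return False
    return not effective_pab(bucket_pab, account_pab)["IgnorePublicAcls"]


# Constructed sample inputs (owner ID and bucket contents are invented).
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
PUBLIC_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}


def pab(**flags):
    """Build a PublicAccessBlockConfiguration with the given flags set, rest False."""
    return {"PublicAccessBlockConfiguration": {f: bool(flags.get(f, False)) for f in PAB_FLAGS}}


if __name__ == "__main__":
    print("public grant, no BPA      ->", exposed_via_acl(PUBLIC_READ_ACL))
    print("public grant, BlockPublicAcls ->", exposed_via_acl(PUBLIC_READ_ACL, pab(BlockPublicAcls=True)))
    print("public grant, IgnorePublicAcls ->", exposed_via_acl(PUBLIC_READ_ACL, pab(IgnorePublicAcls=True)))
```

Note that this check covers the ACL path only; a bucket can still be public through its bucket policy, which is governed by BlockPublicPolicy and RestrictPublicBuckets rather than the ACL flags.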

Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.