InsightCloudSec Software Release Notice - 24.1.9 Release

Release Highlights (24.1.9)

InsightCloudSec is pleased to announce Release 24.1.9. This release includes significant user experience and performance improvements to the Vulnerabilities feature, a new AWS resource, a new OCI resource, and improved Guardrails debugging.

In addition, 24.1.9 includes an updated Rapid7 ML & AI Security Best Practices compliance pack, six new Insights, one updated Query Filter, five new Query Filters, one new Bot action, 15 bug fixes, and a number of vulnerability fixes.

• Contact us through the unified Customer Support Portal  with any questions.

New Permissions Required (23.12.12)

Note: Additional permission references can be found at the end of the release notes under “Required Policies & Permissions”.

Features & Enhancements (24.1.9)

• The Vulnerabilities feature has received significant user experience and performance improvements, including:
  • We are in the process of re-imagining the dashboard experience at the top of the page, so the charts have been removed for now, which provides performance improvements.
  • We have reorganized the tabs to display vulnerabilities by default to reflect the priority of the feature.
  • The Filtering experience has been overhauled to be exclusive to each tab instead of global to the feature; your filters will be saved while navigating between tabs.
  • The Action menus have been updated for better and more useful options.
  • Columns have been updated to provide the best value to users [ENG-33090]
• Column sortability has been improved and most columns are now sortable
  • Various bug fixes, database schema improvements, and performance improvements
• Updated EDH Events view in the UI.
• Added container digest metadata to the Image ID column of the Vulnerability -> Resources page. [ENG-34150]
• Improved Guardrails investigations in production with a new modified Kubernetes log level. This can be set by adding “—set Config.LogLevel=debug” to the helm command or by setting LOG_LEVEL=debug on the batch.job itself. Default log level is INFO. [ENG-33754]

Resources (24.1.9)

AWS

• Added visibility and harvesting for AWS Glue Connection (new Resource type ETL Connection, category Storage). A new permission, “glue:GetConnections” is required for AWS commercial and GovCloud Read-Only policies. [ENG-33160]
• Added coverage for new type of RDS engine - IBM Db2. [ENG-33558]
• Added Insight checking if AWS ECS Task definition does not pass any secrets in container definition. [ENG-31812]

GCP

• Added GCP Source Document support for GCP Identity Provider. [ENG-28631]

• Added IaC support for App Engine (GCP). [ENG-21739]

OCI

• Added coverage for SSH Key Pair resource (SSH Key Pair Resource type, Identity & Management category) for Oracle Cloud Provider (OCI). This resource does not require any new permissions. [ENG-33014]

GCP

• Added harvesting of GCP Vertex Custom Jobs into the new resource type Vertex Custom Job (Category: Machine Learning & AI Resources). [ENG-33560]

Insights (24.1.9)

AWS

• Added the Insight Bedrock Job Has Publicly Exposed Data to the Rapid7 AI/ML Security Best Practices compliance pack under the following controls:

  • Data Poisoning
  • Model Inversion
  • Model Stealing
  • Transfer Learning [ENG-34046]

• Cloud Account Is Not Part Of An Organization Managed Through AWS Organizations - New Insight checks if an AWS account is not part of an organization managed through AWS Organizations. [ENG-33424]

• CloudWatch Log Groups Retained For A Specific Time Period - New Insight identifies CloudWatch log group with a retention period of less than 365 days. [ENG-33426]

• Web Application Firewall Classic Global Without Rules or Rule Groups - New Insight identifies Classic Global Web Application Firewalls which do not have any associated rules or rule groups. [ENG-33418]

• Web Application Firewall Classic Regional Without Rules or Rule Groups - New Insight identifies Classic Regional Web Application Firewalls which do not have any associated rules or rule groups. [ENG-33418]

• Web Application Firewall v2 Without Rules or Rule Groups - New Insight identifies Classic v2 Web Application Firewalls that do not have any associated rules or rule groups. [ENG-33418]

GCP

• Access Approval Disabled - New Insight ensures Access Approval is enabled. This new Insight supports CIS 2.15. [ENG-32585]

MULTI-CLOUD/GENERAL

• Resource does not Support TLS 1.2 - Updated Insight to support the Storage Container resource type. [ENG-30513]

Query Filters (24.1.9)

AWS

• Cloud Account Is Part Of An Organization Managed Through AWS Organizations - New Query Filter checks if an AWS account is part of an organization managed through AWS Organizations. [ENG-33424]
• Web Application Firewall Rule Group Count - New Query Filter identifies web application firewalls based on the number of rule groups present. [ENG-33418]

AZURE

• Automation Account Without Log Analytics Workspace - New Query Filter matches automation accounts that don’t have a log analytics workspace.[ENG-32883]

GCP

• Cloud Account Access Approval Disabled - New Query Filter identifies GCP projects that do not have Access Approval service enabled. [ENG-32585]

MULTI-CLOUD/GENERAL

• Resource Does Not Support TLS 1.2 Minimum - Updated Query Filter to support new resource type Storage Container. [ENG-30513]
• Storage Container Minimal TLS Version - New Query Filter identifies storage containers based on the minimal TLS version. [ENG-30513]

Bot Actions (24.1.9)

MULTI-CLOUD/GENERAL

• Added Bot action “Create DNS Record” to “DNS Zone” resource. Added Delete action for “DNS Record” resource. Both actions support AWS and Azure. [ENG-23726]

Bug Fixes (24.1.9)

• Resolved package security vulnerabilities in accordance with our vulnerability resolution policy. [ENG-34087, ENG-34100]

• Fixed an issue for the Layered Context Clouds tab filtering when clicking a Public Access symbol or Insight Summary Severity number. [ENG-34005]

• Fixed an edge case where requests for creating existing auto-provisioned EventBridge EDH queues were attempted. [ENG-33909]

• Fixed a bug with Container Services that were not associating with their parent Container Cluster. Container Services will now be harvested under the ContainerClusterHarvester to ensure this relationship is always present. ContainerServiceHarvester no longer exists within the product due to this amalgamation. [ENG-33561]

• Fixed an issue where a malformed IP address would cause the Storage Account harvester to crash. [ENG-33508]

• Fixed an issue where GCP API Access Keys with no principal wouldn’t have a direct link in the resources page and also would cause bots to fail when sending Splunk events. [ENG-33229]

• Fixed a bug on the EDH page where filtering by badges would ignore the filter if there were no matches for the selected badges. [ENG-33051]

• Fixed an issue involving incorrect flagging for three Insights; added a mechanism to indicate trusted accounts for role Insights. [ENG-32643]

• Fixed incorrect state column data in Resource type Public IP CSV export to match UI. [ENG-31890]

• Updated description of Insight Database Instance with Access List Attached Exposed to the Public to better reflect usage. [ENG-31792]

• Fixed bug where large numbers could not be stored in the limit column for the table ServiceLimits. [ENG-31764]

• Fixed an issue where the Query Filter Cloud Group With Administrative Access To Tenancy was returning all cloud groups when it should have returned none. [ENG-31360]

• Fixed a bug with the Bot action “Remove Access List From Dependencies”. [ENG-28180]

• Fixed an issue where updates to the KMS encryption key in auto-provisioned EDH queues were not propagated. [ENG-28005]

• Fixed an issue in the SSH Keypair Orphaned Query Filter that was causing it to return false positives. [ENG-27743]