
Jan 16, 2024

InsightCloudSec Software Release Notice - 24.1.16 Release

Release Highlights (24.1.16)

InsightCloudSec is pleased to announce Release 24.1.16. This release includes AWS EKS support for the Cloud Machine Learning Anomaly Detection feature, a new Canadian Centre for Cyber Security (CCCS) Compliance Pack, and two new AWS resources. We have also updated our list of high-risk ports to include TCP 5900 and UDP 137/138. In addition, 24.1.16 includes seven new Insights, seven new Query Filters, seven bug fixes, and vulnerability fixes.

Self-Hosted Deployment Updates (24.1.16)

Release availability for self-hosted customers is Thursday, January 18, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.

Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command.

The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 24.1.16
  3. 24.1.16.67632adbc

ECR Build ID: 67632adbce22b25e34660a23aac2cc29fd35237f

New Permissions Required (24.1.16)

Note: Additional permission references can be found at the end of the release notes under “Required Policies & Permissions”.

New Permissions: AWS

For AWS Commercial and GovCloud Standard (Read-Only) and Power Users:

  • “controltower:GetEnabledControl”
  • “controltower:ListEnabledControls”
  • “controltower:GetLandingZone”
  • “controltower:GetLandingZoneDriftStatus”
  • “controltower:GetLandingZoneStatus”
  • “controltower:ListLandingZones”

These permissions support the newly added AWS Control Tower Controls and Control Tower Landing Zones resources. [ENG-33533]

Features & Enhancements (24.1.16)

  • Cloud Machine Learning Anomaly Detection now supports monitoring AWS managed Elastic Kubernetes Service (EKS) clusters. As you onboard AWS accounts, your EKS clusters will be available for monitoring. InsightCloudSec provides a CFT for an easy configuration experience. Review the Cloud Anomaly Detection page in the documentation for details.

  • Updated our list of high-risk ports to include TCP 5900 and UDP 137/138. Updated the two Insights that check high-risk ports to reflect these changes:

    • Access List Exposes High Risk Port to the Public: updated to include TCP 5900 (used by VNC for remote desktop access)

    • Access List Exposes High Risk UDP Ports to the Public: updated to include UDP 137 and 138 (used by NetBIOS Name and Lookup services; enabling NetBIOS services provides access to shared resources like files and printers not only to the computers on your network but also to anyone across the Internet) [ENG-21891]

  • Made performance improvements to the Resource tab accessed from the Packages blade within the Vulnerabilities feature. [ENG-34241]
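
The high-risk port update above can be reproduced as a local check. The following is an added example, not InsightCloudSec's own logic: it flags ingress rules that open TCP 5900 or UDP 137/138 to 0.0.0.0/0 or ::/0, including rules that only cover those ports through a range or an all-protocols entry. The rule dictionary shape, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# High-risk ports named in this release note (only these three; the product's
# full list is not reproduced on the page).
HIGH_RISK = {"tcp": {5900}, "udp": {137, 138}}
PUBLIC = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def exposed_high_risk_ports(rule):
    """Return sorted (protocol, port) pairs one ingress rule opens to the public.

    `rule` is a constructed, security-group-like dict (assumed shape):
    {"protocol": "tcp"|"udp"|"-1", "from_port": int, "to_port": int, "cidrs": [str]}
    """
    nets = {ipaddress.ip_network(c, strict=False) for c in rule["cidrs"]}
    if not nets & PUBLIC:
        return []
    # "-1" means all protocols and all ports, as in AWS security group rules.
    if rule["protocol"] == "-1":
        protos, lo, hi = HIGH_RISK.keys(), 0, 65535
    else:
        protos, lo, hi = [rule["protocol"]], rule["from_port"], rule["to_port"]
    return sorted(
        (p, port)
        for p in protos
        for port in HIGH_RISK.get(p, ())
        if lo <= port <= hi
    )


def audit(rules):
    """Map rule id -> exposed high-risk ports, omitting clean rules."""
    findings = {r["id"]: exposed_high_risk_ports(r) for r in rules}
    return {rid: ports for rid, ports in findings.items() if ports}


# Constructed sample rules, not taken from any real account.
SAMPLE_RULES = [
    {"id": "sg-vnc", "protocol": "tcp", "from_port": 5900, "to_port": 5901, "cidrs": ["0.0.0.0/0"]},
    {"id": "sg-range", "protocol": "udp", "from_port": 100, "to_port": 200, "cidrs": ["::/0"]},
    {"id": "sg-all", "protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["0.0.0.0/0"]},
    {"id": "sg-internal", "protocol": "tcp", "from_port": 5900, "to_port": 5900, "cidrs": ["10.0.0.0/8"]},
    {"id": "sg-udp-5900", "protocol": "udp", "from_port": 5900, "to_port": 5900, "cidrs": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for rid, ports in audit(SAMPLE_RULES).items():
        print(rid, ports)
```

The check treats only the exact any-address CIDRs as public; wide but not universal ranges such as a /1 would need a separate threshold.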

Resources (24.1.16)

AWS

  • Added visibility and harvesting for AWS Control Tower Controls (new Resource type Control Tower Control, category Identity & Management) and Control Tower Landing Zones (new Resource type Control Tower Landing Zone, category Identity & Management). Several new permissions are required for AWS commercial and GovCloud Read-Only & Power User policies. [ENG-33533]
  • IAM Policy Version resources are now embedded in their related IAM Policy (Customer Managed) source document instead of being standalone. Note that IAM Policy (Customer Managed) resources are Event Driven Harvested only, so their source documents will not be visible via the UI. [ENG-30522]

GCP

  • Added GCP Source Document support for Google Map Reduce Cluster resource. [ENG-28608]

  • Added additional context details to the source documents tab for many GCP resources. [ENG-31641]

  • Added IaC support for App Engine (GCP). [ENG-21739]

Compliance Packs (24.1.16)

Canadian Centre for Cyber Security (CCCS) Compliance Pack

The Canadian Centre for Cyber Security (CCCS) is Canada’s cybersecurity authority, guiding and supporting the government, industry, and public. The Medium Cloud Control Profile, introduced in May 2020, replaces previous standards, ensuring medium-level security for organizations using public cloud services. This defense mechanism prevents unauthorized access or loss of critical information, addressing risks like financial impact and privacy violations. The CCCS compliance pack includes 533 insights, covering 79 controls and 104 resource types, enhancing security across all of our supported cloud providers. Review the Compliance Pack documentation for additional details.

Insights (24.1.16)

AWS

  • Classic Global Web Application Firewall Has Rule Group Without Any Rules - New Insight identifies Classic Regional Web Application Firewalls which have rule groups without any rules in them. [ENG-33420]

  • Classic Global Web Application Firewall Has Rules Without Any Conditions - New Insight identifies Classic Regional Web Application Firewalls which have rules that have no conditions. [ENG-33419]

  • Control Tower Control has failed deployment - New Insight identifies Control Tower Controls that have a deployment status of “failed”. [ENG-33659]

  • Control Tower Landing Zone has failed deployment - New Insight identifies Control Tower Landing Zones that have a deployment status of “failed”. [ENG-33657]

  • Control Tower Control with Drift Status of Drifted - New Insight identifies whether an account managed by Control Tower Enabled Control has a status of “drifted”. [ENG-33658]

  • Control Tower Landing Zone with Drift Status of Drifted - New Insight identifies whether an account managed by Control Tower Enabled Control has a status of “drifted”. [ENG-33656]

  • Storage Container without Macie Enabled - New Insight identifies Storage Containers that are in a cloud account and region that does not have Macie enabled. [ENG-30541]

Query Filters (24.1.16)

AWS

  • Classic Global Web Application Firewall Has Rule Group With No Rules - New Query Filter identifies web application firewalls that have a rule group with no rules. [ENG-33420]

  • Classic Global Web Application Firewall Has Rule With No Condition - New Query Filter identifies web application firewalls that have rules with no conditions. [ENG-33419]

  • Control Tower Control by Deployment Status - New Query Filter identifies Control Tower Controls based on their deployment status. [ENG-33659]

  • Control Tower Landing Zone by deployment status - New Query Filter identifies Control Tower Landing Zones based on their deployment status. [ENG-33657]

  • Control Tower Control by Drift Status - New Query Filter identifies Control Tower Enabled Controls by Drift Status. [ENG-33658]

  • Control Tower Landing Zone by Drift Status - New Query Filter identifies whether a landing zone status is flagged as Drifted. [ENG-33656]

  • Resources In Cloud Without Macie Enabled - New Query Filter identifies AWS resources within accounts without Macie enabled. [ENG-30541]

Bug Fixes (24.1.16)

  • Resolved package security vulnerabilities in accordance with our vulnerability resolution policy. [ENG-34204, ENG-34130, ENG-34007, ENG-34087]

  • Fixed an edge case where the table for the packages tab of the vulnerabilities section did not properly sort. [ENG-34341]

  • Fixed an edge case where account status was not cleared when there are no longer any EDH consumers. [ENG-33910]

  • Fixed an issue with Insight Database Instance without Log Auditing Enabled (MySQL) that was returning false positives. [ENG-33750]

  • Fixed Service Control Policy (AWS) issues; added a relationship between a ServiceControlPolicy and the accounts they target. [ENG-30853]

  • Fixed an issue with Query Filter Distributed Table without Managed Identity (Azure) returning false positives. [ENG-29608]

  • Fixed a bug involving IaC and Public EC2 instances; added support for RouteTables in IaC scans. [ENG-29397]

  • Removed the Tags tab from the API Access Key resource blade as users cannot create tags for API Access Keys. [ENG-27313]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.