InsightCloudSec 24.1.23 Release Notes

Jan 23, 2024

InsightCloudSec is pleased to announce Release 24.1.23

InsightCloudSec Software Release Notice - 24.1.23 Release

Release Highlights (24.1.23)

InsightCloudSec is pleased to announce Release 24.1.23. This release includes a significant update to the default Attack Path table view to better allow customers to understand the types and number of attack paths targeting their resources. In addition, we have added harvesting support for AWS Systems Manager Associations (SSM Associations). Release 24.1.23 includes three updated Insights, four new Insights, three updated Query Filters, five new Query Filters, one updated Bot action, nine bug fixes, and a vulnerability fix.

Self-Hosted Deployment Updates (24.1.23)

Release availability for self-hosted customers is Thursday, January 25, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 24.1.23
  3. 24.1.23.72d9ad11d

ECR Build ID: 72d9ad11deb1f0d00706f9ddc48f16076dfeb875

New Permissions Required (24.1.23)

Note: Additional permission references can be found at the end of the release notes under “Required Policies & Permissions”.

New Permissions: AWS

For AWS Commercial (Read-Only) Users:

  • “shield:DescribeAttack”

For AWS Commercial and GovCloud Standard (Read-Only) Users:

  • “ssm:DescribeAssociation”
  • “ssm:ListAssociations”

These permissions support the newly added AWS SSM Association resource type and the DDoS Protection Harvester. [ENG-32010, ENG-34658]

Features & Enhancements (24.1.23)

  • The default Attack Path table view has been updated to group attack paths with the same attack path type, source, and destination together. This new organization means that customers can understand the types and number of attack paths targeting their resources for prioritization. [ENG-34467]

  • Added “Actively Exploited” and “Has Exploits” Advanced Filters on Vulnerabilities tab. [ENG-34456]

Resources (24.1.23)

AWS

  • Added harvesting for AWS Systems Manager Associations (SSM Associations) into the new resource type SSM Association, Compute category. New permissions, “ssm:DescribeAssociation” and “ssm:ListAssociations”, are required for this resource type in the AWS Commercial and AWS GovCloud read-only roles. [ENG-32010]
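Before upgrading, a practitioner will want to confirm that the read-only role in each AWS account actually grants the actions listed under “New Permissions: AWS” and in the SSM Association entry above. The following is an added example for these release notes, not InsightCloudSec's own code: it takes a parsed IAM policy document and reports which of the newly required actions it does not effectively allow, handling the string-or-list forms of Action, IAM's case-insensitive wildcard matching, NotAction, and explicit Deny (which wins over Allow in IAM). Resource scoping and Condition blocks are deliberately ignored, so a clean result means only that the action names are permitted. The sample policy is constructed for illustration; the required action names are the ones the release notes list.

```python
"""Check whether an IAM policy document grants the read-only actions that
InsightCloudSec 24.1.23 newly requires.

Added example, not InsightCloudSec code. Conditions and Resource scoping are
ignored: the check answers only "is this action name allowed by some Allow
statement and not matched by any Deny statement?".
"""
import fnmatch
import json

# Required actions per partition, as listed in the release notes:
# shield:DescribeAttack is Commercial-only; the two SSM actions apply to
# both Commercial and GovCloud read-only roles.
REQUIRED_ACTIONS = {
    "aws": ["shield:DescribeAttack", "ssm:DescribeAssociation", "ssm:ListAssociations"],
    "aws-us-gov": ["ssm:DescribeAssociation", "ssm:ListAssociations"],
}


def _as_list(value):
    """IAM allows Statement, Action and NotAction to be a string, a list, or absent."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction clause applies to `action`."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def missing_actions(policy, partition="aws"):
    """Return the required actions (in release-note order) that `policy` does
    not effectively allow for the given partition.

    An action counts as allowed when at least one Effect=Allow statement covers
    it and no Effect=Deny statement covers it.
    """
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED_ACTIONS[partition]:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action)
                     for s in statements)
        if not allowed or denied:
            missing.append(action)
    return missing


# Constructed sample: a read-only policy written before this release. It grants
# ssm:Describe* (which covers ssm:DescribeAssociation) but not
# ssm:ListAssociations, and nothing from Shield.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:Describe*", "ec2:Describe*"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for partition in REQUIRED_ACTIONS:
        print(partition, "missing:", missing_actions(SAMPLE_POLICY, partition))
```

Run it against the JSON returned by `aws iam get-policy-version` for each policy attached to the harvesting role; a non-empty list for the partition you operate in means the role needs updating before the new harvesters will succeed.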

GCP

  • Renamed GCP resource from “Instance” to “Compute Engine”. This resource is still found under the Compute category, Resource Type “Instance”. [ENG-34521]

Insights (24.1.23)

AWS

  • Bedrock Job Not Within VPC - New Insight identifies Bedrock Jobs not within VPC. This insight has also been added to the Rapid7 AI/ML Security Best Practices Compliance pack. [ENG-33597, ENG-33603]

  • Bedrock Linked to Bucket Without VPC Restricted Access - New Insight identifies Bedrock Jobs that pull data from or push data to an S3 bucket that doesn’t restrict access to only a VPC. New Query Filter Bedrock Job Data S3 Bucket Not Restricted To VPC supports this new Insight. [ENG-33598]

  • Content Delivery Network Without Origin Access Identity - Updated Insight to extend resource support to include Storage Containers. This allows us to take automated action on storage containers used as CDN origins that should have an OAI but don’t. A similar update was made to Query Filter Content Delivery Network Without Origin Access Identity. [ENG-30543]

  • GraphAPI with Field-Level Logging Disabled - New Insight identifies GraphAPIs that have field-level logging disabled. To support this new Insight, we modified the Query Filter Graph API Logging Configuration (AWS) to return GraphAPIs with field-level logging set to None. [ENG-33395]

  • Lambda Runtime Scheduled for Deprecation - Insight renamed from Lambda Python 3.7 Runtime Deprecation Imminent and updated from identifying Lambdas with a Python 3.7 runtime to identifying any Lambdas using a runtime that is scheduled for deprecation (planned within the next 12 months). Query Filter “Serverless Function By Runtime Language” was updated with multiple new runtimes to support this updated Insight. [ENG-33376]

  • Storage Container Missing Alarm For Storage Container Policy Changes - New Insight identifies storage containers associated with cloud accounts without an alarm for storage container IAM policy changes. A new Query Filter Storage Container Missing Alarm For Storage Container Policy Changes supports this new Insight. [ENG-30528]

  • Traffic Mirror Originates From Unknown Account - Renamed Insight from Traffic Mirror Linked To Unknown Account to better reflect usage. Definition updated to clarify that Insight identifies traffic mirror target resources that have been shared from unknown accounts. [ENG-27997]

Query Filters (24.1.23)

AWS

  • Bedrock Job Data S3 Bucket Not Restricted To VPC - New Query Filter identifies Bedrock Jobs that store training/validation/output data in an S3 bucket that is not restricted to VPC access. Query Filter supports new Insight Bedrock Linked to Bucket Without VPC Restricted Access. [ENG-33598]

  • Bedrock Job Within VPC - New Query Filter identifies Bedrock Jobs within VPC. [ENG-33597]

  • Content Delivery Network Without Origin Access Identity - Updated Query Filter to extend resource support to include Storage Containers. This allows us to take automated action on storage containers used as CDN origins that should have an OAI but don’t. A similar update was made to Insight Content Delivery Network Without Origin Access Identity. [ENG-30543]

  • Graph API Logging Configuration (AWS) - Modified Query Filter to return GraphAPIs with field-level logging set to None. Added GraphAPI with Field-Level Logging Disabled Insight. [ENG-33395]

  • Individual Resources Shared To/From Unknown Account - New Query Filter identifies resources that are shared to an unknown account. Optionally, identifies resources that are shared from unknown accounts. [ENG-27997]

  • Resource Shares To/From Unknown Account - New Query Filter identifies resource shares that share resources to an unknown account. Optionally, identifies resource shares that are shared from unknown accounts. [ENG-27997]

  • Serverless Function By Runtime Language - Updated Query Filter with additional runtimes. This updated Query Filter supports the updated (and renamed) Insight Lambda Runtime Scheduled for Deprecation (renamed from Lambda Python 3.7 Runtime Deprecation Imminent). [ENG-33376]

  • Storage Container Missing Alarm For Storage Container Policy Changes - New Query Filter identifies storage containers associated with cloud accounts that are missing an AWS CIS alerting policy for bucket policy changes. Query Filter supports new Insight Storage Container Missing Alarm For Storage Container Policy Changes. [ENG-30528]

Bot Actions (24.1.23)

Alibaba Cloud

  • “Disable Cloud User” - Added Alibaba Cloud to supported cloud types for this Bot action. [ENG-33570]

Bug Fixes (24.1.23)

  • Fixed a bug related to DDoSProtectionHarvester; added the missing permission “shield:DescribeAttack”. [ENG-34658]

  • Fixed a bug occurring during extraction of the minimum TLS version from the bucket policy. [ENG-34463]

  • Fixed an issue where host assessment could be processed more than once, leading to an inconsistent database state. [ENG-34135]

  • Fixed issue with Query Filter Resource Without Diagnostic Setting where serverless functions and logic apps appeared in the filtered result. These resources are no longer supported by the Query Filter. [ENG-33571]

  • Fixed a bug involving incorrect URL for scan results from IAC v3 API. [ENG-33243]

  • Fixed an issue with Basic User Roles UI. [ENG-33157]

  • Fixed an issue where editing applied Query Filters with Data Collections forced interaction with the Data Collections input before submitting. [ENG-32419]

  • Fixed an issue with the Query Filter Network Has No Instances. [ENG-31948]

  • Fixed a bug involving incorrect displays of Cloud Accounts for User Roles. [ENG-31393]

  • Resolved package security vulnerabilities in accordance with our vulnerability resolution policy. [ENG-34352]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.