24.3.5 Release Notes
InsightCloudSec Software Release Notice - 24.3.5 Release
Release Highlights (24.3.5)
InsightCloudSec is pleased to announce Release 24.3.5. This release includes the ability to export Attack Path groups as well as override HVA assessment regions and user experience improvements to resource access list rules and Compliance Scorecard exports. In addition, 24.3.5 includes one updated Insight, two new Insights, three updated Query Filters, one new Query Filter, one new Bot action, and 13 bug fixes, including one vulnerability fix.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (24.3.5)
Release availability for self-hosted customers is Thursday, March 7, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):
latest
24.3.5
24.3.5.2fc0f13a1
ECR Build ID: 2fc0f13a1af3b78bed0b66b4d01fd112ac8b588a8
Features & Enhancements (24.3.5)
Added the ability to export Attack Path groups and group contents. [ENG-35065]
Users can now specify which HVA-supported regions assessments are executed in. This setting is located on the Vulnerability Settings page under the Host Assessment tab. [ENG-31834]
Added resource access list rules to the detailed representation of resource access lists we provide via endpoints and Bot templates. [ENG-31412]
Added the ability to optionally include all resource tags when exporting a Compliance Scorecard report. [ENG-30881]
Resources (24.3.5)
AWS
- Added the following relations to the Related Resources feature under the resources detailed view:
- AWS Glue Data Catalog and AWS Glue Connection [ENG-34840]
- AWS Glue Crawler and AWS S3 Bucket [ENG-34706]
- AWS Glue Job and AWS Glue Connection [ENG-33244]
AZURE
Removed support for Azure Data Lake Storage (Gen1) as this resource type has been deprecated by Azure. [ENG-35478]
Added Source Documentation support for:
- Azure IP Group [ENG-19130]
- Azure Express Route Circuit [ENG-19121]
Insights (24.3.5)
AWS
CloudFront Not Logging
- Insight renamed from Content Delivery Network Not Logging, and the remediation steps for this Insight were updated. Cloud CDNs that have an Origin Type of Backend Bucket are no longer returned by the CloudFront Not Logging Insight. [ENG-35319]
GCP
Cloud CDN Not Logging
- New Insight identifies Cloud CDN resources that do not have logging enabled. Updates the logic for determining whether a Cloud CDN has logging enabled to now factor in the specified 'Sample Rate'. [ENG-35319]
Vertex Custom Job Without Data Access Audit Logging Enabled
- New Insight identifies Vertex jobs without data access audit logging enabled. [ENG-35368]
Query Filters (24.3.5)
GCP
Vertex AI With Audit Logging Enabled
- New Query Filter matches Vertex AI within cloud accounts with audit logging enabled. You can filter by Admin Read, Data Read, and Data Write logging (Admin Write is enabled by default and cannot be disabled). [ENG-35368]
Resource With Clear Text Secret
- Updated Query Filter to improve logic. [ENG-35414]
MULTI-CLOUD/GENERAL
- Added a setting to the following Query Filters to ignore instances with no security groups attached: [ENG-35111]
- Instance Exposing Public SSH
- Instance Exposing Public RDP
Bot Actions (24.3.5)
AWS
- “Modify Security Group Rule IP Address Range” - New Bot action modifies the IP address range of an ingress security group rule (Does not support NACLs). [ENG-31608]
Bug Fixes (24.3.5)
Resolved a CWE-438 vulnerability in the styled-components library, which relates to Undesired Behavior. [ENG-35232]
Fixed Cloud Vulnerability Assessment incorrectly attempting to pull some private images without authentication when their names started with "docker.". [ENG-35676]
Fixed a bug with the CVM advanced filter for "last assessment date". [ENG-35662]
Fixed a bug occurring when attempting to create a snapshot for an improperly provisioned harvested cloud account. This change allows for other accounts to complete rather than failing the job. [ENG-35507]
Updated logic in the Query Filter Resource With Clear Text Secret. [ENG-35414]
Fixed a bug in the IaC module's handling of database encryption for DB instances on an Aurora Cluster. [ENG-35346]
Fixed platform login issue for users who've set the "Personalized Session Timeouts" setting to "Non-Expiring". [ENG-35312]
Fixed an edge case where some attack path resources were missing a resource type label. [ENG-34917]
Fixed the assignment of the minimal TLS version for S3. [ENG-34714]
Fixed an indexing error by adding harvesting support for Developer Tier Bastion Hosts. [ENG-34053]
Fixed an issue with Azure Instances where attached Network Security Groups were not detected. [ENG-32458]
Fixed incorrect display of columns (Last Attack Start Time, Last Attack End Time, Last Attack Vectors) in DDoS Protection resource table. [ENG-32228]
Required Policies & Permissions (24.3.5)
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Read Only Policy
- Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs, there is no policy file to maintain. Refer to our list of Recommended APIs, which is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.