Mar 05, 2024

24.3.5 Release Notes

InsightCloudSec Software Release Notice - 24.3.5 Release

Release Highlights (24.3.5)

InsightCloudSec is pleased to announce Release 24.3.5. This release adds the ability to export Attack Path groups and to override HVA assessment regions, along with user experience improvements to resource access list rules and Compliance Scorecard exports. In addition, 24.3.5 includes one updated Insight, two new Insights, three updated Query Filters, one new Query Filter, one new Bot action, and 13 bug fixes, including one vulnerability fix.

Self-Hosted Deployment Updates (24.3.5)

Release availability for self-hosted customers is Thursday, March 7, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 24.3.5
  3. 24.3.5.2fc0f13a1

ECR Build ID: 2fc0f13a1af3b78bed0b66b4d01fd112ac8b588a8

Features & Enhancements (24.3.5)

  • Added the ability to export Attack Path groups and their contents. [ENG-35065]

  • Users can now specify the HVA-supported regions in which assessments are executed. This setting is located on the Vulnerability Settings page under the Host Assessment tab. [ENG-31834]

  • Added resource access list rules to the detailed representation of resource access lists we provide via endpoints and Bot templates. [ENG-31412]

  • Added the ability to optionally include all resource tags when exporting a Compliance Scorecard report. [ENG-30881]

Resources (24.3.5)

AWS

  • Added the following relations to the Related Resources feature under the resources detailed view:
    • AWS Glue Data Catalog and AWS Glue Connection [ENG-34840]
    • AWS Glue Crawler and AWS S3 Bucket [ENG-34706]
    • AWS Glue Job and AWS Glue Connection [ENG-33244]

AZURE

  • Removed support for Azure Data Lake Storage (Gen1) as this resource type has been deprecated by Azure. [ENG-35478]

  • Added Source Documentation support for:

    • Azure IP Group [ENG-19130]
    • Azure Express Route Circuit [ENG-19121]

Insights (24.3.5)

AWS

  • CloudFront Not Logging - Insight renamed from Content Delivery Network Not Logging, and its remediation steps have been updated. Cloud CDNs with an Origin Type of Backend Bucket are no longer returned by this Insight. [ENG-35319]

GCP

  • Cloud CDN Not Logging - New Insight identifies Cloud CDN resources that do not have logging enabled. The logic that determines whether a Cloud CDN has logging enabled now also takes the specified 'Sample Rate' into account. [ENG-35319]

  • Vertex Custom Job Without Data Access Audit Logging Enabled - New Insight identifies Vertex jobs without data access audit logging enabled. [ENG-35368]

Query Filters (24.3.5)

GCP

  • Vertex AI With Audit Logging Enabled - New Query Filter matches Vertex AI within cloud accounts with audit logging enabled. You can filter by Admin Read, Data Read, and Data Write logging (Admin Write is enabled by default and cannot be disabled). [ENG-35368]

  • Resource With Clear Text Secret - Updated Query Filter to improve logic. [ENG-35414]
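The Vertex AI audit logging filter above distinguishes Admin Read, Data Read and Data Write, with Admin Write always on. The following added example (not InsightCloudSec code) evaluates a GCP IAM policy's auditConfigs the same way; the policy document is a constructed sample in the shape returned by `gcloud projects get-iam-policy`, and the service name aiplatform.googleapis.com is assumed to be the one Vertex AI logs under.

```python
import json

# Data Access log types a project can toggle. ADMIN_WRITE (Admin Activity)
# is always on and never appears in auditLogConfigs, so it is not listed.
CONFIGURABLE = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
VERTEX = "aiplatform.googleapis.com"  # assumed service name for Vertex AI

# Constructed sample policy: allServices enables ADMIN_READ project-wide;
# the Vertex-specific entry adds DATA_WRITE with one exempted member.
# DATA_READ is never enabled anywhere.
SAMPLE_POLICY = json.loads("""
{"auditConfigs": [
  {"service": "allServices",
   "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
  {"service": "aiplatform.googleapis.com",
   "auditLogConfigs": [{"logType": "DATA_WRITE",
                        "exemptedMembers": ["user:exempt@example.com"]}]}
]}
""")


def enabled_log_types(policy: dict, service: str) -> dict:
    """Map each configurable log type in effect for `service` to the set of
    exempted members. The allServices entry and the service-specific entry
    are merged (union), which is how Cloud Audit Logs combines them."""
    enabled: dict = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for entry in cfg.get("auditLogConfigs", []):
            log_type = entry.get("logType")
            if log_type in CONFIGURABLE:
                members = enabled.setdefault(log_type, set())
                members.update(entry.get("exemptedMembers", []))
    return enabled


def audit_logging_status(policy: dict, service: str = VERTEX) -> dict:
    """Per-log-type view matching the filter's Admin Read / Data Read /
    Data Write toggles; ADMIN_WRITE is reported True unconditionally."""
    enabled = enabled_log_types(policy, service)
    return {"ADMIN_WRITE": True, **{lt: lt in enabled for lt in CONFIGURABLE}}


def missing_data_access_logs(policy: dict, service: str = VERTEX) -> list:
    """Log types a defender would flag as not being collected for `service`."""
    status = audit_logging_status(policy, service)
    return sorted(lt for lt in CONFIGURABLE if not status[lt])
```

Exempted members are returned alongside each log type because a log type that is "enabled" with broad exemptions still leaves gaps in coverage.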

MULTI-CLOUD/GENERAL

  • Added a setting to the following Query Filters to ignore instances with no security groups attached:
    • Instance Exposing Public SSH
    • Instance Exposing Public RDP [ENG-35111]

Bot Actions (24.3.5)

AWS

  • “Modify Security Group Rule IP Address Range” - New Bot action modifies the IP address range of an ingress security group rule (Does not support NACLs). [ENG-31608]

Bug Fixes (24.3.5)

  • Resolved a CWE-438 (Undesired Behavior) vulnerability in the styled-components library. [ENG-35232]

  • Fixed an issue where Cloud Vulnerability Assessment incorrectly attempted to pull some private images without authentication when their names started with docker\.. [ENG-35676]

  • Fixed a bug with CVM advanced filter for "last assessment date". [ENG-35662]

  • Fixed a bug occurring when attempting to create a snapshot for an improperly provisioned harvested cloud account. This change allows for other accounts to complete rather than failing the job. [ENG-35507]

  • Updated logic in Query Filter Resource With Clear Text Secret. [ENG-35414]

  • Fixed a bug in the IaC module's handling of database encryption for DB instances in an Aurora Cluster. [ENG-35346]

  • Fixed platform login issue for users who've set the "Personalized Session Timeouts" setting to "Non-Expiring". [ENG-35312]

  • Fixed an edge case where some attack path resources were missing a resource type label. [ENG-34917]

  • Fixed the assignment of the minimal TLS version for S3. [ENG-34714]

  • Fixed an indexing error by adding harvesting support for Developer Tier Bastion Hosts. [ENG-34053]

  • Fixed an issue with Azure Instances where attached Network Security Groups were not detected. [ENG-32458]

  • Fixed the incorrect display of the Last Attack Start Time, Last Attack End Time, and Last Attack Vectors columns in the DDoS Protection resource table. [ENG-32228]

Required Policies & Permissions (24.3.5)

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.