Mar 19, 2024

24.3.19 Release Notes

InsightCloudSec Software Release Notice - 24.3.19 Release

Release Highlights (24.3.19)

InsightCloudSec is pleased to announce Release 24.3.19. This release includes the Kubernetes Admission Controller interface, expanded container vulnerability assessment registry support, enhanced host vulnerability assessment reporting, and a modernized user experience for Query Filters. In addition, 24.3.19 includes one new Insight, one updated Query Filter, one new Query Filter, and 26 bug fixes.

Self-Hosted Deployment Updates (24.3.19)

Release availability for self-hosted customers is Thursday, March 21, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 24.3.19
  3. 24.3.19.cc45d0bce

ECR Build ID: cc45d0bcedc283b79883129efdd786b496e9cb02

Features & Enhancements (24.3.19)

  • Enabled the Kubernetes Admission Controller interface, which currently allows users to manage a set of pre-defined and recommended Gatekeeper Constraints for their Kubernetes Clusters to be enforced by Gatekeeper. These Constraints describe and enforce security policies to ensure best security practices across your cluster workloads.
  • Added log driver and group name properties to the ECS Task Definitions table. [ENG-33405]
  • Improved and modernized the Query Filters user experience. [ENG-34628]
  • Allow Container Vulnerability Assessment to assess images from unauthenticated xpkg.upbound.io registries. [ENG-36071]
  • Reduced size of OS Platform column on Vulnerabilities Resources table for improved presentation. [ENG-36046]
  • Improved messaging for certain authentication errors occurring while assessing container images in registries. [ENG-36032]
  • Added an advanced filter (filter by OS Platform) to the Vulnerabilities Resources tab. [ENG-35769]

Insights (24.3.19)

AWS

  • Task Definition Resource Has No Log Configuration - New Insight matches Task Definition resources that do not have a log configuration set. [ENG-33405]

Query Filters (24.3.19)

AWS

  • Instance Last Launch Time for EC2 Instances - Updated Query Filter now supports AWS, AWS China, and AWS GovCloud. [ENG-32536]

  • Task Definition Resource Has No Log Configuration - New Query Filter matches Task Definition resources that do not have a log configuration set. [ENG-33405]

Bug Fixes (24.3.19)

  • Fixed an issue with missing rules for Kubernetes CIS compliance; added compliance rules to Insights of the pack. [ENG-35980]

  • Deprecated the Insight Data Lake Storage Invalid Diagnostic Logging Configuration and the filters Data Lake Storage Is Unencrypted, Data Lake Storage Tier, and Data Lake Storage Invalid Diagnostic Logging Configuration (Azure). Support for this resource was removed in the previous release. [ENG-35808]

  • Fixed issue with inaccurate Resource count for basic users with resource group scope. [ENG-35514]

  • Fixed a bug where GCP PostgreSQL instances with SSL enforced were not marked compliant for enforcing transit encryption. [ENG-35459]

  • Ensured that HVA Snapshots are deleted when an instance has been deleted from the cloud account. [ENG-35441]

  • AWS Lambdas having the InvokeFunctionUrl permission with "lambda:FunctionUrlAuthType": "NONE" will now correctly be classified as publicly accessible. [ENG-35404]
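The classification above rests on the resource-based policy statement AWS attaches when a Function URL is created with auth type NONE: a wildcard principal allowed to call lambda:InvokeFunctionUrl under a StringEquals condition on lambda:FunctionUrlAuthType. The following checker, an added example and not InsightCloudSec code, applies that test to a policy document; the two sample policies and the function ARN are constructed, and a wildcard principal with no auth-type condition at all is treated as public as well, since nothing restricts it.

```python
import json

# Constructed sample: the statement AWS attaches when a Function URL is created
# with auth type NONE (principal "*" plus the FunctionUrlAuthType condition).
PUBLIC_URL_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

# Constructed sample: same permission, but only for one IAM-authenticated caller.
IAM_URL_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/caller"},
        "Action": ["lambda:InvokeFunctionUrl"],
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:demo",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
})


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def function_url_is_public(policy_json):
    """True if an Allow statement grants InvokeFunctionUrl to everyone with NONE auth."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"lambda:invokefunctionurl", "lambda:*", "*"} & actions):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # No auth-type condition at all leaves the wildcard grant unrestricted.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "NONE" in _as_list(cond.get("lambda:FunctionUrlAuthType", ["NONE"])):
            return True
    return False
```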

  • Resolved an issue causing errors when sorting in the table view of various resources. [ENG-35320]

  • Fixed an issue involving the Access Analyzer Harvester and the use of ListFindingsV2 API. [ENG-35223]

  • Updated the Resources Page Scopes panel to prevent Cloud Account Searches from searching by non-existent table values (e.g., roles). [ENG-35153]

  • The Host Vulnerability Assessment feature is now correctly accessible by basic users. [ENG-35069]

  • Fixed a bug where ServiceEncryptionKeyVaultHarvester was not harvesting key vaults in all compartments (OCI). We have also updated the ServiceEncryptionKeyVaultHarvester to be regional rather than global. [ENG-34291]

  • Fixed an issue in Query Filter Kubernetes Cluster Engine Public Access CIDRs. [ENG-34252]

  • Removed duplicate runtime value from Serverless Functions. [ENG-34091]

  • Fixed an issue with the AWS Content Delivery Network Harvester returning deprecated and deleted RTMP streaming distributions. We have also removed these permissions from the permission scanning utility and from our CFT policies. [ENG-33781]

  • Fixed MFA bug for Azure AD users. [ENG-33377]

  • Updated the Network Endpoint Service With Connection From Unknown Account Query Filter to not return Endpoint Services with connections from unknown accounts that were rejected. A new "Include Rejected Connections" flag has been added to trigger the previous behavior. [ENG-33371]

  • Fixed a bug where Exemption Rules could be created via the API without selecting Harvest and/or IAC support. Also updated any unscoped rules to apply to both harvested resources and IAC simulated resources. Fixes apply to customers with Exemption Rules only. [ENG-32956]

  • Fixed a bug where ICMP resources were displayed in the Query Filter Access List Exposes Non Web Ports (Security Groups). [ENG-32104]

  • Fixed a bug with the Insight Database Instance Vulnerability Assessment Without Recurring Scans where MySQL and PostgreSQL engine databases were being flagged (these engines are not supported by vulnerability assessment). [ENG-31906]

  • Fixed edge case with Query Filter Cloud Policy With Access To All Services/Resources where it returned false positives on policies that shared the same name with previously retrieved, deleted policies of the same resource. [ENG-30246]

  • Fixed potential false positives for the Insights Database Instance with Access List Attached Exposed to the Public and Message Broker Publicly Accessible with Attached Exposed Security Group (AWS) when performing an IaC scan against RDS and MQ broker resources that have attached security groups that expose ports to the public. [ENG-29474]

  • Updated Layered Context interactive filters (e.g., through the table or data visualization interaction) to be additive instead of clearing previously applied filters. [ENG-29317]

  • Fixed Delete action for Azure Serverless Function resources. [ENG-28528]

  • Added error handling for the AWS:SharedFileSystemHarvester for calls to retrieve FSx data failing due to missing permissions. [ENG-28082]

  • Resolved an issue on Platform login where domain admins with duplicated email addresses in ICS weren't able to log in to ICS via Platform. [ENG-27381]

  • Removed Query Filters Instance Averaging Low CPU and Instance Averaging High CPU as we no longer harvest the data required to filter for these. [ENG-19465]

Required Policies & Permissions (24.3.19)

Policies required for individual CSPs are as follows:

  • Alibaba Cloud
  • AWS
  • Azure
  • GCP
  • Oracle Cloud Infrastructure
  • Host Vulnerability Management

For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.