24.3.19 Release Notes
InsightCloudSec Software Release Notice - 24.3.19 Release
Release Highlights (24.3.19)
InsightCloudSec is pleased to announce Release 24.3.19. This release includes the Kubernetes Admission Controller interface, expanded container vulnerability assessment registry support, enhanced host vulnerability assessment reporting, and a modernized user experience for Query Filters. In addition, 24.3.19 includes one new Insight, one updated Query Filter, one new Query Filter, and 26 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (24.3.19)
Release availability for self-hosted customers is Thursday, March 21, 2024. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the `terraform get -update` command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):
latest
24.3.19
24.3.19.cc45d0bce
ECR Build ID: cc45d0bcedc283b79883129efdd786b496e9cb02
Features & Enhancements (24.3.19)
- Enabled the Kubernetes Admission Controller interface, which currently allows users to manage a set of pre-defined, recommended Gatekeeper Constraints for their Kubernetes Clusters. These Constraints describe security policies, which Gatekeeper then enforces at admission time across your cluster workloads.
- Added log driver and group name properties to the ECS Task Definitions table. [ENG-33405]
- Improved and modernized the Query Filters user experience. [ENG-34628]
- Container Vulnerability Assessment can now assess images from xpkg.upbound.io registries that do not require authentication. [ENG-36071]
- Reduced size of OS Platform column on Vulnerabilities Resources table for improved presentation. [ENG-36046]
- Improved messaging for certain authentication errors occurring while assessing container images in registries. [ENG-36032]
- Added an advanced filter (filter by OS Platform) to the Vulnerabilities Resources tab. [ENG-35769]
Insights (24.3.19)
AWS
Task Definition Resource Has No Log Configuration
- New Insight matches Task Definition resources that do not have a log configuration set. [ENG-33405]
Query Filters (24.3.19)
AWS
Instance Last Launch Time for EC2 Instances
- Updated Query Filter now supports AWS, AWS China, and AWS GovCloud. [ENG-32536]
Task Definition Resource Has No Log Configuration
- New Query Filter matches Task Definition resources that do not have a log configuration set. [ENG-33405]
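The check behind the new Insight and Query Filter, written out as an added example (this is not InsightCloudSec code and makes no claim about how its harvester implements the condition). It walks the `containerDefinitions` of a task definition in the JSON shape that `aws ecs describe-task-definition` returns, reports each container's log driver and, for the awslogs driver, the CloudWatch log group (the two properties this release adds to the ECS Task Definitions table), and flags the task definition when any container has no log configuration at all. The sample task definition, account ID and image names are constructed placeholders; treating a task definition as non-compliant when any single container lacks logging is an assumption.

```python
"""Find ECS task definition containers with no log configuration.

Added example, not InsightCloudSec code. Input follows the `taskDefinition`
object returned by `aws ecs describe-task-definition`; the sample below is
constructed and the account ID / image names are placeholders.
"""

# Constructed sample: "api" logs to CloudWatch through awslogs, "worker" uses
# awsfirelens (no CloudWatch group, but still configured), and the sidecar
# has no logConfiguration at all, so its stdout/stderr goes nowhere.
SAMPLE_TASK_DEFINITION = {
    "family": "payments-api",
    "revision": 7,
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api:1.4.2",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/payments-api",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "api",
                },
            },
        },
        {
            "name": "worker",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-worker:1.4.2",
            "logConfiguration": {
                "logDriver": "awsfirelens",
                "options": {"Name": "cloudwatch_logs", "region": "us-east-1"},
            },
        },
        {
            "name": "envoy-sidecar",
            "image": "public.ecr.aws/appmesh/aws-appmesh-envoy:v1.27.2.0-prod",
        },
    ],
}


def describe_logging(task_definition):
    """One record per container: log driver, the CloudWatch log group when the
    awslogs driver is used (other drivers route logs elsewhere, so the group
    is left as None), and whether any log configuration is present."""
    records = []
    for container in task_definition.get("containerDefinitions", []):
        log_cfg = container.get("logConfiguration") or {}
        driver = log_cfg.get("logDriver")
        options = log_cfg.get("options") or {}
        group = options.get("awslogs-group") if driver == "awslogs" else None
        records.append({
            "container": container["name"],
            "logDriver": driver,
            "logGroup": group,
            "hasLogConfiguration": driver is not None,
        })
    return records


def containers_without_log_configuration(task_definition):
    """Names of containers that define no logDriver at all."""
    return [r["container"] for r in describe_logging(task_definition)
            if not r["hasLogConfiguration"]]


def task_definition_has_no_log_configuration(task_definition):
    """Assumption: a task definition is flagged when any of its containers
    lacks a log configuration, since that container's output is lost."""
    return bool(containers_without_log_configuration(task_definition))


if __name__ == "__main__":
    td = SAMPLE_TASK_DEFINITION
    for rec in describe_logging(td):
        print(f"{td['family']}:{td['revision']} {rec['container']:14s} "
              f"driver={rec['logDriver']} group={rec['logGroup']}")
    print("no log configuration:", containers_without_log_configuration(td))
```

Run it against the output of `aws ecs describe-task-definition --task-definition payments-api:7 --query taskDefinition` to audit a live revision; a task definition whose active revision is compliant can still have older revisions that are not, so check the revision that running services actually reference.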
Bug Fixes (24.3.19)
- Fixed an issue with missing rules for Kubernetes CIS compliance; added compliance rules to the Insights of the pack. [ENG-35980]
- Deprecated the Insight "Data Lake Storage Invalid Diagnostic Logging Configuration" and the Query Filters "Data Lake Storage Is Unencrypted", "Data Lake Storage Tier", and "Data Lake Storage Invalid Diagnostic Logging Configuration (Azure)". Support for this resource was removed in the previous release. [ENG-35808]
- Fixed an issue with inaccurate Resource counts for basic users with resource group scope. [ENG-35514]
- Fixed a bug where GCP PostgreSQL instances with SSL enforced were not marked compliant for enforcing transit encryption. [ENG-35459]
- Ensured that HVA Snapshots are deleted when an instance has been deleted from the cloud account. [ENG-35441]
- AWS Lambda functions that grant the `lambda:InvokeFunctionUrl` permission with `"lambda:FunctionUrlAuthType": "NONE"` are now correctly classified as publicly accessible. [ENG-35404]
- Resolved an issue causing errors when sorting in the table view of various resources. [ENG-35320]
- Fixed an issue involving the Access Analyzer Harvester and the use of the ListFindingsV2 API. [ENG-35223]
- Updated the Resources Page Scopes panel to prevent Cloud Account Searches from searching by non-existent table values (e.g., roles). [ENG-35153]
- The Host Vulnerability Assessment feature is now correctly accessible by basic users. [ENG-35069]
- Fixed a bug where the `ServiceEncryptionKeyVaultHarvester` was not harvesting key vaults in all compartments (OCI). We have also updated the `ServiceEncryptionKeyVaultHarvester` to be regional rather than global. [ENG-34291]
- Fixed an issue in the Query Filter "Kubernetes Cluster Engine Public Access CIDRs". [ENG-34252]
- Removed a duplicate runtime value from Serverless Functions. [ENG-34091]
- Fixed an issue with the AWS Content Delivery Network Harvester returning deprecated and deleted RTMP streaming distributions. We have also removed these permissions from the permission scanning utility and from our CFT policies. [ENG-33781]
- Fixed an MFA bug for Azure AD users. [ENG-33377]
- Updated the Query Filter "Network Endpoint Service With Connection From Unknown Account" so that it no longer returns Endpoint Services whose connections from unknown accounts were rejected. A new "Include Rejected Connections" flag restores the previous behavior. [ENG-33371]
- Fixed a bug where Exemption Rules could be created via the API without selecting Harvest and/or IaC support. Also updated any unscoped rules to apply to both harvested resources and IaC simulated resources. These fixes apply to customers with Exemption Rules only. [ENG-32956]
- Fixed a bug where ICMP resources were displayed in the Query Filter "Access List Exposes Non Web Ports (Security Groups)". [ENG-32104]
- Fixed a bug with the Insight "Database Instance Vulnerability Assessment Without Recurring Scans" where MySQL and PostgreSQL engine databases were flagged even though these engines are not supported by vulnerability assessment. [ENG-31906]
- Fixed an edge case with the Query Filter "Cloud Policy With Access To All Services/Resources" where it returned false positives on policies that shared a name with previously retrieved, since-deleted policies of the same resource. [ENG-30246]
- Fixed potential false positives for the Insights "Database Instance with Access List Attached Exposed to the Public" and "Message Broker Publicly Accessible with Attached Exposed Security Group (AWS)" when performing an IaC scan against RDS and MQ broker resources that have attached security groups exposing ports to the public. [ENG-29474]
- Updated Layered Context interactive filters (e.g., through the table or data visualization interaction) to be additive instead of clearing previously applied filters. [ENG-29317]
- Fixed the Delete action for Azure Serverless Function resources. [ENG-28528]
- Added error handling to the `AWS:SharedFileSystemHarvester` for calls to retrieve FSx data that fail due to missing permissions. [ENG-28082]
- Resolved an issue on Platform login where domain admins with duplicated email addresses in ICS were unable to log in to ICS via Platform. [ENG-27381]
- Removed the Query Filters "Instance Averaging Low CPU" and "Instance Averaging High CPU", as we no longer harvest the data required for them. [ENG-19465]
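The Lambda fix above (ENG-35404) turns on a specific policy pattern: a resource-based policy statement that grants `lambda:InvokeFunctionUrl` to everyone under the condition `"lambda:FunctionUrlAuthType": "NONE"`, which is exactly what AWS writes when a function URL is created with public (NONE) auth. The following is an added example of that classification, written here for illustration and not taken from InsightCloudSec. It evaluates the JSON document returned in the `Policy` field of `aws lambda get-policy`; the three sample policies, the account ID and the function name are constructed placeholders, and the decision to treat any other condition key (such as `aws:SourceArn`) or a non-`StringEquals` operator as "not unconditionally public" is an assumption made to avoid false positives.

```python
"""Classify a Lambda function as publicly invokable through its function URL.

Added example, not InsightCloudSec code. Evaluates the resource-based policy
from `aws lambda get-policy` (the "Policy" field, a JSON string, or the same
document already parsed). Sample policies are constructed; the account ID and
function name are placeholders.
"""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:orders-webhook"

# What a public function URL leaves behind: Principal "*" plus the NONE
# auth-type condition. Anyone on the internet can hit the URL.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})

# Same grant to everyone, but callers must still present valid SigV4
# credentials, so this is not anonymous access.
IAM_AUTH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FunctionURLAllowIamAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
})

# A typical API Gateway integration: a service principal, InvokeFunction
# rather than InvokeFunctionUrl, scoped by source ARN. Not a public URL.
API_GATEWAY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowApiGatewayInvoke",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn":
            "arn:aws:execute-api:us-east-1:123456789012:abc123/*/POST/orders"}},
    }],
})

# Actions that cover lambda:InvokeFunctionUrl. Assumption: only these exact
# wildcards are considered; other glob forms are not expanded here.
URL_INVOKE_ACTIONS = {"lambda:invokefunctionurl", "lambda:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or a list in Principal, Action and Condition."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """Both "*" and {"AWS": "*"} mean every caller, anonymous ones included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def statement_exposes_function_url(statement):
    """True when this statement alone lets anonymous callers invoke the URL:
    Allow, Principal is everyone, the action covers InvokeFunctionUrl, and
    lambda:FunctionUrlAuthType is NONE or not constrained at all."""
    if statement.get("Effect") != "Allow":
        return False
    if not _principal_is_anyone(statement.get("Principal")):
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if not actions & URL_INVOKE_ACTIONS:
        return False
    auth_types = None
    narrowing = False
    for operator, pairs in (statement.get("Condition") or {}).items():
        for key, value in pairs.items():
            if key.lower() == "lambda:functionurlauthtype" and operator == "StringEquals":
                auth_types = {str(v).upper() for v in _as_list(value)}
            else:
                # Assumption: any other key (aws:SourceArn, aws:SourceVpc ...)
                # or operator scopes the grant, so don't call it public.
                narrowing = True
    if narrowing:
        return False
    return auth_types is None or "NONE" in auth_types


def function_url_is_public(policy):
    """Accepts the get-policy JSON string or an already parsed policy dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(statement_exposes_function_url(s)
               for s in _as_list(policy.get("Statement")))


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_POLICY), ("iam", IAM_AUTH_POLICY),
                      ("apigw", API_GATEWAY_POLICY)]:
        print(f"{name:7s} public={function_url_is_public(doc)}")
```

Pair this with `aws lambda get-function-url-config`: a URL created with `AuthType NONE` and no matching policy statement answers 403, and a policy statement with no URL is dormant until someone creates one, so the two checks together give the full picture.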
Required Policies & Permissions (24.3.19)
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Read Only Policy
- Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs, there is no policy file to maintain. Refer to our list of Recommended APIs, which is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, reach out to us through your CSM or the Customer Support Portal.