Release Summary

InsightCloudSec is pleased to announce release version 24.6.4. This release includes 2 new Azure resources, CIS Kubernetes Compliance Pack updates, and an improved user experience for Badges, Current User Sessions, and Resource Group Details.

New

• Added new Query Filters For Google Load Balancers:
  • Load Balancer With Backend Service Type
  • Backend Service By Type
  • Load Balancer With Cloud Armor Policy Type attached to their Backend Service(s)
  • Backend Service With/Without Cloud Armor Policy Type
  • Cloud Provider Backend Service ID in List
• Added 2 new Azure resources: Conditional Access Policy and Named Location. These resources do not require any new permissions.
• Added new Query Filters for the new Conditional Access Policy and Named Location Azure resources:
  • Cloud Account Without/With Named Locations
  • Cloud User Without/With Conditional Access MFA Enabled
• Added new Distributed Table Minimal TLS Version Query Filter for the Azure Cosmos Database minimal TLS version property.

Improved

• Modernized and improved the user experience of the following features: Badges, Current User Sessions, and Resource Group Details.
• Renamed the Identity Management section of the system settings to User Management.
• Updated support for Azure Cosmos Databases to include the minimal TLS version property.
• Updated the Resource Does Not Support TLS 1.2 Minimum Query Filter and the Resource does not Support TLS 1.2 Insight to include Azure Cosmos Database.
• Updated Threat Finding severity levels support to include all levels from AWS, Azure, and GCP.
• Updated the supported resources for the Search Threat Finding by Regex Query Filter to include API Accounting Config.
• Updated support for harvesting Threat Findings from the me-central-1 AWS region
• Added filters for Account Name, Account ID, and Account Badges to the Applications page.
• Improved entitlement change detections for users that are logged in without requiring the user to log out.
• Added the following tags for all insights mapped under controls for Requirement 4 of the PCI DSS v4.0 Compliance pack:
  • PCI DSS v4.0
  • PCI DSS v4.0 - 4.2.1
• Updated the CIS - Kubernetes Compliance Pack to version 1.8. This version includes the following changes:
  • Added new Insights:
    • Ensure that the --protect-kernel-defaults argument is set to true (Compliance Rule 4.2.6)
    • Ensure that a limit is set on pod PIDs (Compliance Rule 4.2.13)
    • Minimize access to secrets (Compliance Rule 5.1.2)
    • Minimize access to create pods (Compliance Rule 5.1.4)
    • Ensure that default service accounts are not actively used (Compliance Rule 5.1.5)
    • Ensure that Service Account Tokens are only mounted where necessary (Compliance Rule 5.1.6)
    • Avoid use of system:masters group (Compliance Rule 5.1.7)
    • Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Compliance Rule 5.1.8)
    • Minimize access to create persistent volumes (Compliance Rule 5.1.9)
    • Minimize access to the proxy sub-resource of nodes (Compliance Rule 5.1.10)
    • Minimize access to the approval sub-resource of certificatesigningrequests objects (Compliance Rule 5.1.11)
    • Minimize access to webhook configuration objects (Compliance Rule 5.1.12)
    • Minimize access to the service account token creation (Compliance Rule 5.1.13)
    • Ensure that the cluster has at least 1 active policy control mechanism in place (Compliance Rule 5.2.1)
    • Minimize the admission of Windows HostProcess Containers (Compliance Rule 5.2.11)
    • Minimize the admission of HostPath volumes (Compliance Rule 5.2.12)
    • Minimize the admission of containers which use HostPorts (Compliance Rule 5.2.13)
    • Prefer using secrets as files over secrets as environment variables (Compliance Rule 5.4.1)
    • Ensure that the DenyServiceExternalIPs is set (Compliance Rule 1.2.3)
  • Removed Insights:
    • Ensure that the --basic-auth-file argument is not set (Compliance Rule 1.2.2)
    • Ensure that the --kubelet-https argument is set to true (Compliance Rule 1.2.4)
    • Ensure that the admission control plugin PodSecurityPolicy is set (Compliance Rule 1.2.16)
    • Ensure that the --insecure-bind-address argument is not set (Compliance Rule 1.2.18)
    • Ensure that the --insecure-port argument is set to 0 (Compliance Rule 1.2.19)
    • Ensure that the --secure-port argument is not set to 0 (Compliance Rule 1.2.20)

Fixed

• Updated the recommended Azure Custom Reader User Role for missing permissions.
• Fixed an issue with emails coming from InsightCloudSec being sent as attachments instead of as an email body.
• Fixed the Clouds filter on the Event-Driven Harvesting (EDH) Summary page to correctly populate clouds.
• Host Vulnerability Assessments that have been in progress for greater than or equal to 2 days now automatically fail with a timeout error message.
• Fixed Google Cloud Platform (GCP) system-managed service account keys to be marked as inactive once they have reached their expiration date.
• Fixed the GCP Storage Container Harvester to succeed when the Organization Policy API is not turned on for a project. However, the minimum-allowed TLS version will be set to 1.0 (GCP default).
• Fixed an issue where Network Load Balancers were appearing in the Load Balancer With SSL and HTTP Listener Insight and Query Filter.
• Removed Amazon Bedrock permissions from the list of required permissions for AWS China.
• Fixed a display issue with Serverless Function runtimes.
• Removed the High Risk filter for the Layered Context page.
• Fixed the MIME type of Scorecard Subscription emails to render properly in the Thunderbird email client.
• Fixed an issue with false positives for the AWS Elastic MapReduce (EMR) S3 at rest encryption parameter.
• Fixed an issue with Azure Virtual Machines being unable to relate their attached disks if their Instance ID contained mixed-case letters.