
Jun 18, 2024

This release includes a new AWS Bedrock Agent resource, improvements to the Insights user experience, and several Query Filter and Insight updates.

Release Summary

InsightCloudSec is pleased to announce release version 24.6.18.

Details for self-hosted customers

  • Release Availability - Thursday, June 20, 2024
    • The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found at: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1):
    • latest
    • 24.6.18
    • 24.6.18.4fc2e56ad
  • ECR Build ID - 4fc2e56ad5fa5150ae76321a526c53fcfde31a99

New Permissions: Amazon Web Services (AWS)

These permissions support the new AWS Bedrock Agent resource.

For AWS Commercial Read-Only Users:

  • "bedrock:GetAgent"
  • "bedrock:ListAgents"

These permissions have been added to the AWS Read Only Policy (Part 1) for InsightCloudSec.
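
If you maintain a customized copy of the read-only policy, a check like the following confirms that the two new actions are granted. This is an added example, not part of the InsightCloudSec onboarding tooling; the function names and the sample policy are constructed for illustration, and Resource and Condition elements are not evaluated.

```python
import fnmatch
import json

# Actions this release adds for the Bedrock Agent resource (from the notes above).
REQUIRED_ACTIONS = ("bedrock:GetAgent", "bedrock:ListAgents")

# Constructed sample: an older custom policy that only covers List* calls.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "bedrock:List*"], "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM accepts either a single string or a list for Action/NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, action):
    """IAM action names are case-insensitive; '*' and '?' act as wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not allow or explicitly denies.

    Conservative by design: any matching Deny counts, whatever its Resource."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in statements:
            if "NotAction" in stmt:
                hit = not _matches(_as_list(stmt["NotAction"]), action)
            else:
                hit = _matches(_as_list(stmt.get("Action")), action)
            if hit and stmt.get("Effect") == "Deny":
                denied = True
            elif hit and stmt.get("Effect") == "Allow":
                allowed = True
        if denied or not allowed:
            missing.append(action)
    return missing

if __name__ == "__main__":
    print("Missing:", missing_actions(SAMPLE_POLICY))
```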

New

  • Added a new AWS Bedrock Agent resource. Added the following Insight and Query Filters to support the resource:
    • Insight: Bedrock Agent using Cloud Managed Key Instead of Customer Managed Key
    • Query Filters:
      • Bedrock Agent Status
      • Bedrock Agent's Base Model

Improved

  • Modernized and improved the user experience of the Insights page.
  • Added the Apply And and Omitted Time fields to the Instance Agent Type Query Filter.
  • Updated the Compliance Packs page to order the packs alphabetically and remove legacy packs.
  • Added the Rotation Period (Days) property to KMS Key harvesting, so now you can use the Encryption Key Rotation Period Threshold to filter KMS Keys that have a rotation period greater than 2 years.
  • Added the Direct Access Disabled field to the Machine Learning Instance Direct Access Query Filter.
  • Added more logging for the CrowdStrike integration.
  • Improved the AWS onboarding Python script to support more customizations for CloudFormation Templates (CFTs) creation and deployment:
    • The onboarding script is now self-contained and can generate CFTs directly.
    • The new script is fully backwards-compatible with the old script.
    • Added a new --skip-deploy option to skip deploying a given CFT if you’d rather only generate or review a custom CFT.
    • Added a new --iam-path option to specify a prefix or namespace for your custom CFTs.
    • Added a new --role-name option to specify custom role names for your custom CFTs.
    • Added a new --unique-suffix option to specify a unique suffix to the roles used within your custom CFTs.
    • Added a new --tags option to include tags on CFT resource definitions that are applied to resources that support tagging in CloudFormation. Tagging on IAM policies is not supported at this time.

IAM Path Deprecation

InsightCloudSec currently includes the /rapid7/ path in the default AWS onboarding CFTs to help you more easily identify Rapid7 IAM resources, but this creates several issues:

  • You cannot bind IAM roles that contain paths for harvesting Elastic Kubernetes Service (EKS) resources, so a second IAM role must be used solely for EKS harvesting.
  • Using IAM paths can make troubleshooting onboarding issues difficult because IAM paths are prone to omission or typos.
  • IAM paths are not first-class citizens in the AWS console for search or navigation.

For these reasons, InsightCloudSec recommends that you begin to transition away from using IAM paths for your onboarding artifacts. The default CFTs for InsightCloudSec onboarding will use IAM paths for the time being, and we will inform you before we change the behavior.

You can switch to a role without an IAM path by using the new --iam-path option or by supplying a / when you are prompted to provide a path during interactive mode.

Fixed

  • Standardized timestamps in the Resource details window by changing Last Harvested Timestamp and Instance Launch Time to be in YYYY-MM-DD HH:MM:SS format.
  • Fixed an issue where newly harvested non-root volumes were being queued for assessment, resulting in hosts incorrectly showing a failed assessment status.