Release Summary

InsightCloudSec is pleased to announce release version 24.6.25. This release includes several Query Filter and Insight updates, new Kubernetes Insights, and additional Jira Bot Action support.

New

• Added a new Insight and Query Filter, Security Group with Rule allowing ingress from exploitable Service Tags, that can be used to find Azure Resource Access Lists currently sing exploitable Service Tags.
• Added a new Query Filter, Resource With/Without Action, to match AWS resources that have had an action within a defined time period.
• Added support for custom container registries within the Container Vulnerability Assessment feature.

Improved

• Added EDH support for AWS DynamoDB RestoreTableFromBackup and RestoreTableToPointInTime events.
• Added 2 new input fields to the Create Individual Jira Issue Bot Action:
  • A date string field, which provides support for the Jira Due Date field.
  • A JSON object field that can handle simple keys and string or string list values, which provides limited support for Jira custom fields.
• Removed the Policy Option (Deprecated) field from the Storage Container/Global Access Point Without Block Public Access Settings Query Filter.
• Updated the Storage Container without Block Public Access Protection Insight formatting.
• Added the following tags for all Insights mapped under controls for Requirement 4 of the PCI DSS v4.0 Compliance pack.
  • PCI DSS v4.0
  • PCI DSS v4.0 - 6.3.1
  • PCI DSS v4.0 - 6.3.6
  • PCI DSS v4.0 - 6.4.2
• Created new Kubernetes Insights from existing Insights, but they have been renamed to include their impacted resource type (the change is listed in bold):
  • Avoid use of system:masters group on Roles
  • Ensure that Service Account Tokens are only mounted where necessary on ServiceAccounts
  • Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster on Roles
  • Minimize access to create persistent volumes on Roles
  • Minimize access to create pods on Roles
  • Minimize access to secrets on Roles
  • Minimize access to the approval sub-resource of certificatesigningrequests objects on Roles
  • Minimize access to the proxy sub-resource of nodes on Roles
  • Minimize access to the service account token creation on Roles
  • Minimize access to webhook configuration objects on Roles

Fixed

• Fixed an issue with the Identity Resource Does Not Have Policy Query Filter when analyzing infrastructure-as-code (IaC) resources.
• Updated the database_type property for Azure Databases resources using elasticpool to use elasticdatabase instead to more accurately reflect the harvested resource in InsightCloudSec.
• Fixed a rare issue that was preventing moving a cloud account from one InsightCloudSec Organization to a different InsightCloudSec Organization.
• Fixed an issue where an AWS account could be added to 2 different AWS Organizations in InsightCloudSec when using the AWS Organization’s Account Discovery feature.
  • If both AWS Organizations have been configured in InsightCloudSec, the change in AWS Organization is detected automatically and the account is moved to the proper AWS Organization.

• The following Insights are now correctly marked as deprecated in the Kubernetes CIS Compliance Pack:
  • Ensure that the --protect-kernel-defaults argument is set to true
  • Ensure that the admission control plugin PodSecurityPolicy is set
  • Ensure that the --insecure-bind-address argument is not set
  • Ensure that the --insecure-port argument is set to 0
  • Ensure that the --basic-auth-file argument is not set
  • Ensure that the --secure-port argument is not set to 0
  • Ensure that the --kubelet-https argument is set to true