Jul 16, 2024 - 24.7.16

Release Summary

InsightCloudSec is pleased to announce release version 24.7.16. This release includes a new risk dashboard, several new Insights, a toggle for legacy user interfaces, and support for the AWS CIS 3.0.0 benchmark.

Details for self-hosted customers
  • Release Availability - Thursday, July 18, 2024
    • The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found at: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1):
    • latest
    • 24.7.16
    • 24.7.16.a82e1f19e
  • ECR Build ID - a82e1f19e35eaad118d137cca4b24069fe3aa0eb

New

  • Added a new risk-focused overview to the home page (Summary).
  • Added the following Insights:
    • Amazon Machine Image (AMI) Shared with Untrusted/Unknown Account
    • Database Instance Without Minor Upgrades Enabled (RDS)
    • Private Image Deprecated
    • Task Definition Contains Specific Environment Variables (Regex)
    • Cloud User Not Assigned Permissions through Group Policies
  • Added the Cloud User Not Assigned Permissions through Group Policies Query Filter.
  • Added a new compliance pack for Center for Internet Security (CIS) version 3.0.0 AWS benchmark.
  • Added a new toggle to switch between the modern and legacy versions of the interface for the following pages:
    • Insights
    • Insight Packs
    • Insight Details
    • Insight Pack Details
    • Scheduled Events
    • Basic User Groups
    • Resource Group Detail View
    • Cloud Account Detail Overview

Improved

  • Removed the Database Instance Without Minor Upgrades Enabled Insight from the CIS - AWS 2.0.0 Compliance Pack.
  • Added the Database Instance Without Minor Upgrades Enabled (RDS) Insight to the CIS - AWS 2.0.0 Compliance Pack.
  • Updated the Database Instance/Cluster/Snapshot Engine Query Filter to allow for excluding resources of certain engine types.
  • Added the deprecation time to the Private Image resource properties.
  • Updated the Host Vulnerability Assessment AWS onboarding role permissions:
    • The kms:RetireGrant action has been broadened to all resources (*).
    • The ec2:ModifySnapshotAttribute action has been restricted to resources created by InsightCloudSec. Review the documentation to learn more about these permissions.
  • Updated the logic used to calculate Vulnerability Severity and CVSS scores so that the results are more accurate.
  • Updated the overview and remediation details for the Database Instance Flag 'cloudsql.enable_pgaudit' Disabled Insight.
  • Updated Cloud Account With Active Root Account Insight to align more closely with the CIS standard and include API key activity. It has also been renamed as Root Service User With Recent Activity to reflect the resource returned by its corresponding Query Filter.
  • Added support for deleting GCP Global IP Addresses in the Inventory view or with a Bot action.
  • Added edit capabilities for registries on the Container Assessment Vulnerability Settings page.
  • Improved the accuracy of the Cloud User with Unused Original API Keys Insight and added a supporting Query Filter, Cloud User With Unused Original API Keys.
  • Expanded the resource types supported by the Resource associated with Security Group with Rule allowing ingress from exploitable Service Tags Query Filter and Insight.
  • Added Alibaba Cloud Simple Log Service support for the Log Group Retention Period Query Filter.
  • Added an audit option to the Category Group field for the Cognitive Search Service Invalid Diagnostic Logging Configuration Query Filter.
  • Updated Insight formatting of AWS CIS 2.0 and 3.0 Compliance Pack Insights.
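The Host Vulnerability Assessment onboarding role change above tightens ec2:ModifySnapshotAttribute while widening kms:RetireGrant. The following added example (not Rapid7's onboarding template) is a least-privilege check that flags Allow statements granting a given action on every resource with no Condition; the sample policy and the `aws:ResourceTag/CreatedBy` tag used to mark InsightCloudSec-created resources are constructed placeholders, not the real template's condition.

```python
"""Flag IAM statements that grant an action on "*" with no Condition block.

Added example for reviewing the onboarding role change described in the
release notes. The tag key marking InsightCloudSec-created snapshots is an
assumption; the real template may restrict the action differently.
"""
import json

# Constructed sample policy: statement 1 is the old, unrestricted shape of
# ec2:ModifySnapshotAttribute; statement 2 is the tightened shape that only
# applies to resources carrying the (assumed) CreatedBy tag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "kms:RetireGrant", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:ModifySnapshotAttribute", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": "InsightCloudSec"}}}
  ]
}
""")


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unconditioned_wildcard_statements(policy, action):
    """Return the indexes of Allow statements that grant `action` on every
    resource ("*") without any Condition, i.e. the shape worth tightening."""
    hits = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if action in actions and "*" in resources and "Condition" not in statement:
            hits.append(index)
    return hits


if __name__ == "__main__":
    for act in ("kms:RetireGrant", "ec2:ModifySnapshotAttribute"):
        print(act, "unconditioned on * in statements:",
              unconditioned_wildcard_statements(SAMPLE_POLICY, act))
```

Running the check against a downloaded onboarding policy shows which broad grants remain, so the kms:RetireGrant widening can be reviewed deliberately rather than discovered later.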

Fixed

  • Fixed an issue with the Create Jira Issue Bot action where custom fields could not be loaded as JSON.
  • Fixed an issue with Azure Front Door resources where Route Tables with query string caching would cause the harvester to fail.
  • Fixed issues within the harvester for Instance Interfaces that were failing to properly establish relationships between Instances, Subnets, and Security Groups.
  • Fixed an issue with detecting network information attached to Scale Set Instances.
  • Fixed an issue that caused Scale Set Instances to be duplicated on harvest.
  • Fixed a casing issue when associating Azure Subnets with Azure Virtual Machines.
  • Removed the Risk Score column from the Vulnerabilities > AWS Inspector tab in the resource details.
  • Fixed an issue for Batch Environment resources where the Public Access tab in the resource details would not populate with data.
  • Fixed an issue where attempting to delete an IAM User from the Inventory would fail if the user had security credentials attached.
  • Fixed an issue where GCP recommendations were not linked to service users and service roles on the Identity Analysis page under the Remediations tab.
  • Fixed an issue where badges were not removed after adding an application to the scope.