24.7.23 (Jul 23, 2024)

Release Summary

InsightCloudSec is pleased to announce release version 24.7.23. This release includes several new Azure and GCP resources, several new Query Filters and Insights, and extended Jinja2 templating support.

Details for self-hosted customers
  • Release Availability - Thursday, July 23, 2024
    • The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found at: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1):
    • latest
    • 24.7.23
    • 24.7.23.fdb2c5c8e
  • ECR Build ID - fdb2c5c8e81213353e48119bcbc9602b0f826747

New

  • Added 3 new GCP resources: AlloyDB Cluster (available under Compute > Database Cluster), AlloyDB Backup (available under Storage > Database Snapshot), and AlloyDB Instance (available under Compute > Database Instance). These resources do not require any new permissions.

  • Added 8 new Azure resources to extend support for Azure AI (Cognitive) Services. These resources do not require any new permissions.

    • AI Services (available under Machine Learning & AI > AI Services)
    • AI Multi-Service Account (available under Machine Learning & AI > AI Services Multi-service Account)
    • Custom Vision (Prediction & Training) (available under Machine Learning & AI > Custom Vision Prediction)
    • Content Safety (available under Machine Learning & AI > Content Safety)
    • Document Intelligence (available under Machine Learning & AI > Document Intelligence)
    • Face API (available under Machine Learning & AI > Face API)
    • Health Insights (available under Machine Learning & AI > Health Insights)
    • Immersive Reader (available under Machine Learning & AI > Immersive Reader)
  • Added a new Jinja2 template to access all Insight findings for a resource:

    {% for insight in resource.get_insights(exclude_exempt_insights=False) %}
    {{ insight.name }}
    {% endfor %}
    
  • Added Infrastructure as Code (IaC) support for Elastic Container Service (ECS) Task Definitions.

  • Added a default_action property for Storage Accounts that tracks the default Network Access Control List (NACL) action.

  • Added the following Query Filters:

    • Storage Account Default NACL Action Setting
    • Storage Account Soft Delete Setting(s) Disabled
    • Elasticache Instance Minimum TLS Version
    • AI Service By Type
    • Resource Is In Subnet Within IP Range
  • Added the following Insights:

    • Storage Account with Default Allow Network Access Rule
    • Soft Delete Disabled for Storage Account Containers or Blob Storage
    • AI Services Without Managed Access

Improved

  • Updated the Insights mapping for recommendation 3.7 within the CIS - Azure 2.0 Compliance Pack:
    • Removed the Storage Container Exposed to the Public Insight.
    • Added the Storage Account Allows Access from the Public Insight.
  • Updated the Storage Account Allows Access from the Public Insight to meet the new standard CIS Insight formatting.
  • Updated the existing Azure AI Services-related Insights to include the new Azure AI Services resources.
  • Replaced the existing Azure AI Services-related Query Filters with a new generic Query Filter that supports all Azure AI Services. The old Query Filters will be available for 6 months, after which they will be removed.
  • Added the following tags for all Insights mapped under controls for Requirement 10 of the PCI DSS v4.0 Compliance pack:
    • PCI DSS v4.0
    • PCI DSS v4.0 - 10.2.1
    • PCI DSS v4.0 - 10.2.1.1
    • PCI DSS v4.0 - 10.2.1.2
    • PCI DSS v4.0 - 10.2.1.3
    • PCI DSS v4.0 - 10.2.1.4
    • PCI DSS v4.0 - 10.2.1.5
    • PCI DSS v4.0 - 10.2.1.7
    • PCI DSS v4.0 - 10.3.1
    • PCI DSS v4.0 - 10.4.1.1
  • Renamed the Resource Is In Subnet Query Filter to Resource Is In Subnet By Subnet ID.

Fixed

  • Fixed an issue where the harvest for Google Load Balancer resources would fail if a load balancer had no IP addresses.
  • Fixed an issue where removing Azure identities on Azure Instances that previously had them would prevent the related instance's tags from being harvested.