Release Summary
InsightCloudSec is pleased to announce release version 24.7.23. This release includes several new Azure and GCP resources, several new Query Filters and Insights, and extended Jinja2 templating support.
Details for self-hosted customers
- Release Availability - Thursday, July 23, 2024
- The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
- Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found at: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1):
  - latest
  - 24.7.23
  - 24.7.23.fdb2c5c8e
- ECR Build ID - fdb2c5c8e81213353e48119bcbc9602b0f826747
New
Added 3 new GCP resources: AlloyDB Cluster (available under Compute > Database Cluster), AlloyDB Backup (available under Storage > Database Snapshot), and AlloyDB Instance (available under Compute > Database Instance). These resources do not require any new permissions.
Added 8 new Azure resources to extend support for Azure AI (Cognitive) Services. These resources do not require any new permissions.
- AI Services (available under Machine Learning & AI > AI Services)
- AI Multi-Service Account (available under Machine Learning & AI > AI Services Multi-service Account)
- Custom Vision (Prediction & Training) (available under Machine Learning & AI > Custom Vision Prediction)
- Content Safety (available under Machine Learning & AI > Content Safety)
- Document Intelligence (available under Machine Learning & AI > Document Intelligence)
- Face API (available under Machine Learning & AI > Face API)
- Health Insights (available under Machine Learning & AI > Health Insights)
- Immersive Reader (available under Machine Learning & AI > Immersive Reader)
Added a new Jinja2 template to access all Insight findings for a resource:
{% for insight in resource.get_insights(exclude_exempt_insights=False) %} {{ insight.name }} {% endfor %}
Added Infrastructure as Code (IaC) support for Elastic Container Service (ECS) Task Definitions.
Added a default_action property for Storage Accounts that tracks the default Network Access Control List (NACL) action.
Added the following Query Filters:
- Storage Account Default NACL Action Setting
- Storage Account Soft Delete Setting(s) Disabled
- Elasticache Instance Minimum TLS Version
- AI Service By Type
- Resource Is In Subnet Within IP Range
Added the following Insights:
- Storage Account with Default Allow Network Access Rule
- Soft Delete Disabled for Storage Account Containers or Blob Storage
- AI Services Without Managed Access
Improved
- Updated the Insights mapping for recommendation 3.7 within the CIS - Azure 2.0 Compliance Pack:
  - Removed the Storage Container Exposed to the Public Insight.
  - Added the Storage Account Allows Access from the Public Insight.
- Updated the Storage Account Allows Access from the Public Insight to meet the new standard CIS Insight formatting.
- Updated the existing Azure AI Services-related Insights to include the new Azure AI Services resources.
- Replaced the existing Azure AI Services-related Query Filters with a new generic Query Filter that supports all Azure AI Services. The old Query Filters will be available for 6 months, after which they will be removed.
- Added the following tags for all Insights mapped under controls for Requirement 10 of the PCI DSS v4.0 Compliance pack:
  - PCI DSS v4.0
  - PCI DSS v4.0 - 10.2.1
  - PCI DSS v4.0 - 10.2.1.1
  - PCI DSS v4.0 - 10.2.1.2
  - PCI DSS v4.0 - 10.2.1.3
  - PCI DSS v4.0 - 10.2.1.4
  - PCI DSS v4.0 - 10.2.1.5
  - PCI DSS v4.0 - 10.2.1.7
  - PCI DSS v4.0 - 10.3.1
  - PCI DSS v4.0 - 10.4.1.1
- Renamed the Resource Is In Subnet Query Filter to Resource Is In Subnet By Subnet ID.
Fixed
- Fixed an issue where the harvest for Google Load Balancer resources would fail if a load balancer had no IP addresses.
- Fixed an issue where removing Azure identities on Azure Instances that previously had them would prevent the related instance's tags from being harvested.