Aug 13, 2024 - Release 24.8.13

Release Summary

InsightCloudSec is pleased to announce release version 24.8.13. This release includes new AWS resources, many new Query Filters and Insights, and a new compliance pack.

Details for self-hosted customers
  • Release Availability - Thursday, August 15, 2024
    • The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found at: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1):
    • latest
    • 24.8.13
    • 24.8.13.613a847ba
  • ECR Build ID - 613a847ba184f42391c81409a5e125cd21d42a2f

New Permissions: Amazon Web Services (AWS)

These permissions support the new AWS Bedrock Knowledge Base and Bedrock Guardrail resources.

For AWS Read-Only Users:

  • "bedrock:ListGuardrails"
  • "bedrock:ListKnowledgeBases"
  • "bedrock:GetGuardrail"
  • "bedrock:GetKnowledgeBase"

These permissions have been added to the AWS Read Only Policy 1 for InsightCloudSec.

New

  • Added 2 new AWS resources: Bedrock Knowledge Base and Bedrock Guardrail.
  • Added the following Query Filters:
    • Load Balancer With Named Cloud Armor Policy attached to their Backend Service(s)
    • Backend Service With/Without Cloud Armor Policy Name
    • Resource Namespace IDs Match List
    • Bedrock Knowledge Base Source Data Is Publicly Exposed
    • Bedrock Knowledge Base Source Data Encrypted With Cloud Managed Key
    • Bedrock Knowledge Base Embedding Model
    • Bedrock Knowledge Base Status
    • Bedrock Resource Base Model
    • Bedrock Agent Without Guardrail Configured
    • Bedrock Guardrail Status
    • Bedrock Guardrail using Cloud Managed Key Instead of Customer Managed Key
    • Volume Encryption Type
  • Added the following Insights:
    • Cloud Region Without Network Watcher Enabled. This Insight replaces Network Watcher Not Enabled For All Regions, which will be removed in the future.
    • Storage Container without Object Level Logging for Read Events, which was also added to the CIS AWS 3.0 Compliance Pack (mapped to Recommendation 3.9) and the CIS AWS 2.0 Compliance Pack (mapped to Recommendation 3.11).
    • Storage Container without Object Level Logging for Write Events, which was also added to the CIS AWS 3.0 Compliance Pack (mapped to Recommendation 3.8) and the CIS AWS 2.0 Compliance Pack (mapped to Recommendation 3.10).
    • Bedrock Knowledge Base Source Data Is Publicly Exposed
    • Bedrock Knowledge Base Source Data Encrypted With Cloud Managed Key Instead of Customer Managed Key
    • Database Instance without Microsoft Entra Admin Configured (SQL Server)
    • Database Instance not Enforcing Transit Encryption (MySQL Single Server), also added to the CIS Azure 2.0 Compliance Pack under Recommendation 4.4.1.
    • Database Instance Not Configured to Log Checkpoints (PostgreSQL Single Server), also added to the CIS Azure 2.0 Compliance Pack under Recommendation 4.3.2.
    • Database Instance Allowing Access from Cloud Resources (PostgreSQL - Single Server), also added to the CIS Azure 2.0 Compliance Pack under Recommendation 4.3.7.
    • Database Instance without Infrastructure Encryption Enabled (PostgreSQL Single Server), also added to the CIS Azure 2.0 Compliance Pack under Recommendation 4.3.8.
    • Database Instance without Log Auditing Enabled (MySQL Single Server), also added to the CIS Azure 2.0 Compliance Pack under Recommendation 4.4.3.
  • Added a new compliance pack for Center for Internet Security (CIS) version 2.1 Azure benchmark. Updated the Overview, Remediation Steps, and Reference Links for all Insights associated with this new pack.
  • Added a new entitlement to control the visibility of Source Documents for resources.
  • Added Source Document and Event Driven Harvesting support for Azure HDInsight Clusters.
  • Added Infrastructure as Code (IaC) support for AWS Secrets.
  • Harvested a new encryption_type property to the Volume resource.

Improved

  • Updated the Load Balancer With Cloud Armor Policy Type attached to their Backend Service(s) Query Filter to allow searching for load balancers without the specified type of Cloud Armor Policy.
  • Removed the Storage Container without Object Level Logging Insight (and removed it from the CIS AWS 2.0 Compliance Pack for Recommendations 3.10 and 3.11) and replaced it with Storage Container not Logged by API Accounting Config.
  • On the Clouds Accounts page, the Migrate to Org button is now disabled if one of the selected clouds is already part of an organization.
  • Added the option to limit the default timeframe to the last 30 days on the Scheduled Events > Event History page.
  • Replaced the Database Instance Azure Active Directory Admin not Configured (Azure) Insight with Database Instance Microsoft Entra Admin not Configured (Azure) to reflect the Azure Active Directory to Microsoft Entra ID name update.
  • Replaced the Database Instance With/Without Infrastructure Encryption (PostgreSQL) Query Filter and Insight with Database Instance With/Without Infrastructure Encryption to reflect expanded support beyond PostgreSQL.
  • Updated the GCP Service Encryption Key Vault Harvester to harvest the key protection level.
  • Updated the Encryption Key Using/Not Using HSM and Encryption Key Origin Query Filters to support GCP.
  • GCP Cloud Account harvesting is now automatically disabled when a harvester receives a GCP error indicating that the account does not exist.
  • Improved the description for the Application Gateway/Stage With Metrics Enabled Query Filter.
  • Added an Insight ID column to the Insight Library.
  • On the Harvesting Strategy > Listing > Strategy Configuration page, the Override (minutes) and Cadence sliders are disabled when Dynamic Scheduling is enabled.
  • Updated the Resource Associated with Security Group with Rule Allowing Ingress from Exploitable Service Tags Query Filter and Insight to support the Serverless Function resource type.
  • Improved Route Table resource dependencies usage in Jinja2 templates to include related routes.
  • Renamed the Containers With Microsoft Defender for Cloud Disabled Insight to Cloud Account With Microsoft Defender Disabled for Containers.
  • Renamed the Database Instance with Microsoft Defender Disabled (Azure) Insight to Cloud Account with Microsoft Defender Disabled for SQL Servers.
  • Renamed the Microsoft Defender for Cosmos DB Is Set To 'Off' Insight to Cloud Account with Microsoft Defender for Cosmos DB Is Set To 'Off'.
  • Renamed the Storage Container with Microsoft Defender Disabled (Azure) Insight to Cloud Account with Microsoft Defender Disabled for Storage Accounts.
  • Renamed the Cloud Account Is Guest User Insight to Cloud User Is Guest.
  • Renamed the Database with Microsoft Defender Disabled (Azure) Insight to Cloud Account with Microsoft Defender Disabled for Azure SQL Databases.
  • Renamed the Instance with Microsoft Defender Disabled (Azure) Insight to Cloud Account with Microsoft Defender Disabled for Servers.
  • Renamed the Web App with Microsoft Defender Disabled (Azure) Insight to Cloud Account with Microsoft Defender Disabled for App Service.
  • Renamed the DNS Zone With Microsoft Defender for Cloud Disabled Insight to Cloud Accounts with Microsoft Defender for Cloud Disabled for DNS.
  • Renamed the Encryption Key Vault with Microsoft Defender Disabled (Azure) Insight to Cloud Accounts with Microsoft Defender Disabled for Encryption Key Vault.
  • Renamed the Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is disabled Insight to Cloud Accounts with Microsoft Defender for Endpoint Integration Disabled.
  • Renamed the Microsoft Defender Cloud Apps Integration Disabled Insight to Cloud Accounts with Microsoft Defender Cloud Apps Integration Disabled.
  • Renamed the Resource Manager with Microsoft Defender Disabled Insight to Cloud Accounts with Microsoft Defender Disabled for Resource Manager.
  • Reduced latency and lock times for the Scheduled Events page.
  • Updated the AWS Network Firewall Harvester to store AWS and Suricata domain-based rules. This will cause modifications on first harvest post-release for all firewalls that have rules targeting domains instead of IP ranges.

Fixed

  • Resolved an issue that caused the Network Watcher Not Enabled For All Regions Insight to show false positives.
  • Removed the Reset MFA option from the Users Action menu.
  • Resolved an issue preventing the Host Assessment Lifecycle Snapshot Checker job from creating ASSESSMENT_MAX_NUMBER_OF_RUNNING_ASSESSMENTS snapshots.
  • Resolved an issue with the Connect Instance harvester and its comparison of associated Encryption Keys.
  • Resolved an issue with Azure MySQL and PostgreSQL Flexible Servers not harvesting the correct values for minimum TLS and transport security properties.
  • Resolved an issue that was causing incorrect resource counts after clearing Insight findings search results on the Resources page.
  • Resolved package security vulnerabilities in accordance with our vulnerability resolution policy.
  • Resolved an issue with the Network Firewall harvester where it was not storing rule port ranges.
  • Resolved an issue with Insight downloads by passing scopes to download.
  • Resolved an issue that caused the Load Balancer SSL Policy Lookup Query Filter to show false positives when the "not in" flag was used.
  • Resolved an issue that occurred when resources were being deleted while the AWS Subnet harvester was running.
  • Resolved a performance issue when exporting resource data.
  • Resolved the Column 'reason' cannot be null error with the Security Posture harvester.
  • Improved handling for the Client Error: InvalidRouteTableID.NotFound exception.