Oct 16, 2024

24.10.15

Release Summary

InsightCloudSec is pleased to announce release version 24.10.15. This release includes a Kubernetes cluster reclassification, new AWS resources, and many new Query Filters and Insights.

New Permissions: Amazon Web Services

These permissions support the new AWS Elasticsearch Ingest Pipeline and Amazon Chime resources. All permissions have been added to the appropriate onboarding user roles.

For AWS Read-Only Users:

  • "chime:ListVoiceConnectors"
  • "chime:GetVoiceConnectorOrigination"
  • "chime:GetVoiceConnectorTermination"
  • "osis:GetPipeline"
  • "osis:ListPipelines"

For AWS Power Users:

  • "chime:*"
  • "osis:*"
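To verify that an existing onboarding role already carries the read-only actions listed above, the following script (an added example, not InsightCloudSec's own code) reads an IAM policy document and reports which of the required actions its Allow statements do not cover, honouring IAM's case-insensitive wildcard matching so that the power-user "chime:*" and "osis:*" grants also satisfy the check. The policy document in the block is a constructed sample.

```python
"""Check whether an IAM policy document grants the read-only actions added in
InsightCloudSec 24.10.15. Simplification (assumption): only Allow statements
with an Action element are evaluated; Deny and NotAction are ignored."""
import fnmatch
import json

# Read-only permissions listed in the release notes.
READ_ONLY_REQUIRED = [
    "chime:ListVoiceConnectors",
    "chime:GetVoiceConnectorOrigination",
    "chime:GetVoiceConnectorTermination",
    "osis:GetPipeline",
    "osis:ListPipelines",
]


def allowed_actions(policy: dict) -> list[str]:
    """Collect the Action patterns of every Allow statement (string or list)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def action_granted(action: str, patterns: list[str]) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_permissions(policy: dict, required=READ_ONLY_REQUIRED) -> list[str]:
    """Return the required actions that no Allow statement in the policy covers."""
    patterns = allowed_actions(policy)
    return [a for a in required if not action_granted(a, patterns)]


# Constructed sample: a read-only role policy written before this release.
OLD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["chime:List*", "es:Describe*"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for action in missing_permissions(OLD_POLICY):
        print("missing:", action)
```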

Python upgrade

With this release, InsightCloudSec is upgrading its Python runtime to version 3.10. Custom Plugins may be affected, so contact your Customer Success Manager or Support for help upgrading your plugins.

Details for self-hosted customers

InsightCloudSec version 24.10.15 will not be made available to self-hosted customers. Use version 24.10.8 or wait until the next release (24.10.22).

New

  • Local and cloud-managed (remote) Kubernetes clusters, such as Azure Kubernetes Service (AKS) or Elastic Kubernetes Service (EKS), are now tracked in relation to their parent cloud account, so they are included in the full count when exploring a Cloud Account's resources. You can still manage all your clusters on the Kubernetes Clusters page. As a result of this change, many features throughout InsightCloudSec, including the Resource Inventory, Layered Context, and Vulnerabilities, now help you monitor your Kubernetes clusters. You may also see changes in Insight findings and Query Filter results, which means Bots scoped to generic filters (for example, to AWS or to a Cloud Account rather than to a specific resource) may now run against these clusters.
  • Added support for the AWS Elasticsearch Ingest Pipeline and Amazon Chime resources, including various new and modified Query Filters and Insights.
  • Added the following Insights to map to CIS Azure 2.1 recommendations:
    • Cloud Account without Additional email addresses configured for Security Contact Email (recommendation 2.1.18)
    • Storage Account with Cross Tenant Replication Enabled (recommendation 3.16)
    • Cloud Account without Diagnostic Settings for Activity Logs (recommendation 5.1.1)
    • Cloud Account with Conditional Access Policy that Blocks Geographic Locations Out Of Scope (recommendation 1.2.2)
  • Added the following Insights:
    • Allow Listed Compute Instance Open to the Public
    • ElasticSearch Ingest Pipeline using Cloud Managed Key Instead of Customer Managed Key
    • ElasticSearch Ingest Pipeline Has Publicly Exposed Data
    • ElasticSearch Ingest Pipeline With Destination Bucket Without VPC Restricted Access
    • ElasticSearch Ingest Pipeline Not Within VPC
    • ElasticSearch Ingest Pipeline Without Logging Configured
  • Added the following Query Filters:
    • Content Delivery Network With Specified Origin Type
    • Content Delivery Network With Custom Origins (Regex)
    • Cloud Account Without Diagnostic Settings
    • Cloud Account with Conditional Access Policy without included locations enabled
    • Allow Listed Instance Open to the Public
    • ElasticSearch Ingest Pipeline Within VPC
    • ElasticSearch Ingest Pipeline Status
    • ElasticSearch Ingest Pipeline Destination Bucket Not Restricted To VPC
    • ElasticSearch Ingest Pipeline Destination Bucket is Publicly Exposed
    • ElasticSearch Ingest Pipeline Without Logging Configured
  • Added source documents support for Amazon Connect, AWS Redshift Serverless Namespaces, and AWS Redshift Serverless Workgroups.
  • Added support for VPC Endpoint/PrivateLink resources in CloudFormation Infrastructure-as-Code (IaC) scans.

Improved

  • Added a retention policy of 365 days for completed Scheduled Events.
  • Renamed the Storage Account Allows Public Blob Access Insight to Storage Account with Allow Blob Anonymous Access Enabled to better map to CIS Azure 2.1 recommendation 3.17.
  • Reconfigured all Insight tags (labels) to conform to a standard format and to be more descriptive.
  • Marked the Content Delivery Network With Object Storage Origin Query Filter for future removal.
  • Marked the Content Delivery Network With Specific Origin Type Query Filter for future removal.
  • Marked the Instance With Serial Port Connectivity Enabled (Deprecating) Insight (ID 480) for future removal. Use the identical Insight, Instance With Serial Port Connectivity Enabled (ID 227), instead.
  • Added a new internal table to help audit Bot resource deletions.
  • Updated the look-and-feel of the Vulnerability Assessment In-Scope coverage graph for improved readability and usability.

Fixed

  • Improved exception handling for the Service Limit Harvester to reduce failures.
  • Fixed an issue where deleting a badge wouldn't immediately update the badge counts for cloud accounts that had the badge.
  • Fixed IaC scans not correctly identifying Container Registries with public network access.
  • The Case Insensitive toggle for Applications Settings has been temporarily disabled as it was not applying correctly.