Oct 29, 2024
24.10.29

Release Summary

InsightCloudSec is pleased to announce release version 24.10.29. This release includes two new AWS resources, multiple new Insights and Query filters, and an improved Host Vulnerability Assessment settings experience.

New Permissions: Amazon Web Services (AWS)

These permissions support the AWS Search Index Data Source, Textract Adapter, and Comprehend resources. All permissions have been added to the appropriate onboarding user roles.

  • "comprehend:ListEntitiesDetectionJobs"
  • "comprehend:ListDocumentClassificationJobs"
  • "comprehend:ListTopicsDetectionJobs"
  • "kendra:DescribeDataSource"
  • "kendra:ListDataSources"
  • "textract:GetAdapterVersion"
  • "textract:ListAdapterVersions"

Details for self-hosted customers

  • Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually 2-3 days after SaaS customers are upgraded. The estimated date for this version's self-hosted availability is Thursday, October 31, 2024.
    • The latest Terraform template (static files and modules) can be downloaded here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery.

New

  • Added support for the AWS Search Index Data Source and Textract Adapter resources.
  • Added the following Insights:
    • Encryption Key Vault with Role Based Access Control Disabled (mapped to CIS Azure 2.1 Recommendation 8.6)
    • Resource Without Azure Monitor Logging Configured
    • Security Group with HTTP(S) Access from Internet
    • Security Group with RDP Access from Internet
    • Security Group with SSH Access from Internet
    • Security Group with UDP Access from Internet
    • Cloud Account without Multi-Factor Authentication report Policies for All Users (mapped to CIS Azure 2.1 Recommendation 1.2.4)
    • Textract Adapter using Cloud Managed Key Instead of Customer Managed Key
    • Textract Adapter Has Publicly Exposed Data
    • Textract Adapter without KMS Encryption Key Configured
  • Added the following Query Filters:
    • Cloud Account without Multi-Factor Authentication report Policies for All Users
    • Load Balancer With No HTTP Listeners Redirecting To HTTPS
    • Textract Adapter Feature Type
    • Textract Adapter Version Status
    • Textract Adapter data is Publicly Exposed
    • Textract Adapter Without KMS key
  • Added source document support for AWS Redshift Serverless Namespaces and Workgroups.
  • Updated the Host Vulnerability Assessment Settings details with more context and improved organization.

Improved

  • Updated the Cloud Credentials Accessible To The Public Query Filter to handle cases where GCP API Keys were not being flagged despite not having any external access restrictions.
  • Expanded AWS Comprehend support to include the following job types: Topics Detection, Entities Detection, and Custom Classification.
  • Moved the Search Index resource from the Compute category to the Machine Learning & AI category in the Resources Inventory.

Fixed

  • Fixed false positive occurrences for the Instance Without Block Project-wide SSH Keys Enabled Insight.
  • Fixed GCP Cloud Run harvesting to reflect that multiple containers can be part of each service.
  • Fixed issues where non-source document resources would not be stored after being deleted by a Bot.
  • Fixed an issue with the AWS Connect Instance Harvester resource ID.
  • Fixed an issue where environment variables that no longer exist on Serverless Function resources were not removed from source documents.
  • Fixed the Internet Gateway resource converter for AWS CloudFormation Infrastructure-as-Code (IaC) scans.
  • Fixed the MapReduce resource converter for AWS CloudFormation IaC scans.
  • Fixed the NAT Gateway resource converter for AWS CloudFormation IaC scans.
  • Fixed the API Accounting resource converter for AWS CloudFormation IaC scans.
  • Fixed Lambda event-driven harvesting that was incorrectly ignoring UpdateFunctionConfiguration, UpdateFunctionConfiguration20150331, and UpdateFunctionConfiguration20150331v2 events.