Release Summary
InsightCloudSec is pleased to announce release version 24.11.19. This release includes a new AWS resource, expanded source documents support, and a Kubernetes security benchmark upgrade.
Limited release for 24.11.26
As next week includes a U.S. federal holiday, we will not be providing a formal release with release notes on November 26th, 2024. SaaS or self-hosted customers may have minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on December 3, 2024. Reach out to your CSM or support with questions or concerns.
New Permissions: AWS
These permissions were missing from the default onboarding roles and are required to support the Web Application Firewall (WAF) and WAF regional resources.
"waf-regional:ListGeoMatchSets"
"waf-regional:ListIPSets"
"waf-regional:ListRuleGroups"
"waf:ListGeoMatchSets"
"waf:ListIPSets"
"waf:ListRuleGroups"
"wafv2:ListIPSets"
"wafv2:ListRuleGroups"
"waf-regional:ListActivatedRulesInRuleGroup"
"waf-regional:ListLoggingConfigurations"
"waf:ListActivatedRulesInRuleGroup"
Details for self-hosted customers
- Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually 2-3 days after SaaS customers are upgraded. The estimated date for this version's self-hosted availability is November 21, 2024.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the terraform get -update command.
- Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1
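To confirm that a role's policy document already grants the actions listed under New Permissions: AWS, the following added example (not InsightCloudSec code) reports which of them are missing. It assumes a standard IAM JSON policy document; the sample policy and the function names are constructed here, and only the Action patterns of Allow statements are checked (Deny, NotAction, Resource and Condition are not evaluated).

```python
import json
import re

# The eleven AWS actions listed in these release notes.
REQUIRED_ACTIONS = [
    "waf-regional:ListGeoMatchSets", "waf-regional:ListIPSets",
    "waf-regional:ListRuleGroups", "waf:ListGeoMatchSets",
    "waf:ListIPSets", "waf:ListRuleGroups",
    "wafv2:ListIPSets", "wafv2:ListRuleGroups",
    "waf-regional:ListActivatedRulesInRuleGroup",
    "waf-regional:ListLoggingConfigurations",
    "waf:ListActivatedRulesInRuleGroup",
]

# Constructed sample policy document (not a real onboarding role).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["waf:List*", "wafv2:ListIPSets"], "Resource": "*"},
    {"Effect": "Allow", "Action": "waf-regional:ListIPSets", "Resource": "*"},
    {"Effect": "Deny", "Action": "wafv2:ListRuleGroups", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, pattern):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow pattern covers."""
    patterns = allowed_patterns(policy)
    return [a for a in required if not any(_matches(a, p) for p in patterns)]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```
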
New
- Added source document support for AWS Containers.
- Added support for the AWS Resource Control Policy resource. This resource does not require any new permissions.
Improved
- Renamed the "Classic Global Web Application Firewall Has Rule Group With No Rules" Query Filter to "Web Application Firewall Has Rule Group With No Rules".
- Added support for the following AWS Comprehend Jobs:
  - Key Phrases Detection
  - Dominant Language Detection
  - Events Detection
- Upgraded CIS Kubernetes - 1.8.0 support to 1.10.0 to ensure alignment with the latest security benchmarks and compliance standards and to enhance automated audit checks. As part of this upgrade, we have added the "Ensure that the kube-proxy metrics service is bound to localhost" Insight and deprecated the "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used" Insight.
- Added a new job to improve the count accuracy for Container Registries.
Fixed
- Fixed an issue causing incorrect counts of Vulnerabilities on the Vulnerabilities > Resources page.
- Fixed an issue where the Public resources at risk of privilege escalation toxic combination displayed an inflated number of resources on the Summary page.
- Fixed an issue where some combinations of filters would break the page.
- Fixed the Insight deprecation logic.
- Fixed handling of Kubernetes Gatekeeper Constraint and ConstraintTemplates without annotations.
- Fixed the Security Group resource converter for AWS CloudFormation Infrastructure-as-Code (IaC) scans.
- Fixed an issue preventing proper resource relationships between Notification Topics and Notification Subscriptions.