24-12-3 | Cloud Security Documentation

Dec 03, 2024
24.12.3

Delayed release: This release includes new Insights and Query Filters, a new Bot Action, and performance improvements.

⚠️

Delayed release

This release has been delayed until December 4, 2024.

Release Summary

InsightCloudSec is pleased to announce release version 24.12.3. This release includes new Insights and Query Filters, a new Bot Action, and performance improvements.

⚠️

AWS onboarding updates

The AWS onboarding script and CloudFormation Template have been updated to use the SecurityAudit AWS managed policy as the base policy for read only harvesting permissions. The SecurityAudit policy covers most required permissions and the remaining are covered by a single supplemental policy. This has the benefit of reducing the number of attached policies and resolves an issue where the CFT template size exceeded the max 51200 byte size for direct uploads using the onboarding script.

This also introduces a new permissions requirement to the AWS onboarding script. The current IAM Role must have the following permissions:

{\"Sid\": \"AllowSecurityAuditPolicyIntrospection\", \"Effect\": \"Allow\", \"Action\": [\"iam:ListPolicyVersions\" \"iam:GetPolicyVersion\"], \"Resource\": [\"arn:aws:iam::aws:policy/SecurityAudit\"]}

To revert to using explicit read only policies, use the python onboard.py --explicit-readonly-policy --skip-deploy option. Note the explicit policies currently exceed the max upload size for the --template-body option and the template must be uploaded to s3 manually or using the CloudFormation console’s create or update forms.

For more information, review the AWS Managed Policy documentation: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html

Details for self-hosted customers

Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually 2-3 days after SaaS customers are upgraded. The estimated date for this version’s self-hosted availability is December 5, 2024.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the terraform get -update command
Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1

New

Added the following Insights:
- Cloud Account With Authorization Policy - Allowed To Create Tenants Not Disabled
- Cloud Account Without Microsoft Defender For Cloud Security Email Subscription Owners Set (mapped to CIS Azure 2.1 Recommendation 2.1.17)
- Cloud Account Microsoft Defender For Cloud Alert Notifications Not Properly Configured (mapped to CIS Azure 2.1 Recommendation 2.1.19)
- Cloud Account Without MFA Requirement to Register or Join Devices With Microsoft Entra ID
Added the following Query Filters:
- Cloud Account With Authorization Policy - Allowed To Create Tenants Not Disabled
- Cloud Account Microsoft Defender For Cloud Security Email Subscription Owners Not Set
- Cloud Account Microsoft Defender For Cloud Alert Notifications Not Properly Configured
- Cloud Account Without MFA Requirement to Register or Join Devices With Microsoft Entra ID

Improved

The Host Assessment Instance Check job now runs every hour instead of every 12.
Updated the default sort order for the Business Critical and Favorite columns to descending for the Applications page.
Added Azure support for the Route Table Route Destination Target Type Query Filter and expanded it to include the functionality of the Route Table Route Destination Missing Target Type Query Filter.
Marked the Route Table Route Destination Missing Target Type Query Filter for deprecation.
Expanded Delete Resource action support on the Resources page to include Azure API Access Keys.
Renamed the Disable Cloud User Access Keys Bot Action to Disable All Cloud User Access Keys.
Added a new Disable Cloud User Access Keys Exceeding Age Threshold Bot Action to delete keys that are older than the provided number of days.
Turned on the Scheduled Events retention policy by default. Inactive events and history older than a year will be deleted.

Fixed

Corrected cloud type support for the following Query Filters to indicate support only for Alibaba Cloud and AWS:
- Instance scanned or assessed by InsightVM
- Instance not scanned or assessed by InsightVM
- Instance scanned or assessed by InsightVM Last Assessment Threshold
- Instance With Crowdstrike Falcon Agent Configured
- Instance Without Crowdstrike Falcon Agent Configured
- Instance With SentinelOne Agent Configured
- Instance Without SentinelOne Agent Configured
Corrected cloud type support for the following Query Filters to indicate support only for AWS, AWS China, AWS Gov:
- Instance With Tenable.io Agent Configured
- Instance With Tenable.io Agent Not Configured
- Instance With Tenable.io Agent Last Checkin Threshold
- Instance With Qualys Agent Configured
- Instance Without Qualys Agent Configured
- Instance with Resource Agent Operating System Platform
- Instance Operating System Distribution (Regex)
- Instance Agent Type
Fixed the onboarding CloudFormation template sizes to not exceed the maximum byte size for direct upload using the onboarding script.
Fixed the Security Group resource converter for AWS CloudFormation Infrastructure-as-Code (IaC) scans.
Fixed an issue where the Web Application Firewall harvester demonstrated unexpected modification behavior.
Fixed an issue where the AWS Global Access Point harvester failed unexpectedly.
Fixed an issue where the AWS Collaboration harvester failed to complete.
Fixed the logic for the Cloud Account Without Diagnostic Settings Query Filter to correctly return cloud accounts with misconfigured or no diagnostic settings.
Removed AWS Gov and AWS China support for AWS Macie-related Query Filters and Insights as Macie does not support them.
Fixed an issue where insufficient permissions for a GCP project caused the GCP Organization Onboarding Kickoff job to fail, which in turn caused stale projects to not be deleted in InsightCloudSec and project and folder tags for the organization to not be updated.
Fixed false positives for the Access List Allows Public Access by improving the logic that checks for private IPV6 addresses.
Fixed an issue where AWS Comprehend Jobs without names would cause the Comprehend Job harvester to fail.
Fixed an issue preventing printing the Cloud Summary.
Fixed issues related to a missing public_accessibility field for Vulnerabilities exports.
Fixed an issue where the Assessment Coverage Details in the Vulnerabilities Settings page was displaying data from out-of-scope organizations and cloud services.
Fixed an issue preventing Slack notifications when there are multiple webhooks.
Fixed an issue where some instance flavors in AWS were missing.
Fixed the Distributed Table harvester to handle corrupted AWS responses.