25.2.11 (Feb 11, 2025)

Release Summary

InsightCloudSec is pleased to announce release version 25.2.11. This release includes a new Oracle Cloud Infrastructure resource, new Query Filters and Insights, and expanded AWS and GCP resource support.

Azure Database for MySQL Single Server deprecation announcement

Azure announced the deprecation of Database for MySQL Single Server and retired the service on September 16, 2024. After March 10, 2025, Azure Database for MySQL Single Server instances will no longer receive security updates or fixes, and non-responsive MySQL Single Server instances that have not been migrated to another service will be deleted. Azure recommends migrating to a MySQL Flexible Server instance and will attempt to automatically migrate any non-responsive MySQL Single Server instances. For more information, review the Azure documentation: https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server

To assist with identifying affected resources, this version adds a new Insight that flags any MySQL Single Server instances: Azure Database Instance Single Server Migration (MySQL)
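For customers who want to cross-check the new Insight against their own inventory, the following is an added example (not InsightCloudSec code) that flags Single Server instances from an `az resource list -o json` dump. Single Server and Flexible Server are distinct ARM resource types (`Microsoft.DBforMySQL/servers` vs `Microsoft.DBforMySQL/flexibleServers`, and likewise under `Microsoft.DBforPostgreSQL`), so the check is a resource-type match; it goes beyond the page by also covering PostgreSQL Single Server, whose Insights are being removed on the same date. The sample resources embedded in the script are constructed, with hypothetical names.

```python
# Added example (not InsightCloudSec code): flag Azure Database Single Server
# instances from the JSON array produced by `az resource list -o json`.
import json
import sys

# ARM resource types on the retirement path (Single Server) ...
SINGLE_SERVER_TYPES = {
    "microsoft.dbformysql/servers": "MySQL Single Server",
    "microsoft.dbforpostgresql/servers": "PostgreSQL Single Server",
}
# ... and their Flexible Server replacements, which must not be flagged.
FLEXIBLE_SERVER_TYPES = {
    "microsoft.dbformysql/flexibleservers": "MySQL Flexible Server",
    "microsoft.dbforpostgresql/flexibleservers": "PostgreSQL Flexible Server",
}


def find_single_servers(resources):
    """Return one finding per Single Server instance: (name, resourceGroup, kind).

    `resources` is a list of ARM resource dicts with at least `type` and `name`
    (the shape `az resource list -o json` produces). The type comparison is
    case-insensitive because ARM does not return provider casing consistently.
    """
    findings = []
    for r in resources:
        kind = SINGLE_SERVER_TYPES.get(str(r.get("type", "")).lower())
        if kind:
            findings.append((r["name"], r.get("resourceGroup", ""), kind))
    return findings


def migration_summary(resources):
    """Count Single vs Flexible servers per engine, to track migration progress."""
    summary = {"MySQL": {"single": 0, "flexible": 0},
               "PostgreSQL": {"single": 0, "flexible": 0}}
    for r in resources:
        t = str(r.get("type", "")).lower()
        if t in SINGLE_SERVER_TYPES:
            summary[SINGLE_SERVER_TYPES[t].split()[0]]["single"] += 1
        elif t in FLEXIBLE_SERVER_TYPES:
            summary[FLEXIBLE_SERVER_TYPES[t].split()[0]]["flexible"] += 1
    return summary


# Constructed sample in the shape of `az resource list -o json` (hypothetical names).
SAMPLE_RESOURCES = json.loads("""[
  {"name": "legacy-mysql-01", "type": "Microsoft.DBforMySQL/servers",
   "resourceGroup": "rg-data", "location": "eastus"},
  {"name": "mysql-flex-01", "type": "Microsoft.DBforMySQL/flexibleServers",
   "resourceGroup": "rg-data", "location": "eastus"},
  {"name": "pg-legacy-02", "type": "Microsoft.DBforPostgreSQL/servers",
   "resourceGroup": "rg-analytics", "location": "westeurope"},
  {"name": "web-vm", "type": "Microsoft.Compute/virtualMachines",
   "resourceGroup": "rg-web", "location": "eastus"}
]""")


if __name__ == "__main__":
    # Usage: az resource list -o json > resources.json
    #        python3 find_single_servers.py resources.json
    # Without a file argument the constructed sample is evaluated instead.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESOURCES
    for name, rg, kind in find_single_servers(data):
        print(f"MIGRATE  {kind:<24} {rg}/{name}")
    print(migration_summary(data))
```

Run it against every subscription you own; `az resource list` is scoped to the current subscription, so iterate `az account list` if you have several. A Flexible Server count that is rising while the Single Server count falls is the signal that the migration is progressing.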

After March 10, 2025, the following Insights will be removed:

  • Database Instance Allowing Access from Cloud Resources (PostgreSQL Single Server)
  • Database Instance without Infrastructure Encryption Enabled (PostgreSQL Single Server)
  • Database Instance Not Configured to Log Connections (PostgreSQL Single Server)
  • Database Instance Not Configured to Log Disconnections (PostgreSQL Single Server)
  • Database Instance Not Configured to Throttle Connections (PostgreSQL Single Server)
  • Database Instance Log Retention Below Threshold (PostgreSQL Single Server)
  • Database Instance not Enforcing Transit Encryption (PostgreSQL - Single Server)
  • Database Instance without Connection Log Auditing Events (MySQL Single Server)
  • Database Instance not Enforcing Transit Encryption (MySQL Single Server)
  • Database Instance not configured to Log Checkpoints (PostgreSQL Single Server)
  • Database Instance without Log Auditing Enabled (MySQL Single Server)

After March 10, 2025, the following Query Filter will be removed:

  • Database Instance Server Type

Azure deprecating virtual network injection for Azure Data Explorer (ADX)/Kusto clusters

Beginning February 1, 2025, Azure will restrict an Event Hub's system-assigned identity from entering an ADX cluster's virtual network. If you are currently using the Azure Least-Privileged Access feature and deployed it using a virtual network, you will need to migrate to managed private endpoints instead. We recommend following Azure's detailed migration guide.

Details for self-hosted customers

New

  • Added support for the OCI Integration Instance resource.

    New Permissions: Oracle Cloud Infrastructure (OCI)

    These permissions support the Integration Instance resources. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.

    • Allow group <GROUP_NAME> to read integration-instances in tenancy
  • Added the following Query Filters:

    • ETL Jobs Without Encryption In Security Configurations

    • Elasticache Instance With User Group Access Control

      New Permissions: Amazon Web Services (AWS)

      These permissions support the AWS ElastiCache resource. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.

      • "elasticache:DescribeUserGroups"
    • Storage Container Retention Configuration

    • Bedrock Model Without Invocation Logging Configured

    • Integration instance data retention period (OIC)

    • Integration instance age

  • Added the following Insights:

    • Internet-Facing Load Balancer Without Web Application Firewall
    • Bedrock Model Without Invocation Logging Configured
    • Azure Database Instance Single Server Migration (MySQL)

Improved

  • Added support for harvesting the user group associated with AWS Cache Instance resources.
  • Added support for harvesting the retention policy on GCP Storage Container resources.
  • Added support for harvesting logging configuration details on AWS Bedrock Model resources.
  • Added Kubernetes cluster name (when applicable) to the Vulnerability Resource Report download.
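For customers who want to reproduce the Bedrock Model Without Invocation Logging Configured Insight outside the product, the following is an added example (not InsightCloudSec code). Bedrock model invocation logging is an account-level setting per region rather than a per-model one: the control-plane call `get_model_invocation_logging_configuration` on the boto3 `bedrock` client returns a `loggingConfig` key only when logging has been set up. The evaluation function is pure so it can be tested offline; the live call is isolated in `check_region`. The sample responses, log group name and IAM role ARN are constructed and hypothetical, and the role permissions mentioned in the comments are an assumption, not something this page states.

```python
# Added example (not InsightCloudSec code): evaluate Amazon Bedrock model
# invocation logging for one region, and build the compliant configuration.


def evaluate_invocation_logging(response):
    """Evaluate one region's GetModelInvocationLoggingConfiguration response.

    Returns (compliant, findings). Compliant means at least one delivery
    destination (CloudWatch log group or S3 bucket) is configured; findings
    lists every gap, including data types whose delivery is switched off.
    """
    cfg = response.get("loggingConfig") or {}
    if not cfg:
        return False, ["model invocation logging is not configured"]

    findings = []
    cloudwatch = cfg.get("cloudWatchConfig") or {}
    s3 = cfg.get("s3Config") or {}
    has_cloudwatch = bool(cloudwatch.get("logGroupName"))
    has_s3 = bool(s3.get("bucketName"))
    if not (has_cloudwatch or has_s3):
        findings.append("logging config has no CloudWatch log group or S3 bucket destination")
    # Each delivery flag that is off means that class of invocation payload
    # (prompt/response text, images, embeddings) is not being logged.
    for flag in ("textDataDeliveryEnabled",
                 "imageDataDeliveryEnabled",
                 "embeddingDataDeliveryEnabled"):
        if not cfg.get(flag, False):
            findings.append(f"{flag} is false")
    return (has_cloudwatch or has_s3), findings


def cloudwatch_logging_config(log_group_name, role_arn):
    """Build the loggingConfig argument for PutModelInvocationLoggingConfiguration.

    role_arn is assumed to be an IAM role Bedrock can assume with permission
    to write to the log group (assumption for this example).
    """
    return {
        "cloudWatchConfig": {"logGroupName": log_group_name, "roleArn": role_arn},
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": True,
    }


def check_region(region_name):
    """Live check for one region; needs boto3 and AWS credentials (not run by tests)."""
    import boto3  # imported here so the pure evaluation above has no dependency
    client = boto3.client("bedrock", region_name=region_name)
    return evaluate_invocation_logging(client.get_model_invocation_logging_configuration())


# Constructed sample responses (hypothetical names) in the shape boto3 returns.
RESPONSE_NOT_CONFIGURED = {"ResponseMetadata": {"HTTPStatusCode": 200}}
RESPONSE_CLOUDWATCH = {
    "loggingConfig": cloudwatch_logging_config(
        "/aws/bedrock/model-invocations",
        "arn:aws:iam::123456789012:role/BedrockInvocationLogging"),
}
RESPONSE_NO_DESTINATION = {"loggingConfig": {"textDataDeliveryEnabled": True}}


if __name__ == "__main__":
    samples = (("not configured", RESPONSE_NOT_CONFIGURED),
               ("cloudwatch", RESPONSE_CLOUDWATCH),
               ("no destination", RESPONSE_NO_DESTINATION))
    for label, resp in samples:
        compliant, findings = evaluate_invocation_logging(resp)
        print(f"{label:<15} compliant={compliant} findings={findings}")
```

Because the setting is regional, run `check_region` for every region in which Bedrock is enabled; a region with models in use but an empty configuration is exactly what the Insight above is meant to surface.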

Fixed

  • Fixed an issue where the incorrect value was being stored for the Soft Deletion Threshold on GCP Storage Containers.
  • Fixed an issue where Container resource records were not being properly deleted from the database, which should result in improved performance for container-related queries.
  • Fixed an issue preventing users with the proper entitlements from creating new infrastructure as code (IaC) configurations.
  • Fixed an issue where IaC scans would incorrectly pass resources if they were explicitly encrypted using an AWS-native Key Management Service (KMS) key alias.