Release Summary
InsightCloudSec is pleased to announce release version 25.3.25. This release includes support for the Ingress Nightmare vulnerabilities, new GCP resources, and improved AWS Connect support.
Azure deprecation announcements
Azure Database for PostgreSQL Single Server deprecation announcement
Azure announced the deprecation of Database for PostgreSQL Single Server and retired the service on September 16, 2024. After March 28, 2025, Azure Database for PostgreSQL Single Server instances will no longer receive security updates or fixes. Non-responsive PostgreSQL Single Server instances that have not migrated to another service will be deleted. Azure recommends migrating to a PostgreSQL Flexible Server instance and will attempt to automatically migrate any non-responsive PostgreSQL Single Server instances. For more information, review the Azure documentation: https://learn.microsoft.com/en-us/azure/postgresql/migrate/whats-happening-to-postgresql-single-server
To assist with identifying affected resources, InsightCloudSec has added a new Insight available with this version that will flag any PostgreSQL Single Server instances: Azure Database Instance Single Server Migration (PostgreSQL)
After March 28, 2025, the following Insights will be removed:
- Database Instance Allowing Access from Cloud Resources (PostgreSQL Single Server)
- Database Instance without Infrastructure Encryption Enabled (PostgreSQL Single Server)
- Database Instance Not Configured to Log Connections (PostgreSQL Single Server)
- Database Instance Not Configured to Log Disconnections (PostgreSQL Single Server)
- Database Instance Not Configured to Throttle Connections (PostgreSQL Single Server)
- Database Instance Log Retention Below Threshold (PostgreSQL Single Server)
- Database Instance not Enforcing Transit Encryption (PostgreSQL - Single Server)
- Database Instance not configured to Log Checkpoints (PostgreSQL Single Server)
After March 28, 2025, the following Query Filter will be removed:
- Database Instance Server Type
Details for self-hosted customers
Version 25.3.25 requires downtime
It is recommended to schedule downtime for InsightCloudSec with your user base and scale interface servers to 0 before taking this upgrade. After the upgrade is complete, you may revert the interface server scaling.
- Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually six business days after SaaS customers are upgraded. The estimated date for this version's self-hosted availability is March 31, 2025.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the `terraform get -update` command.
- Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1
New
- Added a Query Filter to assist with identifying resources that could be exploited by the Ingress Nightmare vulnerabilities: Publicly exposed vulnerable Ingress NGINX Admission. Read our blog post for additional details.
- Added the following Insights:
  - Cloud Credential Without Restricted Use
  - Compute Instance With Public IP Address (Excluding GKE)
- Added the following Query Filter:
  - Cloud Credentials with Weak Restrictions
- Added support for GCP Artifact Registry Docker images and Maven artifacts. These resources do not require any new permissions. Support includes the following Query Filters:
  - Artifact Registry Docker Image With/Without Tags
  - Artifact Registry Docker Image Tag Search
Improved
- Updated the formatting on the following Insight descriptions for improved readability and compliance pack alignment:
  - Database Instance Flag 'log_disconnections' Disabled
  - Database Instance Flag 'log_statement' Not Set Appropriately
  - Database Instance Flag 'log_min_duration_statement' Enabled
  - Database Instance Flag 'external scripts enabled' Enabled
  - Database Instance Flag 'cross db ownership chaining' Enabled
- Added support for harvesting tags for AWS Connect Instances.
- Removed the `VMSummaryProcessor` background job as its functionality has been duplicated by the report generation job that occurs after assessments.
Fixed
- Fixed an issue where the Resource Type field was not initialized with selected values when creating an Insight.
- Fixed an issue where refreshing a tag's overview page in the Tag Explorer would show an error.
- Fixed an issue where the link to view resources associated with an application would not apply the scope properly.
- Fixed an issue where Insights removed from an Insight Pack would not be removed from the Ignore/Warn lists for IaC Configurations using that Insight Pack.
- Fixed an issue with multiple copies of the same AWS account managed by an organization being created during the onboarding process. Contact Support or your Customer Success Advisor for assistance with removing duplicate accounts.