Release summary
InsightCloudSec is pleased to announce release version 25.5.6. This release includes new Insights and Query Filters, Kubernetes Guardrails debug functionality, and expanded support for Event Grid Topics.
New Microsoft Azure Permissions
These permissions were missing and are required to support the Azure Web App resource. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.
"Microsoft.Web/sites/basicPublishingCredentialsPolicies/read"
Details for self-hosted customers
- Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually six business days after SaaS customers are upgraded. The estimated date for this version's self-hosted availability is May 11, 2025.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the
terraform get -updatecommand.
- Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1
New
- Added the following Insights:
Database Instance Flag 'log_min_error_statement' Is Not Set to Error or Stricter
- Added the following Query Filters:
Relay Namespace by Public Network Access StateRelay Namespace Invalid Diagnostic Logging ConfigurationEvent Grid Topics With Local Auth DisabledEvent Grid Topics By Minimum TLS Version AllowedCloud Account Not Using Key VaultDatabase Instance 'log_min_error_statement' Flag Does Not Match Required Logging Level Criteria
Improved
Added a debug flag for Kubernetes Guardrails logs to assist with troubleshooting and diagnosing issues.
Added the ability for GCP Cloud Organizations to consume API quota from the individual projects instead of relying on the management project in which the service account belongs. This should reduce rate limiting failures for GCP harvesters on Organization cloud accounts. This feature is enabled by request only and requires an additional
Service Usage Consumerrole.Expanded support for Event Grid Topic resources to harvest additional data.
Added a link to the documentation on the Risk Overview and Compliance Overview tabs on the Cloud Summary page.
Improved the coverage for the
Publicly exposed vulnerable Ingress NGINX AdmissionInsight to report on broader types of Kubernetes resources.Added the vulnerability first found date to the Resource Vulnerability Report.
Replaced the
Azure Key Vault not used to store Web App secretsInsight with theCloud Account Not Using Key VaultInsight to prevent false positives and improve accuracy. TheAzure Key Vault not used to store Web App secretsInsight will be available until version 25.7.1.Added support for AWS Event Bridge Schedule. This feature is enabled by request only.
Added new job states for better error logging.
Removed the Include Suspended checkbox on the Clouds > Summary page. You can still filter on suspended accounts using the Coverage Overview widget.
We made several changes to our user interface to improve the experience and consistency for the following pages:
- Harvesting Strategy
- Exemptions
- Tag Explorer
Additionally, the button to Switch to Legacy UI has been removed.
Fixed
- Fixed an issue that prevented scheduled events from displaying for Azure Gov Cloud accounts.
- Fixed an issue on the Resources Inventory page where making changes in the View Options window and closing it before saving would still apply the changes.
- Fixed an issue that caused the
ControlPolicyHarvesterto fail for new GCP Organization policies if it has a different structure than other policies. - Fixed an issue causing the
EtlDataCatalogHarvesterto fail when a connection that was previously encrypted with a KMS key is no longer encrypted. - Fixed an issue causing the
NetworkFirewallHarvesterto fail for a list of comma-delimited ports. - Fixed an issue causing some vulnerabilities to not be returned when using Jinja templating with certain Bot Actions.
- Fixed an issue causing the
CloudWatchLogDestinationHarvesterto not retrieve all tags properly. - Fixed an issue causing the
SearchIndexDataSourceHarvesterto fail when it encountered a custom datasource on an AWS Kendra Index. - Fixed the
Database Instance Is Multi-Availability ZoneandDatabase Instance Is Not Multi-Availability ZoneQuery Filters to perform on both the cluster and instance level. - Fixed the
Identity Resource Does Not Have PolicyQuery Filter to also check IAM users with groups.
Upcoming release information for May
Our new API documentation will be available starting next week!
API documentation for all InsightCloudSec customers will soon be available starting with release 25.5.13. With each phased release, you will be able to access the new standardized and comprehensive API documentation by navigating to your Profile page or selecting the help icon from InsightCloudSec.
This change is part of a larger effort to improve your API experience, including:
- Standardized error handling
- Documentation that stays in sync with implementation
- Request validation
- Performance optimizations
- Pagination consistency
- Response enrichment for every endpoint
The focus of the next three releases (25.5.13, 25.5.20, 25.5.27) is to primarily ensure a smooth roll-out for the API documentation, but some releases may contain unrelated additional fixes and improvements. The next standard release will be on June 3, 2025. Reach out to your CSA or support with questions or concerns.