Release summary
InsightCloudSec is pleased to announce release version 25.5.6. This release includes new Insights and Query Filters, Kubernetes Guardrails debug functionality, and expanded support for Event Grid Topics.
New Microsoft Azure Permissions
These permissions were missing and are required to support the Azure Web App resource. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.
"Microsoft.Web/sites/basicPublishingCredentialsPolicies/read"
Details for self-hosted customers
- Release Availability - Self-hosted customers can usually download the new version of InsightCloudSec six business days after SaaS customers are upgraded. The estimated date for this version's self-hosted availability is May 11, 2025.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the `terraform get -update` command.
- Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1
New
- Added the following Insights:
  - Database Instance Flag 'log_min_error_statement' Is Not Set to Error or Stricter
- Added the following Query Filters:
  - Relay Namespace by Public Network Access State
  - Relay Namespace Invalid Diagnostic Logging Configuration
  - Event Grid Topics With Local Auth Disabled
  - Event Grid Topics By Minimum TLS Version Allowed
  - Cloud Account Not Using Key Vault
  - Database Instance 'log_min_error_statement' Flag Does Not Match Required Logging Level Criteria
Improved
- Added a debug flag for Kubernetes Guardrails logs to assist with troubleshooting and diagnosing issues.
- Added the ability for GCP Cloud Organizations to consume API quota from the individual projects instead of relying on the management project to which the service account belongs. This should reduce rate limiting failures for GCP harvesters on Organization cloud accounts. This feature is enabled by request only and requires an additional Service Usage Consumer role.
- Expanded support for Event Grid Topic resources to harvest additional data.
- Added a link to the documentation on the Risk Overview and Compliance Overview tabs on the Cloud Summary page.
- Improved the coverage for the "Publicly exposed vulnerable Ingress NGINX Admission" Insight to report on broader types of Kubernetes resources.
- Added the vulnerability first found date to the Resource Vulnerability Report.
- Replaced the "Azure Key Vault not used to store Web App secrets" Insight with the "Cloud Account Not Using Key Vault" Insight to prevent false positives and improve accuracy. The "Azure Key Vault not used to store Web App secrets" Insight will be available until version 25.7.1.
- Added support for AWS Event Bridge Schedule. This feature is enabled by request only.
- Added new job states for better error logging.
- Removed the Include Suspended checkbox on the Clouds > Summary page. You can still filter on suspended accounts using the Coverage Overview widget.
We made several changes to our user interface to improve the experience and consistency for the following pages:
- Harvesting Strategy
- Exemptions
- Tag Explorer
Additionally, the button to Switch to Legacy UI has been removed.
Fixed
- Fixed an issue that prevented scheduled events from displaying for Azure Gov Cloud accounts.
- Fixed an issue on the Resources Inventory page where making changes in the View Options window and closing it before saving would still apply the changes.
- Fixed an issue that caused the `ControlPolicyHarvester` to fail for new GCP Organization policies if they have a different structure than other policies.
- Fixed an issue causing the `EtlDataCatalogHarvester` to fail when a connection that was previously encrypted with a KMS key is no longer encrypted.
- Fixed an issue causing the `NetworkFirewallHarvester` to fail for a list of comma-delimited ports.
- Fixed an issue causing some vulnerabilities to not be returned when using Jinja templating with certain Bot Actions.
- Fixed an issue causing the `CloudWatchLogDestinationHarvester` to not retrieve all tags properly.
- Fixed an issue causing the `SearchIndexDataSourceHarvester` to fail when it encountered a custom datasource on an AWS Kendra Index.
- Fixed the "Database Instance Is Multi-Availability Zone" and "Database Instance Is Not Multi-Availability Zone" Query Filters to run at both the cluster and instance level.
- Fixed the "Identity Resource Does Not Have Policy" Query Filter to also check IAM users with groups.
Upcoming release information for May
Our new API documentation will be available starting next week!
API documentation for all InsightCloudSec customers will be available starting with release 25.5.13. With each phased release, you will be able to access the new standardized and comprehensive API documentation by navigating to your Profile page or selecting the help icon from InsightCloudSec.
This change is part of a larger effort to improve your API experience, including:
- Standardized error handling
- Documentation that stays in sync with implementation
- Request validation
- Performance optimizations
- Pagination consistency
- Response enrichment for every endpoint
The focus of the next three releases (25.5.13, 25.5.20, 25.5.27) is primarily to ensure a smooth roll-out for the API documentation, but some releases may contain unrelated additional fixes and improvements. The next standard release will be on June 3, 2025. Reach out to your CSA or support with questions or concerns.