May 06, 2025
25.5.6
This release includes new Insights and Query Filters, Kubernetes Guardrails debug functionality, and expanded support for Event Grid Topics.
Release summary
InsightCloudSec is pleased to announce release version 25.5.6. This release includes new Insights and Query Filters, Kubernetes Guardrails debug functionality, and expanded support for Event Grid Topics.
New Microsoft Azure Permissions
These permissions were missing and are required to support the Azure Web App resource. All permissions (and any relevant wildcard equivalents) have been added to the appropriate onboarding user roles.
"Microsoft.Web/sites/basicPublishingCredentialsPolicies/read"
Details for self-hosted customers
- Release Availability - Self-hosted customers are able to download the new version of InsightCloudSec usually six business days after SaaS customers are upgraded. The estimated date for this version’s self-hosted availability is May 11, 2025.
- The latest Terraform template (static files and modules) can be downloaded from our public S3 bucket: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
- Modules can be updated with the `terraform get -update` command.
- Amazon Elastic Container Repository (ECR) Image Tags - You can obtain the ECR build images for this version of InsightCloudSec from the InsightCloudSec ECR Gallery: https://gallery.ecr.aws/rapid7-insightcloudsec?page=1
New
- Added the following Insights:
  - Database Instance Flag 'log_min_error_statement' Is Not Set to Error or Stricter
- Added the following Query Filters:
  - Relay Namespace by Public Network Access State
  - Relay Namespace Invalid Diagnostic Logging Configuration
  - Event Grid Topics With Local Auth Disabled
  - Event Grid Topics By Minimum TLS Version Allowed
  - Cloud Account Not Using Key Vault
  - Database Instance 'log_min_error_statement' Flag Does Not Match Required Logging Level Criteria
Improved
- Added a debug flag for Kubernetes Guardrails logs to assist with troubleshooting and diagnosing issues.
- Added the ability for GCP Cloud Organizations to consume API quota from the individual projects instead of relying on the management project in which the service account belongs. This should reduce rate limiting failures for GCP harvesters on Organization cloud accounts. This feature is enabled by request only and requires an additional `Service Usage Consumer` role.
- Expanded support for Event Grid Topic resources to harvest additional data.
- Added a link to the documentation on the Risk Overview and Compliance Overview tabs on the Cloud Summary page.
- Improved the coverage for the `Publicly exposed vulnerable Ingress NGINX Admission` Insight to report on broader types of Kubernetes resources.
- Added the vulnerability first found date to the Resource Vulnerability Report.
- Replaced the `Azure Key Vault not used to store Web App secrets` Insight with the `Cloud Account Not Using Key Vault` Insight to prevent false positives and improve accuracy. The `Azure Key Vault not used to store Web App secrets` Insight will be available until version 25.7.1.
- Added support for AWS Event Bridge Schedule. This feature is enabled by request only.
- Added new job states for better error logging.
- Removed the Include Suspended checkbox on the Clouds > Summary page. You can still filter on suspended accounts using the Coverage Overview widget.
- We made several changes to our user interface to improve the experience and consistency for the following pages:
  - Harvesting Strategy
  - Exemptions
  - Tag Explorer

  Additionally, the button to Switch to Legacy UI has been removed.
Fixed
- Fixed an issue that prevented scheduled events from displaying for Azure Gov Cloud accounts.
- Fixed an issue on the Resources Inventory page where making changes in the View Options window and closing it before saving would still apply the changes.
- Fixed an issue that caused the `ControlPolicyHarvester` to fail for new GCP Organization policies that have a different structure than other policies.
- Fixed an issue causing the `EtlDataCatalogHarvester` to fail when a connection that was previously encrypted with a KMS key is no longer encrypted.
- Fixed an issue causing the `NetworkFirewallHarvester` to fail for a list of comma-delimited ports.
- Fixed an issue causing some vulnerabilities to not be returned when using Jinja templating with certain Bot Actions.
- Fixed an issue causing the `CloudWatchLogDestinationHarvester` to not retrieve all tags properly.
- Fixed an issue causing the `SearchIndexDataSourceHarvester` to fail when it encountered a custom datasource on an AWS Kendra Index.
- Fixed the `Database Instance Is Multi-Availability Zone` and `Database Instance Is Not Multi-Availability Zone` Query Filters to perform on both the cluster and instance level.
- Fixed the `Identity Resource Does Not Have Policy` Query Filter to also check IAM users with groups.
Upcoming release information for May
Our new API documentation will be available starting next week!
API documentation for all InsightCloudSec customers will be available starting with release 25.5.13. With each phased release, you will be able to access the new standardized and comprehensive API documentation by navigating to your Profile page or selecting the help icon from InsightCloudSec.
This change is part of a larger effort to improve your API experience, including:
- Standardized error handling
- Documentation that stays in sync with implementation
- Request validation
- Performance optimizations
- Pagination consistency
- Response enrichment for every endpoint
The focus of the next three releases (25.5.13, 25.5.20, 25.5.27) is primarily to ensure a smooth roll-out for the API documentation, but some releases may contain unrelated additional fixes and improvements. The next standard release will be on June 3, 2025. Reach out to your CSA or support with questions or concerns.