Features Introduced in June 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2022.
The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.
Policy Updates

Terraform Cloud (Run Tasks)
Integrate Terraform Cloud (Run Tasks) (Settings > Add Repositories > Terraform Cloud (Run Tasks)) to seamlessly add policy-as-code checks to your Terraform pipelines. This gives you fully automated security guardrails that can either collect feedback or directly block insecure deployments.
New Configuration Build Policies
The following new build policies are available on the Prisma Cloud Code Security module:
  • OCI private keys are hard coded in the provider
  • OpenStack hard coded password, token, or application_credential_secret exists in provider
  • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
  • OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)
  • Kubernetes ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized
  • Kubernetes ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized
  • Kubernetes Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized
  • Kubernetes Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are not minimized
  • AWS Lambda encryption settings environmental variable is not set properly
  • Provisioned resources are manually modified
  • Traced AWS resources are manually modified
Updates to Existing Configuration Run Policies
The following new build policies are added to the existing Configuration Run policies:
  • OCI Block Storage Block Volume does not have backup enabled
  • OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK)
  • OCI Compute Instance boot volume has in-transit data encryption is disabled
  • OCI Compute Instance has Legacy MetaData service endpoint enabled
  • OCI Compute Instance has monitoring disabled
  • OCI Object Storage bucket does not emit object events
  • OCI Object Storage Bucket has object Versioning disabled
  • OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK)
  • OCI Object Storage bucket is publicly accessible
  • OCI IAM password policy for local (non-federated) users does not have a lowercase character
  • OCI IAM password policy for local (non-federated) users does not have a number
  • OCI IAM password policy for local (non-federated) users does not have a symbol
  • OCI IAM password policy for local (non-federated) users does not have an uppercase character
  • OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK)
  • OCI VCN has no inbound security list
  • OCI VCN Security list has stateful security rules
  • OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
Build Policy Updates (Metadata)
AWS access keys and secrets are hard coded in infrastructure
Changes: The cloud type for this policy is updated from ANY to AWS.
Impact: No impact on alerts.
Azure Storage Account Access Keys
Changes: The cloud type for this policy is updated from ANY to Azure.
Impact: No impact on alerts.
GCP resources that support labels do not have labels
Changes: The cloud type for this policy is updated from ANY to GCP.
Impact: No impact on alerts.
AWS S3 Bucket BlockPublicPolicy is set to True
Changes: The policy name has been updated to align with Prisma Cloud's naming guidelines.
  • Current Policy Name: AWS S3 Bucket BlockPublicPolicy is set to True
  • Updated Policy Name: AWS S3 Bucket BlockPublicPolicy is not set to True
Impact: No impact on alerts.
AWS S3 bucket IgnorePublicAcls is set to True
Changes: The policy name has been updated to align with Prisma Cloud's naming guidelines.
  • Current Policy Name: AWS S3 bucket IgnorePublicAcls is set to True
  • Updated Policy Name: AWS S3 bucket IgnorePublicAcls is not set to True
Impact: No impact on alerts.
AWS S3 bucket RestrictPublicBucket is set to True
Changes: The policy name has been updated to align with Prisma Cloud's naming guidelines.
  • Current Policy Name: AWS S3 bucket RestrictPublicBucket is set to True
  • Updated Policy Name: AWS S3 bucket RestrictPublicBucket is not set to True
Impact: No impact on alerts.
S3 bucket MFA Delete is not enabled
Changes: The policy description and recommendation details have been updated to describe the policy better.
Updated Description: Ensure S3 bucket MFA Delete is enabled.
Impact: No impact on alerts.
AWS IAM policies that allow full administrative privileges are created
Changes: The severity level for this policy is updated from Critical to Low.
Impact: No impact on alerts.
Lambda function's environment variables expose secrets
Changes: The severity level for this policy is updated from High to Medium.
Impact: No impact on alerts.
SQS queue policy is public and access is not restricted to specific services or principals
Changes: The severity level for this policy is updated from Medium to High.
Impact: No impact on alerts.
Policy Deletions
(Applies only if you have enabled the Code Security subscription on Prisma Cloud.)
The following build policies are deleted from Prisma Cloud:
  • Secret Keyword
  • Redshift clusters do not have AWS Backup's backup plan
  • A retention period of less than 90 days is not specified
  • Secure transfer required is not enabled
Impact: No impact on alerts.