Features Introduced in June 2022

Learn about the new Code Security capabilities on Prisma™ Cloud Enterprise Edition (SaaS) in June 2022.

The following new features or enhancements are available for Prisma Cloud Code Security. These capabilities help agile teams add security checks to their existing IaC (Infrastructure-as-Code) model and enforce security throughout the build lifecycle.

Policy Updates	Description
Terraform Cloud (Run Tasks)	Integrate Terraform Cloud (Run Tasks) ( Settings Add Repositories Terraform Cloud (Run Tasks) ) to seamlessly add policy-as-code checks to your Terraform pipelines for completely automated security guardrails and enable you to collect feedback or directly block insecure deployments.
New Configuration Build Policies	The following new build policies are available on Prisma Cloud Code Security module: OCI private keys are hard coded in the provider OpenStack hard coded password, token, or application_credential_secret exists in provider OpenStack Security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) OpenStack Security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) Kubernetes ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized Kubernetes ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized Kubernetes Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized Kubernetes Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are not minimized AWS Lambda encryption settings environmental variable is not set properly Provisioned resources are manually modified Traced AWS resources are manually modified
Updates to Existing Configuration Run Policies	The following new Build policies are added to the existing Configuration Run policies: OCI Block Storage Block Volume does not have backup enabled OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) OCI Compute Instance boot volume has in-transit data encryption is disabled OCI Compute Instance has Legacy MetaData service endpoint enabled OCI Compute Instance has monitoring disabled OCI Object Storage bucket does not emit object events OCI Object Storage Bucket has object Versioning disabled OCI Object Storage Bucket is not encrypted with a Customer Managed Key (CMK) OCI Object Storage bucket is publicly accessible OCI IAM password policy for local (non-federated) users does not have a lowercase character OCI IAM password policy for local (non-federated) users does not have a number OCI IAM password policy for local (non-federated) users does not have a symbol OCI IAM password policy for local (non-federated) users does not have an uppercase character OCI File Storage File Systems are not encrypted with a Customer Managed Key (CMK) OCI VCN has no inbound security list OCI VCN Security list has stateful security rules OCI IAM password policy for local (non-federated) users does not have minimum 14 characters
Build Policy Updates-Metadata	AWS access keys and secrets are hard coded in infrastructure Changes —The cloud type for this policy is updated from ANY to AWS. Impact —No impact on alerts.
	Azure Storage Account Access Keys Changes —The cloud type for this policy is updated from ANY to Azure. Impact —No impact on alerts.
	GCP resources that support labels do not have labels Changes —The cloud type for this policy is updated from ANY to GCP. Impact —No impact on alerts.
	AWS S3 Bucket BlockPublicPolicy is set to True Changes —The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Policy Name — AWS S3 Bucket BlockPublicPolicy is set to True Updated Policy Name — AWS S3 Bucket BlockPublicPolicy is not set to True Impact —No impact on alerts.
	AWS S3 bucket IgnorePublicAcls is set to True Changes —The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Policy Name — AWS S3 bucket IgnorePublicAcls is set to True Updated Policy Name — AWS S3 bucket IgnorePublicAcls is not set to True Impact —No impact on alerts.
	AWS S3 bucket RestrictPublicBucket is set to True Changes —The policy name has been updated to support Prisma Cloud’s naming guidelines. Current Policy Name — AWS S3 bucket RestrictPublicBucket is set to True Updated Policy Name — AWS S3 bucket RestrictPublicBucket is not set to True Impact —No impact on alerts.
	S3 bucket MFA Delete is not enabled Changes —The policy description and recommendation details have been updated to describe the policy better. Updated Description —Ensure S3 bucket MFA Delete is enabled. Impact —No impact on alerts.
	AWS IAM policies that allow full administrative privileges are created Changes —The severity level for this policy is updated from Critical to Low . Impact —No impact on alerts.
	Lambda function's environment variables expose secrets Changes —The severity level for this policy is updated from High to Medium . Impact —No impact on alerts.
	SQS queue policy is public and access is not restricted to specific services or principals Changes —The severity level for this policy is updated from Medium to High . Impact —No impact on alerts.
Policy Deletions `Applies only if you have enabled the Code Security subscription on Prisma Cloud`	The following build policies are deleted from Prisma Cloud: Secret Keyword Redshift clusters do not have AWS Backup's backup plan A retention period of less than 90 days is not specified Secure transfer required is not enabled Impact —No impact on alerts.

Document:Prisma™ Cloud Release Notes

Features Introduced in June 2022

Table of Contents

Features Introduced in June 2022

Recommended For You

Document:Prisma™ Cloud Release Notes

Features Introduced in June 2022

Table of Contents

Features Introduced in June 2022

Recommended For You

Recommended Videos