Features Introduced in February 2019

Learn what’s new on Prisma™ Cloud in February 2019.
The following topic provides a snapshot of new features introduced for Prisma™ Cloud in February 2019. Refer to the Prisma™ Cloud Administrator’s Guide for more information on how to use Prisma™ Cloud.

Features Introduced on February 21, 2019

New Features

This release of Prisma™ Cloud includes these improvements:
FEATURES
DESCRIPTION
Cloud Provisioning Admin Role
The new Cloud Provisioning Admin role provides the granular permissions required to onboard and manage cloud accounts through the Prisma Cloud admin console and the APIs, so you can offload cloud account onboarding and management to members of your CloudOps team.
When you add a new role and assign the Cloud Provisioning Admin permission group to an administrative user, that user inherits the ability to create and manage account groups in addition to onboarding cloud accounts. An administrator with only this permission group has no access to other Prisma Cloud features.
Tenable Integration for Azure accounts
Prisma Cloud now supports integration with Tenable for Azure cloud environments, in addition to the existing support for AWS cloud environments.
This integration adds vulnerability context to the potential threats Prisma Cloud detects in cloud workloads and helps you prioritize them. For example, you can address high-severity vulnerabilities on internet-facing hosts that are receiving malicious traffic before you look at other hosts.
Cloud Account Permission Checks Enhancement
To verify that Prisma Cloud has the permissions required to continuously monitor your cloud environments, the status of each AWS and Azure cloud account is automatically updated after every ingestion cycle on Settings > Cloud Accounts.
Saved Search Additions
Use the following new saved searches to create custom policies:
Azure Virtual Network nearing public IP (static) limit
AWS IAM SupportAccess policy assigned
AWS IAM Users API keys detected
AWS CloudFront CDN in use

Policy Updates

FEATURES
DESCRIPTION
Azure disk for VM operating system is not encrypted at rest using ADE
Detects Virtual Machine (VM) OS disks that are not encrypted at rest using Azure Disk Encryption.
Azure Virtual Machine is not assigned to an availability set
Identifies Azure VMs that are not deployed in an availability set. As a high availability (HA) best practice, deploy your VMs in an availability set.
Azure Application Gateway allows TLSv1.1 or lower
Identifies Application Gateway instances whose SSL policy sets a minimum protocol version of TLS 1.1 or lower, so that clients can still negotiate the legacy versions.
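The following is an added example of the check behind the Application Gateway policy above; it is not Prisma Cloud's own RQL or code. It evaluates gateway definitions in the shape of `az network application-gateway show` output (an `sslPolicy` object carrying `policyType`, `policyName`, `minProtocolVersion`, or the older `disabledSslProtocols` list), and the sample gateways are constructed. The mapping of Azure's predefined SSL policy names to their minimum protocol version is taken from the Application Gateway documentation; a gateway with no `sslPolicy` runs the default AppGwSslPolicy20150501 policy.

```python
"""Offline check for 'Application Gateway allows TLSv1.1 or lower'.

Added example, not Prisma Cloud's code. Gateways are dicts shaped like
`az network application-gateway show` output; samples are constructed.
"""
from typing import Any, Dict, List

# Minimum protocol version of Azure's predefined Application Gateway SSL
# policies. A gateway with no sslPolicy at all runs the 20150501 policy.
PREDEFINED_MIN = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
}
DEFAULT_POLICY = "AppGwSslPolicy20150501"
VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2"]  # weakest to strongest


def min_protocol(gateway: Dict[str, Any]) -> str:
    """Effective minimum TLS version the gateway's listeners accept."""
    ssl = gateway.get("sslPolicy") or {}
    if ssl.get("policyType") == "Custom":
        return ssl.get("minProtocolVersion") or "TLSv1_0"
    if ssl.get("policyType") == "Predefined" or "policyName" in ssl:
        # Unknown policy name: assume the weakest rather than silently pass.
        return PREDEFINED_MIN.get(ssl.get("policyName", DEFAULT_POLICY), "TLSv1_0")
    # Legacy form: only a list of disabled protocols; everything else allowed.
    disabled = set(ssl.get("disabledSslProtocols") or [])
    for version in VERSIONS:
        if version not in disabled:
            return version
    return "TLSv1_2"  # nothing below 1.2 is accepted


def allows_legacy_tls(gateway: Dict[str, Any]) -> bool:
    """True when the gateway still accepts TLS 1.1 or lower (the finding)."""
    return VERSIONS.index(min_protocol(gateway)) < VERSIONS.index("TLSv1_2")


def find_violations(gateways: List[Dict[str, Any]]) -> List[str]:
    """Names of the gateways that would raise this policy's alert."""
    return [g["name"] for g in gateways if allows_legacy_tls(g)]


# Constructed sample gateways covering each way the setting can be expressed.
SAMPLE_GATEWAYS = [
    {"name": "agw-default"},  # no sslPolicy: default predefined policy, TLS 1.0 allowed
    {"name": "agw-predef-strict",
     "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20170401S"}},
    {"name": "agw-custom-11",
     "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1",
                   "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}},
    {"name": "agw-legacy-ok",
     "sslPolicy": {"disabledSslProtocols": ["TLSv1_0", "TLSv1_1"]}},
]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_GATEWAYS):
        print(f"{name}: minimum TLS version is below 1.2")
```

To remediate, switch the gateway to the predefined AppGwSslPolicy20170401S policy or a custom policy with `minProtocolVersion` TLSv1_2; the check treats an unrecognised predefined policy name as a violation on purpose, so a new Azure policy name shows up as a finding rather than being silently accepted.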

Features Introduced on February 14, 2019

New Features

This release of Prisma Cloud includes these improvements:
FEATURES
DESCRIPTION
Cloud Account Permissions Checks
When you onboard a new cloud account on Prisma Cloud, you can now review the errors, inadequate or missing permissions, and API configuration problems that cause the onboarding of an AWS or Azure account to fail or to complete only partially. The status messages on the cloud accounts page let you take the actions needed to onboard the account and ingest data about the resources deployed in it.
On AWS, the checks verify:
  • The permissions for the AWS services defined in the Prisma Cloud AWS CloudFormation template (CFT)
  • VPC Flow Logs configuration
  • VPCs configured to send flow logs to CloudWatch Logs
  • At least one CloudTrail trail configured to apply to all regions (a multi-region trail)
  • CloudWatch Logs delivery configured for CloudTrail
  • Flow logs enabled with the traffic filter set to ALL or ACCEPT
On Azure, the checks verify:
  • The Reader and Data Access role at the subscription level
  • A custom role created for flow logs, or the Network Contributor role
  • Access to the storage account that holds the flow logs
  • That flow logs are present in that storage account
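The AWS-side checks in the list above, modelled offline as an added example; this is not Prisma Cloud's own code. The inputs follow the shape of the boto3 responses to `ec2.describe_vpcs`, `ec2.describe_flow_logs` and `cloudtrail.describe_trails`, so live output can be passed in unchanged, but all the sample data here is constructed. The first item (the IAM permissions granted by the CFT) needs a live account and is not modelled.

```python
"""Offline model of the AWS onboarding checks: multi-region CloudTrail with
CloudWatch Logs delivery, and per-VPC flow logs to CloudWatch Logs with an
ALL or ACCEPT filter. Added example, not Prisma Cloud's code; sample data
is constructed in the shape of the boto3 responses.
"""
from typing import Any, Dict, List

ACCEPTED_FILTERS = {"ALL", "ACCEPT"}  # a REJECT-only flow log is not enough


def check_cloudtrail(trails: Dict[str, Any]) -> List[str]:
    """Need at least one multi-region trail, and it must go to CloudWatch Logs."""
    multi = [t for t in trails.get("trailList", []) if t.get("IsMultiRegionTrail")]
    if not multi:
        return ["CloudTrail: no trail is configured to apply to all regions"]
    if not any(t.get("CloudWatchLogsLogGroupArn") for t in multi):
        names = ", ".join(t["Name"] for t in multi)
        return [f"CloudTrail: multi-region trail(s) {names} do not deliver to CloudWatch Logs"]
    return []


def _flow_log_problem(fl: Dict[str, Any]) -> str:
    """Why one flow log fails the check; empty string when it passes."""
    # Older API responses omit LogDestinationType; those logs go to CloudWatch Logs.
    dest = fl.get("LogDestinationType", "cloud-watch-logs")
    if dest != "cloud-watch-logs":
        return f"{fl['FlowLogId']} delivers to {dest}"
    if fl.get("TrafficType") not in ACCEPTED_FILTERS:
        return f"{fl['FlowLogId']} filter is {fl.get('TrafficType')}"
    if fl.get("FlowLogStatus") != "ACTIVE":
        return f"{fl['FlowLogId']} status is {fl.get('FlowLogStatus')}"
    return ""


def check_flow_logs(vpcs: Dict[str, Any], flow_logs: Dict[str, Any]) -> List[str]:
    """One finding per VPC that has no ACTIVE flow log sending ALL or ACCEPT
    traffic to CloudWatch Logs."""
    by_vpc: Dict[str, List[Dict[str, Any]]] = {}
    for fl in flow_logs.get("FlowLogs", []):
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    findings = []
    for vpc in vpcs.get("Vpcs", []):
        vpc_id = vpc["VpcId"]
        logs = by_vpc.get(vpc_id, [])
        if not logs:
            findings.append(f"{vpc_id}: no flow log configured")
            continue
        problems = [p for p in map(_flow_log_problem, logs) if p]
        if len(problems) == len(logs):  # not a single compliant flow log
            findings.append(f"{vpc_id}: " + "; ".join(problems))
    return findings


def check_aws_account(vpcs: Dict[str, Any], flow_logs: Dict[str, Any],
                      trails: Dict[str, Any]) -> List[str]:
    """All findings for one account; empty list means the checks pass."""
    return check_cloudtrail(trails) + check_flow_logs(vpcs, flow_logs)


# Constructed sample data: one compliant VPC and three distinct failures.
VPCS = {"Vpcs": [{"VpcId": v} for v in ("vpc-0a1", "vpc-0b2", "vpc-0c3", "vpc-0d4")]}
FLOW_LOGS = {"FlowLogs": [
    {"FlowLogId": "fl-1", "ResourceId": "vpc-0a1", "TrafficType": "ALL",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-2", "ResourceId": "vpc-0b2", "TrafficType": "REJECT",
     "LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow", "FlowLogStatus": "ACTIVE"},
    {"FlowLogId": "fl-3", "ResourceId": "vpc-0c3", "TrafficType": "ALL",
     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-flow-logs",
     "FlowLogStatus": "ACTIVE"},
]}
TRAILS = {"trailList": [
    {"Name": "regional", "IsMultiRegionTrail": False,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:trail:*"},
    {"Name": "org", "IsMultiRegionTrail": True},  # all regions, but no CloudWatch Logs delivery
]}

if __name__ == "__main__":
    for finding in check_aws_account(VPCS, FLOW_LOGS, TRAILS):
        print(finding)
```

Feeding the functions real output (`boto3.client("ec2").describe_flow_logs()` and so on) reproduces the onboarding status messages before you hand the account to Prisma Cloud, which is cheaper than waiting for an ingestion cycle to report a partial onboard.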
Support for ISO27001:2013
ISO27001:2013 compliance reporting is now available on Prisma Cloud for AWS, Azure, and GCP cloud platforms. In addition to using the default policy mappings to various ISO27001:2013 articles, you can create custom mappings to meet your specific enterprise needs.
Qualys Integration for Azure accounts
Prisma Cloud now supports integration with Qualys for Azure cloud environments, in addition to the existing support for AWS cloud environments. This integration adds vulnerability context to the potential threats detected in cloud workloads and helps you prioritize them. For example, you can address high-severity vulnerabilities on internet-facing hosts that are receiving malicious traffic before you look into issues on other hosts.
Account Lockout
To enhance security and prevent brute-force attacks, after five unsuccessful attempts to log in to the application you are locked out of it. To log back in, you must reset your password using the Forgot Password link or contact your system administrator.
API Ingestion
Support for the aws-elasticache-parameter-groups API is removed from the application.

Policy Updates

FEATURES
DESCRIPTION
AWS Elastic Load Balancer (ELB) with ACM certificate expiring in 90 days
Identifies Elastic Load Balancers (ELB) that use ACM certificates expiring within 90 days, or certificates that have already expired.
AWS Redshift Cluster not encrypted using Customer Managed Key
Identifies Redshift Clusters which are encrypted with default KMS keys and not with Customer Managed Keys.
AWS S3 bucket not configured with secure data transport policy
Identifies S3 buckets whose bucket policy does not enforce encrypted transport. An S3 bucket should deny requests made without TLS, which a bucket policy expresses as a Deny statement conditioned on the aws:SecureTransport key being false.
AWS VPC not in use
Identifies VPCs that are not in use. Such VPCs may have been created unintentionally, and AWS also limits the number of VPCs allowed per region.
AWS Elastic Load Balancer (ELB) with IAM certificate expiring in 90 days
Identifies Elastic Load Balancers (ELB) that use IAM server certificates expiring within 90 days, or certificates that have already expired.
AWS Elastic File System (EFS) not encrypted using Customer Managed Key
Identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Customer Managed keys.
AWS S3 Bucket Policy allows public access to CloudTrail logs
Checks the bucket policy applied to the S3 bucket that stores CloudTrail logs and alerts when the policy grants public access to those logs.
AWS EC2 instance is not configured with VPC
Identifies EC2 instances that are still running in EC2-Classic rather than inside a VPC.
AWS Elastic Load Balancer (ELB) has security group with no inbound rules
Identifies Elastic Load Balancers (ELB) which have security group with no inbound rules. A security group with no inbound rule will deny all incoming requests.
AWS EC2 Instance Scheduled Events
Identifies Amazon EC2 instances that have a scheduled event. AWS can schedule events for your instances, such as a reboot, stop/start, or retirement. If one of your instances will be affected by a scheduled event, AWS emails you before the event with details including its start and end date. If a scheduled event falls within the next 7 days, this policy triggers an alert.
AWS EBS volumes are not encrypted—updated
The RQL for the policy AWS EBS volumes are not encrypted has been updated. Alerts that were generated for this policy, using the previous version of the RQL, will be marked as resolved in your environment.
Azure Key Vault audit logging is disabled
Identifies Azure Key Vault instances for which audit logging is disabled. As a best practice, enable audit event logging for Key Vault instances to monitor how and when your key vaults are accessed, and by whom.
Creating new policies through the API with the preprocessor parameter is now disabled.
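The two S3 bucket-policy checks in the table above (secure data transport, and public access to CloudTrail logs) both come down to reading statements out of the bucket policy document. The following is an added example of that logic; it is not Prisma Cloud's RQL or code. It takes the policy JSON string that `s3.get_bucket_policy()["Policy"]` returns, and the weak and hardened sample policies for a hypothetical trail bucket named example-trail-logs are constructed.

```python
"""Bucket-policy checks for 'secure data transport' and 'public access to
CloudTrail logs'. Added example, not Prisma Cloud's code; the sample
policies are constructed.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_everyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anonymous / any AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def enforces_secure_transport(policy: Dict[str, Any], bucket: str) -> bool:
    """True if a Deny statement rejects every non-TLS request
    (Bool aws:SecureTransport = false) on both the bucket and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _is_everyone(stmt.get("Principal")):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        # Condition keys are case-insensitive; values may be "false" or false.
        flag = next((v for k, v in bool_cond.items() if k.lower() == "aws:securetransport"), None)
        if str(flag).lower() != "false":
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue  # a Deny on a single action still leaves plaintext reads
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources:
            return True
    return False


def public_allow_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant access to everyone. Deliberately
    conservative (this example's choice): a Condition does not clear the
    finding, since most condition keys do not restrict who may read."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and _is_everyone(stmt.get("Principal")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def assess(policy_json: str, bucket: str) -> Dict[str, Any]:
    """Both checks over one bucket policy document."""
    policy = json.loads(policy_json)
    return {"secure_transport": enforces_secure_transport(policy, bucket),
            "public_statements": public_allow_statements(policy)}


# Constructed sample: a CloudTrail log bucket with a stray public-read grant.
BUCKET = "example-trail-logs"
CLOUDTRAIL_STATEMENTS = [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/123456789012/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]
PUBLIC_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}
DENY_INSECURE = {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                 "Action": "s3:*",
                 "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

WEAK_POLICY = json.dumps({"Version": "2012-10-17",
                          "Statement": CLOUDTRAIL_STATEMENTS + [PUBLIC_READ]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17",
                              "Statement": CLOUDTRAIL_STATEMENTS + [DENY_INSECURE]})

if __name__ == "__main__":
    print("weak:    ", assess(WEAK_POLICY, BUCKET))
    print("hardened:", assess(HARDENED_POLICY, BUCKET))
```

The hardened policy keeps the two statements CloudTrail itself needs, drops the public read, and adds the Deny on aws:SecureTransport over both the bucket ARN and its objects; a Deny that names only one of the two resources, or only one action, is reported as not enforcing secure transport, which is the gap a quick manual review tends to miss.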

Features Introduced on February 8, 2019

New Features

This release of Prisma Cloud includes these improvements:
FEATURES
DESCRIPTION
Support for AWS Stockholm region
Prisma Cloud now ingests data from the AWS Stockholm (eu-north-1) region. You can use this region to refine your searches in search filters across the application.
API ingestion
The azure-vm-list and azure-sql-server-list APIs are enhanced to support additional parameters.

Policy Updates

POLICY
DESCRIPTION
AWS EBS volume not encrypted using Customer Managed Key
Identifies EBS volumes which are encrypted with default KMS keys and not with customer managed keys that give you full control over your encryption keys.
AWS RDS database not encrypted using Customer Managed Key
Identifies RDS databases which are encrypted with default KMS keys and not with customer managed keys that give you full control over your encryption keys.
AWS CloudTrail S3 buckets have not enabled MFA delete
Identifies S3 buckets that store CloudTrail logs and do not have MFA Delete enabled on their versioning configuration.
AWS VPC subnets nearing availability limit
Identifies VPCs that are nearing the limit for subnets. AWS sets a default limit on the number of subnets you can create in each VPC.
According to https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html, the subnets-per-VPC limit is currently 200. This policy generates an alert when a VPC has reached 80% of that limit, which is 160 subnets.
AWS VPC security group nearing availability limit
Identifies regions in which the number of VPC security groups is nearing the limit. AWS sets a default limit on the number of security groups per region.
According to https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html, the security-groups-per-region limit is 2500. This policy triggers an alert when a region has reached 80% of that limit (2000 security groups).
AWS regions nearing VPC Private Gateway limit
Identifies regions in which your account is nearing the virtual private gateway limit. AWS sets a default limit on the number of virtual private gateways per region.
According to http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html, the virtual-private-gateways-per-region limit is 5. This policy triggers an alert when a region has reached 80% of that limit (4 virtual private gateways).
AWS Elastic Load Balancer (ELB) has security group with no outbound rules
Identifies Elastic Load Balancers (ELBs) which have a security group with no outbound rules. A security group with no outbound rule will deny all traffic going to any EC2 instances or resources configured behind that ELB.
