Features Introduced in June 2019

Learn what’s new on Prisma™ Cloud in June 2019.

Features Introduced on June 22, 2019

New Features

Feature: Amazon GuardDuty Findings on IAM Users
Description: To help you find potential security issues (malicious activity and unauthorized behavior) that pertain to IAM users identified in Amazon GuardDuty findings, you can now specify hostfinding.type = 'AWS GuardDuty IAM' in a Config RQL query.
Feature: Azure Network Security Group Rule Actions
Description: To help you audit Network Security Groups (NSGs) directly from the RedLock console, the resource explorer and the network explorer display how Azure NSGs are configured to enforce traffic in your Azure environment. To display this information for each Azure NSG rule, both the resource explorer and the network explorer now have a new Action column, which indicates whether the NSG rule is set to Allow or Deny traffic.

Feature: API Ingestion Update
Description: Prisma Cloud has improved coverage for the following API service that you can query using RQL: the aws-elasticbeanstalk-environment API JSON is modified to include the response from the environment resource details in the describeEnvironmentResources field.

Policy Updates

The following new policies are available in this release:
Policy Name: AWS EKS cluster control plane assigned to multiple security groups
Description: Checks the number of security groups assigned to your AWS EKS cluster control plane and alerts if more than one security group is attached to the cluster.

Policy Name: AWS EKS cluster using the default VPC
Description: Identifies AWS Kubernetes clusters that are configured with the default VPC instead of a custom VPC.

Policy Name: AWS EKS control plane logging disabled
Description: Checks whether Kubernetes control plane logging for audit and diagnostic logs is enabled so that log data from your EKS cluster is written directly to CloudWatch Logs. This policy alerts you if logging is disabled.

Policy Name: AWS EKS cluster security group overly permissive to all traffic
Description: Identifies security group rules that are attached to the cluster network and allow inbound traffic for all protocols from the public internet.

Policy Name: AWS EKS cluster endpoint access publicly enabled
Description: Checks whether your Kubernetes cluster endpoint, which enables the API server to communicate with all worker nodes within your cluster, is publicly accessible. This policy alerts if you have not restricted public access to the Kubernetes cluster endpoint.

Features Introduced on June 6, 2019

Learn what’s new on June 6, 2019.

New Features

Feature: Just-In-Time Provisioning for SSO Users
Description: To access the RedLock service using Single Sign-On (SSO), every user (administrator) requires a local account on Prisma Cloud. With Just-In-Time (JIT) Provisioning, you are no longer required to create the user in advance on Prisma Cloud. After successful authentication with your SSO Identity Provider (IdP), users are now automatically provisioned on Prisma Cloud with the specified role. From Settings > SSO, enable JIT Provisioning and specify the SAML attributes you configured for your users on your IdP.

Feature: Coverage for Azure Container Registry Webhooks and Azure App Service Authentication
Description: When you onboard your Azure subscriptions to Prisma Cloud, you can now ingest additional information from Azure Container Registry webhooks and from Azure App Service to provide more visibility and context.
Create a custom role or modify an existing role to include the following permissions:
  • Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
    To ingest data from Azure Container Registry webhooks that are triggered when a container image or Helm chart is pushed to a registry, or deleted from it.
  • Microsoft.Web/sites/config/list/action
    To ingest Authentication/Authorization data from Azure App Service, which hosts websites and web applications.
    This custom role is required in addition to the Reader role, which is adequate to ingest configuration data from the Azure App Service.
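A custom role definition that carries only the two permissions listed above, written here as an added illustration rather than taken from the Prisma Cloud or Azure documentation; the role name and the subscription ID placeholder are assumptions, and the file is meant to be passed to az role definition create --role-definition @prisma-ingestion-role.json:

```json
{
  "Name": "Prisma Cloud Extended Ingestion (example)",
  "IsCustom": true,
  "Description": "Read-only actions Prisma Cloud needs for ACR webhook and App Service auth ingestion; assigned alongside the built-in Reader role.",
  "Actions": [
    "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
    "Microsoft.Web/sites/config/list/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID_PLACEHOLDER>"
  ]
}
```

Note that Microsoft.Web/sites/config/list/action also returns security-sensitive App Service settings (app settings, connection strings, publishing credentials), so keep AssignableScopes to the subscriptions you actually onboard and assign the role only to the Prisma Cloud service principal.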
Feature: Bypass DNS Resolution for SAML
Description: If you have deployed your IdP on an internal network and do not need a DNS lookup for the URLs defined in the SSO configuration settings, you can now disable it. To disable DNS lookups, clear the Enforce DNS resolution for RedLock Access SAML option under Settings > SSO.

Feature: New API Ingestion
Description: Prisma Cloud adds coverage for the following new services that you can use in RQL:
  • GCP: gcloud-compute-target-https-proxies
  • AWS: aws-rds-db-clusters

API Ingestion Updates

API: aws-iam-get-policy-version
Update: The aws-iam-get-policy-version API is modified to list all IAM users, groups, and roles that the specified managed policy is attached to. With this change, this API now retrieves information about managed policies along with all IAM users, groups, and roles attached to the policies.

API: aws-rds-db-cluster-snapshots
Update: The aws-rds-db-cluster-snapshots API now includes a new JSON field, dbclusterSnapshotAttributes, that provides information on the attributes of an RDS database cluster snapshot.

API: aws-kms-get-key-rotation-status
Update: The aws-kms-get-key-rotation-status API now includes a new JSON field, policies. With this change, this API now retrieves the KMS key rotation status along with the list of policies associated with the key.

API: aws-ecr-get-repository-policy
Update: The aws-ecr-get-repository-policy API is updated to include the IAM policy statement, which provides information on the operations permitted on the ECR resource. With this change the JSON structure is fully revised.
If you have a custom policy that uses this API, modify the RQL in your policy to match the new JSON structure and ensure that the policy continues to work as expected. If you do not modify the policy, then when you update the settings for the ECR resource on AWS, your custom policy can no longer generate alerts. This occurs because Prisma Cloud will rescan the resource and retrieve data in the new JSON structure, which will no longer match the conditions defined in the earlier format.

API: aws-sqs-get-queue-attributes
Update: The aws-sqs-get-queue-attributes API is updated to include the policy statement, which provides information on the operations permitted on the SQS resource. With this change the JSON structure is fully revised.
If you have a custom policy that uses this API, modify the RQL in your policy to match the new JSON structure and ensure that the policy continues to work as expected. If you do not modify the policy, then when you update the settings for the SQS resource on AWS, your custom policy can no longer generate alerts. This occurs because Prisma Cloud will rescan the resource and retrieve data in the new JSON structure, which will not match the conditions defined in the earlier format.
