Features Introduced in October 2019

Learn what’s new on Prisma™ Cloud in October 2019.

Features Introduced on October 16, 2019

New Features

Alert Dismissal Restrictions
Prisma Cloud system administrators with the System Admin role can now specify whether other administrators who belong to a different role can dismiss or resolve alerts. When Restrict alert dismissal is enabled, only the System Admin role has the permissions to manage alerts triggered for policies defined by System Administrators. The Account Group Admin and Account and Cloud Provisioning Admin roles cannot dismiss or resolve these alerts.

Policy Updates

AWS RDS DB cluster encryption is disabled
Identifies Aurora database clusters for which data-at-rest encryption is disabled.
AWS Route53 Public Zone with Private Records
Identifies a risky configuration where AWS Route 53 Public Hosted Zones contain DNS records for private IP addresses or resources within your AWS account.
GCP Firewall Rules Allow Inbound Traffic from Anywhere with no Target Tags Set
Identifies GCP Firewall rules that allow inbound traffic from anywhere and have no target tags set to limit access to specified targets only.
Policy Removed
VPC Endpoints were not used for Consuming S3 storage from within the VPC
This policy has been removed, and is no longer mapped to the compliance standards available on Prisma Cloud.
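The condition described by the AWS Route53 Public Zone with Private Records policy above can be sketched as follows. This is an added example, not Prisma Cloud's implementation; it assumes zone and record data shaped like the Route 53 `ListHostedZones` and `ListResourceRecordSets` responses, and every sample value is constructed.

```python
import ipaddress

# "Private" here means RFC 1918 IPv4 and IPv6 unique local (an assumption of this example).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_private(value):
    """True if value parses as an IP address inside PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False  # not an IP literal
    return any(addr.version == net.version and addr in net for net in PRIVATE_NETS)


def private_records_in_public_zones(zones, record_sets):
    """List (zone, record name, type, value) for private A/AAAA values in public zones."""
    findings = []
    for zone in zones:
        if zone.get("Config", {}).get("PrivateZone", False):
            continue  # private hosted zones are expected to hold such records
        for rrset in record_sets.get(zone["Id"], []):
            if rrset["Type"] not in ("A", "AAAA"):
                continue
            # Alias records carry AliasTarget instead of ResourceRecords.
            for rr in rrset.get("ResourceRecords", []):
                if is_private(rr["Value"]):
                    findings.append((zone["Name"], rrset["Name"], rrset["Type"], rr["Value"]))
    return findings


# Constructed sample data shaped like Route 53 API output (not from a real account).
ZONES = [
    {"Id": "/hostedzone/ZPUBLIC", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZPRIVATE", "Name": "corp.example.com.", "Config": {"PrivateZone": True}},
]
RECORDS = {
    "/hostedzone/ZPUBLIC": [
        {"Name": "www.example.com.", "Type": "A", "ResourceRecords": [{"Value": "203.0.113.10"}]},
        {"Name": "db.example.com.", "Type": "A",
         "ResourceRecords": [{"Value": "10.0.4.17"}, {"Value": "198.51.100.7"}]},
        {"Name": "cache.example.com.", "Type": "AAAA", "ResourceRecords": [{"Value": "fd12:3456:789a::1"}]},
        {"Name": "app.example.com.", "Type": "A", "AliasTarget": {"DNSName": "lb.example.net."}},
    ],
    "/hostedzone/ZPRIVATE": [{"Name": "build.corp.example.com.", "Type": "A",
                              "ResourceRecords": [{"Value": "192.168.1.5"}]}],
}

if __name__ == "__main__":
    print(*private_records_in_public_zones(ZONES, RECORDS), sep="\n")
```

Only the public zone's `db` and `cache` records are reported; the same private address in the private hosted zone is not a finding.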

Features Introduced on October 2, 2019

New Features

Cloud Security Alliance (CSA) Compliance Standards Support
Prisma Cloud adds support for Cloud Security Alliance: Cloud Controls Matrix (CCM) Version 3.0.1 for AWS, Azure and GCP. CSA is an organization that ensures security, trust and assurance to promote the use of best practices and regulations to effectively manage cloud-specific security controls. This standard includes 136 policies—136 for AWS, 41 for GCP, 30 for Azure.
Azure Key Vault Configuration Checks
The Azure Key Vault configuration checks have been updated to retrieve more information so that you can define custom policy for Azure Key Vault certificates that check for:
  • Maximum validity period
  • Status of the reuse key on renewal
  • Exportable private key
  • Key type and key size
Support for Monitoring Resources on Azure Government.
To help government agencies adopt a cloud-first approach and meet their security-related objectives, Prisma Cloud now supports Azure Government Cloud across the following Azure Government regions:
  • Azure Gov Virginia (US)
  • Azure Gov Iowa (US)
  • Azure Gov Texas (US)
  • Azure Gov Arizona (US)
Temporary Alert Dismissal
Instead of completely dismissing an alert, with this enhancement you can now snooze open alerts for a specified duration of time. On , you can use the Alert Status filter to find alerts. After the specified time period, the alert is automatically reopened or resolved depending on whether or not the underlying violation is addressed.
New Role—Account and Cloud Provisioning Admin.
This new role combines the permissions available for the Cloud Admin and the Account Group Admin to enable administrators who are responsible for adding and managing designated accounts. With this role, in addition to being able to onboard cloud accounts, the administrator can access the dashboard, manage the security policies, investigate issues, view alerts and compliance details for the designated accounts only.
View permissions associated with this role on +Add New
Remediable Policies for Azure Security Center
15 Prisma Cloud default policies for Azure Security Center now include CLI for auto-remediation; only the Azure Security Center default policies that require a contact email address or phone number are not remediable. If Prisma Cloud is set up with the required read-write permissions, any alert rules that are enabled to auto-remediate and include these policies will automatically remediate new alerts that are generated after this Prisma Cloud update.
New CLI Variables for Custom Policy
When you create a policy you have two new CLI variables to enable auto-remediation. The GCP Zone ${gcpZoneId} and Azure Scope ${azureScope} variables enable you to specify the GCP zone or Azure scope to indicate the node within the Azure resource hierarchy in which the resource is deployed.
API Ingestion Updates
Prisma Cloud has added coverage for the API:
GCP App Engine—
AWS ActiveMQ—
