Features Introduced in June 2021

New Features

Support for AWS Cape Town and AWS Osaka
Prisma Cloud can now ingest data for resources deployed in the Cape Town and Osaka regions on AWS.
To review a list of supported regions, select
Inventory
Assets
Cloud Region
.
Service Accounts
Prisma Cloud is adding support for service accounts to help with your automation needs. Service accounts differ from the standard user accounts in that you don't need to associate an email address with them and they do not have to be validated or activated before use. With this capability, you can now use a non-human entity to interact programmatically with the Prisma Cloud APIs directly.
Only System Administrators can create Prisma Cloud service accounts. When you add a service account (
Settings
Users
Add New
Service Account
), you must specify a name, a role, and a time zone. To enable key rotation, a service account can have up to two access keys. The audit logs record all activity performed by the associated access keys and attribute them directly to the service account.
Resource Tag for Filtering Alerts
The new
Resource Tag
filter on
Alerts
Overview
, enables you to filter for alerts that pertain to resources with the specified tag value. When you add the new filter and specify a
key:value
, the results on the page update to list the alerts that match the resource tag.
The Resource Tag syntax uses a colon,
:
to separate the key and value to match, performs an exact match; it does not support white spaces or wildcard characters. You can multiple key:value pairs, or use the key without the
:
and an associated value to find all values that match the key.
The key:value is free-form text. Log in to the cloud service provider environment and find the exact tags for your resource to confirm.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS ECS Cluster instance volume encryption for data at rest is disabled
Identifies the ECS Cluster instance volumes for which encryption for data at rest is disabled. Encrypting data at rest reduces unintentional exposure of data and prevents unauthorized users from accessing sensitive data on your AWS ECS clusters. As a best practice, configure encryption for your ECS cluster instance volumes using an encryption key.
config from cloud.resource where api.name = 'aws-ecs-container-instance' AND json.rule = status equals ACTIVE as X; config from cloud.resource where api.name = 'aws-ec2-describe-volumes' AND json.rule = state contains in-use and encrypted is false as Y; filter '$.Y.attachments[*].instanceId contains $.X.ec2InstanceId'; show Y;
AWS Elasticsearch domain is not configured with HTTPS
Identifies Elasticsearch domains that are not configured with HTTPS. Amazon Elasticsearch domains allow all traffic to be submitted over HTTPS, ensuring all communications between application and domain are encrypted. As a best practice, enable HTTPS so that all communication between the application and all data access goes across an encrypted communication channel to eliminate man-in-the-middle attacks.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-es-describe-elasticsearch-domain' AND json.rule = processing is false and domainEndpointOptions.enforceHTTPS is false
AWS EC2 instance detailed monitoring disabled
Identifies EC2 instances that have detailed monitoring disabled. With detailed monitoring, you can also get aggregated data across groups of similar EC2 instances; it is therefore a best practice to enable detailed monitoring for your production instances.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = state.name equals running and monitoring.state equals disabled
AWS IAM policy allows decryption actions on all KMS keys
Identifies IAM policies that allow decryption actions on all KMS keys. Instead of granting permissions for all keys, determine the minimum set of keys that users need in order to access encrypted data. You should grant to identities only the
kms:Decrypt
or
kms:ReEncryptFrom
permissions and only for the keys that are required to perform a task. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.
config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any(Effect equals Allow and Resource equals * and (Action contains kms:* or Action contains kms:Decrypt or Action contains kms:ReEncryptFrom) and Condition does not exist)] exists
AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
Identifies CloudWatch Log groups that are encrypted using default encryption key instead of Key Management Service (KMS) Customer Master Key (CMK). As a best practice, use Customer Master Keys (CMK) to encrypt the data in your CloudWatch Log groups to ensure full control over your data.
config from cloud.resource where api.name = 'aws-cloudwatch-log-group' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '($.X.kmsKeyId does not exist) or ($.X.kmsKeyId exists and $.Y.keyMetadata.keyState equals Disabled) and $.X.kmsKeyId equals $.Y.keyMetadata.arn'; show X;
AWS VPC endpoint policy is overly permissive
Identifies VPC endpoints that have a VPC endpoint (VPCE) policy that is overly permissive. When the Principal element value is set to (
*
) within the access policy, the VPC endpoint allows full access to any IAM user or service within the VPC using credentials from any AWS account. As a best practice, use the least privileged VPCE policy to protect against data leakage and unauthorized access.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-describe-vpc-endpoints' AND json.rule = policyDocument.Statement[?any( Effect equals Allow and (Principal.AWS equals * or Principal equals *) and Action contains * and Condition does not exist)] exists
GCP App Engine Identity-Aware Proxy is disabled
Identifies GCP App Engine applications for which Identity-Aware Proxy (IAP) is disabled. IAP is used to enforce access control policies for applications and resources, and works with signed headers for the App Engine standard environment to secure your app. As a best practice, enable Identity-Aware Proxy for securing the App Engine.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-app-engine-application' AND json.rule = servingStatus equals SERVING and (iap does not exist or iap.enabled does not exist or iap.enabled is false)
Policy Updates—RQL and Metadata
Amazon Elasticsearch
Changes
—The policy RQL and recommendation steps have been updated.
If the processing state of AWS Elasticsearch is false, it implies it is in active state and will be reported. The RQL for the following policies have been enhanced to give precise alerts by only checking the 'processing' state of AWS Elasticsearch:
  • AWS Elasticsearch domain Encryption for data at rest is disabled
  • AWS Elasticsearch domain has Zone Awareness set to disabled
  • AWS Elasticsearch domain has Dedicated master set to disabled
  • AWS Elasticsearch domain has Search slow logs set to disabled
  • AWS Elasticsearch domain has Index slow logs set to disabled
The recommendation steps for the following policies has been updated as per the AWS GUI changes:
  • AWS Elasticsearch domain Encryption for data at rest is disabled
  • AWS Elasticsearch domain has Zone Awareness set to disabled
  • AWS Elasticsearch domain has Dedicated master set to disabled
Impact
—Alerts generated previously for non-active resources will be deleted as Policy_Updated.
AWS Elasticsearch domain publicly accessible
Changes
—The policy RQL has been enhanced by adding an extra processing status check to optimize alerts count. The recommendation steps have also been updated as the AWS GUI has changed.
Impact
—Alerts generated previously for non-processing resources will be resolved as Policy_Updated.
Policy deletion—Similar RQL
AWS ElasticSearch cluster not in a VPC
policy is deleted
Changes
—The
AWS ElasticSearch cluster not in a VPC
policy and its respective compliance mappings have been deleted; it was reporting the same resources as the
AWS Elasticsearch domain publicly accessible
policy which will stay.
Impact
—Alerts related to the
AWS ElasticSearch cluster not in a VPC
policy will be resolved as Policy_Deleted.

REST API Updates

API Support for Service Accounts
The following new API endpoints are available:
  • POST /v3/user
    Adds a Prisma Cloud user or service account profile.
  • GET /v3/user
    Lists all Prisma Cloud user and service account profiles.
The following existing user profile endpoint now enables you to delete either a user profile or a service account profile:
  • DELETE /user/{id}
The following endpoint has a new optional request body parameter for a service account name:
  • POST /access_keys

New Features

FEATURE
DESCRIPTION
JSON Preview
JSON Preview
available for configuration queries only, simplifies the JSON selection experience by creating a visually interactive experience where you can see the full JSON configuration schema based on the API you select in your Config query. JSON Preview makes query building a keyboard-less process where you can create a complex query without manually typing each character.
In this release, JSON Preview is disabled, by default. Toggle
JSON Preview
on the
Investigate
page to start using it.
This is not yet available for the OCI APIs.
Storage Estimate Retrieval Schedule
The
Settings
Data
Scan Settings
page provides an estimate of the total data in the S3 bucket, and the volume of data eligible for sensitive data scanning, malware scanning, or both based on the supported file types and file size. Previously, these values got updated weekly. You can now set the estimate retrieval schedule to either
Daily
,
Weekly
(default), or
None
. This is a tenant-level configuration and the schedule you set will affect all the accounts under that tenant. You can change the schedule once every 24 hours.
List Cloud Account Owners
On the Cloud Accounts page, Prisma Cloud displays the number of
Cloud Account Owners
for a given account. It is a collapsed view that displays only the first owner’s email address. Clicking the number link, for example,
+3 more
, opens a pop-up that lists the cloud account owner email addresses in an alphabetical order for that account.
Support for Azure Resource Groups on Compliance and Inventory Dashboards
Prisma Cloud now enables you to create resource lists for Azure Resource Groups. When a resource list is attached to a role, that role will have access to only that data in the resource list which thereby restricts user permissions.
After you onboard your Azure subscriptions the corresponding resource lists are automatically ingested and can be filtered in the Compliance and Asset Inventory dashboards for granular visibility into your Azure resources. You can view the data on your Azure assets for specific resource lists or generate custom compliance reports for only the resource lists you selected.
You can reach out to Prisma Cloud Customer Success if you want to try it on your Prisma Cloud instance.
API Ingestion
Azure Active Directory
azure-active-directory-service-principal-aws-app
Additional permissions required: None
Update
Ingestion for aws-iam-service-last-accessed-details
The default interval for ingesting resources of
aws-iam-service-last-accessed-details
API for all users, roles, and policies is updated to once in 24 hours.
Update
Ingestion for aws-iam-get-policy-version
For the
aws-iam-get-policy-version
API, Prisma Cloud currently ingests all policies including
Unattached AWS Managed Policies
. Starting with 21.6.2, any Unattached AWS Managed Policies, which are policies that are not attached to any group, user, or role, are no longer ingested on Prisma Cloud.
With this change, the metadata is not available for RQL queries and therefore, you cannot create custom policies for Unattached AWS Managed Policies.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS CloudWatch Log groups not configured with definite retention days
Identifies CloudWatch Log groups that are not configured with definite retention days. The retention period should be used to specify how long log events are kept in CloudWatch Logs. Expired log events get deleted automatically. If the retention period is not configured then logs will be retained indefinitely which increases the cost. Different log groups may require different retention periods, depending on operational and regulatory constraints. It is recommended to set a definite retention period for each CloudWatch Log group depending on your operational and regulatory constraints instead of being retained indefinitely.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudwatch-log-group' AND json.rule = retentionInDays does not exist
AWS ElastiCache Redis cluster encryption not configured with CMK key
Identifies ElastiCache Redis clusters that are encrypted using the default KMS key instead of Customer Managed CMK (Customer Master Key) or the CMK key used for encryption is disabled. As a security best practice, enabled CMK should be used instead of the default KMS key for encryption to gain the ability to rotate the key according to your own policies, delete the key, and control access to the key via KMS policies and IAM policies.
config from cloud.resource where api.name = 'aws-elasticache-describe-replication-groups' AND json.rule = status equals available and atRestEncryptionEnabled is true as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' as Y; filter '($.X.kmsKeyId does not exist) or ($.X.kmsKeyId exists and $.Y.keyMetadata.keyState equals Disabled) and $.X.kmsKeyId equals $.Y.keyMetadata.arn'; show X;
AWS IAM policy is overly permissive to all traffic via condition clause
Identifies IAM policies that have a policy that is overly permissive to all traffic via condition clause. If any IAM policy statement that has a condition containing
0.0.0.0/0
or
::/0
, it allows all traffic to resources attached to that IAM policy. It is highly recommended to have the least privileged IAM policy to protect data leakage and unauthorized access.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-policy-version' AND json.rule = document.Statement[?any((Condition.ForAnyValue:IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains 0.0.0.0/0 or Condition.IpAddress.aws:SourceIp contains ::/0 or Condition.ForAnyValue:IpAddress.aws:SourceIp contains ::/0) and Effect equals Allow and Action contains *)] exists
AWS IAM policy overly permissive to STS services
Identifies IAM policies that are overly permissive to STS services. AWS Security Token Service (AWS STS) is a web service that enables you to request temporary credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). It is recommended to follow the principle of least privileges ensuring only restricted STS services for restricted resources.
config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and Action contains sts:* and Resource equals * and Condition does not exist)] exists
Policy Updates—RQL and Metadata
AWS EC2 instance allowing public IP in subnets
The RQL has been updated to check subnet levels instead of route table rules. The policy name, description, and recommendation have been updated accordingly.
Impact
—New alerts will be generated based on current configurations and previously generated alerts will be resolved as Policy_Updated.
AWS ECS/Fargate task definition execution IAM Role not found
The policy RQL has been updated with an extra status check to report only active resources, and the policy name has been updated to remove an extra space.
Impact
—Alerts generated previously for non-active resources will be resolved as Policy_Updated.
AWS ECS task definition elevated privileges enabled
The policy RQL has been enhanced with a status check to report only running resources. The policy description has also been updated.
Impact
—Alerts generated previously for non-running resources will be resolved as Policy_Updated.
AWS Security Group allows all traffic on ports which are not commonly used
The policy RQL has been enhanced to check for the additional ports 1194 and 5672. The policy description has been updated accordingly.
Impact
—New alerts might be raised for newly added ports according to the configurations.
Azure Key Vault Audit Logging is disabled
The policy recommendation has been updated as per the changes in Azure.
Impact
—No impact on existing alerts.
Azure Security Center ‘Standard pricing tier’ is not selected
The policy name has been changed to
Azure Security Center Defender plans is set to Off
.
Impact
—No impact on existing alerts.
Azure SQL databases Defender setting is set to Off
The policy name, description, and recommendation have been updated as per the changes in Azure.
Impact
—No impact on existing alerts.
Azure SQL server Defender setting is set to Off
The policy name, description, and recommendation have been updated as per the changes in Azure.
Impact
—No impact on existing alerts.
Azure Virtual Network subnet is not configured with a Network Security Group
The policy description and RQL has been updated.
Impact
—Existing open alerts related to subnets which have been configured with GatewaySubnet, AzureFirewallSubnet, and NetApp file shares will be resolved as Policy_Updated.
Storage Bucket does not have Access and Storage Logging enabled
The policy name has been updated to
GCP Storage Bucket does not have Access and Storage Logging enabled
and the policy RQL has been modified.
Impact
—No impact on existing alerts.
GCP User managed service account keys are not rotated for 90 days
The RQL has been modified to alert only user-managed keys; system-managed keys won't generate any alerts. The metadata has also been updated based on the GCP UI change.
Impact
—Existing open alerts associated with the system-managed keys will be resolved as Policy_Updated.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Hitrust v.9.4: New Compliance support AWS, GCP, Azure, OCI
The HITRUST Common Security Framework (CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards. The framework provides a way to comply with standards, such as ISO/IEC 27000-series and HIPAA. Since the HITRUST CSF incorporates various security, privacy, and other regulatory requirements from existing frameworks and standards, some organizations utilize this framework to demonstrate their security and compliance in a consistent and streamlined manner. Organizations can complete a self-assessment using the HITRUST framework, or they can engage with a HITRUST assessor for an external, third-party engagement.

REST API Updates

CHANGE
DESCRIPTION
New Prisma Cloud API Requests to List Cloud Account Owners
The following new Prisma Cloud API request is available to request a list of cloud account owner email addresses for a given account:
  • GET cloud/{accountId}/owners
Cloud Account API Requests to Get Cloud Account Information
The response objects for the following API requests include a new attribute
cloudAccountOwnerCount
, which contains the number of cloud account owners for a specific account:
  • GET /cloud
  • GET /cloud/{cloud_type}/{id}

New Features

FEATURE
DESCRIPTION
Condition support for IAM Security
The IAM Security module now supports conditions which enable you to apply conditions when you use the
config from iam where
query.
For example, you can look for a specific condition within the JSON metadata:
config from iam where source.public = true AND grantedby.cloud.policy.condition('aws:SourceIp', 'IpAddress') exists
A range of RQL operators are supported to filter results.
Support for Onboarding Azure Resource Hierarchy
You can now build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy.
Prisma Cloud supports the ability to onboard all or a subset of cloud resources based on how they are grouped under management groups and subscriptions.
This capability is available across all Azure Commercial, Government, and China regions.
Addition of Non-Onboarded Account IDs to an Account Group
If you have an Alibaba, AWS, Azure, or GCP account that is not being monitored on Prisma Cloud, you can manually add the Account IDs as a string to an existing account group or to a new account group. These accounts, called
Non-Onboarded Account IDs
, are then available for users who have access to the
Compute
tab. You can assign these accounts to roles and enable granular access to data and configuration on the Compute tab.
Granular RBAC for Prisma Cloud Roles
For the existing Prisma Cloud administrator roles, the following enhancements are now available:
  • Ability to select account groups for Cloud Provisioning Admin.
  • Ability to assign resource lists (or Collections) for Account and Cloud Provisioning Admin, Account Group Admin, Account Group Read Only, and Build and Deploy Security.
  • Ability to view data collected from Prisma Cloud Defenders deployed
    On-prem/Other cloud providers
    . This includes cloud environments other than AWS, Azure, GCP, and Alibaba clouds for the Account and Cloud Provisioning Admin and the Account Group Admin roles.
Resource List for Compute Access Group
The
Compute Access Group
resource list provides you the ability to enable granular access to a specified list of Compute workloads or resources such as images, code repositories, or hosts instead of granting access to all resources within an account. When you create a resource list on Prisma Cloud (
Settings
Resource Lists
, you can assign it to a role. The workloads you include in the list match criteria are within scope and accessible to the user who is assigned to the role.
On Prisma Cloud Compute, this resource list is referred to as an assigned collection that allows the user to view data on the resources to which you assigned access.
The resource list is automatically added to the list of Collections (
Manage
Collections and Tags
Collections
). Although the Resource List for Compute Access Group is included in the list of collections, you cannot edit it on the Compute tab or use it when you add or edit rules for enforcing security checks on your resources.
Limited GA
Alert Notifications for All States
Prisma Cloud can now send notifications to external integrations for all states—Open, Dismissed,Resolved, Snoozed—when the status of an alert changes.
This feature requires the alerts version 2.0 subsystem and is in
Limited GA
; You can reach out to Prisma Cloud Customer Success if you want to try it on your Prisma Cloud instance.
All integrations except Jira and Cortex XSOAR support notifications for all states.
Update
Alert Notifications to External Integrations
If you have configured Prisma Cloud to send alert notifications to any external integration such as email or Splunk, the link in the URL is formatted differently. The link includes the selected filters as an array, instead of as a string, in the query. For example:
Behavior was—
alerts/overview#alert.status=open&policy.name=${value}
New Behavior:
alerts/overview#alert.status[]=open&policy.name[]=${value}
With this change, all links from notifications that were sent previously will no longer work.
API Ingestion
Amazon S3
aws-s3-access-point
Additional permissions required:
s3:GetAccessPoint
s3:GetAccessPointPolicyStatus
s3:GetAccessPointPolicy
The Security Audit role includes these permissions.
Azure Active Directory Domains
azure-active-directory-custom-domain
Additional permission required:
Domain.Read.All
Support for AWS Milan
Prisma Cloud can now ingest data for the AWS Milan region.
To review a list of supported regions, select
Inventory
Assets
Cloud Region.

Change in Default Behavior

Feature
Change in Behavior
Automated Remediation
As announced in the 21.5.1 release notes, Prisma Cloud is rolling out Alerts 2.0, and the automated remediation behavior is different, depending on whether you are on the alert subsystem version 1.0 or 2.0:
  • Alerts 2.0—When you enable auto-remediation on version 2.0, all applicable open alerts regardless of when they were generated are fixed, and the alert status is updated as
    Resolved
    .
  • Alerts 1.0—When you enable auto-remediation on version 1.0, the CLI commands are only executed for resources where alerts were generated or updated in the last 24 hours. Alerts that were generated before the 24-hour period will not be auto remediated.
To identify the alerts subsystem version, check
Alerts
Overview
. If the
Version: 2
label displays on the top right above the Search box, you are not on version 1.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS IAM configuration updates invoked from Pentoo Linux machine
Identifies AWS IAM configuration updates invoked from the Pentoo Linux machine. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'pentoo'
AWS IAM configuration updates invoked from Parrot Security Linux machine
Identifies AWS IAM configuration updates invoked from the Parrot Security Linux machine. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'parrot'
AWS IAM configuration updates invoked from Kali Linux machine
Identifies AWS IAM configuration updates invoked from the Kali Linux machine. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in unpatched instances. Attackers might use this tool to find configuration weaknesses and gain unauthorized access to your AWS environment.
event from cloud.audit_logs where cloud.service = 'iam.amazonaws.com' AND json.rule = $.userAgent contains 'kali'
Policy Updates—RQL and Metadata
AWS Lambda Environment Variables not encrypted at-rest using CMK
Recommendation update
—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact
—No impact on alerts.
AWS Elastic Load Balancer (Classic) with access log disabled
Recommendation update
—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact
—No impact on alerts.
AWS Lambda Function is not assigned to access within VPC
Recommendation update
—The policy recommendation has been updated according to the new changes introduced by AWS.
Impact
—No impact on alerts.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for CIS GCP v.1.2.0
Prisma Cloud supports CIS Google Cloud Platform Foundation Benchmark v.1.2.0, which includes policy checks for the following GCP services:
  1. Identity and Access Management
  2. Logging and Monitoring
  3. Networking
  4. Virtual Machines
  5. Storage
  6. Cloud SQL Database Services
  7. BigQuery
Impact
—v.1.2.0 supersedes version 1.1.0; v1.1.0 is deprecated and support will be removed in a future release.

REST API Updates

CHANGE
DESCRIPTION
Prisma Cloud API Endpoints for Azure Management Groups
New Prisma Cloud API endpoints are available to help you visualize the management group hierarchy of your onboarded Azure tenant.
The following request lists the Azure management groups and subscriptions under a given parent:
  • POST /cloud-accounts-manager/v1/cloudAccounts/azureAccounts/{parent_id}/children
The following request lists the ancestors of a given list of Azure management groups and/or subscriptions:
  • POST /cloud-accounts-manager/v1/cloudAccounts/azureAccounts/{account_id}/ancestors
Update
Cloud Workload Protection Platform (CWPP) API
Starting on June 14, 2021, the API reference for Compute (CWPP capabilities on Prisma Cloud) will include only stable endpoints.

Recommended For You