Features Introduced in November 2021

Learn what’s new on Prisma™ Cloud in November 2021.

New Features Introduced in 21.11.1

New Features

IAM Security Supports IAM Azure
IAM Security on Prisma Cloud now supports enhanced capabilities to calculate effective permissions, detect overly permissive access, and suggest corrections to reach least-privilege entitlements in your Azure environments. It includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to the ideal set of privileges for your deployment in Azure.

IAM Security Integrates with Azure Active Directory
IAM Security now integrates with Azure Active Directory (Azure AD) and calculates effective permissions and overly permissive access for Azure AD identities, whether Azure AD is used within Azure or as the SSO identity provider for AWS accounts. This gives you visibility into your Azure AD identities and their permissions across your AWS and Azure accounts.
_IPAddress.areAnyOutsideCIDRRange() RQL Function
A new _IPAddress.areAnyOutsideCIDRRange() RQL function allows you to write config RQL queries that check whether any IP/CIDR blocks are outside a given list of permitted CIDR blocks. You can use this function to check whether any resources are exposed to IP addresses outside the RFC 1918 private CIDR blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; note that the example below uses 192.0.0.0/24 and 172.31.0.0/16, which only illustrate the syntax).
The first argument is a JSON expression that evaluates to one or more IP or CIDR addresses. The second and subsequent arguments list the IP/CIDR addresses and/or ranges to test against. IPv4 and IPv6 address formats are accepted. An address that is not a valid IP or CIDR is never considered a match, so a valid IP checked against an invalid range is treated as outside that range.
Example:
_IPAddress.areAnyOutsideCIDRRange(ipPermissions[*].ipv4Ranges[*].cidrIp,192.0.0.0/24,172.31.0.0/16)
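The following is an added example, not code from Prisma Cloud: it re-implements the semantics described above in Python so you can test a candidate policy against security-group JSON offline before writing the RQL. The helper names (json_path_values, are_any_outside_cidr_range, security_group_exposed), the minimal JSON-path evaluator and the sample security-group record are all assumptions of this example; only the attribute path and the invalid-address rule come from the release note.

```python
"""
Local model of _IPAddress.areAnyOutsideCIDRRange(): given the IP/CIDR values found
at a JSON path and a list of permitted ranges, return True when any value lies
outside every permitted range. Invalid candidate values never match; an invalid
permitted range is skipped, so it can contain nothing (a valid IP checked only
against invalid ranges is therefore "outside").
"""
import ipaddress
from typing import Any, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 1918 private address space (the release-note example uses 192.0.0.0/24,
# which is not an RFC 1918 block).
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _parse_network(value: Any) -> Optional[Network]:
    """Parse a bare IP or a CIDR into a network object; None if it is not valid.
    strict=True (the default) rejects CIDRs with host bits set, e.g. 10.1.2.3/8."""
    if not isinstance(value, str):
        return None
    try:
        return ipaddress.ip_network(value)
    except ValueError:
        return None


def json_path_values(obj: Any, path: str) -> List[Any]:
    """Minimal evaluator for dotted paths with '[*]' wildcards, enough for
    'ipPermissions[*].ipv4Ranges[*].cidrIp' (an assumption of this example)."""
    nodes = [obj]
    for part in path.split("."):
        wildcard = part.endswith("[*]")
        key = part[:-3] if wildcard else part
        nxt: List[Any] = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue
            value = node[key]
            if wildcard:
                nxt.extend(value if isinstance(value, list) else [value])
            else:
                nxt.append(value)
        nodes = nxt
    return nodes


def are_any_outside_cidr_range(values: Iterable[Any], *permitted: str) -> bool:
    """True if any valid candidate is not contained in any valid permitted range."""
    allowed = [n for n in (_parse_network(p) for p in permitted) if n is not None]
    for raw in values:
        net = _parse_network(raw)
        if net is None:
            continue  # invalid IP/CIDR: never a match
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        contained = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        if not contained:
            return True
    return False


def security_group_exposed(resource: dict, *permitted: str) -> bool:
    """Mirror of the RQL call in the release note, applied to one resource record."""
    return are_any_outside_cidr_range(
        json_path_values(resource, "ipPermissions[*].ipv4Ranges[*].cidrIp"), *permitted
    )


# Constructed record resembling an aws-ec2-describe-security-groups result (not real data).
SAMPLE_SG = {
    "groupName": "app-sg",
    "ipPermissions": [
        {"fromPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "172.16.5.0/24"}]},
        {"fromPort": 22, "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]},
        {"fromPort": 8080, "ipv4Ranges": [{"cidrIp": "not-a-cidr"}]},
    ],
}

if __name__ == "__main__":
    # True: the SSH rule admits 203.0.113.0/24, which is outside RFC 1918
    print(security_group_exposed(SAMPLE_SG, *RFC1918))
    # True: a valid IP tested only against an invalid range counts as outside it
    print(are_any_outside_cidr_range(["10.1.2.3"], "10.0.0.0/33"))
```

The version check before subnet_of() matters: without it, an IPv6 candidate tested against IPv4 ranges raises instead of being reported as outside, which is what the RQL function does for a valid IPv6 address that no permitted IPv4 range can contain.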
Automatically Dismiss Alerts (Limited GA)
You can now automatically dismiss alerts for resources that carry specific tags, as defined on the resource and added to the Resource List on Prisma Cloud. This enhancement lets you record a Reason, Requestor, and Approver for the automatic dismissal; the reason for dismissal is included in the alert rule L2 view.
With Auto Dismissal, when you update an alert rule, all existing alerts with matching tags are auto dismissed. An alert that has already been dismissed stays dismissed when you later update the alert rule.
API Ingestions

Amazon Elastic Load Balancing: aws-elbv2-target-health
No additional permissions required.

AWS S3: getBucketReplicationConfiguration
Additional permissions required:
  • s3:GetReplicationConfiguration

AWS Systems Manager: aws-ssm-document
Additional permissions required:
  • ssm:DescribeDocument
  • ssm:DescribeDocumentPermission
  • ssm:GetDocument
  • ssm:ListDocuments

AWS Shield: aws-shield-advanced-status
Additional permissions required:
  • shield:GetSubscriptionState

Azure Service Bus: azure-service-bus-topic-subscription
Additional permissions required (the Reader role includes them):
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read

Azure Service Bus: azure-service-bus-topic
Additional permissions required (the Reader role includes them):
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.ServiceBus/namespaces/topics/authorizationRules/read

Azure Service Bus: azure-service-bus-queue
Additional permissions required (the Reader role includes them):
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/queues/authorizationRules/read

Google Firebase Rules: gcloud-firebaserules-ruleset
Additional permissions required:
  • firebaserules.rulesets.get
  • firebaserules.rulesets.list
  • firebaserules.releases.list

Google Cloud Composer: gcloud-composer-environment
Additional permissions required:
  • composer.environments.list

Changes in Existing Behavior

AWS Snapshot API Ingestion of Public AMIs (Update)
Prisma Cloud now supports AWS Snapshot API ingestion of additional public AMIs. The auto-defend feature in Compute uses this to obtain the image platform information that determines whether an image is Windows- or Linux-based, which in turn determines the type of Defender deployed for the image.
The default time interval for the ingestion of public AMIs is 24 hours.
If you have a custom policy with RQL that checks the JSON metadata attribute image.public=true, it now returns results for all AMIs that are public, not only those shared with your account.
Old Behavior: The following RQL displays results for all AMIs that are public and shared with the account:
config from cloud.resource where cloud.type= 'aws' AND api.name= 'aws-ec2-describe-images' and json.rule = image.public is true
New Behavior: The same RQL now displays all images that are public, both those shared with the account and those that are not. To retain the behavior prior to the change, modify your custom policies to add the condition image.shared is false alongside image.public is true:
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-images' AND json.rule = image.public is true and image.shared is false
AWS SSM Document API (Update)
AWS Systems Manager: aws-ssm-document
The aws-ssm-document API that Prisma Cloud currently ingests is updated to fetch more resource metadata from the AWS Systems Manager service. The permissions required are:
  • ssm:DescribeDocument
  • ssm:DescribeDocumentPermission
  • ssm:GetDocument
  • ssm:ListDocuments
Impact: The isShared attribute in the API is replaced with accountSharingInfoList. As a best practice, update any custom policies that use isShared, such as the one below, and replace the isShared check with a check on the new accountSharingInfoList attribute:
config from cloud.resource where api.name = 'aws-ssm-document' AND json.rule = isShared is true
API Ingestions (Updates)

Azure Active Directory
The azure-active-directory-group-members API, along with any default policies on that API, is deprecated. The same ingestion capabilities are provided by the new azure-active-directory-iam-group API.
Old: azure-active-directory-group-members
New: azure-active-directory-iam-group

Deprecated Permissions Removed from GCP APIs
The cloudfunctions.locations.list, cloudtasks.locations.list, and run.locations.list permissions are no longer mandatory for the gcloud-cloud-function, gcloud-cloud-run-services-list, and gcloud-cloud-task APIs, respectively.

New Compliance Benchmarks and Updates

Azure Security Benchmark (ASB) v2
New compliance support for Azure Security Benchmark (ASB) v2.

CIS Azure v1.3.1
New compliance support for CIS Microsoft Azure Foundations Benchmark v1.3.1.

New Policies and Policy Updates

New Policies

GCP Cloud Run service with overly permissive ingress rule
Identifies GCP Cloud Run services configured with an overly permissive ingress rule (ingress set to all). It is recommended to restrict traffic from the public internet and other resources by allowing traffic to enter only through load balancers or from internal sources, for better network-based access control.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-run-services-list' AND json.rule = "status.conditions[?any(type equals Ready and status equals True)] exists and status.conditions[?any(type equals RoutesReady and status equals True)] exists and ['metadata'].['annotations'].['run.googleapis.com/ingress'] equals all"

GCP Cloud Function HTTP trigger is not secured
Identifies GCP Cloud Functions whose HTTP trigger is not secured. When you configure HTTP functions to be triggered only over HTTPS, plain-HTTP requests are redirected to HTTPS, which is more secure. It is recommended to set 'Require HTTPS' when configuring the HTTP trigger while deploying your GCP Cloud Function.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and httpsTrigger.securityLevel does not equal SECURE_ALWAYS

GCP Cloud Function configured with overly permissive Ingress setting
Identifies GCP Cloud Functions configured with an overly permissive ingress setting (ALLOW_ALL). It is recommended to restrict traffic from the public internet and other resources by allowing traffic only from VPC networks in the same project or through Cloud Load Balancing, for better network-based access control.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-function' AND json.rule = status equals ACTIVE and ingressSettings equals ALLOW_ALL
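The following is an added example, not Prisma Cloud code: it reproduces the logic of the three new GCP policies above in Python over constructed records shaped like the Cloud Run (Knative Service) and Cloud Functions API responses the RQL walks, so the conditions can be exercised offline. The function names, the kind field used to tell the two resource types apart, and the sample records are assumptions of this example; treating a function with no httpsTrigger as out of scope for the HTTPS check is also an assumption about how the RQL handles a missing attribute.

```python
"""
Offline evaluation of the three new GCP policies:
  1. Cloud Run service serving traffic (Ready and RoutesReady) with ingress 'all'
  2. ACTIVE Cloud Function whose HTTP trigger securityLevel is not SECURE_ALWAYS
  3. ACTIVE Cloud Function whose ingressSettings is ALLOW_ALL
"""
from typing import Dict, List


def _condition_true(conditions: List[dict], cond_type: str) -> bool:
    """Mirror status.conditions[?any(type equals <X> and status equals True)] exists."""
    return any(c.get("type") == cond_type and c.get("status") == "True" for c in conditions)


def cloud_run_ingress_overly_permissive(service: dict) -> bool:
    """Policy 1: only a service that is actually serving (Ready + RoutesReady)
    and annotated run.googleapis.com/ingress=all is reachable from the internet."""
    conditions = service.get("status", {}).get("conditions", [])
    annotations = service.get("metadata", {}).get("annotations", {})
    return (
        _condition_true(conditions, "Ready")
        and _condition_true(conditions, "RoutesReady")
        and annotations.get("run.googleapis.com/ingress") == "all"
    )


def cloud_function_http_trigger_not_secured(function: dict) -> bool:
    """Policy 2: ACTIVE function with an HTTP trigger not set to SECURE_ALWAYS.
    Assumption: event-triggered functions (no httpsTrigger) are out of scope."""
    trigger = function.get("httpsTrigger")
    return (
        function.get("status") == "ACTIVE"
        and trigger is not None
        and trigger.get("securityLevel") != "SECURE_ALWAYS"
    )


def cloud_function_ingress_overly_permissive(function: dict) -> bool:
    """Policy 3: ACTIVE function accepting ingress from anywhere (ALLOW_ALL)."""
    return function.get("status") == "ACTIVE" and function.get("ingressSettings") == "ALLOW_ALL"


def evaluate(resources: Dict[str, dict]) -> Dict[str, List[str]]:
    """Run all three checks; return {policy: [names of resources that would alert]}.
    The 'kind' discriminator is an assumption of this example, not an API field."""
    findings: Dict[str, List[str]] = {
        "cloud-run-ingress": [], "function-http-not-secured": [], "function-ingress": []
    }
    for name, res in resources.items():
        if res.get("kind") == "Service" and cloud_run_ingress_overly_permissive(res):
            findings["cloud-run-ingress"].append(name)
        if res.get("kind") == "Function":
            if cloud_function_http_trigger_not_secured(res):
                findings["function-http-not-secured"].append(name)
            if cloud_function_ingress_overly_permissive(res):
                findings["function-ingress"].append(name)
    return findings


# Constructed sample records (not real deployments).
SERVING = [{"type": "Ready", "status": "True"}, {"type": "RoutesReady", "status": "True"}]
SAMPLE_RESOURCES = {
    "run-public": {"kind": "Service",
                   "metadata": {"annotations": {"run.googleapis.com/ingress": "all"}},
                   "status": {"conditions": SERVING}},
    "run-internal": {"kind": "Service",
                     "metadata": {"annotations": {"run.googleapis.com/ingress": "internal-and-cloud-load-balancing"}},
                     "status": {"conditions": SERVING}},
    "run-not-ready": {"kind": "Service",  # ingress 'all' but not serving: no alert
                      "metadata": {"annotations": {"run.googleapis.com/ingress": "all"}},
                      "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
    "fn-weak": {"kind": "Function", "status": "ACTIVE",
                "httpsTrigger": {"securityLevel": "SECURE_OPTIONAL"}, "ingressSettings": "ALLOW_ALL"},
    "fn-hardened": {"kind": "Function", "status": "ACTIVE",
                    "httpsTrigger": {"securityLevel": "SECURE_ALWAYS"}, "ingressSettings": "ALLOW_INTERNAL_ONLY"},
    "fn-event": {"kind": "Function", "status": "ACTIVE",  # Pub/Sub trigger, no HTTP endpoint
                 "eventTrigger": {"eventType": "google.pubsub.topic.publish"}, "ingressSettings": "ALLOW_ALL"},
}

if __name__ == "__main__":
    for policy, names in evaluate(SAMPLE_RESOURCES).items():
        print(f"{policy}: {names}")
```

The hardened values shown in the sample (Cloud Run ingress internal-and-cloud-load-balancing, Cloud Functions ingressSettings ALLOW_INTERNAL_ONLY and securityLevel SECURE_ALWAYS) are the settings the three recommendations above ask for; ALLOW_INTERNAL_AND_GCLB is the Cloud Functions equivalent of allowing traffic only through Cloud Load Balancing.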
Policy Updates: Metadata

AWS access keys not used for more than 90 days
Changes: The policy recommendation has been updated.
Impact: This change does not impact existing alerts.

Policy Updates: RQL

AWS Amazon Machine Image (AMI) is publicly accessible
The update to the aws-ec2-describe-images API ingests resources that are not owned by the AWS account, which causes excess alerts. The RQL has been updated to generate alerts only for customer-owned AMIs that are public: an image must be public, must not be one merely shared with the account, and must carry no imageOwnerAlias (the alias that AWS-provided and AWS Marketplace images carry). The description and recommendation steps have also been updated.
Current
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-ec2-describe-images' AND json.rule = 'image.public is true'
Updated to
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-images' AND json.rule = image.public is true and image.shared is false and image.imageOwnerAlias does not exist
Impact: This change does not impact existing alerts.

AWS resources that are publicly accessible through IAM policies
The RQL for this policy now includes an additional attribute, cloud.policy.conditions, tested through grantedby.cloud.policy.condition(...) clauses. A grant to a wildcard principal is now reported as public only when the granting policy carries none of the listed condition keys that scope it to a source account, VPC, IP range, organization, ARN or identity. Note that the clauses test for the presence of a condition key, not its value, so a policy whose condition is present but permissive (for example an aws:SourceIp condition that allows 0.0.0.0/0) is no longer flagged by this policy.
Current
config from iam where dest.cloud.type = 'AWS' and source.public = true
Updated to
config from iam where dest.cloud.type = 'AWS' and source.public = true AND grantedby.cloud.policy.condition ( 'aws:SourceArn' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:VpcSourceIp' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:username' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:userid' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:SourceVpc' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:SourceIp' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:SourceIdentity' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:SourceAccount' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:PrincipalOrgID' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:PrincipalArn' ) does not exist AND grantedby.cloud.policy.condition ( 'aws:SourceOwner' ) does not exist AND grantedby.cloud.policy.condition ( 'kms:CallerAccount' ) does not exist
Impact: The accuracy of alerts is improved.
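The following is an added example, not Prisma Cloud code: it applies the same condition-key exclusion as the updated RQL above to raw AWS resource-based policy documents (an S3 bucket policy here), which is what you would run against policies pulled with the AWS CLI to see which grants the updated policy now suppresses. The function names and the three constructed bucket policies are assumptions of this example; the list of condition keys is the one in the updated RQL.

```python
"""
Classify resource-based policy statements the way the updated policy does:
an Allow statement for a wildcard principal is public unless it carries at least
one of the scoping condition keys. Presence of the key is all that is checked,
exactly as in the RQL, which is why the last sample below is NOT flagged.
"""
import json
from typing import List, Set

# Condition keys the updated RQL tests for; IAM treats keys case-insensitively.
SCOPING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:vpcsourceip", "aws:username", "aws:userid",
    "aws:sourcevpc", "aws:sourceip", "aws:sourceidentity", "aws:sourceaccount",
    "aws:principalorgid", "aws:principalarn", "aws:sourceowner", "kms:calleraccount",
}


def has_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def condition_keys(condition: dict) -> Set[str]:
    """Flatten {"StringEquals": {"aws:SourceAccount": "..."}} into {"aws:sourceaccount"}."""
    return {key.lower() for operator_args in condition.values() for key in operator_args}


def public_statements(policy: dict) -> List[dict]:
    """Allow statements for a wildcard principal that carry none of the scoping keys."""
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not has_wildcard_principal(stmt.get("Principal")):
            continue
        if condition_keys(stmt.get("Condition") or {}) & SCOPING_CONDITION_KEYS:
            continue  # scoped by a listed key: the updated policy no longer alerts
        found.append(stmt)
    return found


def is_public(policy_json: str) -> bool:
    """Verdict for one policy document, mirroring the updated RQL."""
    return bool(public_statements(json.loads(policy_json)))


# Constructed bucket policies (example-bucket is not a real resource).
OPEN_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
ORG_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
})
# The scoping key is present but its value admits every address: the RQL checks
# only for the key, so this document is no longer flagged although anyone can read it.
IP_SCOPED_BUT_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}],
})

if __name__ == "__main__":
    for name, doc in [("open", OPEN_BUCKET), ("org-scoped", ORG_SCOPED),
                      ("ip-0.0.0.0/0", IP_SCOPED_BUT_OPEN)]:
        print(f"{name}: public={is_public(doc)}")
```

If you need to catch the last case, add a value check for the keys whose values can themselves be wildcards (aws:SourceIp, aws:SourceArn, aws:PrincipalArn) rather than relying on key presence alone.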

REST API Updates

Prisma Cloud CSPM REST API Schema Properties for AWS Cloud Accounts
The following CSPM API schema properties have been removed:
  • AwsCloudAccountModel.canonicalId
  • AwsCloudAccountModel.cloudAccountStatus
AwsCloudAccountModel is the response schema for the following API request:
  • GET /cloud/aws/{id}
