Features Introduced in January 2022

Learn what’s new on Prisma™ Cloud in January 2022.

New Features Introduced in 22.1.2

New Features

FEATURE
DESCRIPTION
Alert Details Updates
The drill-downs for alerts have a new look and the navigation in the console is updated. You can easily edit the policy that triggered the alert, view the details on the resources and the policy recommendations in separate tabs, and when you select the Alert ID, the slide-out panel provides a better view of the alert details.
In addition, the page load time is much faster.
Length Limit for Field Names
The number of characters in user role name, access keys, and IP allow list names for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field.
Display Cloud Account Owner Details for AWS Organizations and Member Accounts
The account owner information for AWS Organizations and member accounts is now fetched from the AWS account and displayed on Settings > Cloud Accounts.
Note: This is not supported for AWS standalone accounts.
API Ingestions
AWS Data Pipeline
aws-datapipeline-pipeline
Additional permissions required:
  • datapipeline:DescribePipelines
  • datapipeline:GetPipelineDefinition
  • datapipeline:ListPipelines
Amazon S3
aws-s3api-get-bucket-acl
Additional permission required:
s3:GetBucketCORS
Azure Application Insights
azure-application-insights-component
Additional permission required:
Microsoft.Insights/Components/Read
Azure Storage Sync Services
azure-storage-sync-service
Additional permission required:
microsoft.storagesync/storageSyncServices/read
The following OCI APIs are ingested:
OCI Bare Metal and VM Databases
oci-oracledatabase-bmvm-dbsystem
Network Load Balancer
oci-networking-loadbalancer
With the ingestion of these APIs, Prisma Cloud now includes OCI Bare Metal and VM Databases and Network Load Balancer as licensable assets that use Prisma Cloud credits. These resources are added to the count of monitored resources on the Licensing page of the Prisma Cloud administrator console.

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS RDS Cluster snapshot is accessible to public
Identifies AWS RDS Cluster snapshots that are publicly accessible. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If RDS Cluster snapshots are inadvertently shared publicly, any unauthorized user with AWS console access can gain access to the snapshots and the sensitive data they contain.
config from cloud.resource where cloud.type = 'aws' and api.name= 'aws-rds-db-cluster-snapshots' AND json.rule = dbclusterSnapshotAttributes[?any( attributeName equals restore and attributeValues[*] contains "all" )] exists
Azure AD MFA is not enabled for the user
Identifies Azure users that do not have Active Directory Multi-Factor Authentication (AD MFA) enabled. Azure AD MFA is a best practice that adds an extra layer of protection on top of your username and password. MFA provides increased security for your Azure account settings and resources. As a best practice, enable AD MFA using Conditional Access policies to protect your users.
config from cloud.resource where api.name = 'azure-active-directory-credential-user-registration-details' AND json.rule = isMfaRegistered is false as X; config from cloud.resource where api.name = 'azure-active-directory-user' AND json.rule = accountEnabled is true as Y; filter '$.X.userDisplayName equals $.Y.displayName'; show X;
Azure Key Vault Key has no expiration date (Non-RBAC Key vault)
Identifies Azure Key Vault keys that do not have an expiration date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each key and rotate your keys regularly.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' and json.rule = keys[?any(attributes.exp equals -1 and attributes.enabled contains true)] exists and properties.enableRbacAuthorization is false
Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Identifies Azure Key Vault secrets that do not have an expiry date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each secret and rotate the secret regularly.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-key-vault-list' and json.rule = secrets[?any(attributes.exp equals -1 and attributes.enabled contains true)] exists and properties.enableRbacAuthorization is false
Azure Service bus namespace configured with overly permissive authorization rules
Identifies Azure Service Bus namespaces configured with overly permissive authorization rules. Service Bus clients should not use a namespace level access policy that provides access to all queues and topics in a namespace.
As a best practice, follow the least privileged security model to create access policies at the entity level for queues and topics to provide access to only the specific entity. All authorization rules except RootManageSharedAccessKey should be removed from the Service bus namespace.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-service-bus-namespace' AND json.rule = authorizationRules[*] size greater than 1 and authorizationRules[?any(name does not equal RootManageSharedAccessKey and properties.rights contains Manage)] exists
GCP API key not restricting any specific API
Identifies GCP API keys that do not restrict any specific APIs. API keys are insecure credentials because they can be viewed publicly (for example, from a browser) or accessed on a device where the key resides. As a best practice, restrict API keys to use only the APIs required by an application.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = restrictions.apiTargets does not exist
GCP API key not rotating in every 90 days
Identifies GCP API keys that were created more than 90 days ago. Google recommends using the standard authentication flow instead of API keys, but there are limited scenarios where API keys are more appropriate. As a best practice, rotate your API keys every 90 days to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-api-key' AND json.rule = "_DateTime.ageInDays(createTime) > 90"
Policy Updates—Metadata
GCP VPC Flow logs for the subnet is set to off
Changes—
The CLI command now requires the following permission to enable GCP Flow logs to capture information about the IP traffic going to-and-from networks in VPC Subnets:
compute.subnetworks.update
Impact—
If auto-remediation is enabled then alerts will be resolved as Remediated.
GCP Kubernetes Engine private cluster has private endpoint disabled
Changes—
The RQL has been modified to comply with the latest CIS guidelines. The private cluster check is replaced by a private endpoint check because the former is now deprecated, and the recommended steps have been updated to reflect the latest UI changes.
Current name—
GCP Kubernetes Engine Clusters not configured with private cluster
Updated to—
GCP Kubernetes Engine private cluster has private endpoint disabled
Current description—
This policy identifies Kubernetes Engine Clusters which are not configured with the Private cluster. Private cluster makes your master inaccessible from the public internet and nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet.
Updated to—
This policy identifies GCP Kubernetes Engine private clusters with private endpoint disabled. A public endpoint might expose the current cluster and Kubernetes API version and an attacker may be able to determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats, and require the attacker to be on the master’s VPC network to perform any attack on the Kubernetes API. It is recommended to enable the private endpoint and disable public access on Kubernetes clusters.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'privateCluster does not exist or privateCluster is false'
Updated to—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and privateClusterConfig exists and privateClusterConfig.enablePrivateEndpoint does not exist
Impact—
Previously generated alerts will be resolved as Policy_Updated.
Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Changes—
In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check.
Current name—
Azure Key Vault secrets have no expiration date
Updated to—
Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Impact—
Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated.
Azure Key Vault Key has no expiration date (RBAC Key vault)
Changes—
In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check.
Current name—
Azure Key Vault Key have no expiration date
Updated to—
Azure Key Vault Key has no expiration date (RBAC Key vault)
Impact—
Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated.
AWS SQS queue access policy is overly permissive
Changes—
The RQL has been updated to include the Condition statement when reporting the AWS SQS resources.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Principal equals * and Effect equals Allow)] exists
Updated to—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-sqs-get-queue-attributes' AND json.rule = attributes.Policy.Statement[?any(Effect equals Allow and Action anyStartWith sqs: and (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists
Impact—
Previously generated alerts for resources that have the Condition statement will be resolved as Policy_Updated.
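To make the difference between the old and the updated SQS check concrete, here is an added example (not Prisma Cloud code) that re-implements both over the Policy attribute returned by get-queue-attributes. The queue names, account id and ARNs in the sample data are constructed.

```python
# Added example (not Prisma Cloud code): the overly-permissive SQS queue
# policy check above, re-implemented over the Policy attribute that
# get-queue-attributes returns as a JSON string.
import json


def _as_list(value):
    """IAM policy fields (Action, Principal.AWS, Statement) may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """Matches the RQL clause: Principal.AWS contains * or Principal equals *."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def statement_is_public_sqs(stmt):
    """Updated RQL: Effect Allow, an sqs: action, a wildcard principal and no Condition."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    if not any(isinstance(a, str) and a.startswith("sqs:") for a in actions):
        return False
    if not _principal_is_wildcard(stmt.get("Principal")):
        return False
    # A Condition block (for example aws:SourceArn) scopes the grant, so the
    # updated policy no longer reports the statement.
    return "Condition" not in stmt


def statement_is_public_sqs_old(stmt):
    """Previous RQL: Principal equals * and Effect equals Allow, nothing else."""
    return stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*"


def queue_is_overly_permissive(policy_attr, check=statement_is_public_sqs):
    """True if any statement of the queue's Policy attribute matches `check`."""
    if not policy_attr:
        return False  # no Policy attribute: only the owner account has access
    policy = json.loads(policy_attr) if isinstance(policy_attr, str) else policy_attr
    return any(check(stmt) for stmt in _as_list(policy.get("Statement")))


def evaluate_queues(policies, check=statement_is_public_sqs):
    """Map queue name -> whether the policy would be reported under `check`."""
    return {name: queue_is_overly_permissive(attr, check) for name, attr in policies.items()}


# Constructed sample Policy attributes; the account id and ARNs are made up.
_ACCOUNT = "123456789012"
SAMPLE_QUEUE_POLICIES = {
    "public": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
        "Resource": f"arn:aws:sqs:us-east-1:{_ACCOUNT}:public"}]}),
    # Wildcard principal but scoped to one SNS topic by a Condition: reported by
    # the old RQL, resolved as Policy_Updated by the new one.
    "public_with_condition": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": ["sqs:SendMessage"],
        "Resource": f"arn:aws:sqs:us-east-1:{_ACCOUNT}:alerts",
        "Condition": {"ArnEquals": {"aws:SourceArn": f"arn:aws:sns:us-east-1:{_ACCOUNT}:alerts"}}}]}),
    # {"AWS": "*"} is the form the old RQL (Principal equals *) did not match.
    "aws_wildcard_no_condition": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sqs:ReceiveMessage",
        "Resource": f"arn:aws:sqs:us-east-1:{_ACCOUNT}:inbox"}]}),
    "account_scoped": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{_ACCOUNT}:root"},
        "Action": "sqs:*", "Resource": f"arn:aws:sqs:us-east-1:{_ACCOUNT}:internal"}]}),
    "no_policy": None,
}

if __name__ == "__main__":
    for name, flagged in evaluate_queues(SAMPLE_QUEUE_POLICIES).items():
        old = queue_is_overly_permissive(SAMPLE_QUEUE_POLICIES[name], statement_is_public_sqs_old)
        print(f"{name:28s} updated={flagged!s:5s} old={old}")
```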
Policy Deletions
The AWS entities with risky permissions policy is deleted to avoid duplicate alerts after the release of the new OOTB policies for AWS. It can be replaced by the following new AWS policies for specific entity types:
  • AWS EC2 instance with IAM write access level
  • AWS Lambda Function with IAM write access level
  • Elasticbeanstalk Platform with IAM write access level
  • ECS Task Definition with IAM write access level
  • Okta User with IAM write access level
  • IAM User with IAM write access level
  • AWS EC2 instance with IAM permissions management access level
  • AWS Lambda Function with IAM permissions management access level
  • Elasticbeanstalk Platform with IAM permissions management access level
  • ECS Task Definition with IAM permissions management access level
  • Okta User with IAM permissions management access level
  • IAM User with IAM permissions management access level
  • AWS EC2 instance with org write access level
  • AWS Lambda Function with org write access level
  • Elasticbeanstalk Platform with org write access level
  • ECS Task Definition with org write access level
  • Okta User with org write access level
  • IAM User with org write access level
Impact—
Previously generated alerts will be resolved as Policy_Deleted.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
Support for Azure Security Benchmark (V3)
The Azure Security Benchmark (ASB) is a set of best practices for improving the security of workloads, data, and services on Azure. ASB is part of a set of holistic security guidelines that includes:
  • Cloud Adoption Framework
  • Azure Well-Architected Framework
  • Microsoft Security Best Practices
  • Microsoft Cybersecurity Reference Architectures (MCRA)
Updates for Azure Key Vault Policies
The following Azure Key Vaults related policies have been updated to include mappings for RBAC and Non-RBAC user roles:
  • Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
  • Azure Key Vault Key has no expiration date (Non-RBAC Key vault)
Impact—
No impact on alerts.
The updated compliance benchmarks are: APRA, azure_pipeda, azure_mitre_attack_framework, CIS_Azure_130, cis_azure, NIST_800_172, CMMC_1_02, mlps20_azure, LGPD, CIS_Azure_120, NIST_800_53_R4_Azu_leg, NIST_CSF_v_1_1, CIS_Azure_131, CIS_Azure_140, NIST_800_171R2, CSA_CCM_v4, HITRUST942, NIST_800_53_R5_Azure, azure_mitre_attack_v8_framework, azure_ccpa, ISO_27017_2015, PCIDSS_321, and ISO_27002_2013.

REST API Updates

CHANGE
DESCRIPTION
Removal of Deprecated Integration API Endpoints
The following deprecated integration endpoints have been removed except for integrations with Okta, Tenable, and Qualys:
  • DELETE /integration/{id}
  • POST /integration
  • PUT /integration/{id}
  • GET /integration
  • GET /integration/{id}
  • GET /integration/name
  • POST /integration/test
A new Integration API is available to replace all the endpoints above except GET /integration/name.
Removal of Deprecated Notification Template API Endpoints
The following deprecated notification template endpoints have been removed:
  • DELETE /notification/template/{id}
  • POST /notification/template
  • PUT /notification/template/{id}
  • GET /notification/template/{id}
  • GET /notification/template
  • POST /notification/template/clone/{id}
A new Notification Template API is available to replace the endpoints above.
The following deprecated endpoints have been removed with no replacement:
  • GET /template/servicenow/{integrationId}/{incidentType}/fields
  • GET /template/servicenow/{integrationId}/{incidentType}/fields/{objectName}/{referenceField}/suggestions
  • GET /template/servicenow/{integrationId}/types
  • GET /template/fields/jira/projects/{integrationId}/types
  • GET /template/fields/jira/{integrationId}/{project}/{issueType}
  • GET /template/fields/jira/issues/{integrationId}/{projectKey}
  • GET /template/fields/jira/{integrationId}/{project}/{issueType}/users/{searchKey}
  • GET /template/fields/jira/{integrationId}/{project}/{issueType}/{jiraEndpoint}/{fieldType}/{field}
Removal of Access Key API Ability to Update Expiration Timestamp
The following endpoint no longer supports the ability to update the access key expiration timestamp:
  • PUT /access_keys/{id}
Removal of Deprecated Alert Rules Endpoint to List Alert Rules
The following deprecated alert rules API endpoint has been removed:
  • GET /alert/rules
The following alert rules API endpoint provides similar functionality:
  • GET /v2/alert/rule
Enterprise Settings API
A new request body parameter accessKeyMaxValidity exists for the following enterprise settings endpoint:
  • POST /settings/enterprise
You can use this parameter to set the maximum number of days an access key is valid.
Further, accessKeyMaxValidity is available through the response object of the following endpoints:
  • GET /settings/enterprise
  • POST /settings/enterprise
Role Info in Login Refresh Session Endpoint Response
The response object for the following endpoint now includes a roles attribute, which contains a list of permissions based on the user role type:
  • GET /auth_token/extend

New Features Introduced in 22.1.1

New Features

FEATURE
DESCRIPTION
Limited GA
Adoption Advisor
Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier!
The Adoption Advisor gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action.
Code Security
The all-new Code Security module is here for Prisma Cloud Enterprise Edition! To proactively improve the security posture of cloud infrastructure as you create, deploy, and maintain your business-impacting resources using IaC templates and automation pipelines, use the Code Security module to identify and protect against vulnerabilities, misconfigurations, and compliance violations in IaC templates such as Terraform, CloudFormation, and Helm.
These capabilities are tightly embedded in DevOps workflows and tooling to provide fast feedback and enforce guardrails in code during the development lifecycle. Armed with a centralized view of all misconfigurations across scanned repositories on the Prisma Cloud administrative console, with filtering and searching to find code blocks and owners, you can review and address misconfigurations or violations very quickly. See Features Introduced in January 2022 for more.
Refreshed Enterprise Settings UI
The Enterprise Settings page is refreshed to provide a better user experience.
Length Limit for User Profile Name Fields
The number of characters in username, first name, and last name for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field.
New Operator for Wildcard Support in RQL Attributes
The like operator is added to enable wildcard (*) support so that all available permissions in your cloud accounts are displayed.
The following example uses the like operator:
config from iam where dest.cloud.account LIKE 'account-dev-3'
In this example, the results displayed will match all of the available permissions in account-dev-3.
If you want to see the exact result for the search value, use the = operator.
Automatic Time Zone Detection—Change in Behavior
The time zone is now set automatically for Prisma Cloud administrators. It is derived from the user’s web browser and is based on the operating system used to access the Prisma Cloud administrative console.
The Time Zone field that allowed you to select the time zone is removed from the User Profile, Settings > Users > Service Account, and Settings > SSO pages.
API Ingestions
aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource for Log4j vulnerability
In addition to the existing APIs for aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource, the following API is now also ingested to protect from the Log4j vulnerability:
wafv2:ListResourcesForWebACL
AWS AppSync
aws-appsync-graphql-api
Additional permission required:
appsync:ListGraphqlApis
Amazon DAX
aws-dax-cluster
Additional permissions required:
  • dax:DescribeClusters
  • dax:ListTags
Amazon DocumentDB
aws-docdb-db-cluster-parameter-group
Additional permissions required:
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:ListTagsForResource
Amazon FSx
aws-fsx-file-system
Additional permission required:
fsx:DescribeFileSystems
Amazon RDS
aws-rds-db-cluster-parameter-group
Additional permissions required:
  • rds:DescribeDBClusterParameters
  • rds:DescribeDBClusterParameterGroups
  • rds:ListTagsForResource
Amazon QuickSight
aws-quicksight-dataset
Additional permissions required:
  • quicksight:ListDataSets
  • quicksight:ListTagsForResource
Amazon QuickSight
aws-quicksight-datasource
Additional permissions required:
  • quicksight:ListDataSources
  • quicksight:ListTagsForResource
Update
AWS ECR Ingestion to ingest public repositories
The API has been updated with the following information:
New API name: aws-ecr-public-repositories
New permissions added to the CFT templates:
  • ecr-public:DescribeRepositories
  • ecr-public:GetRepositoryCatalogData
  • ecr-public:GetRepositoryPolicy
  • ecr-public:ListTagsForResource
Update
Amazon Cognito
The following new permission is required to ingest the aws-cognito-identity-pool API:
cognito-identity:DescribeIdentityPool
Without this permission, identity pool resources will not be ingested and all the existing resources will be marked as deleted.
Update
Amazon EC2
The following new permission is required to ingest the disableApiTermination field in the aws-ec2-describe-instances API:
ec2:DescribeInstanceAttribute
Amazon Simple Email Service
aws-ses-identities
Additional permissions required:
  • ses:GetIdentityDkimAttributes
  • ses:GetIdentityPolicies
  • ses:ListIdentityPolicies
  • ses:ListIdentities
AWS Web Application Firewall (WAF) and WAFv2
aws-waf-classic-web-acl-resource
aws-waf-v2-web-acl-resource
Azure Cognitive Services
azure-cognitive-services-account
Additional permission required:
Microsoft.CognitiveServices/accounts/read
Azure Virtual Network Gateway
azure-virtual-network-gateway
Additional permission required:
Microsoft.Network/virtualNetworkGateways/read
Azure Virtual Network
azure-private-link-service
Additional permission required:
Microsoft.Network/privateLinkServices/read
Azure Virtual Network
azure-bastion-host
Additional permission required:
Microsoft.Network/bastionHosts/read
Azure Machine Learning
azure-machine-learning-workspace
Additional permission required:
Microsoft.MachineLearningServices/workspaces/read
Azure Recovery Services
azure-recovery-service-backup-protected-item
Additional permission required:
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
Azure Recovery Services
azure-recovery-service-vault
Additional permission required:
Microsoft.RecoveryServices/Vaults/read
Azure Web Application Firewall
azure-application-gateway-waf-policy
Additional permission required:
Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
Google API Key
gcloud-api-key
Additional permission required:
apikeys.keys.list
Google Cloud Data Fusion
gcloud-datafusion-instance
Additional permissions required:
  • datafusion.instances.list
  • datafusion.instances.getIamPolicy
Google Container Analysis
gcloud-container-analysis-vulnerability-summary
Additional permission required:
  • containeranalysis.occurrences.list
Google Cloud Memorystore
gcloud-redis-instances-list
Additional permission required:
  • redis.instances.list
Google Compute Engine
gcloud-ssl-certificate
Additional permission required:
compute.sslCertificates.list
Google Cloud DNS
gcloud-dns-policy
Additional permission required:
dns.policies.list
Google Cloud Armor
gcloud-armor-security-policy
Additional permission required:
compute.securityPolicies.list
Google Cloud Resource Manager
gcloud-organization-project-info
Additional permission required:
resourcemanager.projects.list
Google Stackdriver Monitoring
gcloud-monitoring-notification-channel
Additional permission required:
monitoring.notificationChannels.list
Update
Google Cloud Tasks and Google Cloud Run Permissions
The gcloud-cloud-task and gcloud-cloud-run-services-list APIs now require the cloudtasks.locations.list and run.locations.list permissions.
OCI Containers And Artifacts
oci-containers-artifacts-kubernetes-cluster-nodepool
Additional permission required:
inspect cluster-node-pools
OCI Networking
oci-networking-subnet
Additional permission required:
inspect subnets

New Policies and Policy Updates

POLICY UPDATES
DESCRIPTION
New Policies
AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AppSync APIs whose attached WAFv2 Web Access Control List (ACL) is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to AppSync with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.wafWebAclArn'; show X;
AWS AppSync not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS AppSync APIs that are not configured with AWS Web Application Firewall (WAF). It is recommended to enable the AWS WAF service on API Gateway to protect against application-layer attacks. To block malicious requests to your API Gateway, define the block criteria in the WAF Web Access Control List (ACL).
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-appsync-graphql-api' AND json.rule = wafWebAclArn does not exist
AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS API Gateway Rest APIs whose attached AWS Web Application Firewall v2 (WAFv2) Web ACL is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to the API Gateway Rest API with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webAclArn'; show X;
AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS Application Load Balancers (ALB) whose attached WAFv2 Web ACL is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to the ALB with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = scheme equals internet-facing and type equals application as X; config from cloud.resource where api.name = 'aws-waf-v2-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.resources.applicationLoadBalancer[*] contains $.X.loadBalancerArn'; show X;
AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability
This policy identifies AWS CloudFront distributions whose attached WAFv2 Web ACL is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to CloudFront with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228).
config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as X; config from cloud.resource where api.name = 'aws-waf-v2-global-web-acl-resource' AND json.rule = NOT ( webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesAnonymousIpList and webACL.rules[*].statement.managedRuleGroupStatement.name contains AWSManagedRulesKnownBadInputsRuleSet ) as Y; filter '$.Y.webACL.arn equals $.X.webACLId'; show X;
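The four AMR policies above share one check: alert when either of the two managed rule groups is absent from the web ACL attached to the resource. The following added example (not Prisma Cloud code) implements that check over web ACLs in the shape the WAFv2 GetWebACL API returns (PascalCase keys) and joins them to AppSync APIs by ARN, the way the RQL filter does; the API names, account id and ARNs are constructed.

```python
# Added example (not Prisma Cloud code): the check shared by the four
# "attached WAFv2 WebACL is not configured with AMR for Log4j" policies above,
# applied to web ACLs in the shape the WAFv2 GetWebACL API returns (PascalCase
# keys) and joined to the resources that reference them by ARN.

REQUIRED_LOG4J_AMR = frozenset({
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
})


def managed_rule_group_names(web_acl):
    """Collect every ManagedRuleGroupStatement.Name in the web ACL's rules."""
    names = set()
    for rule in web_acl.get("Rules", []):
        group = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if group and group.get("Name"):
            names.add(group["Name"])
    return names


def missing_log4j_amr(web_acl):
    """Return the required AMR groups absent from the web ACL, sorted.

    The RQL alerts on NOT (contains A and contains B), so a non-empty
    result here is exactly the condition that raises an alert."""
    return sorted(REQUIRED_LOG4J_AMR - managed_rule_group_names(web_acl))


def evaluate_attachments(resource_acl_arns, web_acls):
    """Join resources to their web ACLs as the RQL filter does
    ('$.Y.webACL.arn equals $.X.wafWebAclArn').

    resource_acl_arns: resource name -> attached web ACL ARN (None if none).
    web_acls: web ACL ARN -> GetWebACL response body.
    Returns resource name -> list of missing AMR groups, or None when no web
    ACL is attached (that case belongs to the separate "not configured with
    AWS WAFv2" policies, not to this one)."""
    findings = {}
    for name, arn in resource_acl_arns.items():
        acl = web_acls.get(arn) if arn else None
        findings[name] = None if acl is None else missing_log4j_amr(acl)
    return findings


def _managed_rule(name, priority):
    """Build a rule entry in the GetWebACL shape for an AWS managed rule group."""
    return {
        "Name": name, "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"None": {}},
    }


# Constructed inventory; account id and ARNs are made up.
_PREFIX = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl"
FULL_ACL_ARN = f"{_PREFIX}/log4j-complete/11111111-1111-1111-1111-111111111111"
PARTIAL_ACL_ARN = f"{_PREFIX}/log4j-partial/22222222-2222-2222-2222-222222222222"
SAMPLE_WEB_ACLS = {
    FULL_ACL_ARN: {"Name": "log4j-complete", "ARN": FULL_ACL_ARN, "Rules": [
        _managed_rule("AWSManagedRulesCommonRuleSet", 0),
        _managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 1),
        _managed_rule("AWSManagedRulesAnonymousIpList", 2),
    ]},
    PARTIAL_ACL_ARN: {"Name": "log4j-partial", "ARN": PARTIAL_ACL_ARN, "Rules": [
        _managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 0),
        # A custom rate-based rule carries no managed rule group statement.
        {"Name": "rate-limit", "Priority": 1,
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}},
    ]},
}
# AppSync API name -> wafWebAclArn, as the policy's X side sees it.
SAMPLE_APPSYNC_APIS = {"orders-prod": FULL_ACL_ARN, "orders-staging": PARTIAL_ACL_ARN, "orders-dev": None}

if __name__ == "__main__":
    for api, missing in evaluate_attachments(SAMPLE_APPSYNC_APIS, SAMPLE_WEB_ACLS).items():
        if missing is None:
            print(f"{api}: no WAFv2 web ACL attached")
        elif missing:
            print(f"{api}: ALERT, missing {', '.join(missing)}")
        else:
            print(f"{api}: ok")
```

For API Gateway stages and CloudFront distributions the same function applies with the webAclArn or webACLId field as the join key; the ALB policy joins in the other direction, through the web ACL's resources list.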
AWS WAF Classic (Regional) in use
This policy identifies AWS WAF Classic (Regional) Web ACLs that are in use. It is recommended to configure the AWS WAFv2 service to protect against application-layer attacks. To block malicious requests, define the block criteria in the WAFv2 Web ACL, which has more capabilities than WAF Classic.
config from cloud.resource where api.name = 'aws-waf-classic-web-acl-resource' AND json.rule = resources.apiGateway[*] exists or resources.applicationLoadBalancer[*] exists
AWS CloudFront not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS CloudFront distributions that are not configured with AWS WAFv2. It is recommended to configure the AWS WAFv2 service on CloudFront to protect against application-layer attacks. To block malicious requests to your CloudFront distributions, define the block criteria in the WAFv2 Web ACL.
config from cloud.resource where api.name = 'aws-waf-classic-global-web-acl-resource' as X; config from cloud.resource where api.name = 'aws-cloudfront-list-distributions' AND json.rule = webACLId is not empty as Y; filter '$.X.webACL.webACLId equals $.Y.webACLId'; show Y;
AWS API Gateway REST API not configured with AWS Web Application Firewall v2 (AWS WAFv2)
This policy identifies AWS API Gateway REST APIs that are not configured with AWS WAF. It is recommended to enable the AWS WAF service on API Gateway REST APIs to protect against application-layer attacks. To block malicious requests to your API Gateway REST API, define the block criteria in the WAF Web ACL.
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-apigateway-get-stages' AND json.rule = webAclArn does not exist or webAclArn does not start with arn:aws:wafv2
Azure Application Gateway Web application firewall (WAF) policy rule disabled for Remote Command Execution
This policy identifies Azure Application Gateway Web Application Firewall (WAF) policies that have the ‘Remote Command Execution’ rule disabled, which addresses the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule under managed rules to help detect and mitigate the Log4j vulnerability.
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway-waf-policy' AND json.rule = properties.policySettings.state equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupOverrides[*].rules[?any(ruleId equals 944240 and state equals Disabled)] exists and properties.applicationGateways[*] is not empty
Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabled
This policy identifies Azure Front Door WAF policies that have the ‘Remote Command Execution’ rule disabled, which addresses the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule under managed rules to help detect and mitigate the Log4j vulnerability.
config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' AND json.rule = properties.policySettings.enabledState equals Enabled and properties.managedRules.managedRuleSets is not empty and properties.managedRules.managedRuleSets[*].ruleGroupOverrides[*].rules[?any(action equals Block and ruleId equals 944240 and enabledState equals Disabled)] exists as X; config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink exists and properties.provisioningState equals Succeeded as Y; filter '$.Y.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.X.name'; show X;
Azure Front Door does not have the Azure Web application firewall (WAF) enabled
This policy identifies Azure Front Doors that do not have Azure WAF enabled. It is recommended to configure the Azure WAF service on the Front Doors to protect against application-layer attacks. To block malicious requests to your Front Doors, define the block criteria in the WAF rules.
config from cloud.resource where api.name = 'azure-frontdoor' AND json.rule = properties.provisioningState equals Succeeded as X; config from cloud.resource where api.name = 'azure-frontdoor-waf-policy' as Y; filter '$.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id does not exist or ($.X.properties.frontendEndpoints[*].properties.webApplicationFirewallPolicyLink.id contains $.Y.name and $.Y.properties.policySettings.enabledState equals Disabled)'; show X;
GCP Cloud Armor rule not configured with cve-canary
This policy identifies GCP Cloud Armor rules where cve-canary is not enabled. The preconfigured cve-canary WAF rule can help detect and block exploit attempts of CVE-2021-44228 and CVE-2021-45046 to address the Apache Log4j vulnerability. It is recommended to create a Cloud Armor security policy with a rule blocking Apache Log4j exploit attempts.
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-armor-security-policy' AND json.rule = rules[*].match.expr.expression does not contain cve-canary or rules[?any(match.expr.expression contains cve-canary and action equals allow)] exists
OCI IAM policy with full administrative privileges across the tenancy to non Administrator
This policy identifies IAM policies that grant full administrative privileges across the tenancy to non-Administrators. It is recommended to practice the principle of least privilege, which limits users' access rights strictly to what is required to do their jobs.
config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-iam-policy' AND json.rule = lifecycleState equals ACTIVE and (statements[*] contains "to manage all-resources in tenancy" or statements[*] contains "to manage all-resources IN TENANCY") and name does not contain "Tenant Admin Policy"
Policy Updates—Metadata
AWS CloudFront origin protocol policy does not enforce HTTPS-only
Changes—
The RQL has been updated to report only custom origins that support HTTPS communication; it ignores website endpoints from S3 buckets, EC2 instances, and custom websites. The policy description has been updated with newer standards.
Current—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = (origins.items[*] contains "customOriginConfig") and (origins.items[?(@.customOriginConfig.originProtocolPolicy)] does not contain "https-only")
Updated to—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-cloudfront-list-distributions' AND json.rule = enabled is true and origins.items[*] contains customOriginConfig and origins.items[?any(customOriginConfig.originProtocolPolicy does not contain https-only and ( domainName contains ".data.mediastore." or domainName contains ".mediapackage." or domainName contains ".elb." ))] exists
Impact—
Low impact on existing alerts. Alerts with custom origins related to S3 buckets, EC2 instances, and custom websites will be resolved as Policy_Updated.
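As an added example, not Prisma Cloud code, the following Python models the updated RQL above and runs it over a constructed distribution record, showing why an S3 website endpoint is no longer reported while a load balancer origin still is; the key names follow the camelCase fields used in the RQL and the hostnames are placeholders.

```python
"""Added example, not Prisma Cloud code: a Python model of the updated RQL for
'AWS CloudFront origin protocol policy does not enforce HTTPS-only', run over a
constructed distribution record to show which origins it does and does not report."""

# Hostname fragments the updated RQL uses to recognize custom origins that can
# terminate HTTPS: MediaStore data endpoints, MediaPackage, and ELB load balancers.
HTTPS_CAPABLE_MARKERS = (".data.mediastore.", ".mediapackage.", ".elb.")


def weak_https_capable_origins(distribution: dict) -> list:
    """Return domain names of the origins the updated RQL reports.

    Mirrors the rule: the distribution must be enabled; an origin is reported
    only if it has a customOriginConfig whose originProtocolPolicy is not
    'https-only' AND its domainName contains one of HTTPS_CAPABLE_MARKERS.
    S3 REST origins (s3OriginConfig) and custom origins that cannot speak HTTPS,
    such as S3 website endpoints, are therefore never reported.
    """
    if not distribution.get("enabled", False):
        return []
    flagged = []
    for origin in distribution.get("origins", {}).get("items", []):
        custom = origin.get("customOriginConfig")
        if custom is None:
            continue                                  # not a custom origin
        if custom.get("originProtocolPolicy") == "https-only":
            continue                                  # already compliant
        domain = origin.get("domainName", "")
        if any(marker in domain for marker in HTTPS_CAPABLE_MARKERS):
            flagged.append(domain)
    return flagged


def is_flagged(distribution: dict) -> bool:
    """The RQL alerts on the distribution as a whole when any such origin exists."""
    return bool(weak_https_capable_origins(distribution))


# Constructed sample distribution; hostnames are placeholders, not real resources.
SAMPLE_DISTRIBUTION = {
    "id": "EXAMPLEDISTID",
    "enabled": True,
    "origins": {"items": [
        {   # S3 REST origin: no customOriginConfig, out of scope
            "domainName": "assets.s3.amazonaws.com",
            "s3OriginConfig": {"originAccessIdentity": ""}},
        {   # S3 website endpoint: custom origin, but it only serves HTTP,
            # so the updated RQL no longer reports it
            "domainName": "site.s3-website-us-east-1.amazonaws.com",
            "customOriginConfig": {"originProtocolPolicy": "http-only"}},
        {   # Load balancer origin: can serve HTTPS, so match-viewer is a real gap
            "domainName": "api-123.us-east-1.elb.amazonaws.com",
            "customOriginConfig": {"originProtocolPolicy": "match-viewer"}},
        {   # Load balancer origin already enforcing HTTPS: compliant
            "domainName": "app-456.eu-west-1.elb.amazonaws.com",
            "customOriginConfig": {"originProtocolPolicy": "https-only"}},
    ]},
}

if __name__ == "__main__":
    print("reported origins:", weak_https_capable_origins(SAMPLE_DISTRIBUTION))
    print("distribution flagged:", is_flagged(SAMPLE_DISTRIBUTION))
```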
Azure Network Security Group allows all traffic on ports which are not commonly used
Changes—
The RQL has been updated to include an existence check for the destinationPortRange parameter, which increases the accuracy of results.
Current—
config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and (destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, ) or destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *) ))] exists
Updated to—
config from cloud.resource where cloud.type = 'azure' AND api.name= 'azure-network-nsg-list' AND json.rule = securityRules[?any(access equals Allow and direction equals Inbound and (sourceAddressPrefix equals Internet or sourceAddressPrefix equals * or sourceAddressPrefix equals 0.0.0.0/0 or sourceAddressPrefix equals ::/0) and (protocol equals Tcp or protocol equals Udp or protocol equals Icmp or protocol equals *) and ((destinationPortRange exists and destinationPortRange is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *)) or (destinationPortRanges is not empty and destinationPortRanges[*] is not member of (20, 21, 22, 23, 25, 53, 80, 135, 137, 138, 443, 445, 1433, 1434, 3306, 3389, 4333, 5432, 5500, 5900, *))) )] exists
Impact—
Previously reported alerts may be resolved as Policy_Updated.
Azure App Service Web app doesn’t use latest Java version
Changes—
The RQL has been updated to consider Java 8 and Windows web app service for Java. The policy description and recommendation steps have been updated accordingly.
Updated to—
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-app-service' AND json.rule = 'properties.state equals Running and ((config.isJava11VersionLatest exists and config.isJava11VersionLatest equals false) or (config.javaVersion exists and (config.javaVersion does not equal 1.8 and config.javaVersion does not equal 11)) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JAVA and config.linuxFxVersion contains 8 and config.linuxFxVersion does not contain 8-jre8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains JBOSSEAP and config.linuxFxVersion does not contain 7-java8) or (config.linuxFxVersion is not empty and config.linuxFxVersion contains TOMCAT and config.linuxFxVersion does not contain -jre8))'
Impact—
New alerts might be triggered for Java 8 and Windows web app services that use Java.
Azure SQL Server ADS Vulnerability Assessment is disabled and SQL servers which do not have Azure Active Directory admin configured
The severity of the above policies has been changed from Medium to Low.
Impact—
No impact on alerts.
SQL databases has encryption disabled
Changes—
The policy name, description, and recommendation have been updated to maintain uniformity across all policies. The RQL syntax has also been updated.
Current name—
SQL databases has encryption disabled
Updated to—
Azure SQL database TDE encryption disabled
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-db-list' AND json.rule = transparentDataEncryption is false
Impact—
No impact on existing alerts.
Update policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Center)
Changes—
The policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Center) have been updated for the following policies to reflect the changes in CIS v1.4.0:
  • Azure Security Center Defender set to Off for Servers
  • Azure Security Center Defender set to Off for App Service
  • Azure Security Center Defender set to Off for Azure SQL database servers
  • Azure Security Center Defender set to Off for SQL servers on machines
  • Azure Security Center Defender set to Off for Storage
  • Azure Security Center Defender set to Off for Kubernetes
  • Azure Security Center Defender set to Off for Container Registries
  • Azure Security Center Defender set to Off for Key Vault
  • Azure Security Center WDATP integration Disabled
  • Azure Security Center MCAS integration Disabled
  • Azure Security Center automatic provisioning of monitoring agent is set to Off
  • Azure Security Center contact email not set
  • Azure Security Center send email notifications set to 'Off'
  • Azure Security Center email notification for subscription owner is not set
GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Changes—
The policy name and RQL are modified to follow the latest CIS guideline, which checks whether clusters are still configured with the old (client certificate) method of authentication. The policy metadata is updated to match the latest UI.
Current Policy Name—
GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Updated Policy Name—
GCP Kubernetes Engine Cluster Client Certificate is not disabled
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = 'masterAuth.clientKey does not exist or masterAuth.clientCertificate does not exist'
Updated to—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = status equals RUNNING and (masterAuth.clientKey exists or masterAuth.clientCertificate exists)
Impact—
Low impact on existing alerts.
Updates to the CLI for remediable GCP firewall policies
The CLI remediation for the following policies is updated to disable the firewall rule instead of deleting it:
  • GCP Firewall rule allows all traffic on SSH port (22)
  • GCP Firewall rule allows all traffic on RDP port (3389)
  • GCP Firewall rule allows inbound traffic from anywhere with no specific target set
  • GCP Default Firewall rule is overly permissive (except http and https)
Additional permissions required:
compute.firewalls.update
compute.networks.updatePolicy
Impact—
No direct impact on alerts. If you have enabled auto-remediation for the policy, alerts will be resolved as ‘Remediated’.
Updates to the RQL and CLI for GCP Firewall Policies
GCP Firewall rule allows all traffic on DNS port (53)
Change—
The RQL is modified to check whether the firewall rule is disabled and to include IPv6 (::/0) source range checks. The CLI is updated to disable the firewall rule instead of deleting it.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated to—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
Impact—
Low impact on existing alerts.
GCP Firewall rule allows all traffic on FTP port (21)
Change—
The RQL is modified to check whether the firewall rule is disabled and to include IPv6 (::/0) source range checks. The CLI is updated to disable the firewall rule instead of deleting it.
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
Updated to—
config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
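As an added example serving both the DNS (53) and FTP (21) entries above, and not code from Prisma Cloud or Google, the following Python models the updated RQL and the changed remediation over constructed firewall rule records; the record shape and the port-range helper are a reading of the RQL, not an RQL engine, and the gcloud command uses the real --disabled flag of firewall-rules update.

```python
"""Added example, not Prisma Cloud or Google code: a Python model of the updated
'GCP Firewall rule allows all traffic on DNS port (53)' and 'FTP port (21)' RQL,
run over constructed firewall rule records. It exercises the three changes in
the release note: disabled rules are skipped, ::/0 counts as any-source next to
0.0.0.0/0, and remediation disables the rule instead of deleting it."""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # updated RQL: IPv4 or IPv6 any-source


def port_spec_covers(spec: str, port: int) -> bool:
    """True when a GCP port spec ('53' or '50-60') includes `port`.
    Stands in for the RQL helper _Port.inRange(port, port)."""
    low_s, _, high_s = spec.partition("-")
    low = int(low_s)
    high = int(high_s) if high_s else low
    return low <= port <= high


def allows_all_traffic_on_port(rule: dict, port: int) -> bool:
    """Evaluate one firewall rule record the way the updated RQL does."""
    if rule.get("disabled", False):
        return False                      # 'disabled is false'
    if not ANY_SOURCE & set(rule.get("sourceRanges", [])):
        return False                      # no 0.0.0.0/0 or ::/0 source
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "")
        ports = allowed.get("ports")
        if ports is None:
            # No port list means every port of that protocol is open. As the
            # RQL is written, only tcp/udp are matched here, not 'all'.
            if "tcp" in proto or "udp" in proto:
                return True
        elif any(port_spec_covers(p, port) for p in ports):
            return True
    return False


def flagged_rule_names(rules: list, port: int) -> list:
    """Names of the rules that would raise an alert for `port`."""
    return [r["name"] for r in rules if allows_all_traffic_on_port(r, port)]


def remediation_commands(rules: list, port: int) -> list:
    """Commands matching the updated CLI action: disable, not delete.
    Uses gcloud's real 'firewall-rules update --disabled' flag."""
    return [f"gcloud compute firewall-rules update {name} --disabled"
            for name in flagged_rule_names(rules, port)]


# Constructed sample rules in the shape of the gcloud-compute-firewall-rules-list API.
SAMPLE_RULES = [
    {"name": "allow-dns-v4", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-dns-v6", "disabled": False, "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["50-60"]}]},   # range covers 53
    {"name": "allow-dns-disabled", "disabled": True, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},      # skipped now
    {"name": "allow-all-tcp-internal", "disabled": False, "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp"}]},                       # not any-source
    {"name": "allow-ftp-open", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["21"]}]},
    {"name": "allow-all-tcp-open", "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}]},                       # no ports: all open
]

if __name__ == "__main__":
    for port in (53, 21):
        print(f"port {port}:", flagged_rule_names(SAMPLE_RULES, port))
        for cmd in remediation_commands(SAMPLE_RULES, port):
            print("   ", cmd)
```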
GCP storage bucket is not configured with default Event-Based Hold
Changes—
The recommendation steps are updated to be compliant with the latest UI updates on Google Cloud Platform.
Impact—
No impact on alerts as the change includes only metadata modifications.
OCI IAM policy with full administrative privileges across the tenancy to non Administrator
Update—
The policy is updated to map to OCI CIS v1.0.0 and v1.1.0 requirement 1.2.
Impact—
The compliance score will change.
Policy Deletions
AWS entities with risky permissions
This policy is being deprecated and replaced by policies that identify risky write permissions for different AWS services.
Impact—
All existing alerts related to this policy will be removed. To activate all the new policies, verify your global policy defaults for automatically enabling policies based on severity by selecting Settings > Enterprise Settings > Auto enable default policies of the type.
AWS SNS subscription is not configured with HTTPS
The policy has been deleted due to the high volume of SNS subscriptions and its impact on Time to Ingest (TTI). Support for aws-sns-get-subscription-attribute will be discontinued, and the compliance standards referenced by this policy are also deleted.
Impact—
Alerts generated for these policies will be resolved as Policy_Deleted.
New IAM Policies
Learn about the new IAM out-of-the-box (OOTB) policies.
AWS EC2 instance with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks in your AWS account by ensuring that the AWS EC2 instances provisioned in your account don’t have a risky set of write permissions.
AWS Lambda Function with IAM write access level
Identifies IAM write permissions that are defined as risky permissions in your AWS account. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions.
Elasticbeanstalk Platform with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
ECS Task Definition with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
Okta User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the Okta users in your AWS account don’t have a risky set of write permissions associated with them.
IAM User with IAM write access level
Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions associated with them.
AWS EC2 instance with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
AWS Lambda Function with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
Elasticbeanstalk Platform with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
ECS Task Definition with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them.
Okta User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the Okta Users in your AWS account don’t have a risky set of write permissions.
IAM User with IAM permissions management access level
Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions.
AWS EC2 instance with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions.
AWS Lambda Function with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions.
Elasticbeanstalk Platform with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions.
ECS Task Definition with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions.
Okta User with org write access level
Identifies org write access that is defined as risky permissions. This policy ensures that the Okta Users in your AWS account don’t have a risky set of write permissions.
IAM User with org write access level
Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions.
AWS Lambda Layer Version that is publicly accessible through IAM policies
Identifies the AWS Lambda Layer Version resources which are publicly accessible through IAM policies. This policy prevents the exposure of sensitive data by ensuring that the AWS Lambda Layer Version resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS ECR Repository that is publicly accessible through IAM policies
Identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Lambda Function that is publicly accessible through IAM policies
Identifies the AWS Lambda Function resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Lambda Function resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS S3 bucket that is publicly accessible through IAM policies
Identifies the AWS S3 bucket resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS S3 bucket resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS SQS Queue that is publicly accessible through IAM policies
Identifies the AWS SQS Queue resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SQS Queue resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS SNS Topic that is publicly accessible through IAM policies
Identifies the AWS SNS Topic resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SNS Topic resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Secret Manager Secret that is publicly accessible through IAM policies
Identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS KMS Key that is publicly accessible through IAM policies
Identifies the AWS KMS Key resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS KMS Key resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS EC2 with IAM wildcard resource access
Identifies AWS EC2 instances with the AWS resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS resources provisioned in your AWS account are not publicly accessible from the Internet.
AWS Lambda Function with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy identifies those asterisks only where using an asterisk is not mandatory; this ensures that AWS policies don’t have an asterisk in the resource section of the policy statement.
AWS Elasticbeanstalk Platform with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy identifies those asterisks only where using an asterisk is not mandatory; this ensures that AWS policies don’t have an asterisk in the resource section of the policy statement.
AWS ECS Task Definition with IAM wildcard resource access
Identifies AWS IAM permissions that contain an asterisk (*) in the resource section of the policy statement. The policy identifies those asterisks only where using an asterisk is not mandatory; this ensures that AWS policies don’t have an asterisk in the resource section of the policy statement.
Okta User with IAM wildcard resource access
Identifies Okta Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy identifies those apostrophes only where using an apostrophe is not mandatory; this ensures that AWS policies don’t have an apostrophe in the resource section of the policy statement.
IAM User with IAM wildcard resource access
Identifies IAM Users with AWS IAM permissions that contain an apostrophe ('') in the resource section of the policy statement. The policy identifies those apostrophes only where using an apostrophe is not mandatory; this ensures that AWS policies don’t have an apostrophe in the resource section of the policy statement.
Azure AD user with effective permissions to create AWS IAM users
Identifies Azure AD users that can create an AWS IAM user, as this can lead to a backdoor in the cloud environment. This policy ensures that Azure AD users have least-privilege access by granting only the permissions required to perform a task, instead of excessive permissions.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF
The AWS CloudFormation stack configured without SNS topic policy has been removed from the NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF compliance benchmarks because it was incorrectly mapped.
Impact—
The compliance score will change.
CIS Azure v1.4.0
Prisma Cloud provides compliance support for CIS Microsoft Azure Foundations Benchmark v1.4.0. The CIS Azure v1.4.0 has 9 sections with 115 requirements and Prisma Cloud supports 86 requirements across all sections.

REST API Updates

CHANGE
DESCRIPTION
Length Limit for Some User Profile API Request Body Parameters
A 300-character limit now applies to request parameters for user and account service names. This limit affects the request body parameters for the User Profile API endpoints shown below. The affected request body parameters are listed after each endpoint:
  • PUT /user/me
    • firstName
    • lastName
  • POST /v3/user
    • firstName
    • lastName
    • username
  • PUT /v3/user
    • firstName
    • lastName
    • username
  • POST /v2/user
    • firstName
    • lastName
  • PUT /v2/user
    • firstName
    • lastName
New Integration and Notification Template API Endpoints
New Integration API endpoints are available to replace the endpoints that have been deprecated for all integrations except Okta, Qualys, and Tenable.
New Notification Template API endpoints are also available to replace some of the deprecated Notification Template endpoints.
Response Property for Some Resource and Search API Endpoints Removed
The property ResourceMetaModel.hasAlert has been removed. This property no longer appears in the response objects for the following requests:
  • POST /resource
  • POST /search/config
  • POST /search/config/page
Resource Discovery Timestamp Available Through Search API Endpoints
A new property, ResourceMetaModel.createTs, identifies the timestamp when Prisma Cloud first discovered a given resource. This property is available in the response objects for the following requests:
  • POST /search/config
  • POST /search/config/page
