Features Introduced in January 2022
Learn what’s new on Prisma™ Cloud in January 2022.
New Features Introduced in 22.1.2
New Features
| FEATURE | DESCRIPTION |
| --- | --- |
| Alert Details Updates | The drill-downs for alerts have a new look and the navigation in the console is updated. You can easily edit the policy that triggered the alert, view the details on the resources and the policy recommendations in separate tabs, and when you select the Alert ID, the slide-out panel provides a better view of the alert details. In addition, the page load time is much faster. |
| Length Limit for Field Names | The number of characters in user role names, access keys, and IP allow list names for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field. |
| Display Cloud Account Owner Details for AWS Organizations and Member Accounts | The account owner information of AWS Organization and member accounts is now fetched from the AWS account and displayed on Settings > Cloud Accounts. Note: For AWS standalone accounts this is not supported. |
| API Ingestions | AWS Data Pipeline: aws-datapipeline-pipeline. Additional permissions required: |
| | Amazon S3: aws-s3api-get-bucket-acl. Additional permission required: |
| | Azure Application Insights: azure-application-insights-component. Additional permission required: |
| | Azure Storage Sync Services: azure-storage-sync-service. Additional permission required: |
| | The following OCI APIs are ingested: OCI Bare Metal and VM Databases (oci-oracledatabase-bmvm-dbsystem) and Network Load Balancer (oci-networking-loadbalancer). With the ingestion of these APIs, Prisma Cloud now includes OCI Bare Metal and VM Databases and Network Load Balancer as licensable assets that use Prisma Cloud credits. These resources are added to the count of monitored resources on the Licensing page of the Prisma Cloud administrator console. |
New Policies and Policy Updates
| POLICY UPDATES | DESCRIPTION |
| --- | --- |
| New Policies | AWS RDS Cluster snapshot is accessible to public: Identifies AWS RDS Cluster snapshots which are publicly accessible. Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up and manage databases. If RDS Cluster snapshots are inadvertently publicly shared, any unauthorized user with AWS console access can gain access to the snapshots and access sensitive data. |
| | Azure AD MFA is not enabled for the user: Identifies Azure users that do not have Active Directory Multi-Factor Authentication (AD MFA) enabled. Azure AD MFA is a best practice that adds an extra layer of protection on top of your username and password. MFA provides increased security for your Azure account settings and resources. As a best practice, enable AD MFA using Conditional Access policies to protect your users. |
| | Azure Key Vault Key has no expiration date (Non-RBAC Key vault): Identifies Azure Key Vault keys that do not have an expiration date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each key and rotate your keys regularly. |
| | Azure Key Vault secret has no expiration date (Non-RBAC Key vault): Identifies Azure Key Vault secrets that do not have an expiry date for the Non-RBAC Key vaults. As a best practice, set an expiration date for each secret and rotate the secret regularly. |
| | Azure Service bus namespace configured with overly permissive authorization rules: Identifies Azure Service Bus namespaces configured with overly permissive authorization rules. Service Bus clients should not use a namespace-level access policy that provides access to all queues and topics in a namespace. As a best practice, follow the least-privilege security model and create access policies at the entity level for queues and topics, so that access is granted only to the specific entity. All authorization rules except RootManageSharedAccessKey should be removed from the Service Bus namespace. |
| | GCP API key not restricting any specific API: Identifies GCP API keys that are not restricting any specific APIs. API keys that are insecure can be viewed publicly, such as from a browser, or accessed on a device where the key resides. As a best practice, restrict API keys to use only the APIs required by an application. |
| | GCP API key not rotating in every 90 days: Identifies GCP API keys that were created more than 90 days ago. Google recommends using the standard authentication flow instead of API keys, but there are limited scenarios where API keys are more appropriate. As a best practice, rotate your API keys every 90 days to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen. |
| Policy Updates—Metadata | GCP VPC Flow logs for the subnet is set to off. Changes— The CLI command now requires the following permission to enable GCP Flow logs to capture information about the IP traffic going to and from networks in VPC Subnets: Impact— If auto-remediation is enabled, alerts will be resolved as Remediated. |
| | GCP Kubernetes Engine private cluster has private endpoint disabled. Changes— The RQL has been modified to be compliant with the latest CIS guidelines. Also, the private cluster check is changed to a private endpoint check, as the former is now deprecated. And the recommended steps have been updated to reflect the latest UI changes. Current name— GCP Kubernetes Engine Clusters not configured with private cluster. Updated to— GCP Kubernetes Engine private cluster has private endpoint disabled. Current description— This policy identifies Kubernetes Engine Clusters which are not configured with the Private cluster. Private cluster makes your master inaccessible from the public internet and nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Updated to— This policy identifies GCP Kubernetes Engine private clusters with private endpoint disabled. A public endpoint might expose the current cluster and Kubernetes API version and an attacker may be able to determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats, and require the attacker to be on the master’s VPC network to perform any attack on the Kubernetes API. It is recommended to enable the private endpoint and disable public access on Kubernetes clusters. Current RQL— Updated to— Impact— Previously generated alerts will be resolved as Policy_Updated. |
| | Azure Key Vault secret has no expiration date (Non-RBAC Key vault). Changes— In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check. Current name— Azure Key Vault secrets have no expiration date. Updated to— Azure Key Vault secret has no expiration date (Non-RBAC Key vault). Impact— Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated. |
| | Azure Key Vault Key has no expiration date (RBAC Key vault). Changes— In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation was introduced. The policy name and its RQL are updated to implement the name change and the RBAC check. Current name— Azure Key Vault Key have no expiration date. Updated to— Azure Key Vault Key has no expiration date (RBAC Key vault). Impact— Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated. |
| | AWS SQS queue access policy is overly permissive. The RQL has been updated to include the Condition statement when reporting the AWS SQS resources. Current name— Updated to— Impact— Previously generated alerts for resources which have the Condition statement will be resolved as Policy_Updated. |
| Policy Deletions | The AWS entities with risky permissions policy is deleted to avoid duplicate alerts after releasing the new OOTB policies for AWS. It can be replaced by the following new AWS policies for specific entity types: Impact— Previously generated alerts will be resolved as Policy_Deleted. |
New Compliance Benchmarks and Updates
| COMPLIANCE BENCHMARK | DESCRIPTION |
| --- | --- |
| Support for Azure Security Benchmark (V3) | The Azure Security Benchmark (ASB) is a set of best practices for improving the security of workloads, data, and services on Azure. ASB is part of a set of holistic security guidelines that includes: |
| Updates for Azure Key Vault Policies | The following Azure Key Vault related policies have been updated to include mappings for RBAC and Non-RBAC user roles: Impact— No impact on alerts. The updated compliance benchmarks are: APRA, azure_pipeda, azure_mitre_attack_framework, CIS_Azure_130, cis_azure, NIST_800_172, CMMC_1_02, mlps20_azure, LGPD, CIS_Azure_120, NIST_800_53_R4_Azu_leg, NIST_CSF_v_1_1, CIS_Azure_131, CIS_Azure_140, NIST_800_171R2, CSA_CCM_v4, HITRUST942, NIST_800_53_R5_Azure, azure_mitre_attack_v8_framework, azure_ccpa, ISO_27017_2015, PCIDSS_321, and ISO_27002_2013. |
REST API Updates
| CHANGE | DESCRIPTION |
| --- | --- |
| Removal of Deprecated Integration API Endpoints | The following deprecated integration endpoints have been removed, except for integrations with Okta, Tenable, and Qualys: A new Integration API is available to replace all the endpoints above except GET /integration/name. |
| Removal of Deprecated Notification Template API Endpoints | The following deprecated notification template endpoints have been removed: A new Notification Template API is available to replace the endpoints above. The following deprecated endpoints have been removed with no replacement: |
| Removal of Access Key API Ability to Update Expiration Timestamp | The following endpoint no longer supports the ability to update the access key expiration timestamp: |
| Removal of Deprecated Alert Rules Endpoint to List Alert Rules | The following deprecated alert rules API endpoint has been removed: The following alert rules API endpoint provides similar functionality: |
| Enterprise Settings API | A new request body parameter accessKeyMaxValidity exists for the following enterprise settings endpoint: You can use this parameter to set the maximum number of days an access key is valid. Further, accessKeyMaxValidity is available through the response object of the following endpoints: |
| Role Info in Login Refresh Session Endpoint Response | The response object for the following endpoint now includes a roles attribute, which contains a list of permissions based on the user role type: |
New Features Introduced in 22.1.1
New Features
| FEATURE | DESCRIPTION |
| --- | --- |
| Limited GA Adoption Advisor | Tracking and measuring your adoption of new features and existing capabilities on Prisma Cloud just got easier! The Adoption Advisor gives visibility into your adoption journey, identifies your unexplored features, helps you make the most of your investment, and provides guidance on where to take action. |
| Code Security | The all new Code Security module is here for Prisma Cloud Enterprise Edition! To proactively improve the security posture of cloud infrastructure as you create, deploy, and maintain your business-impacting resources using IaC templates and automation pipelines, use the Code Security module to identify and protect against vulnerabilities, misconfigurations, and compliance violations in IaC templates such as Terraform, CloudFormation, and Helm. These capabilities are tightly embedded in DevOps workflows and tooling to provide fast feedback and enforce guardrails in code during the development lifecycle. With a centralized view of all misconfigurations across scanned repositories on the Prisma Cloud administrative console, including filtering and searching to find code blocks and owners, you can review and address misconfigurations or violations quickly. See Features Introduced in January 2022 for more. |
| Refreshed Enterprise Settings UI | The Enterprise Settings page is refreshed to provide a better user experience. |
| Length Limit for User Profile Name Fields | The number of characters in the username, first name, and last name for Administrative users and Service Account names on Prisma Cloud is now set to a maximum of 300 characters for each field. |
| New Operator for Wildcard Support in RQL Attributes | The like operator is added to enable wildcard (*) support so that all available permissions in your cloud accounts are displayed. The following example uses the like operator: In this example, the results displayed will match all of the available permissions in account-dev-3. If you want to see the exact result for the search value, use the = operator. |
| Automatic Time Zone Detection— Change in Behavior | The time zone is now set automatically for Prisma Cloud administrators. It is derived from the user’s web browser and is based on the operating system that is used to access the Prisma Cloud administrative console. The Time Zone field that allowed you to select the time zone is removed from the User Profile and from Settings > Users, Service Account Settings, and SSO. |
| API Ingestions | aws-waf-classic-global-web-acl-resource and aws-waf-v2-global-web-acl-resource for the Log4j vulnerability: In addition to the existing APIs, the following API is also ingested to protect from the Log4j vulnerability: |
| | AWS AppSync: aws-appsync-graphql-api. Additional permissions required: |
| | Amazon DAX: aws-dax-cluster. Additional permissions required: |
| | Amazon DocumentDB: aws-docdb-db-cluster-parameter-group. Additional permissions required: |
| | Amazon FSx: aws-fsx-file-system. Additional permissions required: |
| | Amazon RDS: aws-rds-db-cluster-parameter-group. Additional permissions required: |
| | Amazon QuickSight: aws-quicksight-dataset. Additional permissions required: |
| | Amazon QuickSight: aws-quicksight-datasource. Additional permissions required: |
| | Update AWS ECR Ingestion to ingest public repositories: The API has been updated with the following information. New API name: New permissions added to the CFT templates: |
| | Update Amazon Cognito: The following new permission is required to ingest the aws-cognito-identity-pool API: Without this permission, identity pool resources will not be ingested and all the existing resources will be marked as deleted. |
| | Update Amazon EC2: The following new permission is required to ingest the disableApiTermination field in the aws-ec2-describe-instances API: |
| | Amazon Simple Email Service: aws-ses-identities. Additional permissions required: |
| | AWS Web Application Firewall (WAF) and WAFv2: aws-waf-classic-web-acl-resource and aws-waf-v2-web-acl-resource. |
| | Azure Cognitive Services: azure-cognitive-services-account. Additional permission required: |
| | Azure Virtual Network Gateway: azure-virtual-network-gateway. Additional permission required: |
| | Azure Virtual Network: azure-private-link-service. Additional permission required: |
| | Azure Virtual Network: azure-bastion-host. Additional permission required: |
| | Azure Machine Learning: azure-machine-learning-workspace. Additional permission required: |
| | Azure Recovery Services: azure-recovery-service-backup-protected-item. Additional permission required: |
| | Azure Recovery Services: azure-recovery-service-vault. Additional permission required: |
| | Azure Web Application Firewall: azure-application-gateway-waf-policy. Additional permission required: |
| | Google API Key: gcloud-api-key. Additional permission required: |
| | Google Cloud Data Fusion: gcloud-datafusion-instance. Additional permission required: |
| | Google Container Analysis: gcloud-container-analysis-vulnerability-summary. Additional permission required: |
| | Google Cloud Memorystore: gcloud-redis-instances-list. Additional permission required: |
| | Google Compute Engine: gcloud-ssl-certificate. Additional permission required: |
| | Google Cloud DNS: gcloud-dns-policy. Additional permission required: |
| | Google Cloud Armor: gcloud-armor-security-policy. Additional permission required: |
| | Google Cloud Resource Manager: gcloud-organization-project-info. Additional permission required: |
| | Google Stackdriver Monitoring: gcloud-monitoring-notification-channel. Additional permission required: |
| | Update Google Cloud Tasks and Google Cloud Run Permissions: The gcloud-cloud-task and gcloud-cloud-run-services-list APIs now require the cloudtasks.locations.list and run.locations.list permissions. |
| | OCI Containers And Artifacts: oci-containers-artifacts-kubernetes-cluster-nodepool. Additional permission required: |
| | OCI Networking: oci-networking-subnet. Additional permission required: |
New Policies and Policy Updates
| POLICY UPDATES | DESCRIPTION |
| --- | --- |
| New Policies | AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability: This policy identifies AppSync APIs attached to a WAFv2 Web Access Control List (ACL) that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to AppSync with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228). |
| | AWS AppSync not configured with AWS Web Application Firewall v2 (AWS WAFv2): This policy identifies AWS AppSync APIs that are not configured with AWS Web Application Firewall (WAF). It is recommended to enable the AWS WAF service on API Gateway to protect against application layer attacks. To block malicious requests to your API Gateway, define the block criteria in the WAF Web Access Control List (ACL). |
| | AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability: This policy identifies AWS API Gateway Rest APIs attached to an AWS Web Application Firewall v2 (WAFv2) Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to the API Gateway Rest API with the AWS AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228). |
| | AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability: This policy identifies AWS Application Load Balancers (ALB) attached to a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 WebACL attached to the ALB with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228). |
| | AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability: This policy identifies AWS CloudFront distributions attached to a WAFv2 Web ACL that is not configured with AWS Managed Rules (AMR) for the Log4j vulnerability. As per AWS, configure the WAFv2 Web ACL attached to CloudFront with the AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from the Log4j vulnerability (CVE-2021-44228). |
| | AWS WAF Classic (Regional) in use: This policy identifies AWS WAF Classic (Regional) instances that are in use. It is recommended to configure the AWS WAFv2 service to protect against application-layer attacks. To block malicious requests, define the block criteria in the WAFv2 Web ACL, which has more capability than WAF Classic. |
| | AWS CloudFront not configured with AWS Web Application Firewall v2 (AWS WAFv2): This policy identifies AWS CloudFront distributions that are not configured with AWS WAFv2. It is recommended to configure the AWS WAFv2 service on CloudFront to protect against application-layer attacks. To block malicious requests to your CloudFront distribution, define the block criteria in the WAFv2 Web ACL. |
| | AWS API Gateway REST API not configured with AWS Web Application Firewall v2 (AWS WAFv2): This policy identifies AWS API Gateway REST APIs that are not configured with AWS WAF. It is recommended to enable the AWS WAF service on the API Gateway REST API to protect against application layer attacks. To block malicious requests to your API Gateway REST API, define the block criteria in the WAF Web ACL. |
| | Azure Application Gateway Web application firewall (WAF) policy rule disabled for Remote Command Execution: This policy identifies Azure Application Gateway Web Application Firewall (WAF) policies that have the ‘Remote Command Execution’ rule disabled, which is known for the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule under managed rules to help detect and mitigate the Log4j vulnerability. |
| | Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabled: This policy identifies Azure Front Door WAF policies that have the ‘Remote Command Execution’ rule disabled, which is known for the Log4j vulnerability. It is recommended to define the criteria in the WAF policy with the ‘Remote Command Execution’ rule under managed rules to help detect and mitigate the Log4j vulnerability. |
| | Azure Front Door does not have the Azure Web application firewall (WAF) enabled: This policy identifies Azure Front Doors that do not have Azure WAF enabled. It is recommended to configure the Azure WAF service on the Front Doors to protect against application-layer attacks. To block malicious requests to your Front Doors, define the block criteria in the WAF rules. |
| | GCP Cloud Armor rule not configured with cve-canary: This policy identifies GCP Cloud Armor rules where cve-canary is not enabled. The preconfigured cve-canary WAF rule can help detect and block exploit attempts of CVE-2021-44228 and CVE-2021-45046 to address the Apache Log4j vulnerability. It is recommended to create a Cloud Armor security policy with a rule blocking Apache Log4j exploit attempts. |
| | OCI IAM policy with full administrative privileges across the tenancy to non Administrator: This policy identifies IAM policies with full administrative privileges across the tenancy granted to non-Administrators. It is recommended to practice the principle of least privilege, which limits users' access rights strictly to only what is required to do their jobs. |
| Policy Updates—Metadata | AWS CloudFront origin protocol policy does not enforce HTTPS-only. Changes— The RQL has been updated to report only custom origins that support HTTPS communication; it ignores website endpoints from S3 buckets, EC2 instances, and custom websites. The policy description has been updated with newer standards. Current— Updated to— Impact— Low impact on existing alerts. Alerts with custom origins related to S3 buckets, EC2 instances, and custom websites will be resolved as Policy_Updated. |
| | Azure Network Security Group allows all traffic on ports which are not commonly used. Changes— The RQL has been updated to include the existence check for the destinationPortRange parameter, which will increase the accuracy of results. Current— Updated to— Impact— Previously reported alerts may be resolved as Policy_Updated. |
| | Azure App Service Web app doesn’t use latest Java version. Changes— The RQL has been updated to consider Java 8 and the Windows web app service for Java. The policy description and recommendation steps have been updated accordingly. Updated to— Impact— New alerts might be triggered for Java 8 and Windows web app services that use Java. |
| | Azure SQL Server ADS Vulnerability Assessment is disabled and SQL servers which do not have Azure Active Directory admin configured: The severity of these two policies has been changed from Medium to Low. Impact— No impact on alerts. |
| | SQL databases has encryption disabled. Changes— The policy name, description, and recommendation have been updated to maintain uniformity across all policies. The RQL syntax has also been updated. Current name— SQL databases has encryption disabled. Updated to— Azure SQL database TDE encryption disabled. Impact— No impact on existing alerts. |
| | Update policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Center). Changes— The policy names and remediation actions for Microsoft Defender for Cloud (previously Azure Security Center) have been updated for the following policies to reflect the recent changes of CIS v1.4.0: |
| | GCP Kubernetes Engine Clusters Client Certificate is set to Disabled. Changes— The policy name and RQL are modified to support the latest CIS guideline, which checks whether the clusters are configured with the old method of authentication. The policy metadata is updated as per the latest UI. Current Policy Name— GCP Kubernetes Engine Clusters Client Certificate is set to Disabled. Updated Policy Name— GCP Kubernetes Engine Cluster Client Certificate is not disabled. Current RQL— Updated to— Impact— Low impact on existing alerts. |
| | Updates to the CLI for remediable GCP firewall policies: The CLI of the following policies is updated to disable the firewall rule instead of deleting the rule: Additional permissions required: Impact— No direct impact on alerts. If you have enabled auto-remediation for the policy, alerts will be resolved as ‘Remediated’. |
| | Updates to the RQL and CLI for GCP Firewall Policies: GCP Firewall rule allows all traffic on DNS port (53). Change— The RQL is modified to check if the firewall rule is disabled and to include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule. Current RQL— Updated to— Impact— Low impact on existing alerts. GCP Firewall rule allows all traffic on FTP port (21). Change— The RQL is modified to check if the firewall rule is disabled and to include IPv6 checks. The CLI is updated to disable the firewall rule instead of deleting the rule. Current RQL— Updated to— |
| | GCP storage bucket is not configured with default Event-Based Hold. Changes— The recommendation steps are updated to be compliant with the latest UI updates on Google Cloud Platform. Impact— No impact on alerts, as the change includes only metadata modifications. |
| | OCI IAM policy with full administrative privileges across the tenancy to non Administrator. Update— The policy is updated to map to OCI CIS v1.0.0 and v1.1.0 requirement 1.2. Impact— The compliance score will change. |
| Policy Deletions | AWS entities with risky permissions: This policy is being deprecated, and we are adding policies that identify write permissions for different services on AWS that are risky. Impact— All existing alerts related to this policy will be removed. To activate all the new policies, verify your global policy defaults for automatically enabling policies based on severity by selecting Settings > Enterprise Settings > Auto enable default policies of the type |
| | AWS SNS subscription is not configured with HTTPS: The policy has been deleted due to the high volume of SNS subscriptions and its impact on Time to Ingest (TTI). Support for aws-sns-get-subscription-attribute will be discontinued, and the compliance standards referenced by this policy are also deleted. Impact— Alerts generated for these policies will be resolved as Policy_Deleted. |
| New IAM Policies | Learn about the new IAM out-of-the-box (OOTB) policies. |
| | AWS EC2 instance with IAM write access level: Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks in your AWS account by ensuring that the AWS EC2 instances provisioned in your account don’t have a risky set of write permissions. |
| | AWS Lambda Function with IAM write access level: Identifies IAM write permissions that are defined as risky permissions in your AWS account. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions. |
| | Elasticbeanstalk Platform with IAM write access level: Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | ECS Task Definition with IAM write access level: Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | Okta User with IAM write access level: Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the Okta users in your AWS account don’t have a risky set of write permissions associated with them. |
| | IAM User with IAM write access level: Identifies IAM write permissions that are defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions associated with them. |
| | AWS EC2 instance with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | AWS Lambda Function with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | Elasticbeanstalk Platform with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | ECS Task Definition with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions associated with them. |
| | Okta User with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the Okta Users in your AWS account don’t have a risky set of write permissions. |
| | IAM User with IAM permissions management access level: Identifies IAM permissions management access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions. |
| | AWS EC2 instance with org write access level: Identifies org write access that is defined as risky permissions. This policy ensures that the AWS EC2 instances provisioned in your AWS account don’t have a risky set of write permissions. |
| | AWS Lambda Function with org write access level: Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Lambda Function instances provisioned in your AWS account don’t have a risky set of write permissions. |
| | Elasticbeanstalk Platform with org write access level: Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned in your AWS account don’t have a risky set of write permissions. |
| | ECS Task Definition with org write access level: Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the AWS ECS Task Definition instances provisioned in your AWS account don’t have a risky set of write permissions. |
| | Okta User with org write access level: Identifies org write access that is defined as risky permissions. This policy ensures that the Okta Users in your AWS account don’t have a risky set of write permissions. |
| | IAM User with org write access level: Identifies org write access that is defined as risky permissions. This policy minimizes security risks by ensuring that the IAM Users in your AWS account don’t have a risky set of write permissions. |
| | AWS Lambda Layer Version that is publicly accessible through IAM policies: Identifies the AWS Lambda Layer Version resources which are publicly accessible through IAM policies. This policy prevents the exposure of sensitive data by ensuring that the AWS Lambda Layer Version resources provisioned in your AWS account are not publicly accessible from the Internet. |
| | AWS ECR Repository that is publicly accessible through IAM policies: Identifies the AWS ECR Repository resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS ECR Repository resources provisioned in your AWS account are not publicly accessible from the Internet. |
| | AWS Lambda Function that is publicly accessible through IAM policies: Identifies the AWS Lambda Function resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Lambda Function resources provisioned in your AWS account are not publicly accessible from the Internet. |
| | AWS S3 bucket that is publicly accessible through IAM policies: Identifies the AWS S3 bucket resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS S3 bucket resources provisioned in your AWS account are not publicly accessible from the Internet. |
| | AWS SQS Queue that is publicly accessible through IAM policies: Identifies the AWS SQS Queue resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SQS Queue resources provisioned in your AWS account are not publicly accessible from the Internet. |
| | AWS SNS Topic that is publicly accessible through IAM policies: Identifies the AWS SNS Topic resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS SNS Topic resources provisioned in your AWS account are not publicly accessible from the Internet. |
AWS Secret Manager Secret that is publicly accessible through IAM policies Identifies the AWS Secret Manager Secret resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS Secret Manager Secret resources provisioned in your AWS account are not publicly accessible from the Internet. | |
AWS KMS Key that is publicly accessible through IAM policies Identifies the AWS KMS Key resources which are publicly accessible through IAM policies. This minimizes the exposure of sensitive data by ensuring that the AWS KMS Key resources provisioned in your AWS account are not publicly accessible from the Internet. | |
AWS EC2 with IAM wildcard resource access Identifies AWS EC2 instances with IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
AWS Lambda Function with IAM wildcard resource access Identifies AWS Lambda Functions with IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
AWS Elasticbeanstalk Platform with IAM wildcard resource access Identifies AWS Elasticbeanstalk Platforms with IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
AWS ECS Task Definition with IAM wildcard resource access Identifies AWS ECS Task Definitions with IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
Okta User with IAM wildcard resource access Identifies Okta Users with AWS IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
IAM User with IAM wildcard resource access Identifies IAM Users with AWS IAM permissions that contain an asterisk ( * ) in the resource section of the policy statement. The policy flags the asterisk only where using one is not mandatory for the action; this ensures that the AWS policies don’t have an asterisk in the resource section of the policy statement. | |
Azure AD user with effective permissions to create AWS IAM users Identifies Azure AD users that can create an AWS IAM user, as this can lead to a backdoor in the cloud environment. This policy ensures that Azure AD users have least-privilege access by granting only the permissions required to perform a task, instead of providing excessive permissions. |
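The three policy families above all reduce to static checks on an IAM policy document: a resource policy whose Principal admits any AWS account (the "publicly accessible through IAM policies" rows), an identity policy that grants actions on Resource "*" when the action does not require it (the "wildcard resource access" rows), and statements that grant permissions-management actions such as creating IAM users (the "permissions management access level" rows and the Azure AD backdoor row). The following Python is an added example written for this page, not Prisma Cloud's own detection logic. The action catalogues are illustrative subsets (an assumption, not the full AWS service authorization reference), and the sample policy documents are constructed.

```python
"""Static checks over AWS IAM policy documents for the three risk patterns
discussed above: public principals, unnecessary Resource "*", and
permissions-management actions."""
import fnmatch
import json

# Assumption: illustrative subset of actions AWS classifies under the
# "Permissions management" access level. Not exhaustive.
PERMISSIONS_MANAGEMENT_ACTIONS = {
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "s3:PutBucketPolicy", "kms:PutKeyPolicy",
}

# Assumption: illustrative subset of actions that do not support resource-level
# permissions, so Resource "*" is mandatory and must not be flagged.
RESOURCE_WILDCARD_REQUIRED = {
    "ec2:DescribeInstances", "s3:ListAllMyBuckets",
    "sts:GetCallerIdentity", "iam:ListUsers",
}


def _as_list(value):
    """IAM lets Action/Resource/Principal values be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when a resource-policy Principal admits anonymous or any-account access.

    Covers the "*" shorthand and {"AWS": "*"} / {"AWS": [..., "*"]} forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for values in principal.values():
            for value in _as_list(values):
                if value in ("*", "arn:aws:iam::*:root"):
                    return True
    return False


def matched_actions(patterns, catalogue):
    """Expand action patterns such as 'iam:*' or '*' against a catalogue of
    known actions (IAM action matching is case-insensitive)."""
    hits = set()
    for pattern in patterns:
        for action in catalogue:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return hits


def analyze_policy(policy):
    """Return a list of findings, one dict per (statement, check) that fires."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can widen access
        sid = stmt.get("Sid", f"stmt{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Check 1: public principal (resource policies only carry Principal).
        # A Condition may scope the "*" (e.g. aws:SourceVpce); report it so a
        # reviewer can decide, rather than silently treating it as safe.
        if "Principal" in stmt and principal_is_public(stmt["Principal"]):
            findings.append({"sid": sid, "kind": "public_principal",
                             "conditioned": "Condition" in stmt})

        # Check 2: Resource "*" where at least one action supports narrower
        # resources. An empty Action list (NotAction in use) is still flagged.
        if "*" in resources:
            needs_star = bool(actions) and all(
                a in RESOURCE_WILDCARD_REQUIRED for a in actions)
            if not needs_star:
                findings.append({"sid": sid, "kind": "wildcard_resource",
                                 "actions": sorted(actions)})

        # Check 3: permissions-management actions, after wildcard expansion.
        pm = matched_actions(actions, PERMISSIONS_MANAGEMENT_ACTIONS)
        if pm:
            findings.append({"sid": sid, "kind": "permissions_management",
                             "actions": sorted(pm)})
    return findings


def summarize(policy):
    """Compact 'Sid:kind' view of the findings, sorted for stable comparison."""
    return sorted(f"{f['sid']}:{f['kind']}" for f in analyze_policy(policy))


# Constructed sample: a Lambda-style resource policy open to every principal.
LAMBDA_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
    }],
}

# Constructed sample: identity policy as attached to an EC2 instance role or a
# federated (Okta) user. "Inventory" legitimately needs "*"; "Backdoor" does not.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Inventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "Backdoor", "Effect": "Allow",
         "Action": ["iam:*", "s3:GetObject"], "Resource": "*"},
        {"Sid": "Blocked", "Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("lambda", LAMBDA_RESOURCE_POLICY), ("identity", IDENTITY_POLICY)]:
        print(name, json.dumps(analyze_policy(doc), indent=2))
```

Run against the two constructed documents, `LAMBDA_RESOURCE_POLICY` yields one `public_principal` finding, and `IDENTITY_POLICY` yields a `wildcard_resource` and a `permissions_management` finding for `Backdoor` only; `Inventory` is suppressed because every action in it requires `Resource "*"`, and the `Deny` statement is ignored. In a real pipeline the two catalogues would be loaded from the full service authorization reference rather than hard-coded.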
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
NIST_800_53_R4 , NIST_800_53_R5 , and NIST_CSF | The policy "AWS CloudFormation stack configured without SNS topic" has been removed from the NIST_800_53_R4 , NIST_800_53_R5 , and NIST_CSF compliance benchmarks because it was incorrectly mapped. Impact: The compliance score will change. |
CIS Azure v1.4.0 | Prisma Cloud provides compliance support for CIS Microsoft Azure Foundations Benchmark v1.4.0. The CIS Azure v1.4.0 has 9 sections with 115 requirements and Prisma Cloud supports 86 requirements across all sections. |
REST API Updates
CHANGE | DESCRIPTION |
Length Limit for Some User Profile API Request Body Parameters | A 300-character limit now applies to request parameters for user and account service names. This limit affects the request body parameters for the User Profile API endpoints shown below. The affected request body parameters are listed after each endpoint:
|
New Integration and Notification Template API Endpoints | New Integration API endpoints are available to replace the endpoints that have been deprecated for all integrations except Okta, Qualys, and Tenable. New Notification Template API endpoints are also available to replace some of the deprecated Notification Template endpoints. |
Response Property for Some Resource and Search API Endpoints Removed | The property ResourceMetaModel.hasAlert has been removed. This property no longer appears in the response objects for the following requests:
|
Resource Discovery Timestamp Available Through Search API Endpoints | A new property ResourceMetaModel.createTs identifies the timestamp when Prisma Cloud first discovered a given resource. This property is available in the response objects for the following requests:
|