Features Introduced in January 2022
Learn what’s new on Prisma™ Cloud in January 2022.
New Features Introduced in 22.1.2
New Features
FEATURE | DESCRIPTION |
---|---|
Alert Details Updates | The drill-downs for alerts have a new look
and the navigation in the console is updated. You can easily edit
the policy that triggered the alert, view the details on the resources
and the policy recommendations in separate tabs, and when you select
the Alert ID, the slide-out panel provides a better view of the
alert details. In addition, the page load time is much faster. |
Length Limit for Field Names | User role names, access key names,
and IP allow list names for administrative users, and Service
Account names, are now limited to a maximum of 300 characters
each on Prisma Cloud. |
Display Cloud Account Owner Details for AWS
Organizations and Member Accounts | The account owner information for AWS Organizations
and their member accounts is now fetched from the AWS account and displayed
under Settings > Cloud Accounts. Note:
This is not supported for AWS standalone accounts. |
API Ingestions | AWS Data Pipeline aws-datapipeline-pipeline Additional
permissions required:
|
Amazon S3 aws-s3api-get-bucket-acl Additional
permission required:
| |
Azure Application Insights azure-application-insights-component Additional
permission required:
| |
Azure Storage Sync Services azure-storage-sync-service Additional
permission required:
| |
The following OCI APIs are ingested: OCI
Bare Metal and VM Databases oci-oracledatabase-bmvm-dbsystem Network
Load Balancer oci-networking-loadbalancer With
the ingestion of these APIs, Prisma Cloud now includes OCI Bare
Metal and VM Databases and Network Load Balancer as licensable assets
that use Prisma Cloud credits. These resources are added to the
count of monitored resources on the Licensing page of the Prisma
Cloud administrator console. |
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS RDS Cluster snapshot is accessible
to public Identifies AWS RDS Cluster snapshots which
are publicly accessible. Amazon Relational Database Service (Amazon RDS)
is a web service that makes it easier to set up and manage databases.
If RDS Cluster snapshots are inadvertently publicly shared, any
unauthorized user with AWS console access can gain access to the
snapshots and access sensitive data.
|
Azure AD MFA is not enabled for
the user Identifies Azure users that do not have Active
Directory Multi-Factor Authentication (AD MFA) enabled. Azure AD
MFA is a best practice that adds an extra layer of protection on
top of your username and password. MFA provides increased security
for your Azure account settings and resources. As a best practice,
enable AD MFA using Conditional Access policies to protect your
users.
| |
Azure Key Vault Key has no expiration
date (Non-RBAC Key vault) Identifies Azure Key Vault
keys that do not have an expiration date for the Non-RBAC Key vaults.
As a best practice, set an expiration date for each key and rotate
your keys regularly.
| |
Azure Key Vault secret has no expiration date
(Non-RBAC Key vault) Identifies Azure Key Vault secrets
that do not have an expiry date for the Non-RBAC Key vaults. As
a best practice, set an expiration date for each secret and rotate
the secret regularly.
| |
Azure Service bus namespace configured with
overly permissive authorization rules Identifies Azure
Service Bus namespaces configured with overly permissive authorization
rules. Service Bus clients should not use a namespace level access
policy that provides access to all queues and topics in a namespace. As
a best practice, follow the least privileged security model to create
access policies at the entity level for queues and topics to provide
access to only the specific entity. All authorization rules except
RootManageSharedAccessKey should be removed from the Service bus
namespace.
| |
GCP API key not restricting any
specific API Identifies GCP API keys that are not
restricting any specific APIs. API keys that are insecure can be
viewed publicly such as from a browser, or accessed on a device
where the key resides. As a best practice, restrict API keys to
use only APIs required by an application.
| |
GCP API key not rotating in every
90 days Identifies GCP API keys that are created more
than 90 days ago. Google recommends using the standard authentication
flow instead of API Keys, but there are limited scenarios where
API keys are more appropriate. As a best practice, rotate your API
keys every 90 days to ensure that data cannot be accessed with an
old key that might have been lost, cracked, or stolen.
| |
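The two GCP API key policies above both evaluate key metadata rather than traffic: a key is unrestricted when it carries no API target restrictions, and it is overdue for rotation when it is older than 90 days. As an added example (not Prisma Cloud code and not the RQL behind these policies), the check below reproduces both conditions over key records shaped like the API Keys API v2 Key resource (name, createTime, restrictions.apiTargets). Those field names are this example's assumption, the two keys and the fixed clock value are constructed sample input, and listing the keys of a real project is an API call left outside the block.

```python
"""Evaluate GCP API keys for missing API restrictions and for age.

Added example, not Prisma Cloud code. The dictionaries mimic the
API Keys API v2 `Key` resource (name, createTime, restrictions.apiTargets);
the field names are this example's assumption, and the sample keys plus
the fixed 'now' are constructed so the check runs offline.
"""
from datetime import datetime, timedelta, timezone

# Rotation interval recommended in the policy text above.
MAX_KEY_AGE = timedelta(days=90)


def _parse_rfc3339(timestamp: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps the API returns into aware datetimes."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def api_targets(key: dict) -> list:
    """Services the key may call; an empty list means the key restricts no API."""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    return [target.get("service") for target in targets]


def evaluate_api_key(key: dict, now: datetime) -> list:
    """Return the names of the policies above that this key violates."""
    findings = []
    if not api_targets(key):
        findings.append("GCP API key not restricting any specific API")
    if now - _parse_rfc3339(key["createTime"]) > MAX_KEY_AGE:
        findings.append("GCP API key not rotating in every 90 days")
    return findings


def evaluate_all(keys: list, now: datetime) -> dict:
    """Map each non-compliant key name to its findings."""
    report = {}
    for key in keys:
        findings = evaluate_api_key(key, now)
        if findings:
            report[key["name"]] = findings
    return report


# Constructed sample input: two keys in a fictitious project, evaluated
# against a fixed clock so the result is deterministic.
NOW = datetime(2022, 1, 20, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {   # created 141 days before NOW and limited to no API: violates both policies
        "name": "projects/example-proj/locations/global/keys/legacy-web-key",
        "createTime": "2021-09-01T12:00:00Z",
        "restrictions": {},
    },
    {   # created 50 days before NOW and limited to one service: compliant
        "name": "projects/example-proj/locations/global/keys/maps-key",
        "createTime": "2021-12-01T12:00:00Z",
        "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]},
    },
]

if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_KEYS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Feed it the key list of a real project and a real `datetime.now(timezone.utc)` and the report is the set of keys to restrict or rotate; a key that passes both checks is omitted rather than listed as compliant.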
Policy Updates—Metadata | GCP VPC Flow logs for the subnet
is set to off Changes —The CLI command now
requires the following permission to enable GCP Flow logs to capture information
about the IP traffic going to-and-from networks in VPC Subnets:
Impact —If
auto-remediation is enabled then alerts will be resolved as Remediated. |
GCP Kubernetes
Engine private cluster has private endpoint disabled
Changes —The RQL has been modified to comply with the latest CIS guidelines.
The private cluster check is also changed to a private endpoint
check, as the former is now deprecated, and the recommended steps
have been updated to reflect the latest UI changes.
Current name —GCP Kubernetes Engine Clusters not configured
with private cluster
Updated to —GCP Kubernetes Engine private cluster has private endpoint disabled
Current description —This policy identifies Kubernetes Engine Clusters
which are not configured with the Private cluster. Private cluster
makes your master inaccessible from the public internet and nodes
do not have public IP addresses, so your workloads run in an environment
that is isolated from the internet.
Updated to —This policy identifies GCP Kubernetes Engine private clusters with private
endpoint disabled. A public endpoint might expose the current cluster and
Kubernetes API version and an attacker may be able to determine
whether it is vulnerable to an attack. Unless required, disabling
the public endpoint will help prevent such threats, and require
the attacker to be on the master's VPC network to perform any attack
on the Kubernetes API. It is recommended to enable the private endpoint
and disable public access on Kubernetes clusters.
Current RQL —
Updated to —
Impact —Previously generated alerts will be resolved as Policy_Updated. | |
Azure Key Vault secret has no expiration
date (Non-RBAC Key vault)
Changes —In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation
was introduced. The policy name and its RQL are updated to implement
the name change and RBAC check.
Current name —Azure Key Vault secrets have no expiration date
Updated to —Azure Key Vault secret has no expiration date (Non-RBAC Key vault)
Impact —Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated. | |
Azure Key Vault Key has no expiration date
(RBAC Key vault)
Changes —In CIS v1.4.0 section 8.3, the guideline name was changed and RBAC validation
was introduced. The policy name and its RQL are updated to implement
the name change and RBAC check.
Current name —Azure Key Vault Key have no expiration date
Updated to —Azure Key Vault Key has no expiration date (RBAC Key vault)
Impact —Previously generated alerts for Non-RBAC key vaults will be resolved as Policy_Updated. | |
AWS SQS queue access policy is
overly permissive
Changes —The RQL has been updated to
include the Condition statement when reporting
the AWS SQS resources.
Current name —
Updated to —
Impact —Previously
generated alerts for resources which have the Condition statement
will be resolved as Policy_Updated. | |
Policy Deletions | The AWS entities with risky permissions policy
is deleted to avoid duplicate alerts after the release of the new OOTB
policies for AWS. It is replaced by the following new AWS policies
for specific entity types:
Impact —Previously
generated alerts will be resolved as Policy_Deleted. |
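The SQS change above (the check now takes the Condition element into account) and the per-service "publicly accessible through IAM policies" policies introduced in 22.1.1 reduce to the same question about a resource-based policy: is there an Allow statement whose Principal is `*` and which carries no Condition that narrows the caller? The following is an added example, not Prisma Cloud code and not the RQL it ships, that answers that question over a policy document JSON. It goes one step beyond the release note: a Condition block counts as scoping only when it uses a key that restricts who can call (the `SCOPING_CONDITION_KEYS` set is this example's own judgement), so a statement whose only condition is `aws:SecureTransport` is still reported as public. The SQS queue policy it evaluates is constructed sample input.

```python
"""Find statements in a resource-based policy that open a resource to everyone.

Added example, not Prisma Cloud code and not its RQL. Works on the policy
document JSON attached to an SQS queue, SNS topic, S3 bucket, Lambda
function or ECR repository. The sample queue policy below is constructed,
and SCOPING_CONDITION_KEYS is this example's own list of condition keys
that actually restrict *who* may call.
"""
import json

# Condition keys that narrow the caller when Principal is "*". A condition
# that only sets e.g. aws:SecureTransport does not, so it is not listed.
SCOPING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
    "aws:principalarn", "aws:principalaccount", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value) -> list:
    """IAM accepts a string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def condition_scopes_caller(condition) -> bool:
    """True when at least one key in the Condition block restricts the caller."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy_doc: str) -> list:
    """Return (Sid, actions) for Allow statements reachable by any unscoped caller."""
    policy = json.loads(policy_doc)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny with Principal "*" restricts, not exposes
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if condition_scopes_caller(stmt.get("Condition")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


def is_publicly_accessible(policy_doc: str) -> bool:
    """The resource-level verdict the policies above report on."""
    return bool(public_statements(policy_doc))


# Constructed sample: an SQS queue policy with four statements.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"
SAMPLE_SQS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # unscoped wildcard principal: public
            "Sid": "AnyoneCanSend", "Effect": "Allow", "Principal": "*",
            "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
        },
        {   # wildcard principal scoped to one SNS topic: not public
            "Sid": "SnsFanOut", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN,
            "Condition": {"ArnEquals": {
                "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:order-events"}},
        },
        {   # condition present but it does not restrict the caller: still public
            "Sid": "TlsOnlyStillPublic", "Effect": "Allow", "Principal": {"AWS": ["*"]},
            "Action": ["sqs:ReceiveMessage"], "Resource": QUEUE_ARN,
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {   # named account principal: not public
            "Sid": "PartnerAccount", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"], "Resource": QUEUE_ARN,
        },
    ],
})

if __name__ == "__main__":
    for sid, actions in public_statements(SAMPLE_SQS_POLICY):
        print(f"PUBLIC: {sid} grants {', '.join(actions)} to any principal")
```

Run against a live policy by passing the `Policy` attribute string from `sqs:GetQueueAttributes` (or the equivalent document for the other services). The flagged `TlsOnlyStillPublic` statement is the reason a practitioner should read the conditions on a wildcard-principal statement rather than trust that any Condition block makes it safe.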
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
Support for Azure Security Benchmark (V3) | The Azure Security Benchmark (ASB) is a
set of best practices for improving the security of workloads, data,
and services on Azure. ASB is part of a set of holistic security guidelines
that includes:
|
Updates for Azure Key Vault Policies | The following Azure Key Vaults related policies
have been updated to include mappings for RBAC and Non-RBAC user
roles:
Impact —No impact on
alerts.The updated compliance benchmarks are: APRA,
azure_pipeda, azure_mitre_attack_framework, CIS_Azure_130, cis_azure,
NIST_800_172, CMMC_1_02, mlps20_azure, LGPD, CIS_Azure_120, NIST_800_53_R4_Azu_leg,
NIST_CSF_v_1_1, CIS_Azure_131, CIS_Azure_140, NIST_800_171R2, CSA_CCM_v4,
HITRUST942, NIST_800_53_R5_Azure, azure_mitre_attack_v8_framework,
azure_ccpa, ISO_27017_2015, PCIDSS_321, and ISO_27002_2013. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Removal of Deprecated Integration API Endpoints | The following deprecated integration endpoints
have been removed except for integrations with Okta, Tenable, and Qualys:
A
new Integration API is available
to replace all the endpoints above except GET /integration/name |
Removal of Deprecated Notification Template
API Endpoints | The following deprecated notification template
endpoints have been removed:
A
new Notification Template API is available
to replace the endpoints above. The following deprecated endpoints
have been removed with no replacement:
|
Removal of Access Key API Ability to Update
Expiration Timestamp | The following endpoint no longer supports
the ability to update the access key expiration timestamp:
|
Removal of Deprecated Alert Rules Endpoint
to List Alert Rules | The following deprecated alert rules API
endpoint has been removed:
The
following alert rules API endpoint provides similar functionality:
|
Enterprise Settings API | A new request body parameter accessKeyMaxValidity exists
for the following enterprise settings endpoint:
You
can use this parameter to set the maximum number of days an access
key is valid. Further, accessKeyMaxValidity is
available through the response object of the following endpoints:
|
Role Info in Login Refresh Session Endpoint Response | The response object for the following endpoint
now includes a roles attribute, which contains
a list of permissions based on the user role type:
|
New Features Introduced in 22.1.1
New Features
FEATURE | DESCRIPTION |
---|---|
Limited GA Adoption Advisor | Tracking and measuring your adoption of
new features and existing capabilities on Prisma Cloud just got
easier! The Adoption Advisor gives visibility into your adoption journey,
identifies your unexplored features, helps you make the most of
your investment, and provides guidance on where to take action. |
Code Security | The all new Code Security module is here
for Prisma Cloud Enterprise Edition! To proactively improve the
security posture of cloud infrastructure as you create, deploy and maintain
your business impacting resources using IaC templates and automation
pipelines, use the Code Security module to identify and protect
from vulnerabilities, misconfigurations and compliance violations
in IaC templates such as Terraform, CloudFormation, Helm. These
capabilities enable you to be tightly embedded in DevOps workflows
and tooling to provide fast feedback and enforce guardrails in code
during the development lifecycle. Armed with a centralized view
of all misconfigurations across scanned repositories on the Prisma
Cloud administrative console that provides filtering and searching
to find code blocks and owners, you can review and address misconfigurations
or violations very quickly. See Features Introduced in January 2022 for more. |
Refreshed Enterprise Settings UI | The Enterprise Settings page is
refreshed to provide a better user experience. |
Length Limit for User Profile Name Fields | The username, first
name, and last name of administrative users, and Service Account
names, are now limited to a maximum of 300 characters
each on Prisma Cloud. |
New Operator for Wildcard Support in
RQL Attributes | The like operator
is added to enable wildcard (*) support so that all available permissions
in your cloud accounts are displayed.The following example
uses the like operator:
In this example, the results displayed match all of the available
permissions in account-dev-3. If
you want to see the exact result for the search value, use the = operator. |
Automatic Time Zone Detection —Change in
Behavior | The time zone is now set automatically for
Prisma Cloud administrators. It is derived from the user’s web browser
and the operating system used to access the Prisma
Cloud administrative console. The Time Zone field
that allowed you to select the time zone is removed from the User
Profile, Settings > Users, the Service Account settings, and Settings > SSO. |
API Ingestions | aws-waf-classic-global-web-acl-resource and
aws-waf-v2-global-web-acl-resource for Log4j vulnerability In
addition to the existing APIs for and , now the following API is also ingested to protect from Log4j vulnerability:
|
AWS AppSync aws-appsync-graphql-api Additional
permissions required:
| |
Amazon DAX aws-dax-cluster Additional
permissions required:
| |
Amazon DocumentDB aws-docdb-db-cluster-parameter-group Additional
permissions required:
| |
Amazon FSx aws-fsx-file-system Additional
permissions required:
| |
Amazon RDS aws-rds-db-cluster-parameter-group Additional
permissions required:
| |
Amazon QuickSight aws-quicksight-dataset Additional
permissions required:
| |
Amazon QuickSight aws-quicksight-datasource Additional
permissions required:
| |
Update AWS ECR Ingestion
to ingest public repositories The API has been updated
with the following information: New API name:
New
permissions added to the CFT templates:
| |
Update Amazon Cognito The
following new permission is required to ingest the aws-cognito-identity-pool API:
Without
this permission, identity pool resources will not be ingested and
all the existing resources will be marked as deleted. | |
Update Amazon EC2 The
following new permission is required to ingest the disableApiTermination field
in the aws-ec2-describe-instances API:
| |
Amazon Simple Email Service aws-ses-identities Additional
permissions required:
| |
AWS Web Application Firewall
(WAF) and WAFv2 aws-waf-classic-web-acl-resource aws-waf-v2-web-acl-resource | |
Azure Cognitive Services azure-cognitive-services-account Additional
permission required:
| |
Azure Virtual Network Gateway azure-virtual-network-gateway Additional
permission required:
| |
Azure Virtual Network azure-private-link-service Additional
permission required:
| |
Azure Virtual Network azure-bastion-host Additional
permission required:
| |
Azure Machine Learning azure-machine-learning-workspace Additional
permission required:
| |
Azure Recovery Services azure-recovery-service-backup-protected-item Additional
permission required:
| |
Azure Recovery Services azure-recovery-service-vault Additional
permission required:
| |
Azure Web Application Firewall azure-application-gateway-waf-policy Additional
permission required:
| |
Google API Key gcloud-api-key Additional
permission required:
| |
Google Cloud Data Fusion gcloud-datafusion-instance Additional
permission required:
| |
Google Container Analysis gcloud-container-analysis-vulnerability-summary Additional
permission required:
| |
Google Cloud Memorystore gcloud-redis-instances-list Additional
permission required:
| |
Google Compute Engine gcloud-ssl-certificate Additional
permission required:
| |
Google Cloud DNS gcloud-dns-policy Additional
permission required:
| |
Google Cloud Armor gcloud-armor-security-policy Additional
permission required:
| |
Google Cloud Resource Manager gcloud-organization-project-info Additional
permission required:
| |
Google Stackdriver Monitoring gcloud-monitoring-notification-channel Additional
permission required:
| |
Update Google Cloud Tasks and Google
Cloud Run Permissions The gcloud-cloud-task and gcloud-cloud-run-services-list APIs
now require the cloudtasks.locations.list and run.locations.list permissions. | |
OCI Containers And Artifacts oci-containers-artifacts-kubernetes-cluster-nodepool Additional
permission required:
| |
OCI Networking oci-networking-subnet Additional
permission required:
|
New Policies and Policy Updates
POLICY UPDATES | DESCRIPTION |
---|---|
New Policies | AWS AppSync attached WAFv2 WebACL
is not configured with AMR for Log4j Vulnerability This
policy identifies AppSync attached with WAFv2 Web Access Control
List (ACL) that are not configured with AWS Managed Rules (AMR)
for Log4j vulnerability. As per AWS, configure the AppSync attached
with WAFv2 Web ACL with AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to
protect from Log4j vulnerability (CVE-2021-44228).
|
AWS AppSync not configured with
AWS Web Application Firewall v2 (AWS WAFv2) This policy
identifies AWS AppSync GraphQL APIs that are not configured with AWS Web Application
Firewall v2 (WAFv2). It is recommended to enable AWS WAFv2
on AppSync to protect against application-layer attacks. To
block malicious requests to your AppSync API, define the block criteria
in the WAFv2 Web Access Control List (ACL).
| |
AWS API Gateway Rest API attached
WAFv2 WebACL is not configured with AMR for Log4j Vulnerability This
policy identifies AWS API Gateway Rest API attached with AWS Web
Application Firewall v2 (WAFv2) Web ACL that are not configured
with AWS Managed Rules (AMR) for Log4j vulnerability. As per AWS,
configure the API Gateway Rest API attached with WAFv2 Web ACL with
AWS AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to
protect from Log4j vulnerability (CVE-2021-44228).
| |
AWS ALB attached WAFv2 WebACL is
not configured with AMR for Log4j Vulnerability This
policy identifies AWS Application Load Balancer (ALB) attached with
WAFv2 Web ACL that are not configured with AWS Managed Rules (AMR)
for Log4j vulnerability. As per AWS, configure the ALB attached
with WAFv2 WebACL with AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to
protect from Log4j vulnerability (CVE-2021-44228).
| |
AWS CloudFront attached WAFv2 WebACL
is not configured with AMR for Log4j Vulnerability This
policy identifies the AWS CloudFront attached with WAFv2 Web ACL
that are not configured with AWS Managed Rules (AMR) for Log4j vulnerability.
As per AWS, configure the CloudFront attached with WAFv2 Web ACL
with AMR AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to
protect from Log4j vulnerability (CVE-2021-44228).
| |
AWS WAF Classic (Regional) in use This
policy identifies AWS WAF Classic (Regional) web ACLs that are in use. It is recommended
to configure the AWS WAFv2 service to protect against application-layer
attacks. To block malicious requests, define the block criteria
in the WAFv2 Web ACL, which has more capability than WAF Classic.
| |
AWS CloudFront not configured with
AWS Web Application Firewall v2 (AWS WAFv2) This policy
identifies AWS CloudFront that are not configured with AWS WAFv2.
It is recommended to configure the AWS WAFv2 service on CloudFront
to protect against application-layer attacks. To block malicious
requests to your CloudFront, define the block criteria in the WAFv2
Web ACL.
| |
AWS API Gateway REST API not configured with
AWS Web Application Firewall v2 (AWS WAFv2) This policy
identifies AWS API Gateway REST API that is not configured with
AWS WAF. It is recommended to enable the AWS WAF service on API
Gateway REST API to protect against application layer attacks. To
block malicious requests to your API Gateway REST API, define the
block criteria in the WAF Web ACL.
| |
Azure Application Gateway Web application firewall
(WAF) policy rule disabled for Remote Command Execution This
policy identifies Azure Application Gateway Web Application Firewall
(WAF) policies that have the ‘Remote Command Execution’ rule disabled,
which is known for Log4j vulnerability. It is recommended to define
the criteria in the WAF policy with the ‘Remote Command Execution’
rule under managed rules to help detect and mitigate Log4j vulnerability.
| |
Azure Front Door Web application
firewall (WAF) policy rule for Remote Command Execution is disabled This
policy identifies Azure Front Door WAF policies that have the ‘Remote
Command Execution’ rule disabled, which is known for Log4j vulnerability.
It is recommended to define the criteria in the WAF policy with
the ‘Remote Command Execution’ rule under managed rules to help
detect and mitigate Log4j vulnerability.
| |
Azure Front Door does not have the
Azure Web application firewall (WAF) enabled This
policy identifies Azure Front Doors that do not have Azure WAF enabled.
It is recommended to configure the Azure WAF service on the Front
Doors to protect against application-layer attacks. To block malicious
requests to your Front Doors, define the block criteria in the WAF
rules.
| |
GCP Cloud Armor rule not configured
with cve-canary This policy identifies GCP Cloud Armor
rules where cve-canary is not enabled. The preconfigured cve-canary WAF
rule can help detect and block exploit attempts of CVE-2021-44228
and CVE-2021-45046 to address the Apache Log4j vulnerability. It is
recommended to create a Cloud Armor security policy with rule blocking
Apache Log4j exploit attempts.
| |
OCI IAM policy with full administrative privileges
across the tenancy to non Administrator This policy
identifies IAM policies with full administrative privileges across
the tenancy to non Administrators. It is recommended to practice
the principle of least privilege, which limits users' access rights
strictly to only what is required to do their jobs.
| |
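The four "attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability" policies above (AppSync, API Gateway REST API, ALB, CloudFront) make the same check whatever the web ACL is attached to: the ACL's rules must reference both AWS managed rule groups named in the policy text. The following is an added example, not Prisma Cloud code and not its RQL, that evaluates a web ACL in the shape `wafv2:GetWebACL` returns. It also goes one step further than the policy text: a managed rule group whose override action is Count is reported as not enforced, because in Count mode WAF only records matches and blocks nothing. The two web ACLs are constructed sample input; fetching a live ACL with boto3 (`get_web_acl(Name=..., Scope=..., Id=...)`) is left outside the block.

```python
"""Log4j managed-rule-group check for a WAFv2 web ACL.

Added example, not Prisma Cloud code. Input mimics the WebACL document
returned by wafv2 GetWebACL: Rules[].Statement.ManagedRuleGroupStatement
with VendorName/Name, and Rules[].OverrideAction holding a "Count" or
"None" key. Both sample ACLs below are constructed.
"""

# The two AWS managed rule groups the policy text above requires for CVE-2021-44228.
REQUIRED_LOG4J_RULE_GROUPS = frozenset({
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesAnonymousIpList",
})


def enforced_managed_rule_groups(web_acl: dict) -> set:
    """AWS managed rule groups in the ACL whose actions are not overridden to Count."""
    enforced = set()
    for rule in web_acl.get("Rules", []):
        managed = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not managed or managed.get("VendorName") != "AWS":
            continue
        # OverrideAction {"Count": {}} turns the whole rule group into log-only.
        if "Count" in rule.get("OverrideAction", {}):
            continue
        enforced.add(managed["Name"])
    return enforced


def missing_log4j_rule_groups(web_acl: dict) -> list:
    """Required rule groups that are absent or only counting; empty means compliant."""
    return sorted(REQUIRED_LOG4J_RULE_GROUPS - enforced_managed_rule_groups(web_acl))


def _managed_rule(name: str, priority: int, count_only: bool = False) -> dict:
    """Build one rule entry in GetWebACL shape (constructed helper for the samples)."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


# Constructed sample ACLs: one compliant, one that looks protected but is not.
SAMPLE_ACL_OK = {
    "Name": "api-prod",
    "Rules": [
        _managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 0),
        _managed_rule("AWSManagedRulesAnonymousIpList", 1),
    ],
}
SAMPLE_ACL_WEAK = {
    "Name": "api-staging",
    "Rules": [
        # present, but in Count mode: exploit attempts are logged, not blocked
        _managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 0, count_only=True),
        _managed_rule("AWSManagedRulesCommonRuleSet", 1),
    ],
}

if __name__ == "__main__":
    for acl in (SAMPLE_ACL_OK, SAMPLE_ACL_WEAK):
        missing = missing_log4j_rule_groups(acl)
        print(acl["Name"], "OK" if not missing else f"missing: {', '.join(missing)}")
```

Pass the `WebACL` member of a real `get_web_acl` response to `missing_log4j_rule_groups`; the same function serves an ACL attached to AppSync, API Gateway or an ALB (Scope REGIONAL) and to CloudFront (Scope CLOUDFRONT, queried in us-east-1).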
Policy Updates—Metadata | AWS CloudFront origin protocol policy
does not enforce HTTPS-only
Changes —The RQL has been updated to report only custom origins that support HTTPS communication;
it ignores website endpoints from S3 buckets, EC2 instances, and
custom websites. The policy description has been updated with newer
standards.
Current —
Updated to —
Impact —Low impact on existing alerts. Alerts with custom origins related to
S3 buckets, EC2 instances, and custom websites will be resolved
as Policy_Updated. |
Azure Network Security Group allows
all traffic on ports which are not commonly used Changes —The
RQL has been updated to include the existence check for the destinationPortRange parameter which
will increase the accuracy of results.Current —
Updated
to —
Impact —Previously
reported alerts may be resolved as Policy_Updated. | |
Azure App Service Web app doesn't
use latest Java version
Changes —The RQL has been updated to consider Java 8 and Windows web app services that use
Java. The policy description and recommendation steps have been updated
accordingly.
Updated to —
Impact —New alerts might be triggered for Java 8 and Windows web app services
that use Java. | |
Azure SQL Server ADS Vulnerability Assessment
is disabled and SQL servers which
do not have Azure Active Directory admin configured The
severity of the above policies has been changed from Medium to Low. Impact —No
impact on alerts. | |
SQL databases has encryption disabled
Changes —The policy name, description, and recommendation have been updated to
maintain uniformity across all policies. The RQL syntax has also
been updated.
Current name —SQL databases has encryption disabled
Updated to —Azure SQL database TDE encryption disabled
Impact —No impact on existing alerts. | |
Update policy names and remediation actions
for Microsoft Defender for Cloud (previously Azure Security Centre) Changes —The
policy names and remediation actions for Microsoft Defender for
Cloud (previously Azure Security Centre) have been updated for the following
policies to reflect the recent changes of CIS v1.4.0:
| |
GCP Kubernetes Engine Clusters Client Certificate
is set to Disabled
Changes —The policy name and RQL are modified to support the latest CIS guideline, which checks
whether the clusters are configured with the old method of authentication. The
policy metadata is updated as per the latest UI.
Current Policy Name —GCP Kubernetes Engine Clusters Client Certificate is set to Disabled
Updated Policy Name —GCP Kubernetes Engine Cluster Client Certificate is not disabled
Current RQL —
Updated to —
Impact —Low impact on existing alerts. | |
Updates to the CLI for remediable GCP firewall policies The
CLI of the following policies are updated to disable the firewall
rule instead of deleting the rule:
Additional permissions
required:
Impact —No
direct impact on alerts. If you have enabled auto-remediation for
the policy, alerts will be resolved as ‘Remediated’. | |
Updates to the RQL and CLI for GCP Firewall Policies GCP
Firewall rule allows all traffic on DNS port (53) Change —The
RQL is modified to check if the firewall rule is disabled and include
IPv6 checks. The CLI is updated to disable the firewall rule instead
of deleting the rule.Current RQL —
Updated
to —
Impact —Low
impact on existing alerts.GCP
Firewall rule allows all traffic on FTP port (21) Change —The
RQL is modified to check if the firewall rule is disabled and include
IPv6 checks. The CLI is updated to disable the firewall rule instead
of deleting the rule.Current RQL —
Updated to —
| |
GCP storage bucket is not configured
with default Event-Based Hold
Changes —The recommendation steps are updated to be compliant with the latest UI updates on
Google Cloud Platform.
Impact —No impact on alerts as the change includes only metadata modifications. | |
OCI IAM policy with full administrative privileges
across the tenancy to non Administrator
Update —The policy is updated to map to OCI CIS v1.0.0 and v1.1.0 requirement 1.2.
Impact —The compliance score will change. | |
Policy Deletions | AWS entities with risky permissions This
policy is being deprecated and replaced by policies that identify
risky write permissions for individual AWS services. Impact —All
existing alerts related to this policy will be removed. To activate
all the new policies, verify your global policy defaults for automatically
enabling policies based on severity under Settings > Enterprise Settings > Auto enable default policies of the type. |
AWS SNS subscription is not configured
with HTTPS The policy has been deleted because of the high
volume of SNS subscriptions and its impact on Time to Ingest (TTI). Support
for aws-sns-get-subscription-attribute will be
discontinued, and the compliance standard mappings that referenced this policy are
also deleted. Impact —Alerts generated for this policy will
be resolved as Policy_Deleted. | |
New IAM Policies | Learn about the new IAM out-of-the-box
(OOTB) policies. |
AWS EC2 instance with IAM write access
level Identifies IAM write permissions that are
defined as risky permissions. This policy minimizes security risks
in your AWS account by ensuring that the AWS EC2 instances provisioned
in your account don't have a risky set of write permissions. | |
AWS Lambda Function with IAM
write access level Identifies IAM write permissions
that are defined as risky permissions in your AWS account. This
policy minimizes security risks by ensuring that the AWS Lambda
Function instances provisioned in your AWS account don’t have a
risky set of write permissions. | |
Elasticbeanstalk Platform with
IAM write access level Identifies IAM write permissions
that are defined as risky permissions. This policy minimizes security
risks by ensuring that the AWS Elasticbeanstalk Platform instances provisioned
in your AWS account don't have a risky set of write permissions
associated with them. | |
ECS Task Definition with IAM
write access level Identifies IAM write permissions
that are defined as risky permissions. This policy minimizes security
risks by ensuring that the AWS ECS Task Definition instances provisioned
in your AWS account don't have a risky set of write permissions
associated with them. | |
Okta User with IAM write access level Identifies
IAM write permissions that are defined as risky permissions. This
policy minimizes security risks by ensuring that the Okta users
in your AWS account don't have a risky set of write permissions
associated with them. | |
IAM User with IAM write access level Identifies
IAM write permissions that are defined as risky permissions. This
policy minimizes security risks by ensuring that the IAM Users in
your AWS account don't have a risky set of write permissions associated
with them. | |
AWS EC2 instance with IAM permissions
management access level Identifies IAM permissions
management access that is defined as risky. This policy
minimizes security risks by ensuring that the AWS EC2 instances
provisioned in your AWS account don't have risky permissions
management access associated with them. | |
AWS Lambda Function with IAM permissions
management access level Identifies IAM permissions
management access that is defined as risky. This policy
minimizes security risks by ensuring that the AWS Lambda Function
instances provisioned in your AWS account don't have risky permissions
management access associated with them. | |
Elasticbeanstalk Platform with
IAM permissions management access level Identifies
IAM permissions management access that is defined as risky.
This policy minimizes security risks by ensuring that the AWS Elasticbeanstalk
Platform instances provisioned in your AWS account don't have
risky permissions management access associated with them. | |
ECS Task Definition with IAM permissions
management access level Identifies IAM permissions
management access that is defined as risky. This policy
minimizes security risks by ensuring that the AWS ECS Task Definition
instances provisioned in your AWS account don't have risky permissions
management access associated with them. | |
Okta User with IAM permissions management
access level Identifies IAM permissions management
access that is defined as risky. This policy minimizes
security risks by ensuring that the Okta Users in your AWS account
don't have risky permissions management access associated with them. | |
IAM User with IAM permissions management
access level Identifies IAM permissions management
access that is defined as risky. This policy minimizes
security risks by ensuring that the IAM Users in your AWS account don't
have risky permissions management access associated with them. | |
AWS EC2 instance with org write access
level Identifies org write access that is defined
as risky. This policy ensures that the AWS EC2 instances provisioned
in your AWS account don't have a risky set of write permissions. | |
AWS Lambda Function with org
write access level Identifies org write access
that is defined as risky. This policy minimizes security
risks by ensuring that the AWS Lambda Function instances provisioned
in your AWS account don't have a risky set of write permissions. | |
Elasticbeanstalk Platform with
org write access level Identifies org write access
that is defined as risky. This policy minimizes security
risks by ensuring that the AWS Elasticbeanstalk Platform instances
provisioned in your AWS account don't have a risky set of write permissions. | |
ECS Task Definition with org
write access level Identifies org write access
that is defined as risky. This policy minimizes security
risks by ensuring that the AWS ECS Task Definition instances provisioned
in your AWS account don't have a risky set of write permissions. | |
Okta User with org write access level Identifies
org write access that is defined as risky. This policy
ensures that the Okta Users in your AWS account don't have a risky
set of write permissions. | |
IAM User with org write access level Identifies
org write access that is defined as risky. This policy
minimizes security risks by ensuring that the IAM Users in your AWS
account don't have a risky set of write permissions. | |
AWS Lambda Layer Version that
is publicly accessible through IAM policies Identifies
the AWS Lambda Layer Version resources which are publicly accessible
through IAM policies. This policy prevents the exposure of sensitive
data by ensuring that the AWS Lambda Layer Version resources provisioned
in your AWS account are not publicly accessible from the Internet. | |
AWS ECR Repository that is publicly accessible
through IAM policies Identifies the AWS ECR Repository
resources which are publicly accessible through IAM policies. This
minimizes the exposure of sensitive data by ensuring that the AWS
ECR Repository resources provisioned in your AWS account are not publicly
accessible from the Internet. | |
AWS Lambda Function that is publicly accessible
through IAM policies Identifies the AWS Lambda
Function resources which are publicly accessible through IAM policies.
This minimizes the exposure of sensitive data by ensuring that the
AWS Lambda Function resources provisioned in your AWS account are
not publicly accessible from the Internet. | |
AWS S3 bucket that is publicly accessible
through IAM policies Identifies the AWS S3 bucket
resources which are publicly accessible through IAM policies. This
minimizes the exposure of sensitive data by ensuring that the AWS
S3 bucket resources provisioned in your AWS account are not publicly accessible
from the Internet. | |
AWS SQS Queue that is publicly accessible
through IAM policies Identifies the AWS SQS Queue
resources which are publicly accessible through IAM policies. This
minimizes the exposure of sensitive data by ensuring that the AWS
SQS Queue resources provisioned in your AWS account are not publicly
accessible from the Internet. | |
AWS SNS Topic that is publicly accessible
through IAM policies Identifies the AWS SNS Topic
resources which are publicly accessible through IAM policies. This
minimizes the exposure of sensitive data by ensuring that the AWS
SNS Topic resources provisioned in your AWS account are not publicly
accessible from the Internet. | |
AWS Secret Manager Secret that
is publicly accessible through IAM policies Identifies
the AWS Secret Manager Secret resources which are publicly accessible
through IAM policies. This minimizes the exposure of sensitive data
by ensuring that the AWS Secret Manager Secret resources provisioned
in your AWS account are not publicly accessible from the Internet. | |
AWS KMS Key that is publicly accessible
through IAM policies Identifies the AWS KMS Key
resources which are publicly accessible through IAM policies. This
minimizes the exposure of sensitive data by ensuring that the AWS
KMS Key resources provisioned in your AWS account are not publicly
accessible from the Internet. | |
AWS EC2 with IAM wildcard resource access Identifies
AWS EC2 instances with the AWS resources which are publicly accessible
through IAM policies. This minimizes the exposure of sensitive data
by ensuring that the AWS resources provisioned in your AWS account
are not publicly accessible from the Internet. | |
AWS Lambda Function with IAM wildcard
resource access Identifies AWS IAM permissions
that contain an asterisk ( * ) in the resource
section of the policy statement. The policy will identify those
asterisks only in case using an asterisk is not mandatory; this
ensures that the AWS policies don't have an asterisk in the resource
section of the policy statement. | |
AWS Elasticbeanstalk Platform
with IAM wildcard resource access Identifies AWS
IAM permissions that contain an asterisk ( * )
in the resource section of the policy statement. The policy will
identify those asterisks only in case using an asterisk is not mandatory;
this ensures that the AWS policies don't have an asterisk in the
resource section of the policy statement. | |
AWS ECS Task Definition with
IAM wildcard resource access Identifies AWS IAM
permissions that contain an asterisk ( * )
in the resource section of the policy statement. The policy will
identify those asterisks only in case using an asterisk is not mandatory;
this ensures that the AWS policies don't have an asterisk in the
resource section of the policy statement. | |
Okta User with IAM wildcard resource access Identifies
Okta Users with AWS IAM permissions that contain an apostrophe ( '' )
in the resource section of the policy statement. The policy will identify
those apostrophes only in case using an apostrophe is not mandatory;
this ensure that the AWS policies don't have an apostrophe in the
resource section of the policy statement. | |
IAM User with IAM wildcard resource access Identifies
IAM Users with AWS IAM permissions that contain an apostrophe '' in
the resource section of the policy statement. The policy will identify
those apostrophes only in case using an apostrophe is not mandatory;
this ensures that the AWS policies don't have an apostrophe in the
resource section of the policy statement. | |
Azure AD user with effective permissions
to create AWS IAM users Identifies Azure AD users
that can create an AWS IAM user as this can lead to a backdoor in
the cloud environment. This policy ensure that Azure AD users have
the least privilege access by granting only the permissions required
to perform a task, instead of providing excessive permissions. |
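The "publicly accessible through IAM policies" and "IAM wildcard resource access" policy families above both reduce to static checks on an IAM policy document. The following added example (not Prisma Cloud's code) implements both checks in Python; the RESOURCE_STAR_REQUIRED list and the two sample policy documents are constructed for illustration, and a resource policy is treated as public only when an Allow statement names every principal and carries no Condition.

```python
import json

# Constructed, deliberately short list of actions that only work with
# Resource "*" (no resource-level permissions). A real checker would use
# the IAM service authorization reference; this set is an assumption.
RESOURCE_STAR_REQUIRED = {"s3:ListAllMyBuckets", "ec2:DescribeInstances", "iam:ListUsers"}

# Constructed sample: SQS queue resource policy open to any principal.
PUBLIC_QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"}]}

# Constructed sample: Lambda role policy with one justified and two avoidable "*".
LAMBDA_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "s3:GetObject", "dynamodb:PutItem"]},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"}]}

def _as_list(value):
    # IAM allows a single string or a list in Statement, Action, Resource, Principal.AWS
    return value if isinstance(value, list) else [value]

def _statements(policy):
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement", []))

def _grants_anyone(principal):
    # "*" or {"AWS": "*"} matches every principal, including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def is_public_resource_policy(policy):
    """True when an Allow statement names every principal and has no Condition.
    Statements that carry a Condition are not flagged and need manual review;
    NotPrincipal/NotAction forms are not handled by this illustration."""
    return any(s.get("Effect") == "Allow" and _grants_anyone(s.get("Principal"))
               and not s.get("Condition") for s in _statements(policy))

def wildcard_resource_findings(policy):
    """Actions allowed on Resource "*" that would accept a narrower ARN."""
    findings = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or "*" not in _as_list(s.get("Resource", [])):
            continue
        findings.extend(a for a in _as_list(s.get("Action", []))
                        if a not in RESOURCE_STAR_REQUIRED)
    return findings
```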
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
---|---|
NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF | The policy AWS CloudFormation stack configured without SNS topic policy has been removed from the NIST_800_53_R4, NIST_800_53_R5, and NIST_CSF compliance benchmarks because it was incorrectly mapped. Impact: The compliance score will change. |
CIS Azure v1.4.0 | Prisma Cloud provides compliance support for CIS Microsoft Azure Foundations Benchmark v1.4.0. CIS Azure v1.4.0 has 9 sections with 115 requirements, and Prisma Cloud supports 86 requirements across all sections. |
REST API Updates
CHANGE | DESCRIPTION |
---|---|
Length Limit for Some User Profile API Request Body Parameters | A 300-character limit now applies to request parameters for user and account service names. This limit affects the request body parameters for the User Profile API endpoints shown below. The affected request body parameters are listed after each endpoint: |
New Integration and Notification Template API Endpoints | New Integration API endpoints are available to replace the endpoints that have been deprecated for all integrations except Okta, Qualys, and Tenable. New Notification Template API endpoints are also available to replace some of the deprecated Notification Template endpoints. |
Response Property for Some Resource and Search API Endpoints Removed | The property ResourceMetaModel.hasAlert has been removed. This property no longer appears in the response objects for the following requests: |
Resource Discovery Timestamp Available Through Search API Endpoints | A new property ResourceMetaModel.createTs identifies the timestamp when Prisma Cloud first discovered a given resource. This property is available in the response objects for the following requests: |