1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Features Introduced in 2022
    7. Features Introduced in June 2022

    Features Introduced in June 2022

    Learn what’s new on Prisma™ Cloud in June 2022.

    New Features

    Feature
    Description
    API Ingestions
    Amazon Connect
    aws-connect-instance
    Additional permissions required:
    • connect:ListInstances
    • connect:ListInstanceStorageConfigs
    Amazon EventBridge
    aws-events-rule
    Additional permissions required:
    • events:ListRules
    • events:ListTargetsByRule
    • events:ListTagsForResource
    The Security Audit role includes these permissions.
    Amazon Pinpoint
    aws-pinpoint-email-channel
    Additional permissions required:
    • mobiletargeting:GetEmailChannel
    • mobiletargeting:GetApps
    Amazon Pinpoint
    aws-pinpoint-sms-channel
    Additional permissions required:
    • mobiletargeting:GetSmsChannel
    • mobiletargeting:GetApps
    Azure Synapse Analytics
    azure-synapse-privatelinkhub-privatelinkresource
    Additional permission required:
    Microsoft.Synapse/privateLinkHubs/privateLinkResources/read
    The Reader role includes this permission.
    Azure Synapse Analytics
    azure-synapse-privatelinkhub
    Additional permission required:
    Microsoft.Synapse/privateLinkHubs/read
    The Reader role includes this permission.
    Azure Synapse Analytics
    azure-synapse-privatelinkresource
    Additional permissions required:
    • Microsoft.Synapse/workspaces/read
    • Microsoft.Synapse/workspaces/privateLinkResources/read
    The Reader role includes these permissions.
    Google Cloud IAM
    gcloud-iam-organization-deny-policy
    Additional permissions required:
    • iam.denypolicies.get
    • iam.denypolicies.list
    The Viewer role includes these permissions.
    Google Cloud IAM
    gcloud-iam-project-deny-policy
    Additional permissions required:
    • iam.denypolicies.get
    • iam.denypolicies.list
    The Viewer role includes these permissions.
    Google Security Command Center
    gcloud-security-command-center-organization-setting
    Additional permission required:
    securitycenter.organizationsettings.get
    The Viewer role includes this permission.
    Google Security Command Center
    gcloud-security-command-center-organization-notification-config
    Additional permission required:
    securitycenter.notificationconfig.list
    The Viewer role includes this permission.
    Google Security Command Center
    gcloud-security-command-center-organization-mute-config
    Additional permission required:
    securitycenter.muteconfigs.list
    The Viewer role includes this permission.
    OCI Web Application Firewall
    oci-waf-networkaddresslist
    Additional permissions required:
    • inspect waf-network-address-list
    • read waf-network-address-list
    You must add the permissions manually.
    OCI Web Application Firewall
    oci-waf-waaspolicy
    Additional permissions required:
    • inspect waas-policy
    • read waas-policy
    You must add the permissions manually.
    Update
    Google Compute Engine API
    Google Compute Engine
    gcloud-ssl-certificate
    This API will be updated to remove the following fields in the resource JSON:
    • certificate
    • selfManaged.certificate
    Decommission of redlock.io Domain
    This change was first announced in the look ahead that was published with the 22.5.2 release.
    The announcement about replacing the redlock.io domain name with prismacloud.io was first sent in July, 2019. Due to this, the redirect from redlock.io to prismacloud.io is removed and no longer supported. The redlock.io domain is decommissioned.

    New Policies and Policy Updates

    See the look ahead updates for planned features and policy updates for 22.7.1
    Policy Updates
    Description
    New Policy
    AWS Lambda execution role having overly permissive inline policy
    Identifies AWS Lambda Function execution role having overly permissive inline policy embedded. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access.
    config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = inlinePolicies[*].policyDocument.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*"))] exists as Y; filter '$.X.role equals $.Y.role.arn'; show Y;
    AWS IAM policy attached to AWS Lambda execution role is overly permissive
    Identifies Lambda Functions execution role having overly permissive IAM policy attached to it. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access.
    config from cloud.resource where api.name = 'aws-lambda-list-functions' as X; config from cloud.resource where api.name = 'aws-iam-list-roles' as Y; config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and document.Statement[?any(Effect equals Allow and (Action equals "*" or Action contains :* or Action[*] contains :*) and (Resource equals "*" or Resource[*] anyStartWith "*") and Condition does not exist)] exists as Z; filter '$.X.role equals $.Y.role.arn and $.Y.attachedPolicies[*].policyName equals $.Z.policyName'; show Z;
    Azure Microsoft Defender for Cloud set to Off for DNS
    Identifies Azure Microsoft Defender for Cloud which has defender setting for DNS set to Off. Enabling Azure Defender provides advanced security capabilities like providing threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Defender for DNS monitors the queries and detects suspicious activities without the need for any additional agents on your resources. It is highly recommended to enable Azure Defender for DNS.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals Dns and properties.pricingTier does not equal Standard)] exists
    AWS DocumentDB Cluster is not enabled with data encryption in transit
    Identifies Amazon DocumentDB Clusters for which data encryption in transit is disabled. Each DocumentDB Cluster is associated with a Cluster Parameter Group. It is highly recommended to implement in-transit encryption in order to protect data from unauthorized access as it travels through the network, between clients and the cluster.
    config from cloud.resource where api.name = 'aws-docdb-db-cluster-parameter-group' AND json.rule = parameters.tls.ParameterValue equals "disabled" as X; config from cloud.resource where api.name = 'aws-docdb-db-cluster' AND json.rule = Status equals available as Y; filter '$.X.DBClusterParameterGroupName equals $.Y.DBClusterParameterGroup'; show Y;
    GCP Load Balancer SSL proxy permits SSL policies with weak cipher suites
    Identifies GCP SSL Load Balancers that permit SSL policies with weak cipher suites. GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
    To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    config from cloud.resource where api.name = 'gcloud-compute-target-ssl-proxy' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "$.X.sslPolicy does not exist or ($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
    GCP Load Balancer HTTPS proxy permits SSL policies with weak cipher suites
    Identifies GCP HTTPS Load Balancers that permit SSL policies with weak cipher suites. GCP default SSL policy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the widest range of insecure cipher suites.
    To prevent usage of insecure features, SSL policies should use at least TLS 1.2 with the MODERN profile; or the RESTRICTED profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or a CUSTOM profile that does not support any of the following features:
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as X; config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as Y; filter "($.Y.sslPolicies[?(@.profile=='COMPATIBLE')].selfLink contains $.X.sslPolicy) or ($.Y.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && (@.minTlsVersion!='TLS_1_2'))].selfLink contains $.X.sslPolicy or ($.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_GCM_SHA256' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_GCM_SHA384' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_128_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_AES_256_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy or $.Y.sslPolicies[?(@.profile=='CUSTOM' && 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' in @.enabledFeatures)].selfLink contains $.X.sslPolicy))"; show X;
    Policy Updates-Metadata
    Azure Security Center system updates monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center system updates monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud system updates monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have system updates monitoring is set to disabled. It retrieves a daily list of available security and critical updates from Windows Update or Windows Server Update Services. The retrieved list depends on the service that’s configured for that virtual machine and recommends that the missing updates be applied. For Linux systems, the policy uses the distro-provided package management system to determine packages that have available updates. It also checks for security and critical updates from Azure Cloud Services virtual machines.
    Impact—
     No impact on alerts.
    Azure Security Center disk encryption monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center disk encryption monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud disk encryption monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have disk encryption monitoring set to disabled. Enabling disk encryption for virtual machines will secure the data by encrypting it. It is recommended to set disk encryption monitoring in Microsoft Defender for Cloud security policy.
    Impact—
     No impact on alerts.
    Azure Security Center adaptive application controls monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center adaptive application controls monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud adaptive application controls monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have adaptive application controls monitoring set to disabled. Adaptive Application Controls will make sure that only certain applications can run on your VMs in Microsoft Azure. This will prevent any malicious, unwanted, or unsupported software on the VMs.
    Impact—
     No impact on alerts.
    Azure Security Center endpoint protection monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center endpoint protection monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud endpoint protection monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have endpoint protection monitoring set to disabled. Enabling endpoint Protection will make sure that any issues or shortcomings in endpoint protection for all Microsoft Windows virtual machines are identified so that they can, in turn, be removed.
    Impact—
     No impact on alerts.
    Azure Security Center security configurations monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center security configurations monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud security configurations monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have security configurations monitoring set to disabled. Security configurations will enable the daily analysis of operating system configurations. The rules for hardening the operating system like firewall rules, password and audit policies are reviewed. Recommendations are made for setting the right level of security controls.
    Impact—
     No impact on alerts.
    Azure Security Center JIT network access monitoring is set to disabled
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes.
    Current Name—
     Azure Security Center JIT network access monitoring is set to disabled
    Updated Name—
     Azure Microsoft Defender for Cloud JIT network access monitoring is set to disabled
    Updated Description—
     Identifies the Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender) policies which have JIT network access monitoring set to disabled. Enabling JIT Network Access will enhance the protection of VMs by creating a Just in Time VM. The JIT VM with NSG rule will restrict the availability of access to the ports to connect to the VM for a pre-set time and only after checking the Role Based Access Control permissions of the user. This feature will control the brute force attacks on the VMs.
    Impact—
     No impact on alerts.
    Policy Updates-RQL
    Azure Microsoft Defender for Cloud email notification for subscription owner is not set
    Changes—
     The policy RQL has been updated to only look for subscriptions where Defender is enabled and then check for email setting.
    Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equals Off'
    Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[*].properties.email is empty or securityContacts[*].properties.alertsToAdmins equal ignore case Off) and pricings[?any(properties.pricingTier equals Standard)] exists
    Impact—
     Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
    Azure Security Center contact phone number not set
    Changes—
     The policy name, description, and remediation steps have been updated due to vendor UI setting changes. The policy RQL has been updated to consider only defender enabled subscriptions.
    Current Name—
     Azure Security Center contact phone number not set
    Updated Name—
     Azure Microsoft Defender for Cloud security contact phone number is not set
    Updated Description—
     Identifies Subscriptions that are not set with security contact phone number for Azure Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender). It is recommended to set security contact phone number to receive notifications when Microsoft Defender for Cloud detects compromised resources.
    Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = (securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists) and pricings[?any(properties.pricingTier equal ignore case Standard)] exists
    Impact—
     Low. Previously generated alert for subscription where Defender is not enabled will be resolved as 'Policy_Updated'.
    GCP HTTPS Load balancer is configured with SSL policy having TLS version 1.1 or lower
    Changes—
     The policy is modified to make it compliant with the CIS requirement to exclude alerting for SSL policy with profile type 'RESTRICTED'.
    Current RQL—
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?(@.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
    Updated RQL—
    config from cloud.resource where api.name = 'gcloud-compute-ssl-policies' as X; config from cloud.resource where api.name = 'gcloud-compute-target-https-proxies' as Y; filter "($.Y.sslPolicy exists and $.X.sslPolicies is not empty) and ($.X.sslPolicies[?((@.profile=='MODERN'||@.profile=='CUSTOM') && @.minTlsVersion!='TLS_1_2')].selfLink contains $.Y.sslPolicy)" ; show Y;
    Impact—
     Low. The alerts associated with the profile type
    RESTRICTED
     will be resolved as 'Policy_Updated'.

    REST API Updates

    CHANGE
    DESCRIPTION
    Removal of Update Access Key API Endpoint
    The following endpoint has been removed:
    PUT /access_keys/{id}

    New Features

    Feature
    Description
    Change in Existing Behavior
    Alert Count on Policy Violations
    This change was first announced in the look ahead that was published with the 22.5.2 release.
    Earlier on Prisma Cloud, when an asset generated an alert for a policy violation, the alert was counted towards the most severe violation. For example, for an asset that had violations for low, medium, and high severity policies, the alert was only counted in the high category although it was also violating medium and low severity policies. In this method of counting alerts, when you view the total count of failed checks it adds up to the sum of all low, medium, and high severity failures.
    The above method of counting alerts is modified to display the total count of policy violations for each severity. So, using the same example, if an asset has violations for low, medium, and high severity policies, the alert will now be counted in each of the three categories. Therefore, when you view the total count of failed checks and compare it to the sum total of each category, the sum will be higher. This count is displayed on several places on the Prisma Cloud management console such as on the
    Compliance
    Overview
    ,
    Asset Inventory
     (Inventory > Assets), and
    Alerts
    Overview
    .
    This change in how Prisma Cloud count assets that failed policy checks will not be updated for any compliance reports generated before your Prisma Cloud instance is upgraded to the current release. This means that the count displayed in the table on
    Compliance
    Reports
     is a snapshot of the previous counting method for reports generated earlier. The count for failed checks in these reports will not match the data in the
    Compliance
    Overview
     page when you filter for the time period for which the report was generated.
    Skips API Ingestion when Cloud Billing on GCP is Disabled
    When the Cloud Asset Inventory (CAI) service is enabled and if Cloud Billing is disabled for a project by default, Prisma Cloud skips the ingestion of GCP APIs. This is true when the project is onboarded as a standalone or a child project of an organization, but not for a master service account (MSA).
    Impact—
     If you do not enable CAI, Prisma Cloud will ingest all the GCP APIs even if Cloud Billing is disabled for a project.
    Change in Existing Behavior
    Resolution of Undeletes for Google Cloud Resources
    This change was announced in the look ahead that was published with the 22.6.1 release.
    All the resources for
    gcloud-compute-networks-subnets-list
     and
    gcloud-compute-networks-list
     will be deleted once and then regenerated on the management console.
    Existing alerts corresponding to these resources will be resolved as
    Resource_Updated
    , and new alerts will be generated against policy violations.
    Impact—
     You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for
    gcloud-compute-networks-subnets-list
     and
    gcloud-compute-networks-list
     start ingesting data again.
    Prisma Cloud Data Security
    Download and Scan Files up to 100MB for Malware
    The file size for malware scanning is now increased from 20MB to 100MB. The uncompressed file size must be less than 100MB.
    Prisma Cloud Data Security
    Support for Big Data File Types
    Prisma Cloud supports the following file types for data profile and data patterns:
    • .avro
    • .ORC
    • .parquet
    The size of the .avro, .ORC, or .parquet files must be less than 2.5GB.
    API Ingestions
    Amazon Managed Workflows for Apache Airflow
    aws-mwaa-environment
    Additional permissions required:
    • airflow:GetEnvironment
    • airflow:ListEnvironments
    AWS Systems Manager
    aws-ssm-association
    Additional permissions required:
    • ssm:ListAssociations
    • ssm:DescribeAssociation
    The Security Audit role includes the permissions.
    Azure Batch Account
    azure-batch-account
    Additional permission required:
    Microsoft.Batch/batchAccounts/read
    The Reader role includes the permission.
    Azure Data Shares
    azure-data-shares-account
    Additional permission required:
    Microsoft.DataShare/accounts/read
    The Reader role includes the permission.
    Azure Red Hat OpenShift
    azure-redhat-openshift-cluster
    Additional permission required:
    Microsoft.RedHatOpenShift/openShiftClusters/read
    The Reader role includes the permission.
    Google Cloud Run Revision
    gcloud-cloud-run-revisions-list
    No new permissions, the Project Viewer role includes the required permissions.
    Google Data Catalog
    gcloud-data-catalog-taxonomy
    Additional permissions required:
    • datacatalog.taxonomies.list
    • datacatalog.taxonomies.getIamPolicy
    • datacatalog.taxonomies.get
    The Viewer role includes the permissions.
    Multi-region resources are not supported for Asia, EU, and US.
    Google Data Catalog
    gcloud-data-catalog-entry-group
    Additional permissions required:
    • datacatalog.entryGroups.list
    • datacatalog.entryGroups.getIamPolicy
    • datacatalog.entryGroups.get
    The Viewer role includes the permissions.
    Multi-region resources are not supported for Asia, EU, and US.
    Google Security Command Center
    gcloud-security-command-center-organization-source
    Additional permissions required:
    • securitycenter.sources.list
    • securitycenter.sources.getIamPolicy
    The Viewer role includes the permissions.
    OCI Compute
    oci-compute-vnics
    Additional permissions required:
    • inspect vnic-attachments
    • inspect vnics
    You must add the permissions manually.
    OCI Compute
    oci-compute-vnicattachments
    Additional permission required:
    inspect vnic-attachments
    You must add the permission manually.
    OCI Networking
    oci-networking-dns-tsigkeys
    Additional permissions required:
    • inspect dns-tsig-keys
    • read dns-tsig-keys
    You must add the permissions manually.
    Update
    API Ingestion—Amazon VPC Attribute
    The following API is updated with a new attribute
    authorizationRules
     which contains the authorization rules for Client VPN endpoint.
    aws-ec2-client-vpn-endpoint
    Additional permissions required:
    • ec2:DescribeClientVpnEndpoints
    • ec2:DescribeClientVpnAuthorizationRules
    The Security Audit role includes the permissions.
    Impact—
     No impact on alerts.

    New Policies and Policy Updates

    See the look ahead updates for planned features and policy updates for 22.6.3.
    Policy Updates
    Description
    New Policy
    AWS Lambda Function resource-based policy is overly permissive
    Identifies Lambda Functions that have overly permissive resource-based policy. Lambda functions having overly permissive policy could lead to lateral movement in account or privilege being escalated when compromised. It is highly recommended to have the least privileged access policy to protect the Lambda Functions from unauthorized access.
    cconfig from cloud.resource where api.name = 'aws-lambda-list-functions' AND json.rule = policy.Statement[?any(Effect equals Allow and Principal equals "*" and Condition does not exist and (Action equals "*" or Action equals lambda:*))] exists
    Azure MySQL database flexible server SSL enforcement is disabled
    Identifies Azure MySQL database flexible servers for which the SSL enforcement is disabled. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using the Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "OFF"
    Azure MySQL database flexible server using insecure TLS version
    Identifies Azure MySQL database flexible servers which are using insecure TLS version. As a security best practice, use the newer TLS version as the minimum TLS version for Azure MySQL database flexible server. Currently, Azure MySQL database flexible server supports TLS 1.2 version which resolves the security gap from its preceding versions.
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-mysql-flexible-server' AND json.rule = properties.state equal ignore case "Ready" and require_secure_transport.value equal ignore case "ON" and (tls_version.value does not equal ignore case "TLSV1.2" and tls_version.value does not equal ignore case "TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.2,TLSV1.3" and tls_version.value does not equal ignore case "TLSV1.3,TLSV1.2")
    Policy Updates-Metadata
    AWS Lambda function communicating with ports known to mine Monero
    Changes—
     The policy description is updated for typos and the cloud is changed from ANY to AWS.
    Updated Description—
     This policy identifies AWS Lambda function which is communicating with ports known to mine Monero.AWS Lambda functions when infected with Denonia malware installs a XMRig mining software which is used for mining Monero. It is highly recommended to restrict Lambda function to known hosts or services only.
    Impact—
     No impact on alerts.
    Policy Updates—RQL
    AWS Certificate Manager (ACM) has certificates with Certificate Transparency Logging disabled
    Changes—
     The policy RQL has been updated to check for valid ACM certificate and added remediation support.
    Additional permission required to remediate the alert: 
    acm:UpdateCertificateOptions
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist)'
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = 'type does not equal IMPORTED and (options.certificateTransparencyLoggingPreference equals DISABLED or options.certificateTransparencyLoggingPreference does not exist) and status equals ISSUED and _DateTime.ageInDays($.notAfter) < 1'
    Remediation CLI—
    aws acm update-certificate-options --region ${region} --certificate-arn ${certificateArn} --options CertificateTransparencyLoggingPreference=ENABLED
    Impact—
     Low. Alerts will get resolved for expired or ACM certificates which does not have status as
    ISSUED
    .
    AWS Customer Master Key (CMK) rotation is not enabled
    Changes—
     The policy RQL has been updated to check only for KMS symmetric keys.
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule='keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals null)'
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name='aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyState equals Enabled and keyMetadata.keyManager equals CUSTOMER and (rotation_status.keyRotationEnabled is false or rotation_status.keyRotationEnabled equals "null") and keyMetadata.customerMasterKeySpec equals SYMMETRIC_DEFAULT
    Impact—
     Medium. The alerts will be resolved as ‘Policy_Updated’ for KMS resource that is configured with asymmetric keys.
    AWS Network Load Balancer (NLB) is not using the latest predefined security policy
    Changes—
     The policy RQL has been updated to include the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy and exclude the legacy security policy “ELBSecurityPolicy-2016-08”.
    Updated Description—
     This policy identifies Network Load Balancers (NLBs) which are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers.
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-0-2021-06 and sslPolicy does not contain ELBSecurityPolicy-2016-08)] exists
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code equals active and type equals "network" and listeners[?any(protocol equals TLS and sslPolicy exists and sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06)] exists
    Impact—
     Low. The alerts will be resolved as ‘Policy_Updated’ for AWS Network Load Balancer that are configured with the latest "ELBSecurityPolicy-TLS13-1-2-2021-06" security policy.
    AWS RDS Instance with copy tags to snapshots disabled
    Changes—
     The policy RQL has been updated to ignore RDS Instance with Neptune Engine.
    Current RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb
    Updated RQL—
    config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-rds-describe-db-instances' AND json.rule = dbinstanceStatus equals available and (copyTagsToSnapshot is false or copyTagsToSnapshot does not exist) and engine does not contain aurora and engine does not contain docdb and engine does not contain neptune
    Impact—
     Low. The alerts will be resolved as ‘Policy_Updated’ for Neptune DB resources.
    Azure Application Gateway allows TLSv1.1 or lower
    Changes—
     The policy name, description, RQL, and recommendation are updated as vendor support for TLS versions has been updated.
    Current RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = " ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].policyType == Predefined and ['properties.sslPolicy'].policyName != AppGwSslPolicy20170401S ) or (['properties.sslPolicy'].policyType == Custom and ['properties.sslPolicy'].minProtocolVersion != TLSv1_2)"
    Updated RQL—
    config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-application-gateway' AND json.rule = ['properties.sslPolicy'] does not exist or (['properties.sslPolicy'].['policyType'] equal ignore case Predefined and (['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20150501 or ['properties.sslPolicy'].['policyName'] equal ignore case AppGwSslPolicy20170401)) or (['properties.sslPolicy'].['policyType'] equal ignore case Custom and (['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_0 or ['properties.sslPolicy'].['minProtocolVersion'] equal ignore case TLSv1_1))
    Impact—
     Previously generated alerts for resources which are configured with TLS new predefined policy (TLSv1.3) will be resolved as ‘Policy_Updated’.
    GCP Firewall rule allows all traffic on Microsoft-DS port (445)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(445,445) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on MongoDB port (27017)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(27017,27017) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on Oracle DB port (1521)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(1521,1521) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on MySQL DB port (3306)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3306,3306) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on SMTP port (25)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(25,25) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on PostgreSQL port (5432)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(5432,5432) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on NetBIOS-SSN port (139)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(139,139) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on DNS port (53)
    Changes—
     The RQL for the policy is modified to include IPv6 checks.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(53,53) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on FTP port (21)
    Changes—
     The RQL for the policy is modified to include IPv6 checks.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(21,21) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on SSH port (22)
    Changes—
     The RQL for the policy is modified to include IPv6 checks.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(22,22) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on RDP port (3389)
    Changes—
     The RQL for the policy is modified to include IPv6 checks.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'disabled is false and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(3389,3389) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows all traffic on POP3 port (110)
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)) )] exists'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(ports contains _Port.inRange(110,110) or (ports does not exist and (IPProtocol contains tcp or IPProtocol contains udp)))] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall with Inbound rule overly permissive to All Traffic
    Changes—
     The RQL for the policy is modified to check if the firewall rule is disabled and include IPv6 checks. Remediation CLI has been modified to disable the vulnerable firewall rule instead of deleting it.
    Additional permissions required:
    • compute.firewalls.update
    • compute.networks.updatePolicy
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= 'sourceRanges[*] contains 0.0.0.0/0 and allowed[*].IPProtocol equals all'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule= disabled is false and direction equals INGRESS and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and allowed[?any(IPProtocol equals "all")] exists
    Updated CLI—
    gcloud compute --project=${account} firewall-rules update ${resourceName} --disabled
    Impact—
     Low impact on existing alerts.
    GCP Firewall rule allows inbound traffic from anywhere with no specific target set
    Changes—
     The RQL for the policy is modified to include IPv6 checks. Also, the policy recommendation steps are modified to reflect the latest CSP changes.
    Current RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[*] exists and (sourceRanges[*] contains 0.0.0.0/0 or sourceRanges[*] contains ::/0) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
    Updated RQL—
    config from cloud.resource where cloud.type = 'gcp' AND api.name='gcloud-compute-firewall-rules-list' AND json.rule = 'disabled is false and direction equals "INGRESS" and allowed[] exists and (sourceRanges[*] equals ::0 or sourceRanges[*] equals 0.0.0.0 or sourceRanges[*] equals 0.0.0.0/0 or sourceRanges[*] equals ::/0 or sourceRanges[*] equals ::) and targetTags[*] does not exist and targetServiceAccounts[*] does not exist'
    Impact—
     Low impact on existing alerts.
    If you have enabled the Code Security subscription on Prisma Cloud, see Code Security-Features Introduced in June 2022 for details on new Configuration Build policies, updates to add build rules for existing Configuration Run policies, and policy deletions.

    REST API Updates

    No REST API updates for 22.6.2.

    New Features

    FEATURE
    DESCRIPTION
    API Ingestions
    AWS IAM
    aws-iam-oidc-provider
    Additional permissions required:
    • iam:ListOpenIDConnectProviders
    • iam:GetOpenIDConnectProvider
    AWS Lambda
    aws-lambda-code-signing-config
    Additional permission required:
    lambda:ListCodeSigningConfigs
    AWS Lambda
    aws-lambda-list-functions
    Additional permission required:
    lambda:GetFunctionUrlConfig
    AWS Route53 Resolver
    aws-route53resolver-query-logging-config-association
    Additional permission required:
    route53resolver:ListResolverQueryLogConfigAssociations
    AWS Route53 Resolver
    aws-route53resolver-query-logging-config
    Additional permissions required:
    • route53resolver:ListResolverQueryLogConfigs
    • route53resolver:ListTagsForResource
    Azure HPC Cache
    azure-hpc-cache
    Additional permissions required:
    • Microsoft.StorageCache/caches/read
    • Microsoft.StorageCache/Subscription/caches/read
    Azure Media Service
    azure-media-service-account
    Additional permission required:
    Microsoft.Media/mediaservices/read
    Azure Service Fabric
    azure-service-fabric-cluster
    Additional permission required:
    Microsoft.ServiceFabric/clusters/read
    Azure Virtual Network
    azure-network-effective-nsg
    Additional permission required:
    Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
    The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
    Azure Virtual Network
    azure-network-effective-route-table
    Additional permission required:
    Microsoft.Network/networkInterfaces/effectiveRouteTable/action
    The Network Contributor role includes the permission and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
    Google Certificate Authority Service
    gcloud-certificate-authority-revocation-lists
    Additional permissions required:
    • privateca.certificateRevocationLists.list
    • privateca.certificateRevocationLists.getIamPolicy
    Google Compute Engine
    gcloud-compute-backend-bucket
    Additional permission required:
    compute.backendBuckets.list
    Google Compute Engine
    gcloud-compute-external-backend-service
    Additional permission required:
    compute.backendServices.list
    OCI Big Data Service
    oci-bigdataservice-instances
    Additional permissions required:
    • inspect bds-instances
    • read bds-instances
    OCI Data Integration
    oci-dataintegration-workspaces
    Additional permissions required:
    • inspect dis-workspaces
    • read dis-workspaces
    OCI Data Science
    oci-datascience-projects
    Additional permissions required:
    • inspect data-science-projects
    • read data-science-projects
    Update
    Support for Azure Virtual Network API Ingestions
    To support ingestion for these Azure Virtual Network APIs:
    azure-network-effective-nsg
    azure-network-effective-route-table
    The Azure onboarding Terraform templates now include granular permissions for:
    • Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
    • Microsoft.Network/networkInterfaces/effectiveRouteTable/action
    The Network Contributor role in Azure includes these two permissions, and do not need to be explicitly granted if you have provided this role to Prisma Cloud.
    Permissions in the Azure Terraform Template
    The Azure Terraform template in
    Monitor
     and
    Monitor & Protect
     modes, used for onboarding Azure Subscriptions and Azure Tenant with Management Groups on Prisma Cloud includes the following permission: 
    Microsoft.ContainerRegistry/registries/listCredentials/action
    This permission is required in the Prisma Cloud custom role to support the Drift Detection capabilities on Code Security.
    Change in Existing Behavior
    Support for Google Cloud API Ingestions
    When you onboard using granular permission, you must provide additional permissions for the following GCP APIs:
    • Google PubSub
      gcloud-pubsub-subscription
      Additional permission required:
      pubsub.subscriptions.get
      gcloud-pubsub-topic
      Additional permission required:
      pubsub.topics.get
    • Google Dataproc Clusters
      gcloud-dataproc-clusters-list
      Additional permission required:
      dataproc.clusters.get
    These permissions are part of the predefined Viewer role and are automatically included if they are using that primitive role.

    New Policies and Policy Updates

    No new policies or policy updates for 22.6.1.

    New Compliance Benchmarks and Updates

    COMPLIANCE BENCHMARK
    DESCRIPTION
    Support for Australian Energy Sector Cyber Security Framework (AESCSF)
    The Australian Energy Sector Cyber Security Framework (AESCSF) provides a set of cybersecurity guidelines specifically tailored to the Australian Energy sector. This framework enables the owners and operators of energy infrastructure in Australia to assess, evaluate, prioritize, and improve their cybersecurity posture.
    The framework involves the analysis of two aspects:
    • Criticality assessment
    • Cyber security capability and maturity self-assessment
    Support for Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
    The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). ISM outlines a cyber security framework that you can apply by using the risk management framework to protect information and systems from cyber threats.
    The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals, and information technology managers.
    Support for Australian Cyber Security Centre (ACSC) Essential Eight
    The Australian Cyber Security Centre’s (ACSC) Essential Eight is a risk management framework that prioritizes eight mitigation strategies taken from the recommended ACSC’s Strategies to Mitigate Cyber Security Incidents:
    The essential eight security controls are:
    • Application Control — to control the execution of unauthorized software
    • Configure Macros — to block untrusted macros
    • Patch Application — to remediate known security vulnerabilities
    • Application Hardening — to protect against vulnerable functionality
    • Restrict Admin Permissions — to limit powerful access to systems
    • Patch Operating Systems — to remediate known security vulnerabilities
    • Multi-Factor Authentication — to protect against risk activities
    • Daily Backups — to maintain the availability of critical data
    Update
    New Zealand Information Security Manual (NZISM v3.4)
    Prisma Cloud has extended the compliance support for other cloud accounts including Azure, Alibaba, GCP, OCI, along with AWS.

    REST API Updates

    No REST API updates for 22.6.1.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo