FEATURE	DESCRIPTION
Integrated View of Run and Build details for Alerts	To help you as a Cloud Security Engineer investigate issues from code to cloud, the alert details now include information to trace and attribute which build-time resource has caused a policy violation for a runtime resource deployed in your cloud account. The alert details overview includes the IaC resource details and information on the build time resource. The new Traceability information helps you connect an alert from the production environment back to the origin templates in your upstream development environment. To view the build-time details in an alert: You must enable a Configuration policy with the subtype Run, Build and attach it to an alert rule on Prisma Cloud. Your IaC templates must be onboarded through a VCS integration. Terraform resources must include the yor_trace tag so that your IaC resources are tagged with a unique UUID for tracing the relationship between the code resource and the runtime resource that is deployed from it. This is not necessary for CloudFormation.
Prisma Cloud Data Security - Asset Level Scan	There is usually several TB or PB of data stored in your organization’s S3 buckets. In order to reduce the cost associated with the scanning of a large volume of data and to provide you with more value, Prisma Cloud Data Security now provides you the option of Asset Level Scan . When you select this option (default) while configuring a scan, Prisma Cloud randomly scans 10% of objects or maximum of 1TB (whichever is lower) and sends the data for analysis. It stops the scan as soon as it detects an object with sensitive data and triggers a 'Storage Asset with sensitive data found' policy. Asset Level Scan only applies when you select the Backward Scan mode and does exposure analysis and data classification and not malware scanning. It is only available when you’re configuring a data security scan for your AWS cloud accounts.

API Ingestions

SERVICE	API DETAILS
Amazon Inspector	aws-inspector-v2-coverage Additional permission required: inspector2:ListCoverage The Security Audit role includes the permission.
Amazon Inspector	aws-inspector-v2-finding Additional permission required: inspector2:ListFindings The Security Audit role includes the permission.
Amazon Inspector	aws-inspector-v2-filter Additional permission required: inspector2:ListFilters The Security Audit role includes the permission.
Amazon Inspector	aws-inspector-v2-permission Additional permission required: inspector2:ListAccountPermissions The Security Audit role includes the permission.
Azure Virtual Network	azure-bastion-diagnostic-settings Additional permissions required: Microsoft.Network/bastionHosts/read Microsoft.Insights/DiagnosticSettings/Read The Reader role includes the permissions.
Google Deployment Manager	gcloud-deployment-manager-deployment Additional permissions required: deploymentmanager.deployments.list deploymentmanager.deployments.getIamPolicy The Viewer role only includes the permission deploymentmanager.deployments.list . You must manually add the permission or update the Terraform template to enable deploymentmanager.deployments.getIamPolicy
Google Deployment Manager	gcloud-deployment-manager-deployment-manifest Additional permissions required: deploymentmanager.deployments.list deploymentmanager.manifests.list The Viewer role only includes the permissions.
Google Stackdriver Monitoring	gcloud-monitoring-group Additional permission required: monitoring.groups.list The Viewer role only includes the permission.
Google Stackdriver Monitoring	gcloud-monitoring-snooze Additional permission required: monitoring.snoozes.list The Viewer role only includes the permission.
Google Cloud Translation	gcloud-translation-model Additional permissions required: cloudtranslate.locations.list cloudtranslate.customModels.list The Viewer role includes the permissions.
Google Cloud Translation	gcloud-translation-native-dataset Additional permissions required: cloudtranslate.locations.list cloudtranslate.datasets.list The Viewer role includes the permissions. Legacy Datasets are not ingested as part of this API.

New Policies

No new policies for 23.7.2.

Policy Updates

POLICY UPDATES	DESCRIPTION
Policy Updates—RQL
AWS Secret Manager Automatic Key Rotation is not enabled	Changes— The policy description and RQL are updated. The policy RQL is updated to exclude the secrets managed by owning services. Updated Description— Identifies AWS Secret Manager that are not enabled with key rotation. As a security best practice, it is important to rotate the keys periodically so that if the keys are compromised, the data in the underlying service is still secure with the new keys. This policy does not include secret manager which are managed by some of the AWS services that store AWS Secrets Manager secrets on your behalf. Policy Severity— Low Policy Type— Config Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-secretsmanager-describe-secret' AND json.rule = rotationEnabled is false and owningService is not member of (appflow, databrew, datasync, directconnect, events, opsworks-cm, rds, sqlworkbench) Impact— Low. Existing alerts are resolved as Policy_Updated for secrets managed by owning services such as appflow, databrew, datasync, directconnect, events, opsworks-cm, rds, and sqlworkbench.
AWS Elastic Load Balancer v2 (ELBv2) with listener TLS/SSL is not configured	Changes— The policy RQL is updated to exclude the NLBs which are forwarding to ALB using TCP as a listener as per the AWS limitation. Policy Severity— Low Policy Type— Config Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = 'state.code contains active and ((listeners[].protocol equals HTTPS or listeners[].protocol equals TLS) and listeners[].certificates[].certificateArn does not exist) or listeners[].protocol equals HTTP or listeners[].protocol equals TCP or listeners[].protocol equals UDP or listeners[].protocol equals TCP_UDP' Updated RQL— config from cloud.resource where api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = state.code contains active and listeners[?any( protocol equals HTTP or protocol equals TCP or protocol equals UDP or protocol equals TCP_UDP )] exists as X; config from cloud.resource where api.name = 'aws-elbv2-target-group' AND json.rule = targetType does not equal alb and protocol exists and protocol is not member of ('TLS', 'HTTPS') as Y; filter '$.X.listeners[?any( protocol equals HTTP or protocol equals UDP or protocol equals TCP_UDP )] exists or ( $.X.listeners[].protocol equals TCP and $.X.listeners[].defaultActions[].targetGroupArn contains $.Y.targetGroupArn)'; show X; Impact—* Low. Alerts that are generated for NLBs which are using ALB as listener via TCP will be resolved as Policy_Updated .
OCI Block Storage Block Volume does not have backup enabled	Changes— The policy description and RQL are updated. The RQL is updated to exclude the Block volumes which are attached to volume groups. Updated Description— Identifies the OCI Block Storage Volumes that do not have backup enabled. It is recommended to have block volume backup policies on each block volume so that the block volume can be restored during data loss events. Note: This Policy is not applicable for block volumes that are added to volume groups. Policy Severity— Low Policy Type— Config Current RQL— config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-block-storage-volume' AND json.rule = volumeBackupPolicyAssignment[] size equals 0 Updated RQL—* config from cloud.resource where cloud.type = 'oci' AND api.name = 'oci-block-storage-volume' AND json.rule = volumeBackupPolicyAssignment[] size equals 0 and volumeGroupId equal ignore case "null" Impact—* Low. Alerts that are generated for block volumes added to volume groups will be resolved as Policy_Updated .
Policy Updates—Metadata
AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk	Changes— The policy name and description are updated to reflect the association of this risk with S3 Buckets, providing a more accurate representation of the associated service. Current Policy Name— AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk Updated Policy Name— AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS S3 Bucket Updated Description— Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk associated with AWS S3 Bucket. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing S3 bucket will have a risk of these dangling domain entries being taken over by an attacker by creating a similar S3 bucket in any AWS account which the attacker owns / controls. Attackers can use this domain to do phishing attacks, spread malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS records entry from your AWS Route 53 hosted zones. Policy Severity— High Policy Type— Config Impact— None.

IAM Policy Updates

Prisma Cloud has updated the following AWS IAM out-of-the-box (OOTB) policies as follows:

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK

DESCRIPTION

MLPS Level 3 Controls

Prisma Cloud now supports Multi-Level Protection Scheme (MLPS) Level 3 controls. Access control, data encryption, network segmentation, intrusion detection, and incident response are among the security measures outlined in the MLPS framework. Based on the MLPS classifications, you can assess the security risks associated with your information systems and implement the appropriate controls.

You can review this compliance standard and its associated policies on the Compliance > Standard
page.

Changes in Existing Behavior

No changes in existing behavior for 23.7.2.

REST API Updates

CHANGE	DESCRIPTION
New API to Get Resource Snapshot	The following new endpoint is added to get the latest resource snapshot by using the Restricted Resource Name(rrn). Get Resource Snapshot - GET /das/api/v1/resource

New Features Introduced in 23.7.1

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

New Features

FEATURE	DESCRIPTION
Support for New Regions on AWS	Prisma Cloud now ingests data for resources deployed in the Zurich and Melbourne regions on AWS. To review a list of supported regions, select Inventory Assets , and choose Cloud Region from the filter drop-down.
`Prisma Cloud Data Security` Support for Singapore	Prisma Cloud Data Security is now available on the app.sg stack for all Prisma Cloud customers in Singapore. The data scans and data will remain within Singapore.
Least Privilege Access Enforcement	Streamline access management and promote secure and efficient permissions configuration with the least privilege access suggestions. Solve for over-privileged access issues that arise when you manage Identity Access through Groups or/and Roles rather than individual identities. You can now remediate over-permissive permissions effectively at the Group/Role level by creating new policies containing only the permissions applicable to all members. Alternatively, you can leverage existing policies by retaining only the permissions applicable to the entire Group/Role and removing any excessive permissions.

API Ingestions

SERVICE	API DETAILS
AWS CloudHSM	aws-cloudhsm-cluster Additional permission required: cloudhsm:DescribeClusters You must manually add the permission or update the CFT template to enable it.
Amazon VPC	aws-ec2-vpc-endpoint-service-permission Additional permission required: ec2:DescribeVpcEndpointServicePermissions The Security Audit role includes the permission.
Google Cloud Translation	gcloud-translation-glossary Additional permissions required: cloudtranslate.locations.list cloudtranslate.glossaries.list The Viewer role includes the permissions.
OCI Compute	oci-compute-image Additional permissions required: INSTANCE_IMAGE_INSPECT INSTANCE_IMAGE_READ You must update the Terraform template to enable the permissions.
`Update` OCI Compute Instance	oci-compute-instance The resource JSON for this API has been updated to include a new field vnicIds . Additional permission required: VNIC_ATTACHMENT_READ You must update the Terraform template to enable the permission.

New Policies

NEW POLICIES	DESCRIPTION
Azure SQL on Virtual Machine (Linux) with basic authentication	Identifies Azure Virtual Machines that are hosted with SQL on them and have basic authentication. Azure Virtual Machines with basic authentication could allow attackers to brute force and gain access to SQL database hosted on it, which might lead to sensitive information leakage. It is recommended to use SSH keys for authentication to avoid brute force attacks on SQL database hosted virtual machines. config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-vm-list' AND json.rule = powerState equal ignore case "PowerState/running" and ['properties.storageProfile'].['imageReference'].['publisher'] equal ignore case microsoftsqlserver and (['properties.osProfile'].['linuxConfiguration'] exists and ['properties.osProfile'].['linuxConfiguration'].['disablePasswordAuthentication'] is false) Policy Type— Config Severity— Low
AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk	Identifies AWS Route53 Hosted Zones which have dangling DNS records with subdomain takeover risk. A Route53 Hosted Zone having a CNAME entry pointing to a non-existing S3 bucket will have a risk of these dangling domain entries being taken over by an attacker by creating a similar S3 bucket in any AWS account which the attacker owns / controls. Attackers can use this domain to do phishing attacks, spread malware and other illegal activities. As a best practice, it is recommended to delete dangling DNS records entry from your AWS Route 53 hosted zones. config from cloud.resource where api.name = 'aws-route53-list-hosted-zones' AND json.rule = hostedZone.config.privateZone is false and resourceRecordSet[?any( type equals CNAME and resourceRecords[].value contains s3-website )] exists as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' as Y; filter 'not ($.X.resourceRecordSet[].name intersects $.Y.bucketName)'; show X; Policy Type— Config Severity— High

Policy Updates

POLICY UPDATES	DESCRIPTION
Policy Updates—RQL
AWS Application Load Balancer (ALB) is not using the latest predefined security policy	Changes— The policy description and recommendation steps have been updated. The policy RQL has been updated to check for the latest security policy ELBSecurityPolicy-TLS13-1-2-2021-06 Updated Description— Identifies Application Load Balancers (ALBs) are not using the latest predefined security policy. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. So it is recommended to use the latest predefined security policy which uses only secured protocol and ciphers. We recommend using ELBSecurityPolicy-TLS13-1-2-2021-06 policy to meet compliance and security standards that require disabling certain TLS protocol versions or to support legacy clients that require deprecated ciphers. Severity— Low Policy Type— Config Current RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals application and listeners[?any(protocol equals HTTPS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-FS-1-2-Res-2020-10 and sslPolicy does not contain ELBSecurityPolicy-TLS-1-2-Ext-2018-06))] exists Updated RQL— config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-elbv2-describe-load-balancers' AND json.rule = type equals application and listeners[?any(protocol equals HTTPS and sslPolicy exists and (sslPolicy does not contain ELBSecurityPolicy-TLS13-1-2-2021-06))] exists Impact— Medium. New alerts will be generated in case ALB is not configured to use the latest security policy. Existing alerts for resources that are already using the latest security policy are resolved as Policy_updated .
AWS EC2 instance that is reachable from untrust internet source to ports with high risk	Changes— Policy RQL is updated to check and report EC2 instance which are in active state. Severity— High Policy Type— Config Current RQL— config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' ) Updated RQL— config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' ) Impact— Low. Alerts will be resolved for EC2 instances which are in inactive state.
Azure SQL Server ADS Vulnerability Assessment is disabled	Changes— The policy description and recommendation steps have been updated. The policy RQL has been updated according to new express configuration to check if ADS vulnerability assessment is disabled. Updated Decsription— Identifies Azure SQL Server which has ADS Vulnerability Assessment setting disabled. Advanced Data Security - Vulnerability Assessment service scans SQL databases for known security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. It is recommended to enable ADS - VA service. Severity— Medium Policy Type— Config Current RQL— config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[].properties.storageContainerPath does not exist Updated RQL—* config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-sql-server-list' AND json.rule = vulnerabilityAssessments[].type does not exist Impact—* Medium. New alerts will be generated if vulnerability assessment is disabled. Existing alerts will be resolved are resolved as Policy_updated when vulnerabilityAssessments[*].properties.storageContainerPath does not exist.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK	DESCRIPTION
Otoritas Jasa Keuangan (OJK) 38/POJK.03/2016	Prisma Cloud now supports Otoritas Jasa Keuangan (OJK) 38/POJK.03/20 regulations. The regulation provides specific guidance on the contents of the outsourcing agreement, due diligence, monitoring performance, contingency planning, audit, and information access rights. You can review this compliance standard and its associated policies on Prisma Cloud’s Compliance > Standard page.

Changes in Existing Behavior

FEATURE

DESCRIPTION

Access to Alerts for Deleted Assets

This change was first announced in the Look Ahead that was published with the 23.5.2 release

The ability to view resolved alerts for assets that have been deleted in cloud accounts onboarded to Prisma Cloud will be available for up to 90 days after asset deletion. After 90 days, these alerts will be permanently deleted from Prisma Cloud.

This change will be in effect starting July 1, 2023. Before July 1, if you want to export all resolved alerts older than 90 days for assets that have been deleted on the cloud account, use this API endpoint https://pan.dev/prisma-cloud/api/cspm/get-alerts-v-2/ .

REST API Updates

No REST API updates for 23.7.1.

Features Introduced in August 2023

Features Introduced in June 2023

POLICY NAME	CURRENT RQL	UPDATED RQL	CURRENT SEVERITY	UPDATED SEVERITY
AWS IAM policy allows Privilege escalation via PassRole & CloudFormation stack permissions	config from iam where action.name CONTAINS ALL ( ‘iam:PassRole', 'cloudformation:CreateStack', 'cloudformation:DescribeStacks') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'cloudformation:CreateStack', 'cloudformation:DescribeStacks') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Lambda create Function & Event source mapping permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:CreateEventSourceMapping', 'lambda:CreateFunction') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
Medium AWS IAM policy allows Privilege escalation via PassRole & SageMaker create training job permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateTrainingJob' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateTrainingJob' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & CodeStar project permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codestar:CreateProject' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codestar:CreateProject' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Lambda create Function & add permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:AddPermission', 'lambda:CreateFunction') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:AddPermission', 'lambda:CreateFunction') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & CodeBuild permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codebuild:CreateProject', 'codebuild:StartBuild', 'codebuild:StartBuildBatch') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'codebuild:CreateProject', 'codebuild:StartBuild', 'codebuild:StartBuildBatch') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & SageMaker create notebook permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateNotebookInstance', 'sagemaker:CreatePresignedNotebookInstanceUrl' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateNotebookInstance', 'sagemaker:CreatePresignedNotebookInstanceUrl' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & SageMaker create processing job permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateProcessingJob' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'sagemaker:CreateProcessingJob' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via EC2 Instance Connect permissions	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ec2-instance-connect:SendSSHPublicKey', 'ec2-instance-connect:SendSerialConsoleSSHPublicKey' ) AND dest.cloud.resource.name ENDS WITH '*’	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ec2-instance-connect:SendSSHPublicKey', 'ec2-instance-connect:SendSerialConsoleSSHPublicKey' ) AND dest.cloud.wildcardscope = true	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & EC2 permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'ec2:RunInstances' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'ec2:RunInstances' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Data Pipeline permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'datapipeline:ActivatePipeline', 'datapipeline:CreatePipeline', 'datapipeline:PutPipelineDefinition') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'datapipeline:ActivatePipeline', 'datapipeline:CreatePipeline', 'datapipeline:PutPipelineDefinition') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Glue development endpoint permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:CreateDevEndpoint', 'glue:GetDevEndpoint') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:CreateDevEndpoint', 'glue:GetDevEndpoint') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Glue create job permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:CreateJob' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:CreateJob' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Glue update job permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:UpdateJob' ) AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'glue:UpdateJob' ) AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium
AWS IAM policy allows Privilege escalation via Glue Dev Endpoint permissions	config from iam where action.name CONTAINS ALL ( 'glue:UpdateDevEndpoint', 'glue:GetDevEndpoint' ) AND dest.cloud.resource.name ENDS WITH '*’	config from iam where action.name CONTAINS ALL ( 'glue:UpdateDevEndpoint', 'glue:GetDevEndpoint' ) AND dest.cloud.wildcardscope = true	High	Medium
AWS IAM policy allows Privilege escalation via Codestar create project and associate team member permissions	config from iam where action.name CONTAINS ALL ( 'codestar:CreateProject', 'codestar:AssociateTeamMember' ) AND dest.cloud.resource.name ENDS WITH '*’	config from iam where action.name CONTAINS ALL ( 'codestar:CreateProject', 'codestar:AssociateTeamMember' ) AND dest.cloud.wildcardscope = true	High	Medium
AWS IAM policy allows Privilege escalation via EC2 describe and SSM list and send command permissions	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ssm:listCommands', 'ssm:listCommandInvocations', 'ssm:sendCommand') AND dest.cloud.resource.name ENDS WITH '*’	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ssm:listCommands', 'ssm:listCommandInvocations', 'ssm:sendCommand') AND dest.cloud.wildcardscope = true	High	Medium
AWS IAM policy allows Privilege escalation via EC2 describe and SSM session permissions	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ssm:StartSession', 'ssm:DescribeSessions', 'ssm:GetConnectionStatus', 'ssm:DescribeInstanceProperties', 'ssm:TerminateSession', 'ssm:ResumeSession' ) AND dest.cloud.resource.name ENDS WITH '*’	config from iam where action.name CONTAINS ALL ( 'ec2:DescribeInstances', 'ssm:StartSession', 'ssm:DescribeSessions', 'ssm:GetConnectionStatus', 'ssm:DescribeInstanceProperties', 'ssm:TerminateSession', 'ssm:ResumeSession' ) AND dest.cloud.wildcardscope = true	High	Medium
AWS IAM policy allows Privilege escalation via PassRole & Lambda create & invoke Function permissions	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:InvokeFunction', 'lambda:CreateFunction') AND dest.cloud.resource.name ENDS WITH '*’ and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	config from iam where action.name CONTAINS ALL ( 'iam:PassRole', 'lambda:InvokeFunction', 'lambda:CreateFunction') AND dest.cloud.wildcardscope = true and grantedby.cloud.policy.condition ('iam:PassedToService') does not exist	High	Medium

Prisma™ Cloud Release Notes

Features Introduced in July 2023

Features Introduced in July 2023

New Features Introduced in 23.7.2

New Features

API Ingestions

New Policies

Policy Updates

IAM Policy Updates

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

New Features Introduced in 23.7.1

New Features

API Ingestions

New Policies

Policy Updates

New Compliance Benchmarks and Updates

Changes in Existing Behavior

REST API Updates

Recommended For You