: Features Introduced in June 2023
Focus
Focus

Features Introduced in June 2023

Table of Contents

Features Introduced in June 2023

Learn what’s new on Prisma™ Cloud in June 2023.

New Features

FEATURE
DESCRIPTION
IAM Security metrics included in Cloud Security Report powered by Adoption Advisor
Enhancement
Implement least-privileged access by quantifying and sharing key IAM security metrics, such as unused over-privileged permissions, now available in the Prisma Cloud Cloud Security report powered by Adoption Advisor. These newly surfaced KPIs allow you to minimize the attack surface by restricting excessive permissions that may pose a significant security risk.
Navigate to
Adoption Advisor > Create Report
from the Prisma Cloud administrative console to explore the latest available IAM security metrics.

API Ingestions

SERVICE
API DETAILS
Amazon API Gateway
aws-apigatewayv2-route
Additional permission required:
  • apigateway:GET
The Security Audit role includes the permission.
Amazon Route53
Update
aws-route53-list-hosted-zones
The resource JSON for this API will be updated to remove a “.”(dot) at the end from the field.
resourceRecordSet[*].name
AWS WAF
aws-waf-v2-rule-group
Additional permission required:
  • wafv2:ListRuleGroups
The Security Audit role includes the permission.
OCI Block Storage
oci-block-storage-volume-group
Additional permission required:
  • VOLUME_GROUP_INSPECT
You must update the Terraform template to enable the permission.
OCI Database
oci-database-keystore
Additional permission required:
  • KEY_STORE_INPSECT
You must update the Terraform template to enable the permission.

New Policies

NEW POLICIES
DESCRIPTION
GCP VM instance that is reachable from untrust internet source to ports with high risk
Identifies GCP VM instances that are reachable from untrusted internet sources to ports with high risk. VM instances with unrestricted access to the internet for high risky port may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )
Policy Type—
Network
Severity—
High

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates-Metadata
AWS S3 bucket policy overly permissive to any principal
Changes—
Updating Policy Name, and Description
Policy Type—
Config
Severity—
Medium
Policy Name—
AWS S3 buckets are accessible to public
Updated Policy Name—
AWS S3 buckets are accessible to public via ACL
Description-
The policy name, description, and recommendation steps are updated to be specific on the criteria through which the S3 bucket is made public. Amazon S3 often stores highly sensitive enterprise data, allowing public access to S3 buckets through ACL results in sensitive data being compromised. It is highly recommended to disable ACL configuration for all S3 buckets and use resource based policies to allow access to S3 buckets.
Impact—
No impact, as this is a metadata change.

New Compliance Benchmarks and Updates

No new compliance benchmarks and updates for 23.6.2.

Changes in Existing Behavior

FEATURE
DESCRIPTION
Rate Limit on POST /login Endpoint
The POST /login endpoint will enforce rate limiting (HTTP Response Code 429).
This change was first announced in the look ahead that was published with the 23.5.1 release.

REST API Updates

No REST API updates for 23.6.2.

New Features

FEATURE
DESCRIPTION
Trendline for Critical Severity in Adoption Advisor Widgets
The Assets With Urgent Alerts, Incident Burndown, and Risk Burndown widgets have a trendline for critical severity alerts and assets to help you quickly review the trends for the most critical issues.
For Assets With Urgent Alerts, you can see the critical and high severity asset data points in all the 30, 60, and 90 day time series starting June 2023.

API Ingestions

SERVICE
API DETAILS
Amazon DAX
aws-dax-parameter-group
Additional permissions required:
  • dax:DescribeParameterGroups
  • dax:DescribeParameters
The Security Audit role includes the permissions.
AWS Shield
aws-shield-drt-access
Additional permission required:
  • shield:DescribeDRTAccess
The Security Audit role includes the permission.
Amazon API Gateway
aws-apigatewayv2-stage
Additional permission required:
  • apigateway:GET
The Security Audit role includes the permission.
Google Cloud DNS
gcloud-dns-resource-record-set
Additional permissions required:
  • dns.managedZones.list
  • dns.resourceRecordSets.list
The Viewer role includes the permissions.
Google Vertex AI
gcloud-vertex-ai-notebook-instance-schedule
Additional permissions required:
  • notebooks.locations.list
  • notebooks.schedules.list
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-zone-action
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.zones.list
  • dataplex.zoneActions.list
The Viewer role includes the permissions.
Google Dataplex
gcloud-dataplex-lake-action
Additional permissions required:
  • dataplex.locations.list
  • dataplex.lakes.list
  • dataplex.lakeActions.list
The Viewer role includes the permissions.
OCI Service Mesh
oci-service-mesh-ingressgateway-routetable
Additional permissions required:
  • MESH_INGRESS_GATEWAY_ROUTE​_TABLE_LIST
  • MESH_INGRESS_GATEWAY_ROUTE​_TABLE_READ
You must update the Terraform template to enable the permissions.
OCI Service Mesh
oci-service-mesh-ingressgateway
Additional permissions required:
  • MESH_INGRESS_GATEWAY​_LIST
  • MESH_INGRESS_GATEWAY​_READ
You must update the Terraform template to enable the permissions.
OCI Database
oci-database-db-node
Additional permissions required:
  • DB_SYSTEM_INSPECT
  • DB_NODE_INSPECT
  • DB_NODE_QUERY
You must update the Terraform template to enable the permissions.

New Policies

NEW POLICIES
DESCRIPTION
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0) to Admin ports (22 / 3389). EC2 instances with unrestricted access to the internet for admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )
Policy Type—
Network
Severity—
High.
AWS EC2 instance that is reachable from untrust internet source to ports with high risk
Identifies AWS EC2 instances that are internet reachable with untrust internet source to ports with high risk. EC2 instances with unrestricted access to the internet for high risky port may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
config from network where source.network = UNTRUST_INTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and protocol.ports in ( 'tcp/20:21', 'tcp/23', 'tcp/25', 'tcp/110', 'tcp/135', 'tcp/143', 'tcp/445', 'tcp/1433:1434', 'tcp/3000', 'tcp/3306', 'tcp/4333', 'tcp/5000', 'tcp/5432', 'tcp/5500', 'tcp/5601', 'tcp/8080', 'tcp/8088', 'tcp/8888', 'tcp/9200', 'tcp/9300' )
Policy Type—
Network
Severity—
High.
Azure Virtual Machine that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies Azure Virtual Machines that are internet reachable with unrestricted access (0.0.0.0/0) to admin ports. Azure VMs with unrestricted internet access to admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit the access to known hosts, services, or specific entities.
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'Azure' and protocol.ports in ('tcp/22','tcp/3389' ) and dest.resource.state = 'Active'
Policy Type—
Network
Severity—
High.
GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports
Identifies GCP VM instances that are internet reachable with unrestricted access (0.0.0.0/0) to Admin ports (22 / 3389). VM instances with unrestricted internet access to admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'GCP' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )
Policy Type—
Network
Severity—
High.

Policy Updates

POLICY UPDATES
DESCRIPTION
Policy Updates—RQL
AWS S3 bucket policy overly permissive to any principal
Changes—
The policy description and RQL are updated. The RQL now considers
Block public access
settings configuration at account and bucket Level.
Updated Description—
Identifies the S3 buckets that have a bucket policy overly permissive to any principal and don’t have Block public and cross-account access to buckets and objects through any public bucket or access point policies enabled. It is recommended to follow the principle of least privileges ensuring that the only restricted entities have permission on S3 operations instead of any anonymous.
Policy Type—
Config
Severity—
Medium.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = policy.Statement[?any(Effect equals Allow and Action anyStartWith s3: and (Principal.AWS contains * or Principal equals *) and Condition does not exist)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = ( ( publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist ) or ( publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false ) or ( publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false ) or ( publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist ) )AND policy.Statement[?any(Effect equals Allow and Action anyStartWith s3: and (Principal.AWS contains * or Principal equals *) and (Condition does not exist or Condition[*] is empty) )] exists
Impact—
Medium. Based on the Block Public Access settings at account and bucket Level, some alerts might get resolved.
AWS S3 bucket publicly writable
Changes—
The policy remediation steps and RQL are updated. The policy RQL now checks for
Authenticated Users
access.
Policy Type—
Config
Severity—
High.
Current RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ((((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false)) and acl.grantsAsList[?any(grantee equals AllUsers and permission is member of (WriteAcp,Write,FullControl))] exists) or ((policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))) and (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS equals *) and (Action contains s3:* or Action contains s3:Put or Action contains s3:Create or Action contains s3:Replicate or Action contains s3:Update or Action contains s3:Delete) and (Condition does not exist))] exists))) and websiteConfiguration does not exist
Updated RQL—
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = ((((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false)) and (acl.grantsAsList[?any(grantee equals AllUsers and permission is member of (WriteAcp,Write,FullControl))] exists or acl.grantsAsList[?any(grantee equals AuthenticatedUsers and permission is member of (WriteAcp,Write,FullControl))] exists)) or ((policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))) and (policy.Statement[?any(Effect equals Allow and (Principal equals * or Principal.AWS equals *) and (Action contains s3:* or Action contains s3:Put or Action contains s3:Create or Action contains s3:Replicate or Action contains s3:Update or Action contains s3:Delete) and (Condition does not exist))] exists))) and websiteConfiguration does not exist
Impact—
Low. New alerts may be generated if Authenticated Users have Write permissions.
GCP Log metric filter and alert does not exist for VPC network route delete and insert
Changes—
The Policy RQL is updated to verify if resource type is present in the Log metric filter.
Policy Type—
Config
Severity—
Informational.
Current RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" ) and ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Updated RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName:" or $.X.filter contains "protoPayload.methodName :" ) and ( $.X.filter does not contain "protoPayload.methodName!:" and $.X.filter does not contain "protoPayload.methodName !:" ) and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Impact—
Low. New alerts will be generated against the policy violations.
GCP Log metric filter and alert does not exist for VPC network route changes
Changes—
The Policy RQL is updated to verify if resource type is present in the Log metric filter.
Policy Type—
Config
Severity—
Informational.
Current RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_route" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Updated RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_route" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.routes.delete" and $.X.filter contains "compute.routes.insert"'; show X; count(X) less than 1
Impact—
Low. New alerts will be generated against the policy violations.
GCP Log metric filter and alert does not exist for VPC network route patch and insert
Changes—
The Policy RQL is updated to verify if resource type is present in the Log metric filter.
Policy Type—
Config
Severity—
Informational.
Current RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" ) and ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1
Updated RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ( $.X.filter contains "resource.type =" or $.X.filter contains "resource.type=" ) and ( $.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=" ) and $.X.filter contains "gce_route" and ( $.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =" ) and ( $.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=" ) and $.X.filter contains "beta.compute.routes.patch" and $.X.filter contains "beta.compute.routes.insert"'; show X; count(X) less than 1
Impact—
Low. New alerts will be generated against the policy violations.
GCP Log metric filter and alert does not exist for VPC network changes
Changes—
The Policy RQL is updated to verify if resource type is present in the Log metric filter.
Policy Type—
Config
Severity—
Informational.
Current RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_network" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert" and $.X.filter contains "compute.networks.patch" and $.X.filter contains "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1
Updated RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gce_network" and ($.X.filter contains "jsonPayload.event_subtype=" or $.X.filter contains "jsonPayload.event_subtype =") and ($.X.filter does not contain "jsonPayload.event_subtype!=" and $.X.filter does not contain "jsonPayload.event_subtype !=") and $.X.filter contains "compute.networks.insert" and $.X.filter contains "compute.networks.patch" and $.X.filter contains "compute.networks.delete" and $.X.filter contains "compute.networks.removePeering" and $.X.filter contains "compute.networks.addPeering"'; show X; count(X) less than 1
Impact—
Low. New alerts will be generated against the policy violations.
GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes
Changes—
The Policy RQL is updated to verify if resource type is present in the Log metric filter.
Policy Type—
Config
Severity—
Informational.
Current RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter does not contain "resource.type =" or $.X.filter does not contain "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gcs_bucket" and ($.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =") and ($.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show X; count(X) less than 1
Updated RQL—
config from cloud.resource where api.name = 'gcloud-logging-metric' as X; config from cloud.resource where api.name = 'gcloud-monitoring-policies-list' as Y; filter '$.Y.conditions[*].metricThresholdFilter contains $.X.name and ($.X.filter contains "resource.type =" or $.X.filter contains "resource.type=") and ($.X.filter does not contain "resource.type !=" and $.X.filter does not contain "resource.type!=") and $.X.filter contains "gcs_bucket" and ($.X.filter contains "protoPayload.methodName=" or $.X.filter contains "protoPayload.methodName =") and ($.X.filter does not contain "protoPayload.methodName!=" and $.X.filter does not contain "protoPayload.methodName !=") and $.X.filter contains "storage.setIamPermissions"'; show X; count(X) less than 1
Impact—
Low. New alerts will be generated against the policy violations.

New Compliance Benchmarks and Updates

COMPLIANCE BENCHMARK
DESCRIPTION
CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2)
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2) is a set of recommendations for configuring Kubernetes to support a strong security posture. Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written for open-source Kubernetes distribution and is intended to be universally applicable. Based on the existing CIS Benchmark, this standard adds additional Google Cloud-specific controls.
You can review this compliance standard and its associated policies on Prisma Cloud’s
Compliance > Standard
page.

Changes in Existing Behavior

FEATURE
DESCRIPTION
S3 Flow Logs with Hourly Partition
This change was first announced in the look ahead that was published with the 23.1.1 release.
If you currently ingest AWS flow logs using S3 with the 24-hour partition, you need to change it to the hourly partition.
To make this change, Configure Flow Logs to use the hourly partition and enable the required additional fields.
Impact
— VPC Flow logs with partitions set to
Every 24 hours (default)
will be disabled. As a result, you will no longer be able to monitor or receive alerts for these logs.

REST API Updates

No REST API updates for 23.6.1.

Recommended For You